UpdraftPlus celebrates World Backup Day: Get 20% off UpdraftPlus Premium

UpdraftPlus is happy to celebrate World Backup Day with everyone today! With millions of users of UpdraftPlus all over the world, we are continually supporting and developing our WordPress backup plugin to help keep your WordPress site safe and secure.

With hacking becoming a bigger threat every day, the importance of having a secure and safe backup of your site available with UpdraftPlus (should the worst happen) cannot be overstated. From opportunistic amateurs to state sponsored cyber-attack units, the security of your site has never been under as much threat as it is now.

World Backup Day is a yearly reminder that everything you’ve worked for and built can be lost in just a few seconds. As well as hacking threats, site owners also have to be wary of crashes, viruses, malicious actors and issues with plugins and themes.

Here at UpdraftPlus, we hear stories every day from users all over the world who have had these problems and were only saved by their UpdraftPlus backup. As the world’s most popular and highest rated WordPress backup plugin, we have made it our mission in life to ensure that should your site ever get hit by any of these problems, you can always restore it to its previous state using your downloaded backup and our plugin.

Installed by over 3 million users all over the world, our easy-to-use interface allows you to backup and restore your website with a single click. You can also set the schedule to backup automatically as often as you like, so you don’t have to worry about forgetting to backup your site manually and will always have a recent upload of your site ready to go.

As it is World Backup Day, get 20% off UpdraftPlus Premium for today only using the discount code: WBUD22 at the checkout.

Happy World Backup Day from all at UpdraftPlus

The post UpdraftPlus celebrates World Backup Day: Get 20% off UpdraftPlus Premium appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.

Why You Need to Upgrade to WP-Optimize Premium

Now that you have your WordPress site in excellent shape and filled with engaging content and compelling designs, you can start to evaluate if it is enough to retain new visitors and keep them coming back again and again.

With so many online options to choose from, it can be hugely difficult to compete for people’s already fleeting attention. To have a successful site these days, you have to do a lot more than just the bare minimum if you hope to increase the traffic on your page. While colourful designs, well-made content and excellent marketing may bring visitors to your WordPress site initially, it is the efficiency, speed and quality that will get them to stay. 

Given how important speed is to a user that visits your site, one of the most important questions you need to ask is, how long does your website take to load a page? Studies show that more than half of the people who visit a site will leave if it takes over three seconds to load a page. Ideally you should aim to have your site load in around two seconds or less. 

Abandonment of your site is not the only damage slow loading speeds can cause. Google confirmed that the speed of your website can even affect a percentage of search queries – and by extension, your SEO ranking. A very large part of your website’s success reflects on how fast it responds to visitor interaction. 

With this knowledge, it is important that you do everything you can to make sure your WordPress site loads as quickly as possible. A great way to help achieve this is by installing the WP-Optimize WordPress plugin. In this blog, we will take a look at the many features and advantages of WP-Optimize, why it should be your WordPress optimization plugin of choice, and why you should upgrade to the premium version.  

What can performance-boosting plugins do for your WordPress site?

No matter how well you may think your site is set up, you should always have a dedicated tool that will help with your site’s performance. Performance-boosting plugins like WP-Optimize help optimize your WordPress site to perform at the best possible level. They can help to speed things up for visitors interacting with your pages for the first time, as well as improve the general efficiency of the website.

As an all-in-one performance-boosting plugin, WP-Optimize consists of everything you need to keep your website fast and thoroughly optimized. With thousands of 5-star reviews and more than one million active installations, WP-Optimize ranks at the very top of the list of the best performance-boosting plugins in the world.  

Why should you use WP-Optimize?

As mentioned earlier, both the free and Premium versions of WP-Optimize expertly optimize your WordPress site in the following ways:

  1. Cleans the database.
  2. Compress images.
  3. Caching. 

1. Clean database

Your database stores all the data you require for your website to function properly. Some things you don’t need are also stored in the process. The clean database feature removes all the useless data and even reclaims the space lost due to data fragmentation. Database cleaning is the number one, most basic function of a performance-boosting plugin. 

The database feature is easy to use and especially comes in handy for cleaning out the following: 

  • Drafts. Gets rid of auto-draft posts and creates space in your database for new and useful drafts. 
  • Comments. Removes Akismet and other such redundant metadata from comments. 
  • Trash. Deletes old post revisions and trash.  
  • Spam. Zero spam tolerance. Automatically removes all spam, unapproved and trashed comments. 
  • Trackbacks and pingbacks. Deletes automatic acknowledgments, references, and notifications ensuring a clutter-free website.

2. Compress images

In addition to cleaning databases, WP-Optimize features a tool for image optimization and compression. Large images that would have otherwise reduced your site’s load speed are compressed and saved to your image library, where they are uploaded instantly. WP-Optimize covers a wide range of image formats including PNG, GIF, JPG, BMP, and TIF. This feature frees up space, saves server resources for more important tasks, and helps your website load faster. 

3. Caching

Every website has a reserved storage space, which is referred to as the cache system.

The purpose of this cache system is to store temporary data like the static versions of your website. This way, your WordPress site won’t have to run heavy PHP scripts whenever someone loads your site. Instead, your cache will collect texts, images, and other required data from first-time visitors. This improves the load speed and general efficiency of the site during subsequent visits.  

Every cache system requires adequate RAM and CPU performance. With time, growing page traffic will overwhelm your RAM and CPU causing your site to render slowly. But that won’t happen with performance-boosting plugins like WP-Optimize. With the WP-Optimize cache 

Why you should upgrade to WP-Optimize Premium

As mentioned at the beginning of this blog, WP-Optimize has both a free and a premium version. The basic features of WP-Optimize are free and can be downloaded here. The Premium version comes with the following additional features:

Premium packages

The premium version is available in three packages at competitive prices: 

Package        Coverage
1. Starter     1 to 2 websites
2. Business    5 websites
3. Unlimited   No limit

Additional benefits of WP-Optimize Premium

Multisite support

While the free version can cater to ONLY one site at a time, the Premium version offers multisite functions. Optimize all your sites on your WordPress network. 

More options

WP-Optimize Premium offers flexibility and a range of advanced options. For instance, you can optimize individual database tables should you wish to do so.

Remove unwanted images

This newly-added Premium optimization process helps to eliminate orphaned images from your WordPress sites. Images that exceed specific size limits are also removed to minimize server footprint – and by extension cost. 

Lazy load

Not all components are needed to load your page. The lazy load feature helps to prioritize the necessary components while delaying the rest until they are required. This optimization process significantly improves website performance for large sites.  


Optimization might be automatic, but with Premium you can schedule when it occurs. This Premium scheduling feature allows you to set up routine optimizations. 


Every process can now be documented. Log messages are sent to three additional destinations – including Simple History, Syslog, and Slack. 


WP-Optimize Premium is available in multiple languages and subscriptions can also be paid for with multiple currencies. 

Geolocation and WooCommerce compatible

Your international WooCommerce store requires an effective geolocation feature to offer country-specific content, determine appropriate VAT and pricing. WP-Optimize Premium can even help with this. 

Run from WP-CLI

You can run optimization commands straight on the command line and receive detailed results on screen.

Power tweaks

This is an advanced option for experienced users. Power tweaks improve your site’s performance by aiming at certain weak points in your website or other plugins. 

Purge pages

This lets you delete HTML copies of your page(s). With the Premium version, you can purge pages when needed – for example, when you update a media file or create a new post. 

Prevent individual page caching

You can use Premium to prevent selected pages on your website from being cached. An example of such a page is the admin page. This feature can also help improve security.

Premium support

Upgrading to Premium automatically gives you Premium support. Your queries will be promptly addressed by WP-Optimize experts. 


If you are serious about getting the best performance out of your site and giving your visitors the best user experience possible, then the short and simple answer is yes – upgrading to WP-Optimize Premium is totally worth it. With so many extra Premium features available, the added benefits will remove all doubts once you realize how important factors such as removing unwanted images, lazy loading, power tweaks and premium support are to the success and speed of your site. 

Download WP-Optimize Premium today and see the difference for yourself.


Why you should upgrade to UpdraftPlus Premium

The free version of UpdraftPlus is fully functional and a great option for a lot of WordPress users. However, we’ve developed a brilliant range of features to make it even better. UpdraftPlus Premium will unlock all the extra features, including a Migrate/Clone tool, multiple online storage options, detailed scheduling, reporting, encryption and much more.

UpdraftPlus Premium also gives you free upgrades and support for a year, plus 1 Gigabyte of UpdraftVault storage, which means you can back up the site without needing to pay for space with a separate remote storage location like Dropbox.

Why go Premium?

No platform offers you the kind of tools to make a highly functional website quite like WordPress. As the platform currently hosts over 40% of the world’s websites, it is a natural target for malicious attacks by bad actors looking to exploit any vulnerabilities. 

As well as the threat of hacks, your website could also fall victim to other issues, such as a server crash due to simple use errors, or the installation of badly coded plugins or themes. In just a few seconds, everything you’ve worked so hard to build could be taken away – leaving you to start again from scratch. 

To avoid such a catastrophic loss happening to you, your first task when setting up a WordPress site should be installing the WordPress backup plugin UpdraftPlus – The world’s number 1, most trusted backup and restore plugin. 

You might think you have every security box checked and have your website running perfectly, with no indication that there are any problems on the horizon. While that may be the case, it doesn’t mean a problem isn’t waiting just around the corner. Think of UpdraftPlus Premium as website insurance. If your website never suffers a problem, then great. If it does, however, you can rest easy knowing you are in safe hands and UpdraftPlus will be there to help you get all your hard work back.

The benefits of UpdraftPlus Premium: Backup, restore and clone

As the world’s most popular and highest rated WordPress backup plugin, UpdraftPlus Premium comes loaded with features and tools:

UpdraftPlus can perform total manual and/or scheduled backups of all your site’s databases, files, themes, and plugins. 

Just having a backup can be pretty useless if you are not able to perform a prompt and secure restoration. With UpdraftPlus Premium, you can restore your backup file directly from the control panel of your site.

With most backup plugins, you are left to manually backup your website whenever you remember. With UpdraftPlus Premium, you can set your site up to automatically backup every 2, 4, 8, or 12 hours, daily, weekly, bi-weekly or monthly.

UpdraftPlus Premium has earned the trust of its considerable user base as it has provided a trusted service to the WordPress community for around a decade. Little wonder why it is the most installed and highest rated backup plugin on the market.

Easy to use
UpdraftPlus Premium comes with an engaging, easy-to-use interface that lets you backup and restore data with just a click of a button.

What additional benefits does UpdraftPlus Premium have?
If you use the free version of the UpdraftPlus plugin, you will be familiar with many of the basic features available. If you upgrade to the Premium version, you get the following features in addition to those being available on the free version: 

Incremental backups

Incremental backups (as the name implies) only back up changes that have occurred in your WordPress website since your last full backup. If your last backup was 12 hours ago, the new incremental backup will back up only what has changed in those last twelve hours (e.g. a new photo was uploaded) and add it to the main backup file. By making incremental backups, you use fewer resources and have quicker backup times.

Other backup plugins will typically backup the whole website every time you make a backup. As you can imagine, this is a huge waste of your time and resources which UpdraftPlus Premium prevents by employing the incremental backup process. 

Cloning and migration
UpdraftPlus Premium has features that can clone your whole website and/or migrate it to a new domain of your choice in minutes. With UpdraftPlus Premium, you are also given free UpdraftClone tokens, so you are no longer required to buy tokens when you want to clone your site.

The UpdraftClone and Updraft Migrator features are a way for you to effectively and seamlessly “copy and paste” your website to any URL with no hosting difficulties. 

Prompt customer support
UpdraftPlus Premium also comes with quick access to expert help and support from our product developers whenever you require it. You can reach us through a web forum and ticket. 

Pre-update backups
Other backup plugins typically stand idle when you update a plugin, a theme or WordPress core, putting your site at considerable risk. But UpdraftPlus Premium will ask you if you would like to first back up your site before any update begins. This way, you will have the most recent version of your WordPress site before you make any changes. 

Non-WP files and databases
Besides the obvious WordPress website core data that will be secured, an UpdraftPlus Premium backup will also cover non-WordPress files and databases such as third party themes. Total security is guaranteed. 

UpdraftPlus Premium works with WordPress Network and Multisite to back them up securely. The backup and restore control panel can be found in the dashboard of the network. You can even restore individual websites within the network.

Advanced scheduling
The premium version also allows you to set a specific time for your website’s backup to be created, retained, or deleted.

More database options
A typical backup plugin saves all your data somewhere safe for when a problem hits your site. Should this happen, you are left with your backup copy to restore your website to its previous state.

But there are times when the hacker doesn’t just attack your site, but also attempts to steal or delete your backup files. With UpdraftPlus Premium and its enhanced security and industry-standard AES (Advanced Encryption Standard) encryptor, your WordPress site’s database (including files, passwords, and list of users) is encrypted and secured in the backup location of your choice. 

Thorough logging and reporting
UpdraftPlus Premium keeps you updated on what’s going on with your website in real time. All backup activities are carefully recorded and the backup status is displayed in the WordPress admin panel – together with warnings and error messages. You will also receive a report for when a backup completes, as well as file checksums for backup integrity verification. UpdraftPlus Premium also allows users to send reports to Slack if desired.

Importer feature
This is easily one of the coolest features of UpdraftPlus Premium. Some backup plugins are just that – they backup your website without any capacity to restore it at a later point. Besides restoring its own backup files, UpdraftPlus Premium also allows you to restore backups from other WordPress backup plugins with our importer feature.

Lock settings
Much like your smartphones, the Premium version locks access to UpdraftPlus using a password. This gives you the ability to control which site users can access the backup dashboard and files. 

WP-CLI stands for WordPress Command Line Interface. CLI functions by relaying commands to a program using a line of text. So, instead of the cumbersome drag-and-drop plugins, you simply backup files using typed lines of text. 

While it may require some technical know-how, this can be a very handy feature for those that require it. 

Zero ads
No one enjoys random ads popping up, disrupting your workflow and taking up your valuable time. The Premium version of UpdraftPlus removes all adverts and lets you get to work without any distractions.

UpdraftPlus Premium packages

If you decide to upgrade to UpdraftPlus Premium, you can choose between five packages with an annual subscription. Automatic renewal gives you 40% off on renewal. What’s more? You can cancel at any time. 

Supports up to 2 websites.
All UpdraftPlus add-ons. Free updates. Free support. Free storage of 1GB UpdraftVault. UpdraftClone tokens.

Supports up to 10 websites.
All UpdraftPlus add-ons. Free updates. Free support. Free storage of 1GB UpdraftVault. UpdraftClone tokens.

Supports up to 35 websites.
All UpdraftPlus add-ons. Free updates. Free support. Free storage of 1GB UpdraftVault. UpdraftClone tokens. 

Supports an unlimited number of websites.
All UpdraftPlus add-ons. Free updates. Free support. Free storage of 1GB UpdraftVault. UpdraftClone tokens.

All of the same features as Enterprise, but with unlimited annual UpdraftCentral Cloud subscription and an additional 50GB UpdraftVault storage

Why would you need to upgrade?

Premium can be particularly useful if you run a bigger or more complex website (or multiple websites), have a history of being targeted by malicious hackers, make a lot of changes daily to your site, or feel the limited “backup and restore” options of the UpdraftPlus free plugin no longer meet your needs. 

If you fall within the above categories, then UpdraftPlus Premium is for you. 

Benefit from UpdraftVault with UpdraftPlus Premium

This is a built-in storage option for your UpdraftPlus backups that gives you 1GB – 50GB of free storage tailored specifically for the UpdraftPlus platform. This can save you the headache of setting up and calibrating third-party storage systems like Google Drive. 

More remote storage options

With the free version of UpdraftPlus, you can backup your website directly to UpdraftVault, Dropbox, Google Drive, Amazon S3 (or compatible), Rackspace Cloud, FTP, DreamObjects, Openstack Swift and email. 

The Premium version expands your options and allows you to backup directly to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP, and WebDAV.

Free and premium versions of UpdraftPlus plugin compared

Get it from WordPress.Org UpdraftPlus.Com
Backup WordPress files and database
Translated into over 16 languages
Restore from backup
Backup to remote storage
Dropbox, Google Drive, FTP, S3, Rackspace, Email
Incremental Backups
Free 1Gb for UpdraftVault
WebDAV, Microsoft OneDrive, Google Cloud, Microsoft Azure, SFTP/SCP, encrypted FTP, BackBlaze
Backup extra files and databases
Migrate / clone (i.e. copy) websites
Basic email reporting
Advanced reporting features
Automatic backup when updating WP/plugins/themes
Send backups to multiple remote destinations
Database encryption
Restore backups from other plugins
No advertising links on UpdraftPlus settings page
Scheduled backups
Fix backup time
Network/Multisite support
Lock settings access
Browse backup contents in WordPress
Download individual files from backup in WordPress
Personal support
Run from WP-CLI
Restore a backup from other plugins

Is UpdraftPlus Premium worth it?

For all the additional benefits and perks that it brings, we feel that UpdraftPlus Premium is more than worth it if you truly value the safety and security of your WordPress site. With Premium you can exercise full control over your backups by unlocking enhanced security features and free updates. These range from access to the latest UpdraftPlus Add-Ons for a year, to free support via our forum and email for a year, extra remote storage options, incremental backups and free tokens for UpdraftClone.

UpdraftPlus Premium is what total security and peace of mind looks like! 


How to create an eLearning course site with WordPress 

The world of online course creation can seem daunting to a new instructor. Creating courses might be your forte, but making a website to sell them might seem like a difficult task. Fear not, as this blog will help you set up and create an eLearning course site with WordPress.

We understand that most people might not be adept at coding or do not have the resources to create a full-fledged website by themselves. That is where WordPress comes in. Little needs to be said about the popularity of WordPress, as it is one of the most popular CMS platforms in the world. WordPress lets users have a large number of nifty plugins and themes and can assist in setting up a site by simply dragging and dropping elements, without much need for coding. 

For this blog, we are going to go through a comprehensive view of tools that will let us set up an LMS site with ease. 

Why have an LMS site?

eLearning has seen a huge increase in popularity recently due to Covid and the rise of remote working/teaching. Business analytics forums state that 1.2 billion students were affected by the closure of educational institutions worldwide during the pandemic. Filling the gap with a fast and well-designed solution for students is the right way to make an impact in this massive market. 

What do you need to start off? We are going to talk about two main elements in this article:

  • Robust LMS plugin  
  • Innovative design pack

This may seem like a small list of tools to start with, but trust us they will be more than enough.

Making the right plugin choice

To build our LMS site on WordPress we need to be careful about the plugins that we use. While some plugins are paid versions only, they also usually offer free counterparts under the “freemium” model. We are only going to focus on an LMS plugin that offers us enough functionality without having to spend any money. But how do you determine if a plugin is right for you? An LMS plugin should offer some basic features that we need to start with:

  • Functional course building
  • Easy to use quiz building 
  • Student interaction with email 
  • Easy payment integration 
  • Certificates
  • Theme starter pack integrations 

Taking into consideration these features, we suggest using Tutor LMS. Tutor LMS offers these features on its free version for users. Although there are more features on the paid version, we will only look at the free features of plugins in this blog. 

Installing the required plugin

Now that you have decided on the choice of plugin, let’s go ahead and start setting it up. To install Tutor LMS, navigate first to your WordPress admin panel. From the admin panel go to Plugins > Add new, search for Tutor LMS, then install and activate the plugin. In a few seconds, it should be ready to be used.

Beautifying with a theme

Before heading on to configure our LMS plugin, you must first decide on a theme for your site. The Tutor Starter theme not only is free, but it also was made to be integrated with the LMS plugin – Tutor LMS. This makes life a whole lot easier. To install Tutor Starter from the WordPress admin panel we find the Appearance tab. From there we click on Add new and search for “Tutor Starter”. Go ahead and hit install and activate.

You need to add one more plugin before you can start utilizing Tutor Starter properly. In the same way you installed the other plugins, you need to navigate to ‘Add a new plugin’ and search for TutorMate. TutorMate is a companion demo importer plugin for the Tutor Starter theme. After finding it from Plugins > Add new, click to install and activate it.

You are now geared up and ready to go. Next, add a starter pack from Tutor Starter to your WordPress site. From the WordPress admin panel, go to Tutor Starter > Starter sites. Here you can find 4 unique demo starter sites for different types of sites according to what you want to create. 

You can preview the site before you choose to import it. When you have decided which site to import simply click the Import button. This will bring up the following popup.

From here you can choose to launch with either the Elementor or Gutenberg page builder. For this blog, we are going to go ahead and run it with Gutenberg. Tutor Starter shows us if we are missing any plugin/add-ons when we try to make this installation. So if you are missing Qubely and WooCommerce, they will be automatically installed and activated. 

Once the import is complete you can see the site by clicking “View your site”.

To edit the page, go to the WordPress admin dashboard and select Customize your site. This takes us to the customization page where you can access all the background changes, widgets, and much more. 

Configuring the back-end

Next you need to add some content to the site. Here starts your main journey to create content for your LMS site. To set up your courses, navigate to WpAdmin > Tutor LMS > Courses. From the courses menu, select Add new to add a new course to the site. You are then taken to the main course menu. Here, input the course name, add a course description, add a video if needed and any other information. There is also a featured image section that can be utilized to let students know what the course is about. 

Now comes the most important task to setting up your course – adding topics and quizzes. To add a quiz first you need to create a topic. Scroll down on the course menu to the course builder section where you can find a button that adds a new topic. Once you have added a new topic, you can now add a lesson and/or a quiz to that topic. 

Adding a lesson

Clicking the lesson button brings up the pop up that lets you configure the lesson. Add the lesson title, the actual lesson text and the lesson video, should it be required. We can even add attachments to the lesson.

Create the quiz

After you have created a lesson, for evaluation you will also need to add a quiz. Right beside the lesson button, click the Quiz button to show the quiz pop up menu. 

First, add a quiz name and hit Save & Next. The next tab gives the quiz question option where you can configure what type of questions you want to set for students. Next, select the name of the question and access the drop-down Question Type menu that shows all the different types of questions that can be set. 

The options on this pop up are easy to navigate and self-explanatory, so setting it up is a breeze regardless of what type of question is selected. 

How do you monetize your course?

Once you are done with the basic setup of the course, what then comes next? The basic setup is followed by adding payments options to the course in order to generate revenue. To achieve that, you will need to integrate WooCommerce as it is one of the most popular eCommerce solutions. It is very easy to use and integrate and also FREE. 

WooCommerce integration and sales

For selling your courses as a product on your LMS site, you need to have a payment system such as WooCommerce added. As previously stated, WooCommerce is automatically installed, so you do not need to separately go through the installation process. To activate WooCommerce on Tutor LMS head to Dashboard > Tutor LMS > Settings > Monetization (Tab) > WooCommerce (Enable).

You have now activated WooCommerce for your LMS site. But how do you link the course to WooCommerce so that it can be paid for? You need to first create a Product to sell through WooCommerce. Go to the WordPress admin panel where you will see a new Product tab. From there, you can add a new product. You can set the name, price and even sale price of the said product. 

To finalize the monetization process, you must link this product to the course we want to sell. In order to do this, you need to edit the course and scroll down to the Add Product section, where you can find a drop-down menu of the product you created and link it to your course. Make sure to select the paid option and you are all set!

For any other course you want to monetize, just follow these steps and you should have no problems.

Market your courses 

The next task is to market your course to potential students, making sure that your product reaches its desired customer.

  • Identify your target students
  • Advertise your courses efficiently for maximum outreach
  • Promote your course as industry-standard material
  • Offer sales to increase student
  • Get affiliate personnel to promote your material elsewhere

While this is definitely not a comprehensive list, these tips could help you get on track with marketing your course.

Backing up your site

Now you have set up your eLearning site, it is important to remember to back it up using UpdraftPlus. As the world’s leading and most trusted backup plugin, UpdraftPlus can be trusted to keep your site and all the hard work you put into creating it, safe and secure. 

Just download the free plugin, or upgrade to UpdraftPlus Premium, for total peace of mind.

Best of luck with your site and if you have any queries, feel free to comment below.


What crucial WordPress security issues should you be aware of?

WordPress is the most popular Content Management System (CMS) worldwide, powering more than a third of all websites existing today. Its popularity also makes it an appealing target for cyberattacks, and it too has its share of security vulnerabilities.

While WordPress may have its own security issues, it isn’t the only platform that is targeted by cyber-criminals, with the theft of data becoming a highly lucrative business. From personal blogs to large business websites, no one has been safe from the potential threats posed by malicious actors. Whether your site is a small blog or a large business, you need to know how to secure it. Top of any list should be installing the UpdraftPlus backup plugin – the world’s most popular and highest rated backup plugin. In the event that you should ever find yourself a victim of an attack, you can at least rest easy in the knowledge that you have a secure backup in order to restore your site. 

Here are some WordPress security issues you should know about and how to address them:

1. The plugin system

Part of what makes WordPress so popular is its modularity. You can quickly and easily expand base features thanks to the plugin system. Unfortunately, not all plugins are created to the high standard of UpdraftPlus, and some can introduce new vulnerabilities to your WordPress website.

The ‘PWA for WP & AMP’ Plugin for example exposed over 20,000 WordPress websites to an access control vulnerability. Due to allowing arbitrary file uploads, attackers could remotely execute code and take over websites running this plugin. Users should be aware of two things from this example. The first is to limit the number of plugins used on your WordPress site where possible. The second is to ensure that all your applications – including plugins and WordPress version – are regularly updated. Updates sometimes add new features, but their main purpose is to address newly discovered vulnerabilities.

2. SQL injection attacks

Data is a new and highly valuable commodity, and one reason attackers target websites is to steal information held in the database. SQL Injections are a popular way of doing this, with attackers embedding SQL commands on websites that may compromise sensitive information.

If you’re wondering how this happens, think about the average form you’ll find on many WordPress websites. It allows users to provide information such as usernames and passwords for login. If an attacker inserts SQL code in these fields, the underlying database may process that code and perform unexpected actions. There are several ways you can work to prevent SQL injection attacks, but the most common is to implement strict input validation. For example, you can add the following rules to your .htaccess file so that Apache refuses, with a 403 Forbidden response, any request whose query string matches one of the listed patterns. The rules look at the query string only, so values submitted in a form body still have to be validated by the code that builds the SQL query:

# Enable rewrite engine
RewriteEngine On

# Block MySQL injections
# The conditions are joined with [OR]: the RewriteRule at the end answers
# 403 Forbidden as soon as any one of them matches the raw query string.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
# A pattern that starts with a bare "=" is read as a string comparison,
# so the leading "=" is escaped to keep it a regular expression.
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C).*iframe.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (\./|\.\./|\.\.\./)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
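Rules like these can be checked offline before they go live. The following is an added example, not part of the original post: it models a subset of the conditions above in Python, with the regex escapes written out, and runs them over constructed requests to show which are refused, including a legitimate search that contains an apostrophe and a form body the rules never see. The function names and sample requests are assumptions made for the illustration.

```python
import re

# Subset of the query-string conditions above as (pattern, NC flag) pairs.
CONDITIONS = [
    (r"(\.\./|\.\.)", False),
    (r"(<|%3C).*script.*(>|%3E)", True),
    (r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", True),
    (r"concat[^(]*\(", True),
    (r"union([^s]*s)+elect", True),
    (r"union([^a]*a)+ll([^s]*s)+elect", True),
    (r"(sp_executesql)", True),
]
COMPILED = [(p, re.compile(p, re.IGNORECASE if nc else 0)) for p, nc in CONDITIONS]


def first_match(query_string):
    """Return the first pattern matching the raw query string, or None.

    mod_rewrite tests %{QUERY_STRING} without URL-decoding it, and because
    the conditions are chained with [OR] a single unanchored match decides.
    """
    for pattern, regex in COMPILED:
        if regex.search(query_string):
            return pattern
    return None


def verdict(query_string, body=""):
    """HTTP status the rule set produces. `body` is deliberately unused:
    none of the conditions reads anything except the query string."""
    return 403 if first_match(query_string) else 200


# Constructed requests (hypothetical, not captured traffic).
SAMPLES = {
    "permalink": ("p=42", ""),
    "union select in query": ("id=1+UNION+ALL+SELECT+1,2", ""),
    "search for O'Brien": ("s=O%27Brien", ""),
    "quote in POST body": ("", "log=editor&pwd=it%27s-in-the-body"),
}


def run_samples():
    return {name: verdict(qs, body) for name, (qs, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, status in run_samples().items():
        print(f"{status}  {name}")
```

The 403 for the apostrophe search is a false positive to weigh before deploying the rules, and the 200 for the POST request is why query-string filtering does not replace validation in the code that builds the query.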


3. Cross-site scripting attacks

How the XSS attack works (Source: Imperva)

Like SQL Injection attacks, Cross-site scripting (XSS) attempts to inject malicious code into vulnerable websites. One example is posting information that leads website users to another website that then attempts to steal personal data. This scenario can be potentially dangerous as the other website may not even need input from the user. It can simply scan user identification data such as cookies, session tokens, and more.

You can generally prevent XSS attacks using a Web Application Firewall (WAF). This useful tool allows you to block specific traffic on websites. Most top WordPress security plugins like All In One WP Security & Firewall will have this feature available. If you’d rather focus on running your WordPress website and want to leave the security to the experts, All In One WP Security & Firewall is a great way of doing so. It not only helps you block most types of attacks but can also scan your WordPress website for vulnerabilities you may not be aware of.

4. Brute force attacks

WordPress makes use of a credential system that allows administrators and other authorized users to access its control features. Unfortunately, many users tend to employ weak and obvious passwords. Brute force attacks make use of scripts that make continued and multiple login attempts to a WordPress site until successful. The script works with a database that holds a dictionary of commonly used usernames and passwords (such as Admin and Password1), hoping that you would have chosen one of these combinations without putting any thought into the risks.

You can however do several things to limit the effectiveness of brute force attacks:

  • Use complex and unique passwords
  • Block access to the WordPress admin directory
  • Add Two-factor Authentication (2FA)
  • Disable directory browsing
  • Limit the number of login attempts

5. Distributed denial of service attacks

DDoS attacks try to overcome a website with a flood of requests mimicking visitor traffic. (Source: dnsstuff)

Distributed denial of service (DDoS) attacks consist of a massive flood of requests that target a website. This flood is intended to cripple a website, making it inaccessible to regular visitors as it is unable to cope with the volume of requests. While DDoS isn’t unique to WordPress, websites based on this CMS can be especially vulnerable since it requires more resources to serve a request than regular static websites. It can be impossible to guard against a determined DDoS flood, and even the most prominent organisations have succumbed to these attacks. One example of this was the GitHub attack in 2018, in which their website came under a 20-minute DDoS flood attack.

Generally smaller websites aren’t the target of such a massive volume. To mitigate against smaller DDoS waves however, make sure you use a Content Distribution Network (CDN). These server networks can help balance incoming loads and help in serving content faster.

6. Cross-site request forgery attacks

Cross-site request forgery (CSRF) attacks are another way attackers force web applications like WordPress to recognize fake authentications. WordPress is especially vulnerable since these sites generally hold many user credentials. The CSRF attack is similar to the XSS attack discussed earlier in many ways. The main difference is that CSRF needs an authentication session, while XSS does not. Regardless, the ultimate aim is to divert a visitor towards an alternative location to steal data.

CSRF prevention needs implementation at the plugin level in most cases. Developers typically use anti-CSRF tokens to link sessions with specific users. WordPress website owners can only rely on plugin updates and general website hardening techniques to help prevent CSRF attacks.

Some hardening actions that may work include:

  • Disabling file editors
  • Targeted blocks of PHP execution
  • 2FA implementation
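The anti-CSRF tokens mentioned in this section tie a form submission to one user's session. The following is an added example, not code from the post or from WordPress: the token is an HMAC over the session identifier, the action name and a time window, so a request forged from another site cannot supply a valid value. The key, the lifetime and the function names are assumptions.

```python
import hashlib
import hmac
import time

SECRET_KEY = b"constructed-demo-key"  # assumption: secret held only by the server
TOKEN_LIFETIME = 3600                 # seconds per time window (assumed policy)


def _sign(session_id, action, tick):
    """HMAC over everything the token must be bound to."""
    msg = f"{tick}|{action}|{session_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, action, now=None):
    """Value to embed as a hidden field in the form that performs `action`."""
    now = time.time() if now is None else now
    tick = int(now // TOKEN_LIFETIME)
    return f"{tick}.{_sign(session_id, action, tick)}"


def verify_token(token, session_id, action, now=None):
    """Accept only a token minted for this session and this action, in the
    current or the previous time window."""
    now = time.time() if now is None else now
    try:
        tick_str, mac = token.split(".", 1)
        tick = int(tick_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    current = int(now // TOKEN_LIFETIME)
    if tick not in (current, current - 1):
        return False  # expired, or claims a future window
    expected = _sign(session_id, action, tick)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

The state-changing handler calls `verify_token` with the session identifier it read from the authenticated cookie, never with one supplied in the request body.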

Final thoughts on WordPress security issues

There is sometimes a misconception that WordPress is a highly vulnerable web application. However, this isn’t an entirely fair claim. Part of it stems from the widespread use of WordPress, but a more significant reason is the failure of website owners to take the necessary proper precautions.

We often take security for granted without thinking of the consequences of choosing a simple password. Website owners however have to take responsibility not just for the integrity of their websites, but also for the safety of their users’ data.

Author Profile

Pui Mun Beh is a digital marketer of WebRevenue

The post What crucial WordPress security issues you be aware of? appeared first on UpdraftPlus. UpdraftPlus – Backup, restore and migration plugin for WordPress.