
Saturday, November 12, 2016

How to Add Security Questions to WordPress Login Screen



Most financial institutions and large companies require you to add security questions on your account for identity verification. Recently one of our readers asked if it was possible to add security questions in WordPress to add an additional security layer. In this article, we will show you how to add security questions to the WordPress login, registration, and reset password pages.


Adding security questions to WordPress login page


Why Add Security Questions to Login & Registration Forms in WordPress?


There are many ways to protect WordPress admin area from unauthorized access. However, if you run a multi-user or WordPress membership site, then it becomes difficult to choose between security and user experience.


Adding a security question to your WordPress site’s login screen acts like an additional password. Your users can choose a question from a list of random questions and then add an answer to that question.


This makes it difficult for hackers to enter a website using a compromised password or email address.


Having said that, let’s see how you can easily add security questions to your WordPress site.




Adding Security Questions to Improve WordPress Login Security


The first thing you need to do is install and activate the WP Security Question plugin. For more details, see our step by step guide on how to install a WordPress plugin.


Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.


Edit, remove, or add security questions


You will see a list of security questions already set up. You can add your own security questions by clicking on the “Add more” button at the bottom. Alternatively, you can also edit or remove the existing questions.


At the bottom of the settings page, you will find the options to enable security questions on login, registration, and lost password pages.


Enable security questions on login, registration, and lost password pages


Don’t forget to click on the save settings button to store your changes.


That’s all. From now on all users on your site will be asked to select and answer their security question on the login page.


Login form with security question


Your WordPress site’s registered users can visit their Profile page to select a security question and add their answer to it.


Users can select a question and add answer on their profile edit page


Users who do not set a security question will still be able to log in by just using their username/email and password.


If you enabled security questions on registration page, then new users will be able to select a security question during registration.


WordPress user registration with security question


Enabling security question on forgot password page will ask users to answer their security question to get the password reset email.


If a user’s email address is compromised, then this would stop someone from gaining access by resetting the password.


Forgot password


At WPBeginner, we use Sucuri to protect our website from malicious attacks and login attempts. Sucuri is a web security company that offers website monitoring and firewall services.


See how Sucuri helped us block 450,000 WordPress attacks in 3 months.


We hope this article helped you learn how to add security questions to your WordPress login screen. You may also want to see our guide on how and why you should limit login attempts in WordPress.




The post How to Add Security Questions to WordPress Login Screen appeared first on WPBeginner.







The Ultimate WordPress Security Guide (Step by Step)



WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.


Improve WordPress Security


While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to harden your WordPress website.


At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).


We have a number of actionable steps that you can take to improve your WordPress security.


To make it easy, we have created a table of contents to help you easily navigate through our ultimate WordPress security guide.


Table of Contents


Basics of WordPress Security



WordPress Security in Easy Steps (No Coding)



WordPress Security for DIY Users



Ready? Let’s get started.


Why Website Security is Important?


A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.


Worse, you may find yourself paying a ransom to hackers just to regain access to your website.


Why WordPress Security is Important


In March 2016, Google reported that more than 50 million website users have been warned that a website they’re visiting may contain malware or steal information.


Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.


If your website is a business, then you need to pay extra attention to your WordPress security.


Similar to how it’s the business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.




Keeping WordPress Updated




WordPress is open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.


WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.


These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.




Strong Passwords and User Permissions


Manage strong passwords


The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your professional email address.


The top reason why beginners don’t like using strong passwords is because they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.


Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.




The Role of WordPress Hosting


Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like BlueHost or Siteground takes extra measures to protect its servers against common threats.


However, on shared hosting you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.


Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.


We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).




WordPress Security in Easy Steps (No Coding)


We know that improving WordPress security can be a terrifying thought for beginners, especially if you’re not techy. Guess what – you’re not alone.


We have helped thousands of WordPress users in hardening their WordPress security.


We will show you how you can improve your WordPress security with just a few clicks (no coding required).


If you can point-and-click, you can do this!


Install a WordPress Backup Solution


Install a WordPress backup solution


Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.


Backups allow you to quickly restore your WordPress site in case something bad were to happen.


There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).


We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.


Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.


Thankfully this can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).




Best WordPress Security Plugin


After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.


This includes file integrity monitoring, failed login attempts, malware scanning, etc.


Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.


You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.


Upon activation, you need to go to the Sucuri menu in your WordPress admin.


Sucuri Admin Menu


The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.


Sucuri Generate Free API


The next thing you need to do is click on the Hardening tab from the Sucuri menu. Go through every option and click on the “Harden” button.


Sucuri Hardening


These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.


We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.


After the hardening part, most default settings of this plugin are good and don’t need changing. The only thing we recommend customizing is the Email Alerts.


The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.


Sucuri Email Alerts


This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.


Enable Web Application Firewall (WAF)


The easiest way to protect your website and be confident about your WordPress security is by using a web application firewall (WAF). The firewall blocks all malicious traffic before it even reaches your website.


Sucuri Website Application Firewall


We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.


Sucuri Attack Block Chart


The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).


This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge 0 per hour. Whereas you can get the entire Sucuri security stack for 9 per year.




Sucuri is not the only firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).




WordPress Security for DIY Users


If you do everything that we have mentioned thus far, then you’re in pretty good shape.


But as always, there’s more that you can do to harden your WordPress security.


Some of these steps may require coding knowledge.


Change the Default “admin” username


In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.


Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.


However, some 1-click WordPress installers still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.


Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.



  1. Create a new admin username and delete the old one.

  2. Use the Username Changer plugin

  3. Update username from phpMyAdmin


We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).


Note: We’re talking about the username called “admin”, not the administrator role.




Disable File Editing


WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.


Disable file editing


You can easily do this by adding the following code in your wp-config.php file.



// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.




Disable PHP File Execution in Certain WordPress Directories


Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.


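You can do this by opening a text editor like Notepad and pasting this code:



# Deny direct requests for any PHP file in this directory.
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead.
<Files *.php>
deny from all
</Files>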

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.


For a more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.


Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.




Limit Login Attempts


By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to log in with different combinations.


This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.


However, if you don’t have the firewall set up, then proceed with the steps below.


First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.


Upon activation, visit the Settings » Login LockDown page to set up the plugin.


Login LockDown settings


For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.




Change WordPress Database Prefix


By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.


You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.


Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills.




Password Protect WordPress Admin and Login Page


Password protecting wp-admin


Normally, hackers can request your wp-admin folder and login page without any restriction. This allows hackers to try their hacking tricks or run DDoS attacks.


You can add additional password protection on a server side which will effectively block those requests.


Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.




Disable Directory Indexing and Browsing


Directory browsing


Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.


Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.


You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see .htaccess file in WordPress.


After that, you need to add the following line at the end of the .htaccess file:


Options -Indexes


Don’t forget to save and upload .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.




Disable XML-RPC in WordPress


XML-RPC was enabled by default in WordPress 3.5 because it helps connect your WordPress site with web and mobile apps.


However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.


For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which would be caught and blocked by the login lockdown plugin.


But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.


This is why if you’re not using XML-RPC, we recommend that you disable it.


There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.


Tip: The .htaccess method is the best one because it’s the least resource intensive.


If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
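If XML-RPC has to stay enabled, the amplification described above can be measured per request by counting how many calls one system.multicall body carries. The following is an added example, not code from WPBeginner or from any plugin mentioned here; the threshold, the function names, the `example.ping` method and the sample request bodies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MAX_BATCHED_CALLS = 10  # assumed policy threshold; tune it for your site


def count_batched_calls(body: str) -> int:
    """Return how many calls one XML-RPC request body carries.

    A plain call counts as 1; a system.multicall counts its embedded calls.
    Raises ValueError for bodies that are malformed or that carry a DTD.
    """
    # XML-RPC never needs a DTD, and entity declarations are how
    # entity-expansion attacks reach an XML parser, so refuse them early.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        raise ValueError("DTD not allowed in an XML-RPC body")
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    method = (root.findtext("methodName") or "").strip()
    if method != "system.multicall":
        return 1
    # Every embedded call is a <struct> with a member named "methodName".
    # Members nested inside a call's params are counted too, so the result
    # can only over-estimate, which is the safe direction for a limiter.
    return sum(
        1
        for member in root.iter("member")
        if (member.findtext("name") or "").strip() == "methodName"
    )


def should_block(body: str, limit: int = MAX_BATCHED_CALLS) -> bool:
    """True when a request batches more calls than the policy allows."""
    try:
        return count_batched_calls(body) > limit
    except ValueError:
        return True  # fail closed on anything that cannot be parsed


# Constructed sample bodies (not captured traffic).
_ONE_CALL = (
    "<value><struct>"
    "<member><name>methodName</name>"
    "<value><string>example.ping</string></value></member>"
    "<member><name>params</name>"
    "<value><array><data/></array></value></member>"
    "</struct></value>"
)
SAMPLE_MULTICALL = (
    "<methodCall><methodName>system.multicall</methodName>"
    "<params><param><value><array><data>"
    + _ONE_CALL * 3
    + "</data></array></value></param></params></methodCall>"
)
SAMPLE_SINGLE = (
    "<methodCall><methodName>example.ping</methodName><params/></methodCall>"
)

if __name__ == "__main__":
    for label, body in (("single", SAMPLE_SINGLE), ("multicall", SAMPLE_MULTICALL)):
        print(label, count_batched_calls(body), should_block(body, limit=2))
```

A login limiter that counts HTTP requests sees each of these bodies as one attempt, which is why the count has to come from inside the body.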




Automatically log out Idle Users in WordPress


Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.


This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.


You will need to install and activate the Idle User Logout plugin. Upon activation, visit Settings » Idle User Logout page to configure plugin settings.


Logout idle user


Simply set the time duration and uncheck the box next to ‘Disable in wp admin’ option for better security. Don’t forget to click on the save changes button to store your settings.


For more detailed instructions, see our guide on how to automatically log out idle users in WordPress.




Add Security Questions to WordPress Login Screen


Security questions on login screen


Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.


You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.


For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.




Fixing a Hacked WordPress Site


Many WordPress users don’t realize the importance of backups and website security until their website is hacked.


Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.


Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.


Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.


For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.




That’s all. We hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.




The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.







Shared Hosting Security: Protecting Yourself From Hackers




When your website functions as part of a shared hosting platform, there are only a few basic steps that you can take to protect the website from hackers and other users on the server that don’t act responsibly. For the most part, your website will be managed by the hosting service. However, your best interests aren’t always what they are looking out for. Hosting companies may be forced to make decisions that influence your hosting environment in order to protect the hundreds to thousands of users on the same server.

Make Regular Backups

Your web hosting company tells you that it makes regular backups, but you should never rely on these services to protect the information on your website. Use the web hosting company’s backup as a fail-safe measure, but make sure to create and maintain your own backups off-site. Using a simple file manager (or better still, use cron) you can download all of your website files to your computer. Make sure you download any databases that your website needs to function as well.

Keeping Your Site Clean

If you aren’t using an email account, remove it from your server. Email accounts, FTP accounts and other unused applications should be removed if they aren’t being used. Look for any unneeded files and remove those as well. Extra files make backups take longer, and the fewer files on a website, the better the chances of finding something that doesn’t belong there.

Most importantly, if a script is not being used on your website, remove it as soon as possible. Hackers love to take advantage of out-dated scripts that the website owner has forgotten about.

Password Protection

If you are using SSH or multiple FTP accounts, use a different password for each account. Hackers that gain access to one of your passwords can quickly damage your website if all of your MySQL databases, FTP Accounts, CMS installations and anything else that uses a password all use the same password. Once you have changed your passwords, change them regularly and always update passwords with a strong password that consists of letters, numbers and symbols.

Avoid using common phrases or words as those passwords in many cases can be cracked quickly. If you are using a CMS such as Joomla, Drupal or even an LMS such as Moodle, password protect the web address for the administrator login. This adds another level of protection and makes it more difficult for hackers to identify which application is running on your server.

File Permissions

There are several private areas on a site that should never be accessible to the public. Make sure your permissions for read-only files are set appropriately. Setting all files to 7-7-7 is an invitation to hackers to access your website and change or delete required files. When changing permissions you have to be careful. Often content management systems require specific permissions to operate effectively. Before changing any permissions, take note of the current permissions. This can be done easily with a screenshot. If the website stops functioning, you probably changed a permission you shouldn’t have. Consult the documentation for any application you have running on your website.

Application Updates

Regardless of what applications or software you are using on the website, subscribe to security releases and updates relating to your application. When a new CMS update comes out, don’t wait for Fantastico or other auto-install scripts to update with the latest upgrade. Learn how to perform upgrades on your own and make sure to keep everything up-to-date. Updates protect your website from known security vulnerabilities and will greatly improve your ability to keep hackers from taking advantage of older out-of-date software.

Monitor Your Scripts

While it may seem convenient to allow opportunities for users to share your website with friends, this is an open invitation for hackers to use your website to send unsolicited email to thousands of users. Make sure that any script you use is updated regularly and protected against hackers. One way to accomplish this is to keep email forms off the public area of the website. Use password protected logins to make sure that only registered users can access certain, more vulnerable areas of the website.

Forums

If you have forums on your website, disable the option for people to inject code, use Java applets or use HTML on your public forum posts. You can always ban users that have to register on your website if you find one of them is using malicious code. However, for public forums, you have to take additional security precautions to ensure that hackers can’t inject code on your website.

Java Applications

Java offers incredible flexibility and makes it possible for website developers to create custom applications.

It also provides information about users’ computers and can be accessed by knowledgeable hackers to exploit users of your website. Reduce this possibility by providing access to special features only to users that have registered on your website. It won’t eliminate the possibility of injectable code being utilized on your website, but it will provide more security for your shared server.

Protect Your Computer

Your FTP program may be compromised simply by using an unprotected computer. There are malware and viruses that are designed to exploit FTP programs and gain access to your website’s files. Protecting your computer from viruses, spyware, malware and hackers is essential. Make sure you install a reputable antivirus program that has the ability to track intruders on your machine. If you aren’t using the Internet, disconnect to prevent hackers from accessing your system.

Store Sensitive Information Offline

Don’t store your passwords and other sensitive information on any computer that has access to the Internet. Hackers can get into your computer often without you ever knowing. If they access your passwords, then any password they obtain can be used to access private files, banking information or anything else that you store online.

CMS Installations

Content Management Systems such as Joomla, WordPress, and Drupal are commonly used for their simple and easy to use interfaces.

However, if a hacker knows what version you are using they can exploit vulnerabilities to gain access to your website. When possible, hide your plugins and make it difficult for browsers to identify what CMS you are using. There are often extensions that can be installed that automatically remove this information from files on your website.

Safe-Mode

PHP scripts exist that allow users to access information on a shared hosting environment. Ensuring that your PHP settings are correct and prevent non-authorized users from executing scripts provides a level of protection. To do this, make sure “Safe-Mode” is turned on. Safe mode exists only in PHP versions before 5.4, where the setting was removed. If you don’t know how to do this, a simple ticket to your web hosting company’s tech support should resolve this issue. Without “Safe-Mode” it is possible for users to run a script that lists all of your passwords, files, directories and other sensitive website information.

Use Databases

Don’t store sensitive information in a file on your website. Use a database to store and protect your sensitive user information from hackers. With most applications, the database is used automatically. However, some applications offer the option to use the server hard drive or the database to store session information. Whenever possible, use the database option to provide an additional layer of security on your website.

Configure .htaccess

Linux websites have an option for website users to set privacy preferences in a .htaccess file. There are several code snippets that you can insert into the file to make your website more secure. Prevent access to your .htaccess file and set its permissions to 644 so that users visiting your website can’t access the file. Additional measures include restricting access to certain file types, preventing unauthorized browsing of the site directory, changing the default index page to make your website more secure, disguising script extensions, and restricting directories to the local area network or a specific IP address so that only you have access to files.
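The permission advice under “File Permissions” (nothing left at 7-7-7) and the 644 setting for .htaccess above can be checked with one audit script. This is an added example, not part of the original article; the function names, the findings wording and the demo directory tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_permissions(root: str) -> list[tuple[str, str, str]]:
    """Walk root and return sorted (relative_path, octal_mode, finding) tuples.

    Flags anything writable by every account on the server and any
    .htaccess file that grants more than 644.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: inspect the entry, not a link target
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink carry no meaning
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, f"{mode:03o}", "world-writable"))
            elif name == ".htaccess" and mode & ~0o644:
                findings.append((rel, f"{mode:03o}", ".htaccess looser than 644"))
    return sorted(findings)


def build_demo_tree(root: str) -> None:
    """Create a constructed sample site: one sane file, three problems."""
    os.makedirs(os.path.join(root, "uploads"))
    layout = {
        "index.php": 0o644,   # fine
        "config.php": 0o777,  # the 7-7-7 case the article warns about
        ".htaccess": 0o664,   # group-writable, looser than 644
        "uploads": 0o777,     # world-writable directory
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
        os.chmod(path, mode)  # chmod sets the exact mode, umask is ignored


def demo() -> list[tuple[str, str, str]]:
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return audit_permissions(root)


if __name__ == "__main__":
    for rel, mode, finding in demo():
        print(f"{mode}  {rel}: {finding}")
```

Run it against a copy of the site or a read-only mount first, and record the reported modes before changing anything, as the article advises.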

Hosting Company

One of the best ways to secure your website is to choose a website hosting company dedicated to preserving your information. Not all website hosting companies offer the same level of security – this is why you need reliable hosting reviews like mine ;). Ensure that your host has the knowledge and staff to monitor website activity and stop hackers before they have a chance to access your website and files by using scanners and other industry-grade protection.

Final Considerations

Shared hosting provides an unsecured environment that makes it possible for hackers to potentially access and steal data from your website. There are only so many options you can use to protect your website from hackers on a shared server. Consider purchasing a dedicated, semi-dedicated or VPS if you are storing important user information. Never collect credit cards or personal information if you don’t have an SSL certificate installed. If a hacker gains access to your users’ credit card information, you could be held personally responsible. For any issues that you don’t feel comfortable correcting on your own, consider hiring an IT professional or enlisting the help of your hosting server to secure your website.


Page 23 – Web Hosting Secret Revealed




Website Security: Why Go WP Engine For WordPress Hosting




Back in year 2009, I had some problems with WHSR server speed (http://www.webhostingsecretrevealed.com/featured-articles/bluehost-hostmonster-user-alert-cpu-throttling/) and spent tremendously long hours looking for (and working on) the right fix; then in mid 2010, being paranoid of hackers, I spent sleepless nights learning how to safeguard my WordPress site – I ended up subscribing to VaultPress, costing me extra /mo (ouch).

If WPEngine (http://www.wpengine.com) had existed earlier, I would have saved my time for other stuff – drink more beer, go to the gym more, travel more to other countries, make more money; or simply, play more StarCraft2 and get a better league ranking ;).

What I Like About WP Engine Security Features


In this post, I am going to share with you a few security (and stability) factors that made me decide on the switch.

1. No Overselling Host

Unlike most other hosting companies, WPEngine does not oversell. Excess RAM is allocated to keep all non-media file system cache in RAM (this makes your site load faster), and the load balancer ensures your server's average CPU load never exceeds 0.2 per CPU at any time.

And if for some reason your site needs more CPU power than usual, an extra cluster server will be provided (which is my next point).

2. Extra Cluster Server When Necessary

Worried about Digg or Slashdot impact? Stay on the safe side with WP Engine. In case your server is down or overloaded, WPEngine will reroute your site traffic to another server. Generally, this means your site gets 100% uptime with WPEngine.

3. Content Delivery Network Feature

WPEngine is the only WordPress hosting that comes along with a CDN feature. The bundled service is an advantage because, one, it’s much cheaper; and two, best of all, the technical staff will configure everything for you.

4. Instantaneous WordPress Auto Upgrade

WordPress upgrades are vital – they protect your WordPress websites against known threats and bugs. All WordPress installations at WPEngine are upgraded the same hour as a security patch is released.

5. Hacker Cleanup Guarantee (HCG)

WPEngine’s HCG is another wonderful feature that lets me sleep well at night. What’s included in this guarantee is that, if your site ever gets hacked (which is quite unlikely), WPEngine has a clearly written procedure on how to handle the situation and the management guarantees to clean up everything for you.

Jerry, Why Are You Blowing WP Engine’s Trumpet?


In case this blog post looks like a sales letter to you, my answer to you is "No, it is not!".

Please do not take this in the wrong way.

I am not here to sell you anything. I am simply explaining why I made the decision to switch my host to WP Engine and why these factors matter. Furthermore, I am not saying that WP Engine is the right host for everyone. In fact, I have listed a few drawbacks of the web host in my recent WPEngine Review (http://www.webhostingsecretrevealed.com/wpengine-review/), so make sure you read them thoroughly in case you are a potential buyer. Also, you can visit the host online at http://www.wpengine.com.


Page 25 – Web Hosting Secret Revealed




Web Hosting News Update: Changing Cloudscape, Stopping Hackers and Security Upgrades




If there is one thing that is certain, it is that news in the category of web hosting changes often. In this news update, TSW takes a look at trends in cloud hosting and the changing cloudscape, what Google’s HTTPS algorithm means for website owners, important security upgrades, and a new system for blocking brute force attacks on WordPress.

Changing Cloudscape and Where Cloud Hosting Is Headed

Although the concept of cloud computing dates back to 1999, when salesforce.com and Google launched consumer cloud services, the market has grown throughout the 2000s.

There is little doubt that cloud-based infrastructures are growing in popularity and that trend will likely continue into the next decade and beyond. The big names in hyperscale vending, AWS, Google, Softlayer and Microsoft, are offering cloud services at discounted rates and price matching one another. The goal is to secure the majority of market share in the coming few years, maintain those clients and make a profit with sheer volume plus add-on sales. Look for great deals in cloud hosting in the next few years as the big four and those coming up behind them, such as Amazon, battle it out to see who the top dog in cloud hosting will ultimately be.

For readers who are keen to dig deeper, here are the pricing pages from Google Compute Engine (https://cloud.google.com/products/compute-engine/), Amazon AWS (http://aws.amazon.com/ec2/pricing/), Microsoft Azure (http://blogs.msdn.com/b/windowsazure/archive/2014/03/31/microsoft-azure-innovation-quality-and-price.aspx), and IBM Softlayer (http://www.softlayer.com/virtual-servers). Adrian Cockcroft has assembled his own spreadsheet summary of instance specifications from the above vendors: http://bit.ly/cloudinstances.

WHMCS Urges Security Upgrades

If you’re using a proxy service such as CloudFlare with your WHMCS installation, note that the site released a security update on their blog (http://blog.whmcs.com/security.php) urging customers to update. The update provides an IP detection logic system to improve security features. The blog post states, “The update includes a significant update to the low-level cryptographic routines used for admin authentication. These changes will affect any 3rd-party integration which directly accesses the admin user database table; they should not have an observable impact on installations otherwise.”

Protecting Your WordPress Website

Automattic, the company that oversees WordPress.com, released an announcement that it has purchased BruteProtect. BruteProtect is a plugin combined with a service that protects website owners using WP from hackers. BruteProtect will be part of Jetpack and thus will be installed with a single click. Malicious logins can threaten the health of your site and business, so this is a welcome acquisition for WordPress-based sites.

Google’s HTTPS Algorithm Changes

It’s probably no surprise to website hosts that Google has yet again added another element to how they rank websites. This time, their focus is on how secure your website is. They stated on the Google Blog (http://googlewebmastercentral.blogspot.com/2014/08/https-as-ranking-signal.html):

“Over the past few months we’ve been running tests taking into account whether sites use secure, encrypted connections as a signal in our search ranking algorithms. We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal.”


Preference will be given to sites that offer visitors a secure HTTPS connection. Google’s focus on security may lead to development of more products and stronger security measures from hosting providers. In the meantime, you can talk to your web hosting company about what they will be offering in light of Google’s latest focus.

The Internet is fluid and web hosting news changes from day to day. WHSR will always highlight the top concerns website owners might have about hosting and bring you the latest updates. However, it is impossible to cover everything. If you have something to add to this list, please share your news in the comments section below.


Page 12 – Web Hosting Secret Revealed