For quite some time, MD5 was the standard for hashing passwords, but today it is considered insecure and obsolete. Nowadays, WordPress adopts contemporary and more trustworthy algorithms such as bcrypt, but such protection is of no use should the website be poorly designed and use old plugins and other legacy software.

In this article, we share why MD5 is not trustworthy and share some tips on how to prevent WordPress MD5 hash decrypt exploits, to make your WordPress more secure and reliable.

What is MD5 Hash

MD5 is a system that hides your password behind a string of random symbols. For example, if your password is “abc123”, via MD5 it is masked like 0192023a7bbd73250516f069df18b500. This approach is designed to help you keep your password safe, and when working with databases, still see a hashed version of the pass, so no one steals it right away.

However, MD5 is already an old and obsolete technology that can be easily hacked. This is why contemporary developers have turned to other password protection methods and have slowly and completely abandoned MD5.

Read also: How to Change WordPress Password

Does WordPress Still Use MD5 Hash

New versions of WordPress no longer adopt MD5 hash, and instead they rely on PHP protection that is considered way better than the old-school hashing method.

However, there’s a chance your website can still use MD5 hash. Such occasions might be:

• You migrated a WordPress website and user database from an old system
• You use old versions of WordPress plugins
• You are using an old version of WordPress.

Regardless of the occasion, to prevent your website from being easily hacked, follow our tips in the next sections.

How to Prevent WordPress MD5 Hash Decrypt Exploits on Your Website

There are many steps you can take to prevent WordPress MD5 hash decrypt exploits and make your website more secure and reliable. Here are some suggestions.

1. Update WordPress Core

A simple way of preventing MD5 decrypt exploits and improving your website’s security is by using a fresh copy of the latest WordPress version available. It is highly advisable to constantly check and install updates, as they provide you with one more layer of protection. Read how to update WordPress and take the first step in preventing MD4 hash exploits on your website. Also, when updating WordPress, don’t forget to back up your website as a protection from unforeseen events.

Read also: How to Restore Your WordPress Website From a Backup

2. Update WordPress Plugins

A second straightforward method of preventing MD5 hash exploits is by updating your installed plugins to the latest version available. Similar to WordPress core, plugins should be constantly updated to make sure they function properly and don’t create technical issues on your website. As a rule of thumb, always use plugins from reliable developers and always back up your website before installing and using plugins.

3. Rehash Old MD5 Passwords

Should you use an old version of WordPress, chances are that some stored passwords are still hashed with the MD5 hash. Luckily, WordPress can update the old passwords the next time a user logs in. To make it happen, you can create a simple plugin and activate it on the go.

To start the process, log in to the AwradSpace hosting panel and head to File Manager:

Then, open the root folder of your WordPress website and head to wp-content/:

Then, open the plugins/ folder:

Inside, create a new folder by clicking the blue Create button at the top of the page:

From the options, select Create Directory and name it as you wish, for example, MD5 Rehash:

Then, open this older and inside, create a new file. To do so, click on the Create button at the top of the page and select the Create File options. Add a name to the file, and make sure to add a .PHP extension:

Then, open this newly created file and add this string of code inside:

<?php
/**
* Plugin Name: WP MD5 Rehash on Login
* Description: Upgrades legacy MD5 password hashes to WordPress’s current algorithm on successful login.
* Version: 1.0.0
*/

add_filter(‘check_password’, function ($check, $password, $hash, $user_id) {
// Detect an MD5 hash (32 hex chars) and verify it against the typed password
if (is_string($hash) && strlen($hash) === 32 && ctype_xdigit($hash)) {
if (hash_equals(strtolower($hash), md5($password))) {
// Correct password: immediately rehash using WordPress’s current algorithm (e.g., bcrypt)
if ($user_id) {
wp_set_password($password, $user_id);
}
return true; // allow login
}
return false; // wrong password
}

// For modern hashes, let WordPress handle the check
return $check;
}, 10, 4);

After you have inserted this string, click on the Save button, so AwardSpace applies your changes:

Now, you should log in to WordPress and activate the plugin. After you enter the admin dashboard, head to Plugins -> Installed Plugins:

Then, click on Activate, so you engage the plugin you just created:

Now that the plugin is active, this is going to happen next time a user logs in to WordPress:

• A user will log in, and WordPress will automatically check their password.
• Should the stored password be hashed with MD5, the filter you created will activate.
• WordPress will instantly update the password database to a contemporary safety system.

4. (BONUS) Update Salts and Keys

Salts and keys are long random strings of symbols in WordPress that protect WordPress users from stolen data and cookies. Should these strings be old, weak, stolen, or exposed in any other way, attackers can reuse stolen cookies to enter your website. Although not directly tied to MD5 hashing, updating salts and keys can add one more layer of protection for your WordPress website.

The first step of the process is to go to the File Manager via the AwardSpace hosting panel (as shown above) and then head to the root directory of your WordPress website. There, locate a file named wp-config.php and open it:

Then, within this file, locate these lines:

define(‘AUTH_KEY’, ‘…’);
define(‘SECURE_AUTH_KEY’, ‘…’);
define(‘LOGGED_IN_KEY’, ‘…’);
define(‘NONCE_KEY’, ‘…’);
define(‘AUTH_SALT’, ‘…’);
define(‘SECURE_AUTH_SALT’, ‘…’);
define(‘LOGGED_IN_SALT’, ‘…’);
define(‘NONCE_SALT’, ‘…’);

Within the file, they look like this:

Now, you need to replace these with new strings. To do so, open the official WordPress Salt Generator. It will generate new random strings. Once you see these, copy and replace the old string with the new ones. Don’t touch anything else within the file!

Once you have replaced the strings, click on Save, so the changes are applied:

Conclusion – How to Prevent WordPress MD5 Hash Decrypt Exploits

MD5 was a thing of beauty back in the day, but today it is obsolete and makes your website vulnerable. To prevent vulnerability issues tied to remaining MD5 hashes, you should always update WordPress and plugins, and upgrade old MD5 passwords to new versions, so you make sure your website is safe and sound.

The post How to Prevent WordPress MD5 Hash Decrypt Exploits appeared first on AwardSpace.com.

What you need to know:

A new feature in WordPress 5.7 and later allows you to quickly enable HTTPS on your website. The option is found in your Site Health settings. You just need to make sure that you have a valid SSL installed beforehand.

WordPress has long supported the ability to use HTTPS for enhanced security, however setting up HTTPS and SSL on a WordPress site has always been a hassle that involves multiple steps and various tools. Fortunately, with the release of WordPress 5.7, the CMS developers have made the process much simpler and more straightforward. In this article, we will show you how you can enable HTTPS on a site running WordPress 5.7 or later.

Table of Contents:

• Prerequisites
• How Do I Enable HTTPS on a Site Running WordPress 5.7 or Later?
• Additional Tweaks
• Conclusion

Prerequisites

WordPress will surface the option to enable HTTPS only when it detects that you have a valid SSL certificate installed. As such, you need to get an SSL certificate for your website before you can proceed further with this tutorial.

Important:

You must ensure that your SSL certificate is properly configured and fully operational before proceeding. If in doubt, you can reach out to the Technical Support Team for assistance.

At this point, we should mention that SSL certificates are considered an advanced hosting feature. Therefore, only our premium shared hosting plans and Semi-Dedicated servers support SSL. If you are still using our free hosting service, then you would need to upgrade before you are able to take advantage of HTTPS.

How Do I Enable HTTPS on a Site Running WordPress 5.7 or Later?

With the release of WordPress 5.7, the basic setup of HTTPS has become a one-click task. Here, we will guide you through each step:

1. For starters, you should log into your WordPress Dashboard:

2. While you are on the Dashboard, look for the Site Health Status widget:

3. In the widget, there should be a link that invites you to visit the Site Health screen. Click on this link.

Tip:

If you cannot find the Site Health Status widget or the link contained therein, you can simply select the Tools menu item and choose the Site Health option from there.

4. Once you arrive on the Site Health screen, look for a recommended improvement that mentions HTTPS:

5. Click on the HTTPS recommendation in order to expand it and view its details.
6. You will see a button that says Update your site to use HTTPS. Click on it.

6. That’s it! Just like that, your site was updated to use HTTPS:

The HTTPS migration tool provided by WordPress is truly a one-click solution that makes it straightforward and easy to use. Unfortunately, at its current stage, it leaves one notable security hole open that needs to be dealt with manually. We will describe this security hole in the next section and show you how to fix it.

Additional Tweaks

While the WordPress one-click HTTPS setup is very handy and convenient, its current version (5.7.2) leaves out one essential security setting – the ability to force a secure connection from the moment a visitor tries to access the website. In other words, if a visitor uses http:// to access your website, they would not be using HTTPS for that initial connection. Fortunately, there’s an easy fix for that.

In fact, we have already covered this fix in a whole separate guide about redirecting HTTP traffic to HTTPS. We recommend using one of the three .htaccess options to force a secure connection for your WordPress site.

Below, we will show you the before and after versions of our WordPress .htaccess file. We will be applying the third .htaccess option in the after version.

The default WordPress .htaccess contains:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

The above directives do not force a secure connection in any way, which is why when you navigate to your website without specifying https://, you may see a Not Secure warning, like the one shown below:

And here is the .htaccess file once we have included the additional directives:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

With this upgraded .htaccess file, all visitors will be redirected to a secure version of your homepage:

And that’s it! Simply saving your changes will be enough for the changes to take effect immediately.

Tip:

If your WordPress site still does not force a secure connection even after saving your changes, you should try clearing your web browser’s cache and cookies, or alternatively, you may try using a different web browser.

Conclusion

Undoubtedly, the addition of a 1-click HTTPS enabler is one of the best features to come with WordPress 5.7. It transforms the error-prone process of manually editing your site configuration and database into a straightforward solution that is safe and fully automated. We truly believe that this will result in fewer broken WordPress sites and a safer web for all of us.

The post How Do I Enable HTTPS on a Site Running WordPress 5.7 or Later? appeared first on AwardSpace.com.

If you have a using a strong password to protect your website, and it is hard for unwanted users to enter your WordPress admin panel, you are halfway there. Yet again, it will be best to take stricter measures to protect your web property.

Read: Internet Security: Trends You Absolutely Need to Know About

Getting optimized and secured WordPress Hosting is just one part of making your WordPress website securer. Let’s find out another step that you can take in the direction of protecting your web estate.

Why Limit Login Attempts in WordPress

As you probably know, one of the most common website attacks is the so-called brute force attack. In essence, it is an attempt for your password to be unraveled by endless tries and errors. In a way, if your password is strong, you don’t have to worry. But still, the bots used to do this kind of work, are getting smarter and smarter.

That means that there is, in fact, a danger. And you should give your best to prevent bad things to happen to you.

If limiting WordPress dashboard access is not an option in your specific case, the next best thing is to use a strong password, and limit the number of login attempts to your WordPress.

Doing so will likely help you to catch the origin of the possible brute force attack, and block the IP.

The bots that are performing brute force attacks are able to sometimes enter the dashboard of a website because they make thousands and thousands of attempts in the time that a real human can only make 3 or 4. And the bots are doing so automatically. If you limit the number of attempts allowed in a given period of time, you’ll significantly slow down the attack, so you can react.

How to Limit Login Attempts in WordPress

To limit the number of possible login attempts in WordPress, the easiest way is to install a plugin. And surprise, surprise! the most famous plugin for limiting the login attempts is called  Limit Attempts. It is created by BestWebSoft.

Once you’ve installed and activated the Limit Login Attempts plugin, enter in its settings page, and tune the settings up, according to your preferences.

This is what you can expect to see, once you open the settings page of the plugin.

Here you can adjust the number of attempts allowed and the period on which the ‘sessions get reset’ and thus, the user will be able to attempt once again to enter his or her profile.

The post Limit Login Attempts in WordPress appeared first on AwardSpace.com.

Having the right tools in hand can significantly reduce the risk of cyber-crime attacks and can make your website a safer place for you, as a web administrator, and your visitors.

8 Ways to Strengthen the Security of Your WP Admin Panel

Below is a list of suggestions on how to secure the admin area of your WordPress blog:

Keep your WordPress instance and plugins up-to-date

One of the most important keys to ensure the highest level of security for your application is to regularly update your Content Management System and its plugins. WordPress updates (patches) contain bug fixes and provide protection against exploits of vulnerabilities.

The most convenient way to upgrade your CMS instance is through the built-in WordPress Updates page, available in your WordPress dashboard:

Use complex credentials

Anothey way to improve your admin panel security is by strengthening the username and password for your WordPress administrative account. If you pick strong and secure login details, it will become impossible for the hackers to get access to the backend of your site.

We also recommend you update your WordPress admin account password on a regular basis. To update your admin panel password, open the Users menu in your WordPress dashboard and click on All Users. Click on your administrative username and scroll down to the Account Management section. Enter your chosen password and press Update Profile.

It is also advisable that you pick a different nickname (Display Name) for your WordPress account.

Change your admin panel’s default URL (web address)

Changing the default URL to the admin panel (wp-login.php) can play a significant role in protecting your WordPress backend from brute-force attempts and hackers. Once changed, it will become hard for an intruder to get into your WordPress site’s admin panel.

To change your backend URL you can use the Rename wp-login.php plugin. After a successful activation, the plugin will add a new menu to the Permalinks area of your dashboard.

Once you have chosen a new login address for your admin panel, you will need to log off for the changes to take effect.

Set up a password-protection on the /wp-admin directory

Enabling password protection adds an extra layer of protection to your administrative page. When active, users will be prompted to supply a different set of credentials in order to authenticate themselves.

How Does It Work?

If a visitor attempts to load /wp-admin in a browser, a popup window will appear and force them to enter those credentials.

Protecting a directory with a password can be done via our Control Panel’s Password Protection. If you’re new to the Password Protection section, please follow our Password Protection guide for further details and instructions on how to secure a specific directory in your account.

Install Captcha

You can add more security to your WordPress Admin Panel’s login page by enabling the Login No Captcha reCAPTCHA plugin.

The Login No Captcha reCAPTCHA plugin adds an additional checkbox to your WordPress login page. Before submitting the form, users will be prompted to confirm they’re not a robot:

Limit the number of login attempts

By default, all WordPress users are permitted to access the admin area of their website as many times as they want. This gives hackers a better chance of obtaining your WP login credentials.

Luckily, there is a solution to this problem. With the help of a plugin, you can easily prevent any brute-force attack by limiting the number of login attempts to your WP admin panel.

Below is a list of some of the most frequently used security plugins:

• Wordfence
• Login LockDown
• Limit Login Attempts
• Jetpack

Allow only specific IP addresses to access your admin area

A great way to protect your WordPress administrative area is by using the Order directive within a .htaccess file.

Create a new file in the /wp-admin directory of your WordPress blog and name it .htaccess. Using your favorite editor or our built-in File Manager, open the .htaccess file you’ve created and insert the below code into it:

Note: Please ensure you replace xxx.xxx.xxx.xxx with your current IP address.

The above set of rules will grant access to the backend of your site ONLY to your local IP address. All requests coming from a different IP address or network will be denied and will produce a Forbidden error:

The post How to Secure Your WP Admin Panel appeared first on AwardSpace.com.

And while building a WordPress website, it would be wise to think of liming WordPress dashboard access. Which is, in essence, the same as blocking IP addresses from a WordPress site.

Doing so will limit the IP addresses from which one can access the wp-admin and wp-login.php pages of your WordPress website.

There are a number of ways to achieve that. Say, by installing a plugin to your WordPress website. Yet, if you choose to do it that way, there is a possibility to diminish the performance of your website.

Read:  WordPress Performance Optimization

Thus, the best way to limit WordPress dashboard access is to get in your .htaccess file and fill in the IP addresses from which you enter your website.

Find the Htaccess File in WordPress

In order to edit it, you need to know where to find the htaccess file of WordPress.

The WordPress htaccess location should always be the same. Yet, there is a possibility for the file not to exist in your WordPress installation.

Here is what you need to do in order to find the htaccess file if there is one, and to create it if there is none.

Login to your AwardSpace account, and go to the file manager, which you’ll find on the first screen.

Once you enter the file manager, go to the folder of the website whose dashboard access you want to restrict.

When you enter the folder of the website, you’ll probably see that there is an htaccess file in the main website directory. You shouldn’t edit this file, as it is the file that commands the whole WordPress installation.

To limit WordPress dashboard access, go to the wp-admin folder, which you’ll see on the same page.

In this folder, you can either find an htaccess file or not. If there is one, go to the next step and start to edit the htaccess file of WordPress.

If your installation doesn’t have such a file, just create it, by clicking on the Create button at the top of the page.

When you click that button, a pop-up will emerge. It will offer you to create either a file or a folder. Click on the Create File: option, and fill the text field with .htaccess.

After you’ve typed .htaccess in the field, click the Create button. Right after that, a new file will emerge. What is left to do is to edit it.

How to Edit Htaccess File WordPress to Limit the Dashboard Access

We are at the end of the process. What is left for you to do is to just double-click the newly created file and fill it with the right text.

But beforehand, there is one mini step you need to take. Find your IP address, so you can put it in the empty file.

To find your IP address, you can just write ‘my IP’ on Google, or go to this website, for example.

Now that you know your IP address, go back to editing the htaccess file.

In it you need to type the following:

order deny, allow
deny from all

allow from 11.11.111.111

Where 11.11.111.111 is your IP address.

To give yourself the chance of editing your website from multiple IP addresses (say one from home, and one from your office), just add a second allow from row, like this:

order deny, allow
deny from all

allow from 11.11.111.111
allow from 22.22.222.222

The post How to Limit WordPress Dashboard Access appeared first on AwardSpace.com.

What Is an SSL Certificate?

SSL was originally developed in 1994 by a company called Netscape. SSL stands for Secure Socket Layer and allows you to view web pages in a secure manner, via HTTPS. Its main purpose is to protect and encrypt transmitted data over the Internet.

Why Is It Important to Have an SSL Nowadays?

Enabling SSL/HTTPS adds an extra level of protection and security to your online pages. When active, SSL protects sensitive information (such as passwords, and credit card details) from being viewed and compromised by third parties. It can also help improve a website’s ranking on search engines.

Having a non-secured page increases the risk of losing potential customers and can lead to a significant drop in sales. That’s why it is recommended to consider SSL for your online page.

How Can I Know If My Website is Not Secure?

A web page will be marked as unprotected if it lacks an SSL certificate or has no HTTPS enabled on it. Additionally, browsers will display a Not Secure message in the address bar of your website.

The screenshot below illustrates what a non-secure web page looks like:

How to Make WordPress Run Over HTTPS and Avoid Any Warning Messages?

You can secure your existing WordPress blog in 3 easy steps:

Step #1: Obtaining an SSL Certificate

When it comes to securing a web page, there are three types of SSL certificates to choose from:

• Dedicated (premium) SSL certificate. Premium SSL certificates have a validity period of up to 2 years and can be purchased directly via the AwardSpace Control Panel’s SSL Certificates section.
• SSL certificates are obtained from an external SSL authority (provider).
• Let’s Encrypt certificates. Let’s Encrypt certificates come free of charge and are valid for a period of 90 days. To get your free certificate, submit a support ticket from your Hosting Control Panel and request Let’s Encrypt for your desired hostname.

Note: It is important to mention that each individual SSL certificate requires a private IP address. Private IP addresses can be purchased from the SSL Certificates page.

Step #2: Installing the SSL Certificate on the Server

Installing a premium SSL certificate can be done within a matter of clicks:

• Sign in to your AwardSpace account and navigate to the SSL Manager page.
• Click on the hostname you’ve purchased an SSL certificate for and open the Upload Your Certificate tab.
• Copy and paste the root certificate, your private key, and intermediate (CA) certificate into the corresponding boxes and press Upload SSL Certificate.

Please kindly review our quick SSL Certificate Installation guide for detailed instructions on how to get your certificate installed on the server.

Step #3: Configuring WordPress to Work with HTTPS

Now that you have your SSL certificate installed, it’s time for you to configure WordPress to work over SSL.

Configuring an SSL certificate in WordPress is seamlessly easy and requires no coding skills.

Here’s a step-by-step guide on how to redirect the HTTP version of your blog to HTTPS:

1. 1. Log in to the admin area of your WordPress website.
   2. Once logged in, please navigate to the Settings page.
   3. Change the WordPress Address (URL) and Site Address (URL) fields from http://mydomain.com/ to https://mydomain.com/.

1. Press Save to submit the changes you have made.

That’s it! WordPress is now configured to use SSL and can be accessed securely.

Mixed Content Warning Appears After Enabling SSL

If you’re seeing a Mixed Content warning, it means that there are certain parts of your web page (such as image, video and css files) still being loaded via HTTP.

The easiest and most straightforward way to remove the Mixed Content warning from being displayed on your page is by using the SSL Insecure Content Fixer plugin.

The post How to Install SSL and HTTPS on a WordPress Site appeared first on AwardSpace.com.