Categories
WordPress

Reset your WordPress Website Lost Password From cPanel in 4 Simple Steps

Are you stuck outside of your WordPress website admin panel & cannot use “Forgot Your Password” feature for any reason?

If yes, this small step-by-step article will help you recover your WordPress websites’ login credential from the database in Cpanel (web hosting control panel software).

How to Recover WordPress Password from cPanel?

Step 1: Login to your cPanel (yourwebsite.com/cpanel)

You can type /cpanel after your website URL (www.example.com/cpanel) & you’ll be redirected to the cPanel (credentials are provided by your hosting provider, try checking your email with the search term “cpanel” if you don’t remember your credentials).

Step 2: Locate the database section & go to “phpMyAdmin”

phpMyAdmin is a popular tool for database management & you can find it inside of your cPanel dashboard. Just hover down to the database section & find phpMyAdmin. Or use the search tool inside of cPanel.

In database section inside of cPanel, you will find phpMyAdmin or you can use the search bar the the top

Step 3: Find The WordPress Website Database

Once you’re inside of phpMyAdmin area, you would see an expandable hierarchy at the left sidebar. This includes the databases you’ve created till now, you need to expand the table & find the database that you’re using for the WordPress website (of which the password is lost & you want to reset it).

To get to the username & password files of your WordPress website, we need to locate the website database first. Database name hierarchy are available at the left sidebar

How do I know which database is associated with which WordPress Website?

Considering the above example, the database names are in alphanumeric patterns which is hard to differentiate & recognize. This happens when we do not rename the default database name at the time of WordPress installation. To find out which is the database for what website, simply expand the table & analyze the file names. For example, if you see a file name with “WooCommerce” in it, that indicates this database is associated with your WooCommerce Website.

Coming to the point, what we are looking here is for a database file that stores registered users’ information. This file would have the term “users” in it.

See screenshot below:

Inside of your website database folder, you need to find wp_users or similar file that includes the registered user details - including the password

Step 4: Reset password by editing the user details

Once you locate the user’s file, you will see a list of registered users. Locate the user you want to change the password of & click on edit.

See screenshot below:

The user_pass that you see here is the password in an encrypted format. We need to put our new password here & save it.

Before changing the password, make sure the function is set to “MD5” as shown in the screenshot below

from the dropdown cell in column user_pass, select function as MD5 and type your new password & save.

Once you save it. Your password is reset & now you’re good to go.

If you found this article helpful, please leave a comment below & don’t forget to check out my other articles on WordPress.

FAQs About Recovering Lost Password in WordPress from cPanel

How to check WordPress password from cPanel?

You can see your username but can’t see your password from cPanel. However, you can reset your current password by following the steps explained in this article above.

Categories
WordPress

Create & Sell Online Courses: Free Yet Best LMS Plugins For WordPress

If you’re planning to create, host & sell online courses or related education material on your WordPress website, this article has got you covered.

To enable this, there are a bunch of LMS plugins available for WordPress, some are paid & some are free – depending on the features & requirements.

All the plugins mentioned in this article do have a free version as well as paid. A free plugin can suffice your needs if you’re a small business or an individual creator.

This article is based on Public reviews of the product as well as my personal experience as I’ve installed each plugin & tested it out. Rest assured & keep reading, the content is not biased & note that the plugin listing order is not based on rankings/score.

1. LMS by LifterLMS (Freemium)

It’s an online Course, membership & learning management system plugin for WordPress built by LifterLMS.

This is a fantastic plugin with awesome features & is user-friendly for beginners. The plugin is incorporated with many options that you would need to create & sell online courses in few simple steps.

LifterLMS is super-friendly for course creation! Most of your plans & thoughts can be achieved with this solid tool by merely customizing to your own taste.

LMS by LifterLMS - Online Course, Membership and Learning Management System plugin for WordPress

Customer Support: Customer support is great & they take your issues very seriously. The team knows that feedback is the backbone of any business & that’s what they are focusing & leveraging on. They are knowledgable, active & very helpful. Their community (Facebook group, forum) & responsive customer service is all that you need for any advice and help.

System Requirements

LifterLMS has no additional requirements other than those required to run WordPress. WordPress system requirements can be found at https://wordpress.org/about/requirements/

Recommended Minimum Requirements

  • WordPress version 5.6
  • PHP 7.4
  • MySQL 5.6 or greater or MariaDB 10.1 or greater
  • Nginx or Apache with mod_rewrite module

LifterLMS Freemium Features:

  • Separate courses for users using course difficulty tags/filter (Beginner, Intermediate, Advanced)
  • Content restriction & prerequisite options available for users who attempt to access course content directly without enrolling & to set a prerequisite course or course track before enrolling
  • Set Enrollment Period: set registration start and end dates for your courses
  • Course Time Period: Set start and end dates for this course. Content can only be viewed and completed within the selected range.
  • Course Capacity: Limit the number of users that can enroll in this course.
  • Student management options also available
  • Engagement options to trigger events based on students’ behavior. For example, trigger an engagement count when a student completes the quizzes
  • You can also sell memberships

LifterLMS Plans & Pricing

The core plugin with minimal features is available for free, and to extend functionalities, below are the plans & pricing of LifterLMS

LifterLMS plans & pricing

LifterLMS Pros:

  • Freemium for Non-Profits: It’s free if you are not accepting any payments for the courses.
  • Resources for starters: The team keeps on publishing valuable resources & detailed (video) instructions to help you through the entire journey – from website layout, setup of your first online course & even helping with custom websites if requested,
  • Super Customizable LMS: The customizable features offered by Lifter LMS are commendable & you can make it suit your requirements.
  • It seems like the ThimPress team has made this product a killer piece. Why I am saying this? Have a look at their reviews & date patterns in different reviews. The five-star reviews are recent & they haven’t got any bad reviews from the past few years. That’s a good sign. What do you think?
  • Plenty of features (listed above already)
  • The courses are easy to navigate and use by students.
  • LifterLMS comes with some already built pages (or say templates) that you’d need & if you are a bit familiar with CSS, you can apply your own styles.
  • Helpful documentation for developers

LifterLMS Cons:

  • Even though the plugin is compatible with most of the themes, you still need to check if it is working for you or not. The good thing is that you don’t need to start from scratch & spend time checking this – there is already some demos import course content available that you can use.
  • You need to upgrade to a premium plan if you want to sell your courses & accept payments. This is a good thing for small businesses as setting up everything takes time & you don’t want to pay 60 bucks or more during this phase when your website is not even online yet. When everything is done, you can easily switch to the paid add-ons or bundles.

Conclusion: The plugin is awesome and backed with small but important features – some of them as we discussed above. The customization is also user-friendly & beginners can also use this tool. Head over to the plugins section, install it, import some content & check if the plugin works well with your theme or not.

It is a highly recommended tool by many, and many can’t be wrong 🙂

2. LearnPress – WordPress LMS Plugin (Free)

LearnPress is a free LMS plugin that comes with power-packed premium LMS-like features. Backed with a good technical team & community support, LearnPress has seen signifant growth in the past few years & is competing with many old players in the market.

LearnPress - WordPress LMS Plugin

Customer Support: LearnPress is built by ThimPress & they offer pretty good support to their users. If you might experience any bugs or errors, you can simply report them to the team. The team answers your queries very comprehensively & they will soon start working on the fix. In many cases, the team respond to your & even fix your issues within 48 hours – which is pretty commendable when you are using the tool for free

System Requirements: Compatible with basic WordPress installation

LearnPress Freemium Features & Addons:

  • Supports multi-site
  • Create, manage & sell courses: User-friendly interface with users statistics dashboard & payment integration
  • Course content export/import feature available
  • Communicate with students
  • Student List Add-on
  • Coming soon addon page
  • LearnPress – Course Review

You can view complete list of free as well as paid add-ons by LearnPress here.

LearnPress Plans & Pricing

LearnPress Plans & Pricing

LearnPress Pros:

  • Since the customer support is great, the team keeps on updating the plugin – which ensures safety, performance, bug fixes & more.
  • Good customization features available for techies – the plugin is developer-focused & if you have coding skills or you are a small team with a tech guy – you can customize it than other LMS plugins!

LearnPress Cons:

  • There are cases when this plugin broke the website theme & layout (especially when used with the WooCommerce plugin), so it’s important that you take a backup of your website to restore if something goes wrong.
  • While LearnPress offers comprehensive features, but you might still need some additional plugins for few more features. To ensure safety & speed, the LearnPress team should work on extending the features.
  • Some fatal errors have been reported by users, but there are many who love this tool too.

Additional Information:

Recommended themes:

  • Eduma
  • IvySchool
  • CourseBuilder
  • ElearningWP
  • CoachingWP
  • Academy LMS
  • Education Pack

Conclusion: The plugin might be free with comprehensive features, but it is still half-backed with important features. If you’re a beginner with no or very few technical skills, this tool might be not the best for you. However, nothing is super perfect & you can give it a try to test it out yourself. Maybe the support offered by the team will soon make this plugin the best.

3. Tutor LMS – eLearning and online course solution

TutorLMS is one of latest LMS plugins with rich features to cater modern course building requirements. Like LearnPress, TutorLMS is also new in the market & has retained many consumers worldwide

TutorLMS - eLearning & Online course creation

Customer Support: Customer support is okay – not too good not too bad. Despite being the setup is beginner-friendly, the support team can help you get everything up in case you get stuck.

System Requirements

  • PHP – 7.0 (or later)
  • Database – MariaDB – 10.1 or later / MySQL – 5.7 or later
  • WordPress 5.5 or higher
  • Browser – Chrome, Firefox, Safari
  • Internet Explorer is not supported
  • Server Modules – mod_rewrite, cURL, fsockopen

TutorLMS Features (free version):

  • Create & Manage course
  • Limit the number of maximum students
  • Set course duration & additional details
  • Set difficulty level
  • Students management
  • Set course announcements (if any)

TutorLMS Paid Add-Ons & Features (not limited to):

  • BuddyPress integration: so that students & instructors can discuss the course and exchange knowledge within a community
  • Gradebook: to display student progress from assignment and quiz
  • Content Drip: You can set some conditions so that students can unlock lessons by schedule or when progress meets some specific conditions.
  • Paid Membership Pro: It allows you to sell memberships for students to access all of your courses.
  • Restrict Content Pro: To set restrictions on content, or say, prerequisites
  • Tutor Assignments: It helps you assign tasks to students seamlessly.
  • Tutor Certificate: It allows you to assign downloadable certificates after course completion.
  • Tutor Course Attachment: To add unlimited files to any tutor course
  • Tutor Course Preview: It gives access to some of the content before enrollment so that students can see what course they are going to buy
  • Tutor Email: for Email automation & management
  • Tutor Multiinstructors: Set & assign multiple instructors for a course
  • Tutor Prerequisites: To set a specific course as mandatory before you can enroll in a new one
  • Tutor Report: To allow students & instructors to check course progress & display course performance
  • Tutor Zoom Integration
  • Google Classroom Integration

TutorLMS Plans & Pricing:

TutorLMS Pros:

  • Beginner-friendly with the intuitive user interface.
  • A dedicated & detailed dashboard for both students & instructor
  • Tutor LMS is Multi-instructor based: An individual instructor can run a solo course selling website or an educational institute can use to collaborate, multiple instructors, & run an institutional type LMS.
  • Frontend Course Builder: This is an awesome feature that allows registered instructors to create their course from the frontend itself, they don’t need to get into the backend of a website. (this is a premium feature though)
  • Quiz Builder: You can create interactive quizzes of more than 10 types
  • Documentation & resources: Excellent documentation & tutorials (how-to guides) that a beginner can easily grasp
  • Captcha integration to avoid spam
  • Tutor LMS can be integrated with a mobile app using RestAPI
  • Yes, we offer a flat 30% discount for non-profit organizations

TutorLMS Cons:

  • The free version lack some of the important features
  • No priority support for free plan users
  • Free templates are available but not highly customizable
  • No free trial: they should provide a 15 or 30-day free trial so that users can make an informed decision

Additional Information*

Recommended themes to use with Tutor LMS plugin:

  • Skillate
  • EduMax
  • Docent Pro
  • Language School
  • Blocksy
  • Storefront
  • Astra
  • OceanWP
  • Divi
  • Edubin
  • eCademy
  • Efor
  • Turitor
  • Educavo
  • Edumodo
  • Edali
  • Edumall

Compatible Plugins (each plugin is tested with Tutor LMS plugin):

  • Cart2WP / ThriveCart
  • Groundhogg
  • WP Fusion
  • MathJax-LaTeX
  • WooCommerce PDF Invoices & Packing Slips
  • Yoast SEO
  • Funnel Builder by CartFlows
  • GamiPress – Tutor LMS integration
  • Change Author
  • BadgeOS
  • Automator
  • AffiliateWP
  • Oxygen Tutor LMS
  • Member Wishlist
  • WPML
  • Loco Translate
  • Elementor Website Builder
  • Divi

Conclusion: If you are a beginner & looking for a free LMS to use – go ahead, but if you’re a business – you need to make sure that the product would suffice your needs before purchasing the plan. Their refund policy also seems good & that’s a good sign.

Conclusion: Which LMS is best for me?

The plugins mentioned above are currently the most popular ones to enable a seamless learning management system on your WordPress website.

However, each plugin is built by a different organization & may not cater to the needs of everyone – there’s no one-size-fits-all.

Also, some of the LMS plugin working well for others might not work well with your theme & hence compatibility can be an issue.

And so to choose the best one for yourself, it’s important to download, install & check with your theme before purchasing. Don’t forget to add demo content & do rigid testing if you are a small business because any unnoticable issue might disrupt your sales as well as brand trust.

Categories
WordPress WordPress Security

90K Attacks Per Minute on WordPress Websites! Are you Secure?

WordPress is probably the best thing that ever happened to many of us who are using it.

For those who don’t know what WordPress is – it is an open-source (free to use & modify) website building & content management tool – developed & managed by some of the most dedicated folks in the World.

But despite being such a powerful & popular CMS tool, it is also the most hacked.

According to statistics from 40,000+ popular WordPress websites, more than 70% of WordPress installations are vulnerable to hacking attacks.

WordFence, a popular WordPress security plugin once reported that there are over 90,000 attacks per minute on WordPress.

These stats are extreme & clearly indicates the importance minimizing your risks of getting attacked or -hacked!

If you’re serious about your WordPress website, stick to this article to understand some common WordPress security vulnerabilities & how to prevent attackers from targeting your website:

Common WordPress Websites Security Issues/Vulnerabilities

While WordPress is very secure & is audited regularly by top developers, hackers can still find a way to exploit weak security points.

Below are some commonly-used security exploitation attempts by hackers on WordPress websites:

SQL Code Injection Attacks

Every website has some open paths that hackers can exploit & use to inject malicious scripts to your database or core website files. Any WordPress website that fails to filter user-submitted data before processing & saving it into the database, is vulnerable.

Since WordPress uses MySQL language for database, SQL code injection attacks are the most common attacks on WordPress websites.

Such malicious scripts can be injected to your website through some common user-submission forms like:

  • Contact Form
  • Website Search Bar
  • Comments Section
  • Upload Documents
  • User Registration
  • Newsletter
Contact forms in websites can cause security vulnerabilities if data is not properly sanitized & filtered - hackers can inject malicious SQL commands to your wordpress website

To avoid any kinds of script injections from these open paths, you would need to apply data filtration/validation on such forms.

Take this screenshot below for example, it rejects any other data than email:

example of form that uses data sanitization to avoid SQL injection wordpress attacks

This is how a data validation must be in place & working if you use any form or feature that allows users to submit information from the frontend.

If hackers found a way to inject any malicious data, then possibly they will further find a way to execute these scripts inside of your database & execute certain functions – eventually, you will be locked out of your WordPress website.

Brute Force Attacks

In general, a brute force attack means trying multiple & random usernames + password combinations until a successful combination is found.

Hackers create a database of some commonly used passwords & program automated scripts to attempt different combinations.

Did you know that “Brute Force” attacks have success rate of 10%.

If your WordPress login credentials are weak, there are high chances that these automated bots will finally crack a combination that works & breaks into your website.

File Inclusion Exploits

A file inclusion vulnerability allows attackers to include files on a web server through a browser. This exploit can occur when your website allows users to submit inputs into files (in file format) or upload files to the server but fails to sanitize the file before accepting.

There are two types of file inclusion vulnerabilites in WordPress:

  • Local File Inclusion – When attackers find a way to read and sometimes execute files on a website’s server.
  • Remote File Inclusion – When attackers find a way to submit a remote file in your web server

If you’re curious to know more, here is a detailed guide on WordPress file inclusion vulnerabilities.

Cross Site Scripting (XSS) Vulnerabilities

Did you know that 84% of total security vulnerabilities on the whole internet are cross-site scripting?

This is a process wherein hackers try to find ways to exploit weak websites that can be manipulated by executing malicious Javascript code within a victim’s web browser – it mostly targets the functionality of a web page.

Cross-site scripting attacks are one of the most popular attack types on websites worldwide & pose major risks to both your business & its visitors/users.

Remember that these attacks do not take over your website, instead, a malicious piece of code is inserted as an additional element with your website into the browser – which is then executed & displayed to the user.

XSS attacks can harm your website visitors by showing them a link to malicious websites or misleading them with a contact form to steal their information.

XSS attacks are & most commonly used to:

  • Take over user accounts
  • Trick your website visitors into giving out personal data by showing them a misleading form
  • Capturing login credentials
  • Stealing session cookies
  • Defacing websites
  • Injecting trojans
  • Showing disguised links to malicious websites

In WordPress, cross-site scripting (XSS) vulnerabilities occur mainly because of plugins & themes – so it is important to choose plugins & themes wisely & keep them updated.

Secure Your WordPress Website From Getting Hacked

While no technology is 100% secure & WordPress security team also works on improvising the security, as a website owner, you are also responsible to keep your website safe by following security best practices.

Below are some informative & actionable steps to prevent common security exploitations & attacks on your WordPress website:

Outdated Technology Puts You In Danger

Whenever any plugin, theme, or WordPress core update is released, it often comes with increased security by eliminating vulnerabilities & strengthening the code against malicious attacks.

Release notes are also pushed with the updates for users to read the information on what comes with the update, like feature enhancements, UX improvements, security & bug improvements.

Because attackers also keep an eye on these release notes – it could be sometimes useful for them to learn & exploit vulnerabilities that are available in the older versions (of plugins, themes, or core-updates)

WPBeginner says, 86% of sites are hacked due to outdated plugins, themes or WordPress core.

Now you might have understood why it is important to keep the plugins, themes & core WordPress updated as soon as the updates are released – it reduces the risk of your website being attacked or compromised in some other way!

Plugins Can Become The Biggest Culprits: Use Them Wisely

Since plugins are a piece of code that adds functionalities to your website, some plugins have deep access to your website, so it’s vital to be careful with these culprits that may invite hackers.

Below are some security measures to keep in mind before you choose & use plugins:

Install Plugins Only When Required

Not all features that you think good are actually good, or required!

What happens with most WordPress beginners is that they try to integrate more & more features into their website – using plugins.

However, you are liking those features because you are new to WordPress & website building. Over time, you will realize that it is best to stick with minimal & simple features.

On the top of that, there are many cons to using unnecessary plugins.

Sometimes we end up installing plugins that are not frequently updated & maintained by developers. As we have already above in this article, plugins can cause many security vulnerabilities to your website.

Not to mention, the more plugins you use, the heavy your website will be – high loading time – negative effects on SEO.

Remove Inactive Plugins

WordPress websites with more inactive plugins are tempting target for hackers.

It is recommended to remove all inactive plugins as soon as you don’t need them anymore. This is because any of these unnoticed plugins can cause security exploitations – prevention is better than cure.

removing inactive plugins keep your wordpress website more secure as these plugins if gets outdated & left unnoticed - can be used by hackers

Don’t worry, you can reinstall it anytime you want in a fraction of minutes, but website security should be the utmost priority.

Verify Plugins Before Installing

Just because plugins are freebies does not mean they are worth using. It is very important to know your plugin before you install it on your website.

things to look for before installing a plugin on your wordpress website.

As we already discussed above, plugins have deep access to your WordPress website – and so is the importance of choosing plugins only from trusted developers & businesses.

Keep Plugins Up To Date: Enable Auto Updates

Outdated plugins are dangerous as the older versions might contain security flaws. It is important to keep your plugins up to date as soon as the latest version is released.

The best practice is to enable auto-updates for Plugins directly from plugins section in WordPress admin

image to show how you can enable plugins auto update feature on to avoid security vulnerabilities caused by outdated plugins

Strict “NO” to Nulled or Torrent Themes & Plugins

What could be more foolish than using untrusted, nulled & torrented versions of plugins or themes on your website, just because you get premium benefits at no cost?

Such pirated products are primarily used to distribute malwares & contain malicious scripts.

Since plugins & themes have deep access to your WordPress core directory & database, installing their torrent versions means nothing useful but inviting hackers by yourself to gain access to your website.

These pirated plugins/themes can also contain scripts to steal information from your website – which then could be circulated on the dark web.

Securing a website isn’t a joke. Your website is like a folder available on the internet that you need to protect from unwanted/unauthorized access that can get deep into this folder, i.e into root files.

Use strong & unique passwords at vulnerable areas

Using weak passwords make your website prone to brute force attacks, so it is important to create strong and unique passwords that minimize this risk.

A strong password consist of:

  • At least 10 characters
  • Uppercase & lowercase numbers
  • Numbers
  • Symbols

Using a complex combination of different characters create a strong password.

WordPress also has a strong password generator – go to profile section in users from the left navigation & click on “create new password”

You will also find a password strength indicator there.

wordpress inbuilt strong password generator for website security
wordpress inbuilt strong password indicator for website security

It would be a good practice to use such strong passwords at every step & potential areas that connects with your like:

  • WordPress user account
  • FTP accounts
  • WordPress database password
  • Your hosting account
  • Primary / Secondary Email addresses

Avoid Commonly Used Demo Usernames

Hackers create automated bots/scripts to commit scans on the internet & attempt brute-forcing. When these bots find a WordPress admin login page, they start guessing numerous usernames & passwords combination until they guess the best.

Using commonly used usernames (as well as passwords) makes your WordPress website one step closer to a successful brute force attack.

Keep usernames that are hard to guess & avoid using commonly used ones like:

  • Admin
  • Root
  • User
  • test

Use security bridges (Firewall) to protect the WordPress admin area

To keep attackers away from brute-forcing or compromising your website security in other ways, it is recommended to create a strong firewall that prevents access of unauthorized traffic to your WordPress login panel, below are some ways to do it:

Change Default WordPress Access URL

By default, WordPress websites use the URL string: www.yourwebsite.com/wp-admin to log in inside the WordPress admin area.

But using this default URL to access the admin area makes your website one step closer to getting attacked.

C’mon, they are hackers! This is the basic thing we need to protect from them because they are well aware of this.

One quick way to secure this stage of your WordPress website is by using WordPress security plugins.

Almost every WordPress security plugin has this feature to change custom login slug

Be Cautious: It’s common to get locked out of your website if you try changing the login page slug. I would recommend you shoot an email to your hosting provider first & let them know what you are about to do.

Password Protect Admin Directory

If you don’t want to change the default WordPress access URL “wp-admin”, then you should password protect this directory from your hosting cPanel.

Just login to your cPanel account & locate the Directory Privacy icon. From here, the password protects the directory “wp-admin” & saves changes.

Password protecting this directory adds one more layer of authentication before logging in to your WordPress panel.

password protecting your directory enables a security firewall that asks for user name & password before getting the wordpress login page

Enable Two Factor Authentication

Two Factor authentication is an ultimate firewall every WordPress should use.

Many times, hackers manage to steal your exact login credentials. In such a case, using a two-factor authentication help you minimize the security risks.

Even if someone has the right credentials, they can’t log in to the admin area until a second code is provided to successfully log in.

You can enable two factor authentication based on many factors, some most common approaches are:

  • OTP via Email or SMS
  • Security Questions
  • QR Code Authentication
  • Push Notification on Other Devices
two factor authentication example for improved wordpress security

Two popular plugins for two-factor authentication are Google Authenticator & miniOrange 2 Factor Authentication to secure this vulnerability.

Limit Login Attempts

limiting login attempts using plugin can help better secure your website

You can use a plugin to limit the number of wrong password attempts to secure yourself from brute forcing.

Conclusion

It’s not just WordPress, but any other open source resources are vulnerable to all sorts of attacks.

As a WordPress website owner, you should know that in addition to WordPress’s own core security, you have to take some security measures to keep hackers & malicious scripts/bots away from your website.

I would also recommend you read this article – Try Hacking Your WordPress Website Before Hackers Do! – to dive deeper into WordPress security best practices by implementing some advanced security tactics on both WordPress core as well as server files.

I hope the article helped you understand some of the WordPress website security exploitations & how you can prevent them.

Did I miss something to add? What do you think is the most effective way to secure your WordPress website & keep hackers away?

Categories
WordPress WordPress Security

Try Hacking Your WordPress Website Before Hackers Do!

If you use WordPress, it is really important to get yourself familiar with some security measures to keep your website safe from potential hacking attacks.

There were over 90 billion malicious login attacks from 57 million unique IP addresses at a rate of 2,800 attacks per second targeting WordPress, says WordFence.

WordPress, being a powerful & open source CMS, invite potential security threats as well.

There has been a long history of WordPress websites being targeted by hackers because of security issues.

News about WordPress websites getting hacked

Here are some of the WordPress security vulnerability stats you should look at:

  • 41% of WordPress attacks are caused because of vulnerability on the hosting platform. [Souce: Unknown]
  • 61% of infected WordPress websites were out of date. [Souce: Sucuri]
  • 8% of WordPress websites are hacked due to weak passwords
  • Over 30% of Alexa’s top 1 million websites were using outdated WordPress, making them vulnerable to hacking attempts. [Source: WPWhiteSecurity]
  • 52% of WordPress vulnerabilities are due to WordPress Plugins [Source: WPScan]
  • In a study, over 4000 websites were infected by malware due to a fake SEO plugin [Souce: Unknown]
  • There are almost 90,000 attacks per minute on WordPress websites. [Source: WordFence]

Aren’t these stats shocking?

Who are these hackers? Well, we are not here for this answer!

After reading this piece of content, you will understand how hackers can find a way to exploit security vulnerabilities in your website, & what you can do to avoid any such security exploitations.

Moving ahead, we will execute some basic & initial techniques used by hackers use to find potential weak WordPress websites.

Finally, we will see some fixes to protect your WordPress website from hacking or similar attacks.

How Hackers Hack Your WordPress Website?

The Anatomy of WordPress Hacking

It all starts with Reconnaissance & Scanning. Hackers use various techniques to scan & shortlisting WordPress websites with security vulnerabilities that can be exploited.

They can do this in many ways, like executing browser-side automated scripts, creating automated bots to scan the world wide web & many more.

Once they shortlist weak websites, they further execute advanced hacking steps (like brute-forcing, injecting malicious scripts & more.

Most of the part is automated.

Enumeration

With WordPress default configuration, there are several ways hackers can find sensitive information about your website, which can be then exploited to gain administrative access to your website.

Unless you take some steps to hide some critical WordPress information about your website, you are vulnerable to hacking attacks, especially brute-forcing (trying out numerous combinations of some commonly used passwords until the right combination is guessed.).

For instance, if a hacker knows the exact username of your WordPress admin account, he is one step closer to brute force attacking your website.

Similarly,

There are various other information that becomes public with WordPress default installation, hence, making your website vulnerable to hacking attacks.

SQL & PHP Injection Attacks Through Database

An injection attack is a process of submitting malicious functions & scripts via input form fields or other open fields/path opportunities in your Website.

Since WordPress is written in PHP & uses MySQL/MariaDB for database, hackers try to enter malicious PHP/SQL scripts to be saved & processed into database.

Such scripts can be inserted via open form fields available throughout our Website like contact us form, newsletter, comments, etc.

SQL injection vulnerability is the one of the most critical security vulnerability in WordPress.

If your WordPress security failed to filter & identify such malicious data before saving it to the database, it becomes easy for hackers to eventually send scripts that request back confidential information or may execute certain functions.

Man In The Middle Attacks

Man in the middle (MitM) attacks are reffered to attacks wherein the hacker position themselves as intermediator between the process of sending & receiving data.

In simple terms, this means trying to steal information while data communicates/travels from one point to other.

WordPress websites that are still running on HTTP, are prone to man in the middle attacks.

This is because HTTP (Hyper Text Transfer Protocol) is basically a communication between your web browser & website server.

When you put in a website URL, browser send request to the website server & fetches required data.

Since HTTP is not an encrypted protocol, hackers can easily intercept in-between the information shared between web browser & web server.

This means, even the passwords are not secure. The straight forward solution to preventing MiiM attacks is enabling HTTPS protocol on your website.

Hacking Your Website: Testing Out If Your Website Is Vulnerable To Hackers

While no website is secure across the Globe.

SO here’s the catch: Reveal as least information about your website as possible, you will be on a safer side.

Hiding your website potential information means, preventing yourself from falling in the shortlisted website list after their reconsinnance & scanning phase.

SO you might be wondering,

What are these kind of potential information that hackers are looking for to shortlist weak website?

  • Admin Username
  • Websites without HTTPS
  • Websites with outdated themes or plugins
  • Websites with potential open paths to inject malicious scripts

The best way to understand this is by doing some scanning on your WordPress website that real hackers are trying out there using automated bots:

Test 1: WordPress enumeration via REST API

WordPress installation by default includes a rest API that can be used to get active user details on a specific website.

REST stands for Representational State Transfer & it is a client server protocol that makes your website available as web server.

In simplte terms, REST API helps other applications/websites in retrieving information available on your website without having to use a browser to access the website.

To get the requested data, REST architecture uses many formats including plain text, HTML, JSON, XML, YAML, etc.

If we talk about the data in Json format, ,

To check this, enter this URL string after your website URL: /wp-json/wp/v2/users

Example – www.yourwebsite.com/wp-json/wp/v2/users

similarly, https://sureshbhatt.net/wp-json/wp/v2/posts

What did you see? Did you see a blank page or 404 page?

When hacker send a Json request (www.yourwebsite.com/wp-json/wp/v2/users) on your website to get sensitive information, it should return a 404 error

or did you see this kind of information?

an image to showcase how REST API can be exploited & used to hack your WordPress website

If yes, you need to protect this information ASAP.

Don’t take this lightly. As you can see, this string can help hackers get information on registered users.

Here’s the fix, you can directly jump to this fix or continue reading this article to fix everything, including this.

Test 2: Monitoring WordPress Behavior

In this step, we’ll look for minor differences in how your WordPress login page is responding to particular requests.

We will perform this step to help you understand what minor informations hackers try to gather & how costly leakage of these minor information can help hackers gain access to your website

Step 1: Go to your WordPress Login page & try entering a wrong username & dummy password.

See how WordPress responds to this & returns this error message

Step 2: Now Enter right username but wrong password

WordPress response security testing against brute force attacks

As you can see, this returns a message: invalid username & password, this means, WordPress does not indicate that username is correct but password is wrong/

However, hackers have one more way to confirm this, they will try resetting your password.

Not to actually reset your password, but to keep your website in list where usernames are confirmed so they can execute further steps.

Wordpress forget password response testing to check security vulnerabilities helping hackers to get the exact username

But once the right username is guessed, this password reset form will confirm this to hackers.

WordPress response to forget password bruteforce testing when right username is guessed

However, in this case, hackers needs to make sure that they execute things real fast as soon after this step

Because this will also send you a forgot password link

If you ever receive any such forget password email, don’t take it lightly.

Create a new & very strong password again immediately.

Depending on this response, the attackers can determine the exact user name that can be potentially used to execute next larger hacking steps against your website.

This makes hackers one step closer to brute force attacking your Website.

Test 3: Checking If any Directory is visible publically Wp-Content & Wp-Plugin Indexing Status

We will attempt this test to list the directory contents of the uploads & plugins folders to determine if directory Indexing is enabled by default on your WordPress website.

This can lead to information leakage vulnerabilites that can also reveal sensitive information regarding your website configuration.

Screenshot to show enumeration (plugin, content) vulnerability in wordpress

Test 4: Playing With Some Free WordPress Website Security Vulnerabilities Scanner

In this check, we will test our Website vulnerabilites using some pugins.

This test is to see if our website requires attention, because hackers use these tools or similar codes to detect potentially weak websites

WPIntel Chrome Extension

Wp Intel - WordPress Vulnerability Scanner Plugin Free

Pin this extension to your Browser & whenever you visit any website, this tool will scan websites & turn green if it detects any WordPress CMS.

You can use this tool to scan for possible vulnerabilites in your wordpress website & get it fixed as soon as possible.

Some things you can check for using this tool:

  • Version & Vulnerabilities
  • Themes & Plugin information
  • Username Enumeration
  • Scan for registered users details
  • Scan for path disclosure
WPIntel Tool

This is one of the most famous tools used by hackers to find vulnerabilities to your website

This tools helps them in their reconissance phase when they are on their firrst step of gathering data from

There are other popular tools too you can easily find.

Test 5: Finding PHP or SQL Injection Vulnerabilities

Any input field in your website with submit button is vulnerable.

In this test, we will check for any open paths in our frontend that does not filter data before processing & saving into the database.

Create a list of all the available options on your website from where a data can be sent to be stored on our website database , sent by a user from frontend.

This could be:

  • Newsletter Form
  • Custom HTML form you might have created
  • Comments Section

Now test if your website is filtering this data before sending to database or not.

Didn’t get what I mean?

What you need to do is try improper format for entering data,

such as in the phone number field, try entering texts & phone number greater than 10digits, if the website accepts this data, this means, data is not getting filtered properly & hackers can inject malicious scripts to your database which can be executed in their next hacking steps.

How Can I Protect My WordPress Website from Hackers?

You’re not alone in this fight!

Hide Rest API

As we discussed above, REST API in WordPress can be used to get potentially sensitive information about your website.

TO prevent this, you need to insert the following code to functions.php file.

add_filter( 'rest_authentication_errors', function( $result ) {

  if ( ! empty( $result ) ) {

    return $result;

  }

  if ( ! is_user_logged_in() ) {

    return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );

  }

  if ( ! current_user_can( 'administrator' ) ) {

    return new WP_Error( 'rest_not_admin', 'You are not an administrator.', array( 'status' => 401 ) );

  }

  return $result;

});

Add Security Headers

When it comes to WordPress security, adding security headers to your website block malicious attacks like script injecting or Man-in-the-Middle attacks.

For example, there are many scripts that hackers can use to access your website in HTTP even if you’ve configured SSL properly.

Below are some important security headers that we need to add to our Website at server level.

  • HTTP Strict Transport Security (HSTS) – Prevent your website from loading on HTTP
  • X-Frame-Options – Prevents cross-domain iframes or click-jacking
  • X-XSS-Protection – Blocks cross-site scripting
  • X-Content-Type-Options – blocks content mime-type sniffing.

We need to add these headers on the website server level, on .htaccess file

To do this, login to your cPanel & using File Manager, go to public_html > .htaccess

Add this piece of script inside this file & Save Changes.

<ifModule mod_headers.c>
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options nosniff
Header set X-Frame-Options DENY
Header set Referrer-Policy: no-referrer-when-downgrade
</ifModule> 

Keep Everything Up To Date

Be it plugins, theme files, WordPress core update or anything else on your website.

Keep everything up to date. This is most important.

Outdated technology is very dangerous & you should enable auto updates for your WordPress website, for themes, plugins.

Choose A Reliable & Trusted Hosting Partner

Did you know that security vulnerability issues by Hosting services accounts 41% of hacked WordPress websites?

This news is around 6-7 years old & the original author of this post has deleted the page.

But let me tell you why choosing a reliable hosting services are important:

  • Website Security – A reliable business means you are in the best hands, a good host will have a security firewall & other means to protect your website from getting hacked.
  • Just in case your WordPress website gets hacked, a good hosting provider will prioritize this situation to help you the best way they can
  • While performing certain functions to strengthen your website security, you would need to edit core files. Just in case something goes wrong & you lose access to your website, a reliable web host will not only make sure to fix the issues, but also educate you on what you’ve done wrong & what you should avoid in the future.

Cybersecurity is one of the biggest concern in the tech world.

Let the professionals manage server security & other critical security measures while you focus on strengthening your WordPress website.

I personally use HostGator & have been associated with them as an affiliate partner.

Meaning, the hosting is reliable & if you sign up from here, I will get some commission that will help me keep this blog live 🙂

The tech support staff is really helpful & willing to provide you the best customer experience.

Bluehost is also good, but might be expensive for beginners.

Password Protect WordPress Admin Directory

This is kind of two factor authentication to login to your admin dashboard.

Just like your WordPress dashboard is protected with a password, you can add another layer of security by password protecting this directory itself.

That is, protecting the URL www.yourwebsite.com/wp-admin by asking a prompt before accessing the login page

This is how a password protected WordPress admin page looks like, this adds an extra layer of security to your wordpress website

To do this, you need to login to your hosting cPanel account & locate Directory Privacy icon

How to enable password on Wp-Admin page, password protect Wp-Admin directory

Locate wp-admin directory inside public_html & click on edit as shown below

Demonstration on how to enable paswword protection on Wp-Admin

Final steps to password protect wordpress admin & improve security

Now save this & try logging into your dashboard in incognito mode.

Seeing “too-many-redirects” or “404” error after setting up password on wp-admin directory?

Try adding this piece of code to your .htaccess file inside cPanel of your hosting account:

public_html > .htaccess

ErrorDocument 401 default

Add this code before WordPress rules start

Click save & try now.

Seeing Admin ajax issue?

This means Ajax functionality is broken.

Locate wp-admin .htaccess file (This is different .htaccess file, not the one that we edited above) inside hosting cPanel

public_html > wp-admin > .htaccess

& paste the following code into it:

<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any 
</Files>

Hide /wp-admin URL & keep hackers away

The default WordPress installation settings invite security vulnerabilities to your Website.

One such vulnerability it the default login page URL, i.e, /wp-admin

You just need to add this at the end of website URL to get to the login page.

Hackers already know this & you must change this URL slug to keep hackers away from this page, which is a gateway to the core of your Website.

While this can also be done manually, you can also use WPS Hide Login plugin

Caution: It is important to backup your website before changing /wp-admin/ login URL, this is because in some cases, you may end up losing access to your website & locked out.

Limit Login Attempts

As the term suggests, limiting login attempts to our WordPress website keep it secure from hackers trying to brute force attack your website.

By enabling this feature, you will be able to limit the number of failed login attempts.

Since brute force attacking needs a lot of combinations to be tried before guessing the right password, limiting login attempts make sure that no bot can try more than three wrong credentials to your website.

WordPress Installation does not include this feature so we need to use a plugin for this.

Enable Two-Factor Authentication

Enabling two factor authentication adds an extra layer of security to your website.

Just in case an automated script is able to brute force login into your WordPress, your website will still be secure until hackers find a way to disable/exploit that specific plugin used for two factor authentication.

Almost every WordPress security plugin allows you to enable two factor authentication

Block Script Injections – PHP & SQL

As we know, WordPress is written in PHP & uses MySQL or MariaDB database.

This means hackers can potentially inject malicious SQL & PHP scripts to your website.

This can be done via sending requests from your website frontend or using global PHP functions.

We’ve already done this test to see if hackers can get a way to inject scripts.

However, there is one more step that needs to be done, we need to prevent any kind of global PHP requests from outside of our website.

TO do this we need to add this script to our .htaccess file

# BEGIN Protect Against Script Injections, Thank you Suresh

Options +FollowSymLinks 
RewriteEngine On RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR] 
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2}) 
RewriteRule ^(.*)$ index.php [F,L] 

# END Protect Against Script Injections, Thank You Suresh

You will find .htaccess file inside File Manager in your website cPanel.

Once you save this code to .htaccess file, your website will block any request or scripts which can be used to hack your website.

Just by adding this code, you are taking your WordPress security to next level

Disable Frontend Debugging Messages

Some WordPress theme comes with debugging messages enabled on the frontend.

While developers use this feature to detect bugs, hackers can potentially use this feature to gather information which will then be used to trick your WordPress system & gain unauthorized access to your website.

If you spot any debug messages on the frontend, place this code into the wp-config file:

define( ‘WP_DEBUG_DISPLAY’, false );

Disable File Editing – Theme Editor & Plugin Editor

WordPress comes with two useful features named “Theme Editor” & “Plugin Editor”.

This allows you to edit theme files & plugins directly from the WordPress dashboard, rather then manually editing from the cpanel.

However, this is a huge security vulnerability & if you are non-tech savvy, it is recommended to turn it off.

To disable these features, you simply need to add the below piece of code to your wp-config.php file

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

Use Recommended Security Plugins

Though I don’t want you to rely on plugins because plugins can be exploited easily & also slows down your website.

But still, I am not an ethical hacker or security evangelist, so I would say install some security plugins that experts recommends on the internet.

But rest assured, if you wish to not use plugins, you can totally skip them, I’ve mentioned some good preventive measures to save your website from hackers.

Conclusion

As we all know, no security solution works 100%, this means, we need to do the best part as we can.

TO best protect your website against hacking, I would recommend you to not just install plugins/firewalls etc, but understanding how actually it works.

If you get to know only what I’ve explained in the post above, then it will be easy for you to make smart decisions in future related to your website security.

Another important reason to understand this is that you don’t have to rely on plugins everytime.

What’s important is to make hackers lives hard by not giving them the initial information their bots need about our website.

Rest everything is being done by some great minds working behind to keep WordPress a happy place for all of us 🙂

I hope this article helped you understand WordPress security flaws & their fixes.

Do you think I missed adding any WordPress security vulnerability that hackers can potentially use to gain access to our website? Please let me know in the comment section 🙂

Categories
WordPress

Choose The Right WordPress Theme: The Only Guide You Need

WordPress, being the most widely used Website CMS, comes with a pool of over 10,000+ themes & this makes it a little complex for us to choose which WordPress theme would be right for my website or blog.

A theme is basically a group of files (graphics, CSS, etc) that control our website’s overall feel & appearance.

Not all themes available in the WordPress theme directory are good, & not all themes that look good are actually good.

We live in a tech-savvy world, we are modern, we expect modern interfaces with intuitive designs.

On the other hand, the ever-evolving SEO game makes it critical nowadays to thoroughly test a theme before owning it.

For example, it is mandatory to have a responsive website if you are planning to leverage SEO.

Similarly, there are a lot of factors to consider before sticking to a theme for your website.

What are those factors?

Don’t worry, this blog post has got you covered.

I’ve listed all the important points that need to be taken into account before finalizing a theme for your WordPress blog/website:

Things to Consider When Choosing a WordPress Theme

1. Determine Your Website Purpose & Features

Before searching for your website theme, it is important to determine what type of website you are looking for & what all features you’d want to be incorporated.

For example, a service offering business website will require different layouts, structures & features, while, a simple blog would not need many customizations at the beginning.

On the other hand, if you wish to enable Ecommerce features, you’d want a WooCommerce theme that is well suited for Ecommerce operations.

Just in case you wish to create an eCommerce website using WordPress, I’d suggest you go to a different article that is solely created to help users choose the right WooCommerce theme.

Here are some types of Websites you can create using WordPress:

  • Blog
  • Business / Services Website
  • Portfolio
  • Ecommerce Websites (Using WooCommerce)
  • Digital Magazine

Once you know what website you are going to need, it’s time to utilize WordPress feature filter

Determine Your Niche

There are many WordPress themes that offers a wealth of customizations.

Depending on your target market (niche), you can search & get themes that include features/functionalities related to your niche.

For example, if you’re into Real Estate, you will see some themes that allows features like Property Listing, Agents Managements, Google Maps Integration & many more.

Utilize Feature Filter

Most of us may not notice this, but while searching a theme for your blog, WordPress allows you to use some filter so that you get a theme as per your requirements.

As a beginner, I understand it feels amazing to have many features as my website can.

But, being in marketing for over 5 years made me realize that less is always more, so stick to less features.

The more features your website will have, the heavy coding your theme files will contain.

2. Get Some Demo Content to Start With

There are a lot of free & paid wordpress themes available in the official wordpress directory.

You can’t just finalize a theme at first place if you have done no research on theme or whatsoever.

Since there are a lot of themes available, it is best to preview those themes only after you have some demo content to start with.

This way you can preview, install & play with the themes you like, using dummy content.

Having some demo content allows you to test the themes you like & play around with dummy content to see how the final version of your website will look like.

Some WordPress themes come with demo content import Kit, but not all.

The easiest & best way to create demo content is by yourself. Here’s what you will need in demo content to start testing your website theme:

  • 3-4 Demo Blog Posts (With Featured Image)
  • 2-3 Demo Pages (With Featured Images)
  • Add Some Categories For These Posts
  • Create Menus & Widgets

That’s all.

3. Analyze What Customizations Your Theme Offers

Right after you install your theme, take some time to visit every features available to customize your website.

What we need to look here is for small features like

  • Does my website allows me to change font? (In case the theme fonts are not good)
  • Does my website allows me to change website theme color? (In case you wish to create brand visuals)
  • What features I can embed at the Homepage?

You can quickly analyze what features your theme is offering by going to WordPress Dashboard > Customize Your Theme

Remember: Avoid those themes at any cost that does not allow you to tweak or customize the code files. You must have the liberty to do so because this is your website, even if you think this feature is not necessary, keep in mind what I am telling you 🙂

4. Check The Theme Speed

Not to mention, the website speed has always been a critical key to improving overall performance of your Website, & hence the SEO.

And so is the importance of checking the theme’s speed before choosing it for your next project.

Some WordPress themes are cleanly coded that loads quickly, with minimal delay on sending/receiving requests, however, the pool of WordPress themes is vast, hence, not every theme that appears to be good is actually not good.

You need to do some homework by testing your theme’s speed on various speed testing tools.

Some of the tools I use are, there are plenty of other tools too.

Once you do some speed test, it will help you understand what

5. Checking For Browser Compatibility is Important

Cross browser compatibility is a part of responsive web design testing.

Responsive web design testing focuses on website design adaptability while cross-browser testing focuses on functional ability & interoperability.

As the name suggests, cross-browser testing revolves around what browsers the visitors are using while responsive design testing focuses on what device visitors are using.

At the end, both are aimed at offering seamless user experience to website visitors, irrespective of the device or browser they are using.

Hence, it is very important to execute cross browser testing on the theme you have chosen.

In general, theme developers perform strict cross-browser compatibility testing using various tools, however, it is also important to perform some tests at your end.

TO do this, you can either simply access your website on different browsers or use any browser compatibility testing tools on the web.

6. Color & Typography

The modern audience demands visually appealing website with amazing readability.

This is where your theme color palette & font type comes into consideration.

Once you finalize a theme, take one or two minutes to see what color options your theme is offering.

Just in case you already have brand color palette for your next blog/website, it’s better to stick with theme that offers color customizations (font color, background color, mouse hover color, button color etc)

7. Theme’s Responsiveness & Mobile-Friendliness is Must To Check

A responsive website automatically adjusts its design, content & elements to match the screen size on which it is viewed.

The ultimate goal of responsiveness is to avoid unnecessary efforts like zooming, resizing, etc to read the content of a web page, irrespective of the device used.

Long time ago when the responsive web design approach was not introduced, website owners had to design multiple website versions for different devices.

We are now living in a multi-tech society. People are using a variety of devices (Mobile, Tablets) to browse the internet.

Since you never know what device your target audience might use to access your site, it’s important to prepare your website design to be appropriately viewable across as many devices as possible.

Also, Google has been very strict with User Experience

You can use Google Mobile-Friendly Test to see if your website is responsive or not

8. Be Aware of Bloated Monstrosities Themes & Developers

Not all theme features you might think good are actually not required.

Focus on delivering minimal aesthetics & don’t get attracted to themes offering a wide functionalities & features.

If you wish to cover more features at once, you will end up with a slow website.

I would also like to take this moment to put a shot on some overloaded WordPress themes you might find on Themeforest occasionally.

Remember: Don’t fall into the trap of their reviews, I’ve pretty bad experience with Themeforest. I do not like their rating & reviews policies, i.e., if you ask for a refund /money back, they will delete your reviews.

This means, all the people who have figured out the theme is not good, are no longer able to aware users of that theme.

I am not pointing my gun at all theme developers, but, some to of the bloated monstrosities whom this shoe fits well.

As a beginner, it’s best to stick with WordPress official directory themes & stick to minimal features.

Minimal is the best always, no matter what.

9. Do Not Ask Search Engines or Other Source To Give You The Best Theme

Is WordPress secure?

The answer to this question is simple – “As long as you follow WordPress best practices, it’s very much secure”

There are many WordPress security issues that hackers can take advantage of.

One of the most common ways that hackers use to find vulnerabilities is by targeting websites with poorly written & outdated code.

Since themes (and plugins also) can be a potential source of this security vulnearability, it is strongly recommended to choose themes for your website only from the official WordPress themes respitory.

Just in case you wish to opt for premium themes from outside WordPress, make sure to do a thorough check on the business you’re dealing with.

Many times, you might also think to download & install a free torrented version of a premium theme – avoid this at any cost.

These pirated & free version of WordPress themes might contain malware or malicious scripts, therefore, comes at an expense of your websites’ security.

10. Free Theme vs Paid Theme: Expert’s Opinion

Important things first: If you are using a free theme WordPress theme, it is very critical to stick with the official WordPress theme directory as I mentioned earlier too. This is advised to you to not download & install any WordPress themes (or plugins) that are distributed outside of the WordPress platform.

The comparasion between free & paid wordpress themes is subjective.

What I would consider as disadvantage for my website, may not be a concern for you.

Here are some common disadvantages of using a free WordPress theme:

  • Limited or very less customer support
  • Limited features & functions
  • Not so visually tempting
  • No warranty – if something goes wrong, you are on your own

Now, let’s see some of the advantages of using Premium WordPress themes:

  • More features & customization options
  • Dedicated & priority customer support (which is important if you scale)
  • Streamlined functions like drag & drop homepage elements, multiple layouts, shortcodes, etc
  • Premium themes are unique & visually appealing

However, there are some disadvantages of using premium themes too.

For example, too many features might slow down your website.

Does this mean you should opt for premium WordPress theme?

No, as I said earlier, this answer is very subjective & you need to rethink of your goals & objectives.

Below are some questions to ask youself if you are confused between paid & free theme:

  • Do you really need a lot of features and customizations that premium themes are offering?
  • Can you troubleshoot & edit WordPress theme files on your own, if required?
  • Do you need a professional looking website to improve conversion rate? or a basic website would suffice your initial needs?

If you are a small business, I would recommend you to opt for a premium theme as it will give you a better design, more customization/features & peace of mind whenever you need support.

However, if you are just starting out with WordPress, a free theme would suffice your needs.

11. Do Some of Your Research

If there is a pro, there are chances of cons too.

Same goes with the website themes.

The best way to avoid any critical problems in the future is to do some research on the theme & see how the experience of people has been with this theme.

If using WordPress themes from the official WordPress directory (recommended), you will find theme rating & reviews on the theme page itself.

You can also type in the theme name on Google & check if someone had faced any bad experience with the theme that you must be aware of.

This way, you can have a solid idea of what theme you are using.

12. Consider Theme Documentation & Customer Support

Before choosing a theme for your WordPress website, it is important to keep in mind the support theme developers will provide you.

Usually, with free WordPress themes, there is poor theme documentation, very less or no customer support.

In such case, you will end up losing money on a third party developer if you mess up with the theme files.

However, if you go for a paid theme, you will get good theme documentation & priority customer support for long run.

Not only this, with the paid themes, you can be assured of the code quality because the developer must have taken many things into account before making the theme paid.

13. Spy For Competitor’s Website Themes & Plugins

How about spying to make your website better? Sounds cool!

Peeking at other killer websites to see which theme & tools they are using is a great way to make big moves with your WordPress website.

Being a blogger, it is common to get blogging inspirations & ideas from other websites. Many times, we see certain features or themes these websites are using & want them on our website too.

In this case, WordPress website theme detecting & spying tools come really handy, that helps you discover new themes & plugins.

Here are some good WordPress theme detector & spying tools that you can use for free:

Top WordPress Themes with Free Versions [2021 Updated]

  • Astra
  • OceanWP
  • Hestia
  • Bento
  • Go
  • Blocksy
  • SiteOrigin Unwind

Conclusion

It is not easy to find a good theme quickly for your WordPress website, especially if you are a beginner.

Hopefully, this blog post helped you get a better idea of what to look for while choosing a theme for your WordPress website.

As mentioned above, certain quality tests/checks like Mobile Responsiveness, Theme speed are a must to do.

However, other opinions are entirely subjective & depends on your goals/objectives.

Was this article informative? Do you think there should be a few more factors to consider before finalizing on a theme?


Suggested Reads: