WordPress sites are under a real attack and whoever, is behind it wants to damage your site. The problem is that most people are not aware of it due to two reasons. First, there is not enough knowledge available on the subject. Second, people cover it with too much jargon or do not provide enough information.

WordPress Security Threat

Hostgator was first to recognize the threat publicly in their post Global WordPress Brute Force Flood, Another great source is a series of posts made by Sucurri’s security team. These posts are how to protect your site, the reality of the attacks, and the consequences of such attacks another post which covers it extensively is Krebs on Security. What happens is that someone uses botnets to subvert your site.

He has two primary goals. That will be discussed further on. Anyway, these botnets try to get into your system and failing that, they try to overwhelm it by creating so many login requests that your server is overloaded. In order to do that, they use many different computers that they have penetrated through different malwares.

All of these computers are trying to guess your password to get into your site. They will try different combos of possible logins and passwords to gain access.

Aim of the attack

It is obvious they want to subvert your site to send spam and use your site for their illegal activities. They can use the botnets to close down the websites and breach the security of secured systems. In short, they want to make using the internet a nightmare. That is why it is imperative that people who are operating these websites should be vigilant against all such efforts.

Danger to your site

You can classify the danger into two categories. First is that they succeed in breaking your password. Obviously, they will be able to enter the site as an administrator. It means that they will be able to execute all kinds of changes to the site and they may even access and damage the server.  Second is that they will not be able to enter the site, but they will flood your server with attempts to log in. Causing undue pressure on the server and depending on the package it can cause the host to block your site.

There is always a discernible pattern

Fortunately, there is always a pattern to these attacks and if you are diligent, enough you can discern that pattern and organize your defense accordingly.

Most of these attacks are to login as the admin to the site. If you look at the stats, you will find a vast majority of these attacks are for that particular login. Other logins that botnets try more often after that are moderator and editor. Similarly, you can easily identify a pattern among the passwords that has been successfully breached.

These passwords are admin, 123456, 12312, 1234, admin123, password, root, 12345678789, qwerty, welcome, 1234567, 12345, 1111, 12345678, monkey, i loveyou, dragon, test, pass and demo

You can clearly see that passwords that botnets break easily have a fixed pattern. It usually consists of alphabets or digits that are easy to type. Mix it with the fact that several computers take place in an attack.

One of the site showed that a login request was made from as many as 264 unique IP addresses. You can easily see that it is only a matter of time before they break into your system with hundreds may be even thousands of computers working to guess the combination.

Possible answer to the problem

One of the possible solutions is to use Login Ninja plugin. It is going to restrict the access to an IP from which someone made a failed attempt. However, botnets are using a wide range of IP addresses to mount their attack so this may not work very well. Therefore, you may need another solution.

Create a new username for admin

Your biggest weakness is that you are using admin as your username. It makes it easy for the botnet to predict your username and password. It is usually better to make an entirely new username rather than simply changing the old one. To do that, you will need a new email account. Logout of your account and login as a new user to your website now remove the old admin user by deleting that account.

When you are prompted what to do with all the links and emails of the previous admin use the option, “Attribute all the posts and links to” to attach all of them to your new account, which you can choose from a drop down menu. Once you have done that, you can attach your new email address to this account and use it for everything.

You can also change the password from the database or with the help of plugins who do that. However, there are some scripts that target ID I to hack the website. As usually, ID 1 belongs to admin, it works. Therefore, changing your Id provides extra protection to your account.

Stronger Password

Unfortunately, this is the most common mistake people make. Despite constant imploring, they just do not make passwords with sufficient strength. It means that you are always vulnerable to attacks even if you have changed your login from admin. There are many guides available online, which can help you in creating passwords that are easy to remember, but it will be very difficult to break them.

Another thing that you have to guard against is to use the same password for all of your accounts. As soon as one of your accounts is compromised, all of your accounts become vulnerable. Therefore, it is better that you use different passwords for different accounts.

It means that we have to consider four rules for making passwords. First, they should be easy to remember, difficult to break, they should not be too tedious to type in and you should have different passwords for different sites. Experts also add another rule that your passwords should not follow a pattern that someone can guess. However, it is very difficult to follow these rules as if you are using multiple passwords with varying degrees of difficulties. Soon enough you will forget something and you will not be able to use it.

One possible situation is to use LastPass. It is a service that generates very complex and hard to break passwords for you. You can use LastPass to generate different passwords for different sites. It means that you will have to remember just one password that logs you into LastPass and it will remember all other passwords. However, an important thing to remember is that your password should be a very strong one as your slight mistake can compromise all of your accounts. LastPass also offers services for your mobile phones and tablets. Some other products that perform the same service are KeePass, 1Password, Keeper and RoboForm.

Keep your WordPress website performing at its optimum capability

With your website safe now, you have to look for the ways to keep its performance parameters at its peak. If your server is under constant pressure from hundreds even thousands of login requests, it will affect your server’s performance. One possible solution is to seek help from your hosting company. They have some effective techniques to help combat this problem.

In case, the hosting company does not have a solution or you manage your server yourself. You have to ascertain that you have the problem in first place and make an assessment as to how bad it is. To do that you just have to look at the number of login attempts made on your account, which you can use by looking at access logs.

If your hosting company has, no solutions for your problem you can make use CDN service provider CloudFlare. They have listed in detail how they handle such brute force attacks. There is also a CloudFlare plugin available with caching feature. You can use a solution that suits you the best. If you have neither of these options available to you. You have a serious problem as all other solutions involve serious technical understanding of the whole operation.

Another possible solution is to move your website to a host who has the facilities and the willingness to tackle the problem, which you can determine by contacting them and Apprising them of the whole situation.

One solution that almost everyone will recommend is to use ModSecurity rules on Apache to limit the login attempts. However, in order to use this solution you have to be using Apache in the first place. You can also password protect access to the wp-login.phpfile and wp-admin directory. It will mean that any unauthorized person will have no access to the login page hence, protecting your WordPress site from all kinds of malicious attacks.

Another solution is to update the Wp-config.php keys. There are a set of security keys that WordPress uses for recognizing different security descriptors used by WordPress. The problem is that the older versions did not have this feature making them vulnerable to outside influence. Therefore, it is necessary to update them regularly. After each update everyone will have to log in again, which means that problem will be resolved.

Solution to the problem

The only way to ensure that you are safe is to delete everything after creating a backup. Get yourself a fresh copy of WordPress and upload it to your server. Yu should carefully inspect wp-config.php file to make sure that there is no piece of hidden code in it that will compromise your new server. Easiest way to do that is to compare it with sample file in your new WordPress copy only than copy wp-config to your server. Download all of your plugins themes from where you did before.

Make fresh copies, upload them to your site, and check if the site is working. Change all the passwords that different users use as the attacker may have changed passwords. Go one-step further and remove all users you do not know. Make sure that you are using secure passwords and logins that are hard to predict. Final step is to copy your media files from wp/content upload directory. Please do not copy any PHP files, make sure that you are copying only media files.

This will mean lots of hard work, but unfortunately anything short of that may leave some part of infestation and you may regret it later. If you have multiple sites, you have to repeat these steps with all of them or there is no point in the exercise.

Avoid WordPress security problems in future

One simple fact is that one can never be completely secure until WordPress builds some inbuilt security mechanism to protect websites. However, what you can do is make use of the already mentioned Login Lockdown Plugin. Some people worry that it has not been updated in a very long time. Do not worry, it works just fine with all versions of WordPress. It works very well even if you have installed it with multiple sites.

You have to make sure that all of your plugins and themes are current. Also, make sure that you are using the latest version of WordPress as older version can compromise the security of your website. If you have many different websites, you can use either use multisite install or ManageWP to make it easier to manage your websites from one central location.

After you have dealt with security threats to your WordPress site, you should seriously reconsider your logins and passwords to your hosting account as well as email, which you use to set your passwords. If either of these passwords is compromised, all of your work will be for nothing.

One more thing that you should not ignore is the inactive plugins and themes on your website as a security hazard. Instead of leaving, them on the site make a backup and delete them completely from your site.

The post How to protect your WordPress site from potential security threats appeared first on wpRabbits.

Membership or Pay per Ad?

The most common business model is a membership subscription where visitors can post an unlimited amount of ads based on a monthly fee. This is interesting because you are generating a recurring stream of income.

A membership is only useful if the advertisers post ads on a regular base. If not, you can always offer a pay per ad formula. It makes it easier for smaller advertisers to give it a try, because the risk is lower than a membership subscription. Micropayments for pay per ad can be done through Paypal, text messages, …

Bump Ads

Bumping ads gives users the possibility to put their ad back at the top of the listings. Normally the top ads are the most recent, so when your advertisers are in a competitive market and it’s important to be at the top of your category Bump ads provides an easy way to get it there without having to post another ad again and again.

When using this strategy you should consider to limit the number of pages you show in your pagination. This way the number of ads people can see are limited and advertisers are more likely to bump their ad when they approach the last page ;)

- Bump ads plugin for ClassiPress

Advertisements

Even without charging money to post ads on your classified ad website you can still make some cash with your site. A website where people can post free ads will be more likely to get a steady amount of ads & traffic.

Use advertisement platforms as Google AdSense to put ads on strategic places where you get a good clickthrough rate. Use square banners in your sidebar & text ads in or under your classifieds. Make sure you don’t put to many ads on one page, by adding to much ads the value of a click will drop.

Affiliate Marketing

Affiliate marketing is a type of performance based marketing. Publishers get rewarded when they send converting traffic to advertisers websites. Affiliate networks connect publishers & advertisers, publishers can browse the affiliate programs & get promotional links or banners. There are lots of affiliate marketing platforms, the most popular are:

- Commission Junction
- Amazon
- Google Affiliate Network
- Linkshare
- Clickbank

The benefits for the advertisers are clear. They only pay when publishers send converting traffic. As a publishers you can benefit by publishing relevant ads for your target audience. When visitors click an ad & convert, you will receive a fixed fee or percentage of the sale made. The key for being a good affiliate marketeer is to serve the most relevant ads. If you have a classified website about real estate, you can use ads for loans for example.

Featured Ads

Give your advertisers a way to stand out of the other ads on your website by offering featured ads. Featured ads draw more attention and will have a higher clickthrough rate, so more visitors will take a look at it. Use featured sliders on the homepage or category pages of your classified ad website.

These plugins will help you sell your featured ads:

- Xtreme Carousel slider plugin for ClassiPress
- Paralax Hotspot slider for ClassiPress
- Featured Ads sidebar for ClassiPress

Build your Classified Ads website with WordPress

ClassiPress is a theme developed by AppThemes and turns your WordPress website into a classified ad website. The theme comes with a lot of functionalities out of the box, and many of the monetization strategies we showed you in this post are already available.

The basic design probably won’t be suitable for your niche, but at wpRabbits we provide a collection of custom ClassiPress themes.

Which way should you go?

This depends on your website, niche, traffic, competition, … There is no such thing as a holy grail when it comes to making money online. You should take a lot of things into account when you decide using on or several of the techniques explained above. There’s only one thing that matters: if your classified ad website provides value to your advertisers & visitors you will always be able to monetize it.

Starting a classified ad website isn’t a way to become rich quickly :) you will read lots of stories online, but be honest… Do you believe them? Instead of subscribing to their “secret formula” we recommend you make a plan before you start.

Take a look at some books on marketing & business plans for classified ad websites. You will get plenty of information on how to plan your business & make it grow step by step.

The post 5 ways to make money with your Classified Ads Website appeared first on wpRabbits.

Why childthemes?

There are several reasons why developers are starting to use child themes. Childthemes give you the ability to customize a unique design on top of another existing theme. ClassiPress is a very powerful theme, but the generic design probably doesn’t matches the look & feel you want to use for your niche.

The ClassiPress themes we design give your classified ad website another look, and during our brainstorms we always try to take a look at specific marketplaces’ needs.

Besides a custom look there are other benefits: childthemes are easy to install & don’t change a thing to your original ClassiPress installation. After installation you can just activate it & your classified website will have a custom look.

Checklist custom ClassiPress themes

At wpRabbits we care about the quality and detail of our themes.. The themes that we design and develop are published only if they pass the following template checklist. We look critically at every template, we focus on usability so that the user experience of your website’s visitors is perfect. The result? ClassiPress themes that will engage your visitors.

The result? Visitors spend more time on your site and will be more likely to convert.

wpRabbits theme development checklist

1. Home
2. Categories
3. Tags
4. Index
5. Search Results
6. Content pages
7. Blog (list)
8. Blog (single)
9. Ad detail
10. Dashboard
11. Author page
12. Login
13. Register
14. Password Recovery
15. Edit ad
16. Edit profile
17. Create ad
18. Categories (directory page)
19. 404 page

Customer feedback during design & development

During the design & development process we share our thoughts with our users through Facebook. This gives us valuable feedback that we can already use during developing our themes. We are always open for suggestions to keep improving future themes so if you have some ideas or recommendations don’t hesitate to connect with wpRabbits on Facebook or other channels to share your thoughts!

Take a look at some details of our ClassiPress themes

Don’t forget to check out the complete collection of Classipress themes

The post Classipress theme development checklist appeared first on wpRabbits.

I noticed that there are many ClassiPress users still struggling with their SEO & Analytics, while having a website with lots of potential. With the right focus and some good guidance those websites will found much easier through search engines, and with some additional Analytics configuration, the website owners will have actionable data to keep improving their website.

In the past, I was involved in some ClassiPress based projects with Rubencio, but I never stopped thinking about ClassiPress’ possibilities. With the team at wpRabbits we will take ClassiPress based websites to a whole new level of classified ad websites!

The post ClassiPress SEO & Analytics services added to wpRabbits appeared first on wpRabbits.

We are happy to announce a new ClassiPress theme is being developed at this very moment! We already posted some screenshots of the new design on our Facebook page and received lot’s of positive feedback!

That’s why we shifted gears & are working at full speed to get this new ClassiPress theme ready to be featured in our marketplace.

Want to see the work in progress? Check out http://demo.classipro.com/anunter

Features:

- Optimized for conversions
- Bootstrap layout
- Fast loading time
- Big & bold titles & buttons

Screenshot:

We will be posting more screenshots of future themes on our Facebook page!

The post New Classipress theme coming up appeared first on wpRabbits.

Fans of wpRabbits can join our community on Facebook! On our Facebook page we will post screenshots of new designs, or showcase websites of our clients. We will also be asking feedback or give you the possibility to vote on future designs.

Free copy of the Xtreme Carousel Slider plugin

So what are you waiting for? Join the Rabbit movement!

The post wpRabbits on Facebook appeared first on wpRabbits.