Tips to Keep a WordPress Site Safe

If you want to get a website developed for your business you should definitely take a look at WordPress. It can be considered one of the most convenient methods available for getting a website up and running. But when you are building your website with WordPress, you should never overlook security.

When you are done creating your website, it is open to the whole world. If you have not integrated the necessary security precautions, your website might face serious security issues. Your website might contain sensitive data such as customers’ credit card details and personal details. Therefore, if you have not taken precautions, you and your customers may be exposed to a considerable risk of being hacked.

Once a hacker gets into your website they can not only steal your information but also destroy all the information on your website. The most dangerous part of such destruction is that you can never undo it. Therefore it is your duty to take the necessary precautions to discourage hackers, keep your data safe and let the business continue to run smoothly.

Below are some security precautions you can consider for your website. By taking these steps you can seriously reduce the chance that you’ll get hacked.

1.  Stay Updated

Be aware of the latest threats in the digital world. You should at least know the basics of the possible threats, which will help you decide what precautions to take. There are a few websites that can help you get up-to-date information. Take a look at those websites and you will be able to stay updated with ease.

2.  Lock Down Your Access Control

Make sure that your basic precautions are tough enough to discourage a hacker. Never use easy-to-guess passwords and usernames. It is much better if you change the default database table prefix from wp_ to a harder, more random prefix. You can also limit login attempts. If there is more than one user on your WordPress website, you need to enforce strong security policies for all of those users. Following these precautions makes it far less likely that your website will be hacked by someone guessing a password.
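One way to implement the login-attempt limit mentioned above, added here as an example that is not part of the original post or of any plugin it names. The hook names are WordPress core; the kep_ function names, the limit of 5 attempts and the 15-minute window are this example’s own choices.

```php
<?php
// Added example: limit failed WordPress logins per client IP using core hooks
// and transients. The kep_ prefix, the limit of 5 attempts and the 15-minute
// window are this example's own choices, not from the post.

define( 'KEP_MAX_FAILURES', 5 );
define( 'KEP_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Transient key for the current client. Behind a reverse proxy REMOTE_ADDR is
// the proxy's address; only substitute a forwarded header if the proxy is
// trusted to set it, otherwise clients could choose their own bucket.
function kep_login_bucket_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'kep_login_fail_' . md5( $ip );
}

function kep_failure_count() {
    return (int) get_transient( kep_login_bucket_key() );
}

// Runs after WordPress has rejected a login. Our own lockout rejections are
// not counted again, so the window is not extended by the lockout itself.
function kep_record_failed_login( $username, $error = null ) {
    if ( $error instanceof WP_Error && 'kep_locked_out' === $error->get_error_code() ) {
        return;
    }
    $fails = kep_failure_count() + 1;
    set_transient( kep_login_bucket_key(), $fails, KEP_LOCKOUT_SECONDS );
    if ( $fails >= KEP_MAX_FAILURES ) {
        // Surface lockouts in the server log so repeated guessing is visible.
        error_log( sprintf( 'Login lockout: %d failed attempts for user "%s"', $fails, $username ) );
    }
}
add_action( 'wp_login_failed', 'kep_record_failed_login', 10, 2 );

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out client is refused even when it finally supplies the right password.
function kep_check_lockout( $user, $username, $password ) {
    if ( kep_failure_count() >= KEP_MAX_FAILURES ) {
        return new WP_Error(
            'kep_locked_out',
            'Too many failed login attempts. Please try again in 15 minutes.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'kep_check_lockout', 30, 3 );

// A successful login clears the counter for that client.
function kep_clear_failures( $user_login, $user ) {
    delete_transient( kep_login_bucket_key() );
}
add_action( 'wp_login', 'kep_clear_failures', 10, 2 );
```

Drop this into a small must-use plugin (wp-content/mu-plugins) so it is loaded before the login form is processed.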

3.  Software updates are crucial

It is important to update your software regularly. Do not neglect the updates. What if the most recent update fixes a security vulnerability and you have neglected it? Hackers are quick to become familiar with security issues in WordPress, so take advantage of the security updates that WordPress provides. Ideally you should automatically install all core WordPress updates.

4.  Install Security Ninja

If you’re wondering how to keep your WordPress site safe, you should take a look at the security plugins available as well. That’s where Security Ninja comes into play. It is one of the best and most popular security plugins available to WordPress users. Security Ninja makes it easy to secure your WordPress site.

Security Ninja only takes a minute to scan your whole site for security issues and then helps you deal with them one by one. Easy and efficient!

WP Security Ninja

5.  Maintain a strong network security system

You should pay close attention to the security of your network. You never know whether users in your office inadvertently provide easy access to your servers. Therefore, make sure that you have taken action to:

  • Expire user logins after a short idle period
  • Frequently change the passwords
  • Use strong passwords and never write them down.
  • Scan all the peripherals whenever you use them with the computer

6.  Try a Web Application Firewall (WAF)

A WAF can be software, hardware or a combination of both. It sits between your web server and the data connection and reads every bit of data transmitted. WAFs can block malicious access and hacking attempts, giving you peace of mind. There are also some built-in firewall options available in WordPress for you to try out.

Again, we advise checking the Security Ninja PRO plugins which now feature a Cloud Firewall that will protect you.

7.  Install security applications

Although not as effective as a WAF, security applications can make hacking attempts difficult to a certain extent. There are free and paid applications available to download. These are good at preventing automated hacking attempts.

8.  Use SSL

Use an encrypted SSL/TLS connection when transferring your users’ sensitive data; this protects the information from being read by unauthorized persons in transit. Setting up SSL with WordPress is pretty easy and should be considered an important step in securing any WordPress installation.

9.  Backing up

Last but not least, you should back up your website’s data both online and offline frequently. This will be useful if any damage is caused to your website. Use an automated backup system to back up the website multiple times a day.

Kernl Now Supports Update Icons

Have you ever wished that Kernl supported plugin update icons? Well, your wish is our command!

Before

As you can see, before this change the icon displayed on the WordPress update dashboard for Kernl-based plugins was the default “power cord” image.

Kernl Plugin Update Icon - Before

After

Now you can upload your own icon to Kernl and have it displayed in the update dashboard.

Kernl Plugin Update Icon - After

Getting Started

Using the new plugin update icon feature is easy.

  1. Add the latest version of the plugin_update_check.php file to your plugin.
  2. Upload an icon (64×64) to Kernl in the plugin meta tab.

How to upload new plugin icon

That’s it! Deploy your update so that all of your customers get the new plugin_update_check file and Kernl will start serving your update icon when you release your next update.

If you have any questions or need help getting set up, shoot an email to jack@kernl.us

Feature Flags – Managing a WordPress Beta Program

Let’s say that you’re an author of a premium (i.e. paid for) WordPress plugin or theme. You’ve been hard at work on an amazing new feature but it really needs some testing before it goes out to all of your customers. How do you manage this process? What’s the best way to get new code into the hands of your beta users with the least effort on your part? This blog post is going to walk you through the process of using Kernl Feature Flags to easily manage a beta program without having two separate builds of your product.

What is a feature flag and how does it work?

Feature flagging is a software best practice for controlling the release of features (sometimes called “gating”). Feature flagging is important because it allows you to turn features on/off without having to do a deploy. But how does this impact you? How does it make things easier?

Feature flags allow you to manage beta programs with a single version of your product. What most people currently do is have 2 versions of their product at any given time: the live version (what everyone sees) and the beta version (what your beta users see). Wouldn’t it be easier to just have one version, one deployment process, and highly granular control over who sees what features?

Feature Flags Product View

For example, in the image above you can see that I have two feature flags: “GitLab CI” and “Download Invoice”. Right now they are both active and people can see the features that they represent. If I decided to change “Download Invoice” to inactive, the feature would be immediately deactivated in my plugin. I wouldn’t have to do another deploy and release a new version to make it happen. It happens automatically in the code that’s already with your customers.

Seems great right? Let’s do a full example so you can truly appreciate the power of feature flags.

Example: Adding a feature flag to the Kernl Example Plugin

The Kernl Example Plugin is intentionally very simple. The goal of the plugin is to show off Kernl’s various features while not overwhelming the person who is looking at it. To illustrate how and why feature flags are awesome, let’s add a simple setting to the “Settings -> General” menu.

The example plugin currently looks like this:

<?php
/**
* Plugin Name: Kernl Example Plugin
* Plugin URI: https://kernl.us
* Description: The Kernl Plugin for testing.
* Version: 3.3.0
* Author: Jack Slingerland
* Author URI: http://re-cycledair.com
*/
require 'plugin_update_check.php';

$MyUpdateChecker = new PluginUpdateChecker_2_0 (
    'https://kernl.us/api/v1/updates/5544bd7e5b8ae0fc1fa5e7a5/',
    __FILE__,
    'kernl-example-plugin',
    1
);
?>
All it does is require “plugin_update_check.php” and instantiate the update checker. Let’s make things a little more complicated by adding a setting to the example plugin.

Add a setting to the plugin

// This is added below the plugin update instantiation.

function feature_flagged_settings_api_init() {
    add_settings_section(
        'feature_flagged_setting_section',
        'Feature Flag Example Settings in General',
        'feature_flagged_setting_section_callback_function',
        'general'
    );
    add_settings_field(
        'feature_flag_setting_name',
        'My Feature Flag Setting',
        'feature_flag_setting_callback_function',
        'general',
        'feature_flagged_setting_section'
    );
    // The option group must match the page the field lives on ('general'),
    // otherwise options-general.php will not save the option.
    register_setting( 'general', 'feature_flag_setting_name' );
}
add_action( 'admin_init', 'feature_flagged_settings_api_init' );

function feature_flagged_setting_section_callback_function() {
    echo '<p>This section is hidden completely behind a Kernl Feature Flag.</p>';
}

function feature_flag_setting_callback_function() {
    echo '<input name="feature_flag_setting_name" id="feature_flag_setting_name" type="checkbox" value="1" class="code" ' . checked( 1, get_option( 'feature_flag_setting_name' ), false ) . ' /> This checkbox is hidden behind a feature flag.';
}
The above code simply uses the ‘admin_init’ hook to call the WordPress Settings API and add a settings section and field to the General settings page. It looks like this when you run the code:

Feature Flags Example Setting Image

Awesome! We’re off to a great start. Now let’s wrap this in a feature flag so only our beta users can see it.

Create an On/Off feature flag

Kernl has extensive documentation for feature flag usage, but it all boils down to:

  1. Add the feature flag library to your plugin/theme.
  2. Create a feature flag product in Kernl. A good rule here is 1 plugin / theme to 1 feature flag product.
  3. Create a flag.
  4. Instantiate the feature flag library and wrap your code.
  5. Manage who sees the feature using Kernl.

So let’s do step one. If you’re using Composer, follow the directions in the feature flag documentation. If not, you can go to https://github.com/wpkernl/WPFeatureFlags and download the WPFeatureFlags.php file and drop it into your plugin or theme.

<?php
// ... snip ...
require 'plugin_update_check.php';
require 'WPFeatureFlags.php';
// ... snip ...
Easy. Next, go to Kernl and add a new product in the Feature Flags section.

Feature Flags Add Product Button

When you click “Add Product” you’ll get to choose a product name. Since I’m using feature flags with my example plugin, I’ll name mine “Kernl Example Plugin”.

Feature Flags Add Product Modal

After you click save, you’ll see the new product at the bottom of your feature flag product list.

Feature Flags Created product in product list

Now here is something important! See the “key” next to your product’s name? You’ll need it to instantiate the WPFeatureFlags class. Go ahead and copy it to your clipboard now.

Next up, let’s add a simple feature flag for the new setting we’re adding. This is the thing that will control visibility for all of our users. Click “Manage Flags” in the product menu, and then click the “Add Flag” button. You’ll be presented with this screen.

Add / Edit Feature Flags screen

All the options look straightforward, but let’s go over them anyway.
  • Active – Whether this feature is toggled on or off for everyone.
  • Name – A descriptive name. I’m filling this in with “General Setting Checkbox Example”.
  • Identifier – This is how we identify the flag in code, so I like to make it short and easy to understand. I’ll be using “GENERAL_SETTINGS_CHECKBOX”.
  • Flag Type – Kernl has 3 different types of feature flags for your enjoyment.
    • On/Off – As expected, this toggles the feature on and off for every user. No granularity here, but super useful for quickly disabling things. We’ll be starting with this flag.
    • Individual – You can select specific users that a feature will be toggled on for. This is what we’ll be using eventually, but there are some caveats that come with it.
    • Percentage – Kernl will roll out your feature to a percentage of your user base. Nice if you don’t want to specify individual users, but also don’t want the feature turned on for everyone.

Edit feature flags example

When things are filled out, press save and get ready to move on.

Now that we have our feature flag created, let’s instantiate the WPFeatureFlags class and wrap our code.

<?php
/**
* Plugin Name: Kernl Example Plugin
* Plugin URI: https://kernl.us
* Description: The Kernl Plugin for testing.
* Version: 3.3.0
* Author: Jack Slingerland
* Author URI: http://re-cycledair.com
*/
require 'plugin_update_check.php';
require 'WPFeatureFlags.php';

$MyUpdateChecker = new PluginUpdateChecker_2_0 (
  'https://kernl.us/api/v1/updates/5544bd7e5b8ae0fc1fa5e7a5/',
  __FILE__,
  'kernl-example-plugin',
  1
);

// We add the feature flag code inside the admin_init callback
// so that we have access to who the current user is.
function feature_flagged_settings_api_init() {
  // The feature flag product key. Remember the key I said you should
  // copy to your clipboard? This is it.
  $kernlFeatureFlagProductKey = '5a24035ee48da05271310a71';

  // The user identifier is how Kernl identifies the user requesting flags.
  // This should be unique for every user.
  $current_user = wp_get_current_user();
  $user_login = $current_user->user_login;
  $site_url = get_site_url();
  $userIdentifier = "{$site_url} - {$user_login}";

  $kff = new kernl\WPFeatureFlags($kernlFeatureFlagProductKey, $userIdentifier);

  // This says "For the product defined above, does this flag exist, and if so,
  // is it active for the given user?".
  if ($kff->active("GENERAL_SETTINGS_CHECKBOX")) {
    add_settings_section(
      'feature_flagged_setting_section',
      'Feature Flag Example Settings in General',
      'feature_flagged_setting_section_callback_function',
      'general'
    );

    add_settings_field(
      'feature_flag_setting_name',
      'My Feature Flag Setting',
      'feature_flag_setting_callback_function',
      'general',
      'feature_flagged_setting_section'
    );

    // The option group must match the page the field lives on ('general'),
    // otherwise options-general.php will not save the option.
    register_setting( 'general', 'feature_flag_setting_name' );
  }
}

add_action( 'admin_init', 'feature_flagged_settings_api_init' );

function feature_flagged_setting_section_callback_function() {
  echo '<p>This section is hidden completely behind a Kernl Feature Flag.</p>';
}

function feature_flag_setting_callback_function() {
  echo '<input name="feature_flag_setting_name" id="feature_flag_setting_name" type="checkbox" value="1" class="code" ' . checked( 1, get_option( 'feature_flag_setting_name' ), false ) . ' /> This checkbox is hidden behind a feature flag.';
}

?>
Now that we have the feature flag in our code, let’s talk about some of the optimizations the WPFeatureFlags library has. One of the nice things about WordPress and PHP is that the code itself is stateless, meaning that without some storage mechanism (MySQL, Redis, Memcache) the entire page and all of its data is rebuilt from scratch on every request. This is great for fast development cycles but not always for performance.

The WPFeatureFlags library helps with performance by storing the flags for a given user as a WordPress transient for 5 minutes. This way repeated page requests by a user don’t constantly call Kernl and introduce network latency on the request. Kernl’s feature flag API is heavily cached, but it’s better for the end user if flags are served out of your own store. What this means for you is that your users may not see changes for up to 5 minutes when you toggle a flag on/off. This is usually fine, but if you need shorter or longer intervals you can use the API directly.

That being said, go ahead and toggle the feature flag off in Kernl. In 5 minutes (or less) you’ll see the setting disappear from the admin. No code deploy needed. “That’s great!” you say, but what about beta program management? Easy. Let’s change this flag to an “individual” flag.
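A hardened variant of the instantiation above, added here as an example that is not part of the post or of the WPFeatureFlags library. The identifier sent to Kernl is an HMAC of the user ID under a per-site salt instead of the raw “{site_url} - {user_login}”, so no login names leave the server, and the flag lookup fails closed when the user is anonymous or the lookup throws. The kernl\WPFeatureFlags class and its active() method are the ones used in the post; everything prefixed kep_ and the product key placeholder are this example’s own.

```php
<?php
// Added example (not from the post or the WPFeatureFlags library): an opaque,
// per-site user identifier for Kernl feature flags plus a fail-closed check.
require 'WPFeatureFlags.php';

// Replace with the key shown next to your product in Kernl's feature flag list.
define( 'KEP_FLAG_PRODUCT_KEY', 'KERNL_PRODUCT_KEY_PLACEHOLDER' );

// Stable per-user identifier that reveals neither the login nor the email.
// hash_hmac is keyed with wp_salt('auth'), which is unique to this install, so
// the value cannot be mapped back to a user without access to wp-config.php.
function kep_flag_identifier_for( $user_id ) {
    $material = get_site_url() . '|' . (int) $user_id;
    return substr( hash_hmac( 'sha256', $material, wp_salt( 'auth' ) ), 0, 32 );
}

// Returns true only when the flag exists, is active and applies to the current
// user. Anonymous visitors and lookup failures both yield false (fail closed),
// so a Kernl outage or an exception cannot accidentally expose a beta feature.
function kep_flag_is_active( $flag_identifier ) {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    try {
        $kff = new kernl\WPFeatureFlags(
            KEP_FLAG_PRODUCT_KEY,
            kep_flag_identifier_for( get_current_user_id() )
        );
        return (bool) $kff->active( $flag_identifier );
    } catch ( Exception $e ) {
        error_log( 'Feature flag lookup failed: ' . $e->getMessage() );
        return false;
    }
}

// Because Kernl now only sees opaque identifiers, show the identifier on the
// user profile page so an administrator can pick the right beta user when
// configuring an "Individual" flag.
function kep_show_flag_identifier( $user ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<h2>Feature flags</h2><p>Kernl identifier: <code>'
        . esc_html( kep_flag_identifier_for( $user->ID ) ) . '</code></p>';
}
add_action( 'show_user_profile', 'kep_show_flag_identifier' );
add_action( 'edit_user_profile', 'kep_show_flag_identifier' );

// Usage inside the post's admin_init callback, replacing the inline check:
//   if ( kep_flag_is_active( 'GENERAL_SETTINGS_CHECKBOX' ) ) {
//       add_settings_section( /* ... as in the post ... */ );
//   }
```

Kernl’s “Individual” picker will list the hash rather than the login, so match it against the value shown on the user’s profile page; the caveat that Kernl must have seen the user first still applies.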

Create an individually targeted feature flag

The video below shows you how to create an individually targeted feature flag. It’s the same as the on/off flag, except that you get to pick which users see the feature. One caveat with this is that if Kernl hasn’t seen the user yet we can’t target them. Why? Because we don’t know how to identify a user that we haven’t seen. If you want to target an individual user without having identified them yet, you would need to register them manually.

Now that the flag is targeted at an individual, that selected person will be able to see the menu setting. This is a contrived example, but you can see how this can be easily expanded to running a beta program. The best part is that you don’t need to have multiple versions of your plugin/theme out there. You can simply release one version, and toggle on features for specific people. In the future Kernl will support making groups of users so managing beta programs will be even easier!

If you have questions feel free to drop them in the comments!

Further Reading on Feature Flags

There’s a lot of great reading out there on feature flags and their uses. If you’re looking for more information about them, I highly recommend these resources.

Introducing WordPress License Management with Kernl

For the past several years Kernl has been trusted with securing access to many people’s hard work via our license management system. We recently re-imagined our entire WordPress license management system, so we want to introduce it to you.

WordPress License Management

If you’ve ever sold a plugin or theme out on the open market, worrying about your plugin getting pirated is often at the top of your mind. One way to mitigate some of that risk is to use a license management solution. Kernl’s new license management system allows you to restrict access to your plugin or theme by forcing customers to activate before functionality is enabled. We can also check license codes before updates to your plugin or theme are downloaded, allowing you to restrict how many free upgrades a customer receives.

To summarize:

  • Kernl allows you to manage license keys for your product.
  • Kernl will restrict the number of updates a license is allowed to download for your product.
  • Kernl has a REST API that can allow you to restrict usage of your plugin until a license has been activated.

License Management Example

So how might you use Kernl’s WordPress license management? An example will illustrate this best.

The example above has a function to validate if a user’s license is valid. This can be used anywhere in your code to expose functionality only if the Kernl license is valid.

Restricting Update Downloads with WordPress License Management

If you would like to simply prevent your customers from downloading updates to your plugin or theme for free, just add the license parameter when you instantiate the Kernl update check class. This works the same for both plugins and themes.

The only difference between the sample above and a normal Kernl update instantiation is the inclusion of the ‘license’ property, which tells which license to try and validate with.

Going Forward

Want to give Kernl WordPress license management a try? Check out https://kernl.us and sign up. It’s free for 30 days and doesn’t require a credit card! In addition to license management and updates, we also have some great features like WordPress continuous deployment and feature flags.

Private Premium Plugin Updates with Kernl.us

If you’ve ever created a plugin for WordPress and wanted to sell it, you’ve likely run into the problem of delivering updates to your customers. Agencies and internal developers run into this problem as well. You can’t upload your plugin to the WordPress.org repository because then it will be free for everyone, but you still really want integrated update functionality.

Kernl.us is a SaaS product that helps solve this problem (and so many others!). Kernl allows you to distribute updates to your premium plugin automatically using the built-in WordPress update functionality. So how does it work?

  1. Sign up for Kernl
  2. Create an entry for your plugin in Kernl
  3. Add 2 lines of code to your plugin.
  4. Upload your plugin to Kernl and then distribute it to your customers

Let’s dive in and see how this works!

Creating a Plugin in Kernl

After you’ve signed up for Kernl, the first step to configure seamless automatic updates is to create a plugin entry in Kernl. To do so, click the “Plugins” button in the left-hand menu.

Next, click the “Add Plugin” button.

The next step is easy. Just enter the name, slug, and description of your plugin then press “Save”.

Adding Kernl Update Code

Now that you have a plugin entry in Kernl, you can add the Kernl update code to your plugin. Download the Kernl plugin update code from https://kernl.us/static/php/plugin_update_check.php and place it in the root directory of your plugin. Next, take note of the UUID of the plugin that you just created.

In your plugin’s main file, add the following code:

require 'plugin_update_check.php';
$MyUpdateChecker = new PluginUpdateChecker_2_0 (
    'https://kernl.us/api/v1/updates/MyUuidFromKernl/',
    __FILE__,
    'kernl-example-plugin',
    1
);

Replace “MyUuidFromKernl” with the UUID of the plugin you just created.

Uploading Your Plugin to Kernl

Now that you have Kernl inside of your plugin you need to zip it up. At the folder level, go ahead and zip the plugin using the zip tool of your choice.

If you were to extract your plugin, it should look like:

/my-plugin-slug
   plugin_update_check.php
   functions.php
   someOtherFile.php

If it looked like this (notice there is no nesting), Kernl will not work:

plugin_update_check.php
functions.php
someOtherFile.php

Take your plugin and click “Add Version” inside Kernl.

Next enter the version number (of the format MAJOR.MINOR.PATCH, ex 1.4.14), select the zip file you just created, and press “Save”.

Distribute Your Plugin

Now that Kernl has this version of your plugin, feel free to distribute this ZIP file to your customers. If you ever need to release an update, just make your code changes, zip them up, and upload the new version to Kernl. Within 30 seconds the update will be visible to your customers at which point they can download it!

Kernl: Important BitBucket Changes

It came to my attention that the way BitBucket handles deployment keys has changed. Until recently the same deployment key could be shared across multiple repositories. That rule has been changed and now each repository requires a unique deployment key. So what does this mean for you? You’ll need to take a few steps to make sure that your “push to build” functionality continues to work as you expect it to.

  1. I’ve deployed changes that allow you to add unique deployment keys to all of your repositories. For those of you with a lot of repositories this is going to be pretty tedious, but in the end it will give you greater access control to your repositories. Documentation for adding deployment keys can be found at https://kernl.us/documentation#deploy-key , but you likely won’t need it. Just go to “Continuous Deployment” and then click “Manage Deployment Keys” (if you don’t see that button, hard refresh).
  2. Starting tomorrow (February 21, 2017) at 7pm EST, access with the old Kernl deployment key will be cut off. From this point forward only the new deployment keys will be able to access your repository.
  3. After February 21, 2017 @ 7pm EST you can delete the old Kernl deployment key from your repositories. If you do it before then your builds will fail.

Sorry for the short notice and inconvenience of this change, but it’s necessary to make sure that all customers are able to deploy continuously with Kernl. If you have any questions or concerns about this change, please reach out. And once again, sorry for this inconvenience!