
ISSUE 17.28.0 • 2020-07-20

The AskWoody PLUS Newsletter

In this issue

BEST UTILITIES: Freeware Spotlight — Antivirus Removal Tool

LANGALIST: Sometimes, Wi-Fi just won’t fly

PATCH WATCH: July’s Outlook Click-to-Run update lays an egg

SMALL BUSINESS: Six steps for securing your WordPress site


Best Utilities

Freeware Spotlight — Antivirus Removal Tool

By Deanna McElveen

One of the lesser-known causes of poor PC performance is the detritus left behind by uninstalled anti-malware programs.

Our shop regularly receives PCs whose owners have removed antivirus programs properly — but services and processes for those apps are still running!

Most anti-malware vendors offer free tools for cleaning out leftover bits and pieces. But why should we have to take this extra step? Why not include a complete uninstall process right from the start? It’s really annoying!

As you probably know, I love independent software developers who make things easier for us geeks. One of those talented coders — who goes by the name “Alex C” — has given us the indispensable Windows Repair Toolbox. I can’t imagine not having WRT in my diagnostic toolkit (on a flash drive, of course).

Now Alex gives us the Antivirus Removal Tool, a free utility that you can also run from a flash drive. It has the 29 most common antivirus-removal tools built into one utility. Here’s the list:

  • Adaware
  • Avast
  • AVG
  • Avira
  • BigFix
  • Bitdefender
  • Comodo
  • Dr.Web
  • Emsisoft
  • eScan
  • ESET
  • F-Secure
  • G DATA
  • K7 Computing
  • Kaspersky
  • Malwarebytes
  • Max Secure
  • McAfee
  • Microsoft Security Essentials
  • Norton
  • Panda
  • Symantec Endpoint Protection
  • Trend Micro
  • Total Defense
  • TrustPort
  • VIPRE
  • Webroot
  • WinPatrol
  • ZoneAlarm

Now here’s the cool part! You don’t need to know which antivirus apps were previously installed — Antivirus Removal Tool (ART) will find them for you.

Grab a copy from our OlderGeeks website and unzip it to your PC or flash drive. Right-click the executable and run as an administrator (that’s important).

When ART opens, you’ll see four simple sections on the single ART window:

1) Find current AV applications: The utility automatically scans for working anti-malware applications and displays those it finds (see Figure 1).

Figure 1. Antivirus Removal Tool shows that AVG Antivirus is running on my system.

2) Find the leftovers: Click the Search button; ART scours the system for remnants of previously installed AV products and then lists what it discovers (see Figure 2).

Figure 2. In this example, ART found pieces of McAfee AV scattered about.

3) Try the traditional Windows method: If ART locates pieces of “uninstalled” AV apps, you then have two choices for removing them. Clicking the Open Windows “Add/Remove Programs” button in Section 3 (see Figure 3) lets you try Windows’ built-in uninstall system. But since it probably didn’t do a complete job previously, what are the odds it’ll do better the second time around? 😂

Figure 3. Click the “Open Windows … ” button if you want to try to remove an anti-malware app with Windows.

4) Use the right tool for the job: If there are pieces of an AV app left on the system, you’re better off trying one of the custom removal tools listed in Section 4, Run the specialized uninstaller (see Figure 4). ART should automatically select the right cleaner. But if it doesn’t, simply click the dropdown box and pick the appropriate tool from a list of AV products.

Figure 4. Section 4 lets you select a more robust uninstaller tool.

Figure 5. A partial list of anti-malware products that ART can scrub from a PC

To complete a cleaning, click the Run button and follow any prompts. Figure 6 shows the working tool for removing the McAfee product.

Figure 6. ART launched McAfee’s specialized cleaning tool.

The program comes in eight languages (English, French, German, Italian, Portuguese, Russian, Simplified Chinese, and Spanish). And as always, ART is free of charge and free of junkware. And it’s portable. Everything we love!

Happy Computing!

Questions or comments? Feedback on this article is always welcome in the AskWoody Lounge!

Deanna and Randy McElveen are celebrating over 20 years in the computer business, ten years running OlderGeeks.com, and more than 26 years of putting up with each other. Their computer store is in a small town in the Missouri Ozarks. Believing that happy customers are always the best advertisement, they hope to do it for another 20 years.


LANGALIST

Sometimes, Wi-Fi just won’t fly

By Fred Langa

Steel-framed walls in the Langas’ new apartment made Wi-Fi connections ludicrously slow and unusable in the home office.

The router’s “SON” (self-organizing network) features didn’t help. But a hardware end-run — gigabit-speed powerline network adapters and a 5G smartphone-powered hotspot — got the office communicating again.

Welcome to my Faraday cage

Hooo boy, this was not good.

A few days into moving house, I’d unpacked my most important office gear and set up my desk and laptop in their permanent place. (If you missed the two earlier articles on my moving experience, see “Tech insights from relocating home and office,” AskWoody Plus 2020-07-06, and “‘Moving house is great fun,’ said no one ever,” AskWoody Plus 2020-07-13.)

When the technician from Verizon Fios finished pulling cables and had my router connected to the outside world, I set up my Wi-Fi just as I had in my previous office. I then ran the usual tests to make sure all was working properly.

It wasn’t! Not even close!

Due to the vagaries of apartment wiring, my router had to live in my living room. My office is in an adjacent room, with my desk and laptop literally just six feet (two meters) away from the router — but separated by an interior wall.

Unfortunately, that wall, framed with steel studs, acts like a Faraday cage, blocking most of the Wi-Fi signal on both the 2.4GHz and 5GHz bands.

On the router side of the wall, I could get a roughly 100 Megabits per second (Mbps) wireless connection (both receive and transmit) with a Wi-Fi 5 (formerly known as “802.11ac”; see references below) connection.

However, on the office side of the wall, the connection speed dropped to a paltry 6Mbps for downloads and 585Mbps for uploads. Figure 1 shows Win10’s Network Status for the severely attenuated connection. (Some values blurred for privacy.)

Figure 1. Just one interior wall cut the download speed from 100Mbps to 6Mbps!

I’d expected some drop-off in speed, but this was ridiculous.

To troubleshoot the performance hit, I started by resetting the router to factory defaults and then rebuilt the connections from scratch. I tried different channels and bands, with and without the router’s built-in “SON” features (Wikipedia info). I also tried moving the router to various locations along the living room wall, placing it at different elevations and in different orientations. But nothing helped much — the connection speed remained abysmal.

The office side of the connection offered few options. My standing desk (with laptop) would fit in only one location and orientation. And because my new home is an apartment, I didn’t want to drill holes in the wall — or have an Ethernet cable snaking along the floor and through a doorway.

I ruled out placing a Wi-Fi repeater or extender in the office because those devices would still have to receive a usefully strong signal to amplify or redistribute. A 6Mbps connection was just too anemic.

Hotspot as temporary solution: Oddly, the steel framing did not affect the 5G cellular signal to my smartphone — even in the office. So as a short-term expedient, I set up my phone’s hotspot feature and used its Wi-Fi 4 (802.11n) signal as a bridge between my laptop and the Internet. That combination produced better performance — much better! I now had a symmetric 144Mbps local link, up and down. (See Figure 2.)

Figure 2. My phone’s 5G connection, shared via temporary hotspot, yielded much better Wi-Fi speeds in the office.

But that wasn’t a viable long-term solution. Aside from the complications of using a smartphone-based hotspot whenever I was working in the office, cellular connections can be highly variable, depending on uncontrollable external factors such as weather (e.g., “rain fade”; info) and how many other people are pumping data through the same cell tower. There are also additional security concerns with broadcast (wireless) connections as opposed to hardwired.

So I still wanted a hardwired broadband connection to the router for better security and privacy, and for more reliable speed.

Some head-scratching ensued … until I remembered powerline networking, a technology that lets you use your home’s internal AC wiring as a conduit for Ethernet signals. You simply plug two or more small powerline adapters into convenient electrical sockets (Figure 3) and then connect Ethernet cables from the adapter to a router, notebook, desktop, printer, or other digital device.

Figure 3. A powerline network adapter safely sends Ethernet over ordinary, unmodified electrical wiring.

This technology isn’t new, but over the years powerline adapters have become faster, more reliable, and more secure.

These boxes convert standard Ethernet data packets into high-frequency, encrypted signals that ride over standard electrical wiring. There’s typically no interference between data signals and the electrical current. Your common electrical appliances shouldn’t notice the Ethernet signal, either.

So I bought a pair of TP-LINK powerline adapters (there are many other brands and models to choose from; examples). Using a short Ethernet cable, I connected one box to the local, firewall-protected side of my router and plugged the adapter into a nearby AC socket. I plugged the other adapter into an outlet in the office and connected it to my laptop’s Ethernet port.

Presto! Win10 verified that my laptop’s local link now had 1,000Mbps available — a full 1 gigabit per second (see Figure 4). That’s the rated speed of my current router, so the powerline adapters are delivering 100 percent of the router’s potential LAN speed. Excellent!

Figure 4. Powerline networking provides a full 1Gbps local link to my router.

I’ve now turned off my laptop’s Wi-Fi; the powerline network is my office’s primary connection to the router — and to the outside world. If that connection goes down for any reason (say, Verizon suffers an outage), I can quickly switch to a T-Mobile 5G smartphone-powered hotspot as a backup. The odds are slim that both networks would go down at the same time. And either setup can provide fully adequate speeds for my home office needs.

I can now wave goodbye to the ludicrous 6Mbps Wi-Fi in my little Faraday cage of an office!

More on powerline networking

This technology can be an excellent way to get online from places where Wi-Fi won’t work, and where you can’t — or don’t want to — run a standard network cable. Here’s some additional info on this topic:

Send your questions and topic suggestions to Fred at fred@askwoody.com. Feedback on this article is always welcome in the AskWoody Lounge!

Fred Langa has been writing about tech — and, specifically, about personal computing — for as long as there have been PCs. And he is one of the founding members of the original Windows Secrets newsletter. Check out Langa.com for all of Fred’s current projects.


PATCH WATCH

July’s Outlook Click-to-Run update lays an egg

By Susan Bradley

Yes, it’s a bit macabre, but I affectionately call the day after Patch Tuesday “dead-body Wednesday.”

I coined that term because Wednesday morning is when we get to see whether our systems survived the updates installed the night before. (These are, of course, my test platforms; I would never subject my production machines to immediate/automatic updating.)

There’s always some anticipation as to which Windows or Office component will be wounded by an update. This time around, it was Outlook’s turn to be placed on the life-support list. As Woody posted on the AskWoody home page, if you were running the Click-to-Run version of Office on the “Current Channel” (aka “Monthly Channel”), you probably discovered on Wednesday that Outlook wouldn’t open.

Here’s the interesting part: The Click-to-Run version of Outlook was down worldwide for approximately four hours — and the failure was not caused by a faulty patch. To add to the mystery, Outlook started working again later in the day. We’re still waiting for an official explanation from Microsoft, but the whispers suggest a server issue at MS Central.

Even more interestingly, those of us who had switched to the slower Enterprise Channel (formerly the Semi-annual Channel — yes, I know it’s confusing) were scratching our heads and wondering what the fuss was about. My Outlook, and those of my co-workers, never went down. We didn’t have to roll back Outlook to a prior version (one of the suggested workarounds), set up a new profile (another more-painful option), or use the Web version of Outlook to view our email.

In my case, that was a very good thing. In the U.S., Wednesday was the income tax–filing deadline (pushed out from April 15 due to the pandemic). Trust me, I would’ve heard screams from my co-workers if they suddenly could not access their email. It also justifies my switch to the slower patching channel. I still receive security updates every month, but new features are deferred for a while, making it less likely my office will be clobbered by events such as Wednesday’s.

Checking your channel is easy, switching channels … not so much. To check, open any Office application and click File/Account. The channel you’re running under will be listed in the About [Office app] section.

If you want to switch to the Enterprise updating channel, Mark Berry posted an excellent recap of the process. (IT consultants will probably want to pre-set the patching channel you want.) I’ve successfully made this change on various Office versions, ranging from Home editions to those offered by GoDaddy and other hosting sites. A more drastic alternative is to disable Office updating — but you must remember to turn it back on in a few weeks to accept updates. (At some point, you really must add offered patches.) Personally, I’ve found that the slower patching channel works well and causes fewer bumps over time.

My monthly Windows 7 updating warning: If you purchased one or more Win7 Extended Security Update (ESU) keys, here’s a heads-up.

When some users installed July .NET Framework security updates KB 4566517 or KB 4566466, they received the error message “Install failure with Error: 0x643 or error code 1603.” Remarkably, Microsoft has acknowledged the problem and reported it’s working on a fix. When I see a resolution posted, I’ll let you know.

Microsoft wants to make you an offer. The masses running “unmanaged” PCs — i.e., there’s no corporate patching wall between you and Mothership Redmond — are likely to see two offers: Windows 10 2004 and the Chrome version of MS Edge. I still suggest keeping Win10 2004 at bay until further notice. I can tell from the lists of fixes that Microsoft is still busy working through both introduced and reintroduced bugs. For example, Microsoft’s July update information page notes the following (edited for brevity):

  • Addresses an issue in certain apps that use the ImeMode property to control Input Method Editor (IME) mode in Windows 10 Version 2004. For example, this issue prevents input mode from automatically switching to Full-width Katakana mode, Full-width Alphanumeric mode, or Full-width Hiragana mode. For more information, see KB 4564002 and the blog post “Getting the May 2020 Update Ready for Release – UPDATED.”
  • Addresses an issue that might prevent using PowerShell to change the system locale on Server Core platforms.
  • Addresses an issue that might cause certain games and applications to have visual distortion when resizing in windowed mode or switching from full-screen to window mode.
  • Addresses an issue that might cause lsass.exe to fail with the error message “A critical system process, C:\WINDOWS\system32\lsass.exe, failed with status code c0000008. The machine must now be restarted.”
  • Addresses an issue that might prevent some applications from printing documents that contain graphics or large files after installing Windows updates released June 9, 2020.
  • Addresses an issue that might prevent you from connecting to OneDrive using the OneDrive app. This occurs on some older devices or on devices that have older apps that use legacy file system-filter drivers. As a result, this might prevent these devices from downloading new files or opening previously synched or downloaded files.

I still don’t think there’s a truly compelling reason for upgrading to Version 2004 at this time — other than being forced to because you’re running an unsupported Win10 release. Given that Win10 1909 will be fully supported for many months to come, I’m staying on that version. (Microsoft now makes it difficult to upgrade to Versions 1903 or 1909.)

Go Chromium: On the other hand, I do recommend accepting the patch that installs the Chromium-based edition: KB 4559309. The new Edge has good compatibility with Internet sites and applications and will likely be more secure than the original Edge. I find that it just works better. Download KB 4559309 if it’s offered or grab a copy online.

These days, I keep several browsers on my computers. If one doesn’t work well for a particular task, I switch to another one. If you’re looking for a browser with a high level of privacy, check out Brave.

A note on microcode updates: Recently, an AskWoody member wondered why I seldom call out these fixes for Intel processors, delivered via Microsoft. I confess to skipping over this topic for the most part. I can only say that I rarely see these updates offered on my machines. There are many different CPUs in use, and microcodes typically target specific hardware. Perhaps I’ve been a bit lax covering them. If so, my apologies.

That said, I have a slight problem with microcode security update KB 4497165. I’ve yet to see an actual attack on the types of systems that you and I typically use. The high level of sophistication needed for the “side-channel” exploits addressed by the patch just isn’t going to be used by malicious hackers against individuals. An attacker is still likely to take the much easier social-engineering and phishing path. Moreover, installing microcode patches can result in performance hits. So I’m really on the fence as to the benefits of these updates.

On the other hand, if you’re the network administrator for a defense department or say … an admin at Twitter, then yes, you really do need to install all microcode patches — along with checking that the firmware on your systems is fully up to date.

Here’s some good news about the July updates: they fix the printing problem that cropped up last month. (The alternative was to grab the hotfix from the Microsoft Update catalog.)

That DNS threat: If you follow tech news carefully, you probably read about a Domain Name System vulnerability. As Woody pointed out, this is a problem mostly for network administrators and IT consultants. Moreover, there are no reports of active attacks. Still, Microsoft sent out a security alert recommending that domain controllers need to be fixed as soon as possible. (This is probably the only July update I’ll recommend fast-tracking.)

July’s list of Win7 vulnerabilities

If you have a Windows 7 ESU subscription, there’s an issue with some properly licensed machines: they might fail to install the .NET Framework update. Microsoft is aware of the problem and is reportedly working on a fix. Stay tuned.

For those running unprotected Win7 systems, here’s the list of new threats. (See also the cumulative list on the AskWoody Master Patch List page.)

Remember, you can still purchase ESUs for Win7 Pro PCs via Amy Babinchak’s Harbor Computer Services form.

Here are the latest threats that are patched in July:

Denial of Service: This form of attack keeps a system too busy to complete normal processes.

  • CVE-2020-1267 – Local Security Authority Subsystem Service (LSASS)

Elevation of privilege: These exploits let malicious hackers acquire admin rights on targeted machines. Typically, the attacker must sign in directly, install a bogus app, and then trick a user into running it. Large businesses have the highest risk.

Information disclosure: Used by attackers to steal information stored in a computer’s memory. Typically combined with other exploits.

Remote-code execution: The most dangerous form of exploit, it lets attackers take control of systems. Typically, users must be tricked into opening malicious websites, image files, fonts, etc.

Remember: Don’t put your personal information and/or business at risk. If you must use Win7, get an ESU subscription (more info) or, at the very least, use the 0patch service.

July patching summary

If you use MS Edge — or even if you don’t — download the new Chromium-based Edge browser. I think you’ll like it.

What to do: It’s the standard drill: Defer Windows and Office updates for at least two weeks. By then, any rotten fruit should have dropped from the patching tree. Win7 users possessing ESU subscriptions must have any needed servicing-stack updates in place in order to complete the patching process. (Look for our history of Microsoft patches in our online Master Patch List documents.)

Windows 10

Servicing-stack updates

  • 4566785 for Version 2004
  • 4565554 for Version 1903 and 1909
  • 4558997 for Version 1809 and Server 2019
  • 4565552 for Version 1803
  • 4565553 for Version 1709
  • 4565551 for Version 1703
  • 4565912 for Version 1607 (Long-Term Servicing Channels) and Server 2016

Cumulative updates

  • 4565503 for Version 2004
  • 4565483 for Version 1903 and 1909
  • 4558998 for Version 1809 and Server 2019
  • 4565489 for Version 1803 (Enterprise and Education editions only)
  • 4565508 for Version 1709 (Enterprise and Education editions only)
  • 4565499 for Version 1703 (Long-Term Servicing Channels)
  • 4565511 for Version 1607 (Long-Term Servicing Channels) and Server 2016

.NET Framework for Windows 10

  • 4565627 for Version 2004
  • 4565633 for Versions 1903 and 1909
  • 4566516 for Version 1809 and Server 2019
  • 4565631 for Version 1803 (Enterprise and Education editions only)
  • 4565630 for Version 1709 (Enterprise and Education editions only)
  • 4565629 for Version 1703 (Long-Term Servicing Channels)
  • 4565628 for Version 1607 (Long-Term Servicing Channels) and Server 2016

Windows 8.1/Server 2012 R2

  • 4566425 – Servicing-stack update
  • 4565541 – Monthly rollup
  • 4565540 – Security-only
  • 4565479 – Internet Explorer 11 (install with the security-only update)
  • 4566519 – Monthly .NET rollup
  • 4566468 – Monthly .NET security-only

Windows 7/Server 2008 R2 SP1

Before attempting to install the July updates, be sure you have June servicing-stack update KB 4562253 installed (you can get it at its Microsoft Update Catalog download page). Otherwise, July’s patches won’t show up. You’ll also need July’s servicing-stack update KB 4565354 in place to receive August fixes. (It should show up after installing the July updates.)

  • 4565524 – Monthly rollup
  • 4565539 – Security-only
  • 4565354 – Servicing-stack update (installs after quality updates)
  • 4565479 – Internet Explorer 11 (install with the security-only update)
  • 4566517 – Monthly .NET rollup
  • 4566466 – Monthly .NET security-only

Server 2012

  • 4566426 – Servicing-stack update
  • 4565537 – Monthly rollup
  • 4565535 – Security-only
  • 4565479 – Internet Explorer 11 (install with the security-only patch)
  • 4566518 – Monthly .NET rollup
  • 4566467 – Monthly .NET security-only

Windows Server 2008 SP2

  • 4565353 – Servicing-stack update
  • 4565536 – Monthly rollup
  • 4565529 – Security-only
  • 4565479 – Internet Explorer 11 (install with the security-only patch)
  • 4566520 – Monthly .NET rollup
  • 4566469 – Monthly .NET security-only

Office security and non-security updates

July’s batch of security updates:

Office 2016

Office 2013 SP1

Office 2010 SP2

The following Office non-security enhancements and fixes should also be deferred on production systems.

Office 2016

  • 4484174 – Office; Peek view fails in Outlook
  • 4484326 – Skype for Business; various fixes
  • 4484437 – Excel; scrolling issues when sharing with Teams
  • 4484439 – Office; Hangs or delays when opening Word docs, time-display errors

Office 2013 SP1

  • 4484349 – PowerPoint; Business bar display enhancements/fixes
  • 4484442 – Office; Business bar display fixes

These days, more than ever, stay safe out there.


In real life, Susan Bradley is a Microsoft Security MVP and IT wrangler at a California accounting firm, where she manages a fleet of servers, virtual machines, workstations, iPhones, and other digital devices. She also does forensic investigations of computer systems for the firm.


SMALL BUSINESS

Six steps for securing your WordPress site

By Nathan Segal

There’s a good reason WordPress is the foundation for many small-business websites: it’s comprehensive, flexible, and relatively easy to use.

But poor security practices also make these sites popular targets for malicious hackers. Fortunately, there are tools for protecting your WordPress-based assets.

To make sure I have WordPress security set up correctly, I spoke with FortiPress creator Brandon Zundel, a WordPress security expert. Here are his suggestions.

1. Passwords: We all know that robust security always starts with strong passwords. But you might be surprised at the number of WordPress sites that use “admin” for administrator sign-ins.

Ideally, admin credentials are at least 30 characters long and contain a mix of numbers, lower-case/upper-case letters, and special characters. LastPass is a good choice for creating virtually unbreakable passwords. However, WordPress’s user-profile screens also include a password generator (Figure 1). And with free plugins, you can apply settings in WP to enforce strong credentials (Figure 2).

Figure 1. The password generator in WordPress user profiles

Figure 2. The iThemes Security plugin includes a suite of security tools — including enhanced password management.

Another step for securing admin credentials is adding two-factor authentication (2FA). WordPress.org offers a free plugin that can help protect your website from password hacks such as automated guessing and brute-force attacks. The plugin also supports mobile 2FA apps such as Google Authenticator.

2. Plugins: Make sure all your WordPress plugins are fully up to date. Malicious hackers have been known to exploit insecure versions.

Note that WordPress.org does not guarantee that the themes and plugins in its vast repository are free of vulnerabilities. But if a security flaw is found in a plugin, the organization states it will either work with the developer to patch the vulnerability, or it’ll pull the plugin from the public directory (more info).

3. Backups: Set up a schedule for backing up your site. Two good plugins for that task are BackupBuddy (USD $80 and up) and UpdraftPlus (free and paid; Figure 3). Just be sure you back up both the WP database and the site files. Backup plugins can also be used to move your WordPress site to another host.

Figure 3. UpdraftPlus is one of the better WordPress site-backup plugins.

For added security, store your backup files on a cloud service such as Google Drive, Dropbox, MS OneDrive, or Amazon S3.

4. Install Wordfence: This free/paid plugin adds enhanced security via a special firewall and malware scanner. When you install it, you’ll see the setup screen shown in Figure 4. With the free version, you will, of course, also get a pitch to upgrade to the paid Premium edition.

Figure 4. Wordfence starts with a simple setup window.

Purchasing Wordfence Premium adds real-time updates, country blocking, spam checking, and other enhanced features. Still, most small-business installations can get by with the free edition.

With Wordfence installed, look for its heading in the WordPress dashboard. Among the options below Wordfence is All Options — click it to bring up a new window with a long list of configuration options. Scroll down to the Scan Options section and then look for General Options. Click to open it.

In the list of settings, ensure that Scan theme files against repository versions for changes and Scan plugin files against repository versions for changes are both checked, as shown in Figure 5. (They’re typically not enabled by default.) According to Brandon, these two options are crucial because they check that your installed Wordfence edition is fully up to date.

Figure 5. Checkmark these two settings to keep your copy of Wordfence current.

Also under the general options, enable Update Wordfence automatically when a new version is released. And under the Brute Force Protection section, enable Block IPs who send POST requests with blank User-Agent and Referer.

With configuration done, return to the WordPress dashboard and click the Scan link under Wordfence. If you see any PHP errors, contact your web-hosting service for help. (In order to send security notifications, Wordfence must be able to complete scans.)

Figure 6 shows an example scan-results screen. In this case, Wordfence found nine potential problems. You can choose to DELETE ALL DELETABLE FILES or REPAIR ALL REPAIRABLE FILES.

Figure 6. In this scan, Wordfence found nine WordPress problems.

Warning: If you choose the Repair option, you’ll receive the message: “Are you sure you want to repair? Do not repair files on your system unless you’re ABSOLUTELY sure you know what you’re doing.” If that’s a bit scary, choose CANCEL and contact either your web host or a Wordfence agent for support — or contact Brandon via the above FortiPress link.

5. Install iThemes Security: This plugin adds over 30 security tools for WordPress admins. When you first launch the plugin, it might immediately pop up the Security Check option (see Figure 7) that can automatically enable recommended settings. Don’t check the box for “Enable Security Check Pro … .” Just click Close and then click the Settings link under Security on the WP dashboard (Figure 8).

Figure 7. The list of recommended iThemes settings

Figure 8. iThemes settings are grouped under one screen. Click All at the top of the window to see the full list.

Next, run through the following settings changes:

Global Settings

  • Click the Configure Settings link.
  • Make sure the Allow iThemes Security to write to wp-config.php and .htaccess box is enabled. This allows iThemes to write to the wp-config.php and .htaccess files.
  • Midway through the Global Settings section, you’ll see the Lockout White List (see Figure 9) and an empty parameters box on the right. Directly below this box is a blue “Add my current IP to the White List” button. Click it to add your IP.

    Figure 9. Clicking the blue button shown above will keep iThemes from locking out your own site.

404 Detection

  • Click the Enable button.

Banned Users

  • Click the Configure Settings link.
  • Make sure Enable HackRepair.com’s blacklist feature and Enable Ban Lists are both checked.
  • The rest of the Banned Users section lists banned IP addresses. If someone accidentally winds up on one of these lists, you can clear their IP from here.

Note: The Banned Users feature can sometimes cause issues with outside integrations such as plugins, third-party applications, and/or APIs.

Local Brute Force Protection

This is a powerful option. My iThemes installation generated dozens of email notifications warning that a hacker was trying to break into my site using “admin” — and was blocked.

  • Click the Configure Settings link.
  • Enable Automatically ban “admin” user and click Save Settings.

Database Backups

We covered the best backup options above — disable this option in iThemes.

File Change Detection

This task is handled by Wordfence, so there’s no need to change anything here.

File Permissions

  • Click the Configure Settings link.
  • Click Load File Permissions Details to ensure everything is okay. Any files flagged with a warning will need attention; contact your web host for support.
  • Click Close.

Hide Backend

(If you don’t see this item in the list of settings modules, search for it.)

  • Click the Configure Settings link.
  • Check Hide Backend and Enable Redirection.

    Look for the Login Slug section (Figure 10). You should change that to something unique to you — something that can’t be easily guessed. For example, use a common word with alphanumeric characters — for instance: humm1n9b1rD (hummingbird) or Avefav0r1+0 (ave favorito). Make sure to write this down so you don’t forget it.

    Figure 10. Changing the Login Slug will help keep potential attackers out of the WordPress backend.

  • One last point: If your theme or menus have “login” links, you’ll need to get rid of those to make this method effective.

Network Brute Force Protection

  • Click Configure Settings.
  • Make sure Ban Reported IPs is selected and then click Save Settings.

SSL

  • If you have SSL security set up with your web-hosting service, click Enable and configure it for WordPress. Note: If you don’t have SSL, visitors to your site will receive a browser warning that your site is not secure.

System Tweaks

  • Click Enable and then Configure.
  • Select all boxes in this category. But be aware that doing so might cause some conflicts. If problems with the site suddenly pop up, check this area first.

WordPress Tweaks

  • Click Configure Settings.
  • Disable XML-RPC and set Multiple Authentication Attempts per XML-RPC Request to Block (recommended).
  • Set REST API to Restrict Access (recommended).

Be aware this is another group of settings that might cause conflicts.
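
A way to confirm from outside that the Hide Backend, SSL and WordPress Tweaks settings above took effect on your own site. This is an added example, not code from the article or from iThemes; the host name, the probed paths and the response fingerprints of a default WordPress install are assumptions, and the sample responses are constructed.

```python
import http.client
import json

def fetch(host, path, tls=True):
    """GET one path without following redirects: (status, Location, body)."""
    cls = http.client.HTTPSConnection if tls else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "hardening-check"})
        resp = conn.getresponse()
        body = resp.read(1 << 20).decode("utf-8", "replace")
        return resp.status, resp.getheader("Location") or "", body
    finally:
        conn.close()

def xmlrpc_disabled(status, location, body):
    # A live xmlrpc.php answers a plain GET with 405 and this fixed message.
    return status != 405 and "XML-RPC server accepts POST requests only" not in body

def login_hidden(status, location, body):
    # The stock login page is a 200 carrying id="loginform".
    return not (status == 200 and 'id="loginform"' in body)

def rest_users_restricted(status, location, body):
    # An unrestricted REST API hands anonymous callers a JSON array of users.
    try:
        return not (status == 200 and isinstance(json.loads(body), list))
    except ValueError:
        return True

def https_redirect(status, location, body):
    return status in (301, 302, 307, 308) and location.startswith("https://")

CHECKS = [  # (label, path, use TLS, predicate); paths are assumed defaults
    ("XML-RPC disabled", "/xmlrpc.php", True, xmlrpc_disabled),
    ("wp-login.php hidden", "/wp-login.php", True, login_hidden),
    ("REST user list restricted", "/wp-json/wp/v2/users", True, rest_users_restricted),
    ("HTTP redirects to HTTPS", "/", False, https_redirect),
]

def audit(host, fetcher=fetch):
    """Map each check label to True when the setting appears to be in effect."""
    return {label: ok(*fetcher(host, path, tls)) for label, path, tls, ok in CHECKS}

# Constructed responses for a default install, keyed by (path, tls).
UNHARDENED = {
    ("/xmlrpc.php", True): (405, "", "XML-RPC server accepts POST requests only."),
    ("/wp-login.php", True): (200, "", '<form name="loginform" id="loginform">'),
    ("/wp-json/wp/v2/users", True): (200, "", '[{"id": 1, "slug": "admin"}]'),
    ("/", False): (200, "", "<html>home</html>"),
}
```

Run audit() against the site's canonical host name, since a redirect from a non-canonical name would be read as a hidden login page or a disabled endpoint.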

6. A regular security routine: Congratulations! You’ve now locked down WordPress. But that’s not enough — this is not a set-and-forget scenario. Keeping your site safe requires regular attention. Here are four recommended daily tasks:

  • Make sure your most recently scheduled backup completed. If it didn’t, run it again and check for errors.
  • Check for updates and let them install.
  • Delete all spam comments.
  • Keep in mind that both iThemes and Wordfence will be sending you email alerts. Pay attention to what they report and act on any issues immediately.

Questions or comments? Feedback on this article is always welcome in the AskWoody Lounge!

Nathan Segal has been a technical writer for 21 years. His articles have appeared in many popular publications covering technology, photography, and design. His specialties include computer graphics and photography.


Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.


Copyright © 2020 AskWoody LLC, All rights reserved.