Have you ever had your WordPress website hacked? Don’t worry if you have, it doesn’t say anything negative about you. WordPress is a big target because tens of millions of individuals and businesses depend on WP to power their website. Until recently I have never had a client whose site was hacked. Just a couple of weeks prior to the writing of this post that changed. In my defense I actually had recently inherited development of the site from another company but I should have immediately called their attention to the missing security.
Securing WordPress isn’t really that difficult to do. The best time to take measures is before you are hacked. In this post I’m going to tell you about two plugins that you can use (and there are others) to help defend your website. One of them I use regularly and personally and the other I have used at client request. Either one seems to work well so do your own research and make your own selection. I will begin with the one I use personally and recommend most often.
Using WordFence to Secure WordPress
My preference is a plugin called Wordfence. To install it simply go to Plugins > Add New then search for Wordfence. You can also download it from the site and install it as a zip file using the Upload Plugin feature at the top of the Add New plugins page.
For the most part, you will be fine with the default settings. Just make sure when you activate Wordfence you input your email address in the popup window so you will receive notifications and alerts from the plugin about issues which need to be addressed. Let me add here that you should strongly consider adding the Premium Upgrade (currently shows at $59 per year) for the added functions, though all I will write about here are the free functions.
Scan you site immediately. Here are the results from a scan I did with a free version earlier today:
[Jul 05 09:03:29]Preparing a new scan. Done.
[Jul 05 09:03:29]Remote scan of public facing site only available to paid members Paid Members Only
[Jul 05 09:03:31]Check if your site is being Spamvertized is for paid members only Paid Members Only
[Jul 05 09:03:33]Checking if your IP is generating spam is for paid members only Paid Members Only
[Jul 05 09:03:35]Checking if your site is on the Google Safe Browsing list is for paid members only Paid Members Only
[Jul 05 09:03:37]Scanning your site for the HeartBleed vulnerability Secure.
[Jul 05 09:03:38]Fetching core, theme and plugin file signatures from Wordfence Success.
[Jul 05 09:03:39]Fetching list of known malware files from Wordfence Success.
[Jul 05 09:03:40]Comparing core WordPress files against originals in repository Problems found.
[Jul 05 09:03:40]Comparing open source themes against WordPress.org originals Secure.
[Jul 05 09:03:40]Comparing plugins against WordPress.org originals Problems found.
[Jul 05 09:03:40]Scanning for known malware files Secure.
[Jul 05 09:04:14]Check for publicly accessible configuration files, backup files and logs Secure.
[Jul 05 09:04:14]Scanning file contents for infections and vulnerabilities Secure.
[Jul 05 09:04:14]Scanning files for URLs in Google's Safe Browsing List Secure.
[Jul 05 09:06:12]Scanning posts for URLs in Google's Safe Browsing List Secure.
[Jul 05 09:06:14]Scanning comments for URLs in Google's Safe Browsing List Secure.
[Jul 05 09:06:14]Scanning for weak passwords Secure.
[Jul 05 09:06:17]Scanning DNS for unauthorized changes Secure.
[Jul 05 09:06:17]Scanning to check available disk space Secure.
[Jul 05 09:06:17]Scanning for old themes, plugins and core files Secure.
[Jul 05 09:06:17]Scanning for admin users not created through WordPress Secure.
[Jul 05 09:06:18]Scan complete. You have 3 new issues to fix. See below. Scan Complete.
You can likely already see the value of this scan. Had there been any issues which needed to be addressed the system would have indicated as you see in the “Scan Complete” line. The actual reports are in color and give visual clues to help you see urgent issues. As issues are discovered, the system will give you clues and assistance in making the necessary corrections. You also see the “Paid Members Only” items. Those can be very critical to your overall success so do consider upgrading.
One important setting is the Firewall setting. Wordfence can take care of this automatically if your .htaccess file is writable. If you don’t know what this means or if you don’t know how to take care of this, it falls under my $35 service – plus I will make sure your settings are good on your Wordfence install. The firewall keeps the contents of your directory separated from other websites hosted on your server. There can be as many as thousands of other websites hosted on your server and many infections can jump to any site hosted on that server. One of note is Darkleech which quickly infects all WordPress sites on the same server.
Make sure you allow Wordfence to update itself. This helps you stay closer to the current technology which can infect your site. Also make sure you pay attention to the email notifications you receive from Wordfence – they can be very important. There are many other features of Wordfence but, in the interest of time, I’ll leave them for another blog post.
The Other Plugin Is Sucuri
Another option is Sucuri. They are well known in the field as well with about 1/5th the number of users as Wordfence but still a noteworthy solution. They offer similar services and an online scan that *may* find an infection.