WordPress Security: Keeping your WordPress Website Secure

WordPress Security should be a part of the website development process

With every web development project we undertake, we include WordPress Security as a key deliverable. Here is why …

Nobody wants to wake up to find that their website had been hacked overnight. WordPress security is often not something that businesses consider when setting up their website.

A hacked WordPress website can cause damage to the reputation of your business to your clients.

Why was MY website hacked?

Everyone who has been hacked has probably asked this question. Rule #1, do not take it as a personal attack against you.

There are a variety of reasons why your website was hacked.

• WordPress required an update
• WordPress themes or plugins required an update
• A user used a weak password for their account
• A vulnerability with your hosting provider

More than 50% of hacked WordPress websites were the cause of outdated core files, themes or plugins. Roughly 40% of hacked websites were due to hosting provider vulnerabilities with about 10% being from weak user passwords.

What are some signs my WordPress Website has been Hacked?

One of the most prominent methods that people are notified that their WordPress website has been hacked is when they try to visit their website and they are greeted with a big Warning or Error screen from their browser saying access to their website has been blocked.

A second method is if you noticed strange sub-folders or directories showing up. Something like http://example.com/jkhjfhfd.

Yet another method is when you see a long string of characters in the header section of every page. This is usually a trigger to Google to block your site but sometimes you get through and can see the horrible code presenting itself.

If any of these situations exists for you at the moment, your WordPress website has been compromised. It is time to take action and address WordPress Security as an important investment for your business. You should read our article Help – My WordPress Website was Hacked – Click Here!! before continuing on with the rest of this article.

Securing Your WordPress Website

In most cases, I would provide code based solutions to implement. But for this topic, the plugins available are powerful and take the pain out of making WordPress secure.

The most effective way to keep WordPress secure is with a WordPress Security plugin.

WebARX

WebARX is a website security and monitoring platform that helps freelancers, digital agencies and website owners protect and monitor every website on a single dashboard. We wrote about our personal experience using WebARX in this article; WebARX Website Security & Monitoring Platform.

If you care about your business and your customers’ businesses, you need protection from hackers. For this you need to have a complete overview of your websites, first line of defense and an intelligence system that will let you know when there’s a risk and how to eliminate it in time.

WebARX will monitor uptime, site speed, defacement (and hacking databases), blacklists, software vulnerabilities, domain expiration, site errors and much more. It even allows you to set up alerts for all of them via E-mail or Slack.

Not only does WebARX analyze over 3000 website hacking incidents per day and provide that info to national CERTs (Computer Emergency Response Teams) around Europe, they also use the same data to update the firewall on your website in real-time.

You get a 14-day, free trial when you register. After that, the basic service is $39 per month. They have more expensive packages that increase the number of websites you can monitor and the level of support you receive.

iThemes Security

On this website, we use the iThemes Security plugin. Once installed, it has a wizard for quickly securing a WordPress website. It protects against Malware and a variety of common hacks known to the WordPress Security community.

iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress. One of the most used features, and most valuable from our perspective, is its ability to automatically block users that make an attempt to attack our website with brute force. We have been very happy so far.

They offer both a free and a paid version of their plugin.

Wordfence Security – Firewall & Malware Scan

Our WordPress Security team has had good comments about this plugin. They use what they term a “Threat Defense Feed” that keeps the plugin up to date with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe.

This is a very powerful security plug-in. For me, it was not as intuitive but I understand they have updated their User Interface and it provides a much richer and informative picture of your website WordPress Security situation.

WordFence also offers a free version and a premium (paid) version of their plugin.

Sucuri Security – Auditing, Malware Scanner and Security Hardening

Sucuri is a major player in the web security community, not only WordPress Security. So it is no surprise they offer a robust security plug-in for the WordPress platform. Thee number of features and options offered can be a little over whelming. But this is a serious WordPress Security solution that does a great job of keeping WordPress secure.

They also offer an online service that reports on common threats for WordPress as they are discovered.

Additional Steps to Keep WordPress Secure

Good website security is always accompanied by good preventative security measures.
It is my opinion that any website owner should expect to be hacked, and therefore take the necessary steps to guard against such an event. There are a few steps you can take to prevent an attack. The WordPress Security plugins above come with some of this functionality included to assist you.

Another good security policy is to configure layers of protection for your website. A layer of security worth serious consideration is a website firewall. You can learn more from our post Why you Should use a Website Firewall.

Scan Your Website Now

The first scanner I tried is WPSCAN. (https://wpscans.com) They have a website that lets you scan 1 website to determine the level of security deployed. It should return results that identify potential security issues with your WordPress website. I ran it on my website with the Security plugin active and I was getting an error telling me the website was not a WordPress website. So the security plugin must have been doing its job properly.

The next scanner I tried is from Sucuri at https://sitecheck.sucuri.net/. I liked this scanner as it provided a more complete picture on my WordPress Security situation. What I really liked was they did a lookup at a number of places to make sure my website was not blacklisted. Sucuri also provided me with feedback on the WordPress Security elements that are not implemented and probably should be.

Backups

Take frequent backups of the files and database and keep them in a safe place. That way, if you ever have a security issue, you are only a day or so behind with your websites content.

Keep Activity logs

Monitor the activity of visitors and users. See who is logging in, activating/updating plugins, etc.

As I mentioned, the WordPress Security plugins above handle some of these tasks nicely as well.

Other Helpful WordPress Security Resources

• The Ultimate WordPress Security Guide – Step by Step (2018)
• Hardening WordPress
• An Introduction to WordPress Security

Best of success in keeping WordPress Secure.

Conclusion

Pick a WordPress Security plugin and give it a try. Don’t deliberate too much on this. All three are considered good choices and extremely helpful to keeping WordPress Secure.
You should be able to sleep well at night now knowing one of these tools is helping to protect your online assets.

Would you like us to help make your WordPress Website Secure? Let us know how to reach you and we will help you.