Securing Your WordPress Site Against Constant Hacker Attacks

Securing your WordPress site is something you don't think about until it is too late. Most of us set up a WordPress site and hope we never get hacked or pick up a malware infection. A compromise can get your site blacklisted and your email delisted, leaving your site down, invisible to Google, and gone from the internet landscape while your audience or customers wonder what happened.

There are a few things you can do to make sure you have a more secure site. No one can prevent all malicious attacks, as you can see from even the biggest companies getting their systems intruded upon. But for us smaller fish, doing these few things makes sure there are no obvious vulnerabilities.

  • Change your hosting, email, and WordPress passwords frequently and use strong passwords.
  • Login to your WordPress installation at least twice a week to make sure all your plugins are up to date.
  • If you purchased a theme and installed it some way other than through your WordPress installation, you may need to go to the theme's website for upgrades.
  • Hire a service to watch your site and clean it. Sites like Sucuri and WeWatchYourWebsite both can scan and remove malware and protect your site for a yearly fee. A VPS server can be protected by them for about $200 a year.

So what if you are serious about security but you don't have that kind of money? You just started your new site and you need to watch every expense until revenue starts to come in. If this is your situation, I would look at some free plugins that can at the very least offer a small level of protection, malware scanning, and constant file verification. Luckily we have installed all three of our recommended plugins and will give you a review of each of them.

Our 3rd Recommendation is BulletProof Security

WordPress Website Security Protection: Firewall Security, Login Security, Database Security… Effective, Reliable, Easy to use…this system is by far the most comprehensive of the three.

SPECIFICATIONS:

According to their website here are the main benefits of this product;

  • .htaccess Website Security Protection (Firewalls)
  • Login Security & Monitoring
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Backup Logging
  • DB Table Prefix Changer
  • Security Logging
  • HTTP Error Logging
  • FrontEnd|BackEnd Maintenance Mode
  • UI Theme Skin Changer (3 Theme Skins)

INSTALLATION:

The installation of this plugin, like most plugins, is very easy when done inside of WordPress. Where it all changes is after you get it installed and go to the setup. But that is another story for the next section.

SETUP:

This is where this plugin differs from other plugins. It is by far the most difficult to configure. We spent over two hours looking at the configuration, trying different parts of the plugin. While the site did not break, we had some trouble verifying that the system changes we made were actually working. Below is a brief video on the setup of the plugin. This will allow you to see what you are getting yourself into.

A lot of the system is one-click and you can easily configure the most basic of the plugin's features. The more comprehensive parts of the plugin are as follows:

  • The htaccess Core Website Security (Security|Firewalls) allows you to lock down the .htaccess file. But by doing this you may lock other programs out if you later decide to deactivate or uninstall the plugin. The other problem was an issue we had with our CloudFlare CDN module. Those with a little more advanced knowledge of WordPress files will probably have no problem getting around this and will appreciate the more advanced features. But we are all about setting things up ourselves, so we need simple.
  • This also has brute force login security and login tracking. This was also an area where we had some trouble with our CDN.
  • DB backup was pretty straightforward, but there are a lot of other plugins we have installed that do the same thing without much setup.
  • The speed boost cache system was not as easy to set up as we wanted it to be.

While this plugin is the most difficult to configure, it is probably the most secure of the three you can use. So if you understand the setup and configuration methods of this plugin, then this may be the correct choice for you.


Our 2nd Recommendation is Sucuri Security

The Sucuri WordPress Security plugin is a security tool set for integrity monitoring, malware detection and security hardening.

SPECIFICATIONS:

According to their website here are the main benefits of this product;

  1. Security Activity Auditing
  2. File Integrity Monitoring
  3. Remote Malware Scanning
  4. Blacklist Monitoring
  5. Effective Security Hardening
  6. Post-Hack Security Actions
  7. Security Notifications
  8. Website Firewall (add on)

INSTALLATION:

Like almost every plugin installed from within your WordPress admin screen, it is easy and quick. All you need to do is activate it and move to the setup portion of the plugin.

SETUP:

The first thing you will need to do is generate an API key, which uses the email address you have on the account. If you have not set up an account, you will need to do so in order to get the key. Once set up, you get access to the Dashboard where you can set up a firewall (for an additional cost), harden certain elements within your WordPress installation with a single click, change any other settings, see past logins and see site info.

The main tool to use is the Malware Scan, where Sucuri will scan your site, and after a few minutes you will get an all clear or recommendations on what you may need to do to fix your site. To see a brief overview of Sucuri and their plugin, watch the video below:

This plugin is probably one of the easiest to set up, and it is all about security. According to the plugin authors it will not slow down your site, but it does not offer additional caching. Its hardening options allow for additional security peace of mind, and if you want to pay a little more you can upgrade to a pretty heavy duty firewall.


Our 1st Recommendation is WordFence Security

Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.

SPECIFICATIONS:

According to their website here are the main benefits of this product;

Wordfence starts by checking if your site is already infected. We do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.

  • Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.
  • Includes support for other major plugins and themes like WooCommerce.
  • Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
  • Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
  • Includes two-factor authentication, also referred to as cellphone sign-in.
  • Scans for the HeartBleed vulnerability – included in the free scan for all users.
  • Wordfence includes two caching modes for compatibility and has cache management features like the ability to clear the cache and monitor cache usage.
  • Enforce strong passwords among your administrators, publishers and users. Improve login security.
  • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
  • Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
  • Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to network owner.
  • See how files have changed. Optionally repair changed files that are security threats.
  • Scans for signatures of over 44,000 known malware variants that are known security threats.
  • Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
  • Continuously scans for malware and phishing URLs including all URLs on the Google Safe Browsing List in all your comments, posts and files that are security threats.
  • Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
  • Checks the strength of all user and admin passwords to enhance login security.
  • Monitor your DNS security for unauthorized DNS changes.
  • Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
  • Choose whether you want to block or throttle users and robots who break your security rules.
  • Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
  • See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
  • A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you.
  • Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
  • Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
  • Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
  • WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
  • Premium users can also block countries and schedule scans for specific times and a higher frequency.
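The core file integrity check that both Sucuri and Wordfence describe above (hashing each file on disk and comparing it with the official WordPress.org copy) can be reproduced in a short script. This is an added example, not code from either plugin; it assumes a manifest in the shape of the WordPress.org core checksums API, with constructed paths and file contents standing in for real core files.

```python
import hashlib
import os
import tempfile

# Constructed manifest in the shape of the WordPress.org core checksums API
# (https://api.wordpress.org/core/checksums/1.0/?version=...&locale=en_US),
# mapping each core file's relative path to the MD5 of the pristine copy.
SAMPLE_MANIFEST = {
    "index.php": hashlib.md5(b"<?php require 'wp-blog-header.php';\n").hexdigest(),
    "wp-login.php": hashlib.md5(b"<?php // login form\n").hexdigest(),
    "wp-includes/version.php": hashlib.md5(b"<?php $wp_version = 'x.y';\n").hexdigest(),
}

def md5_file(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest):
    """Compare every file under root with the manifest and return three sorted
    lists: 'modified' (hash differs: a tampered core file), 'missing' (listed
    but absent) and 'unknown' (on disk but not in the manifest, which is where
    an extra .php file dropped into a core directory would show up)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = md5_file(full)
    return {
        "modified": sorted(p for p in found if p in manifest and found[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in found),
        "unknown": sorted(p for p in found if p not in manifest),
    }

def demo():
    """Build a throwaway site tree with one tampered, one extra and one absent file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php require 'wp-blog-header.php';\n")      # pristine copy
    with open(os.path.join(root, "wp-login.php"), "wb") as f:
        f.write(b"<?php // login form\n// injected line\n")  # tampered
    with open(os.path.join(root, "wp-includes", "extra.php"), "wb") as f:
        f.write(b"<?php // not in the manifest\n")            # unknown file
    return verify_tree(root, SAMPLE_MANIFEST)  # version.php deliberately absent
```

Running `demo()` reports wp-login.php as modified, wp-includes/version.php as missing and wp-includes/extra.php as unknown; against a real site you would fetch the manifest for your installed version and point `verify_tree` at the WordPress root.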

INSTALLATION:

Again this is an easy setup and should be no problem for you to install within your WordPress installation.

SETUP:

Once installed, you can activate the plugin and away you go. The first thing to do is go to the WordFence tab and click on the Options menu item. From there, make sure every scan you want run is checked under the Scans to include heading.

Next, take a look at the Live Traffic menu item. From here you can see live traffic stats, unless you have the Falcon caching engine enabled. But at the very least you can see login and logout attempts. This is interesting, as you may see a lot of failed logins using your Admin credentials.

Under Performance Setup you can enable caching and supposedly make your site up to 50 times faster using the Falcon engine. We have been testing this and so far do not have enough data to form an opinion on this claim.

From there you can choose some of the other menu items to further configure your plugin. When you're done, go to the SCAN menu item and perform a scan of your site. This scan is different from the other two plugins above because you can actually see what is going on while it is scanning. When done, you will get some recommendations on how to fix any problems as well as a pretty comprehensive way to fix them.

So if you are serious about securing your WordPress site, you need to look at at least one of these plugins to make sure your website is protected. All three are good options to give you some peace of mind that while you are sleeping someone is looking out for your site and all the hard work you put into it.

It's important to secure your site today! So what other WordPress security measures do you think work well?