WordPress security services are an essential component of site management. A WordPress security expert can quickly implement protocols that harden your site. This is an issue that must be taken seriously: there are over 75 million WordPress websites out there, so devising a successful hack opens up a world of opportunities for bad actors. If your site is not secure, they will eventually find you and gain access.
The WordPress security landscape
Whilst you can expect determined and sophisticated hacking attempts directed against your WordPress sites, there are numerous preventive measures that ensure the integrity of your site will be maintained.
These hacking efforts run the whole gamut of attack variations:
- Blackhole Exploit Kit attacks
- SQL Injection attempts
- Brute Force Login & Password access efforts
- Link Injection and phishing attacks, where links to bank-fraud pages are planted in your content
- DDoS – distributed denial of service attacks, where thousands of computers simultaneously hit your site with multiple requests in order to bring it down
Many attacks are initiated in China, Russia, Poland, Iran, North Korea, Turkey and Indonesia. Many are initiated by unscrupulous competitors renting bad actors on the Dark Web. Generally speaking, a few minutes of preemptive effort is enough to minimise the potential threat!
In other words, an ounce of prevention is better than a pound of cure!
WordPress Security Plugins
Security best practices urge properly implemented security plugins that will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to access the internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money…
There are multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. Those that I have direct personal experience with are:
- Limit Login Reloaded – excellent brute force login security
- Block Bad Queries – fast web application firewall (WAF) that does not intrude into other activities – such as Management Consoles
- Block Bad Bots – reduces the impact on server resources by rogue bots and thwarts many spambots too.
- Disable XML-RPC – this is a component that most business websites don’t need
- Disable REST API – except for logged-in users
- Cloudflare CDN – using Cloudflare greatly enhances site security, protecting against brute force attacks, cross-site script injection threats and DDoS attacks.
- SSL Certificates – forcing encrypted traffic via HTTPS
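Three of the controls in the list above (limiting login attempts, disabling XML-RPC, and restricting the REST API to logged-in users) can also be implemented without a plugin, using WordPress’s own hooks. The following must-use plugin is an added example written for this page; it is not code from any of the plugins named, and the attempt counts, time windows and transient key names are assumptions you should adjust for your site.

```php
<?php
/**
 * Plugin Name: Minimal hardening (added example, not the page's or any plugin's code)
 * Description: Disables XML-RPC, restricts the REST API to logged-in users and
 *              rate-limits failed logins per client IP. Save as
 *              wp-content/mu-plugins/minimal-hardening.php; must-use plugins load
 *              automatically and cannot be switched off from the dashboard.
 */

// Refuse to run if the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/* 1. XML-RPC: most business sites never use it, and its endpoint is a favourite
 *    of automated login scripts. The filter makes every XML-RPC call return a
 *    "disabled" fault; removing the header and <link> stops advertising it. */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

/* 2. REST API: only authenticated users. Returning a WP_Error from this filter
 *    makes the API answer with that error instead of serving the route. Front-end
 *    features that anonymous visitors use through the REST API (some contact
 *    forms, for example) will stop working, so test on staging first. */
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( null !== $result ) {
        return $result; // another callback already decided (error or success)
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );

/* 3. Login rate limiting with transients (no extra tables). After MH_MAX_ATTEMPTS
 *    failures from one IP inside MH_WINDOW seconds, logins from that IP are
 *    refused for MH_LOCKOUT seconds. The numbers are assumptions; tune them. */
const MH_MAX_ATTEMPTS = 5;
const MH_WINDOW       = 900;   // 15 minutes
const MH_LOCKOUT      = 3600;  // 1 hour

function mh_client_ip() {
    // Only trust REMOTE_ADDR. Behind Cloudflare or another proxy, have the web
    // server restore the real client address (mod_remoteip, ngx_http_realip);
    // reading X-Forwarded-For here would let a client choose its own identity.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function mh_key( $suffix ) {
    return 'mh_login_' . md5( mh_client_ip() ) . $suffix;
}

// Count each failure; the counter expires by itself after MH_WINDOW seconds.
add_action( 'wp_login_failed', function () {
    if ( get_transient( mh_key( '_lock' ) ) ) {
        return; // already locked; do not extend the lock on every retry
    }
    $count = (int) get_transient( mh_key( '' ) ) + 1;
    if ( $count >= MH_MAX_ATTEMPTS ) {
        set_transient( mh_key( '_lock' ), time() + MH_LOCKOUT, MH_LOCKOUT );
        delete_transient( mh_key( '' ) );
        error_log( 'Login lockout for ' . mh_client_ip() ); // shows up in the PHP error log
    } else {
        set_transient( mh_key( '' ), $count, MH_WINDOW );
    }
} );

// Refuse logins while locked. Priority 30 runs after core's own password check
// (priority 20), so this verdict is the one the login form reports.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = (int) get_transient( mh_key( '_lock' ) );
    if ( $until > time() ) {
        $minutes = max( 1, (int) ceil( ( $until - time() ) / 60 ) );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.', $minutes )
        );
    }
    return $user;
}, 30, 3 );
```

Transients live in the options table unless a persistent object cache is configured, so on a busy site the login counters are cheaper with Redis or Memcached in place. The lockout is keyed on the client address only; if the site sits behind a CDN, the web server must be configured to restore the visitor’s real address or every visitor will share one counter.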
Wordfence & Sucuri
In the quest to ensure the best possible website performance and minimal server resource use, I prefer to use several small “lightweight” WordPress security apps across every WordPress site I manage.
However, on all recent hacked sites I am asked to assist with, I install Wordfence and/or Sucuri to remove malware & repair attack damage and sort out the chaos. Once the site is sanitised, I replace the “heavyweight” plugins.
I’ve used Wordfence on many websites over a number of years… It has grown into a behemoth with a much more complicated interface than previously. Whilst it is very robust, many people don’t ever find all the crucial areas that need settings adjusted. Because of that, it’s not uncommon for me to get asked to “un-hack” sites that the owner thought were well-protected with Wordfence…
When Wordfence is correctly configured, it is going to defeat the most determined hacking efforts! It can be configured to provide email warnings of a variety of threats, including:
- Alert on critical problems
- Alert on warnings
- Alert when an IP address is blocked
- Alert when someone is locked out from login
- Alert when the “lost password” form is used for a valid user
- Alert me when someone with administrator access signs in
- Alert me when a non-admin user signs in
Other important aspects include:
- Enable automatic scheduled scans
- Scan core files against repository versions for changes
- Scan for signatures of known malicious code in files
- Scan file contents for backdoors, trojans and suspicious code
- Scan posts for known dangerous URLs and suspicious content
- Scan comments for known dangerous URLs and suspicious content
- Scan for out-of-date plugins, themes and WordPress versions
- Check the strength of user credentials with emphasis on strong passwords
- Monitor disk space
- Scan for unauthorized DNS changes
- Scan files outside your WordPress installation
- Enforce secure passwords
- Secure the wp-config.php file
The fast alerts on the slightest hint of a problem are comforting. I especially like the “Scan core files/plugins/themes against repository” function!!! If a file changes or an extra one appears, the alarm bells start ringing!
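The core-file comparison praised above works by checking every file in the installation against the checksums published for that release. The script below is an added example of that idea, written for this page; it is not Wordfence’s code. In real use the expected checksums would come from https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US, the same source wp-cli’s “wp core verify-checksums” reads; the demo instead builds a constructed checksum map and a temporary three-file directory so that it runs offline, and the file names and contents it uses are made up for the demonstration.

```php
<?php
// Added example (not Wordfence's or the page's code) of "scan core files against
// repository versions": compare every file on disk with a map of expected MD5
// checksums and report what differs. The demo below uses a constructed map and a
// temporary directory; a real scan would fetch the map for the installed version.

function integrity_scan( string $root, array $expected ): array {
    $report = array( 'modified' => array(), 'missing' => array(), 'unexpected' => array() );
    $root   = rtrim( $root, '/' );
    $seen   = array();

    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = str_replace( DIRECTORY_SEPARATOR, '/', substr( $file->getPathname(), strlen( $root ) + 1 ) );
        $seen[ $rel ] = true;
        if ( isset( $expected[ $rel ] ) ) {
            if ( md5_file( $file->getPathname() ) !== $expected[ $rel ] ) {
                $report['modified'][] = $rel;   // content differs from the release
            }
        } elseif ( $rel !== 'wp-config.php' && strpos( $rel, 'wp-content/' ) !== 0 ) {
            // wp-config.php and wp-content/ are site-specific and never in the map;
            // any other file that is not listed has no business being in core.
            $report['unexpected'][] = $rel;
        }
    }
    foreach ( array_keys( $expected ) as $rel ) {
        if ( ! isset( $seen[ $rel ] ) ) {
            $report['missing'][] = $rel;       // a release file has been removed
        }
    }
    foreach ( $report as &$list ) {
        sort( $list );
    }
    unset( $list );
    return $report;
}

// Demo: a three-file "installation" with one file altered, one deleted and one
// added, the three kinds of change a tampered site typically shows.
if ( PHP_SAPI === 'cli' ) {
    $root = sys_get_temp_dir() . '/integrity-demo-' . bin2hex( random_bytes( 4 ) );
    mkdir( $root . '/wp-includes', 0700, true );

    $pristine = array(   // constructed stand-ins for release files
        'index.php'               => "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        'wp-blog-header.php'      => "<?php\n// loads the WordPress environment\n",
        'wp-includes/version.php' => "<?php\n\$wp_version = '0.0-demo';\n",
    );
    $expected = array();
    foreach ( $pristine as $rel => $body ) {
        file_put_contents( "$root/$rel", $body );
        $expected[ $rel ] = md5( $body );
    }

    file_put_contents( "$root/index.php", $pristine['index.php'] . "// one extra line\n" );
    unlink( "$root/wp-blog-header.php" );
    file_put_contents( "$root/wp-includes/.cache.php", "<?php // not part of any release\n" );

    print_r( integrity_scan( $root, $expected ) );

    // Tidy up the temporary tree.
    foreach ( array( 'index.php', 'wp-includes/.cache.php', 'wp-includes/version.php' ) as $rel ) {
        unlink( "$root/$rel" );
    }
    rmdir( "$root/wp-includes" );
    rmdir( $root );
}
```

Run it from the command line with php and the report lists index.php as modified, wp-blog-header.php as missing and wp-includes/.cache.php as unexpected. Dotfiles are deliberately not skipped, because a file hidden that way inside a core directory is exactly what a scan should surface; wp-content/ is excluded only because its contents are site-specific, and plugins and themes need their own checksum source.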
The plugins outlined above are designed to solve the particular security issues on your WordPress website. They provide a known base from which to start your countermeasures. Secure WordPress hosting usually includes daily file scans for phishing and malware, plus checks for out-of-date software.
Securing your website
There are several basic elements that need to be addressed as part of any recommendations on WordPress security services.
Secure User ID
The default WP User ID is “admin” and you should NOT use that on your site. Doing so immediately means half of the “site access equation” is known, and all that’s required is the password! That’s pretty reckless in this day and age…
A secure User ID ought to be a minimum of 10 to 12 characters containing a mix of upper and lower case letters, including numeric and/or special characters and no recognisable words, e.g. Tgp#1BzsB4Fc
In addition, you should then assign a different User Account “nickname” so that there is no clue as to the Admin identity if you inadvertently use the account to publish any pages or posts! Ideally, you should publish the pages and posts from an “Editor” level account…
Securing your passwords
Most people foolishly use a password related to their life in some guessable way: phone numbers, wife’s name, child’s name, dog’s name etc. A little bit of research and a bit of trial and error on the part of a smart hacker or competitor, and your site is wide open! Common sense security measures insist that protecting your website with a strong password is essential. If you can remember it, then it’s definitely a weak password!
There are several websites specialising in secure password generation…
USE one of them as part of ensuring your username and password are impregnable!
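Both the user-ID rules above and the password advice come down to the same two operations: generate a string that is guaranteed to mix the required character classes, and check any candidate against those rules. The script below is an added example for this page, not the author’s tool and not one of the password-generation websites mentioned; the word list it checks against is a constructed handful, and a real check would load a full dictionary. One caveat worth knowing: WordPress’s strict username sanitisation keeps only letters, digits, space, “_”, “-”, “.” and “@”, so the user-ID generator here limits its special characters to those.

```php
<?php
// Added example (not the page's code): generate credentials of the kind described
// above and check any candidate against the same rules. Uses random_int(), PHP's
// CSPRNG; rand() and mt_rand() are predictable and unsuitable for this.

// Character classes. WordPress usernames (strict sanitisation) allow only letters,
// digits, space, "_", "-", "." and "@", so user-ID specials are limited to those;
// passwords may use any printable ASCII special character.
const CRED_UPPER        = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
const CRED_LOWER        = 'abcdefghijklmnopqrstuvwxyz';
const CRED_DIGITS       = '0123456789';
const CRED_USER_SPECIAL = '_-.@';
const CRED_PASS_SPECIAL = '!#$%&()*+,-./:;<=>?@[]^_{|}~';

// One uniformly chosen character from $alphabet.
function cred_pick( string $alphabet ): string {
    return $alphabet[ random_int( 0, strlen( $alphabet ) - 1 ) ];
}

// Build $length characters containing at least one from every class in
// $classes, then shuffle so the guaranteed characters are not in fixed positions.
function cred_generate( int $length, array $classes ): string {
    if ( $length < count( $classes ) ) {
        throw new InvalidArgumentException( 'length too short for the requested classes' );
    }
    $chars = array();
    foreach ( $classes as $class ) {
        $chars[] = cred_pick( $class );      // guarantee class coverage
    }
    $all = implode( '', $classes );
    while ( count( $chars ) < $length ) {
        $chars[] = cred_pick( $all );        // fill the rest from the union
    }
    // Fisher-Yates shuffle driven by the CSPRNG (PHP's shuffle() is not).
    for ( $i = count( $chars ) - 1; $i > 0; $i-- ) {
        $j = random_int( 0, $i );
        [ $chars[ $i ], $chars[ $j ] ] = [ $chars[ $j ], $chars[ $i ] ];
    }
    return implode( '', $chars );
}

function cred_generate_user_id( int $length = 12 ): string {
    return cred_generate( $length, array( CRED_UPPER, CRED_LOWER, CRED_DIGITS, CRED_USER_SPECIAL ) );
}

function cred_generate_password( int $length = 20 ): string {
    return cred_generate( $length, array( CRED_UPPER, CRED_LOWER, CRED_DIGITS, CRED_PASS_SPECIAL ) );
}

// Return the list of rule violations; an empty list means the candidate passes.
// $words is the dictionary of recognisable words to reject.
function cred_check( string $candidate, int $min_length, array $words ): array {
    $problems = array();
    if ( strlen( $candidate ) < $min_length ) {
        $problems[] = "shorter than $min_length characters";
    }
    if ( ! preg_match( '/[A-Z]/', $candidate ) ) {
        $problems[] = 'no upper-case letter';
    }
    if ( ! preg_match( '/[a-z]/', $candidate ) ) {
        $problems[] = 'no lower-case letter';
    }
    if ( ! preg_match( '/[0-9]/', $candidate ) && ! preg_match( '/[^A-Za-z0-9]/', $candidate ) ) {
        $problems[] = 'no digit or special character';
    }
    $lower = strtolower( $candidate );
    foreach ( $words as $word ) {
        if ( strlen( $word ) >= 4 && strpos( $lower, strtolower( $word ) ) !== false ) {
            $problems[] = "contains the word \"$word\"";
        }
    }
    if ( preg_match( '/(.)\1{2,}/', $candidate ) ) {
        $problems[] = 'three identical characters in a row';
    }
    return $problems;
}

// Demo when run from the command line: two generated values and two weak ones.
if ( PHP_SAPI === 'cli' ) {
    $dictionary = array( 'admin', 'password', 'fluffy', 'wordpress', 'secret' ); // constructed
    foreach ( array( cred_generate_user_id(), cred_generate_password(), 'Fluffy2019', 'admin' ) as $c ) {
        $p = cred_check( $c, 12, $dictionary );
        printf( "%-22s %s\n", $c, $p ? implode( '; ', $p ) : 'passes' );
    }
}
```

Generated values are meant to be stored in a password manager, not memorised; the checker is the part worth reusing, for instance in a registration hook that rejects weak passwords before they reach the database.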
Spam comments, bogus registrations and trackbacks contribute negatively to your website’s online profile. Eliminate the majority of potential issues by using the inbuilt automation options:
- Don’t allow registration unless it’s absolutely necessary!
- Don’t allow comments on pages
- Close comments on posts after 2 – 4 weeks
- Don’t allow trackbacks/pingbacks on posts
- Disable XML-RPC – if you don’t know what it does, you don’t need it…
Installing and configuring the Zero Spam plugin is not at all difficult and it effectively screens out the worst of the remaining garbage!
I use Cleantalk on sites that get a lot of spam post attempts.
Protect your WordPress plugins and themes
It’s extremely important to diligently maintain the WordPress core, themes and plugin applications. When a security breach or flaw occurs, fixes are put in place, but word of the potential exploit quickly circulates among the hacking community. Hackers immediately start looking for sites that are at risk, and target them!
A ‘once a week’ login to your Admin area should be a standard task, in order to check whether there are upgrades available. Install any upgrades immediately! Having a plugin like Wordfence installed ensures you are notified as soon as the core, a plugin or a theme has upgrades available. Updates often incorporate patches for security vulnerabilities.
WordPress themes and plugins now have an “Enable Auto Updates” option – activate it!
Make sure your version of WP is always current by turning auto-updates on.
Themes can also be auto-updated: this can be problematic on themes like Avada, even (or especially) where a child theme is used.
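The dashboard toggles are per item, but the same switches can be set centrally so that every plugin and theme updates automatically except the ones you want to test first. The must-use plugin below is an added example written for this page, not the author’s configuration; the hold list is hypothetical and uses the theme directory name, with “Avada” included only because the text names it as a troublesome case.

```php
<?php
/**
 * Plugin Name: Selective auto-updates (added example, not the page's code)
 * Description: Turns on automatic updates for core (major releases included),
 *              all plugins and all themes except those put on hold below.
 *              Save as wp-content/mu-plugins/selective-auto-updates.php.
 */
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Themes to keep on manual updates, by directory name (stylesheet slug).
// Hypothetical list; 'Avada' is the theme the text names as a troublesome case.
const SAU_HOLD_THEMES = array( 'Avada' );

// Core: minor and security releases auto-apply by default; this opts in to majors too.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: always update. A filter result overrides the per-plugin toggle on the
// Plugins screen, which then shows the updates as enabled by the site.
add_filter( 'auto_update_plugin', '__return_true' );

// Themes: update unless the theme is on hold. $item is the update offer and
// $item->theme its stylesheet slug.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, SAU_HOLD_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Keep the result e-mails on so that a failed update is noticed the same day.
add_filter( 'auto_core_update_send_email', '__return_true' );
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

Automatic updates run from WP-Cron, so on a low-traffic site they fire only when someone visits; a real system cron calling wp-cron.php on a schedule makes them dependable. A held theme still shows up in the update list and in the Wordfence alerts described above, so holding it is a reminder to test, not permission to forget.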
Having an automated monthly backup process scheduled, with off-server storage, makes sound business risk management sense.
The best backup available is Updraftplus. I use the premium version on all sites I manage.
- Schedule regular backups – Database daily with 7 rotating, Files weekly with 2 rotating
- Upload them to cloud storage (Dropbox, OneDrive etc.)
How to deal with hacking
Don’t panic, because it absolutely won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in:
- No WordPress security implemented at all
- Out-of-date or vulnerable Plugins or Themes
- Weak passwords
- Use of “admin” as the Administrator User ID
The first indication may be:
- an email from Fraudwatch requesting you delete the offending content
- a warning from your hosting company that the site is compromised and in danger of being shut down
- a tip from a friend or client that Google is displaying malware or virus warnings about your website
These days, it’s rare to have an overt, immediately obvious hacking occur. It’s more often an out-of-sight, deeply planted problem that the hacker hopes won’t be discovered for weeks or months.
Dealing with the problem is explained by a WordPress security expert on the How to deal with WordPress Hacking page.
WordPress security is a crucial element of website operation. Getting hacked can destroy your search engine traffic and reputation.
- Avoiding the problem is not particularly difficult.
- Eliminating a site breach is usually straightforward.
If you need Technical Support to secure WordPress, please use the form below to get in touch.
The SEO Guy provides a comprehensive annual Website Management Plan that addresses all of the issues covered in this article, for a very modest annual cost.
Last Updated 4 weeks ago by Ben Kemp