Tips on how to secure a WordPress site from getting hacked, including recommended security plugins.
WordPress is a frequent target for hacking. Hackers are targeting the theme, the core WordPress files, plugins and even the login page. These are the steps to take to make it less likely to be hacked and to be able to recover easier if it should still happen.
How Hackers Attack WordPress
All sites on the web are under constant attack, whether it’s a phpBB forum or a WordPress site, all sites are being probed by hackers. It’s not unusual for a hacker to scan thousands of pages or try to login in hundreds of times a day.
And that’s just one hacker. Sites are under attack by several hackers at the same time.
Typically it’s not a person who is trying to hack you. Hackers employ automated software to crawl the web to probe for specific weaknesses in website.
These automated software programs crawling the web are called bots. I call them hacker bots in order to distinguish them from scraper bots (software that is trying to copy content).
Protect Your WordPress Site with a Firewall
A firewall is a software program that blocks an intruder. In my opinion, the best WordPress firewall is a plugin called Wordfence.
What Wordfence does is to check if a website visitor’s behavior matches that of an abusive bot. If the bot breaks certain rules, like asking for too many web pages in a short amount of time, Wordfence will then automatically block the bot.
Wordfence is also programmed to allow legitimate bots like Google and Bing on the site.
There are advanced features that let a publisher see what bots are attacking a site and to view where the bot is coming from, like if it’s bad bot coming from Amazon Web Services or Bluehost for example. Wordfence provides the publisher the ability to block the bot by their IP address, the entire IP address range or even by a fake browser user agent that the bot is using.
About User Agents (UA)
A user agent is identifying information that a browser sends that tells a website what browser it is (Chrome, Firefox, Vivaldi), and what operating system it is operating on (Windows 10, Mac OS X).
For example, this is a user agent string for a Safari 11 browser on a Mac OS X computer:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1.2 Safari/605.1.15
Bots use a lot of different user agents in order to fool websites and sneak in. For example, some bots pretend to be a browser on Windows XP.
The actual amount of real users on Win XP are close to zero, I can create a rule with Wordfence to block all user agents with Windows XP as the operating system and with that one rule I can block thousands of bad bots, regardless of what country they are coming from or IP address.
The bad bots will sometimes respond by changing to another user agent, so by combining these rules, a publisher stands a chance of blocking a wide range of bad hacker bots.
And that’s with the free version of Wordfence.
The paid version can block entire countries. So if you don’t have legitimate site visitors from certain countries, you can block every visitor that’s coming from those countries.
WordPress Defense Against Exploits
Additionally, the paid version of Wordfence will protect you in advance from many compromised themes and plugins before those plugins are fixed.
Once Wordfence researchers are aware of an exploit they will update the premium version of the firewall to provide subscribers with protection from those exploits, sometimes weeks before the exploit is fixed by the compromised theme or plugin developer.
Website Security Hardening
Another free plugin that provides an additional layer of protection is called, Sucuri Security. Sucuri (owned by GoDaddy) helps harden the WordPress security to block bad bots from taking advantage of certain kinds of attacks. It also has a malware scanning feature that checks all files to see if they’ve been altered.
Sucuri will alert you every time someone logs into your site, helping publishers to identify if a hacker is logging in. Sucuri can also alert a publisher if a file was changed, something that hackers do.
These are the features of the free version of Sucuri:
“Security Activity Auditing
File Integrity Monitoring
Remote Malware Scanning
Effective Security Hardening
Post-Hack Security Actions
The paid version of Sucuri includes a website firewall.
Limit Logins to Your Site
WordFence is able to block bots that are repeatedly filling in user names and passwords in the WordPress login page.
But if you want to focus on limiting those logins, there is a plugin called, Limit Login Attempts Reloaded that allows publishers to automatically block all hackers who enter a set number of failed name and password combinations. For example, you can set it to block hackers after three attempts to guess the password.
These are the features of the login blocker:
- “Limit the number of retry attempts when logging in (per each IP). This is fully customizable.
- Informs the user about the remaining retries or lockout time on the login page.
- Optional logging and optional email notification.
- It is possible to whitelist/blacklist IPs and Usernames.
- Sucuri Website Firewall compatibility.
- XMLRPC gateway protection.
- Woocommerce login page protection.
- Multi-site compatibility with extra MU settings.
- GDPR compliant. With this feature turned on, all logged IPs get obfuscated (md5-hashed).
- Custom IP origins support (Cloudflare, Sucuri, etc.)”
The Limit Login Reloaded plugin provides a fast way to shut down hack bots that are trying to guess a password.
Backup Your WordPress Site
It is important to automatically create a daily backup of your website. Any catastrophic event that takes the site down can be recovered from with a backup.
There are many backup solutions but the one that I have found to be immensely useful is called UpdraftPlus WordPress Backup Plugin. UpdraftPlus is trusted by over two million users, it’s a well regarded choice.
It can be configured to email the backups every day or send them to a cloud storage location like Dropbox.
I once accidentally removed all the theme layout files from a site, completely removed the look of the site. But I was able to restore the site to exactly how it was before by using an UpdraftPlus backup. It was easy to do and I was so thankful.
Update all Themes and Plugins
It’s important to always update all themes and plugins. WordPress provides a way to update all plugins automatically, which is convenient for publishers or businesses who don’t log in and do updates often.
By enabling the autoupdate feature a publisher can be assured of having the most up to date software. Having an out of date plugin is one of the leading causes of being hacked.
There are reasons not to enable the autoupdate feature, but the negatives tend to happen rarely. For example, an updated plugin might be incompatible with other plugins.
But for sites that don’t change frequently, the autoupdate feature is probably a good thing to enable.
Beware of Abandoned Plugins
A final warning about abandoned plugins. Some plugins can continue to work years after they’ve been abandoned by their developer. What can happen is that these old plugins may contain a vulnerability. But because they are abandoned, it will never get fixed.
Another issue is that hackers sometimes buy the old plugins and update them with malware and viruses.
Check all your WordPress plugins to make sure that they have not been abandoned and appear to be updated on a fairly frequent basis.
Protect Your WordPress Site from Hackers
For many sites, simply taking these small steps to secure a website is enough to keep the sites from getting hacked. The free versions of these plugins provide an extraordinary amount of protection and the premium versions give even more protection.
There are many security type plugins and some of those have actually contained vulnerabilities themselves. Wordfence and Sucuri are in my opinion top choices for WordPress security.