Sep 18

The Best WordPress Security Plugins

I wrote a post a while back about ways to protect your WordPress site from being hacked. Since then, I’ve worked with several clients whose sites had already been compromised to help them rid their blogs of infected files and malware warnings. Here are a few reminders for keeping your WordPress site secure:

1. Don’t rely on your host. Some hosts will help you clean up your website after an infection, while others will simply point you to a list of the infected files and tell you to clean them up. Never assume that your host will take care of everything if your site is hacked. (And consider a new host if they don’t!)

2. BACKUPS, people. I have said this a million times but it’s worth saying again. I offer web hosting and I schedule backups to run every Sunday night. That means if your site is hacked late Saturday night and we have to restore from my backups, you’re going to lose a week of posts and comments. Get a backup plugin, preferably one with a restore feature, and set it to create a new backup every day.

3. Don’t make it easy for hackers. If your password is “password” or you use a version of WordPress from 2007, I don’t have a lot of sympathy if your site is hacked. There is no excuse for failing to take 20 minutes to secure your site against people who might randomly try to break into it.

What WordPress Security Plugins Should I Use?

A few months ago I started using a fantastic free plugin called Wordfence Security. This plugin will scan your WordPress core files, plugin files, and even theme files for anything that doesn’t match the original versions in the WordPress repository. Best of all, it gives you a list of anything that seems “off” and tells you how to fix it (often by replacing the altered file with one mouse click).

Wordfence also gives you tons of options for locking down your site - you can block IPs that try to break in, hide your WordPress version to make it harder for hackers to know what to exploit, scan your comments for known phishing URLs (it found a ton of spam trackbacks on my personal blog), and even see a view of “live traffic” on your site. While I’ve been writing this post, a fake Googlebot tried to access this site and Wordfence blocked it.

The best thing about Wordfence? While I still recommend plugins like Limit Login Attempts and WP Firewall, it performs all the actions that those plugins do. Which means I can get rid of the other plugins and use only one to do most of the legwork to protect my WordPress sites. There is also an active support forum in case you have questions about anything Wordfence discovers while scanning.

Other Great WordPress Security Plugins

While I’m a huge fan of Wordfence, there are lots of other awesome plugins you can use to protect your site.

TimThumb Vulnerability Scanner - You’d be surprised how many themes and plugins use an outdated version of TimThumb (a common script that helps WordPress render thumbnail images). This leaves your site vulnerable to exploits, but luckily there’s a plugin that will fix it. The TimThumb Scanner quickly evaluates your themes and plugins, notifies you of any issues, and allows you to update TimThumb with one click.

WP Notifier - If you don’t log into your dashboard on a regular basis, this plugin will notify you via email when your themes, plugins, and/or WordPress core need to be updated. Simple yet effective, especially if you own static or niche sites that don’t need to be updated very often.

Better WP Security - This one is a serious contender with Wordfence. It hides various parts of your WordPress site that are common targets for hackers. It also makes backups and emails them to you - an awesome feature for those of you who don’t want to spend time creating them manually.

The Bottom Line

WordPress security is something that all bloggers and website owners should take seriously. As I’ve said before, you don’t have to be internet famous or even popular for your site to be at risk. People who destroy WordPress sites usually do it because they can - it’s not because of anything personal toward the site’s owner.

What steps have you taken to secure your WordPress site(s) from hackers? Any security plugins you love that I haven’t mentioned?

 

Andrea Whitmer

Andrea Whitmer is a full-time freelance web designer who works exclusively with the WordPress platform. She enjoys helping individuals and small businesses create an online presence and dedicates her time to consulting and design. Connect with Andrea on Facebook, Twitter, Google+, Pinterest, or Instagram.

  1. Abdelhak 18 Sep 2024 | reply

    WordPress security should always be of central importance when developing websites using WordPress or any other CMS and you've combined some great WordPress security advice and plugins here.
    I've been using BulletProof Security on many production sites and never had any hacking issues, or at least not yet :)
    Thanks for a great informative/reminder, Andrea! Keep up the good work.

    Abdelhak.

  2. Lena @ WhatMommyDoes 18 Sep 2024 | reply

    I have had "backup plugin" on my to-do list for a long time but never seem to get around to it. Now seems like a good time. LOL

    Better WP Security sounds awesome! On the plugin info page, it warns that the plugin makes major changes to your database and you should back up your site before installing it. But that's why I want the plugin! Would you just install it anyway and hope for the best if you were me? :)

    • Andrea 18 Sep 2024 | reply

      I would definitely make a backup first. It’s very unlikely that the plugin will break your site, but you have to ask yourself what you’d do if it did. If the risk is worth it, go for it! If not, get another backup plugin first, make a backup, then get rid of that plugin once you install the other one successfully. :)

  3. objectivewealth 21 Sep 2024 | reply

    Andrea, I've come to value your advice recently, so I had no hesitation in trying out Wordfence - and I love it. Best of all it combines the functions of a number of different plugins all into one. You know how much I like my plugins ;-)

  4. Magnus 3 Mar 2024 | reply

    Is it possible to use Wordfence and Bulletproof at the same time?

    • Andrea Whitmer 3 Mar 2024 | reply

      I’m sure you could, though I think it would be overkill. Would make more sense to choose one or the other.
