We published a rundown on our favorite security plugins for WordPress a few months ago. Since then we’ve had a pretty big attack on the domain that hosts our WordPress demo sites. Hack attacks come in different forms. In a brute force attack, the attacker uses a program to guess your password by pounding your login page with repeated login attempts. Other attackers are a little sneakier and try to gain entry through back end files that, for some reason, are left totally naked and without protection. So, today we’re going to talk about what happened to us and our newest recommendations for protecting your site from the vile miscreants out there trying to jack your site.
The most recent attacks
Our site gets attacked pretty much all the time. Mostly nuisance attacks like spam or short-lived brute force attacks. Because we run a shop, hackers seem to think they can break in and get our customers’ financial data or other info. News for them: we don’t store any customer data in our site databases. Totally zero. All of those records are stored behind the massive security protections our shopping cart vendor uses. But that doesn’t stop the hackers. They keep trying.
The most recent attack was one of those sneaky back end deals. They went after a file known as xmlrpc.php. This WordPress core file is the XML-RPC endpoint that remote publishing clients, the mobile apps and pingbacks talk to. It has had a string of security fixes in core over the years, but even on a fully patched site it still accepts login attempts and can batch many of them into one request, which is exactly why bots love it: a botnet can try thousands of passwords against it with far fewer requests than it would need against wp-login.php. The current version of WordPress is 4.5.2. Plenty of sites still run much older versions with unfixed XML-RPC bugs, which is why this kind of attack is still worth the attacker’s time. (Seriously, if you’re still running 3.5.1, you almost deserve to be hacked…I’m not saying anyone deserves to be hacked, but seriously, UPDATE!)
We always run the current version of WordPress on our site, so there wasn’t much danger of them gaining access this way. However, when a bot hits a file over and over in an attempt to crack it, every one of those requests still costs PHP time on our server, and that burned through our CPU allowance for the month (shared hosts meter this much like they meter page views). We got a notice from our web host and then literally got cut off because we went over our CPU usage, which we never do. So, to keep our sites live, we were forced to upgrade to the next highest plan.
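The attack above leaves an unmistakable trail in the web server access log: one client POSTing to /xmlrpc.php far more often than any real publishing client ever would. Here is an added example (our own, not part of the original post or any plugin) that parses Apache/nginx combined-format log lines and flags IPs that exceed a threshold of xmlrpc.php POSTs inside a sliding time window. The log lines, addresses (RFC 5737 documentation ranges) and threshold are constructed for the example; tune the threshold to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log format. We only need the client IP,
# the timestamp and the request line; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_xmlrpc_abusers(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_hits} for every client that POSTed to /xmlrpc.php more
    than `threshold` times inside any `window` of time.

    Uses a per-IP sliding window, so each IP's lines must be in chronological
    order (the normal state of an access log). Only POST is counted: XML-RPC
    calls are always POSTs, and a stray GET of the file does no work.
    """
    recent = defaultdict(deque)  # ip -> timestamps of its recent xmlrpc.php POSTs
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop hits that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def make_sample_log():
    """Constructed sample log (not real traffic): one bot hammering xmlrpc.php,
    one legitimate client making a few XML-RPC calls, and ordinary requests."""
    base = datetime(2016, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{req}" {status} 512 "-" "{ua}"'
    lines = []
    for i in range(30):  # 30 POSTs in 30 seconds from a single address
        lines.append(fmt.format(ip="203.0.113.7",
                                ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                req="POST /xmlrpc.php HTTP/1.1", status=200,
                                ua="Mozilla/5.0 (compatible; xmlrpc-bot)"))
    for i in range(3):  # a real client, well under the threshold
        lines.append(fmt.format(ip="198.51.100.5",
                                ts=(base + timedelta(minutes=i)).strftime(TS_FMT),
                                req="POST /xmlrpc.php HTTP/1.1", status=200,
                                ua="wp-android/5.7"))
    lines.append(fmt.format(ip="192.0.2.44", ts=base.strftime(TS_FMT),
                            req="GET /xmlrpc.php HTTP/1.1", status=405, ua="curl/7.47.0"))
    lines.append(fmt.format(ip="192.0.2.45", ts=base.strftime(TS_FMT),
                            req="GET / HTTP/1.1", status=200, ua="Mozilla/5.0"))
    return lines


if __name__ == "__main__":
    for ip, hits in sorted(find_xmlrpc_abusers(make_sample_log()).items()):
        print(f"{ip}: {hits} xmlrpc.php POSTs inside one 60 s window")
```

Run it against your real log with `find_xmlrpc_abusers(open("access.log"))` and feed the flagged addresses to your host firewall. If nothing on your site needs XML-RPC (Jetpack and the WordPress mobile apps do), the simpler fix is to deny the file outright at the web server, which stops the bot before PHP ever runs and so stops it eating your CPU allowance.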
This got us thinking about our current hosting and security situation. We made a few changes recently to deal with the situation and we wanted to share our solutions with you so that you can prevent this kind of thing from happening to you.
We love our current web host. They’re great, but honestly, you get what you pay for, and their plans are very economical, which is one of the reasons we chose them in the first place. Because they are so cheap, however, we were primarily responsible for making sure our sites were secure. Our host had some server side security in place, but for the price, no, it wasn’t A+.
We’ve already given you some recommendations in our previous post on keeping your site secure. Here are a couple we want to really highlight:
Sucuri comes in a few different flavors. The free plugin is great but it lacks a firewall. YOU MUST HAVE a firewall.
If the free version of Sucuri just isn’t quite cutting it, we recommend you upgrade to either the Pro version or looking at Managed WordPress that includes Sucuri (more later). The Pro version is $19.98 USD per month. That’s quite a chunk of change when your web hosting might only cost you $3.95 but if you’re getting hammered with attacks or getting hacked, it’s worth the investment. We went with a different option that we’ll discuss later.
Get a Firewall
In general, I am not a fan of firewall plugins. Host server side firewalls are preferable. Plugin firewalls hook themselves in by rewriting files like .htaccess and wp-config.php, and they can really f$#% things up. There is 1 (one) WordPress firewall plugin that I recommend. It’s easy to use and specifically designed to touch your core files as little as possible. If you can’t justify footing the $19.98/month bill for Sucuri Pro, then add Shield WordPress Security Firewall to your site along with the free Sucuri plugin. DO. IT. It will save you so many headaches.
Managed WordPress Hosting
With our main site, which gets a fair amount of traffic, our Blogger help site and all of our WordPress demos plus some other projects we have in the works, it was time for us to upgrade to some better hosting. The latest hack attack just lit a fire under me to Get. It. Done.
I did some truly exhaustive research and came to the conclusion that Managed WordPress Hosting was the way to go.
What is Managed WordPress Hosting?
With true Managed WordPress Hosting, your web host handles all the back end WordPress maintenance for you.
- They install WordPress
- Some will transfer your sites for free if you need it
- They also handle updating WordPress and all your plugins
- Plus they optimize caching, security and anything else that makes your head hurt just thinking about it.
With as many sites as we run and will be running in the future (more news coming soon), we need something that is low maintenance yet worry free so Managed WordPress was a no brainer.
But of course, this higher level of service comes with a bigger price tag. Managed plans can cost a pretty penny. After looking at hosts like WP Engine, Pagely, Web Synthesis and Media Template, we decided on an almost unknown company because they said all the right things.
Who is WPCloud.ca and why are we moving our sites to their hosting plans?
WP Cloud is a company based in Canada. One thing we loved was that their website gave us all the answers we needed about what their hosting offers. Most of the hosts we looked at glossed over some details but we found all the answers to all of our questions right there in blue and white.
WP Cloud offers managed hosting at a reasonable price along with some really great features like integrated Sucuri security measures (!). The entry level plan covers 2 WordPress sites (multisite welcome, unlike many managed plans) for $24.00 CAD per month. At today’s exchange rate that was about $19/month for the plan. Wait…Sucuri alone is $19.98 per month for one site. Do you see where we’re going here? Totally worth it.
Some other features we liked:
- WPCloud also automatically keeps 15 days of backups on all your sites with 1 click restore should you need it.
- The Sucuri services include fixing your sites for you if you get hacked.
- The plans also include Varnish caching which means your sites are wicked fast.
- Our page load times dropped by 75%!!! That’s huge. Our page load times are now under 3 seconds, right where you should be for max SEO.
- Unlike many other Managed Plans, WP Cloud includes email hosting, so you’re not shelling out extra to host your domain-specific email at some place like GoDaddy – more savings!
- Another big plus for us was site staging. We can easily make a copy of our existing site, make updates and changes, give it a whole new look and then push out the updates with zero interruption or downtime. A great advantage when your site is ready for a makeover.
- CDN and image optimization (part of what makes your sites so fast)
- If you’re from Canada, their email is Canadian Privacy law compliant
They do not, however, do domain registration, so you will need to have your domain through another company like GoDaddy. But redirecting your name servers is easy enough.
The Wrap Up
We still recommend Siteground as a great low-cost hosting option. They have very reasonable plans, great resources like Google PageSpeed caching (makes your site wicked fast), automatic WordPress core updates (optional), and more. And their customer service is great. But you are responsible for all that back end maintenance and for making sure your site is secure beyond the usual server-side security they include. Siteground is also recommended by WordPress.org.
We DO NOT recommend BlueHost at this time. We’ve had horrible times lately dealing with them under client accounts.
But if you’re ready to take the next step up and get a premium level of hosting that includes Managed WordPress with all its benefits, we totally recommend WPCloud.ca.
If you’re not quite ready for that kind of monetary commitment, install Sucuri and Shield WordPress Security Firewall. Here is a helpful link if you need help configuring Sucuri: https://sucuri.net/wordpress-security/wordpress-security-plugin-installation.
Please, seriously, use protection. It’s a nasty world out there.