Since we design our web themes specifically with bloggers in mind, I frequent a lot of sites ABOUT blogging. I read a lot of great posts about content creation, social media and even DIY design tips. The topic that seems to get the least attention should probably get the most: how to protect your WordPress.org site.
In this post, we’re going to break down WHY you need to protect your site and some measures that ANYONE can take to protect their site from hackers and bot attacks.
Not too long ago, one of my full-service site-install clients contacted me because her web host was getting ready to shut down her site because she’d gone over her monthly allotted “executions”.
The site owner was bewildered. Her site is pretty darn popular, but she had bought a larger hosting package to make sure she had plenty of monthly page visits. Sure enough, when she checked her site stats, her site had seen a massive traffic spike the day before: 3 times the traffic she usually gets in a month, in a single day.
Her host sent her an email filled with steps she could take to fix the problem. To her, it was all a bunch of mumbo jumbo. So, she contacted me.
What the heck happened?
The site owner was the victim of a malicious bot attack. An automated program was set to access her site over and over, specifically her admin login page. The bot was trying to “guess” her admin login and password using a Brute Force attack. We had already set up a plugin that sent her email notifications any time someone tried to log into her site, whether they failed or succeeded, so we knew her site hadn’t been accessed. But the bot had burned through her “executions” for the month. (At her host, executions are roughly equivalent to page visits.)
Once bots gain access to a site, their goals can be a number of things. If you run a shop and store secure customer info (we don’t by the way – all our customer info is stored by our Cart vendor with powerful encryption – we recommend never storing customer or visitor info in your site databases if you can avoid it), they might gain access to credit card numbers. Or they might use your server to send their own SPAM mail.
Whatever the hacker’s goal, you know it’s not good. But there are some simple, free plugins that can help. All you need to do is install and set them up. Nothing can promise you 100% protection; hackers learn new tricks all the time. But at least you’ll know you have roadblocks in place to prevent the most common types of attacks. So, follow the steps below to protect your site!
Update, update, update!
The first and foremost way to keep your WordPress site safe is to keep your site updated. This includes WordPress core, themes and plugins.
WordPress provides lovely automatic update notices. You can even activate automatic update installation (although a lot of people don’t recommend this – check out this article to learn more). Or there are services like WP Maintainer that will make sure your site stays up-to-date (although they can be quite spendy).
The bottom line is, pay attention to that update icon in the top of your admin toolbar, the one that looks like two arrows going around in a circle.
When it comes to plugins, especially free ones, make sure you’re using ones that are updated regularly and recently. If a plugin hasn’t been updated in 2 years (the WordPress repository will warn you), avoid it. And don’t forget to deactivate and delete any plugins you’re not actively using. Don’t leave hackers an open back door to your site!
When it comes to themes, look for theme shops that offer free upgrades with in-dashboard update notices and update processes. (We do!)
Protect with plugins
The name of this plugin pretty much says it all. It limits the number of times someone can try to log in to your site. Easy to set up and great for helping prevent Brute Force Attacks. There are other plugins similar to this one, but this one is the most updated and most used.
This is really the only plugin we’ve found of its kind, but it’s a good one for sure. You can achieve the same thing by editing the .htaccess file in the root folder of your site on your server, but this is just plain easier. Install, activate, and protect your site from common bad bots known to crawl sites.
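To make the two ideas above concrete (and to show what was actually happening in the incident at the top of this post), here is a small script that reads a web server access log and flags the same things those plugins watch for: one visitor failing the login form over and over, and crawlers that announce themselves with a known bad user-agent string. This is an added example, not code from the original post or from any of the plugins mentioned. It assumes the host writes Apache/nginx “combined” format logs and that the login page is the WordPress default /wp-login.php; the log lines and the bad-bot marker list are constructed for illustration.

```python
"""Added example: spot login brute-forcing and blocklisted bots in an access log.

Assumptions (not from the original post): logs are in Apache/nginx "combined"
format, the login page is WordPress' default /wp-login.php, and the sample
lines and bad-bot markers below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/wp-login.php"
# Constructed blocklist: substrings of user-agent strings we choose to refuse.
BAD_AGENT_MARKERS = ("ExampleBadBot", "ExampleScraper")

# Combined format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: 203.0.113.7 hammers the login form, 198.51.100.24 is a
# normal visitor who logs in once, 192.0.2.55 is a crawler with a blocklisted agent.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.24 - - [10/Mar/2015:09:30:11 +0000] "GET / HTTP/1.1" 200 18204 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.24 - - [10/Mar/2015:09:31:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.24 - - [10/Mar/2015:09:31:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 40211 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.55 - - [10/Mar/2015:11:02:09 +0000] "GET /feed/ HTTP/1.1" 200 9120 "-" "ExampleBadBot/1.0 (+http://bot.example)"
192.0.2.55 - - [10/Mar/2015:11:02:10 +0000] "GET /?s=test HTTP/1.1" 200 7711 "-" "ExampleBadBot/1.0 (+http://bot.example)"
"""


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(records, max_attempts=5, window=timedelta(minutes=10)):
    """Map each client IP to its peak number of failed login POSTs inside any
    `window`, keeping only IPs that reach `max_attempts`. WordPress answers a
    failed login by re-rendering the form (200) and a successful one with a
    redirect (302), so 302s are not counted as attempts."""
    failed = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"].split("?")[0] == LOGIN_PATH and r["status"] != 302:
            failed[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in failed.items():
        times.sort()
        peak = 0
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            peak = max(peak, j - i)  # attempts in the window starting at `start`
        if peak >= max_attempts:
            flagged[ip] = peak
    return flagged


def find_bad_bots(records, blocklist=BAD_AGENT_MARKERS):
    """Return the set of client IPs whose user-agent contains a blocklisted marker."""
    return {r["ip"] for r in records
            if any(marker.lower() in r["agent"].lower() for marker in blocklist)}


def audit_log(text):
    """Parse a whole log and report both kinds of unwanted visitor."""
    records = [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]
    return {"brute_force": find_login_bruteforce(records), "bad_bots": find_bad_bots(records)}


if __name__ == "__main__":
    print(audit_log(SAMPLE_LOG))
```

On the sample, the first address is reported with 6 failed attempts inside the window while the legitimate visitor, whose one POST redirected, is not; the crawler is reported by its user-agent. The same counting is what a login-limiting plugin does in real time before the request reaches WordPress, which is why it also saves the “executions” the post talks about: a blocked request is never processed by PHP.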
There are lots of WordPress security plugins out there, many of which are full-suite protection that includes antivirus scanning, but sometimes plugins with a very specific purpose are the best. This plugin performs an automatic scan of your site on a regular basis and shoots you an email if it finds anything.
For an antivirus program on steroids, check out the WP Antivirus Site Protection plugin.
This plugin comes automatically installed by a lot of web hosts. It helps catch spam comments on your site. You have a couple of simple configuration options to tell the plugin what to do with SPAM. Personally, we prefer to never even see the worst offenders.
Another plugin you’ll commonly find automatically installed, JetPack is actually a suite of plugins grouped together. There are all kinds of useful modules in JetPack. We personally love Photon, which helps speed up your site by caching your images and photos. But the BruteProtect module also helps protect your site from Brute Force Attacks.
Protect your site from comment SPAM with that “I’m not a Robot” verification box made popular by Google. No need for your users to squint at fuzzy pictures and try to guess the letters.
Another great way to prevent Brute Force attacks is to “hide” your login page. WordPress comes with a standard login page address that hackers don’t even have to guess at. This simple plugin helps you change your login page address to something less predictable. Make sure you write down your new login page address!
Full suite WordPress security options can be a little intimidating. The setup process can be a little confusing and lengthy. Sucuri is one of the best free full suite solutions. I love that it emails me each time there is a successful or failed login attempt.
Another great full suite security plugin, iThemes Security wins our award for being easier to set up than most.
So, have you ever been hacked or SPAMMED? Feel free to share your experiences and any tips to help other bloggers prevent/fix this kind of issue.