How to Protect a WordPress Site from Hackers

For many WordPress sites, simply taking small steps to secure a website is enough to keep the sites from getting hacked. Read about it here.

WordPress is a frequent target for hacking. Hackers are targeting the theme, the core WordPress files, plugins, and even the login page. These are the steps to take to make it less likely to be hacked and to be able to recover easier if it should still happen.

How Hackers Attack WordPress

All sites on the web are under constant attack – whether it’s a phpBB forum or a WordPress site – all sites are being probed by hackers. It’s not unusual for a hacker to scan thousands of pages or try to login in hundreds of times a day.

And that’s just one hacker. Sites are under attack by several hackers at the same time.

Typically it’s not a person who is trying to hack you. Hackers employ automated software to crawl the web to probe for specific weaknesses in the website.

These automated software programs crawling the web are called bots. I call them hacker bots in order to distinguish them from scraper bots.

Secure Your WordPress Site With a Firewall

A firewall is a software program that blocks an intruder. In my opinion, the best WordPress firewall is a plugin called Wordfence.

What Wordfence does is to check if a website visitor’s behavior matches that of an abusive bot. If the bot breaks certain rules, like asking for too many web pages in a short amount of time, Wordfence will then automatically block the bot.

Wordfence is also programmed to allow legitimate bots like Google and Bing on the site.

There are advanced features that let a publisher see what bots are attacking a site and to view where the bot is coming from, like if it’s a bad bot coming from Amazon Web Services or Bluehost for example. Wordfence provides the publisher the ability to block the bot by their IP address, the entire IP address range, or even by a fake browser user agent that the bot is using.

Website Security Hardening

Another free plugin that provides an additional layer of protection is called Sucuri Security. Sucuri (owned by GoDaddy) helps harden the WordPress security to block bad bots from taking advantage of certain kinds of attacks. It also has a malware scanning feature that checks all files to see if they’ve been altered.

Sucuri will alert you every time someone logs into your site, helping publishers to identify if a hacker is logging in. Sucuri can also alert a publisher if a file was changed, something that hackers do.

These are the features of the free version of Sucuri:

• Security Activity Auditing.
• File Integrity Monitoring.
• Remote Malware Scanning.
• Blacklist Monitoring.
• Effective Security Hardening.
• Post-Hack Security Actions.
• Security Notifications.

The paid version of Sucuri includes a website firewall.

Update All Themes and Plugins

It’s important to always update all themes and plugins. WordPress provides a way to update all plugins automatically, which is convenient for publishers or businesses who don’t log in and do updates often.

By enabling the auto-update feature a publisher can be assured of having the most up-to-date software. Having an out-of-date plugin is one of the leading causes of being hacked. There are reasons not to enable the auto-update feature, but the negatives tend to happen rarely. For example, an updated plugin might be incompatible with other plugins.