How to protect your WordPress site against attackers

Protecting your WordPress site against attackers does not need to be a hard task. You can easily protect WordPress with a few plugins. In this article, we will go over the different options for protecting your site so read along and learn more about protecting your website. Some types of attacks are plugin vulnerabilities, brute force attacks, core and theme vulnerabilities, hosting vulnerabilities. We will also cover a few more types of attacks people rely on so be prepared to learn a lot from this article.

Plugin Vulnerabilities

If you think of the scale of WordPress plugins out there and the number of developers making them you can’t help but think there will be some that are culprits with causing vulnerabilities. One way to protect your site from vulnerabilities in plugins is to install as few plugins as possible. The plugin ecosystem is the major reason people choose WordPress in the first place, so I don’t suggest you avoid plugins altogether. But, if you aren’t using a plugin, remove it. Consider if you need the functionality a plugin provides. Keeping the number of plugins low reduces the surface area for threats. Only download WordPress plugins from reputable sources such as the WordPress repository or Codecanyon. Most of these plugins are perfectly fine and have been checked for security risk.

We have found some plugins can contain malicious code though when downloaded from the WordPress repository the best thing to do is look for reviews of the plugins and then do an assessment on the staging site. If you are familiar with code have a look through the code of the plugin to make sure it doesn’t do anything it shouldn’t. There are plenty of resources out there for peer sourcing code reviews such as Reddit or Quora take a look at those sites for people to gladly help look at the code and see if it is malicious.  Another way to protect against attacks is to update all of your plugins regularly this enables the developers to release fixes for vulnerabilities. We recommend testing all plugins on a staging site before you post them to your live site. With Xenon Cloud you get your very own hosting account for staging when you sign up for Web Hosting.

A great plugin that scans for plugin vulnerabilities is Defender Pro from WPMUDEV. You can download it here: https://premium.wpmudev.org/project/wp-defender/

Brute Force Attacks

Brute force attacks are where bots try and get into your website by guessing your username and password. Bots are very powerful and can try thousands of combinations within minutes. The best thing to do to protect against this is to enable two-factor authentication. This will enable you to securely make sure the bot cannot get access to your site. You should also consider limiting login attempts. Download a plugin that limits login attempts and blocks the IP address of the attacker after a preset amount of failed login attempts.

Core and Theme Vulnerabilities

The best way to protect against these types of attacks is to update regularly. There are some vulnerabilities in themes and the WordPress core but they get updated very quickly from the developers so be sure to update at least once a week or check for updates at least once a week.

Hosting Vulnerabilities

Not all hosting is created equal you need to be careful when choosing a hosting provider and make sure they have virus protection built into their servers. Here at Xenon Cloud, we take steps to protecting our clients on the backend of servers. We log visitors and if we notice suspicious traffic we block it through our firewalls. We also scan hosting accounts for malware and suspicious files and let our users know through email alerts. If you want to learn more about our secure cloud reach out to sales@xenoncloud.org

Plugins:

Here we will discuss different plugins you can use to secure your WordPress site. There are plenty of options out there but these are the ones we have tried and have worked out very well.

Defender Pro:

Keep your site safe from hackers! Brute force attacks and malicious bots are no match for Defender’s mighty WordPress security shields and cloaking technology.

Defender’s regular security scans, vulnerability reports, audit logs, 2-factor authentication, safety recommendations, blacklist monitoring, IP lockout device, simple security tweaks, core, plugin and theme code checker and login masking are too much for even the wiliest villain.

Brute Force Lockout

Limit login attempts to block attackers trying to guess your password.

File Change Detection

Scan plugins, themes and WordPress core files for changes to the code.

404 Lockout

Use 404 detections to stop bots that are scanning for vulnerabilities.

Audit Logs

Keep detailed logs of every user action from file modifications to settings changes.

Email Notifications

Never be left in the dark with customized reports and automate email notifications.

IP Lockout

Trigger timed or permanent site bans with both manual and automatic IP controls.

Defender Pro offers many different ways to secure your website against attackers. It helped us find malicious code in a plugin that allowed other people access to passwords, we tested this on a staging site so always be sure to use a staging site to test plugins and themes before you upload them to your website.

WP Hide & Security Enhancer

The easy way to completely hide your WordPress core files, login page, theme and plugins paths from being shown on the front side. This is a huge improvement over Site Security, no one will know you actually run a WordPress site. Provide a simple way to clean up HTML by removing all WordPress fingerprints. This is a very useful plugin as it doesn’t show attackers you are using WordPress. By hiding the origin of your site you make it one step harder for attackers to exploit your website. Some of the features of WP Hide & Security Enhancer are:

  • Custom Admin Url
  • Block default admin Url
  • Block any direct folder access to completely hide the structure
  • Custom wp-login.php filename
  • Block default wp-login.php
  • Block default wp-signup.php
  • Block XML-RPC API
  • New XML-RPC path
  • Adjustable theme URL
  • New child Theme URL
  • Change theme style file name
  • Clean any headers for theme style file
  • Custom wp-include
  • Block default wp-include paths
  • Block default wp-content
  • Custom plugins URLs
  • Individual plugin URL change
  • Block default plugins paths
  • New upload URL
  • Block default upload URLs
  • Remove WordPress version
  • Meta Generator block
  • Disable the emoji and required javascript code
  • Remove pingback tag
  • Remove wlwmanifest Meta
  • Remove rsd_link Meta
  • Remove wpemoji
  • Minify Html, CSS, JavaScript

As you can see the feature list is very comprehensive and offers a lot, the best part about this is it is a free plugin, they have a premium version you can also download.

WordFence Screenshot

WordFence

WordFence is one of the most popular WordPress security plugins. It keeps on checking your website for malware infection. If scans all the files of your WordPress core, theme and plugins. If it finds any kind of infection, it will notify you. It claims to make your WordPress website 50 times faster and secure. For making your website faster, it uses Falcom caching engine. This plugin is free, but a few advanced features are available for premium users. If you can afford it, do it.

Leave a Reply

Your email address will not be published. Required fields are marked *