Categories
WordPress

How To Protect WordPress From Attacks

WordPress is one of the easiest DIY content management systems to install and use. You can set it up in a minute or two and be up and running, typing out your first blog post for the world to enjoy before breakfast.

The problem is that as soon as your site is “live” it is vulnerable to attack. I have experienced numerous attacks on my WordPress installations. Sometimes the site had not even been advertised anywhere.

And yet, boom, out of nowhere, a sneak attack injected malicious code into my website.

Usually you don’t know that you’ve been hacked until it’s too late.

“Why didn’t you back up?” I hear you say.

Well once time I did a back up and only after did I discover the backup was already contaminated.

I discovered the hack because I was adding some code to the header.php file when I noticed a weird bit of text. It was a message in the website’s header saying “you have been hacked by the [name withheld] brotherhood” and a link to some flag gif.

Another attack one of my sites experienced was a massive SQL injection which created a one by one pixel image backlinks to various sites on every single one of my site’s pages. That was a headache to clean up.

Yet another time hackers had managed to get some kind of script running which was creating and deleting folders dynamically on my site’s server. I’d delete the folders and new ones would appear. I shudder to think what may have been funneled through my site during that time.

Another time I found that all the javascript files on my site had some extra code at the end of the file. And that was on a site that wasn’t even a WordPress site. It was on the same shared hosting account with WordPress on another domain. Yep. I had installed WorPress without security software. I delayed the installation of a security plugin because I wasn’t going to promote the site just yet. Well I learned soon enough that this was a mistake. The WordPress site got hacked and ruined my other sites on the same server which I didn’t even have WordPress!

I now install a security plugin first thing.

WordPress Security Plugins

To avoid getting hacked I have used a few security plugins over the years and they’ve all worked well. My WordPress installations have never succumbed to attack when I have had these security plugins up and running. The main difference I found between the different plugins was in the ease of use. Some require a bit of getting used to. But as I will show you it can be worth learning to use a new plugin.

WordFence

Protecting websites since 2012

WordFence I found to be one of the easiest security plugins to use. Their team has focused not only on extremely tight security for your WordPress installation, they have gone to extra lengths to make it easy to use. You don’t have to be a geek to use this plugin.

It’s easy for beginners, but also great for more experienced computer users who maybe don’t have time to fiddle with settings and just want to get on with creating content.

I’ve used both the free version and the premium version of WordFence.

The big question that you probably have in the front of your mind is:

Is the free version good enough?

I’d say yes, but make sure you have backups of your site. The free version delays updates by 30 days when compared to the premium version.

If someone uses a zero-day exploit on your site of course neither plugin will save you. So in the end it’s really only about managing and reducing risk. The risk is never zero, so backup, always backup. If your site is bringing in a solid income stream then WordFence Premium is hard to beat as far as providing protection and being super easy to use.

Of course if you are just getting started with your site and it’s not yet paying for itself much less making a profit there are other options that are not as costly.

And WordFence won’t budge on price.

I asked WordFence if they could consider a better price for me, but they said they felt their price reflected the value they offered. That may be true, but once the number of websites I wanted to protect started to grow WordFence started getting a little prohibitive.

BulletProof Security

Protecting websites since 2007

I switched to BulletProof Security Pro by AIT Pro when I had more than three websites to protect. It was merely a financial decision. Having been hacked so many times in the past I was determined to use a premium product. But I had to keep the costs down.

BPS Pro, while a little less user friendly, only charges a once off fee for as many websites as you want to protect. And it’s not an annual subscription either. It’s really a once off fee. This definitely appealed to me. I don’t mind a bit of DIY if it saves me some money. All I had to do was read their documentation and ask for help when I needed it. BPS Pro have extensive documentation both in the form of videos and a user forum. They answered any support tickets promptly, so it ended up not being as hard as I’d initially thought it was going to be.

It may take a little bit of your time to get your head around the way BPS Pro works, but I found it to be a fair tradeoff.

To me it was worth the learning curve.

If you ever have an issue you can’t work out by reading the documentation or by watching the instructional videos you can send them a question and BPS Pro support will either fix it themselves or direct you on what to do.

BPS Pro is the longest established WordPress security plugin I list here.

iThemes Security Pro

Another WordPress security plugin worth mentioning is iThemes Security Pro. This plugin has been around since 2014. I haven’t used this one so you will have to rely on other user reviews for a first hand account as to what it’s like to use it. From what I gather it has a strong fan base. Just like with anything there are a few users for whom this plugin didn’t work. Well it worked a little too well, by locking them out of their site. Still, 90% of reviewers gave this plugin 5 stars. Fortunately there is a free version of the plugin so you can see if it is to your liking. It’s probably a good idea to use the free version first before shelling out $80 or more for the Pro version.

Sucuri

Sucuri has a free WordPress Plugin, but they also offer a Website Security Solution which can be installed on any site whether WordPress or not. My experience with Sucuri was in the form of a free scan of a website I suspected was infected. Sucuri identified the threat and had a solution on their blog. Their security blog was what impressed me so I feel they definitely should be mentioned here. Sucuri is well known for the place you go once you have a problem and need someone to clean it up. There are admittedly a number of customers that were annoyed because the malware on their site was hard to clean up and got impatient while the Sucuri team was busy working on the clean up. Sucuri have mentioned that they are aware of this and said they will improve in this area. But as you can imagine anyone going through a site meltdown is going to be prone to a meltdown themselves. It’s no wonder that some of them had themselves a little rant on Trustpilot.

Pricing Compared

Free plugins are great but sometimes you want that extra security and reassurance provided by the premium version.

If you are only worried about a single WordPress installation then the price difference for one year isn’t huge. I agree with WordFence that their pricing reflects the value of their product. They make it so easy to use that the time saved is absolutely worth it.

Plugin1 Website10 Websites100 WebsitesRecurring CostsSupport
BPS Pro$69.95UnlimitedUnlimitedNoneUnlimited
iThemes$80$127$199YearlySubscription
Wordfence$99$792$7,425YearlySubscription
Sucuri$199.99??YearlySubscription

Total Cost After 10 Years for 1, 10, 100 & 1,000 Websites

Once you start looking at the long term costs combined with the individual cost per license for each website it gets very expensive. If each of your sites is making enough money to justify the expense then by all means choose the one that you find is the easiest to use.

However if you are launching new websites and don’t want to risk too much expense before seeing if they pan out it will pay to get to know BPS Pro.

 Plugin1 Website10 Websites100 Websites1,000 Websites
BPS Pro$69.95$69.95$69.95$69.95
iThemes$800$1,270$1,990$1,990
Wordfence$990$7,920$74,250$740,250
Sucuri$1,999.90???

Leave a Reply

Your email address will not be published. Required fields are marked *