How to protect your WordPress site against malware and brute-force attacks like a pro

Worpdress security protect against malware brute force plugins

It’s every WordPress site owner’s nightmare to find ones carefully crafted website to be hacked or brought down to its knees by malicious attackers.

We are going to highlight the best practices in this post when it comes to choosing security plugins for WordPress and monitoring tools that can alert you and prevent disasters happening to your online presence.

How do you know that your site is being attacked?

If you don’t know about it that’s already a problem you need to solve: monitoring (see step 1 below).

A good clue is when your site goes down and you need to restart your server or contact your hosting to resolve the issue of an inaccessible site.

Your website performance issues – namely pages loading slower or completely timing out – can also originate from “brute force” attacks that are very common nowadays even against small – medium sized websites (you don’t need to be a traffic giant to get attacked).

So what can you do to fight against these intruders?

Fortunately I succeeded in driving the attackers out of the blog thanks to a handful list of practical plugin.

Step 1: Monitoring

Use Jetpack’s security features such as Monitor. And we recommend switching on the multiple login attempt challenge option as well to maximise your protection. These are not fool-proof but are decent “first line of defence” methods of security.

If you want something more robust that will alert you when your server is totally offline, we recommend Pingdom or Uptime Robot. Both of them has free and paid services – so you can make your choice.

Step 2: Have a backup!

Even the best security software can fail so it’s recommended to have regular copies of your database and website files.

We use 2 different solution on our sites:

  1. UpdraftPlus WordPress Backup Plugin: simple to setup backup solution that can use cloud storage like Dropbox, Google Drive, Amazon S3, etc.
  2. VaultPress: enabled lighting fast and easy restoration. This service comes directly from the company behind WordPress.com and Jetpack (Automattic). From $5 a month it will enable daily backup and premium support if you need any help from the best WP experts around straight from the WP mother company.

Step 3: Use a security plugin

You wouldn’t run your computer without some kind of antivirus shield, would you? So why would you have a website without a security plugin running on it? I used to use AVG or ZoneAlarm free antivirus protection on my PC since I can remember and fortunately there are some freely downloadable WordPress security plugins too that will do the same on your hosting. Here are two plugins we recommend that are widely used by hundreds of thousands of people:

  1. Sucuri Security Plugin: monitors any file changes on the server and detects malware or exploits being injected into your source code and alerts you about it. You can also run manual scans if you have a suspicion of an infection.
  2. WordFence Security Plugin: you can lock down your WP installation like it was “Area 51”. It’s a very complete security plugin, it also have a scanning functionality where your site is checked for adware, trojans, viruses, malware, you name it it will discover it. It can restore core WP files if they were corrupted, You can tweaks the settings to limit login attempts, get alerted about various suspicious activities affecting your website, detect dubious injected links, block and / or ban IPs where hack attempts are originated – so overall it is a must have for your installed plugins list.

+ Bonus Step 4: Use CloudFlare service

By using CloudFlare’s global CDN network your pages are delivered to your visitors at top speeds. It caches assets and pages to accelerate the site and to repel / filter certain threats.  It’s also set up to block malicious threats from abusive bots, hackers and nasty crawlers to safeguard your server resources while also saving you bandwidth. This additional measurement is not only a good way to boost your site loading speed but to make your site more robust towards attackers too.

You might be wondering: Why me? Why an Earth would any hacker want to get into your site?

God knows of their intention but in 99% of the cases it’s not an actual geeky hacker trying to get through the gates but the hacking tool written by them which is actually a script that is released onto the internet and roams from server to server trying to do its devilish things.

How hard is it really to crack your login?

So how do these robots guess your password? Sure enough, brute force attacks have a common point with riddles. In fact, this kind of attack corresponds to robots trying to discover the username and password of the administrator account of your site.

If, unfortunately, a test proves conclusive. You can bid farewell to your site. The attacker can do whatever he wants (since he will be logged in as an administrator). So how do these robots guess your password? Well they try, retry and try again tens, hundreds of passwords by combining them with the most used identifiers.

Therefore, banish the identifiers as “admin” or “test” of your site to enhance the work of the aggressors. The next step is to use complex passwords. That is to say with varied characters (uppercase, lowercase, digits and punctuation marks). To generate complex passwords, take a look at this site it is top🙂

I hope your password is not part of the top 25 of the worst passwords of 2017 . If so, hurry to change it because a hacker might be just screwing up your site right now!

Let’s say you have done all the above but you want to go even further…

++ Bonus Step 5: Move the site login page to an unknown URL

Indeed, if the classic login page (located at yoursite.com/wp-login.php) is no longer there, robots and other assailants have it in the bone! Check out the Custom Login URL plugin to relocate the default WP login page which will make hack attempts much more rare.

In any case, these solution should put an end to brute force attacks and security exploits on your site. I hope it will be working for you as it did for us.