As the most popular content management system online, WordPress websites are a common target for hackers, spammers, and other malicious parties. That is why it is vital to take measures to make your website more secure.
The goal of most hackers is to infect your website with malware. Common malware threats include:
- Pharma Hacks – Injects spam into your website database or files
- Backdoors – Allows hackers to gain access to your website at any time using FTP or your WordPress admin area
- Drive by Downloads – When a hacker uses a script to download a file to the users computer, either without their knowledge or by misleading the visitor and saying the software does something useful
- File and Database Injections – Inserts code into your files or database that lets the hackers do a number of different things
- Malicious Redirects – Redirects visitors to a page of theirs that misleads people into downloading an infected file
- Phishing – Used to acquire usernames, passwords, email addresses, and other sensitive information
When most people think about a website being hacked, they think about the hacker defacing the website and placing a message to visitors e.g. Your Website has Been Hacked by ABCXYZ!.
In reality, defacements are not that common. The majority of hackers do not want you to know that they have tampered with your website, as the first thing a website owner will do when they know that their website has been compromised is remove the malicious files in question.
Hackers who infect your website with malware are more discrete. The longer you are unaware of your website being infected, the longer they can use your website to send spam emails and infect your visitors. Even a secure WordPress website can be hacked without the owner knowing. It is therefore important that you scan your website regularly to detect any hidden malware.
In this article, I would like to show you services and plugin solutions that will help you detect malicious malware on your WordPress website.
Sucuri Malware Scanning
Sucuri have a great reputation as an effective security and malware scanning solution. Their Sucuri SiteCheck scanner will scan your website for common issues free of charge.
The scanner will scan your website for malware, defacements, and spam injections. It will also detect whether your website server has been blacklisted (which can happen if a hacker has been using your server to send spam). The main limitation of the scanner is that you need to scan your website manually yourself.
Upgrading to their $89.99 yearly premium plan will give you automatic alerts via email and Twitter about any malware issues. This plan will also remove your malware for you and remove your website from any blacklists.
Sucuri also offer a WordPress plugin entitled Sucuri Security. In addition to scanning your website for malware, the plugin offers a firewall to make your website more secure, hardening options that address common WordPress security holes, and a “last logins” section that highlights exactly who has logged into your website.
The plugin also has some useful features for recovering your website after an attack, such as updating the WordPress salt keys and resetting user passwords.
Sucuri Security can scan your website for malware and make your website more secure.
CodeGuard is a backup service that provides automated backups and restores at the click of a button. The service also monitors your website for changes every day and alerts you if it detects any malware.
Plans start from only $5 per month to backup and monitor one website. One of its main rivals in the backup niche is VaultPress, however VaultPress only offer daily scanning with their $40 per month plan. If you are looking for an all in one monitoring and backup solution, CodeGuard is a great choice.
Theme Authenticity Checker
Theme Authenticity Checker will scan every theme installed on your website for malicious code. It can find things such as footer links and Base64 code injections.
Theme Authenticity Checker will scan your theme files to check that nothing malicious is there.
Footer links will not stop a WordPress theme from passing their test, however the plugin will give you details of any links that are hard coded into the template. These will usually be harmless, but it is worth checking them nevertheless in case a bad link slips through.
WP Antivirus Site Protection
WP Antivirus Site Protection is a security plugin from SiteGuarding that can scan your website for backdoors, rootkits, trojan horses, worms, fraudtools, adware, and spyware. In addition to scanning theme files, the plugin will scan plugin files and media that has been uploaded to your website.
Their free plan will scan your website every week. Upgrading to their $4.95 per month basic plan offers daily monitoring, however their standard plan at $9.95 per month offers website antivirus and malware removal.
AntiVirus is a free WordPress plugin that can scan your website theme files every day for malicious code and spam. It features a virus alert option in the WordPress admin bar. It can also notify you of any malware detections by email.
The main limitation of the plugin is that it will only scan your current WordPress theme. Your other installed themes will not be scanned. This is not a major issue if you remove inactive themes from your website (which is advisable as old themes that have not been updated can create a security risk).
AntiVirus is a useful free malware scanner that can scan your WordPress theme for malicious code.
Anti-Malware will scan your website for malware and automatically remove any known threats. The plugin can also harden your wp-login.php page to stop brute force attacks.
Quttera Web Malware Scanner
Quttera Web Malware Scanner will scan your website for known threats such as backdoors, code injections, malicious iframes, hidden eval code, and more. The report will show you a list of suspicious files and advise whether your website has been blacklisted by ISPs.
Wemahu is a new WordPress plugin that can detect malicious code on your website. It can perform scans on your website on a regular basis and then email you a report.
Wordfence Security is one of the most popular security plugins available for WordPress. The plugin can scan your website core files, theme files, and plugin files, against known threats.
It also provides a log of changes to your website and offers many options for hardening your website and making it more secure.
WP Changes Tracker & WP Security Audit Log
WP Changes Tracker is not a malware checker. What it does is highlight the changes that have been made to the WordPress database, plugin files, and theme files.
If you are hacked, this information may help you see what exactly was changed and how someone compromised your website. The plugin is also useful for tracking changes that have been made by staff.
WP Changes Tracker shows you what has been changed on your website.
A great alternative to WP Changes Tracker is WP Security Audit Log. The plugin will keep a log of every single change on your website. Security alerts can be sent to you for a number of reasons, including failed login attempts, changes to file templates, and plugin installation.
WP Security Audit Log keeps a log of every action on your website.
Other plugins to consider using for malware scanning are:
I encourage you all to scan your website regularly to help detect malicious files and changes. It is in your best interests to detect any successful hack attempts as soon as possible to minimize the damage from an attack.
If you know of any other good malware scanners and malware detection plugins, please share them in the comment area below.
WordPress is insanely popular. It is widely used by large corporations and small DIY bloggers alike. All in all, WordPress websites make up more of the web than any other platform. This fact makes WordPress an attractive target for security attacks of all kinds.
In past posts here on Elegant Themes we have discussed WordPress security in detail and if you follow the advice in those posts you will be well on your way to making your WordPress website as secure as it can be. However, in this post, we’re going to discuss something that the other posts only mentioned indirectly or not at all–firewalls.
How Firewalls Work
A firewall, contrary to popular opinion, is not just something that keeps you from getting on all of the best websites at work or school. It is actually a valuable network security measure that places a set of rules on incoming and outgoing traffic in order to protect networks, servers, websites, and individual computers.
These rules are meant to place a wall between a trusted source (say, the server your WordPress website is hosted on) and an untrusted source (the internet) in which only trusted data is allowed entry. One, two, or all three of the methods below are implemented to make this happen.
Filtering: all of the packets of data coming in contact with your firewall are analyzed against a set of filters.
Proxy: a “middleman” is established between your website and the internet. This middleman, or proxy, passes along the good traffic while stopping the rest before it can get to your site.
Inspection: instead of analyzing all data coming at your site, key elements are identified and compared to a database of trusted information. If the data is a match then it’s allowed through.
Why You Should Use a Firewall with WordPress
When it comes to WordPress security there is no such thing as a perfect setup. No perfectly secure websites. Instead, the idea behind WordPress security is “hardening”. You want to harden your website against the inevitable possibility of attack by taking a wide variety of security measures–just one of which is a firewall.
Many of today’s top WordPress security plugins and features offer an extensive array of tools that cover the full breadth of security hardening options available to WordPress users. So at least you don’t have to worry about needing to manage a lot of different security options, each with their own plugin or service.
However, even within these tools and services you may choose to only use some of the security measures available. This will no doubt be for personal reasons based on the specific needs of your website. But there are some good reasons you may want to make a firewall one of those measures.
First, you can never have too many appropriate measures in place to secure your website. And the only inappropriate kind are those so stringent that they keep good data/traffic from reaching you.
Secondly, once you set up the rules that govern your firewall, it manages itself. You do not need to do anything afterwards.
And finally, there’s a reason firewalls have been around for so long (from the beginning of network security). They work.
So what I would recommend is that if you’re running a WordPress website (which you probably are, since you’re here) is that you pick out a tool or service from the list below and harden the security of your WordPress website with a firewall.
Tools for Hardening WordPress with Firewalls
For the vast majority of WordPress users setting up a WordPress firewall “manually” would be extremely impractical. Not to mention require technical chops possessed by a bare few. Thankfully though, some of those bare few within the WordPress community have created tools and services that the rest of us can use to establish firewalls that help harden the security of our WordPress website.
I’ve listed the highest rated and most recommended WordPress firewall tools and services below. If I missed any, please let me know in the comments below.
Price: from $9.99/month | More Information
Sucuri may be the most trusted name in WordPress security. Their firewall service creates a proxy that essentially makes the Sucuri network a middleman between your website and the rest of the web. They take care of all the malicious attacks and traffic, sending only legitimate traffic to your website.
While other options below have premium upgrades available, this is the only strictly premium option I’ve featured on this list. Based on my personal experience and the research for this post, Sucuri is a a trusted brand many bloggers and other WordPress professionals trust to handle their security.
If you’re interested in this service, I’d recommend thinking big picture before buying though. For example, many managed WordPress hosts already partner with Sucuri and if you buy their service the Sucuri service is included.
WordPress Simple Security Firewall
Price: FREE | More Information
WordPress Simple Security Firewall is a new WordPress security plugin growing in popularity. Their reason for creating the plugin grew out of a frustration with the current WordPress Security Plugin status quo. Particularly the way other such plugins deal with WordPress’ .htaccess file.
WordPress Simple Security Firewall promises to keep your site as safe as possible without “frying it” due to unnecessarily altering of your .htaccess file. So far, users really seem to be liking it. If you’re interested in learning more about their approach you should check out their post series “Why We Built It”.
All In One WP Security & Firewall
Price: FREE | More Information
All In One WP Security & Firewall is has definitely grown in the last few years to be one of a handful of top, dominating, WordPress Security Plugins. They offer a comprehensive array of features that are all designed to help harden your WordPress security as much as possible; a primary one being their firewall feature.
The All In One firewall has features ranging from basic, to intermediate, to advanced. All of which are designed to stop malicious code from ever being processed by your site. Once installed you will be able to easily configure them from the WP Admin menu options.
Price: FREE | More Information
NinjaFirewall is a web application firewall designed to sit between the web and your WordPress installation. It will “hook, scan, sanitize or reject any HTTP / HTTPS request sent to a PHP script before it reaches WordPress or any of its plugins”.
Price: FREE | More Information
Wordfence has proven itself over the last few years to be a complete WordPress Security Monster. And I mean that in the best way possible. As a free WordPress Security Plugin it offers an outstanding service with a wide array of features. Of which, a great firewall is but one.
The Wordfence firewall is designed to block common security threats like fake Googlebots, malicious scans from hackers and botnets–all which can cause major headaches and (even if they don’t take down your website) hurt its search rankings and more.
Price: FREE | More Information
Another popular WordPress Security plugin is BulletProof Security. Again, like a few of the others above, they offer a wide variety of security options. BulletProof proudly states that their plugin will protect you from “100,000’s” of different WordPress attacks–which is nice, you know, since that many exist in the first place.
Based on their description of it, the BulletProof security firewall takes the inspection route we defined above. It has a database of attack patterns that it matches against incoming data. When malicious patterns are detected it blocks that data from reaching your WordPress site.
WordPress security is not to be taken lightly. Firewalls are a great way to add an extra layer of hardening to your security efforts. Thankfully, there are plenty of tools and/or services to help the average WordPress user in terms of both broad security and specific actions–like enacting an effective firewall.
Any of the tools/services above should serve to protect your WordPress site well, but of course everyone will have their own needs and preferences to consider. If you’ve used one or another of these tools/services we would love to hear about your experiences in the comments below and help the rest of the community here make the most informed decisions possible.
Have you ever had your WordPress site hacked and did you have to pay somebody to restore it? It’s a bit of a mare when your website gets hacked. Most security specialists will charge you a premium to restore your site but they won’t tell you what’s involved. Shhhhh – it’s a secret!
We’re different so I’d like to share our 22-step plan on how to restore a hacked WordPress site so that you can see exactly what we do and how much effort it takes.
I love it When a Plan Comes Together:
- zip up the entire remote site files and download to local
- wipe the remote root folder (everything goes)
- Change FTP, cPanel, email account and MySQL passwords
- unzip local site and scan for any malware using, say Norton IS or SpyBot
- search all the local site file contents for terms such as preg_replace(“/.*/e” and base64_decode
Note: there are legitimate uses base64 decoding. What you are looking for are a large number of hex or escape strings
- do a windows search across the local folder for timthumb.php – if found – you need to scrap the plugin and find an alternative – read why timthumb.php is evil !!
- check that your .htaccess file hasn’t been compromised and check that there are no other .htaccess files in any other folder (windows search)
- create a new separate root folder and unzip latest wordpress version there
- copy your wp-config.php fom the old site over to the new folder
- change your DB_PASS and your secret keys (leave wp_ table prefix for now)
- upload new clean bare WP to remote site
- login to WordPress and immediately change all user passwords – try to use random password generator like http://www.thebitmill.com/tools/password.html and bump the characters up to 12 or 16
- install “WordFence” or “BulletProof Security” firewall plugins
- if you don’t want to install a full firewall plugin (whaaat are you nuts? Your site just got hacked!) at the very least install “Limit Login Attempts” plugin and set to 3 attempts
- install “WordPress Security Scan” plugin. Remove meta generator tag and rename DB prefix from wp_ to something else
- create a new administrator user. Hint: don’t call it Admin, Sys, System, Administrator, Operator, WordPress or anything like that
- delete the old administrator users making sure the posts/pages are inherited by the new administrator user created in the previous step
- now you have a working and secured core WP installation
- reinstall all the plugins from the Admin Dashboard and reactivate them if WP has already had them deactivated. The settings should be already stored in the DB
- upload / ftp your theme to the live server and reactivate the theme. Theme settings should be picked up from the DB but I’ve had instances where you have to set up menus again – bad theme!
- last to upload / ftp is your wp-content/uploads (and any other non-WP folders in there after checking they are OK and contain only the correct media)
Note: this is a favoutire place for hackers to store their .php or .cgi scripts sometimes named “cache”
- I recommend using xcloner as a backup tool and setting up a cPanel crontab job to perform your backups. Either ftp them to another site or purchase an Amazon S3 storage bin – it’s ultra cheap
Depending on how familiar you are with WordPress and hosting control panels and how many plugins and uploads a site has, this process is very time consuming. Restoration time depends on how many files make up your website as they all need to get checked.
Has your WordPress site been hacked recently? Tell us your story.