Even though some people will tell you that WordPress is insecure, you should know that the core of WordPress is one of the most secure open source content management systems there is today.
Even the latest hack attempts were not targeted to the software itself. It was an attack by sending brute-force password hack attempts for default users names and weak passwords. So make sure you don't use admin as your administrator username and have a good strong password. If you want to learn more about those attacks, read WordPress Security Attacks and Solutions.
To secure your site there is one plugin that I highly recommend. It will check and monitor your WordPress website, it's called Wordfence.
Wordfence Security Plugin
Wordfence is free and you can get it for your WordPress security by following these steps:
- Sign in to your WordPress website.
- Go to your “Plugins” menu and click “Add New”.
- Enter “Wordfence” in the search box.
- Install Wordfence and set your options.
To set the Options, go to the Wordfence plugin options choice.
In the settings screen you get large screen with a lot of options!
Start with the basics and set your email address and the option on How does Wordfence get IP's. Save the changes.
Now lets see what else you need to set, most of the options can remain as offered by the standard installation.
There are only a few things that I change:
- Disable the Life Traffic View options
- Set Scan theme files and plugins files against repository to enabled
- Enable the Firewall rules and set the block fake crawlers option to active
- Under Other Options put in your own IP address to the Whitelist
- I choose not to set the option to Participate in the Wordfence Security Network, but that is just my personal choice
Save all the options you have set, and run a first scan.
Working with WordPress Security Alerts
After the scan is complete you will get some WordPress security notifications, especially if you have the option active to scan plugin files against the repository.
You have several options on how to proceed with this notification.
It depends on the severity of the problem and on what kind of file it is.
In this case I only check to See how the file has changed to make sure it is just a minor change, if that is the case I choose to Restore the original version of the file. Wordfence will then get the file from the repository and overwrite your current file.
Most of these kind of notifications will be around readme files, so no problem there. After the check, do the restore to prevent a new notification next time the scan runs.
Since I do run Dutch websites I also get errors on language settings, in that case I will choose to Ignore until the file changes.
Check out the options and see if you want to use by the options mentioned before and run a scan on your own site. You will see that Wordfence will monitor your site and scan it once a day (free version) and send you an notification if somethings changes.
I even got a Warning: * Your DNS records have changed notification today after my hosting company replaced some servers and had to change the IP addresses…
So this Wordfence plugin sounds great, but is there a down side to it?
Yes there is, but its minor. It has to do with the database tables it uses. As you can see they can grow pretty large.
Here are the same tables after optimization with the WP-Optimize Plugin.
Still pretty large right? I did not see any performance problems though and I do think that these tables will improve over time.
Nothing to worry about directly, but certainly something to look out for and do preventive maintenance on your database. You can also choose to not back-up these tables if you run into trouble with your back-up files.
Despite this drawback I do recommend your install, configure and use Wordfence to secure your WordPress website!