Security in WordPress: how to protect your website from attacks

WordPress is used as a content management system by over 30% of websites worldwide. It is not spared targeted or mass attacks that seek to harm the site's operator, abuse the compromised website to spread threats, or make money for the attacker. How can I protect my site from such attacks?

WordPress and similar content management systems have a common denominator: users install plug-ins and third-party extensions into the system. This makes it practically impossible to guarantee the security of the entire code base, and the system becomes more vulnerable to attacks from outside.

In our previous articles, we've already mentioned several tips that will help you make your site more resistant to attacks. Now we will look at a security solution that you should have installed on a site built with WordPress.

Read more tips on how to improve your site's security:

Find out How to secure WordPress without plugins, by using the .htaccess file and how to increase security of your website by Changing the URL of the login page.

1. Free antivirus, firewall and malware search – Wordfence

Wordfence Security is the most popular addon for WordPress, and there are several reasons for that. It works much like antivirus software for computers and can effectively protect the website from hacker attacks, including brute-force attacks and attacks on plugins that contain a security hole. All this happens in real time, with regular checks that report potential risks and defense options. It is available both for free and in a paid version. Let's have a look at the free version, which provides enough features to increase website security.

  1. In the WordPress administration, in the left column, click on „Plugins“ > „Plugin installation“.
  2. Enter „Wordfence Security“ into the search bar.
  3. Click „Install“.
  4. Activate by clicking the „Activate“ button.

You will now see a „Wordfence“ item in the left column of the web administration. When you open it, you will see a window where you enter the e-mail address to which security warnings will be sent. You can skip entering a license key; it applies only to the Premium version.

Wordfence is running now. The plugin will perform its functions even without any more detailed settings.

2. Security of templates and add-ons? Rely on automated checks. 

Automated checks are one of the advantages of Wordfence. They continuously check the status of the installed plug-ins and alert the webmaster to possible threats. Updates of addons and templates are checked, that is, whether the latest version is installed. The consistency of plugins is also checked: whether any of their components have been altered and whether they contain malicious code.

  1. In the left column of the administration, click Wordfence and select „Scan“.
  2. Run a new test by clicking „Start new scan“ or look directly at the results.
  3. The scan runs, and the results with suggested solutions appear further down the page.

Wordfence serves very well as a means of preventing repeated attacks on the website, deletion of the site's content, or redirection of visitors to another site.

The free version runs checks every 24 hours. More detailed checks are performed every 72 hours. However, scheduling of the checks is only available in the paid version.
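The consistency check described in this section (have a plugin's files been altered?) can be illustrated with a small file-integrity comparison. This is an added example, not Wordfence's own code: it assumes a locally stored baseline of SHA-256 hashes taken after a clean install, and the plugin name and files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_to_baseline(baseline, current):
    """Classify differences between a known-good manifest and the live tree."""
    shared = baseline.keys() & current.keys()
    return {
        "modified": sorted(f for f in shared if baseline[f] != current[f]),
        "added": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
    }

def demo():
    """Build a constructed plugin directory, change it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "example-plugin"   # hypothetical plugin name
        (plugin / "inc").mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php // main plugin file\n")
        (plugin / "inc" / "helpers.php").write_text("<?php function helper() {}\n")
        (plugin / "readme.txt").write_text("Example plugin\n")
        baseline = hash_tree(plugin)            # manifest taken after a clean install

        # Simulated changes: one file altered, one unexpected file, one removed.
        (plugin / "inc" / "helpers.php").write_text("<?php function helper() {} // changed\n")
        (plugin / "inc" / "cache.php").write_text("<?php // not part of the release\n")
        (plugin / "readme.txt").unlink()
        return compare_to_baseline(baseline, hash_tree(plugin))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Any entry under "modified" or "added" is a file to review by hand or to replace with a fresh copy of the plugin.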

3. Login protection and blocking of suspicious IP addresses

Wordfence automatically detects and can block IP addresses that repeatedly fail to sign in to the site within a short time. Such behavior is indicative of so-called dictionary attacks. The system can block suspicious addresses, often originating from Russia and Asia, and prevent their further access to the server.

If a user with access to the administration gets blocked, they can be unblocked manually using a link sent to the administrator's e-mail.

4. Live server operation overview

Wordfence allows you to monitor live server traffic. Users currently on the site can be tracked much like in Google Analytics. However, you will see all requests to the server, including crawlers and search engine bots.

How do I track server traffic live?

  1. In the WordPress administration, in the left column, click on Wordfence and select „Tools“.
  2. Click the „Live Traffic“ tab.
  3. You will see a live log with IP addresses and information about the type of visit. The overview shows whether the visitor is a living person („Human“) or a robot („Bot“).
  4. Click an entry to see its details and find out more information about the IP address. You will be able to block it if necessary.

You can adjust the plugin's settings in two places, if necessary. The policy settings, e.g. when to notify the administrator, are in „Wordfence Global Options“.

Detailed settings can be found under „All options“. There you can change the form and frequency of regular e-mail reports, or set up protection against brute-force attacks. You can also choose after how many unsuccessful attempts a user will be blocked or locked out. We recommend such changes only to experienced users, at their own risk.
