As of 2024, around 810 million websites use WordPress, making it the most popular content management system (CMS) in the world. The fact that over 43% of websites are built on WordPress isn’t what makes it prone to hacking. One of the main reasons WordPress sites get hacked is neglected core file, plugin, and theme updates. To keep your WordPress site secure, it’s important to follow basic security practices, including installing a reliable security plugin. WordPress is safe to use provided you follow those practices.
For a security plugin, I highly recommend Wordfence, which I’ve been using since 2015. Wordfence includes a firewall and malware scanner designed to protect WordPress websites and is currently installed on over 4 million websites. This is not to say that Wordfence is absolutely the best security plugin for your website. Like all plugins, it does come with its flaws, such as a firewall that can be overly aggressive at times and lock you out of your own site.
As for protecting your site from all bad actors, I don’t know of any plugin that’s capable of that level of security. If there were, then no site would ever get hacked. No website is “hack-proof.” If it were at all possible to make a website, or ANYTHING using the Internet, hack-proof, you wouldn’t be hearing about websites like Target, Chase, Google, government websites, and countless other large corporate sites being hacked and/or compromised.
When it comes to security plugins, you have a lot of options, depending on your needs, such as the size and purpose of your website. What will work for a small to medium-sized site will most likely not work for a large eCommerce site with a lot of traffic. While there are other security plugins available, Wordfence has consistently met my expectations for going on a decade. As with all WordPress plugins, if they don’t live up to expectations I certainly wouldn’t recommend them.
Wordfence Free vs Premium
Wordfence provides a free version of its plugin and a premium version. They also have other programs available that may suit your website security needs.
The free version will give your website a good level of protection, and is suitable for small to medium-sized websites. The scanner protects your site from threats, though it doesn’t check the database, and new firewall rules get updated 30 days after the premium version. If you do happen to need them to clean up malware or malicious code on your site, you’ll need to upgrade to premium.
While the free version is great for basic security needs, the premium version provides enhanced features and peace of mind for website owners.
The benefits of the premium version of Wordfence include the Country Blocking feature, which allows you to restrict access to your website from specific countries. This can be extremely useful in preventing malicious activity and targeted attacks. Additionally, the premium version offers advanced scanning options, real-time firewall rules, and priority support.
Then there’s the very important matter of login protection. Hackers frequently attempt to gain access to the admin area by employing automated programs that guess usernames and passwords through brute force attacks. Hence, it is crucial to avoid using easily guessable passwords (e.g. words that can be found in a dictionary, or your name), and refrain from using “admin” as your username. Admin is the username that is automatically used by default when installing WordPress, so be sure that you change the “admin” username before you launch your new site. It can be changed afterward in the database, but taking care of this matter beforehand is easier. Also avoid reusing the same login credentials across different platforms.
Wordfence addresses this concern by providing default brute force protection settings within its firewall section. Moreover, you have the flexibility to customize settings such as lockouts for incorrect login attempts, the number of login attempts allowed per user, and the duration of user lockouts. Personally speaking, I tend to set the lockout period for days… or even weeks. But that’s mainly because I have a lot of websites to maintain and a long lockout period buys me some time.
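To see how the three settings described above interact (allowed failures, the window in which they are counted, and the lockout duration), here is an added example that replays a constructed access log through a simple lockout policy. It is not Wordfence's code or part of the original article; the function and parameter names are hypothetical, and it assumes combined-format logs in which a failed `wp-login.php` POST returns 200 and a successful one redirects with 302.

```python
import re
from datetime import datetime, timedelta

def _line(ip, hms, method, path, status):
    return f'{ip} - - [12/Mar/2024:{hms} +0000] "{method} {path} HTTP/1.1" {status} 4521'

# Constructed sample log (documentation-range IPs, not real traffic):
# one bot bursting twice an hour apart, one user who mistypes a password once.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(1, 9)]
    + [_line("198.51.100.20", "10:01:00", "POST", "/wp-login.php", 200),
       _line("198.51.100.20", "10:01:30", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "10:02:00", "GET", "/", 200)]
    + [_line("203.0.113.7", f"11:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(1, 7)]
)

LOGIN_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def parse_logins(log):
    """Yield (ip, timestamp, failed) for every POST to wp-login.php."""
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            # Assumption: 200 = login form shown again (failure), 302 = success.
            yield m.group(1), ts, m.group(3) == "200"

def simulate_lockouts(log, max_failures=3, window=timedelta(minutes=5),
                      lockout=timedelta(hours=4)):
    """Return per-IP counts of lockouts, blocked requests and evaluated guesses."""
    failures, locked_until, report = {}, {}, {}
    for ip, ts, failed in parse_logins(log):
        stats = report.setdefault(ip, {"lockouts": 0, "blocked": 0, "evaluated": 0})
        if ip in locked_until and ts < locked_until[ip]:
            stats["blocked"] += 1        # rejected before credentials are checked
            continue
        stats["evaluated"] += 1          # this guess actually reached the login check
        if not failed:
            failures.pop(ip, None)       # a successful login clears the counter
            continue
        recent = [t for t in failures.get(ip, []) if ts - t <= window] + [ts]
        failures[ip] = recent
        if len(recent) >= max_failures:  # threshold reached: start a lockout
            locked_until[ip] = ts + lockout
            failures[ip] = []
            stats["lockouts"] += 1
    return report

if __name__ == "__main__":
    for minutes in (20, 7 * 24 * 60):
        print(minutes, simulate_lockouts(SAMPLE_LOG, lockout=timedelta(minutes=minutes)))
```

With a 20-minute lockout the bot gets six guesses evaluated across its two bursts; with a 7-day lockout it gets three, while the user who mistyped once is never locked out in either case.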
Why Would a Hacker be Interested in Your Website When You’re not Collecting Credit Card Information?
Sometimes hackers carry out targeted or focused attacks, such as on sites that contain credit card information, government secrets, or control infrastructure. You may think that your website is too small for hackers to care about, but keep in mind that hacking attempts are not personal; it’s a matter of “an opportunity” to make some money. Sometimes hackers just want to redirect your website to one of their own websites that generates income for them.
Most hacking attempts are automated and don’t differentiate between small personal websites and large corporate websites. They use bots to search out vulnerabilities, which are easy to find on your site when you’re not properly maintaining it.
Why leave the doors to your website unlocked and wide open for hackers to waltz on in and wipe out everything you’ve spent a considerable amount of time and money building up over the years?
This is where a plugin like Wordfence can help protect your online property.
Wordfence Security For WordPress Sites
Wordfence is one of several security systems for WordPress and should be used in conjunction with other security measures. Of all the security plugins that I’ve used, this one has become my “weapon of choice” when it comes to protecting a WordPress site.
Wordfence stops hackers from exploiting vulnerabilities, blocks automated attacks from bots, and even protects your own users from reusing passwords involved in data breaches.
If you’re on one of my Website Maintenance Plans, then I’ve already installed Wordfence on your site. And, since you are on a maintenance program, I’m having the warning emails sent to me so that I can quickly investigate and help resolve any issues.
If I’m in the process of designing your new WordPress site, the free version of Wordfence is being installed. You can always upgrade to their paid version if you want extra security, along with a Country Blocking feature. However, if you’re not on a maintenance plan it will be up to you to take care of any warnings and notices that will be emailed to you via Wordfence once your new site is launched.
If you’re installing the plugin yourself (instructions provided in the video below), once installed and configured, run your first scan. If there are any problems, or warnings, you’ll see exactly what they are and you’ll then be provided with options as to what to do about said warning(s). Take prompt action to address these concerns and ensure the security of your website. Hopefully, you won’t hit that “ignore this for now” option. Unless, of course, you know for sure that it’s safe to do so.
Bottom Line: Be Proactive
You’ve put a lot of time, money and energy into growing your business and building your online reputation. You may have also invested a good chunk of money into promoting your website, and have been keeping it fresh and up-to-date. Don’t let all of your efforts be destroyed in a New York minute by an opportunist hacker!
Protecting your website from hackers is crucial in today’s digital landscape. By installing the Wordfence Security Plugin, you can proactively safeguard your website from potential threats.
Additional Resources Regarding Website Security
Do you have any malware on your site right now? You can check by using Sucuri’s free website security check and malware scanner. Enter your URL and Sucuri SiteCheck scanner will check your website for known malware, viruses, out-of-date software (which you will not have if you’ve been maintaining your website), and malicious code.
There are also websites that you can use to find out if your email, or phone number, has been compromised in a data breach. The most popular and oldest one is Have I Been Pwned.
This Wordfence Security Plugin Tutorial 2023 | Step-by-Step Setup Video provides you with instructions on how to install and set up the free version: