Securing Your WordPress Blog for Rankings, Revenue & Reputation
:: By Travis Bliffen, Stellar SEO ::
WordPress sites are a primary target for hackers.
Those who haven’t already taken precautions against certain attacks, run a high risk of leaving vulnerabilities open to hackers. A compromised site can impact revenue, reputation and even rankings. Google, for instance, gives users a warning, "this site may be hacked" in the search engine result pages - signaling to users to proceed with caution (if at all). There should be little doubt that this label can be detrimental to a company's SEO efforts and that consumers will not feel comfortable conducting business there.
What's even worse, however, is that nearly anyone can create a breach in a WordPress site. Just download one of the numerous scripts available on the Internet, and run it on any WordPress site you want to scan. To protect your site, you have numerous plugin and scanner options. Two popular options are Sucuri and WordFence. Let’s take a look at the pros and cons of each to help you decide if either of these products is right for you.
What Makes WordPress a Target?
Before we get into the two plugins, let’s take a look at what makes your WordPress site more vulnerable than a custom-coded site.
WordPress itself is typically safe. The developers release a new version and updates several times a year, so the core code is regularly changed to adapt to new security requirements. As long as you log in to your WordPress dashboard regularly, you know when a new update is available to protect from new threats.
What makes WordPress more vulnerable is the plugins that you download. WordPress does not have a stringent code review process when a developer uploads to the repository. As long as the code works, WordPress accepts the submission. The WordPress Codex site is filled with poorly coded plugins that don’t have the necessary code structure to protect a site owner from certain cyber threats. In some cases, the plugin writer leaves a backdoor to gain access to sites that use the plugin. Whether intentional or not, poorly coded plugins make a site as a whole vulnerable to possible backdoors and security breaches if the site owner doesn’t understand penetration testing.
The biggest opened vulnerability is SQL injection. Many new developers (and even experienced ones) build SQL strings within their plugin code. If these strings aren’t validated first, the plugin could be vulnerable to cyber threats. SQL injection is a threat that takes advantage of malformed SQL statements and runs malicious code against the database server. It’s one of the most common threats, and it can be scripted against specific WordPress plugins.
The second most popular vulnerability is denial-of-service (DoS). More advanced versions of DoS are distributed denial-of-service (DDoS). Both of these attacks crash your site. DoS/DDoS flood the server with spoofed packets. The result is that your server’s resources can’t handle the traffic requests, and the server crashes. It’s not just WordPress sites vulnerable to these attacks. Custom coded and other out-of-the-box solutions are also at risk.
Another possible vulnerability includes poorly secured login scripts that leave your credentials vulnerable to brute force attacks. Brute force attacks occur when a hacker iterates through dictionary terms in an effort to “guess” your password. Attackers can download free scripts that brute force the login prompt for the administration panel.
Other attacks threaten WordPress sites, but we focus on these two threats due to the plugins that we’re about to discuss. These two threats are the most common, and WordFence and Sucuri help protect against them. You can find both of these plugins through your WordPress plugin dashboard and install them.
WordFence: Protection from Brute Force Attacks
First, let’s take a look at WordFence. WordFence takes care of brute force attacks on your admin dashboard login as well as DoS attempts. You might be surprised at the amount of attacks you’ll see once you add WordFence and start tracking. Even a low traffic volume site sees brute force hack attempts on the WordPress admin login page. Always have a good password configured, and you might even want to change the admin’s user name for additional protection.
Take a look at what a brute force attack looks like in the WordFence control panel.
This screen capture was taken from a small blog site with only a few dozen visitors a day, which is not a lot of traffic compared to popular sites. You can see that it’s a brute force attack by the short time frame between each login attempt. The login attempts are also from the same IP one after the other. This is a classic brute-force to gain access to the WordPress admin dashboard. Had WordFence not been installed, this attacker could just continue without the site owner’s knowledge until he succeeded. This is just one of several attempts this blog owner defends against every day.
Aside from the obvious brute force protection, WordFence has several other benefits. You can scan your site similarly to the way Sucuri scans a site. You can schedule scans and automate the process, so it’s a “set it and forget it” penetration testing tool. If the scan finds any issues, you’re notified in the control panel and through email.
WordFence has a number of options. What’s available to you depends on whether or not you have a premium membership. For instance, if you want to know if your site is generating spam or block comment spam, you need to upgrade to the premium version. The premium version is $23.00/year, which is much cheaper than Sucuri.
With just out-of-the-box settings, WordFence immediately starts throttling login attempts. You can manually block IPs or set a threshold for blocking. For instance, after 10 failed attempts, lock the IP for a set amount of time. Remember from the image that brute force attacks are detected when numerous login attempts occur in a short amount of time. This type of activity is what you use to set your WordFence settings.
You can even block by country. For instance, a blogger in the U.S. who never travels to China isn’t blocking important traffic if Chinese IPs are blocked. Most bloggers block countries where cyber threats are common. China and Russia are two countries that you should block if you don’t see a need to ever log in from those locations.
Another good reason to block by country or IP is to secure the site from DoS attacks. WordFence protects from DoS, which is a form of attack that floods your site with spoofed traffic. Most WordPress owners don’t know it’s happening until the site slows and crashes. With WordFence, you can throttle the number of visits from any country or IP and stop an attack before it happens.
You set these rules in WordFence’s options section.
Notice that the first option is to block fake Google traffic. This is important since many scrapers and malicious scripts spoof Google’s useragent or referer code.
This setting brings us to one of the “cons” or disadvantages in WordFence. These settings are great for DoS protection, but in the hands of the wrong person, they can accidentally cause crawling issues. First, Google doesn’t always send a user agent or referer code to a site to check for cloaking and blackhat type of SEO. If you happen to be crawled with one of these crawlers, you could accidentally block the bot, which can then cause ranking issues.
In other words, be careful with the firewall settings and don’t overdo the throttling.
Another disadvantage is if you forget your password. You can actually lock yourself out of your own site. If you travel and block that country, you can’t log in to your site. Although, these disadvantages are minor compared to having your admin dashboard hacked.
Sucuri: Scan Your Site for Hacked Content
Although WordFence has penetration testing and scanning capabilities, nothing beats Sucuri when it comes to identifying malicious code. If you pay for their premium version, they’ll even help you remove it.
Sucuri has a plugin, but you can also do a quick scan on your site without installing anything. This is one advantage over WordFence, since you can basically test the product without installing anything first.
We did a quick scan of a site, and it looks like Sucuri gave us a green light. It did detect that the site had no firewall installed.
Let’s take a look at the interface for the plugin.
As you can see, Sucuri has a much more in-depth scan compared to WordFence. The firewall section overlaps with WordFence, so having both options active in WordPress is probably overkill. However, several of these options are beneficial for numerous reasons.
Another common hack is a conditional redirect. When you directly access your site, you see the site content just fine. However, when a user searches your site in Google, they are redirected to another site when they click on your link. This is called a “referer hack” or a “conditional hack.”
Sucuri detects several forms of these types of compromised content in a much better way than WordFence.
Let’s take a look at a compromised site.
The disadvantage of Sucuri is the price. Not every blogger starting out has plenty of startup capital. Most bloggers have a limited budget, so the $199/year for just a basic plan is a bit much. If you’re an e-commerce store, the price goes up to $299.99/year.
The cost may seem high, but if you have the budget, you should at least sign up for the basic plan. Sucuri not only scans your site, but premium site owners get the advantage of support. Sucuri helps you clean up the site if you’re hacked. If you’re already hacked, you might not have a choice but to pay to have the site cleaned up. Some exploits allow access to more critical files and even elevates user privileges. A hacked site is definitely something you should consider a priority even if it doesn’t seem to affect users.
One advantage of Sucuri over WordFence is that Sucuri supports several platforms and not just WordPress. WordFence is specific to WordPress, but Sucuri can scan any open or closed source application. It also scans other out-of-the-box solutions such as Joomla and Drupal. Custom websites built in PHP or .NET can also use Sucuri. In other words, if you have several sites that aren’t using WordPress, you have a tool that protects them without buying additional scanning software.
Sucuri also works with SSL compliance. SSL is the certification that allows your site to use HTTPS. Google even announced that it’s made SSL/TLS a minor ranking factor in its algorithm. WordFence is more of a DoS and brute force attack protection plugin, so SSL is not a part of its features. If you take any credit card numbers or private information from your visitors, you should have SSL installed.
Which One Should You Use?
WordFence and Sucuri target different markets, so you should use both. WordFence protects your site from brute force password hacks, and Sucuri scans the site for vulnerabilities. Premium Sucuri users can even have their site cleaned if they get hacked. For the price, though, a new blogger might just want WordFence to start off and then invest in Sucuri later.
Still not sure? Here’s a breakdown of who we think wins for each feature.
Whatever you choose, it’s important to choose at least one of these security plugins. They can stop numerous hack attempts, and WordPress is a major target for hackers. Don’t implement security after you’ve been hacked. Install a security plugin now.
Travis Bliffen is the founder of Stellar SEO, a Web design and marketing firm located in Marion, IL. Travis and his team are equipped to handle any size SEO project and have helped numerous businesses to date build a rock solid online presence. When you are ready for more leads and sales, it is time to get #stellarized. Connect on Facebook or Twitter @theseoproz