Protecting Your WordPress Site From Exploits

Securing a website on the WordPress platform is no longer as expensive, time-consuming, or complicated as it used to be. Below we’ll go over some of the best security plugins for your WP site, followed by a few quick recommendations for building the perfect WordPress website.

1. Wordfence Security

One of the most highly rated security plugins for WordPress, hands down, and currently the most downloaded plugin in the repository. Wordfence recently expanded its free security suite into enterprise-class territory by adding a built-in web application firewall and its Falcon caching engine, which vastly improves website load time. You can also purchase their premium API for country blocking, scheduled web scans, password auditing, and checking your website’s IP address for spamming activity.

2. Sucuri Security

This security tool integrates site monitoring, security hardening, and malware detection, which makes it a perfect complement to the first plugin mentioned. When it comes to exploits, Sucuri lets you check file integrity through malware scanning and blacklist monitoring, all of which can be scheduled in advance. Sucuri also offers a firewall add-on for those not running it alongside Wordfence’s built-in firewall.

3. Exploit Scanner

Exploit Scanner is completely free and can be used as a gauge for detecting possible exploits in the posts and comments tables of your database; it will additionally check all activated plugins. After a scan, it reports its findings by threat level. Since exploit scanning picks up many false positives, sorting by the highest threat level helps speed up the manual review.

One example is finding instances of eval(), a function that evaluates and executes a string as code. This may be an indicator of a hack if you find long strings of encrypted-looking data that seem out of place; it is wise to follow up and research where necessary to confirm that the code is safe.
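The triage idea above (start the manual review with the highest threat level, because plain eval() hits include many false positives) can be reproduced with a few lines of shell. The script below is an added example and is not part of the post or of the Exploit Scanner plugin; the sample wp-content tree it builds is constructed, the `base64_decode`/`gzinflate`/`str_rot13` list is a simple heuristic for obfuscated loaders, and the HIGH/MEDIUM labels are this example's own, not the plugin's threat levels.

```shell
#!/bin/sh
# Added example (not from the post or any plugin): find eval() calls in PHP
# files under a WordPress tree and sort them by a simple threat heuristic, so
# the manual review starts with the riskiest hits.

# make_sample_site DIR: build a small CONSTRUCTED wp-content tree with one
# legitimate-looking eval(), one eval() wrapped around base64_decode(), and
# one clean file. "aGVsbG8gd29ybGQ=" is just base64 for "hello world".
make_sample_site() {
  dir="$1"
  mkdir -p "$dir/plugins/good" "$dir/plugins/suspect" "$dir/themes/t"
  printf '<?php\n// template compiled at runtime (constructed stand-in)\neval("return 1+1;");\n' \
    > "$dir/plugins/good/compile.php"
  printf '<?php\n$p="aGVsbG8gd29ybGQ=";\neval(base64_decode($p));\n' \
    > "$dir/plugins/suspect/loader.php"
  printf '<?php\necho "clean";\n' > "$dir/themes/t/index.php"
}

# scan_evals ROOT: print "LEVEL<TAB>file:line:content" for every eval( in a
# .php file. HIGH = eval combined with a decoding/obfuscation function on the
# same line (the classic encoded-loader pattern); MEDIUM = any other eval(,
# which still deserves a look but is frequently a false positive.
scan_evals() {
  root="$1"
  find "$root" -type f -name '*.php' -exec grep -Hn 'eval *(' {} + 2>/dev/null |
  while IFS= read -r hit; do
    case "$hit" in
      *base64_decode*|*gzinflate*|*gzuncompress*|*str_rot13*|*strrev*) level=HIGH ;;
      *) level=MEDIUM ;;
    esac
    printf '%s\t%s\n' "$level" "$hit"
  done | sort   # "HIGH" sorts before "MEDIUM", so the worst hits come first
}

# count_level ROOT LEVEL: number of hits at a given level (used for reporting).
count_level() {
  scan_evals "$1" | grep -c "^$2" || true
}

# Usage: sh eval_triage.sh /path/to/wordpress
# With no argument nothing is scanned; the functions are just defined.
if [ -n "${1:-}" ]; then
  scan_evals "$1"
  printf 'HIGH: %s  MEDIUM: %s\n' "$(count_level "$1" HIGH)" "$(count_level "$1" MEDIUM)"
fi
```

Run it against the real tree once in a while (or after a scanner flags something) and work down from the HIGH lines; a long base64 blob handed to eval() inside a plugin that never needed it is the case worth investigating first, while an eval() in a templating library is usually the false positive the post warns about.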

As for further recommendations, here are a few things to remember:

  • Always back up your files. That means your database SQL file and your WordPress installation via FTP. You may want to use automation to transfer scheduled backups to an off-site location.
  • Set the permissions on your /wp-content/uploads/ directory to writeable. If you’re using a caching plugin, do the same for your cache directory via FTP. All other files and directories should be set to read only.
  • Uninstall and delete any plugins that you don’t need or that are currently disabled. These are often the source of exploits.
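The permission rule in the second point (uploads and cache writeable, everything else read only) is easy to state and easy to get wrong by hand, so here is an added shell example that applies it to a WordPress tree and then audits the result. It is not from the post; it assumes the WordPress root is the first argument, that the writable upload area is `wp-content/uploads`, that an optional second argument names the caching plugin's cache directory, and it interprets "read only" as mode 0444 for files and 0555 for directories (the writable areas get 0644/0755). The sample tree the test builds is constructed.

```shell
#!/bin/sh
# Added example (not from the post): enforce "uploads and cache writeable,
# everything else read only" on a WordPress tree, then list anything that is
# still writable where it should not be.

# is_allowed PATH ROOT [CACHE]: succeed when PATH lies inside a directory that
# is supposed to stay writable (wp-content/uploads or the optional cache dir).
is_allowed() {
  p="$1"; up="$2/wp-content/uploads"; cache="${3:-}"
  case "$p" in "$up"|"$up"/*) return 0 ;; esac
  if [ -n "$cache" ]; then
    case "$p" in "$cache"|"$cache"/*) return 0 ;; esac
  fi
  return 1
}

# open_dir DIR: owner-writable directories (0755) and files (0644) under DIR.
open_dir() {
  [ -d "$1" ] || return 0
  find "$1" -type d -exec chmod 0755 {} +
  find "$1" -type f -exec chmod 0644 {} +
}

# harden_perms ROOT [CACHE]: make the whole tree read only, then re-open only
# the upload directory and the cache directory (if given).
harden_perms() {
  root="$1"; cache="${2:-}"
  find "$root" -type d -exec chmod 0555 {} +
  find "$root" -type f -exec chmod 0444 {} +
  open_dir "$root/wp-content/uploads"
  if [ -n "$cache" ]; then
    open_dir "$cache"
  fi
}

# audit_writable ROOT [CACHE]: print every path with any write bit (owner,
# group or other) that is outside the allowed writable areas. Empty output
# means the tree matches the rule; a 0777 plugin file, for example, shows up.
audit_writable() {
  root="$1"; cache="${2:-}"
  find "$root" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print |
  while IFS= read -r p; do
    is_allowed "$p" "$root" "$cache" || printf '%s\n' "$p"
  done
}

# make_sample_tree DIR: CONSTRUCTED miniature WordPress layout for trying the
# functions out, including one world-writable plugin file the audit must flag.
make_sample_tree() {
  d="$1"
  mkdir -p "$d/wp-content/uploads/2024" "$d/wp-content/cache" "$d/wp-content/plugins/example"
  echo '<?php // constructed stand-in for wp-config.php' > "$d/wp-config.php"
  echo 'constructed image bytes' > "$d/wp-content/uploads/2024/photo.jpg"
  echo 'constructed cache entry' > "$d/wp-content/cache/page.html"
  echo '<?php // constructed plugin file' > "$d/wp-content/plugins/example/example.php"
  chmod 0777 "$d/wp-content/plugins/example/example.php"
}

# Usage: sh wp_perms.sh /var/www/html [/var/www/html/wp-content/cache]
# With no argument the functions are only defined and nothing is changed.
if [ -n "${1:-}" ]; then
  harden_perms "$1" "${2:-}"
  echo "Still writable outside uploads/cache (should be empty):"
  audit_writable "$1" "${2:-}"
fi
```

Run `audit_writable` on its own first to see what the tree looks like today; it is read-only and safe to run at any time. Note that with everything at 0444/0555 WordPress cannot update itself or its plugins from the dashboard, which matches the post's rule; if you rely on dashboard updates, temporarily re-open the tree, update, and harden again.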

By using the plugins above and following these recommendations, you’ll be able to avoid the typical security issues most WordPress users face. The less time you spend on security, the more time you can devote to building and growing your website.