I’m really excited about talking to you about the topic of securing your WordPress website. This past weekend I received an email from one of my clients, who was in a bit of a panic because she had received a few hundred emails in her inbox from her website. A minor hassle at the very least! I received a copy of the email, so I immediately knew the culprit: it was a plugin I had installed on her website called WordFence, which, in the simplest description, is a plugin that helps secure your website. The email notification was letting us know that there was a user trying to log in to the website with incorrect information multiple times.
I immediately logged into the WordPress dashboard and proceeded to look at the extent of the issue through a tab on the WordFence menu titled Live Traffic. This tab is brilliant: it allows you to see real-time activity of connection attempts made to your website; the good, the bad and the ugly. From here you are able to view past activity, as well as immediately block the “visitors” that are the issue. So I viewed the log and banned the visitors that were the issue. Thank you WordFence!
Self Awareness and Learning Experience
I have to be honest, I was a bit... very embarrassed that my client received over 200 emails about a single issue. Luckily WordFence has settings that can be modified for the frequency of email notifications per hour. So after banning the offending IPs (and there were lots!), I immediately changed these settings to a more appropriate number!
Quality of Service Expectations
Once I was finished making sure my client wouldn’t be inundated with emails again, I figured I would reach out to the hosting company that was hosting her website to let them know that this attempt was happening, in case they wanted to protect the likely hundreds of other websites on the server. When you are on a shared server, the likelihood of being impacted by another website being infected/attacked/hacked increases dramatically if no security measures are taken. I submitted the ticket, because there was nobody available on the online chat (ok, it was Sunday, let’s give them a bit of a break). After a few hours I received the following “canned” email response.
So this specific website host’s stance is that unless it is an attack from within their own network of sites, they don’t care. I’m sharing this experience because I want you to know that website security is your responsibility unless it is explicitly included as part of your hosting service. The hosting company is not under an obligation to ensure your website is cleaned after being infected, is backed up properly, or is kept protected when another site on the same server is hacked and infects all of the websites on the server (there are sometimes hundreds of websites on the same server). Personally I don’t think it’s right, but if you are going to pay $5-10/month for a hosting service simply because it’s cheap, that is the quality of service you will get. There are several managed WordPress options that you can use which are more expensive, but rest assured, you will never have this problem. Flywheel is the WordPress managed host that I would personally recommend. Two of the advantages of using Flywheel are, first, that they take care of all of the WordPress core updates, and secondly, that they provide hacking and malware protection from Sucuri. So in the rare chance you do have that problem with your site while on their platform, they will fix the website for free. WPEngine and Pantheon are two other managed WordPress hosting providers that are highly recommended as well.
Steps You Can Take to Protect Your Website
Luckily there are some very quick, easy steps you can take to help protect your website. Some require a few weekly tasks, but that will be time well spent to prevent a complete loss of your website from an attack.