How to Protect Your WordPress Site from Brute Force Attacks (Step by Step)

The post How to Protect Your WordPress Site from Brute Force Attacks (Step by Step) appeared first on WPBeginner.

Do you want to protect your WordPress site from brute force attacks? These attacks can slow down your website, make it inaccessible, and even crack your passwords to install malware on your website. In this article, we will show you how to protect your WordPress site from brute force attacks.

protecting WordPress from brute force attacks

What is a Brute Force Attack?

A brute force attack is a hacking method that uses trial and error to break into a website, a network, or a computer system.

Hackers use automated software to send a large number of requests to the target system. With each request, the software attempts to guess the information needed to gain access, like passwords or PIN codes.

These tools can also disguise themselves by using different IP addresses and locations, which makes it harder for the targeted system to identify and block these suspicious activities.

A successful brute force attack can give hackers access to your website’s admin area. They can install backdoors and malware, steal user information, and delete everything on your site.

Even unsuccessful brute force attacks can wreak havoc by sending too many requests, which slows down your WordPress hosting servers and can even crash them.

That being said, let’s take a look at how to protect your WordPress site from brute force attacks.

Step 1. Install a WordPress Firewall Plugin

Brute force attacks put a lot of load on your servers. Even the unsuccessful ones can slow down your website or completely crash the server. This is why it’s important to block them before they get to your server.

To do that, you’ll need a website firewall solution. A firewall filters out bad traffic and blocks it from accessing your site.

How website firewall works

There are two types of website firewalls that you can use.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient because a brute force attack can still affect your server load.

DNS Level Website Firewall – These firewalls route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your main web hosting server while giving a boost to your WordPress speed and performance.

We recommend using Sucuri. It is the industry leader in website security and the best WordPress firewall in the market. Since it’s a DNS level website firewall, it means all your website traffic goes through their proxy where bad traffic is filtered out.

We use Sucuri on our website, and you can read our complete Sucuri review to learn more.

Step 2. Install WordPress Updates

Some common brute force attacks actively target known vulnerabilities in older versions of WordPress, popular WordPress plugins, or themes.

WordPress core and most popular WordPress plugins are open source, and vulnerabilities are often fixed very quickly with an update. However, if you fail to install updates, then you leave your website vulnerable to those old threats.

Simply go to Dashboard » Updates page in WordPress admin area to check for available updates. This page will show all updates for your WordPress core, plugins, and themes.

Updates page in WordPress admin area

For more details, see our guide on how to properly update WordPress plugins.

Step 3. Protect WordPress Admin Directory

Most brute force attacks on a WordPress site are trying to get access to the WordPress admin area. You can add password protection on your WordPress admin directory on a server level. This would block unauthorized access to your WordPress admin area.

Simply login to your WordPress hosting control panel (cPanel) and click on the ‘Directory Privacy’ icon under Files section.

Note: We’re using Bluehost in our screenshot but similar settings are available on other top hosting companies as well like SiteGround, HostGator, etc.

Directory privacy in cPanel

Next, you need to locate the wp-admin folder and click on the folder name.

Browse and locate the wp-admin folder

cPanel will now ask you to provide a name for the restricted folder, username, and password. After entering this information click on the save button to store your settings.

Password protect WordPress admin directory

Your WordPress admin directory is now password protected. You will see a new login prompt when you visit your WordPress admin area.

Login prompt

If you run into a 404 error or a ‘too many redirects’ error message, then you need to add the following line to your WordPress .htaccess file.

ErrorDocument 401 default

For more details, see our article on how to password protect WordPress admin directory.

Step 4. Add Two-Factor Authentication in WordPress

Two-Factor authentication adds an additional security layer to your WordPress login screen. Basically, users will need their phones to generate a one-time passcode along with their login credentials to access the WordPress admin area.

Enter two-step authentication code

Adding two-factor authentication will make it harder for hackers to gain access even if they are able to crack your WordPress password.

For detailed step by step instructions, see our guide on how to add two-factor authentication in WordPress.

Step 5. Use Unique Strong Passwords

Passwords are the keys to gain access to your WordPress site. You need to use unique strong passwords for all your accounts. A strong password is a combination of numbers, letters, and special characters.

It’s important that you use strong passwords for not just your WordPress user accounts but also for FTP, web hosting control panel, and your WordPress database.

Most beginners ask us how to remember all these unique passwords. Well, you don’t need to. There are excellent password manager apps available that will securely store your passwords and automatically fill them in for you.

To learn more, see our beginner’s guide on best way to manage passwords for WordPress.

Step 6. Disable Directory Browsing

By default, when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page showing the contents of the directory.

Directory index

During a brute force attack, hackers can use directory browsing to look for vulnerable files. To fix this, you need to add the following line at the bottom of your WordPress .htaccess file.

Options -Indexes

For more details, see our article on how to disable directory browsing in WordPress.

Step 7. Disable PHP File Execution in Specific WordPress Folders

Hackers may want to install and execute a PHP script in your WordPress folders. WordPress is written mainly in PHP, which means you cannot disable PHP execution in all WordPress folders.

However, there are some folders that don’t need any PHP scripts. For example, your WordPress uploads folder located at /wp-content/uploads.

You can safely disable PHP execution in the uploads folder which is a common place hackers use to hide backdoor files.

First, you need to open a text editor like Notepad on your computer and paste the following code:

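# Block direct web access to PHP files in this folder
<Files *.php>
# Apache 2.2 syntax; Apache 2.4 without mod_access_compat needs "Require all denied" instead
deny from all
</Files>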

Now, save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

Step 8. Install and Setup a WordPress Backup Plugin

WordPress backup plugins

Backups are the most important tool in your WordPress security arsenal. If all else fails, then backups will allow you to easily restore your website.

Most WordPress hosting companies offer limited backup options. However, these backups are not guaranteed, and you are solely responsible for making your own backups.

There are several great WordPress backup plugins, which allow you to schedule automatic backups.

We recommend using UpdraftPlus. It is beginner friendly and allows you to quickly set up automatic backups and store them on remote locations like Google Drive, Dropbox, Amazon S3, and more.

For step by step instructions, see our guide on how to backup and restore your WordPress site with UpdraftPlus.

All above-mentioned tips will help you protect your WordPress site against brute force attacks. For a more comprehensive security setup, you should follow the instructions in our ultimate WordPress security guide for beginners.

We hope this article helped you learn how to protect your WordPress site from brute force attacks. You may also want to look out for the signs that your WordPress is hacked and how to fix a hacked WordPress site.

14 Best WordPress Security Scanners for Detecting Malware and Hacks

Recently one of our readers asked if there is an easy way to scan your website for security, hacks, and vulnerabilities. If you suspect that your website may be hacked, then a quick WordPress security scan can be a good starting point. In this article, we have handpicked some of the best WordPress security scanners that will help you run quick security checks.

Best WordPress vulnerability scanners

What Can WordPress Security and Malware Scanners Do?

Online vulnerability or malware scanners can help you check your website for some very common security risks. For example, they can look for malicious code, suspicious links, suspicious redirects, WordPress version, and more.

However, they are quite limited because they cannot run tests on your WordPress database, user accounts, WordPress settings, plugins, and more.

Hackers can easily disguise malicious code and go unnoticed by these basic security checkups. This is why we recommend using Sucuri‘s web application firewall. It is a complete website security service that detects and neutralizes any malicious code even before it reaches your website.

To make your WordPress site more secure, see our complete WordPress security guide with step by step instructions to protect your website.

Having said that, let’s take a look at some of the best WordPress vulnerability scanners that you can try.

1. Sucuri SiteCheck

SiteCheck is an online tool by Sucuri, the best WordPress firewall and security service. It offers a thorough check of your website looking for malicious code, spam injection, website defacement, etc.

It also checks your website on several domain name blacklist tools including Google Safe Browsing. Sucuri’s SiteCheck tool not only scans the URL you enter, it also crawls other pages linked from it to offer a thorough and fast scan.

2. IsItWP Security Scanner

IsItWP Security Scanner allows you to quickly check your WordPress website for malware and other security vulnerabilities. It is powered by Sucuri and helps you quickly check your website with step by step instructions to tighten WordPress security.

It also checks your website in Google Safe Browsing and other malware blacklists to make sure that your domain is clean.

3. Google Safe Browsing

Google’s Safe Browsing tool allows you to see if a URL is marked unsafe to visit by Google. Google monitors billions of URLs and if they suspect that a website is distributing malware, then they mark it as unsafe to visit.

This could potentially ruin your website’s reputation as users coming from Google search or Google Chrome will be shown a warning page when they visit your website. If you are using Google Search Console, then you will be warned when your website is marked as unsafe with instructions to get the warning removed.

4. WPScans

WPScans checks your website against known vulnerabilities and suspicious code. They maintain an index of vulnerabilities detected by their system and check your website for those security leaks.

It also tries to detect your WordPress version, installed plugins, and robots.txt files. After the scan, results are presented in an easy to understand format with the explanation of each item.

5. ScanWP

ScanWP is a very basic WordPress vulnerability scanner. It tries to detect your WordPress version to see if you are using the latest version. It also detects the WordPress generator tag, and whether or not your site is showing it.

The generator tag shows which WordPress version you are using. Some security experts believe that this could help hackers to effectively target a website and they recommend removing the WordPress generator tag.

6. WordPress Security Scan

WordPress Security Scan runs a thorough test by attempting to detect your WordPress plugins, usernames, WordPress version, active theme, and more. It also checks your website on Google Safe Browsing index to make sure it is not blacklisted.

It provides a detailed report of your site status with a brief explanation of each item. These are mostly the items that are common WordPress security best practices like using the latest version of WordPress and keeping your plugins updated.

7. wprecon

wprecon is another basic WordPress vulnerability scanner tool. It detects WordPress version to see if you need updates, checks Google Safe Browsing index, and then attempts to detect installed WordPress plugins.

It also scans for directory indexing, theme path detection, external links, iframes, and JavaScripts. Results are presented in a nice format with good explanation for each scanned item.

8. Quttera

Quttera offers a useful online vulnerability scanner tool. It runs a deep test crawling through your website to search for suspicious files, malicious code, iframe embeds, redirects, and external links.

It also checks for your domain among blacklisted domains databases including Google Safe Browsing, Malware Domain List, PhishTank, and more. The detailed report is broken down into different sections and you can click on each item to view scan status.

9. Web Inspector

Web Inspector’s online website security scanner is another useful tool that can be used to test your WordPress site. It first checks your website in Google Safe Browsing and Comodo analysts indexes. After that, it scans for malware downloads, drive-by malware, suspicious code resembling a WordPress backdoor, worm, trojan, iframes, suspicious scripts and files.

10. WordPress Vulnerability Scanner

WordPress Vulnerability Scanner will test your WordPress site for common website vulnerability indicators. It scans for your WordPress version and installed plugins and themes, and checks for plugins with known vulnerabilities.

The website also provides several other scanning tools for advanced users which can be useful in detecting a website with compromised security.

11. UpGuard Cloud Scanner

UpGuard Cloud Scanner is another online utility to scan your WordPress site for security risks. It first checks your domain’s records, DNS, open ports, and mail settings. Domain and server-based hacks can hijack your domain name or misuse it to send spam or malware.

After that, it looks for known malicious code, malware patterns, suspicious links, and phishing attempts. The scan result is displayed in a nice easy to understand format.

12. urlquery URL Scanner

A common technique used by hackers and malware is to redirect your website visitors to a spam website. These hacks only redirect non-logged in users, which allows them to go unnoticed for a long time.

urlquery URL scanner simply checks a given URL to detect if it redirects users, initiates a malware download, sets cookies, and more. This information can be used to further analyze your website’s security status.

13. VirusTotal

VirusTotal is another way to quickly scan a URL for security vulnerabilities and malware. It checks your website’s URL in dozens of malware databases and presents a detailed report. It also scans for redirects and suspicious code in the website header.

14. Norton Safe Web

Norton Safe Web is another useful tool to scan your WordPress site for security threats. It uses Symantec’s advanced detection technologies to look for common malware, phishing, and spam patterns.

The results will display computer threats, identity threats, and annoyance factors. A clean website will get the perfect 0 on all three scans. If your website is unsafe, then it will display the detected threats which can help you further investigate and fix the problem.

We hope this article helped you find some of the best WordPress vulnerability scanners online. You may also want to see our beginner’s guide on fixing a hacked WordPress site.

12 Signs That Your WordPress Site is Hacked

We are often asked what are some signs that indicate a WordPress site is hacked? There are some common telltale signs that may help you figure out if your WordPress site is hacked or compromised. In this article, we will share 12 common signs that your WordPress site is hacked.

Signs that your WordPress site is hacked

1. Sudden Drop in Website Traffic

Drop in website traffic

If you look at your Google Analytics reports and see a sudden drop in traffic, then this could be a sign that your WordPress site is hacked.

There is a lot of malware, including trojans, that hijacks your website’s traffic and redirects it to spammy websites. Some of it doesn’t redirect logged in users, which allows it to go unnoticed for a while.

Another reason for the sudden drop in traffic is Google’s safe browsing tool, which might be showing warnings to users regarding your website.

Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. That’s why every blogger and business owner needs to pay serious attention to their WordPress security.

You can check your website using Google’s safe browsing tool to see your safety report.

Spam and malware injection

One of the most common signs among hacked WordPress sites is data injection. Hackers create a backdoor on your WordPress site which gives them access to modify your WordPress files and database.

Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they really could be anywhere. Deleting the links will not guarantee that they will not come back.

You will need to find and fix the backdoor used to inject this data into your website. See our guide on how to find and fix a backdoor in a hacked WordPress site.

3. Your Site’s Homepage is Defaced

website homepage defaced after hacking

This is probably the most obvious one as it is clearly visible on the homepage of your website. Most hacking attempts do not deface your site’s home page because they want to remain unnoticed for as long as possible.

However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some hackers may even try to extort money from site owners.

4. You are Unable to Login to WordPress

Failure to login in WordPress

If you are unable to login to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.

Since the account doesn’t exist, you would not be able to reset your password from the login page. There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how a hacker got into your website.

5. Suspicious User Accounts in WordPress

Suspicious user accounts in WordPress

If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.

However, if you don’t remember allowing user registration and notice new user accounts in WordPress, then your site is probably hacked.

Usually the suspicious account will have the administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.

6. Unknown Files and Scripts on Your Server

Unknown files and scripts in WordPress folders

If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.

You need to connect to your WordPress site using an FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.

Usually, these files are named like WordPress files to hide in plain sight. Deleting these files immediately will not guarantee that these files will not return. You will need to audit the security of your website, especially the file and directory structure.
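
One way to audit the uploads folder for the unknown files described above, and to confirm that the <Files *.php> rule from the brute force guide earlier on this page is in place. This is an added example, not code from the original article; the extension list, the 4 KB sniff size and the sample directory tree are assumptions made for the illustration.

```python
import os
import tempfile

# Assumed list of extensions that PHP setups commonly execute; adjust to your server.
PHP_EXTENSIONS = (".php", ".phtml", ".phar")
PHP_OPEN_TAG = b"<?php"


def scan_uploads(uploads_dir, sniff_bytes=4096):
    """Return sorted (relative_path, reason) pairs for files that do not belong in uploads."""
    findings = []
    for folder, _dirs, files in os.walk(uploads_dir):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, uploads_dir).replace(os.sep, "/")
            # Compare case-insensitively so "shell.PHP" is not missed.
            if name.lower().endswith(PHP_EXTENSIONS):
                findings.append((rel, "PHP file extension"))
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(sniff_bytes)
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            # A media file that starts with PHP code deserves a manual look.
            if PHP_OPEN_TAG in head.lower():
                findings.append((rel, "PHP open tag in non-PHP file"))
    return sorted(findings)


def php_blocked_by_htaccess(uploads_dir):
    """True if uploads/.htaccess contains a <Files *.php> block that denies access."""
    path = os.path.join(uploads_dir, ".htaccess")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = [ln.strip().lower() for ln in fh]
    except OSError:
        return False  # no .htaccess at all, so nothing is blocked
    inside = False
    for ln in lines:
        if ln.startswith("#"):
            continue
        if ln.startswith("<files") and "*.php" in ln:
            inside = True
        elif ln.startswith("</files"):
            inside = False
        elif inside and ln in ("deny from all", "require all denied"):
            return True
    return False


def build_sample_tree(root):
    """Create a small constructed uploads tree (sample data, harmless placeholders)."""
    month = os.path.join(root, "2024", "03")
    os.makedirs(month)
    samples = {
        os.path.join(root, ".htaccess"): b"<Files *.php>\ndeny from all\n</Files>\n",
        os.path.join(month, "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        # Named like a WordPress file to hide in plain sight.
        os.path.join(month, "wp-config-sample.PHP"): b"<?php // constructed placeholder\n",
        os.path.join(month, "banner.png"): b"\x89PNG\r\n\x1a\n<?php // constructed placeholder\n",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample_tree(demo)
        for rel, reason in scan_uploads(demo):
            print(f"{reason}: {rel}")
        print("PHP execution blocked by .htaccess:", php_blocked_by_htaccess(demo))
```

Point scan_uploads at a local copy of /wp-content/uploads/ downloaded over FTP; anything it reports should be compared against a clean backup before it is deleted.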

7. Your Website is Often Slow or Unresponsive

Slow or unresponsive website

All websites on the internet can become victims of random denial of service attacks. These attacks use several hacked computers and servers from all over the world using fake IPs. Sometimes they are just sending too many requests to your server, other times they are actively trying to break into your website.

Any such activity will make your website slow, unresponsive, and unavailable. You will need to check your server logs to see which IPs are making too many requests and block them.

It is also possible that your WordPress site is just slow and not hacked. In that case, you need to follow our guide to boost WordPress speed and performance.

8. Unusual Activity in Server Logs

Server logs

Server logs are plain text files stored on your web server. These files keep a record of all errors occurring on your server as well as all your internet traffic.

You can access them from your WordPress hosting account’s cPanel dashboard under statistics.

These server logs can help you understand what’s going on when your WordPress site is under attack. They also contain all the IP addresses used to access your website, which allows you to block suspicious IP addresses.
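
The log check described in sections 7 and 8, as an added example that is not part of the original article: it counts POST requests to the WordPress login page per IP address in a sliding window, and also measures the site-wide login rate, since a brute force attack spread over many IP addresses stays under any per-IP limit. It assumes the Apache/Nginx "combined" log format in chronological order and the standard /wp-login.php path; the thresholds and the sample log lines are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/Nginx "combined" access-log format (assumed).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/wp-login.php"  # WordPress login endpoint


def login_posts(lines):
    """Yield (timestamp, ip) for every POST to the login page; skip unparseable lines."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path.endswith(LOGIN_PATH):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def noisy_ips(lines, max_posts=5, window=timedelta(minutes=1)):
    """Map each IP that sent more than max_posts login POSTs in any window to its peak count."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip in login_posts(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > max_posts}


def site_wide_peak(lines, window=timedelta(minutes=1)):
    """Return (peak login POSTs from all IPs in any window, distinct IPs in that window)."""
    q = deque()
    best = (0, 0)
    for ts, ip in login_posts(lines):
        q.append((ts, ip))
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) > best[0]:
            best = (len(q), len({addr for _, addr in q}))
    return best


def make_line(ip, second, method, path, status):
    """Build one constructed log line, `second` seconds after 10:00:00 UTC."""
    stamp = datetime(2024, 3, 12, 10, 0, 0) + timedelta(seconds=second)
    ts = stamp.strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 1024 "-" "Mozilla/5.0"'


# Constructed sample traffic (documentation IP ranges, not real hosts):
#  - one address hammering the login page every 2 seconds
#  - one ordinary visitor who logs in once
#  - twelve addresses that each try the login page once within 12 seconds
EVENTS = (
    [("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(0, 16, 2)]
    + [("198.51.100.20", 5, "GET", "/", 200),
       ("198.51.100.20", 20, "POST", "/wp-login.php", 302),
       ("198.51.100.20", 21, "GET", "/wp-admin/", 200)]
    + [(f"192.0.2.{n}", 300 + n, "POST", "/wp-login.php", 200) for n in range(1, 13)]
)
SAMPLE_LOG = [make_line(*e) for e in sorted(EVENTS, key=lambda e: e[1])]


if __name__ == "__main__":
    print("Per-IP offenders:", noisy_ips(SAMPLE_LOG))
    total, sources = site_wide_peak(SAMPLE_LOG)
    print(f"Site-wide peak: {total} login POSTs/min from {sources} IPs")
```

On the sample data only 203.0.113.7 crosses the per-IP limit, while the site-wide peak comes from the twelve single-attempt addresses, which is the case a firewall or login rate limit has to cover.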

9. Failure to Send or Receive WordPress Emails

Email errors in WordPress

Hacked servers are commonly used for spam. Most WordPress hosting companies offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.

If you are unable to send or receive WordPress emails, then there is a chance that your mail server is hacked to send spam emails.

10. Suspicious Scheduled Tasks

Suspicious scheduled tasks

Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to set up scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.

A hacker can exploit cron to run scheduled tasks on your server without you knowing it.

11. Hijacked Search Results

If the search results from your website show an incorrect title or meta description, then this is a sign that your WordPress site is hacked.

Looking at your WordPress site, you will still see the correct title and description. The hacker has again exploited a backdoor to inject malicious code which modifies your site data in a way that it is visible only to search engines.

12. Popups or Pop Under Ads on Your Website

Spam popup ads

These types of hacks try to make money by hijacking your website’s traffic and showing visitors their own spam ads for illegal websites. These popups do not appear for logged in visitors or visitors accessing a website directly.

They only appear to users visiting from search engines. Pop-under ads open in a new window and go unnoticed by users.

Securing and Fixing Your Hacked WordPress Site

Cleaning up a hacked WordPress site can be incredibly painful and difficult. This is why we recommend letting experts clean up your website.

We use Sucuri to protect all our websites. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

It comes with 24/7 website monitoring and a powerful website application firewall, which blocks attacks before they even reach your website. Most importantly, they clean up your website if it ever gets hacked.

If you want to clean up your site on your own, then take a look at our beginner’s guide on fixing a hacked WordPress site.

You should also check out our ultimate WordPress security guide to follow the best practices and protect your site.

We hope this article helped you look for signs that your WordPress site is hacked. You may also want to see our list of 24 must have WordPress plugins for business websites.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post 12 Signs That Your WordPress Site is Hacked appeared first on WPBeginner.

12 Signs That Your WordPress Site is Hacked

We are often asked what are some signs that indicate a WordPress site is hacked? There are some common telltale signs that may help you figure out if your WordPress site is hacked or compromised. In this article, we will share 12 common signs that… Read More »

The post 12 Signs That Your WordPress Site is Hacked appeared first on WPBeginner.

We are often asked what are some signs that indicate a WordPress site is hacked? There are some common telltale signs that may help you figure out if your WordPress site is hacked or compromised. In this article, we will share 12 common signs that your WordPress site is hacked.

Signs that your WordPress site is hacked

1. Sudden Drop in Website Traffic

Drop in website traffic

If you look at your Google Analytics reports and see a sudden drop in traffic, then this could be a sign that your WordPress site is hacked.

There are many malware and trojans out there that hijack your website’s traffic and redirect it to spammy websites. Some of them don’t redirect logged in users which allows them to go unnoticed for a while.

Another reason for the sudden drop in traffic is Google’s safe browsing tool, which might be showing warnings to users regarding your website.
Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. That’s why every blogger and business owner needs to pay serious attention to their WordPress security.

You can check your website using the Google’s safe browsing tool to see your safety report.

Spam and malware injection

One of the most common signs among hacked WordPress sites is data injection. Hackers create a backdoor on your WordPress site which gives them access to modify your WordPress files and database.

Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they really could be any where. Deleting the links will not guarantee that they will not come back.

You will need to find and fix the backdoor used to inject this data into your website. See our guide on how to find and fix a backdoor in a hacked WordPress site.

3. Your Site’s Homepage is Defaced

website homepage defaced after hacking

This is probably the most obvious one as it is clearly visible on the homepage of your website. Most hacking attempts do not deface your site’s home page because they want to remain unnoticed for as long as possible.

However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some hackers may even try to extort money from site owners.

4. You are Unable to Login to WordPress

Failure to login in WordPress

If you are unable to login to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.

Since the account doesn’t exist, you would not be able to reset your password from the login page. There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how a hacker got into your website.

5. Suspicious User Accounts in WordPress

Suspicious user accounts in WordPress

If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.

However, if you don’t remember allowing user registration and notice new user accounts in WordPress, then your site is probably hacked.

Usually the suspicious account will have administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.

6. Unknown Files and Scripts on Your Server

Unknown files and scripts in WordPress folders

If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.

You need to connect to your WordPress site using a FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.

Usually, these files are named like WordPress files to hide in plain sight. Deleting these files immediately will not guarantee that these files will not return. You will need to audit the security of your website specially file and directory structure.

7. Your Website is Often Slow or Unresponsive

Slow or unresponsive website

All websites on internet can become victims of random denial of service attacks. These attacks use several hacked computers and servers from all over the world using fake ips. Sometimes they are just sending too many requests to your server, other times they are actively trying to break into your website.

Any such activity will make your website slow, unresponsive, and unavailable. You will need to check your server logs to see which ips are making too many requests and block them.

It is also possible that your WordPress site is just slow and not hacked. In that case, you need to follow our guide to boost WordPress speed and performance.

8. Unusual Activity in Server Logs

Server logs

Server logs are plain text files stored on your web server. These files keep record of all errors occurring on your server as well as all your internet traffic.

You can access them from your WordPress hosting account’s cPanel dashboard under statistics.

serverlogscpanel

These server logs can help you understand what’s going on when your WordPress site is under attack. They also contain all the ip addresses used to access your website which allows you to block suspicious ip addresses.

9. Failure to Send or Receive WordPress Emails

Email errors in WordPress

Hacked servers are commonly used for spam. Most WordPress hosting companies offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.

If you are unable to send or receive WordPress emails, then there is a chance that your mail server has been hacked to send spam emails.

10. Suspicious Scheduled Tasks

Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to set up scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.

A hacker can exploit cron to run scheduled tasks on your server without you knowing it.

11. Hijacked Search Results

If the search results from your website show an incorrect title or meta description, then this is a sign that your WordPress site is hacked.

Looking at your WordPress site, you will still see the correct title and description. The hacker has again exploited a backdoor to inject malicious code which modifies your site data in a way that it is visible only to search engines.

12. Popups or Pop Under Ads on Your Website

Spam popup ads

These types of hacks are trying to make money by hijacking your website’s traffic and showing them their own spam ads for illegal websites. These popups do not appear for logged in visitors or visitors accessing a website directly.

They only appear to users visiting from search engines. Pop under ads open in a new window and remain unnoticed by users.

Securing and Fixing Your Hacked WordPress Site

Cleaning up a hacked WordPress site can be incredibly painful and difficult. This is why we recommend that you let experts clean up your website.

We use Sucuri to protect all our websites. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

It comes with 24/7 website monitoring and a powerful website application firewall, which blocks attacks before they even reach your website. Most importantly, they clean up your website if it ever gets hacked.

If you want to clean up your site on your own, then take a look at our beginner’s guide on fixing a hacked WordPress site.

You should also check out our ultimate WordPress security guide to follow the best practices and protect your site.

We hope this article helped you look for signs that your WordPress site is hacked. You may also want to see our list of 24 must have WordPress plugins for business websites.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post 12 Signs That Your WordPress Site is Hacked appeared first on WPBeginner.

How to Reset a WordPress Password from phpMyAdmin

The post How to Reset a WordPress Password from phpMyAdmin appeared first on WPBeginner.

Do you want to reset your WordPress password using phpMyAdmin? If you are unable to reset your WordPress password, then there is a way to reset it directly in your WordPress database using phpMyAdmin. In this article, we will show you how to easily reset a WordPress password from phpMyAdmin.

Reset your WordPress password from phpMyAdmin

Why Reset WordPress Password from phpMyAdmin

WordPress makes it super easy to reset your password. You can simply go to the login screen and click on the ‘Lost your password’ link.

Recovering lost password in WordPress

Clicking on it takes you to password reset page where you can enter your username or email address to reset the password. After that WordPress sends a password reset link to the email address associated with that user account. For more details see our guide on how to recover a lost password in WordPress.

However, if you don’t have access to the email address, or your WordPress site fails to send an email, then you will not be able to reset your password.

In such a situation, you will need to reset your WordPress password directly in the database. The easiest way to do that is by using phpMyAdmin.

Having said that, let’s see how you can easily reset a WordPress password from phpMyAdmin.

How to Reset a WordPress Password From phpMyAdmin

If you don’t want to watch the video tutorial, then you can continue reading the text version below:

First, you need to log in to the cPanel dashboard of your WordPress hosting account. Next, you need to click on the phpMyAdmin icon under the database section.

phpMyAdmin in cPanel

This will launch the phpMyAdmin app where you need to select your WordPress database.

Select your WordPress database

You will now see the list of tables in your WordPress database. Now you need to look for the ‘{table-prefix}_users’ table in this list and click on the ‘Browse’ link next to it.

Browse users table in phpMyAdmin

Note: Table names in your WordPress database may have a different table prefix than the one we are showing in our screenshot.

You will now see the rows in your WordPress users table. Go ahead and click on the edit button next to the username where you want to change the password.

Editing user in phpMyAdmin

PhpMyAdmin will show you a form with all the user information fields.

You will need to delete the value in the user_pass field and replace it with your new password. Under the function column, select MD5 from the drop down menu and click on the Go button.

Change your password

Your password will be hashed with MD5, and the resulting hash will be stored in the database.

Congratulations! You have successfully changed your WordPress password using phpMyAdmin.

Now some of you may be wondering why we selected MD5 to hash the password.

In older versions, WordPress used MD5 to hash passwords. Since WordPress 2.5, it has used stronger password hashing. However, WordPress still recognizes MD5 hashes to provide backward compatibility.

As soon as you log in using a password stored as an MD5 hash, WordPress recognizes it and re-hashes it using the newer algorithm.
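Until that first login happens, the account keeps a bare, unsalted MD5 value in user_pass. This added example (not from the original article) audits exported user_login and user_pass pairs for such leftover values and for accounts that share one; the sample rows, the placeholder salted hash, and the function names are constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict

# A bare MD5 digest is exactly 32 hexadecimal characters.
BARE_MD5 = re.compile(r"[0-9a-f]{32}")


def phpmyadmin_md5(password):
    """Value that selecting MD5 in phpMyAdmin stores: MD5(password) in hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def classify(user_pass):
    """Label a user_pass value by its format only; nothing is cracked."""
    if BARE_MD5.fullmatch(user_pass.lower()):
        return "bare-md5"      # reset by hand, user has not logged in since
    if user_pass.startswith("$"):
        return "salted"        # e.g. the "$P$" portable hashes WordPress writes
    return "unrecognized"      # empty or corrupted value, inspect manually


# Constructed export of (user_login, user_pass) pairs.
SAMPLE_ROWS = [
    ("alice", phpmyadmin_md5("Constructed-Pass-1")),
    ("dave", phpmyadmin_md5("Constructed-Pass-1")),   # same password as alice
    ("erin", phpmyadmin_md5("Constructed-Pass-2")),
    ("bob", "$P$B" + "0" * 30),                       # placeholder salted hash
    ("carol", ""),
]


def pending_rehash(rows):
    """Logins whose stored value is still a bare MD5 digest."""
    return sorted(login for login, h in rows if classify(h) == "bare-md5")


def shared_hashes(rows):
    """Bare MD5 has no salt, so equal passwords give equal stored values.

    Returns {digest: [logins]} for every digest used by more than one account.
    """
    groups = defaultdict(list)
    for login, h in rows:
        if classify(h) == "bare-md5":
            groups[h.lower()].append(login)
    return {h: sorted(logins) for h, logins in groups.items() if len(logins) > 1}


if __name__ == "__main__":
    print("still bare MD5:", pending_rehash(SAMPLE_ROWS))
    for digest, logins in shared_hashes(SAMPLE_ROWS).items():
        print("same password:", logins, "->", digest)
```

Any login the audit lists should sign in once, or have the password changed from the profile screen, so the stored value is replaced by a salted hash.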

We hope this article helped you learn how to reset a WordPress password from phpMyAdmin. You may also want to see our ultimate step by step WordPress security guide to keep your WordPress site safe.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

14 Vital Tips to Protect Your WordPress Admin Area (Updated)

The post 14 Vital Tips to Protect Your WordPress Admin Area (Updated) appeared first on WPBeginner.

Are you seeing a lot of attacks on your WordPress admin area? Protecting the admin area from unauthorized access allows you to block many common security threats. In this article, we will show you some of the vital tips and hacks to protect your WordPress admin area.

Tips and hacks to protect WordPress admin area

1. Use a Website Application Firewall

A website application firewall or WAF monitors website traffic and blocks suspicious requests from reaching your website.

While there are several WordPress firewall plugins out there, we recommend using Sucuri. It is a website security and monitoring service that offers a cloud based WAF to protect your website.

Website Application Firewall

All your website’s traffic goes through their cloud proxy first, where they analyze each request and block suspicious ones from ever reaching your website. It prevents your website from possible hacking attempts, phishing, malware and other malicious activities.

For more details, see how Sucuri helped us block 450,000 attacks in one month.

2. Password Protect WordPress Admin Directory

Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your website.

First, log in to your WordPress hosting cPanel dashboard and then click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon.

Directory privacy

Next, you will need to select your wp-admin folder, which is normally located inside /public_html/ directory.

On the next screen, you need to check the box next to ‘Password protect this directory’ option and provide a name for the protected directory.

After that, click on the save button to set the permissions.

Password protect directory settings

Next, you need to hit the back button and then create a user. You will be asked to provide a username / password and then click on the save button.

Now when someone tries to visit the WordPress admin or wp-admin directory on your website, they will be asked to enter the username and password.

Enter password

For more detailed instructions, see our guide on how to password protect WordPress admin (wp-admin) directory.

3. Always Use Strong Passwords

Always use strong passwords for all your online accounts including your WordPress site. We recommend using a combination of letters, numbers, and special characters in your passwords. This makes it harder for hackers to guess your password.

We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phones.

For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.

4. Use Two Step Verification to WordPress Login Screen

WordPress login screen with Google Authenticator enabled

Two step verification adds another security layer to your passwords. Instead of using the password alone, it asks you to enter a verification code generated by the Google Authenticator app on your phone.

Even if someone is able to guess your WordPress password, they will still need the Google Authenticator code to get in.

For detailed step by step instructions see our guide on how to setup 2-step verification in WordPress using Google Authenticator.

5. Limit Login Attempts

By default, WordPress allows users to enter passwords as many times as they want. This means someone can keep trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.

To fix this, you need to install and activate the Login LockDown plugin. Upon activation, go to the Settings » Login LockDown page to configure the plugin settings.

For detailed instructions, see our guide on why you should limit login attempts in WordPress.

6. Limit Login Access to IP Addresses

Another great way to secure WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if you or just a few trusted users need access to the admin area.

Simply add this code to your .htaccess file.

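AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# No <Limit GET> wrapper here: inside it the rules would cover only GET (and
# HEAD) requests and leave POST unrestricted. Outside it they apply to every method.
# Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for these directives.
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx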

Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.

For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.

7. Disable Login Hints

Disabled login hints

On a failed login attempt, WordPress shows errors that tell users whether it was their username or their password that was incorrect. Someone can use these login hints for malicious attempts.

You can easily hide these login hints by adding this code to your theme’s functions.php file or a site-specific plugin.

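// Replace every login error with one generic message, so the form does not
// reveal whether the username or the password was wrong.
function no_wordpress_errors(){
  return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );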

8. Require Users to Use Strong Passwords

If you run a multi-author WordPress site, then those users can edit their profile and use a weak password. These passwords can be cracked and give someone access to WordPress admin area.

To fix this, you can install and activate the Force Strong Passwords plugin. It works out of the box, and there are no settings for you to configure. Once activated, it will stop users from saving weaker passwords.

It will not check password strength for existing user accounts. If a user is already using a weak password, then they will be able to continue using their password.

9. Reset Password for All Users

Concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.

First, you need to install and activate the Emergency Password Reset plugin. Upon activation, go to the Users » Emergency Password Reset page and click on the ‘Reset All Passwords’ button.

Reset all passwords

For detailed instructions, see our guide on how to reset passwords for all users in WordPress.

10. Keep WordPress Updated

WordPress often releases new versions of the software. Each new release of WordPress contains important bug fixes, new features, and security fixes.

Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, you need to make sure that you are using the latest version of WordPress. For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.

11. Create Custom Login and Registration Pages

Many WordPress sites require users to register. For example, membership sites, learning management sites, or online stores need users to create an account.

However, these users can use their accounts to log into the WordPress admin area. This is not a big issue, as they will only be able to do things allowed by their user role and capabilities. However, it stops you from properly limiting access to login and registration pages, as you need those pages for users to sign up, manage their profile, and log in.

The easy way to fix this is by creating custom login and registration pages, so that users can sign up and log in directly from your website.

For detailed step by step instructions, see our guide on how to create custom login and registration pages in WordPress.

12. Learn About WordPress User Roles and Permissions

WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site you can select a user role for them. This user role defines what they can do on your WordPress site.

Assigning incorrect user role can give people more capabilities than they need. To avoid this you need to understand what capabilities come with different user roles in WordPress. For more on this topic see our beginner’s guide to WordPress user roles and permissions.

13. Limit Dashboard Access

Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default they can all access the admin area.

To fix this, you need to install and activate the Remove Dashboard Access plugin. Upon activation, go to the Settings » Dashboard Access page and select which user roles will have access to the admin area on your site.

For more detailed instructions, see our guide on how to limit dashboard access in WordPress.

14. Log out Idle Users

Idle user logout

WordPress does not automatically log out users until they explicitly log out or close their browser window. This can be a concern for WordPress sites with sensitive information. That’s why financial institution websites and apps automatically log out users if they haven’t been active.

To fix this, you can install and activate the Idle User Logout plugin. Upon activation, go to Settings » Idle User Logout page and enter the time after which you want users to be automatically logged out.

For more details, see our article on how to automatically log out idle users in WordPress.

We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

5 Best WordPress Firewall Plugins Compared

The post 5 Best WordPress Firewall Plugins Compared appeared first on WPBeginner.

Are you looking for the best WordPress firewall plugin for your website? WordPress firewall plugins protect your website against hacking, brute force and distributed denial of service (DDoS) attacks. In this article, we will compare the best WordPress firewall plugins, and how they stack up against each other.

Best WordPress firewall plugins compared

What is a WordPress Firewall Plugin?

A WordPress firewall plugin (also known as a web application firewall or WAF) acts as a shield between your website and all incoming traffic. These web application firewalls monitor your website traffic and block many common security threats before they reach your WordPress site.

Aside from significantly improving your WordPress security, often these web application firewalls also speed up your website and boost performance.

There are two common types of WordPress firewall plugins available.

DNS Level Website Firewall – These firewalls route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as DNS level firewall in reducing the server load.

We recommend using a DNS level firewall because they are exceptionally good at identifying genuine website traffic vs bad requests.

They do that by tracking thousands of websites, comparing trends, looking for botnets, known bad IPs, and blocking traffic to pages that your users would normally never request.

Not to mention, DNS level website firewalls significantly reduce the load on your WordPress hosting server which makes sure that your website does not go down.

Having said that, let’s take a look at the best WordPress firewall plugins that you can use to protect your website.

1. Sucuri

Sucuri is the leading website security company for WordPress. They offer DNS level firewall, intrusion and brute force prevention, as well as malware and blacklist removal services.

All your website traffic goes through their cloudproxy servers where each request is scanned. Legitimate traffic is allowed to pass through, and all malicious requests are blocked.

Sucuri also improves your website’s performance by reducing server load through caching optimization, website acceleration, and Anycast CDN (all included). It protects your website against SQL Injections, XSS, RCE, RFU and all known attacks.

Setting up their WAF is quite easy. You will need to add a DNS A record to your domain and point it to Sucuri’s cloudproxy instead of your website.

At WPBeginner, we use Sucuri to improve our WordPress security. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

Pricing: Starting from $199.99/year billed annually.

Grade: A+

2. Cloudflare

Cloudflare is best known for their free CDN service which includes basic DDoS protection as well. However, their free plan doesn’t include website application firewall. For WAF you will need to signup for their Pro plan.

Cloudflare is also a DNS level firewall which means your traffic goes through their network. This improves performance of your website and reduces downtime in case of unusually high traffic.

The Pro plan only includes DDoS protection against layer 3 attacks. For protection against advanced DDoS layer 5 and 7 attacks, you will need at least their business plan.

Cloudflare has its pros, which include CDN, caching, and a larger network of servers. The downside is that they do not offer application level security scans, malware protection, blacklist removal, security notifications and alerts. They also do not monitor your WordPress site for file changes and other common WordPress security threats.

For more details see our comparison of Sucuri vs Cloudflare.

Pricing: Starting from $20/month for Pro plan and $200/month for Business.

Grade: A

3. SiteLock

SiteLock is another well-known website security company offering website application firewall, DDoS protection, malware scan and removal services.

SiteLock’s WAF is a DNS level firewall with a CDN service included in all plans to improve performance of your website. They offer daily malware scans, file change monitoring, security alerts, and malware removal.

All plans include basic DDoS protection while advanced DDoS protection is available as an add-on. They also allow customers to display SiteLock trust seal on their websites.

They have also partnered with many hosting companies to offer their basic plan as an add-on. If you start your WordPress blog with Bluehost then you will be shown SiteLock as an add-on that you can add to your hosting package.

However, it is unclear what’s included in that add-on, and how it is different than the plans offered on SiteLock’s official website.

Pricing: Accelerate Plan costs $299 / year and Prevent plan costs $499 / year.

Grade: B+

4. Wordfence Security

Wordfence is a popular WordPress security plugin with a built-in website application firewall. It monitors your WordPress site for malware, file changes, SQL injections, and more. It also protects your website against DDoS and brute force attacks.

Wordfence is an application level firewall, which means that the firewall is triggered on your server and bad traffic is blocked after it reaches your server but before loading your website.

This is not the most efficient way to block attacks. A large number of bad requests will still increase load on your server. Because it’s an application level firewall, Wordfence does not come with a content delivery network (CDN).

Wordfence comes with on-demand security scans as well as scheduled scans. It also allows you to manually monitor traffic and block suspicious looking IPs directly from your WordPress admin area.

To learn more about Wordfence, see our guide on how to install and setup Wordfence security in WordPress.

To get their sophisticated application level firewall, you really need the Premium version.

Pricing: Basic plugin is free. Premium version pricing starts from $99/year for a single site license.

Grade: B

5. BulletProof Security

BulletProof security is another popular WordPress security plugin. It comes with a built-in application level firewall, login security, database backup, maintenance mode, and several security tweaks to protect your website.

BulletProof security does not offer a very good user experience and many beginners may have difficulty understanding what to do. It does come with a setup wizard that automatically updates your WordPress .htaccess files and enables firewall protection.

It does not have a file scanner to check for malicious code on your website. The paid version of the plugin offers extra features to monitor for intrusion and malicious files in your WordPress uploads folder.

Pricing: Free basic plugin. Pro version costs $59.95 for unlimited sites and lifetime support.

Grade: C

Conclusion

After careful comparison of all these popular WordPress firewall plugins, we believe that Sucuri is undoubtedly the best firewall protection you can get for your WordPress site.

It is the best DNS level firewall with the most comprehensive security features to give you complete peace of mind. On top of that, the performance boost that you get from their CDN is very impressive.

We hope this article helped you find the best WordPress firewall plugin for your website. You may also want to see our ultimate step by step WordPress security guide for beginners.

The post 5 Best WordPress Firewall Plugins Compared appeared first on WPBeginner.