How to Block IP Addresses in WordPress

The post How to Block IP Addresses in WordPress appeared first on WPBeginner.

Do you want to block specific IP addresses from accessing your WordPress site? Blocking IP addresses is a common way to stop spam and hacking attacks on your website. In this article, we will show you how to block IP addresses in WordPress, and we will also show you how to find out which IP addresses need to be blocked.

What is an IP Address?

If the internet were a physical world, then think of IP addresses as country, street, and house numbers. They are basically four groups of numbers from 0 to 255 separated by dots and look like this:

172.16.254.1

Each computer connected to the internet has an IP address assigned to it by its internet service provider.

All visitors to your website have an IP address, which is stored in your website’s access log files. This also means that every website you visit stores your IP address.

You can hide this information by using a VPN service. This allows you to hide your IP address and other personal information.

Why & When Do You Need to Block IP Addresses?

Blocking an IP address from accessing your website is an effective way to deal with unwanted visitors, comment spam, email spam, hacking attempts, and DDoS (distributed denial of service) attacks.

The most common sign that your website is under a DDoS attack is that it frequently becomes inaccessible or its pages take forever to load.

The other attacks are more obvious, such as when you start getting spam comments or a lot of spam emails from your contact form. We have a list of ways to fight spam comments, but the last resort is to block IP addresses.

Finding Out IP Addresses You Want to Block in WordPress

WordPress stores the IP address of every user who leaves a comment on your website. You can see their IP address by visiting the Comments page in your WordPress admin area.

IP addresses stored in WordPress comments

If your website is under a DDoS attack, then the best way to locate the offending IP addresses is by checking your server’s access log.

To see those logs, you will need to log in to the cPanel dashboard of your WordPress hosting account. Next, locate the ‘Logs’ section and click on the ‘Raw Access Logs’ icon.

Raw access logs

This will take you to the access logs page where you need to click on your domain name to download the access logs file.

Download access log file

Your access log file will be inside a .gz archive. Go ahead and extract it by clicking on it. If your computer does not have a program to handle .gz archives, then you will need to install one. WinZip and 7-Zip are two popular choices among Windows users.

Inside the archive, you will see your access log file which you can open in a plain text editor like Notepad or TextEdit.

The access log file contains the raw data of all requests made to your website. Each line begins with the IP address that made the request.

IP addresses in access log file

You need to make sure that you don’t end up blocking yourself, legitimate users, or search engines from accessing your website. Copy a suspicious-looking IP address and use online IP lookup tools to find out more about it.

You will have to look carefully through your access logs for an unusually high number of requests from a particular IP address. Tip: there’s a way to automate this, which we share at the bottom of this article.

Once you have located those IP addresses, you need to copy and paste them in a separate text file.
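The search described above can be scripted. The following Python script is an added example, not code from the WPBeginner article: it parses combined-format access log lines, counts requests per address, skips an allow-list so you do not block yourself or a known crawler, and flags addresses with an unusually high request count or many POSTs to wp-login.php and xmlrpc.php. The log lines, the 203.0.113.0/24 allow-list entry and the thresholds are constructed for this example and should be adjusted for your own site.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# One combined-log-format line: client IP first, then the request line in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Addresses that must never be blocked (your own network, known crawlers).
# Constructed sample value for this example; replace with your own ranges.
ALLOW_LIST = [ipaddress.ip_network("203.0.113.0/24")]

# Endpoints that brute-force tools hammer; POSTs here are counted separately.
SENSITIVE_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, method, path, status) or None if the line is not a request."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("method"), m.group("path"), int(m.group("status"))


def is_allowed(ip):
    """True if the address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOW_LIST)


def find_suspicious_ips(lines, threshold=100, sensitive_threshold=20):
    """Return {ip: report} for addresses with more than `threshold` requests in
    total, or more than `sensitive_threshold` POSTs to SENSITIVE_PATHS.
    Allow-listed addresses are skipped so you do not lock yourself out."""
    total = Counter()
    sensitive = Counter()
    paths = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        total[ip] += 1
        paths[ip][path] += 1
        if method == "POST" and path.split("?", 1)[0] in SENSITIVE_PATHS:
            sensitive[ip] += 1
    report = {}
    for ip, count in total.items():
        if is_allowed(ip):
            continue
        if count > threshold or sensitive[ip] > sensitive_threshold:
            report[ip] = {
                "requests": count,
                "sensitive_posts": sensitive[ip],
                "top_paths": paths[ip].most_common(3),
            }
    return report


def make_sample_log():
    """Constructed sample: a normal visitor, a noisy but allow-listed crawler,
    and one address repeatedly POSTing to wp-login.php."""
    tmpl = ('{ip} - - [10/Oct/2023:13:55:36 +0000] "{m} {p} HTTP/1.1" {s} 512 '
            '"-" "Mozilla/5.0"')
    lines = [tmpl.format(ip="198.51.100.7", m="GET", p="/", s=200)] * 5
    lines += [tmpl.format(ip="203.0.113.9", m="GET", p="/sitemap.xml", s=200)] * 150
    lines += [tmpl.format(ip="192.0.2.44", m="GET", p="/wp-login.php", s=200)] * 3
    lines += [tmpl.format(ip="192.0.2.44", m="POST", p="/wp-login.php", s=200)] * 40
    return lines


if __name__ == "__main__":
    # Real use: find_suspicious_ips(open("access.log"))
    for ip, info in sorted(find_suspicious_ips(make_sample_log()).items()):
        print(ip, info)
```

Run it against the extracted raw access log instead of the sample, then look up each flagged address before adding it to a block list.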

Blocking IP Addresses in WordPress

If you just want to stop users with a specific IP address from leaving a comment on your site, then you can do that inside your WordPress admin area.

Head over to the Settings » Discussion page and scroll down to the ‘Comment Blacklist’ text box.

Blacklist IP addresses in WordPress comments

Copy and paste the IP addresses that you want to block and then click on the save changes button.

WordPress will now block users with these IP addresses from leaving a comment on your website. These users will still be able to visit your website, but they will see an error message when they try to submit a comment.

Blocking an IP Address Using cPanel

This method completely blocks an IP address from accessing or viewing your website. You should use this method when you want to protect your WordPress site from hacking attempts and DDoS attacks.

First, you need to log in to the cPanel dashboard of your hosting account. Now scroll down to the Security section and click on the ‘IP Address Deny Manager’ icon.

IP Address Deny Manager tool in cPanel

This will take you to the IP Address Deny Manager tool. Here you can add the IP addresses you want to block. You can add a single IP address or an IP range and then click on the add button.

Blocking IP addresses in cPanel

You can come back to the same page again if you ever need to unblock those IP addresses.

When IP Address Blocking Doesn’t Work – Automate It!

Blocking an IP address works if you are just blocking some basic hacking attempts, specific users, or users from specific regions or countries.

However, many hacking attempts and attacks are made using a wide range of random IP addresses from all over the world. It is impossible for you to keep up with all those random IP addresses.

That’s when you need a Web Application Firewall (WAF). For the WPBeginner website, we use Sucuri. It is a website security service that protects your website against such attacks using a web application firewall.

Basically, all your website traffic goes through their servers where it is examined for suspicious activity. It automatically blocks suspicious IP addresses from reaching your website altogether. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

We hope this article helped you learn how to easily block IP addresses in WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

How to Install and Setup Wordfence Security in WordPress

The post How to Install and Setup Wordfence Security in WordPress appeared first on WPBeginner.

Do you want to install and set up the Wordfence security plugin on your website? Wordfence is a popular WordPress plugin that helps you tighten the security of your WordPress site and protects it from hacking attempts. In this article, we will show you how to easily install and set up the Wordfence security plugin in WordPress.

How to install and setup Wordfence

What is Wordfence? How Does it Protect Your WordPress Site?

Wordfence is a WordPress security plugin that helps you protect your website against security threats like hacking, malware, DDoS and brute force attacks.

It comes with a web application firewall, which filters all traffic to your website and blocks suspicious requests.

It has a malware scanner that scans all your WordPress core files, themes, plugins, and upload folders for changes and suspicious code. This helps you clean a hacked WordPress site.

The basic Wordfence plugin is free, but it also comes with a premium version that gives you access to more advanced features such as country blocking, firewall rules updated in real time, scheduled scanning, etc.

Having said that, let’s see how to install and easily set up Wordfence for maximum security.

How to Install and Setup Wordfence in WordPress

The first thing you need to do is install and activate the Wordfence Security plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, the plugin will add a new menu item labeled Wordfence to your WordPress admin bar. Clicking on it will take you to the plugin’s settings dashboard.

Wordfence settings dashboard

This page shows an overview of the plugin’s security settings on your website. You will also see security notifications and stats like recent IP blocking, failed login attempts, total attacks blocked, etc.

Wordfence settings are divided into different sections. The default settings will work for most websites, but you still need to review and change them if needed.

Let’s start by running a scan first.

Scanning Your WordPress Site Using Wordfence

Head over to the Wordfence » Scan page and then click on the ‘Start a Wordfence Scan’ button.

Start a Wordfence scan

Wordfence will now start scanning your WordPress files.

The scan will look for changes in file sizes in the official WordPress core and plugin files.

It will also look inside the files to check for suspicious code, backdoors, malicious URLs, and known patterns of infections.

Typically these scans need a lot of server resources to run. Wordfence does an excellent job of running the scans as efficiently as possible. The time it takes to complete a scan will depend on how much data you have, and the server resources available.

You will be able to see the progress of the scan in the yellow boxes on the scan page. Most of this information will be technical. However, you don’t need to worry about the technical stuff.

Once the scan is finished, Wordfence will show you the results.

It will notify you if it found any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.

The free Wordfence plugin automatically runs a full scan of your WordPress site once every 24 hours. The premium version of the plugin allows you to set up your own scan schedules.

Setting up Wordfence Firewall

Wordfence comes with a web application firewall. This is a PHP-based, application-level firewall.

The Wordfence firewall offers two levels of protection. The basic level, which is enabled by default, runs the Wordfence firewall as a WordPress plugin.

This means that the firewall loads along with the rest of your WordPress plugins. It can protect you from many threats, but it will miss attacks that are designed to trigger before WordPress themes and plugins are loaded.

The second level of protection is called extended protection. It allows Wordfence to run before WordPress core, plugins, and themes. This offers much better protection against more advanced security threats.

Here is how you would set up the extended protection.

Visit the Wordfence » Firewall page and click on the Optimize Firewall button.

Optimize Wordfence firewall

Wordfence will now run some tests in the background to detect your server configuration. If you know that your server configuration is different from what Wordfence has selected, then you can select a different one.

Click on the continue button.

Next, Wordfence will ask you to download your current .htaccess file as a backup. Click on the ‘Download .htaccess’ button and after downloading the backup file click on the continue button.

Wordfence will now update your .htaccess file which will allow it to run before WordPress. You will be redirected to the firewall page where you will now see your protection level as ‘Extended protection’.

Extended protection enabled

You will also notice a ‘Learning Mode’ button. When you first install Wordfence, it attempts to learn how you and your users interact with the website to make sure that it doesn’t block legitimate visitors. After a week it will automatically switch to ‘Enabled and Protecting’ mode.

Monitoring and Blocking Suspicious Activity Using Wordfence

Wordfence keeps a very useful log of all requests made to your website. You can view it by visiting the Wordfence » Live Traffic page.

Here you can see the list of IPs requesting different pages on your website.

Live traffic tool in Wordfence

You can block individual IPs and even full networks on this page.

You can also block suspicious IPs manually by visiting the Wordfence » Blocking page.

Manually block IPs in Wordfence

Advanced Settings and Tools in Wordfence

Wordfence is a powerful plugin with lots of useful options. You can visit the Wordfence » Options page to review them.

Wordfence options

Here you can selectively turn features on and off. You can also enable or disable email notifications, scans, and other advanced settings.

On the Wordfence » Tools page, you can run a password audit to ensure that all users on your website are using strong passwords. You can also run a WHOIS lookup for suspicious IP addresses and view diagnostic information to help debug issues with the plugin or your WordPress site.

Premium users can also set up two-factor login to strengthen login security on their websites.

Wordfence vs Sucuri – Which One is Better?

Now some of you are probably wondering how Wordfence stacks up against Sucuri.

Sucuri is another popular website security suite that comes with a web application firewall, a malware scanner, and malware removal.

At WPBeginner, we use Sucuri. Check out our Sucuri review to see how it helped us block more than 450,000 WordPress attacks in 3 months.

Both Wordfence and Sucuri are great choices to improve your WordPress security. However, we believe that Sucuri has some features that give it a slight edge over Wordfence.

One of them is the web application firewall. The Wordfence WAF is an application-level firewall, which means it runs on your own server.

On the other hand, the Sucuri website firewall is a DNS-level firewall. This means all traffic to your website goes through their cloud proxy before reaching your server. This lets Sucuri block DDoS attacks more efficiently and also reduces the load on your server.

We hope this article helped you learn how to install and properly set up Wordfence on your website. For more security tips, you should also check out our ultimate WordPress security guide for beginners.

The Ultimate WordPress Security Guide (Step by Step)

The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.

WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

Improve WordPress Security

While the WordPress core software is very secure and is audited regularly by hundreds of developers, there is still a lot that can be done to harden your WordPress website.

At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).

We have a number of actionable steps that you can take to improve your WordPress security.

To make it easy, we have created a table of contents to help you easily navigate through our ultimate WordPress security guide.

Table of Contents

Basics of WordPress Security

WordPress Security in Easy Steps (No Coding)

WordPress Security for DIY Users

Ready? Let’s get started.

Why Is Website Security Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.

Worse, you may find yourself paying a ransom to hackers just to regain access to your website.

Why WordPress Security is Important

In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting may contain malware or steal information.

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.

If your website is a business, then you need to pay extra attention to your WordPress security.

Just as it is a business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

Keeping WordPress Updated

WordPress is open source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.

Strong Passwords and User Permissions

Manage strong passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using strong passwords that are unique to your website. Not just for the WordPress admin area, but also for FTP accounts, the database, your WordPress hosting account, and your professional email address.

The top reason beginners don’t like using strong passwords is that they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.

The Role of WordPress Hosting

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like Bluehost or SiteGround takes extra measures to protect their servers against common threats.

However, on shared hosting you share the server resources with many other customers. This opens up the risk of cross-site contamination, where a hacker can use a neighboring site to attack your website.

Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

WordPress Security in Easy Steps (No Coding)

We know that improving WordPress security can be a terrifying thought for beginners, especially if you’re not technical. Guess what – you’re not alone.

We have helped thousands of WordPress users in hardening their WordPress security.

We will show you how you can improve your WordPress security with just a few clicks (no coding required).

If you can point-and-click, you can do this!

Install a WordPress Backup Solution

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

Backups allow you to quickly restore your WordPress site in case something bad was to happen.

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

Thankfully this can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).

Best WordPress Security Plugin

After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.

This includes file integrity monitoring, failed login attempts, malware scanning, etc.

Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to go to the Sucuri menu in your WordPress admin.

Sucuri Admin Menu

The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.

Sucuri Generate Free API

The next thing you need to do is click on the Hardening tab in the Sucuri menu. Go through every option and click on the “Harden” button.

Sucuri Hardening

These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.

We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.

After the hardening part, most of this plugin’s default settings are good and don’t need changing. The only thing we recommend customizing is the Email Alerts.

The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.

Sucuri Email Alerts

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.

Enable Web Application Firewall (WAF)

The easiest way to protect your website and be confident about your WordPress security is by using a web application firewall (WAF). The firewall blocks all malicious traffic before it even reaches your website.

Sucuri Website Application Firewall

We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

Sucuri Attack Block Chart

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour. Whereas you can get the entire Sucuri security stack for $199 per year.

Sucuri is not the only firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).

WordPress Security for DIY Users

If you do everything that we have mentioned thus far, then you’re in pretty good shape.

But as always, there’s more that you can do to harden your WordPress security.

Some of these steps may require coding knowledge.

Change the Default “admin” username

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

However, some 1-click WordPress installers still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username:

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin.
  3. Update the username from phpMyAdmin.

We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).

Note: We’re talking about the username called “admin”, not the administrator role.

Disable File Editing

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

You can easily do this by adding the following code to your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting this code:

# Block direct requests for PHP files in this directory (Apache 2.2 syntax).
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead.
<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

For a more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Limit Login Attempts

By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, where hackers try to crack passwords by attempting to log in with many different combinations.

This can be easily fixed by limiting the number of failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

However, if you don’t have the firewall set up, then proceed with the steps below.

First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, visit the Settings » Login LockDown page to set up the plugin.

Login LockDown settings

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.
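The lockout that a plugin like Login LockDown applies can be described as a sliding window: after a set number of failed logins from one address within a time window, that address is refused for a lockout period, even if it then sends the correct password. The class below is an added example, not the plugin’s code; the failure count, window and lockout duration are assumed defaults, and timestamps are passed in explicitly so the behaviour can be checked without waiting.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Per-address failed-login limiter with a sliding window and a lockout."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        self.max_failures = max_failures   # failures that trigger a lockout
        self.window = window               # seconds in which failures are counted
        self.lockout = lockout             # seconds the address stays blocked
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        """True while a lockout for `ip` is in force; expired locks are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def _prune(self, ip, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ip, now):
        """Register a failed login; returns True if it triggers a lockout."""
        self._prune(ip, now)
        q = self._failures[ip]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that address."""
        self._failures.pop(ip, None)

    def attempt(self, ip, password_ok, now):
        """Outcome of one login attempt: 'locked', 'ok', 'failed' or 'locked_now'.
        A locked address is refused before the password is even checked."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.record_success(ip)
            return "ok"
        return "locked_now" if self.record_failure(ip, now) else "failed"
```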

Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it is easier for hackers to guess your table names. This is why we recommend changing it.

You can change your database prefix by following our step by step tutorial on how to change the WordPress database prefix to improve security.

Note: This can break your site if it’s not done properly. Only proceed if you feel comfortable with your coding skills.

Password Protect WordPress Admin and Login Page

Password protecting wp-admin

Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.

You can add an additional layer of password protection on the server side, which will effectively block those requests.

Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.

Disable Directory Indexing and Browsing

Directory browsing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see the .htaccess file in WordPress.

After that, you need to add the following line at the end of the .htaccess file:

Options -Indexes

Don’t forget to save the .htaccess file and upload it back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.

Disable XML-RPC in WordPress

XML-RPC was enabled by default in WordPress 3.5 because it helps connect your WordPress site with web and mobile apps.

However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which would be caught and blocked by the login lockdown plugin.

But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.

This is why if you’re not using XML-RPC, we recommend that you disable it.

There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.

Tip: The .htaccess method is the best one because it’s the least resource intensive.

If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
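To see why system.multicall matters, this added example (not WordPress, Wordfence or Sucuri code) parses an XML-RPC request body with Python’s standard library the way a firewall rule could, and blocks a multicall that bundles more than a few credential-taking calls into one HTTP request. The method list, the limit of 5 and the sample requests are assumptions constructed for the example.

```python
import xmlrpc.client

# WordPress XML-RPC methods that take a username and password as parameters,
# so each one inside a multicall is one password check (assumed list).
CREDENTIAL_METHODS = {"wp.getUsersBlogs", "wp.getProfile", "wp.getOptions"}
MAX_CREDENTIAL_CALLS = 5   # assumed limit per request


def inspect_xmlrpc(body):
    """Return ("allow" | "block", reason) for one XML-RPC request body."""
    try:
        params, method = xmlrpc.client.loads(body)
    except Exception as exc:  # malformed XML or not a methodCall at all
        return "block", "unparseable XML-RPC body: %s" % exc
    if method != "system.multicall":
        return "allow", "single call to %s" % method
    # A multicall carries one parameter: an array of {methodName, params} structs.
    calls = params[0] if params and isinstance(params[0], list) else []
    names = [c.get("methodName") for c in calls if isinstance(c, dict)]
    if "system.multicall" in names:
        return "block", "nested system.multicall"
    credential_calls = sum(1 for n in names if n in CREDENTIAL_METHODS)
    if credential_calls > MAX_CREDENTIAL_CALLS:
        return "block", "%d credential-checking calls in one request" % credential_calls
    return "allow", "multicall with %d calls" % len(names)


def sample_multicall(n):
    """Constructed request bundling n wp.getUsersBlogs calls in one body."""
    calls = [{"methodName": "wp.getUsersBlogs", "params": ["user", "secret"]}
             for _ in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


def sample_single_call():
    """Constructed ordinary request: one wp.getUsersBlogs call."""
    return xmlrpc.client.dumps(("user", "secret"), methodname="wp.getUsersBlogs")
```

The same count is what a login limiter should charge against the client address, so that a multicall of 50 calls counts as 50 attempts rather than one.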

Automatically log out Idle Users in WordPress

Logged-in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You will need to install and activate the Idle User Logout plugin. Upon activation, visit Settings » Idle User Logout page to configure plugin settings.

Logout idle user

Simply set the time duration and uncheck the box next to ‘Disable in wp admin’ option for better security. Don’t forget to click on the save changes button to store your settings.

For more detailed instructions, see our guide on how to automatically log out idle users in WordPress.

Add Security Questions to WordPress Login Screen

Security questions on login screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.

Fixing a Hacked WordPress Site

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

Cleaning up a hacked WordPress site can be very difficult and time-consuming. Our first advice would be to let a professional take care of it.

Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.

That’s all. We hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.

Sucuri vs CloudFlare (Pros and Cons) – Which One is Better?

The post Sucuri vs CloudFlare (Pros and Cons) – Which One is Better? appeared first on WPBeginner.

Due to an increased emphasis on website security in today’s digital landscape, one of the most common requests we’ve gotten from readers is to do a pros and cons analysis of Sucuri vs CloudFlare to explain which one is better. Sucuri and CloudFlare are online services that offer website firewall, CDN, and DDoS protection services. In this article, we will compare Sucuri vs Cloudflare with pros and cons to find out which one is better.

Sucuri vs CloudFlare (Pros and Cons)

Even the most secure websites on the internet are vulnerable to distributed denial of service attacks (DDoS), hacking attempts, and malware injection.

As a WordPress site owner, you can use security best practices like password protecting the admin directory, limiting login attempts, adding two-factor authentication, etc.

However, these tips only work at the software level, which leaves your website mostly open to other types of attacks. These attacks can cause financial damage, data loss, poor search rankings, and a bad user experience.

Sucuri and CloudFlare both offer a web application firewall (WAF).

This means that all your website’s traffic goes through their servers, where it is scanned. If a request looks malicious, then the firewall blocks it before it even reaches your website.

On the surface, these two services look nearly identical, but there are some key differences.

In this comparison, we’ll focus on:

  • Features
  • Pricing
  • Malware Removal Service

By the end, you’ll know exactly which platform is best for you.

Ready? Let’s compare Sucuri vs Cloudflare.

Features

In this section, we will look at the features offered by Sucuri and CloudFlare.

It’s important to note that both services offer different plans, each with a different set of features.

As a user, don’t be misled by their marketing sites, because not all plans come with all the features.

CloudFlare Features

CloudFlare is best known for their free CDN service. They specialize in mitigating DDOS attacks using their Website Application Firewall product. CloudFlare keeps your site available to users during an attack or under heavy traffic when your server is not responsive.

Their website firewall blocks suspicious traffic before it even reaches your website. The firewall also extends to form submissions which protects your website from comment spam and registration spam.

CloudFlare website firewall

CloudFlare also offers free and custom SSL certificates with all their plans. Free and Pro plans only allow you to use a CloudFlare-issued certificate. For a custom certificate, you will need to upgrade to their Business or Enterprise plan.

While CloudFlare offers a free option that includes CDN, most other features, including their Website Application Firewall, require a paid plan.

CloudFlare doesn’t offer a server scanning service to detect malware. It also doesn’t offer a malware removal guarantee if you were to be hacked on their watch.

Sucuri Features

Sucuri is one of the most reputable website security and monitoring services. They offer comprehensive website monitoring, scanning for malware, DDoS protection, and malware removal services.

Sucuri offers CloudProxy, a website firewall and load balancing service. It stops suspicious traffic before it reaches your website, blocking DDoS attacks, code injection, bad bots, and other website threats. See our case study of how Sucuri helped us block 450,000 attacks in 3 months.

Sucuri offers integration with the free Let’s Encrypt SSL for their basic plan. You can also use custom SSL certificates with their professional and business plans.

Sucuri CloudProxy

Sucuri scans your website regularly for file changes, code injection, and malware. They clean up hacked sites, with support for all popular CMS software like WordPress, Joomla, Drupal, etc.

Winner: Sucuri is a clear winner because they offer a better combination of tools and services (Website Firewall + Load Balancing + Malware Cleanup / Hack Repair).

Pricing

Pricing is an important factor for many small businesses.

Here, we will compare the different pricing plans offered by CloudFlare and Sucuri, so you know exactly what you’re getting for your money.

FREE is not always better :)

CloudFlare Pricing Plans

CloudFlare offers a free CDN service for all. They don’t charge you for the bandwidth which means you will be able to use their free CDN regardless of your traffic volume.

However, this free plan does not come with the website application firewall. Your website may benefit from CDN, but it will not be properly protected against DDoS attacks, spam, bad traffic, etc.

For their web application firewall, you need the Pro plan which costs $20 / month (this is what you need for improved security).

This pro plan does not include advanced DDoS mitigation and custom SSL. For those features, you will need their Business plan which costs $200 per month.

Sucuri Pricing Plans

Unlike CloudFlare, Sucuri doesn’t offer a free plan. Their website security stack plan starts at $199.99 per year, which is cheaper than CloudFlare’s Pro plan.

This basic plan includes full website monitoring, website application firewall, DDoS protection, malware removal, and free LetsEncrypt SSL certificate.

Instead of excluding features from lower level plans, Sucuri uses priority as an incentive for their higher paying plans.

For example, the estimated malware removal time is 12 hours for the basic plan, 6 hours for the professional plan, and 4 hours for the business plan. However, the actual cleanup times are much faster than that for all customers.

They offer 24/7 support as part of all plans. Their business plan subscribers can also use the Live Chat support.

Winner: Sucuri is an obvious choice for small businesses when it comes to pricing. CloudFlare Pro costs $240 / year vs Sucuri at $199 / year, and Sucuri offers more features. To unlock the same features, you’d have to move up to CloudFlare’s $2400 / year plan. Sucuri’s most expensive plan is $499 / year.

Malware Removal Service

Apart from denial of service attacks, malware and code injections are the most common threats faced by WordPress site owners.

Let’s see how both services protect your website against those common threats.

Website security and malware removal

CloudFlare – Security and Malware Removal

CloudFlare’s free version is basically a content delivery network which helps make your website fast.

The website security firewall comes with their paid plans. It includes CloudFlare’s ready-to-use custom rule set. These rules protect your site from common code injection hacks, XSS JavaScript exploits, and abusive form submissions.

However, they do not offer file change detection, malware scanning, blacklist monitoring, and many other security features. You can add third-party apps for malware scanning, but these services will cost you additional fees.

Sucuri – Security and Malware Removal

Sucuri is a security focused company. They specialize in monitoring websites and protecting them against malware and other attacks.

Sucuri’s website application firewall protects you against DDOS, SQL injections, XSS JavaScript injections, and comment and contact form spam.

However, if something crosses all those security barriers and somehow reaches your website, then Sucuri offers to clean up your website (for free).

If you already have a website affected with malware, then Sucuri will clean that up as well.

Winner: Sucuri – For combining website application firewall with monitoring, malware protection, and clean up services.

Conclusion

CloudFlare and Sucuri both offer protection against DDoS attacks on your website. CloudFlare does a little better in the content delivery network area.

Sucuri fares better on overall features, security monitoring, and price. If you are using a CMS like WordPress, then Sucuri is what you need.

We hope this article helped you compare pros and cons of Sucuri vs CloudFlare. You may also want to see our list of 7 best WordPress backup plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

How to Add McAfee SECURE Seal to Your WordPress Site for Free

To leave a comment please visit How to Add McAfee SECURE Seal to Your WordPress Site for Free on WPBeginner.

If you’ve shopped on the internet, then you’re probably familiar with website security seals such as Norton and McAfee. These badges show users that you have taken all the necessary precautions to make your website safe and secure. This social proof helps increase users’ trust, making them more likely to subscribe to your website and make a purchase. In this article, we will show you how to easily add the McAfee SECURE seal to your WordPress site for free.

McAfee SECURE Trust seal on a WordPress site

What is McAfee SECURE?

McAfee SECURE is a new certification program by McAfee that lets your visitors know that your website is safe.

This is a great solution for small business owners because it allows you to display the McAfee SECURE seal on your website for up to 500,000 visitors per month, at no charge.

Social proof such as security seals has been shown to boost engagement and increase sales. The video below explains what this security seal does in 50 seconds:

How to Install McAfee SECURE in WordPress

First thing you need to do is install and activate the McAfee SECURE plugin on your website. Upon activation, you need to visit Settings » McAfee SECURE to configure the plugin.

McAfee SECURE plugin settings

Simply provide your email address and your website’s domain name and then click on the get started button.

This will take you to McAfee Secure website, where you need to provide your personal and business information like name, company name, phone number, etc.

Creating your McAfee SECURE account

McAfee will now run some tests on your site, and you will land on a confirmation page. This page will show all tests passed under the security heading. You will also be reminded to confirm your email address. Simply check your inbox for an email from McAfee and then click on the confirmation link inside it.

Confirmation page

Since you already have the plugin installed on your WordPress site, the McAfee SECURE trust badge will be automatically installed on your site. You can simply visit your website to see it in action.

To further strengthen your security, you can add SSL and HTTPS to WordPress. We also recommend using Sucuri to regularly monitor your website for malicious code and activity.

We hope this article helped you add the McAfee SECURE badge to your WordPress site. You may also want to take a look at our list of 40 useful tools to manage and grow your WordPress blog.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Why You Should Always Use the Latest Version of WordPress

To leave a comment please visit Why You Should Always Use the Latest Version of WordPress on WPBeginner.

Every time a new WordPress update comes out, we get several emails from users asking whether it’s safe to update their WordPress site. Are you wondering whether you should update your WordPress to the latest version? Want to know the pros and cons of updating WordPress? In this article, we will explain why it is crucial that you always use the latest version of WordPress as well as show you how to properly update WordPress.

Update WordPress

WordPress is free, and it is developed by a community of developers. With each new release, they fix bugs, add new features, improve performance, and enhance existing features to stay up to date with new industry standards.

In other words, when you do not update your WordPress site, you are risking your website’s security and missing out on new features and improvements.

Let’s take a look at pros and cons of updating WordPress.

1. Security

Security is arguably the most important reason why you should keep your WordPress website up to date.

WordPress currently powers 23% of all websites in the world. Due to its immense popularity, WordPress is a popular target for hackers, malicious code distributors, data thieves, and wannabe hackers.

CMS Marketshare

Since WordPress is open source, anyone can study the source code to learn and improve it. However, it also means that hackers can study it too and find ways to break into websites.

Now the good part is that not all hackers are bad. There are a lot more good hackers than bad ones which means that security experts around the world can study the code and properly report security bugs / fixes. Every time a security vulnerability is reported, the core WordPress team works diligently to release an update that fixes the issue.

This means that if you are not using the latest version of WordPress, then you are using software with known security vulnerabilities. Hackers can search for websites running the older version, and you may become a victim of a sophisticated attack.

It is not just WordPress core: plugins and themes can also be exploited by hackers. You need to make sure that all your WordPress plugins, themes, and the core itself are always up to date.

2. Cool New Features

Each major WordPress release comes with new features and changes to the software. For example, WordPress 4.0 came with improved plugin install experience, 4.1 introduced inline image editing, and 4.2 came with faster plugin updates.

WordPress 4.2 introduced faster plugin updates

Now if you were using an older version of WordPress, then your WordPress experience would be a lot different than someone using the latest version.

You will have trouble finding WordPress help online because you are using an older version. Users on WordPress support forums will assume that you are using the latest version of WordPress.

3. Speed

Each new WordPress version improves performance

WordPress developers are always trying to make things faster. Each new release comes with several performance improvements that make WordPress run faster and more efficiently.

For example, WordPress 4.2 improved JS performance for navigation menus, and WordPress 4.1 improved complex queries which helped with performance of sites using those queries.

Since speed is a huge factor in SEO, you should definitely keep your WordPress updated to ensure maximum performance benefits.

4. Bug Fixes

Older WordPress versions may have bugs

Despite the rigorous testing of major WordPress releases, sometimes bugs may slip through the cracks. That’s why there are timely minor WordPress releases (the ones with X.X.X) to account for that. For example, the most recent WordPress 4.2.3 update fixed 20 bugs from the 4.2 release.

Now if you go to WordPress support forums asking for help, the first advice you will get is to update WordPress because that may fix the issue. If you insist on not updating WordPress, then you will be unable to receive help.

5. Compatibility (or NOT)

Often plugin and theme developers coordinate their updates with major WordPress releases to ensure they’re taking advantage of newly available features and enhancements.

However, in some cases an update can break your existing WordPress plugins if they weren’t following best practices and coding standards.

This is why it is crucial that you keep regular WordPress backups.

To sum this up, the only downside is that in some rare cases your site will break. However the upside is that you have:

  • Improved WordPress security
  • Cool new WordPress features
  • Faster WordPress experience
  • A bug free WordPress website
  • Better compatibility

Now that you know why it’s important to keep your WordPress site updated, let’s take a look at how to update WordPress.

How to Keep Your WordPress Site Updated

Updating your WordPress core, plugins, and themes whenever there is a new update for them is fairly easy. WordPress comes with a built-in update notification system. It highlights the number of available updates when you log into your WordPress dashboard.

WordPress updates screen

All you need to do is visit Dashboard » Updates page and install those updates. This is a one-click process.

However, since many website owners do not log in to their WordPress dashboard daily, they may not even know that an update is available for days. Thankfully, you have a few options.

If you’re using WordPress 3.7 or above, then automatic updates are turned on for minor releases (which are reserved for security and bugfixes). You can turn on automatic updates for major releases, plugins as well as themes.

Alternatively, you can get email notifications when there is a new update for your WordPress site.

Get Email Notifications for Updates in WordPress

When you’re busy running your business, logging into your site to check for updates is usually the last thing on your mind. Wouldn’t it be easier if you could get an email notification whenever there is an update on your WordPress sites?

Well that’s possible.

First thing you need to do is install and activate the WP Updates Notifier plugin. Upon activation, visit Settings » Updates Notifier to configure the plugin settings.

WordPress update notification plugin settings

This plugin uses WordPress cron to check your site for updates every hour. You can change that to once or twice daily. When there is a new update available, this plugin will send you an email notification.

By default it checks for WordPress core updates, plugin updates, and theme updates. All you need to do is click on the ‘Save settings with test email’ button.

If you do not receive the test email from the plugin, then check out our guide on how to fix the WordPress not sending email issue.

Auto Install WordPress Updates

You can automate the process even further. WordPress allows you to enable automatic updates for major releases, plugins, and themes.

This option is risky if you’re not using managed WordPress hosting. Managed WordPress hosting companies automatically update your site to major WordPress versions and keep an eye out if something breaks.

If you turn on automatic updates, then there is a slight risk that your site may break and you won’t be online to fix it right away. That said, if you would like to enable automatic updates, then there are two ways to do it (plugin method and code method).

Let’s take a look at the plugin method first.

First you need to install and activate the Easy Updates Manager plugin. Upon activation, you need to visit Dashboard » Update Options page to configure the plugin.

Setting up WordPress automatic updates

Now you need to scroll down to automatic updates section where you can enable automatic updates for core, plugins, themes, and translation files. Once you are done, simply save your settings.

Enable Auto Updates Using wp-config File

You can enable automatic updates for WordPress core by simply adding this line to your wp-config.php file.

define('WP_AUTO_UPDATE_CORE', true);

If you also want to automatically update your themes and plugins, then you would need to add this to your theme’s functions.php file or a site specific plugin.

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
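The two filters above switch auto-updates on for every plugin and theme. As an added example (not from the WPBeginner article), the same filters can be used selectively, which limits the "site breaks while nobody is watching" risk mentioned earlier to add-ons you have already tested. It relies on the filters receiving ($update, $item) with $item->slug for plugins and $item->theme for themes; the plugin/theme slugs listed are placeholders.

```php
<?php
/*
Plugin Name: Example Selective Auto Updates
Description: Added example, not from the WPBeginner article. Auto-updates only the
             plugins and themes listed below; everything else keeps WordPress's
             default behaviour (manual update from Dashboard » Updates).
*/

/**
 * Plugins that may update unattended (placeholder slugs: use the directory
 * name of plugins you have verified update cleanly on a staging copy).
 */
function wpb_example_trusted_plugin_slugs() {
    return array( 'akismet', 'example-plugin-slug' );
}

/**
 * Themes that may update unattended (placeholder: the theme's stylesheet slug).
 */
function wpb_example_trusted_theme_slugs() {
    return array( 'twentyfifteen' );
}

/**
 * auto_update_plugin passes ($update, $item). Returning true forces an
 * unattended update; returning $update leaves the core decision untouched,
 * so untrusted plugins are neither forced on nor forced off.
 */
function wpb_example_auto_update_trusted_plugins( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, wpb_example_trusted_plugin_slugs(), true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'wpb_example_auto_update_trusted_plugins', 10, 2 );

/**
 * Same idea for themes; the update item identifies the theme by its
 * stylesheet slug in $item->theme.
 */
function wpb_example_auto_update_trusted_themes( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, wpb_example_trusted_theme_slugs(), true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_theme', 'wpb_example_auto_update_trusted_themes', 10, 2 );
```

Core security releases stay automatic as described above (WordPress 3.7+ defaults), so this plugin only changes what happens to the add-ons you name in it.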

We hope this article helped you learn why you should always use the latest version of WordPress. You may also want to check out our expert pick of 20 must have WordPress plugins for 2015.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
