10 Comments


  1. That’s a great post and I’ve been using these plugins on most of my sites (in addition to some alternatives of the Exploit Scanner).

    My favorite one is definitely the WordPress File Monitor, as most of the hacked sites I’m dealing with are due to hacked account on a shared hosting or a plugin vulnerability that allows for shell upload, or anything like that. Catching that break in an early stage allows you to take actions and prevent future issues, and rewind through the logs and see how/when it happen exactly.

    Reply

  2. Hi Sarah
    I use the paid Sucuri service on all my sites.
    The guys there are very good and will take a look if you think you have a problem.

    Wordfence looks like a fabulous plugin with tons of features. The problem with complex plugins like that is knowing how to configure them.

    Good in-depth post Sarah thanks for putting it together.

    Reply
  3. bb

    Thanks a lot Sarah…more beer for ya!

    Reply

  4. I disagree a little with your post. First, detection is important, but far better to lock the door so they just can’t get in. I use a layers approach to security that has worked very well (fingers crossed)(knock on wood). About 18 months ago, I have over 1,000 WP sites, and had done everything you suggest above File Monitoring, WordFence, and Sucuri – and within 30 days over 70% of my sites were hacked. I deleted every site and started over, and experimented until I found a combo that kept them out. The bad news, is that is comes with a performance cost. But here is MY checklist:

    1: Find a theme that has a good history of updates – this is one of your most important defenses. And keep it updated. If the theme hasn’t been updated for a least 6 months, dump it and go to a newer theme with good reviews and a recent history.
    2: Better Security Plugin – use it all, turn on everything
    3: Bulletproof Security – both Better and BulletProof do different things, and reinforce each other well – forget WordFence
    4: Sucuri – it’s 1 click feature fills in a couple of gaps, and gives you a good scanner
    5: ManageWP – this is a paid external monitoring service – worth it’s weight in gold if you have more than one site – though BetterSecurity disables some of it’s update features – but WP 3.7.1 + an Auto Update Plugin interface makes up for that.
    6: Captcha plugin, defeats most dictionary password hack attempts, and is constantly updated.

    So in summary, there are a few things you are doing: Login Security layered, htaccess security layered, Banning bad visitors and auto updating your banned lists (learn how to ban by country too using IP addresses), monitor changes sanely, do security.

    One more thing, WUSSUP or SLIMSTAT plugin, these give you a easy way to see spammers and hack attempts – see one, then throw their IP in your Banned Visitors list (BetterSecurity) – because they don’t give up, and most are automated using the same IPs constantly. Block them and they go away.

    If this sounds like a lot of work? It’s not as much as you thing, once you have this down to muscle memory. Once you understand your tool, you can easily update and maintain. This is all a lot of overhead, but it works – until it doesn’t, but at least we finally have auto updating to fix the single biggest problem – old WP versions.

    One last thing, if you are on a virtual or shared host, be sure to check you host IP address against the Google and other services to see if someone else that has an account on your shared IP has malware, because it can get you blacklisted too!

    One last thing you must do. Sign up with Google Webmaster Tools, they will alert you directly of problems. And it gives you some help if you get blacklisted.

    Good luck, this is not easy, and it requires both learning and work, but you can improve your odds with the above!

    Cheers,
    Dr. Tim,
    McGuinnessPublishing®

    Reply

  5. @Tim McGuinness – Thanks for your input, Tim. I agree, there’s a lot more to security than what’s included in this post. I wanted to take the angle of file monitoring specifically, as file tampering is a problem that WordPress users often encounter. Certainly there are a myriad of solutions for providing greater levels of security for other threats.

    Reply


  6. Great Post

    A great plugin i would recommend to wordpress users is Better WP Security, with its multiple features, which are to many to list. and its one to have a browse at if not install.

    Reply

  7. Thanks for this list of plugins! WordPress File Monitor Plus looks good, but it was last updated over a year ago. I’d be concerned that by using that plugin, it may notify me of changed files, but it may also put my site at risk since it’s outdated!

    Reply

Leave a Reply