It's been another of “those” weeks, with WordPress security services causing me to tear my hair out. Do they work, or do they not? I have tried several over the last months and yet I still find myself in crisis every so often.
I was working away on my blog quite happily last week, made my usual weekly post, then later that night I just wanted to check – before going to bed – that I had “handled” all my comments.
Can't Login To WordPress
Hmmm – well it was late (it always is) so I decided to leave everything until the next day, because sometimes these things sort themselves out with a reboot and a sleep (by me AND the PC).
But no – I was solidly locked out, not just a “forgotten password” type of lock out, but a “weird messages appearing on my screen” type of lock out. That's as technical as I want to get!!
Let me say first off that I already have in place what I consider as the “basics” of security on my site.
WordPress Security Basics
There are some basic tips that everyone should follow, and I have been doing these since I learned how important they are.
- My theme and plugins are up-to-date, I check almost daily
- I do not use admin as a username
- I use a strong password – it is 24 characters long and includes symbols
- I use a strong hosting password – 18 characters and symbols
- I stop brute force attacks by limiting the number of times people can attempt to log in, using the free plugin Wordfence for this
Compromised Or Not?
I contacted my hosting company and they responded pretty fast saying my site had been compromised and sent a scan of “suspect” files to delete or repair, plus standard advice about securing a WordPress site (all of which was already in place).
However, when I looked at the “suspect” files list, I couldn't see anything wrong with them (not that I was sure what I was looking for!) and one of the files was a text file within my security plugin Wordfence!
It seemed a bit crazy just to start deleting random files so I decided to investigate further.
- I have a paid security plugin WP Site Guardian too, so I contacted their support desk because, for a non-techy blogger, the messages from their plugin aren't terribly user-friendly. They couldn't see a problem and said that often hosting company scans report “false positives”.
- I downloaded my site to my PC and scanned with a couple of anti-virus programs, nothing found.
Free Online Malware Scan
If only I had known about Sucuri Free Website Malware and Security Scanner.
As of today, I have checked my site and it's all clean, but unfortunately I didn't find this free version of Sucuri until several days later; the hosting company pointed me in the direction of a paid version.
Now admittedly (a) I have fixed the problem that ManageWP's scan identified and (b) the Sucuri free scan doesn't promise to be 100% effective. You need the paid version for that!
But it's a helpful start, so you may like to bookmark it!
However, going back to where I was a week ago from now, without the benefit of knowing how to do the free online malware scan, I was flummoxed as to whether my site had WordPress security issues or not.
All I knew was that I couldn't log in to WordPress and I had no idea why. Then I found…
Another Way In!
I remembered that there's a security scan on my ManageWP.com dashboard, so I logged into that.
- First surprise, I could actually log in to my site – which I couldn't from the usual WP login
- Second surprise – the ManageWP.com scan showed my sites as “clean”. (Google webmaster tools did too.)
I asked ManageWP.com why I could login via their dashboard and not the usual login, and they were super helpful. That's much appreciated given that their application was working perfectly!
They did an entirely different and more in-depth scan which showed a problem in “mu-plugins” (apparently that's “must-use” plugins) that hadn't been picked up by the hosting company. I emailed the new scan to the hosting company and a different advisor from my first one deleted the corrupt area, recreated it “empty”, and all was well.
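Must-use plugins load automatically and never show up in the dashboard plugin list, which is why a problem in mu-plugins can sit unnoticed by a surface scan. The following is an added example, not code from this post or from any of the services it mentions: a small audit that lists every file in mu-plugins that the site owner did not put there and flags PHP files containing patterns commonly seen in obfuscated code. The directory tree and the expected-file list are constructed for the demonstration.

```python
"""Audit a WordPress mu-plugins directory for files the site owner did not add.

Constructed example: the directory contents below are built in a temp folder,
not read from a real site.
"""
import re
import tempfile
from pathlib import Path

# Constructs that often appear in obfuscated PHP droppers. A hit is a reason
# to inspect the file by hand, not proof of compromise on its own.
SUSPICIOUS = [
    re.compile(rb"\beval\s*\("),
    re.compile(rb"base64_decode\s*\("),
    re.compile(rb"gzinflate\s*\("),
    re.compile(rb"str_rot13\s*\("),
]


def audit_mu_plugins(mu_dir: Path, expected: set) -> dict:
    """Return {'unexpected': [...], 'suspicious': [...]} for files under mu_dir.

    'expected' holds the relative paths of files the owner knows about;
    anything else is reported as unexpected. PHP files are also grepped for
    the SUSPICIOUS patterns above.
    """
    report = {"unexpected": [], "suspicious": []}
    if not mu_dir.is_dir():
        return report
    for path in sorted(mu_dir.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(mu_dir).as_posix()
        if rel not in expected:
            report["unexpected"].append(rel)
        if path.suffix.lower() == ".php":
            data = path.read_bytes()
            if any(p.search(data) for p in SUSPICIOUS):
                report["suspicious"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed mu-plugins tree and audit it."""
    mu = Path(tempfile.mkdtemp()) / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    (mu / "site-tweaks.php").write_text("<?php add_filter('show_admin_bar', '__return_false');\n")
    (mu / ".htaccess").write_text("deny from all\n")  # harmless, but not on the owner's list
    (mu / "wp-cache-helper.php").write_text("<?php eval(base64_decode('...'));\n")  # constructed sample
    return audit_mu_plugins(mu, {"site-tweaks.php"})


if __name__ == "__main__":
    print(demo())
```

Run it against a real site by pointing `audit_mu_plugins` at `wp-content/mu-plugins` with the list of files you know you installed; anything reported as unexpected or suspicious is what to ask your host or security plugin support about.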
Although I've condensed that into a few words, it took HOURS to resolve and ended up with me staying up until 5am to finally get my site back again about 30 hours after I first noticed the problem.
This isn't fun. I seem to spend more time fighting my site than writing it.
Enstine Muki To The Rescue
I was chatting by email with Enstine Muki about something entirely different and mentioned that I was stressed (again) because of problems with my site being compromised.
He asked me if I was using a CDN (Content Delivery Network).
Although I'd heard of them, I didn't know much about them, because I'd assumed they were “expensive and technical to set up”. Quick education from Enstine came in the form of a recommendation to read the two articles below – plus the revelation that a CDN can be free with CloudFlare.com and that there should be a free service with my hosting company.
Free Or Not Free?
Although my hosting company account included free access to Cloudflare, including WordPress security services, that free plan didn't include SSL support, whereas CloudFlare's own free plan does.
The hosting company says that their free plan gives extra speed instead.
I was tempted to switch off my SSL until Enstine reminded me that having SSL could help with ranking in Google.
So, instead, Enstine suggested that it looked pretty straightforward to set up CloudFlare directly, rather than via the hosting company.
We decided to give it a try!
Easy Or Not Easy?
Well, we've all heard that certain technical things are “easy” but the question is “easy for whom?” I'm not a “technical” blogger, and have no aspirations to become one!
I want my blog to be like my car – start it up, and away I go.
To my relief I can honestly say that setting up CloudFlare WAS easy, and I had it done in a few minutes.
Setting Up A Content Delivery Network
Enstine explained that the stages involved were:
- First, create a CloudFlare account
- Then add your domain to it
- CloudFlare will give you Nameservers for your domain
- Change the Nameservers at the level of your domain registrar
I did everything without a hitch and received a “Welcome” email from CloudFlare. They assured me that my site wouldn't be “down” at all.
There was only one potential worry, because my hosting company advised me that I would need to:
Keep in mind that after using their DNS Zone you will then need to point the “A” record for your domain to your server at your hosting company
This threw me a little, because although I have heard of “A” records I don't know how to change them.
I rang my domain registrar, GoDaddy.com, and they were very helpful but explained that the A records would be associated with the CloudFlare DNS. So I checked my CloudFlare account and found it had already been done with the automatic set up. So even that potential scary bit had been handled!
Enhanced Security Protection With CDN
Amazingly, while he was helping me do all this by email, Enstine had an idea for a blog post about WordPress Security showing how the CloudFlare CDN had protected his site from hackers. If you haven't got a CDN, it makes scary but essential reading!
To have produced a blog post of that quality while still answering my emails, I can only think (as I've thought all along) that Enstine is a complete productivity genius, and one really kind blogger to have taken so much trouble to help me!
Effect Of CDN On My WordPress Security
You've seen Enstine's results above and they're impressive.
Even though I only implemented Cloudflare yesterday, I can already see that 12 threats have been stopped. That may not seem many to people with high traffic, but if I can keep 12 hackers off my site in just one day, that's good enough for me.
I'll be watching with interest as I spend longer using Cloudflare.
Your WordPress Security Services?
- Are you using a CDN?
- Do you often get WordPress security issues?
- If not, what extra measures are you using that I'm missing?
- What WordPress security services do you trust?
I'd love to read your comments about your experiences with WordPress security services.