11 WordPress Security Solutions

Numerous WordPress security solutions are available in the WordPress ecosystem. But a lot of them address just a few security issues rather than addressing threats comprehensively. And a lot of them don't have the staying power and support to be viable for years to come. With far too many WordPress website designers knowing little to nothing about security, you need to be aware of the threat and with reliable website security solutions. Or, you can hire experts to do that for you.

One simple security theory that we follow is that the more difficult we make it for bots to scan your site looking for vulnerabilities, the quicker they'll move on to find other, less secure websites. With that in mind, eleven of the website security methods we employ on your behalf are listed below.

1. Hardening your website against hackers in multiple ways, including...
   • Requiring strong user login credentials such as mandatory complex passwords, refusal of compromised passwords, mandatory periodic updating of passwords, and requiring use of 2 factor authentication (2FA) and/or CAPTCHA
   • Optional time of day and day of week limits on when your website's backend admin panel can be accessed
   • File change detection for WordPress core files and plugin files, with file changes then put through a file comparison system to see if the changes match the approved versions at a central database location

2. Blocking / filtering spam from your website form(s)
   • Protection against spam form submissions that integrates with popular WordPress forms processing solutions and that creates an optional separate spam folder for your review.
   • Protection against spam user comments on your blog articles so that good, relevant comments get through but spam gets blocked
3. We run daily malware scans to identify and eliminate viruses and malicious code insertions
   • Two different malware scans are run daily for our full security clients. These provide daily notification so that security vulnerabilities can be assessed and addressed quickly.
   • We review weekly security reports from a compendium of WordPress website security experts detailing newly discovered security issues for WordPress core files, WordPress plugins and WordPress themes and we proactively take action before an actual problem occurs when any of our client sites might be affected.
4. Reducing your website's target profile by changing and hiding default locations that hackers expect for important WordPress files and functions
   • We change / hide your login location so it is not the default /wp-admin/ login location, so brute force attack hackers can't even find a place to run thousands of username & login combinations attempting to gain entry to your website. We can change the login address to almost anything. For example, instead of using the default "/wp-admin" location, we could make the login location at "/7tiny-flying-giraffes" or "/popcorn-meatball-salad". And we can change that periodically so that no nefarious actor will ever know where your website's back door is located.
   • We hide your WordPress version which an person of bot can lookup so hacker bots cannot see which version of WordPress you are running. By default, your WordPress version shows when looking at your website's source code, which is publicly available for any website page with only two clicks. Your WordPress version helps hackers identify out-of-date websites so that they can attack old vulnerabilities that have not been patched in your out-of-date version of WordPress.
   • We can hide all kinds of important system files like .htaccess, wp-config.php, wp-includes.php. We can disable directory browsing and we can change the prefix of all files that begin with the ubiquitous "wp-whatever.php". For example, the default prefix to files could become "xq-whatever.php". Since bots look for "wp-" your website will be safer hiding with the alternate "xq-" or "kz-" or any other prefix we want to use.
5. Protecting your website against brute force attacks
   • We limit the number of login attempts in a short time span, and block anyone who exceeds the threshold; hacker bots can't just keep guessing your username and password because they get blocked quickly
   • Our brute force attack protection uses a login ban list that is aggregated and continually updated from brute force attack data from multiple security networks nationwide and worldwide
   • We run brute force attack protection at both the website level and at the server level
6. Updating back-end components on your website (plugins, themes, WP core) to eliminate security vulnerabilities from out-of-date components
   • On either a weekly, monthly or quarterly basis, we make updates to all WordPress website components; WordPress core files, plugins and themes.
   • Your website is viewed and tested on multiple pages to assure that updates did not cause any errors. Updates to any components involving your inquiry forms are also tested by doing test form submissions to assure that your customers and potential customers can still contact you.
7. Backing up your website regularly to off-site, redundant locations
   • We offer daily or real-time backups of your website to off-site locations that are resilient through multiple, redundant server locations that are spread thousands of miles apart.
   • Most of our plans allow restoration to any point within the past 30 days. We can also quote you on a 365 day archive of backups to allow restoration to points farther back.
   • Additionally, we can restore to specific points after site updates on any day.
8. Installing secure socket layer (SSL) / transport security layer (TSL) for security, which is better SEO and trustworthiness. When SSL/TSL is present, you will see a padlock in the left side of the address bar and you will avoid your site visitors getting a warning screen about an insecure website.
9. Monitoring your website regularly for security issues, server performance and unscheduled downtime
   • We can use one, two or three website monitoring systems to provide instant notification when your website is down
   • Because of these timely notifications, we usually fix any website problems causing your downtime before you even notice there was a problem
10. Reporting security stats on a monthly or quarterly basis to clients
    • Optional reports that show an overview of some of the security issues that arise each month.
11. Redundant WordPress website security systems - We have tested numerous WordPress website security systems over the years and never found one yet that fully satisfied our security requirements. So for our clients, we use two different security suites that complement each other well in their capabilities. Not only do the two security systems fill in gaps for each other, they also double the monitoring and malware scans for your website. Plus, the redundancy assures that your WordPress website security will continue even if one of those security systems has any temporary downtime.

Few website & digital marketing agencies offer this comprehensive approach to your website’s security. So if your website is important to your business and you don't want to gamble with getting hacked, contact us today for a WordPress website security review! Or go to our WordPress Security Threats page to review or learn more about website security threats faced by all small businesses every day.

Numerous WordPress security solutions are available in the WordPress ecosystem. But a lot of them address just a few security issues rather than addressing threats comprehensively. And far too many WordPress website designers know little to nothing about security.

One of the most simple security tests for WordPress websites is to check their backend login location. Follow these two simple steps to test any website you want. For example, you could test your own website, a competitor's website, or just any website that you like.

1. How do I know if a website is a WordPress website? Simple... copy their URL from the address bar (like https://anywebsite.com) and paste it into the "Detect CMS" box at WhatCMS.org . If it says "WordPress" in the results, then it is a WordPress website.
2. If it is indeed a WordPress website, add "/wp-admin" to the end of the website's domain. Be sure to use the "/" forward slash (without the quotes) as shown. So, for example, "https://anywebsite.com" would become "https://anywebsite.com/wp-admin" (without the quotes). Put that in the address bar and press enter on your keyboard. If you see a login box (see image on the right), then this is one of the most basic security failures that should be fixed; Your login location should not use the default "/wp-admin" because it is so easy for bots to attack... See #4 above.

Your WordPress website is not secure unless you take active, comprehensive, ongoing measures to protect it. We know that you're busy running every aspect of your company daily, and that as a small business, you probably don't have employees experienced in WordPress security solutions.

Baer Web Design can be your WordPress security solution experts. We are experienced in WordPress website security and we can work with you to secure your website.