Did you know that 30,000 WordPress sites are hacked each day? With the WordPress Brute Force Attack that’s been going on this month and the generally insecure nature of WordPress itself, it pays to harden your blog against probes and attacks by hackers.
WordPress doesn’t have any inbuilt security (a major oversight) and those new to the platform may not be at all aware that a WordPress blog is easily hacked. So anyone using WordPress should educate themselves about how to protect their blogs. My report details how you can protect your blogs and how to recover if your site is hacked.
Secure Scan Pro
Coincidentally, at the time when there’s been a major attack on WordPress sites, a new security plugin has become available. There are already several security plugins, some free, some you pay for and each does its thing in a different way. Some are resource hungry, so can’t be used in a shared hosting environment. Other free plugins only provide premium features for a premium fee.
Secure Scan Pro is the new plugin. It’s light on resources and uses a traffic light system to tell you what vulnerabilities there are on your blog. 14 of the most common security holes in WordPress can be fixed by clicking a few buttons. Here’s what the plugin looks like when first installed:
There’s a single button on the screen to kick off a scan of vulnerabilities on your site which takes a minute or so to run and return results. Here’s what came up for one of my sites:
To fix an issue, it’s just a matter of clicking the Fix It button for any item that is listed as Bad. Once that’s done, the plugin settings look like this:
The Advanced Settings
SecureScanPro also has a section for advanced settings. These are not items that can be fixed with a Fix It button, but require you to manually change files like the php.ini file and some WordPress theme files.
Ironically, some of these changes (such as the one for Check if full WP version info is revealed in page’s meta data) need to be made BEFORE you click the Fix It button for the non-advanced setting Check if plugins/themes file editor is enabled, since that Fix It option disables the file editor in WordPress and you can no longer edit theme files from the dashboard.
You should strive to get as many green Good indicators in the Advanced Settings as possible, as each one will further secure your blog.
The Core Scanner
WordPress has a set of core files that are normally only changed by the WordPress developers themselves. Normal users should never change these files. What the Core Scanner does is check your WordPress core files against those on the WordPress Repository itself. Any changed files will be flagged. If you haven’t changed any core files, then it’s a fair bet that a hacker has made the changes.
Just click the Scan Core Files button to run a scan of your WordPress install and you’ll see results like these (unless your blog has been compromised):
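The check the Core Scanner performs is a file-integrity comparison: hash each core file on disk and compare it with a known-good value. The script below is an added illustration of that idea, not code from the SecureScanPro plugin; the three "core" files and their known-good hashes are constructed here in a temporary directory, and a real scanner would fetch the checksums WordPress publishes for the installed version rather than trusting anything found on the server.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample of a pristine core tree. The known-good manifest is derived
# from it below; a real scanner would download the checksums WordPress publishes
# for the installed version rather than trusting anything on the server.
SAMPLE_CORE = {
    "wp-settings.php": b"<?php // core bootstrap (constructed sample)\n",
    "wp-includes/version.php": b"<?php $wp_version = '0.0-sample';\n",
    "wp-admin/index.php": b"<?php // dashboard (constructed sample)\n",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Known-good manifest: relative path -> SHA-256 of the pristine content."""
    return {path: sha256_hex(content) for path, content in files.items()}

def scan_core(root: Path, manifest: dict) -> dict:
    """Flag core files whose hash differs, files that are missing, and PHP files
    under the core tree that the manifest never lists (a real scan would exclude
    wp-content, where plugins and themes legitimately add their own PHP)."""
    report = {"changed": [], "missing": [], "unexpected": []}
    for rel, good in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_hex(path.read_bytes()) != good:
            report["changed"].append(rel)
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo() -> dict:
    """Lay out the pristine tree in a temp dir, simulate tampering, then scan."""
    manifest = build_manifest(SAMPLE_CORE)
    root = Path(tempfile.mkdtemp())
    for rel, content in SAMPLE_CORE.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    # Simulated compromise: one core file edited, one deleted, one rogue file added.
    (root / "wp-settings.php").write_bytes(SAMPLE_CORE["wp-settings.php"] + b"// injected\n")
    (root / "wp-admin/index.php").unlink()
    (root / "wp-includes/class-rogue.php").write_bytes(b"<?php // not part of core\n")
    return scan_core(root, manifest)
```

Calling `demo()` returns a report listing the edited file under `changed`, the deleted one under `missing` and the dropped file under `unexpected`; on a clean install all three lists are empty.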
The Scanner Scheduler
Rather than having to remember to manually run a scan of your blog, SecureScanPro has a built-in scheduler. You can set it to run a scan of the SecureScanPro settings, the WordPress core files or both. Various intervals for running a scan are provided. I opted to run a core scan daily and be notified at my email address of any changes to those files so I can take any necessary remedial action.
The Login Protector
SecureScanPro also comes with a login protector. One very bad thing WordPress does when a login attempt fails is to tell you whether it was the username or the password that was incorrect. Hackers use this information because they then know which piece of information to hammer away at so they can crack it. If they’re never told which bit of login information is incorrect, they won’t know whether it’s the username, the password or both, making it harder to crack your site.
SecureScanPro removes the message that indicates which bit of your login info is incorrect.
It also (by default) adds a captcha to the login screen. Captchas can be machine readable but SecureScanPro uses a challenge question captcha in the form of a bit of math (e.g. Are you human? Please solve: 5+9).
Since most hackers don’t expect a captcha or challenge question on the login form, their attacks aren’t able to cope with them, so again it’s another level of security on your site.
SecureScanPro’s Login Protector Settings allow you to change the Captcha question text and colors and whether noise is added to the captcha image to make it more difficult for machines to read:
The other part of the Login Protector is the Banned IPs section. Here you can enter IP addresses for people you’d like to ban from accessing your blog. Typically, you’d get notified that someone on a particular IP address has made, say, five attempts to log into your blog. This is a sure sign that someone is probing your site for weaknesses. So you could put that IP address into the Banned IPs screen and prevent that person from ever seeing your site again. If you don’t do this, then how you set up the Login Protector will determine how long someone on that IP address is locked out for.
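The two Login Protector behaviours described above, the single generic error message and the per-IP lockout with a manually maintained ban list, are shown together in this added example. It is illustrative Python, not the plugin’s PHP: the user store, the IP addresses and the 15-minute lockout length are constructed assumptions (the plugin makes the lockout configurable), and `leaky_login` reproduces the default WordPress behaviour the post criticises so it can be compared with the hardened `LoginProtector`.

```python
import hashlib
import hmac
import time

# Constructed sample user store: username -> SHA-256 of password (real WordPress
# uses salted phpass hashes; a plain digest keeps the sample short).
USERS = {"editor": hashlib.sha256(b"correct horse").hexdigest()}
DUMMY_HASH = hashlib.sha256(b"no-such-user").hexdigest()
MAX_FAILURES = 5           # failed attempts before an IP is locked out
LOCKOUT_SECONDS = 15 * 60  # assumed lockout length; the plugin makes this configurable
GENERIC_ERROR = "Invalid username or password."

def check_password(username, password):
    # Hash and compare even for unknown users so response time does not
    # reveal whether the username exists.
    given = hashlib.sha256(password.encode()).hexdigest()
    ok = hmac.compare_digest(USERS.get(username, DUMMY_HASH), given)
    return ok and username in USERS

def leaky_login(username, password):
    """Default WordPress behaviour described in the post: the error names the field."""
    if username not in USERS:
        return (False, "Invalid username.")
    if not check_password(username, password):
        return (False, "The password you entered for this username is incorrect.")
    return (True, "Welcome")

class LoginProtector:
    # Hardened login: one generic error, per-IP lockout, permanent ban list.
    def __init__(self):
        self.failures = {}   # ip -> (failure count, time of first failure)
        self.banned = set()  # the manually maintained "Banned IPs" list
    def _locked_out(self, ip, now):
        count, since = self.failures.get(ip, (0, now))
        if count < MAX_FAILURES:
            return False
        if now - since < LOCKOUT_SECONDS:
            return True
        del self.failures[ip]  # lockout expired; the counter starts over
        return False
    def attempt(self, ip, username, password, now=None):
        now = time.time() if now is None else now
        if ip in self.banned or self._locked_out(ip, now):
            return (False, GENERIC_ERROR)  # same message: no hint about why
        if check_password(username, password):
            self.failures.pop(ip, None)
            return (True, "Welcome")
        count, since = self.failures.get(ip, (0, now))
        self.failures[ip] = (count + 1, since)
        return (False, GENERIC_ERROR)
```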
My Thoughts on SecureScanPro
I like this plugin’s simplicity in securing a WordPress blog. The Fix It buttons make it an easy process to implement 14 ways of hardening your blogs from attack. Some of the Advanced Settings require a bit more technical knowledge to implement (e.g. editing a php.ini file if one exists in your site’s main folder, changing file permissions) but it’s a good idea to learn these skills as doing so means you’ll be able to further secure your blog against hacks.
There are free plugins available that will do what SecureScanPro offers but you need several plugins on your site to match its features. Each plugin on your site uses some resources and will slow your page load times to one degree or another (so the more plugins you have on your blog, the slower it will load).
Some free security plugins only offer advanced features at a price (i.e. you need to pay to upgrade). Others are very resource intensive and will not run in a shared webhosting environment.
SecureScanPro’s Login Protector adds a couple of extra levels of security to your blog as well and means you don’t need to have a separate login protector plugin on your blog. The recent (and still ongoing) Brute Force Attack against WordPress attempts to identify the username and password for a blog, but it doesn’t expect to see the captcha box that SecureScanPro adds to the login screen. So that’s a real plus in today’s online environment.
SecureScanPro is light on resources so it does run happily in a shared hosting environment. The scanner scheduler means your blog can check itself regularly for vulnerabilities and hacked WordPress files and notify you if it spots a problem. That means you can take action fast rather than finding out that your blog has been hacked days or weeks later, and possibly after Google has penalized your site for hosting malware.
This plugin is going to replace a couple of the other plugins I use to secure my site so for me it was definitely a worthwhile purchase. It is included by default as part of the Affordable Managed Blogs service that I also offer.
There are three variants of this new plugin available should you be interested in acquiring it yourself:
- SecureScanPRO PRO License – Install on your own and client sites: 50 Site license [$147 – launch discount price]
- SecureScanPRO Standard License – Install on your own sites only: 15 Site license [$97]
- SecureScanPRO Lite License – Install on your own sites only: 3 Site license [$47]
- My Bonus: Buy through my link and you’ll also get a copy of my Repairing A Hacked WordPress Blog report
Filed under: WordPress Security