Has your WordPress website been hacked, or do you think it might have been? The chances are high that even if you have never experienced a hack, your website has been the target of many attacks by bots and malware. Websites are lucrative targets for hackers. Bots and malware are some tools malicious parties use to infiltrate websites, often with ease. Many websites have very little protection, and as WordPress is the most widely used website system on the internet, it is the most significant target of hackers. Hackers are continually looking for vulnerabilities, and while WordPress developers are quick to release security updates, that doesn’t stop malicious actors from finding new ways to inject malware into your WordPress site.
High-end security can be expensive, but there are free tools that can help protect your website from many common attacks. In this article, I want to show you what tools I used to block 1,596 attacks on one WordPress website (ours) in just one month. These two tools don’t cost a cent (unless you upgrade to their premium plans) and are easy to set up in minutes.
Most small businesses are unwittingly subject to hundreds, if not thousands, of daily attacks against their websites. These attacks can cost you a lot of money. Ransomware and malware are the most common threats. If you don’t catch infections quickly, they can result in SEO penalties and potentially even get your website flagged as dangerous by search engines and anti-virus software. When that happens, your traffic will drop, and customers will disappear. That’s a big deal.
The most common cost, though, is from an impact that goes unnoticed: the additional server resources required to keep your website online. Website slowdowns and potential downtime due to a server overload during an attack can also result in lost visitors and customers while appearing like a simple increase in traffic.
Common attacks, such as attempts to log into your WordPress dashboard and access administrative tools like phpMyAdmin, add load to your server even if they fail. Attacks like these add up and can cost a lot of money over time.
So, let’s talk about the two tools I used to stop 1,596 attacks on my WordPress website in one month.
Tool 1: Cloudflare Free Edition
Our first free tool protects your website by blocking potential threats before they can reach your server.
Cloudflare provides a free content delivery network with other features that help protect and speed up your website. Paid editions and paid upgrades are also available. However, the free version has a basic edition of the Cloudflare firewall, a tool that can help block attacks on your website.
The Cloudflare firewall sits within the Cloudflare network rather than on your server and attempts to stop identified threats before they reach your site. It does this by analyzing your website traffic and where it comes from. Cloudflare uses threat data from across its network to determine whether to block a request. Cloudflare blocks approximately 72 billion attacks worldwide daily, and that data can also help protect your website.
This month, they blocked 482 threats to our website.
As a bonus, the Cloudflare content delivery network caches static files like images and serves them directly to visitors. This can speed up your loading times and help take some of the load off your server, reducing bandwidth consumption and associated costs.
The signup and configuration process is straightforward, but you must be comfortable changing your domain name DNS settings or have someone on your team who can do it for you.
Sign up at www.cloudflare.com and follow the wizard to get your first website up and running. When the setup wizard prompts you to choose a plan, select the free $0/month plan.
As far as negatives go, some websites, particularly those that rely on geolocation data, may have issues when using Cloudflare caching. If that happens, you can turn caching off while still receiving threat protection. You should also test the “auto-minify” options available as part of the Cloudflare cache if you use it. I rarely see any issues with HTML and CSS minification, but I often encounter problems with JavaScript minification.
Tool 2: The free Wordfence plugin
Our second tool protects your website by blocking attacks that get past Cloudflare and have reached your WordPress website.
Wordfence is a firewall that sits on your web server, between your WordPress website and your users. It protects your website from more attacks than you ever knew existed. Besides the firewall function, Wordfence provides several tools to help harden your website against attackers.
Like Cloudflare, Wordfence uses data from across its entire network to learn about new attacks and protect your website against them. Wordfence blocks around 11,500 attacks per minute worldwide, so it has a lot of data to leverage.
Wordfence provides this extra protection for your WordPress website as a free plugin that you install through your WordPress dashboard. You can purchase the optional upgrade if you want instant protection against the latest attacks and other premium features. The main difference between the free and premium editions is how fast your website receives the latest attack and malware data. Premium editions receive it instantly, whereas the free version has a 30-day delay.
The free plugin gives you:
- Web Application Firewall: A wall around your website that uses Wordfence’s global attack database to detect and thwart various attacks. The free version does not include any new attack types identified within the last 30 days, but it still gives you more protection than not having it.
- Malware Scanner: This tool detects malware that got through to your website and can help you remove it; however, it doesn’t include the premium scan with malware data from the last 30 days or the checks to see if you are on any blacklists.
- Brute-force protection: Blocks users who have too many failed login attempts in a short timeframe.
- Website hardening: Gives you the ability to add a captcha and two-factor authentication to your WordPress login.
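To see the kind of traffic described above (failed dashboard logins and phpMyAdmin probes) and the "too many failed attempts in a short timeframe" rule in your own server logs, here is an added example; it is not Wordfence's code. The threshold of 5 failures in 1 minute is an assumption, as is the heuristic that a failed WordPress login answers 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format, documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [12/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [12/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [12/Mar/2024:10:09:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [12/Mar/2024:10:03:10 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 196
192.0.2.44 - - [12/Mar/2024:10:03:11 +0000] "GET /pma/phpmyadmin/ HTTP/1.1" 404 196
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def analyze(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return (IPs over the failed-login threshold, phpMyAdmin probe count per IP)."""
    recent, flagged, probes = defaultdict(deque), set(), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"].split("?")[0]
        if "phpmyadmin" in path.lower():
            probes[ip] += 1
        # Assumed heuristic: a failed login re-renders the form (200),
        # a successful one redirects to the dashboard (302).
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop attempts older than the window
                q.popleft()
            if len(q) >= max_failures:
                flagged.add(ip)
    return flagged, dict(probes)
```

Calling `analyze(SAMPLE_LOG)` flags the address with five failed logins inside a minute and counts the phpMyAdmin probes separately; point it at your own access log to see how many of these requests reach your server.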
The installation process for Wordfence is straightforward. After activating the plugin from your WordPress dashboard, the wizard guides you through configuring the recommended settings. You can easily have Wordfence up and running in minutes.
For me, the Wordfence Web Application Firewall blocks the majority of attacks. In this one month alone, it prevented 1,114 attacks. So, even if you only use the firewall, it gives you a massive boost in protection. The malware scanner provides extra peace of mind that if anything does get through the other two layers of protection (Cloudflare and the Wordfence firewall), it will be detected quite quickly and can be removed easily (in most cases).
You can get the Wordfence plugin from the WordPress repository here or via your WordPress dashboard, and learn more about the premium upgrade here.
One caveat of Wordfence is that it does put quite a noticeable amount of extra load on your server, mainly while the malware scan is running. On low-cost servers, I’ve seen it put so much additional pressure that website visitors had trouble accessing the website during the scan. If you are using a budget web host, you must assess the best time to run malware scans (e.g., when you have the fewest visitors). It may also be worth disabling the automatic scans in favor of running them manually occasionally and relying more heavily on the other protections that Wordfence provides.
Can these two free tools protect your WordPress website entirely?
In short, no. While choosing the premium upgrade option for Wordfence will give you more protection, there is no surefire way to guarantee that your site is 100% safe from attacks. Every day, new ways of infiltrating WordPress websites are being discovered, and no matter how much protection you have, there is always the possibility that something will sneak through.
The goal is to protect your website from as many threats as possible. It’s always cheaper to prevent an attack than to recover from it. To that end, you should always ensure you have up-to-date backups of your website that you can use to recover if the worst happens. You can read more in this blog post if you want other ways to protect your WordPress website.