Subscribe Now

* You will receive the latest news and updates on your favorite celebrities!

Trending News

28 Mar 2024

Blog Post

Two free tools that blocked 1,596 attacks on my WordPress website (in one month)
Security

Two free tools that blocked 1,596 attacks on my WordPress website (in one month) 

Has your WordPress website been hacked or do you think it might have been? The chances are high that even if you have never experienced a hack, your website has been the target of many attacks by bots and malware. Websites are lucrative targets for hackers. Bots and malware are a couple of the tools that malicious parties use to infiltrate websites, often with ease. Many websites have very little protection, and as WordPress is the most widely used website system on the internet, it is the most significant target by hackers. Hackers are continually looking for vulnerabilities, and while WordPress developers are quick to release security updates, that doesn’t stop malicious actors from finding new ways to inject malware into your WordPress site.

High-end security can be expensive, but there are free tools that can help to protect your website from many common attacks. In this article, I want to show you what tools I used to block 1,596 attacks on one WordPress website (ours) in just one month. These two tools don’t cost a cent (unless you upgrade to their premium plans) and are easy to set up in minutes.

Most small businesses are unwittingly subject to hundreds, if not thousands of attacks against their websites every day. These attacks can cost you a lot of money. Ransomware and malware are the most common threats. If you don’t catch infections quickly, they can result in SEO penalties, and potentially even getting your website flagged as dangerous by search engines and anti-virus software. When that happens, your traffic will drop, and customers will disappear. That’s a big deal.

The most common cost though is from an impact that goes unnoticed: the additional server resources that are required to keep your website online. Add to this the website slow-downs and potential downtime due to a server overload during an attack, and these things can also result in lost visitors and customers while appearing like a simple increase in traffic.

Common attacks like attempts to log into your WordPress dashboard and attempts to access administrative tools, like PHPMyAdmin, all add load to your server even if they fail. Attacks like these all add up and can cost a lot of money over time.

So, let’s talk about the two tools that I used to stop 1,596 attacks on my WordPress website in one month.

Tool 1: Cloudflare Free Edition

Our first free tool protects your website by blocking potential threats before they can reach your server.

Cloudflare provides a free content delivery network with other features included that help to protect and speed up your website. Paid editions and paid upgrades are also available. The free version does, however, have a basic edition of the Cloudflare firewall, a tool that can help to block attacks on your website.

The Cloudflare firewall sits within the Cloudflare network rather than on your server and attempts to stop identified threats before they reach your site. They do this by analysing your website traffic and where it is coming from. Cloudflare uses threat data from around their network to determine whether to block the request. Cloudflare blocks approximately 72 billion attacks around the world every day, and that data can help protect your website too.

This month, they blocked 482 threats to our website.

cloudflare

As a bonus, the Cloudflare content delivery network caches static files like images and serves them directly to visitors. This can speed up your loading times and help to take some of the load off your server, reducing your bandwidth consumption and associated costs.

The signup and configuration process is straightforward, but you do need to be comfortable changing your domain name DNS settings or have someone on your team who can do it for you.

Sign up at www.cloudflare.com and follow the wizard to get your first website up and running. When the setup wizard prompts you to choose a plan, select the free $0/month plan.

As far as negatives go, some websites, particularly those that rely on geolocation data, may have issues when using Cloudflare caching. If this is the case for you, you can turn caching off while still receiving threat protection. You should also test the “auto-minify” options that are available as part of the Cloudflare cache if you use it. I rarely see any issues with HTML and CSS minification, but I do often come across problems with JavaScript minification.

Tool 2: The free Wordfence plugin.

Our second tool protects your website by blocking attacks that get past Cloudflare and have reached your WordPress website.

Wordfence is a firewall that sits on your web server, between your WordPress website and your users, protecting your website from more attacks than you ever knew existed. Besides the firewall function, Wordfence provides several tools to help harden your website against attackers.

Like Cloudflare, Wordfence uses data from across their entire network to learn about new attacks and protect your website against them. Wordfence itself blocks around 11,500 attacks per minute around the world, so they have a lot of data to leverage.

Wordfence provides this extra protection for your WordPress website in the form of a free plugin that you install through your WordPress dashboard. If you want instant protection against the latest attacks, along with a couple of other premium features, you can purchase the optional premium upgrade. The main difference between the free and premium editions is how fast your website receives the latest attack and malware data. Premium editions receive it instantly where the free version has a 30-day delay.

The free plugin gives you:

    • Web Application Firewall: It’s a wall around your website that uses Wordfence’s global attack database to detect and thwart various kinds of attacks on your site. The free version does not include any new attack types identified within the last 30 days, but still gives you miles more protection than not having it at all.
    • Malware Scanner: Helps to detect malware that got through to your website and can help you to remove it, however, it doesn’t include the premium scan with malware data from the last 30 days, and checks to see if you are on any blacklists.
    • Brute-force protection: Blocks users who have too many failed login attempts in a short timeframe.
  • Website hardening: Gives you the ability to add a captcha and two-factor authentication to your WordPress login.

The installation process for Wordfence is very simple, and after activating the plugin from your WordPress dashboard, the wizard guides you through configuring the recommended settings. You can easily have Wordfence up and running in minutes.

For me, the Wordfence Web Application Firewall blocks the majority of attacks. In this one month alone it prevented 1,114 attacks. So even if you only use the firewall, it gives you a massive boost in protection. The malware scanner provides extra peace of mind that if anything does get through the other two layers of protection (Cloudflare and the Wordfence firewall), that it will be detected quite quickly and can be removed easily (in most cases).

wordfence stats

You can get the Wordfence plugin from the WordPress repository here or via your WordPress dashboard, and learn more about the premium upgrade here.

One caveat of Wordfence is that it does put quite a noticeable amount of extra load on your server, mainly while the malware scan is running. On low-cost servers, I’ve seen it put on so much additional pressure that website visitors had trouble accessing the website during the scan. If you are using a budget web host, you will need to assess when the best time is to run malware scans (e.g. when you have the least visitors). It may also be worth disabling the automatic scans in favour of running them manually from time to time and relying more heavily on the other protections that WordFence provides.

Can these two free tools completely protect your WordPress website?

In short, no. While choosing to go with the premium upgrade option for Wordfence will give you more protection, there is no surefire way to guarantee that your site is 100% safe from attacks. Every day new ways of infiltrating WordPress websites are being discovered, and no matter how much protection you have, there is always the possibility that something will sneak through.

The goal is to protect your website from as many threats as possible. It’s always cheaper to prevent an attack than to recover from it. To that end, you should always ensure you have up-to-date backups of your website that you can use to recover from in the event of the worst. If you are interested in other ways to protect your WordPress website, you can read more in this blog post.

Related posts

Leave a Reply

Required fields are marked *