WordPress is still the most popular CMS out there, and unfortunately that makes it a serious target for no-life nerds/criminals and their bots. Most of the time you can secure your site using security plugins to harden the installation. You can also install monitoring and scanning plugins that check your installation for file changes, so you find out when a core, theme or plugin file has been modified or a new file has appeared. The next level of security is a Web Application Firewall (WAF). Firewalls are awesome because they stop bots before they can even reach your site.
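To show what the "check your installation for file changes" part actually does under the hood, here is an added example (not code from any plugin or from this post's author) of a minimal file-integrity check: hash every file under a site root into a baseline manifest, re-hash later, and report what was added, modified or removed. The site root, the skipped cache directory and the sample file names are all constructed for the demo.

```python
"""Baseline-and-compare file-change monitor for a WordPress install.
Added example; assumes a site root directory and a JSON manifest file."""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories that churn legitimately and would only produce noise (assumed).
SKIP_DIRS = {"wp-content/cache"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _skipped(rel: str) -> bool:
    return any(rel == s or rel.startswith(s + "/") for s in SKIP_DIRS)


def build_manifest(root: Path) -> dict:
    """Map every regular file (relative POSIX path) to its SHA-256 hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if _skipped(rel):
            continue
        manifest[rel] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict, out: Path) -> None:
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report added, modified and removed files between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Constructed scenario: take a baseline, then change the tree and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-includes/version.php": "<?php $wp_version = '0.0';\n",
            "wp-content/plugins/foo/foo.php": "<?php // plugin main file\n",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)

        manifest_path = root / "baseline.json"
        save_manifest(build_manifest(root), manifest_path)
        baseline = load_manifest(manifest_path)
        # The manifest itself is inside the root; drop it so it is not "modified".
        baseline.pop("baseline.json", None)

        # Simulated drift: one edit, one new plugin file, one deletion,
        # plus a cache file that the skip list should hide.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp2');\n")
        (root / "wp-content/plugins/foo/extra.php").write_text("<?php\n")
        (root / "wp-includes/version.php").unlink()
        (root / "wp-content/cache").mkdir(parents=True)
        (root / "wp-content/cache/page.html").write_text("<html></html>")

        current = build_manifest(root)
        current.pop("baseline.json", None)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In practice the baseline is written right after a clean install or update and stored outside the web root; any entry in the "added" or "modified" list under wp-includes or wp-admin that does not coincide with an update you ran is worth investigating.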
Sometimes all the security plugins in the world just aren’t enough. If your site has been around for a few years, if you’re using a lot of plugins, or especially if you’re using a popular or free theme, then you’re at serious risk, because there are holes in that code that bots can use to take advantage of your site. The risk is quadrupled to the nth degree if you haven’t been clicking the update button for WordPress, themes or plugins.
Defending Your Site
If you think of your website as a country, hardening plugins are like city walls that need to keep being repaired whenever there’s an attack. Monitoring and scanning plugins are like watchtowers that can see when an attack is taking place and tell you what needs to be strengthened or repaired. A firewall like the one from Sucuri is a really effective border control/army that stops invading armies before they even get to your cities.
Here are some real statistics (from only one day) from a few of my customer sites using the firewall. The percentage of blocked (red) vs. allowed (green) visitors doesn’t really make any difference; all it takes is one bad bot to do some damage to your site.
A popular WordPress site with a lot of plugins and a popular commercial theme. 552 attacks blocked that day.
An e-commerce site with a completely custom theme which is more secure. 55 attacks blocked that day.
A regular WordPress site with around 10 plugins. 45 attacks blocked that day.
Hopefully, these statistics will give you a little food for thought. The more popular and older your site is, the more it’s going to be attacked. I should also note that all of these customers are using my WP Ensure service so these attacks are not due to old plugins or ancient WordPress installs. It’d be interesting to see more data from websites that haven’t been updated in a long time. If you have any questions or comments you can contact me directly or leave them in the comments below.