One of the challenges of hosting your own site and using WordPress is security. As WP has gotten more and more popular, it has become a huge target for hackers of all sorts. I’ve had my own fair share of old installations getting hacked and causing problems for live sites, rogue files, brute-force login attempts that create a denial of service, DoS attacks against XML-RPC, and so on over the years.
Recently, I came across a mention of a security plugin called Wordfence and decided to try it out. It scans your install for any changes made to the WordPress core, theme and plugin files by comparing them to the original from the WordPress codex. Sure enough, for the couple of places where I had made some customizations, it noted those as changed files and warned me about them. It then let me mark those as safe to ignore, provided they don’t change again, which is nice. I’m always nervous when a security app allows the user to set it to ignore a file, and then that’s the file that gets corrupted, and it continues to ignore it. It even warned me about a corrupt file that I had missed about 8 folders deep when I was cleaning up that infection last year, so that’s also nice!
Eventually though, I got everything cleaned up and verified with one more scan!
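The "safe to ignore, provided they don't change again" behaviour described above depends on tying the approval to the file's contents rather than to its path. The following is an added example of that check, not Wordfence's code; the `scan` function, file names and file contents are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def scan(installed, baseline, approved):
    """installed: path -> bytes on disk; baseline: path -> sha256 of the original;
    approved: path -> sha256 of an edit the admin marked safe to ignore."""
    findings = {}
    for path, data in installed.items():
        digest = sha256(data)
        if path not in baseline:
            findings[path] = "unknown file"            # not part of any original package
        elif digest == baseline[path]:
            continue                                   # identical to the original
        elif approved.get(path) == digest:
            continue                                   # approved edit, byte-for-byte unchanged
        elif path in approved:
            findings[path] = "changed since approval"  # the ignore no longer applies
        else:
            findings[path] = "modified"
    for path in baseline.keys() - installed.keys():
        findings[path] = "missing"
    return findings

# Constructed sample data: the originals as shipped, keyed by relative path.
THEME = "wp-content/themes/demo/functions.php"
ORIGINALS = {
    "wp-includes/version.php": b"<?php $wp_version = 'x.y';",
    THEME: b"<?php // stock theme",
}
BASELINE = {path: sha256(data) for path, data in ORIGINALS.items()}

def demo():
    live = dict(ORIGINALS)
    live[THEME] = b"<?php // stock theme + my tweak"
    live["wp-content/uploads/a/b/c/cache.php"] = b"<?php // constructed stray file"
    first = scan(live, BASELINE, approved={})
    # The admin reviews the theme edit and approves exactly this content.
    approved = {THEME: sha256(live[THEME])}
    second = scan(live, BASELINE, approved)
    # The approved file is altered again later, so it is reported once more.
    live[THEME] += b" // altered after approval"
    third = scan(live, BASELINE, approved)
    return first, second, third

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because the approval stores a hash, an ignored file that is later altered shows up again instead of staying silenced.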
After that initial scan, the Wordfence plugin continues to monitor what’s going on. It scans new comments for links to malware, tracks traffic while keeping an eye out for rogue spider traffic, tracks visitors and login attempts, and gives you plenty of options for blocking traffic sources. In fact, the options page is full of ways to really keep an eye on your install at the deepest levels.
Wordfence will even email you if it finds a potential problem, or if you have plugins or themes that have updates available. Since outdated theme and plugin files are often a hacker’s best friend, it’s good to know that I will get those emails even if I haven’t had a chance to log into the admin interface in a few days.
In short, while hosting your own WordPress installation is rife with potential security headaches, with some vigilance it can be done. Having a plugin like Wordfence running on the site can go a long way toward helping you be vigilant and on top of any changes that someone else might be making to your site!