WordPress security is easy, when you have the right automated tools.
When I started using WordPress I did all the site hardening myself, manually. WordPress security hardening is not difficult, especially if you have a background in web application security, and if you are new to WordPress there are quite a few checklists online you can follow.
However, hardening is just the start. WordPress security is a continuous process of hardening > monitoring > testing > improving. Automation is therefore a must, and that is why you need to use several tools together, such as a WordPress activity log plugin and an online WordPress security service such as Sucuri.
The Need to Automate WordPress Security with Sucuri
I was never a fan of automated WordPress security services. Being an old-school geek, I always liked to do things myself. However, such an approach only works if you have a hobby WordPress site.
When you run more than one business website, and new functionality is occasionally added through new WordPress plugins or customizations (websites constantly evolve to cater for customers' needs), things are different. Security becomes unmanageable and requires resources you do not have when running a business.
For example, whenever there is a new security tweak, or someone identifies a security issue in one of the plugins we use, I have to test the tweak or update in the testing environment first. If there are no conflicts or functionality issues, I update the live site as soon as possible. Timing is critical in application and WordPress security: you cannot afford to leave a security hole on your site for long.
This is one of the problems that the Sucuri online WordPress firewall solves. Sucuri has a team dedicated to researching security issues and maintaining the firewall rules. So whenever a new vulnerability is identified in a WordPress plugin or in WordPress core, their firewall is updated to block requests that exploit it (a virtual patch), which protects your website until you have applied the real fix.
This does not mean you no longer have to keep WordPress core and the plugins up to date; a firewall rule is a mitigation, not a fix. It does take the urgency out of it, because the rule buys you the time to test the update properly. Sucuri are there so a WordPress site admin can take a holiday and not lose any sleep worrying about a possible mass exploit of a WordPress vulnerability.
Automated & Frequent WordPress Malware Scans
When you use the Sucuri WordPress security platform your website is also scanned for malware infections.
This is necessary even though there is a firewall. A WAF only sees HTTP traffic to the site; a WordPress site can also be compromised through other routes, such as an administrator's infected computer or stolen credentials, and in those cases the first sign of trouble is a changed file or an injected script rather than a blocked request. That is why it is always important to use a combination of security tools: a web application firewall, a malware scanner and a security audit log plugin that lets you see exactly what is happening on your site.
Free Malware Infection Removal
Should your WordPress website get infected with malware, Sucuri also provide unlimited malware removal as part of their packages. No extra costs or hidden charges – if you are subscribed to them drop them an email and they will clean the site for you.
Other Reasons Why Sucuri Packs A Punch As A WordPress Security Platform
Apart from the traditional security features like the automated malware scans and web application firewall, Sucuri also has quite a few other features. Below is a highlight of a few of them:
Content Delivery Network (CDN) Included
Even though a CDN is not exactly a security feature, it is a must have. A CDN improves page speed and reduces the load on the server. Sucuri offer a CDN right out of the box. You do not have to configure anything, unless you want to use a third-party CDN solution.
Free HTTPS With Let’s Encrypt
Every website on the internet should be running on HTTPS. When you use Sucuri there are no excuses. You can easily configure and use a free HTTPS/TLS certificate from Let's Encrypt via the Sucuri dashboard, or use a third-party certificate if you prefer. Keep in mind that with a proxy-based WAF this certificate terminates at Sucuri's edge, so keep a valid certificate on the origin server as well, so that the leg between the firewall and your server is encrypted too.
WordPress Site Access Control Tools
The Sucuri Website Security Platform also has a set of access control and restriction tools with which you can whitelist or blacklist request attributes such as:
HTTP cookies and referrers
You can also configure geo blocking and block all traffic from a specific country, or restrict it to GET requests only (view but not post).
The most handy access control tool of them all is Protected Pages. With this tool you can restrict access to a specific page by IP address, or protect it with two-factor authentication or a Captcha challenge.
Since your website traffic is proxied through Sucuri's web application firewall, a distributed denial of service (DDoS) attack is absorbed by their edge servers, provided your origin server only accepts traffic from the firewall. These attacks then do not impact your website's bandwidth, server load, uptime or responsiveness.
In the Sucuri dashboard you also have a good selection of reports about what was blocked, allowed, and other stats about the website visitors. You can actually see every individual blocked and allowed request and blacklist or whitelist the type of request and the IP address making that request, as shown in the below screenshot.
So if you’d like to really learn more about what type of requests attackers send to your WordPress site, then Sucuri has all the right information for you. Once you are subscribed you also get a weekly report via email which keeps you abreast of how the WordPress web application firewall is working for your site.
Sucuri Reduces Website Bandwidth Usage & Server Load
You do not want malicious traffic eating up your website's allocated bandwidth, especially when you pay for it. When you use Sucuri, all your website's traffic passes through their firewall first, so malicious traffic, including comment and form spam submissions, is blocked at the firewall before it ever reaches your server.
So how much money and resources does Sucuri save your business by blocking malicious and unnecessary traffic? It depends on many factors. In our case, Sucuri blocks an average of 12,000 malicious HTTP requests per month for WP White Security. You can get an overview of what the firewall blocked from the Sucuri dashboard.
But Web Application Firewalls Can Be Bypassed…
Many argue that both online and on-premises web application firewalls can be bypassed, so why bother? It is true that bypasses exist, and they come in two types.
Online (proxy-based) web application firewalls can be bypassed because your origin web server is still reachable directly. Your website's traffic only goes through the WAF because DNS points your domain at it; anyone who learns the origin server's IP address (from DNS history, an old mail header or a forgotten subdomain, for example) can send requests straight to it and skip the firewall entirely. There is an easy fix for this: configure the origin server, or its host firewall, to accept web traffic only from the firewall's published IP ranges, as Sucuri explain in their documentation.
The other type of bypass, which affects both online and on-premises WAFs, is the software bypass. Like any other software, WAFs can have vulnerabilities, and there have been cases in which these were exploited to bypass the firewall. Enable Security, a security firm based in Germany, has published a few papers about WAF bypasses.
Newer bypasses are published regularly, and every firewall vendor has had its share of issues. However, do these edge cases justify not using a WAF? Definitely not. A WAF is one layer of defence, and the tools listed at the end of this article are the others.
Sucuri has more than a decade of experience in this industry and has dealt with thousands of websites, so their configuration is certainly more airtight than something an individual would maintain on the side. They also have a very efficient response team, so if something goes wrong, contact them to fix the issue.
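The origin-side half of that fix, shown as an added example rather than anything from Sucuri or from the original article: a request is served only if the TCP peer is one of the firewall's addresses, and the client address used for logging, rate limiting or geo-blocking is taken from X-Forwarded-For only when the peer is the firewall. That second rule is the caveat people miss: once the origin sees the WAF's address on every connection, it is tempting to trust X-Forwarded-For unconditionally, but an attacker who reaches the origin directly can then forge any client address. The CIDR ranges below are placeholders from the RFC documentation blocks, not Sucuri's real ranges (take those from the vendor's documentation), and it is assumed the firewall appends the client address to X-Forwarded-For in the usual way.

```python
"""Origin-side enforcement for a DNS-fronted proxy WAF (added example).

Rules implemented here:
  1. Serve a request only when the TCP peer is a WAF address
     (or localhost, assumed here for local health checks).
  2. Take the client address from X-Forwarded-For only when the peer
     is the WAF; a direct hit could carry a forged header.
The ranges below are PLACEHOLDERS, not Sucuri's published egress list.
"""
import ipaddress
from typing import Dict, Optional, Tuple

# Placeholder ranges standing in for the WAF vendor's published IP list.
WAF_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # TEST-NET-1, placeholder
    ipaddress.ip_network("2001:db8:1::/48"),  # documentation prefix, placeholder
]
# Assumption: health checks from the box itself are allowed through.
LOCAL_RANGES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]


def is_trusted_peer(peer_ip: str) -> bool:
    """True if the connecting TCP peer is the WAF (or localhost)."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # garbage in the peer field is never trusted
    return any(addr in net for net in WAF_RANGES + LOCAL_RANGES)


def real_client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Address to log, rate-limit or geo-block on.

    A proxy appends the address it saw to X-Forwarded-For, so with one
    trusted proxy the LAST valid entry is the real client; anything
    before it was supplied by the client and is attacker-controlled.
    If the peer is not the WAF the header is ignored entirely.
    """
    if not is_trusted_peer(peer_ip) or not x_forwarded_for:
        return peer_ip
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
            return hop
        except ValueError:
            continue  # malformed entry, keep walking left
    return peer_ip  # header held nothing usable


def decide(peer_ip: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return (HTTP status, client address) for one request.

    403 for direct hits that bypass the WAF, 200 for proxied requests.
    """
    if not is_trusted_peer(peer_ip):
        return 403, peer_ip
    return 200, real_client_ip(peer_ip, headers.get("X-Forwarded-For"))


if __name__ == "__main__":
    # Constructed sample requests: one via the WAF, one straight at the origin.
    print(decide("192.0.2.10", {"X-Forwarded-For": "203.0.113.5"}))
    print(decide("198.51.100.7", {"X-Forwarded-For": "203.0.113.5"}))
```

In a real deployment the first rule belongs in the host firewall or the web server's allow/deny configuration, so that rejected connections never reach PHP at all; the second rule is what your WordPress plugins and logging should apply when they read the client address. Rotate the range list whenever the vendor updates it, or the site goes dark for legitimate visitors.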
Secure & Protect Your WordPress Sites
If you ask us at WP White Security, Sucuri is a service we recommend. We use it ourselves for some of our websites and can confirm that it has made a difference. It reduced the overhead of managing a website and made our lives easier. So if you want a secure and well protected website:
- Implement two-factor authentication on your WordPress websites
- Install a WordPress activity log plugin to keep track of what is happening on your site
- Use a file integrity monitoring plugin that alerts you of file changes
- Enforce strong WordPress password security via policies
- Setup a robust site backup service / strategy
- Subscribe to the Sucuri WordPress security platform to maximize the protection!
Note: like all other reviews on this website this is not a commissioned or paid for review. We only review and recommend tools we use ourselves.