WordPress Website Security: Block Hackers and Scrapers

Did you know that by 2021, the estimated global cost of cybercrime is predicted to be $6 trillion? Financial loss from downed websites or data breaches can harm corporations and small businesses alike. So, how can you block hackers and content scrapers without breaking the bank? This step-by-step WordPress security guide shows you how.

Photo: © User:Colin / Wikimedia Commons / CC BY-SA 4.0

In this blog, you’ll see how to set up the SecuPress WordPress security plugin to:

  • Protect e-commerce transactions
  • Stop scrapers from duplicating content
  • Block spammers 
  • Lock out hackers immediately
  • Prevent “user creation”
  • Ban bad IPs, spambots, and more

I’m not a SecuPress affiliate, by the way. I’m just sharing which WordPress security plugin gives me more security for less money.

Here’s a SecuPress versus Wordfence comparison chart that shows exactly what I mean.

 

 

As you can see, SecuPress Pro costs about $40 less than Wordfence Premium, yet has more features. Likewise, the free SecuPress option also provides more security features than free Wordfence.

The best features that both SecuPress Pro and SecuPress Free share include the Hide my Login page, XML-RPC and REST API management, and Hide WordPress, WPML, and WooCommerce.

Ready to learn more? Continue reading or download SecuPress first.

 

Website Security to Lock Out the Bad Guys

Photo: Wall of Locks, Pixabay

STEP 1: BACK UP YOUR SITE

Always back up your site before adding or updating new plugins. If possible, it’s also wise to test new plugins and major updates on a staging/demo site. That’s because new code can sometimes conflict with existing code.

So, have you backed up your site? Did you install SecuPress? Great—let’s move on to the next step.

 

STEP 2: SCAN YOUR SITE

The first thing you’ll notice is how clean and intuitive the SecuPress user interface is. Call me a design geek, but I appreciate these easy-on-the-eye modules. Once you’ve looked around, the next thing you’ll want to do is use the SecuPress site scanner.

Just go to your WordPress Dashboard, scroll down to the SecuPress section on the left-hand side, and click on Scanners. This takes a minute or two and will produce your website’s report card.

 

Your Website Security Report

SecuPress Scan: Security Report

One-Click Fix It 

Don’t be alarmed about a bad grade. With one click of the “Fix It” button, SecuPress automatically fixes issues for you. Just click the issues that you wish to resolve.

 

Scan results with Fix It options

 

 

Pro-tip: Always read up on unfamiliar features before selecting them. SecuPress provides informative links on these, so it’s easy.

To learn how to manually activate SecuPress plugin settings, continue reading.

 

STEP 3: WORDPRESS SECURITY SETTINGS

User and Login Settings

 

Heard of Brute Force? No, it’s not a cheap cologne. It’s one of the most common attack points on WordPress websites.

With a brute force attack, a hacker relentlessly hammers the wp-login.php file with login attempts until they break in. The flood of requests can also cause the server to fail.

So, how do you barricade your site from brute force? One way is to hide your login page.

Luckily, that’s easy with the Move the Login Page feature. This allows you to invent your own login suffix to replace the default /wp-admin.

For example, you can make it www.mydomain.com/mynewlogin. Obviously, it should be something hard to guess; never use any info you’ve shared online.

A hacker who gets that login URL wrong is immediately blocked and redirected to the page of your choice. I like tossing them to my home page.

Other “Users and Login” module settings include:

  • Control user sessions
  • Require Captcha for logins 
  • Prevent new user creation
  • Get two-factor authentication

Here’s just a portion of what those settings look like:

 

Login protection settings

Protect Sensitive Data

Sensitive data is the soft underbelly of your website. And unfortunately, many site owners leave it exposed.

Well, SecuPress Pro has you covered. In fact, they offer several settings built to block hackers and content scrapers. This image shows a small portion of that module.

 

SecuPress WordPress security settings

Block Content Scrapers

Other sections of the Sensitive Data module protect your site from content scrapers. Why is that so important? Content scraper bots steal your hard-earned web content, which damages your SEO. In fact, if you’ve noticed that your search ranking has suddenly fallen off a cliff, content scrapers may have pushed you. Here’s how to push back.

Within the Sensitive Data module, be sure to select settings that:

  • Block access to your PHP, readme, and robots.txt files
  • Disable XML-RPC and Directory Listing
  • Forbid bad URL access to your files
  • Protect your profile and settings pages

 

 

Settings that fix PHP vulnerabilities

As you can see, you can quickly block hackers from accessing PHP vulnerabilities just by clicking a few SecuPress boxes.

 

Firewalls and Bad IPs

We’d all like to think we know a bad guy when we see ‘em. But these days, new malicious user agents show up regularly. It’s enough to make your head spin.

Well, relax, because SecuPress has a naughty list or two—located in the Firewall and Anti-Spam modules. Just click all the settings that block these bad guys:

  • Suspicious long URLs
  • SQLi scanners/scripts 
  • IPs of brute force attempts
  • Bad user-agents and requests
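
The signals behind these firewall settings, and behind the brute force lockout described earlier, all show up in the web server's access log. The script below is an added example, not SecuPress code and not part of the original post: it flags IPs for repeated failed wp-login.php POSTs, over-long URLs, and scanner user-agents. The thresholds, the signature list, and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)
# Assumed signature list: substrings of the default user-agents of common scanners.
BAD_AGENTS = ("sqlmap", "nikto", "wpscan")

def flag_ips(lines, login_threshold=5, max_url_len=255):
    """Return {ip: sorted reasons}. Both thresholds are assumed values, not SecuPress's."""
    failed_logins = Counter()
    reasons = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path = m["ip"], m["path"]
        # WordPress answers a failed login with 200 (form shown again)
        # and a successful one with a 302 redirect.
        if (m["method"] == "POST" and m["status"] == "200"
                and path.split("?")[0] == "/wp-login.php"):
            failed_logins[ip] += 1
        if len(path) > max_url_len:
            reasons[ip].add("long-url")
        if any(sig in m["agent"].lower() for sig in BAD_AGENTS):
            reasons[ip].add("bad-agent")
    for ip, count in failed_logins.items():
        if count >= login_threshold:
            reasons[ip].add("brute-force")
    return {ip: sorted(r) for ip, r in reasons.items()}

def _line(ip, method, path, status, agent="Mozilla/5.0"):
    return (f'{ip} - - [01/Jan/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{agent}"')

# Constructed sample log using documentation-range IPs, not real traffic.
SAMPLE_LOG = [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6 + [
    _line("198.51.100.4", "POST", "/wp-login.php", 200),  # one typo, then success
    _line("198.51.100.4", "POST", "/wp-login.php", 302),
    _line("192.0.2.55", "GET", "/?s=" + "A" * 300, 200),
    _line("192.0.2.99", "GET", "/index.php?id=1", 200, "sqlmap/1.7 (https://sqlmap.org)"),
    "garbage line",
]

if __name__ == "__main__":
    for ip, why in sorted(flag_ips(SAMPLE_LOG).items()):
        print(ip, ", ".join(why))
```

If you have moved the login page, replace `/wp-login.php` in the check with your own login path.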

Here’s something else you’ll appreciate in the Firewall module…

 

Block Country and IP Settings

A recent client balked when I said WordPress is prone to Russian hackers. Then I showed her this report from Wordfence.

 

 

Bad IPs on a WordPress site

 

As you can see, within one week, the Russian Federation had made 191 attacks, compared to fewer than a handful from most other countries. To think, I actually tried blocking these IPs by hand, once. It was an endless task: new IPs pop up every day!

Thankfully, SecuPress Pro lets you block whole countries with one checkbox. Of course, you can also set up blacklists to ban particularly worrisome IPs.

Lock WordPress Core, Plugins, and Themes

Aside from a Data Security section, SecuPress has a Plugins and Themes module. This lets you block new plugins, themes, and zip files from being uploaded to your site. You can also protect your existing plugins from being deleted.

In the WordPress Core Protection module, you can disallow unsafe file edits within WordPress. You can also set your WordPress updates to occur automatically.

Pro-tip: Just tick all the boxes in these two modules.

Alerts, Logs, and Schedules

Finally, SecuPress Pro regularly backs up and monitors your site. The Alerts, Logs, and Schedules modules have settings that:

  • Block comments and fight spam
  • Schedule backups and malware scans
  • Send email alerts and reports
  • Log WordPress actions and banned IPs

SecuPress Services and Support

It’s good to know that SecuPress also offers hacked-site cleanups, plugin configuration, and technical support.

Conclusion

In summary, whether you want to try the free version or go for pro, you won’t be sorry. In my opinion, SecuPress offers the best value for WordPress website security. If you’re ready to try SecuPress, here’s a link for both the free and pro options. As I said earlier, I get no commission or perks for sharing this. I just enjoy helping people save money and protect their websites.

For more articles about writing, design, marketing, and WordPress plugins, visit our Freesources page. For links to articles I’ve written for others, check out my writing samples page. Thanks for reading!