(Minor geek-alert, some parts may appear too technical.)
I have been using WordPress since its early days and even made it a part of my course Marketing on the Internet when I was teaching. It has grown to be a robust, well-supported, and highly popular content management platform over the years. The WordPress team delivers periodic functional version updates and interim releases to deal with potential security holes. The core WordPress code, along with all the available themes, add-ons, plugins, and widgets, can easily make any WordPress installation quite complex, with various kinds of security issues. Add to the equation the increase in hacking and easily available hacking software, and your WordPress site may look like a sitting duck under constant threat of a possibly crippling attack, as happened to one of my clients’ sites.
There are many tools and approaches to secure your site. I have been using a couple of services to protect my sites and would like to share my experience with them. Now, as comfortable with technology as I am, I don’t have the slightest idea how the inner workings of these services may function. I am mainly interested in the following:
- Installation and setup
- Easy to use features
- Performance and protection
I will write about the services below and share my experiences with them; your experience may vary. Using these services is your own decision.
CloudFlare is an online service that essentially sits between your site and the outside world, acting as a gatekeeper. It has free and premium versions, both with significant benefits to the performance and security of your site. In normal operation it caches static content and delivers it from its distributed network of servers depending on the visitors’ access points. This will add some performance gains in delivering your content to your visitors. The CloudFlare control panel has a multitude of options to enhance the performance of your site. Another potentially significant benefit of using CloudFlare emerges if your site comes under serious attack: CloudFlare can raise its walls and thwart, or at least significantly slow down, the attackers.
Much of the CloudFlare setup is done on their site using their easy-to-follow instructions. Once you create an account, their system analyzes your site’s configuration and tells you how to change your name servers on your domain name registrar account. Once that is done and the name servers propagate to all the routers around the world, the traffic to your site starts getting routed through the CloudFlare system. For the most part, this is all the installation you need. However, if you want to take advantage of other performance and security options, you can tweak the settings on their control panel.
You will need your domain registrar login information to make the needed changes. Make sure that you can log in to that account and note the current name server settings. In a worst-case scenario you can revert to those name servers and not use CloudFlare. Instead of writing setup instructions in detail here, I would like you to visit their site and get first-hand information. After setting up your account and starting CloudFlare, you should install the CloudFlare WordPress plugin, which apparently makes it work more efficiently behind the scenes and allows you to change some temporary settings on CloudFlare without going to their site.
Here are some useful direct links on the CloudFlare site:
- Who uses CloudFlare (you will be in good company)
- CloudFlare Overview
- How to sign up for CloudFlare
- Getting Started with CloudFlare
- Sign Up for CloudFlare
My Experience with CloudFlare
Since I started my account on CloudFlare a few years back, my site has been under their protection and performance enhancement system. I have a free account which has a few missing features, but I could not bring myself to pay $20/month for those additional benefits. At times I wondered if I was getting any real benefits in terms of speed of delivery, but occasional testing showed better content delivery with CloudFlare than without it. However, when one of my clients’ Web sites was under a DDoS attack which totally crippled it, we put it behind CloudFlare and turned on the option “I am under attack” and the benefits became immediately visible. Visits to the site were possible, albeit with a brief pause to check whether a human or a bot was accessing it, and after that the visitor could browse normally.
Lately, I have had a different kind of problem where I needed some guidance from CloudFlare, but being a free account holder has a different kind of cost, namely the speed of response to your trouble ticket. I ended up using a feature built into their service, “Pause CloudFlare”, which essentially removed it from the equation. Now, with the help coming through, I am in the process of reconfiguring and starting CloudFlare again.
Full disclosure: I was given a one-year premium version of Wordfence after I noted a bug in it and have been using that version free of charge. Rest assured that my comments are not clouded by that nice gesture.
(Wordfence, or at least parts of it, may not work on Windows IIS servers, and Wordfence says they do not provide support for Wordfence installations on Windows IIS. However, on an earlier hosting account I was able to use it. Your experience may be different.)
As CloudFlare sits between your site and the visitors, humans or bots, Wordfence is a more immediate shield around your site. It offers many security options that will help maintain a stable and secure site. It is a WordPress plugin that comes in free and premium versions, and they both provide ample coverage. Take a look at their features on the Wordfence site. Its many options will allow you to track real-time connections and pages not found, as well as giving you the option to block IP numbers from accessing your site if you suspect malicious behavior. Once installed and properly configured to suit your needs, it stands guard against many potential hazards that may arrive at your site. Here are the most salient features that will benefit your site:
- Security and code update alerts on code, WordPress, plugins, or themes via e-mail
- Enforcing secure passwords for users
- Login notifications via e-mail
- Lock out after prescribed number of login or password recovery attempts
- Lock out if certain URLs are accessed
- Scan site contents for malicious software
From your WordPress dashboard, choose Plugins/Add New, and search for wordfence. After that, it is a matter of installing the plugin just as any other WordPress plugin. Once installed, it will ask for your e-mail address for alerts and make a few suggestions. The important option settings, at least for me, are:
- White listed IP addresses that bypass all rules: enter the IP numbers from which you access your site, such as home and office. You will not be blocked even if you accidentally violate any rules.
- How does Wordfence get IPs: If you are using CloudFlare set this to “Use the CloudFlare ‘CF-Connecting-IP’ HTTP header …” to get the real IP numbers of the visitors.
- Immediately block the IP of users who try to sign in as these usernames: If you used best practices and avoided the common administrative level user names like admin, wp_admin, main_admin, yourname, etc., enter a comma-separated list of the user names the hackers will try first. My list includes admin,wp_admin,wpadmin,main_admin,administrator; your list will depend on your practices.
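The “How does Wordfence get IPs” setting matters because the whitelist and block rules are applied to whatever address that lookup returns. The sketch below is an added example, not Wordfence's or CloudFlare's code: it accepts the CF-Connecting-IP header only when the connection itself arrives from a trusted proxy range. `TRUSTED_PROXIES`, `client_ip`, `is_whitelisted` and every address are constructed placeholders.

```python
import ipaddress

# Placeholder range standing in for CloudFlare's published edge networks
# (constructed for this example; a real deployment loads the current list).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def client_ip(peer_addr, headers):
    """Return the address that block and whitelist rules should apply to.

    peer_addr: IP of the TCP connection that reached the web server.
    headers:   request headers as a dict with lower-case names.
    """
    peer = ipaddress.ip_address(peer_addr)
    from_proxy = any(peer in net for net in TRUSTED_PROXIES)
    claimed = headers.get("cf-connecting-ip", "").strip()
    if not from_proxy or not claimed:
        # Connection did not come through the proxy: the header is just
        # client-supplied text, so use the connection's own address.
        return str(peer)
    try:
        return str(ipaddress.ip_address(claimed))
    except ValueError:
        # Malformed header value: fall back to the peer address.
        return str(peer)


def is_whitelisted(peer_addr, headers, whitelist):
    """True only if the resolved client address is in the whitelist."""
    return client_ip(peer_addr, headers) in whitelist


# Constructed sample requests.
WHITELIST = {"203.0.113.10"}  # e.g. the site owner's office address
via_proxy = ("198.51.100.7", {"cf-connecting-ip": "203.0.113.10"})
direct_with_header = ("192.0.2.66", {"cf-connecting-ip": "203.0.113.10"})

if __name__ == "__main__":
    print(is_whitelisted(*via_proxy, WHITELIST))           # True
    print(is_whitelisted(*direct_with_header, WHITELIST))  # False
```

If the origin server also answers requests that do not pass through CloudFlare, restricting it to CloudFlare's ranges at the firewall removes the second case entirely.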
My Experience with Wordfence
I have been very pleased with the way Wordfence puts its shield around my site, and to some extent my potential neglect. I periodically monitor live traffic, especially the entries under the “Pages Not Found” tab. That shows access to URLs that the site could not deliver. This may be due to a typo at the visitor end, a changed file or post name at my end, or visitors with ill intentions trying to find vulnerabilities by searching links and even trying to inject code by way of malformed URLs. Every site will get these; I am almost certain your site gets the same treatment, since these are done by small programs called “bots” that go out and look for these security holes. If I get too many hits from a particular IP number or see other suspicious behavior, I can click on [block] next to the IP and reject all future access from that point. Optionally, I can block networks, which will include a range of IP numbers, or even countries if I wanted to. I set my default block time to 60 days, and users from those nodes will not be able to get anywhere on my site.
Wordfence also alerts me when I log in to the site as well as if anyone attempts to log in with a bogus name. When the latter happens, the user is locked out because of the settings I showed above. I also receive updates if they have discovered a security hole in a plugin or theme. If it happens to be one I am using, I immediately update the item or even temporarily suspend using it if there are no updates.
Your site is more vulnerable to outside attacks than may be obvious. Taking precautions to safeguard your work makes sense, especially if these tools are available at no cost to try. I have been very pleased with the protection these services and plugins provide, and the speed advantages that come from CloudFlare’s CDN (content delivery network) are the icing on the cake. Wordfence also offers some local caching, but I am not sure if there is any additional advantage to using both services.
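The manual “Pages Not Found” review described above can be approximated in a few lines. This added example is not Wordfence's code, and its function name, thresholds and log entries are constructed. It counts distinct missing URLs per IP and per /24 network (IPv4 only), so one visitor retrying a stale link is ignored while requests spread across a range still show up.

```python
import ipaddress

# Constructed sample of (client IP, requested path, HTTP status) entries,
# the same fields a "Pages Not Found" view shows.
SAMPLE_HITS = [
    ("203.0.113.5", "/wp-login.php", 200),
    ("198.51.100.23", "/old-post-name/", 404),  # same stale link, retried
    ("198.51.100.23", "/old-post-name/", 404),
    ("198.51.100.23", "/old-post-name/", 404),
    ("192.0.2.14", "/missing-a", 404),
    ("192.0.2.14", "/missing-b", 404),
    ("192.0.2.14", "/missing-c", 404),
    ("192.0.2.77", "/missing-d", 404),
    ("192.0.2.77", "/missing-e", 404),
    ("192.0.2.91", "/missing-f", 404),
]


def flag_sources(hits, per_ip_limit=3, per_net_limit=5, prefix=24):
    """Return (ips, networks) whose distinct 404 paths reach the limits.

    Counting distinct paths rather than raw hits keeps a visitor who
    reloads one broken link from looking like a scanner.
    """
    ip_paths, net_paths = {}, {}
    for ip, path, status in hits:
        if status != 404:
            continue
        # strict=False masks the host bits, e.g. 192.0.2.14 -> 192.0.2.0/24
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ip_paths.setdefault(ip, set()).add(path)
        net_paths.setdefault(str(net), set()).add(path)
    ips = sorted(ip for ip, p in ip_paths.items() if len(p) >= per_ip_limit)
    nets = sorted(n for n, p in net_paths.items() if len(p) >= per_net_limit)
    return ips, nets


if __name__ == "__main__":
    ips, nets = flag_sources(SAMPLE_HITS)
    print("candidate IP blocks:     ", ips)   # ['192.0.2.14']
    print("candidate network blocks:", nets)  # ['192.0.2.0/24']
```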
Now, it’s your turn to look into these and decide if you want to use them or not.