We built IsItWP’s free WordPress security scanner to help you scan your website for known malware and hacks. It also checks your domain status with top search engines.
Our security scanner is powered by Sucuri. They offer the best WordPress security firewall. We use their services on our website, and we highly recommend that you do too if you’re serious about your website security.
The importance of WordPress Security
Because WordPress is the most popular website builder in the world, it’s no surprise that WordPress sites are favorite targets for hackers and spammers.
Unfortunately, many website owners take WordPress security lightly by assuming hackers only target popular websites. However, the reality is that hackers love low hanging fruits — websites that don’t follow WordPress security best practices.
That means if you’re not taking proper WordPress security measures, then you’re allowing the bad guys to sabotage your hard earned reputation, search rankings and your online business.
Do you want to know if your site is protected from malware? All you have to do is to scan your website with our free WordPress Website Security Scanner.
Let’s take a look at how our free WordPress security scanner works.
How Does WordPress Security Scanner Work?
Using our free WordPress security scanner is the best way to check your website for known malware and website errors.
Here’s how our security scanner works:
1. Submit Your URL to Our WordPress Security Scanner
To scan your website, all you have to do is enter your site’s URL in our WordPress security scanner and click the Scan Website button.
2. Our Tool Scans Your Website
Once the URL is submitted, our security scanner will check the website for any potential vulnerability threats.
3. You Get the Complete Scan Result
After scanning, you’ll get a detailed report on malware threats if detected, website backlist status and other security details of your site.
How to Protect Your Site From Malware
Using a Firewall is the best way to protect your WordPress site from malware.
A WordPress firewall plugin acts as a shield between your website and incoming traffic. It monitors all your website traffic and blocks any suspicious visitors to mitigate security threats even before they reach your site. By blocking suspicious visits, a firewall plugin helps you keep your server load in control and make sure that your website has good uptime.
Using a firewall plugin also helps you speed up your website and boost WordPress performance.
There are two common types of WordPress firewall plugins:
DNS Level WordPress Firewall
Using a DNS level firewall is highly recommended over application level firewall because it monitors all your site traffic by routing it through cloud proxy servers. After monitoring your traffic, the plugin only allows real users to your site.
Application Level Firewall
With application level firewall, you examine the traffic after it reaches your server but before loading most WordPress scripts. Compared to DNS level firewall, application firewall is not as efficient when it comes to reducing the server load.
DNS level firewall is exceptionally good at discerning genuine traffic from vulnerable requests. They do that by learning from thousands of websites, comparing trends, preventing known bad IPs, and blocking traffic to pages that your users would normally never request.
Sucuri is the best WordPress security provider that offers DNS level firewall to prevent hack attempts, brute force, Distributed Denial of Service (DDoS) attacks and zero block exploits. Sucuri also improves your website’s performance by reducing server load through caching optimization, website acceleration, and Anycast CDN (all included).
We use Sucuri for our websites including IsItWP. Our security scanner is also powered by Sucuri.
Or read our complete Sucuri review.
How to Fix Malware Infected Website
Is your WordPress site infected by malware?
Having our websites hacked in the past, we know how stressful it can be. Follow our step by step guide below to learn how to fix your malware infected WordPress website.
Step 0: Hire a Security Professional to Fix Malware for You
If you’re not technically inclined, then hiring a security professional is the best way to fix malware on your site. Handing over to an expert to clean up your website gives you peace of mind, so that you don’t have to deal with technical stuff that you’re not comfortable with.
Reputed security experts usually charge anywhere between $100 and $250 per hour, which is outrageous for small website owners.
For IsItWP readers, our friends over at Sucuri offer malware and hack cleanup for $199 which also includes their firewall and monitoring service for a whole year.
We personally know the team at Sucuri, and we wouldn’t be recommending them if we didn’t trust them with our own websites.
While we highly recommend you to hire an expert to fix malware, if you’d rather want to fix your website on your own, then follow the steps below.
Step 1: Identify the Hack
Dealing with a hacked website can be stressful. Before you start, write down everything you can do to identify the hack and fix the issue.
Here is a good checklist to run through:
- Are you able to log into your WordPress dashboard?
- Are there any redirects that take your visitors away from your site?
- Can you find any harmful backlinks on your site?
- Is Google marking your website as insecure?
Now that you’ve got a checklist in hand, the next thing to do is fix them one by one, so you can ensure you don’t miss out on any threat.
It’s advised to change your password before and after cleaning up your site.
Step 2: Check With Your Hosting Company
If you’re on shared hosting and you’ve found that your site is infected, chances are other sites may also have affected with malware. Get in touch with your hosting company and ask if they’re able to make a quick fix. Hosting providers like SiteGround and HostGator are good at this. They’ll be able to provide more details about the hack especially if other sites have also been affected.
You should read our complete SiteGround review and HostGator review to learn more about the hosting companies.
Step 3: Restore From Backup
If you have already setup a backup for your WordPress site, then you can quickly revert it to normal. The downside is that you may risk losing the latest content that has not been backed up.
After you’ve restored from your website backup, you’ll need to identify the reason for the threat and fix it to ensure it doesn’t happen again.
Step 4: Scan and Fix
Next, remove any inactive themes and plugins from your site that could be potentially vulnerable. More often than not, this is where hackers hide their backdoor.
Backdoor is a method of bypassing normal authentication and gaining the ability to remotely access the server while remaining undetected. This way hackers can regain access to your site even after you find and remove the exploited plugin.
After removing any inactive themes, you’ll have to install two plugins for further inspection: Sucuri WordPress Auditing and Theme Authenticity Checker (TAC).
Sucuri Scanner: It tells you integrity status of all your WordPress core files which enables you to identify where the hack is hiding. The most common places are themes and plugin directories, uploads directory, wp-config.php, wp-includes directory, and .htaccess file.
Theme Authenticity Checker: The Theme Authenticity Checker plugin enables you to scan your theme files for any potentially suspicious code. If potentially malicious codes are found in an installed theme, then the plugin will tell you the patch, the line number and display the suspected code. This makes it easy to take preventive actions on your own. This plugin comes handy to double check whether your installed themes have any encoded script slipped in it.
Step 5: Check User Permissions
Take a look at the Users section of your WordPress admin panel to ensure that only you and your trusted members have administrator access to your site. If you find any suspicious users, then you’ll need to remove them from your site.
Step 6: Change Your User Keys
If someone stole your username and password, then they’ll remain logged into your site unless you disable the cookies. To disable cookies and revoke unauthorized access to your site, you’ll have to regenerate a set of security keys which encrypts your password and then add it in your wp-config.php file.
Learn more about WordPress security keys.
Step 7: Reset All Your Passwords
Now that we’ve almost completed fixing the infected files on the site, the final step is to reset all your passwords including your WordPress, cPanel, FTP and MySQL passwords.
If you’re running a multi-user website, then you might want to force password reset for all your users. Also, you should check out this article on how to choose a secure password.
No matter the size of your WordPress website, security should never be overlooked. Below are a few recommendations for you to secure your WordPress website.
- Switch to a secure WordPress host: Choosing a secure WordPress hosting is your first line of defense in making your WordPress site impenetrable.
- Set up a WordPress backup solution: The most costly backup is the one you never did. Invest in a WordPress backup plugin, so you can count on your backups even in the worst case scenarios like getting your site hacked or files infected.
- Set up a website firewall and monitoring system: We use and recommend Sucuri for providing bulletproof security to all your WordPress websites and block the attacks before it reaches our server.
- Follow WordPress security recommended practices: Follow this ultimate WordPress security guide to implement security recommended practices on your WordPress site.
You might also take a look at the best WordPress security plugins.
