WordPress Security Services – What Really Works?

It's been another of “those” weeks, with WordPress security services causing me to tear my hair out. Do they work, or do they not? I have tried several over the last months and yet I still find myself in crisis every so often.

I was working away on my blog quite happily last week, made my usual weekly post, then later that night I just wanted to check – before going to bed – that I had “handled” all my comments.

Can't Login To WordPress

BloggingAfter640whiteHmmm – well it was late (it always is) so I decided to leave everything until the next day, because sometimes these things sort themselves out with a reboot and a sleep (by me AND the PC).

But no – I was solidly locked out, not just a “forgotton password” type of lock out, but “weird messages appearing on my screen” type of lock out. That's as technical as I want to get!!

Let me say first off that I already have in place what I consider as the “basics” of security on my site.

WordPress Security Basics

There are some basic tips that everyone should follow, and I have been doing these since I learned how important they are.

  • My theme and plugins are up-to-date, I check almost daily
  • I do not use admin as a username
  • I use a strong password – it is 24 characters long and includes symbols
  • I use a strong hosting password – 18 characters and symbols
  • I stop brute force attacks by limiting the number of times people can attempt to login using the free plugin Wordfence for this

Compromised Or Not?

I contacted my hosting company and they responded pretty fast saying my site had been compromised and sent a scan of “suspect” files to delete or repair, plus standard advice about securing a WordPress site (all of which was already in place).

However, when I looked at the “suspect” files list, I couldn't see anything wrong with them (not that I was sure what I was looking for!) and one of the files was a text file within my security plugin Wordfence!

It seemed a bit crazy just to start deleting random files so I decided to investigate further.

  • I have a paid security plugin WP Site Guardian too, so I contacted their support desk because, for a non-techy blogger, the messages from their plugin aren't terribly user-friendly. They couldn't see a problem and said that often hosting company scans report “false positives”.
  • I downloaded my site to my PC and scanned with a couple of anti-virus programs, nothing found.

Free Online Malware Scan

SecuriScan for WordPress security issuesIf only I had known about Sucuri Free Website Malware and Security Scanner.

As of today, I have checked my site and it's all clean, but unfortunately I didn't find this free version of Sucuri until several days later; the hosting company pointed me in the direction of a paid version.

Now admittedly (a) I have fixed the problem that ManageWP's scan identified and (b) the Sucuri free scan doesn't promise to be 100% effective. You need the paid version for that!

But it's a helpful start, so you may like to bookmark it!

However, going back to where I was a week ago from now, without the benefit of knowing how to do the free online malware scan, I was flummoxed as to whether my site had WordPress security issues or not.

All I knew was that I couldn't login into WordPress and I had no idea why. Then I found……

Another Way In!

I remembered that there's a security scan on my ManageWP.com dashboard, so I logged into that.

  • First surprise, I could actually login to my site – which I couldn't from the usual WP login
  • Second surprise – the ManageWP.com scan showed my sites as “clean”. (Google webmaster tools did too.)

I asked ManageWP.com why I could login via their dashboard and not the usual login, and they were super helpful. That's much appreciated given that their application was working perfectly!

They did an entirely different and more in-depth scan which showed a problem in “mu-plugins” (apparently that's “must-use” plugins) that hadn't been picked up by the hosting company. I emailed the new scan to the hosting company and a different advisor from my first one deleted the corrupt area, recreated it “empty”, and all was well.

Although I've condensed that into a few words, it took HOURS to resolve and ended up with me staying up until 5am to finally get my site back again about 30 hours after I first noticed the problem.

This isn't fun. I seem to spend more time fighting my site than writing it.

Enstine Muki To The Rescue

EnstineMukiI was chatting by email with Enstine Muki about something entirely different and mentioned that I was stressed (again) because of problems with my site being compromised.

He asked me if I was using a CDN (Content Delivery Network).

Although I'd heard of them, I didn't know much about them, because I'd assumed they were “expensive and technical to set up”. Quick education from Enstine in the form of recommendation to read the two articles below – plus the revelation that CDN can be free with CloudFlare.com and there should be a free service with my hosting company.

Free Or Not Free?

cloudflare wordpress security servicesAlthough there was free access to Cloudflare, including WordPress security services, within my hosting company account, their free plan didn't include SSL support, although CloudFlare's free plan does support it.

The hosting company say that their free plan gives extra speed instead.

I was tempted to switch off my SSL until Enstine reminded me that having SSL could help with ranking in Google.

So, instead, Enstine suggested it looked pretty straight-forward to set up CloudFlare direct, instead of via the hosting company.

We decided to give it a try!

Easy Or Not Easy?

Well, we've all heard that certain technical things are “easy” but the question is “easy for whom?”  I'm not a “technical” blogger, and have no aspirations to become one!

I want my blog to be like my car – start it up, and away I go.

To my relief I can honestly say that setting up CloudFlare WAS easy, and I had it done in a few minutes.

Setting Up A Content Delivery Network

Enstine explained that the stages involved were:

  1. First, create a CloudFlare account
  2. Then add your domain to it
  3. CloudFlare will give you Nameservers for your domain
  4. Change the Nameservers at the level of your domain registrar

I did everything without a hitch and received a “Welcome” email from CloudFlare. They assured me that my site wouldn't be “down” at all.

There was only one potential worry, because my hosting company advised me that I would need to:

Keep in mind that after using their DNS Zone you will then need to point the “A” record for your domain to your server at your hosting company

This threw me a little, because although I have heard of “A” records I don't know how to change them.

I rang my domain registrar, GoDaddy.com, and they were very helpful but explained that the A records would be associated with the CloudFlare DNS. So I checked my CloudFlare account and found it had already been done with the automatic set up. So even that potential scary bit had been handled!

Enhanced Security Protection With CDN

Amazingly, while he was helping me do all this by email, Enstine had an idea for a blog post about WordPress Security showing how the CloudFlare CDN had protected his site from hackers. If you haven't got a CDN, it makes scary but essential reading!

To have produced a blog post of that quality while still answering my emails, I can only think (as I've thought all along) that Enstine is a complete productivity genius, and one really kind blogger to have taken so much trouble to  help me!

Effect Of CDN On My WordPress Securitycloudflare for wordpress security

You've seen Enstine's results above and they're impressive.

Even though I only implemented Cloudflare yesterday, I can already see that 12 threats have been stopped. That may not seem many to people with high traffic, but if I can keep 12 hackers off my site in just one day, that's good enough for me.

I'll be watching with interest as I spend longer using Cloudflare.

Your WordPress Security Services?

  • Are you using a CDN?
  • Does you often get WordPress security issues?
  • If not, what extra measures are you using that I'm missing?
  • What WordPress security services do you trust?

I'd love to read your comments about your experiences with WordPress security services.

Please share

I left it too late to plan for a financially secure retirement. Don't make my mistake. Start building an extra income with a part-time (or full-time) business online. Think you don't have time? Can't afford the start-up cost? Can't meet sales targets? Contact me for free advice (no obligation) on the best fit for your circumstances.

Enstine Muki - February 8, 2016

Hi Joy,
Thanks for creating this post about our chat and linking back to my article. It’s a wonderful thing working with you. Each time we have a chat, something exciting always pops up.

I’m glad your blog is stable now. Though the security steps you have taken may not be 100% sure, there is going to be some improvement. From your stats above, you can see Cloudflare is already fighting.

They do a great job of stopping threats but those that manage to escape Clouflare will surely be handled by your security plugin.

While we blog and grow, let’s not forget security.

Do have a wonderful week ahead Joy 😉

    Joy - February 8, 2016

    Hi Enstine,

    Yes, things seemed to have settled down again. 100% perfection is probably never attainable, but if I get a bit of respite from added protection that’s a relief.

    Last night I emptied my WP Site Guardian log which was so jam-packed with “scary sounding error messages” that I couldn’t see the wood for the trees. I just looked at it again and it’s empty, so Cloudflare is probably picking those nasties up before I ever see them.

    I have checked my CloudFlare stats again this morning and the attacks blocked have more than doubled over night – yes USA is leading with Ukraine a close second. Checking is getting addictive 🙂

    My WordFence stats are also making more sense now, so I’m having a session blocking IPs that are accessing pages they have no right to be looking at (like logging in).

    This week looks set to be a lot calmer blog-wise than last week, so big thanks to you again!


David Hartshorne - February 8, 2016

hi Joy,
You do seem to have your fair share of security issues don’t you!!
Glad you got sorted with help from Enstine.
Since switching to Pressidium Managed WordPress Hosting I don’t have to worry about security- they look after that and much more
Hope you stay secure!

    Joy - February 9, 2016

    Hi David,

    I’ve had many problems and although I learn something and hopefully improve from each incident, it does get rather wearing when really all I want to do is produce content and market my blog.

    I’m currently on shared hosting with SiteGround, having worked my way through dreadful experiences with a couple of other hosting companies. This last week’s experience wasn’t great, but in general I’ve been very happy with them.

    I read your post about Pressidium Managed WordPress hosting and for me there are lots of points in its favor with one minor against (just that I have some non-WP sites).

    Will see how “things” go for the next few months, as I’m on an annual contract with SiteGround.


Philip Verghese Ariel - February 8, 2016

Hi Joy,

Nice to be here again to read your latest post! 🙂

Oh my! this is indeed a timely one!

And am sure all bloggers should make note of the points mentioned in it!
Security is vital!

And in fact taking care of our space is more important than anything else!
Our hard earned/created resources need to be protected!
Lot of things are to be noted from this post, especially the CDN thing as noted by Enstine is a new thing to me too!
Thanks for sharing about it in detail and your experience and the result with it.
I am bookmarking this for my further read
Keep sharing
Have a great and profitable week ahead.
~ Phil

    Joy - February 9, 2016

    Hi Philip,

    Learning about Content Delivery Networks is just another of the learning steps in starting an online businesses. As I’m sure we both learned the WordPress Security Basics above, we’re now building on that knowledge and taking more important steps to keep our content safe – because WOW – what a disaster it would be to lose all our blog content.

    Pleased to pass on Enstine’s knowledge to you and hope it helps you and many others.

    Have a great week too, Joy

Tasleem Khan - February 8, 2016

Thank you for this post, sorry to hear about the problems you had. I always worry about things like this, so it was very very helpful.

    Joy - February 9, 2016

    Hi Tasleem,

    I wouldn’t wish the problems I’ve had on my worst enemy, let alone my blogging friends, so I do hope you’ll implement some of these measures, and tell other people about them too.

    Good luck! Joy

Lea Bullen - February 9, 2016

Hi Joy,

WordPress security has been truly crazy lately. I kept getting emails about updates and attacks. I’m not thrilled with having to handle the technical aspects of the site, especially when something is wrong, but you do have to keep it working.

I do believe I’m using CloudFlare. I think I did set it up last year or so. I also use Wordfence to keep me updated on the plugins that need to be updated and securing my site all around. I remember I was getting a lot of brute force attacks last summer now, its just a handful if any.


    Joy - February 9, 2016

    Hi Lea,

    Yes, I’m sure I don’t remember WordPress security being as bad as it is at the moment. We seem to have to take more and more measures all the time.

    It’s encouraging to hear from you that you’re being attacked less since you installed CloudFlare. I’m hoping to see a similar tailing off.


James McAllister - February 9, 2016

Hi Joy!

First off I’m glad to hear that you’ve taken care of a lot of the issues. I remember speaking with you about them, and that is scary stuff.

You’d think I’d be a bit more careful on the security side of things considering I’ve been a victim of hacking multiple times before, but I just haven’t bothered to improve it. I’m going to have to make that a bigger priority, because it seems like so many of us put it off until we become a victim… I do use WordFence and a backup plugin but it doesn’t go much farther beyond that.

You’ve mentioned a lot of services I may consider using, so thanks for this post Joy!

– James McAllister

    Joy - February 9, 2016

    Hi James,

    It seems we just have to keep adding more and more levels of security to our sites – very depressing. I’m going to be interested to see if CloudFlare has taken the load of WordFence and WP Site Guardian. Bit early to tell, but I really do think the warning messages are reducing.

    I hope you’ll give CloudFlare a try because it was genuinely simple to install and, although I wondered if there’d be some follow-up problem I’d missed, it all seems to have settled in well. (Fingers crossed).


Katrin - February 9, 2016

Hi Joy,
interesting article!
I have run into security problems several times, and quickly decided to use a CDN (CloudFlare), which was an excellent decision.

When I set up a WordPress site I usually install 3 different security plugins (WordFence, Acunetix and Sucuri), as their main focus seem a bit differ from each other. That has worked very well.

Also, when I notice there is an attack or someone tries to login with a false user ID and doesn’t give up on it, I adjust the settings for how long they get logged out or I mark the site as under attack in CloudFlare. These things work well!

I hope for you that you never run into these kind of troubles again. Good luck with everything!

    Joy - February 9, 2016

    Hi Katrin,

    Thanks for those extra tips and plugins to investigate. If I see someone being persistent with attempts I block their IP, but I guess they could be spoofed IPs anyway.

    I’m encouraged by the number of people saying that CloudFlare has helped their sites – so much so that I think I’m going to be putting another site on there!

    Thanks for visiting my blog, Joy

Kim Willis - February 10, 2016

Hi Joy

Being privy to your plight gave me pause to think about my own security issues over the last few days.

Two years ago I got hacked which created no end of problems. Since then we instituted a range of measures that – so far – have not resulted in new issues.

It’s great that you’ve resolved the problem with the help of Enstine

I like the look of the Cloudfare strategy – people should check it out

Installing a security program is vital. It’s a bit like buying insurance. You hope a negative event never happens, but if it does, you’re covered.

Thanks for another helpful and practical post, Joy


    Joy - February 11, 2016

    Hi Kim,

    I’m hoping that this will be the end of it. However I just heard (in an iPro webinar) that “apparent malware” can be because of someone else on a shared hosting platform. What a nightmare it is.

    Hope to have helped someone avoid the issues I went through last week. And with hindsight, more resources were saying my site had NO malware than my host that said I did have!


Adrienne - February 11, 2016

Hey Joy,

I’m SO sorry you had these issues and I know how it is spending hours upon hours trying to resolve a problem that should have taken no more than maybe 30 minutes had everyone looked at things thoroughly to begin with. When I was with shared hosting they were quick to blame me for everything instead of help me resolve an issue I didn’t know how to resolve. 99.9% of the time it was something they could easily help me with.

So I have all the normal things in place but I’m also with a VPS service now and have been for two years. I also have something in place that doesn’t allow hackers to even access my login page. Ashvini created this for me years ago and boy did it ever work.

I haven’t had issues in years now and am truly blessed. I have been with a hosting service though that was hacked so no fault of mine, my blog was compromised so it’s never a fun thing to have to deal with. That’s why we have the things in place that we do because we just never know what can happen.

Glad Enstine got you set up too, he’s a sweetie for helping you with that. Hope it’s smooth sailing from here on out.


    Joy - February 13, 2016

    Hi Adrienne,

    It was a truly horrid week and I do feel rather aggrieved that the hosting company, which I’ve previously praised for good support, fell short of my expectations this time.

    From talking to others, as well as your comment, it may be that shared hosting is causing me problems I can well do without. I’ve been investigating other options and David’s Pressidium Managed WordPress Hosting is looking like the front runner at the moment, but I’d be very interested to hear what you’re using when we have our chat.

    I suppose I’m just going through the growing pains that every blogger goes through and learning bit by bit.

    Yes, I was truly grateful for Enstine’s help and hope against hope that everything will settle down now.

    Thanks for your encouragement, as always, and have a great weekend, Joy

Chery Schmidt - February 13, 2016

Hello Joy, I hate to hear things like this, why do people have to be so corrupt, I just don’t understand it all.

Why?? I am happy Enstine was able to help you out, he is a great guy HUH?

As far as CloudFlare goes, OH MY I have never heard of this before and was kind of lost when you were talking about it..

You don’t think you are techy? It takes me forever to figure out how to do anything… I to would like to think of my blog as my car and just turn a key.. “Wouldn’t that be nice” LOL

Great job my friend..
Thanks for sharing
Chery :))

    Joy - February 13, 2016

    Hi Chery,

    If it weren’t for lovely people like Enstine, you, the other PAC members and several other bloggers I think these constant battles would just be enough to make me pack it all in. Stubborn as I am there comes a time when it is all just too silly. No wonder family members look in amazement at me!

    As you say – WHY? What have I ever done to these people? I just want to mind my own business and them mind theirs.

    I would never have figured out Cloudflare without Enstine LOL. But the problem is, I don’t actually want to have to figure it out.

    It’s like having to do my own major service to the car before I drive to the shops. I really am tearing my hair out.

    Will try and get odd my soapbox now 🙂 Thanks for your kind words, Joy

Edward Thorpe - February 14, 2016

Hi Joy,

What an exciting online life you have!

Despite your troubles, this is an interesting and important post for any blogger. I use my hosting company’s Cloud setup. From your experiences, I’m gonna check out cloudflare. com.

Kudos to Enstine! Whatta good man to have your back.

Have a great week,

    Joy - February 14, 2016

    Hi Edward,

    Exciting is one way of putting it! I think someone has put the old Chinese curse on me: “May you live in interesting times.” (Although according to: http://quoteinvestigator.com/2015/12/18/live/ there’s doubt as to what is the correct version and its history!

    However, that aside, my online life is far more exciting than I would like it to be, and actually all I want to do is get on with blogging and marketing.

    But “they” say that providing solutions to others is what successful, value led, blogging is all about. So I hope that this and my other posts will contribute to helping some newcomer to blogging who gets hit with some of the challenges that follow me about.

    Enstine was a star – thanks are also due to you and all the others in my community at PAC http://www.poweraffiliateclub.com/ who have also been so helpful encouraging me with their suggestions.

    Actually – it’s still a learning curve as (like it or not) I find out more and more about the odd world of WordPress Security.

    Enjoy the rest of your weekend, Joy

Peter Beckenham - February 15, 2016

Hello Joy,

Normally I would leave you a much longer comment than this but to be perfectly honest, after reading your post I am completely blown away.

I only have 2 forms of security on my blog and both are plugins. All-in-One WP Security and WP SpamShield. I did have WP SiteGuardian but removed it as it did not allow anyone to leave comments on my posts.

So it looks like I’m completely open to be hacked. Now I am worried.

I’m a technical dunce – more so than you by the way – so I’m off to seek out some help and advice.

Thanks for sharing what must be have a horrible experience Joy

Best wishes from a remote Thai village blogger with no tech skills whatsoever!


    Joy - February 15, 2016

    Hi Peter,

    Yesterday another blogging friend recommended I install All-in-One WP Security. When I did it came up with loads of extra things I could do beyond what WordFence had told me. I’ve now done most of these so it’s probably protecting you pretty well. Will do the others as “things” settle, because as I flick one switch something else gets “upset”.

    I’m getting a lot of spam now, but that’s the least of my problems – I think I had WP SpamShield but it clashed with something else and I had to remove it. May try it again, I’ve been switching plugins in and out so fast I hardly know where I am!

    Some people are telling me that it’s being on shared hosting that’s the problem – some say it isn’t LOL! I had innocently assumed that the hosting company and a strong password would protect me from all this, but it’s not the case. Their scan didn’t even pick up the problem that was later found to fix the “damaged site”. This is about my fourth hosting company – I almost wonder if I dragged “something” over from my previous company which was Hostgator as I got pretty badly hacked there several times.

    I have backups, but would have no clue as to which version to recover.

    The real problem is that no-one seems as if they can tell me definitively if I have been hacked or not (many scans show my site as clean) nor how to actually get rid of it if there’s already a “backdoor” – other than by manually examining the files in my WordPress, looking for goodness knows what!

    There were some funny files being created in my root directory and no more have been created since I went on CloudFlare, so that does seem to have help. They’ve now been deleted.

    What really upsets me is the implication that I have been negligent in updating my site and with passwords, because I go into it every day and do updates as soon as they come out. Some are even done automatically for me by the hosting company to keep me up-to-date.

    Ah well – it’s an on-going investigation that cleverer people than I have failed to crack. I’ll share any more info I can.

    Meantime – a few spare minutes to do what I’m supposed to be doing!

    Joy – Blogging After Dark (which sometimes feels like Blogging IN THE Dark!!)

Erika Mohssen-Beyk - February 21, 2016

Hi Joy ,
sorry to hear about this troubles,
good Enstine had a solution for you.
I never had any troubles and hope
they stay away from me.
Thank you for explaining all
this and giving good advice.

    Joy - February 21, 2016

    Hi Erika,

    I’m well on the way to solving my problems, although a few more tweaks have to be made.

    It really baffles me why I have had all this trouble, because from a very “young-blog” age I have been very security-aware.

    I was hacked at a previous hosting company several years ago and am beginning to wonder if it was then and has been carried forward until it could be fixed now. The puzzle is that even Google is showing the site clean, and sending traffic to me.

    I really hope you never have to go through it all!

    Joy – Blogging After Dark

Atish Ranjan - February 26, 2016

Thanks for writing this post, Joy. For better security, the checklist you have mentioned are bang on.

Glad you have fixed the problem with the Enstine’s help.

Stay Safe.

    Joy - February 27, 2016

    Hi Atish,

    Glad you like the list – although I’ll be taking a look at a different approach in my next post.

    Have a great weekend. Joy – Blogging After Dark

Ann - March 1, 2016

Hello there, Thank you for this article

I dont actually understand all the details written here or in the comments

So I was wondering this. If I get sucuri DO I

1) have to decide what I need from what they offer (I wouldnt know)

2) is it hard is it to install for a NON-UNDERSTANDER” like me

3) is there code? I have broken my site before by adding code

4) and will any other security measures be necassary?

Thanks for your site! Ann

    Joy - March 1, 2016

    Hi Ann

    My site is a WordPress site, so I can only comment on WordPress installations. Yours may not be WP.

    Believe me you couldn’t be less technical than I am about all this stuff – and the problem is I don’t actually want to be technical. LOL

    In the end (see my next post – link below) I didn’t go the Sucuri route because for WordPress sites, like mine, I found what I thought was a better option because it ticked more boxes than the Sucuri route alone. That’s not meant to say Sucuri isn’t good – I’m sure it’s excellent – but the solution I found addressed more problems than the security problems I was having.

    Because of this I have no experience of how easy it is to install Sucuri, however they’re a very reputable company so I’m sure they will give excellent support. If I were you I would contact them before you buy and ask your questions. That’s what I did about the change of hosting that I eventually decided on.

    Sorry I can’t be of any help for non-WordPress sites, but if your questions related to a WordPress site, do feel free to ask more questions.

    Good luck, Joy – Blogging After Dark

Robin Khokhar - March 6, 2016

Hi Joy,
WordPress security is becoming an issue because more and more people are using it, WordPress is not only used for blogging but also for developing different kinds of sites. There are many Free plugins available which can make our WordPress site more secure but do use these plugin with care.
And also the things you have shared in the post are really good and your chat with Enstine.
Thanks for sharing.

    Joy - March 7, 2016

    Hi Robin,

    I suppose the problem with people using WordPress like static sites is that they may not be udating them as regularly as an active blogger does, so they will run the risk of having out-of-date plugins and themes, which as we all know, are more vulnerable to being hacked. So a checking routine needs to be established and adhered to.

    I was also given a tip to stick where-ever possible to plugins from the WordPress repository as they have more “eyes” checking them over.

    Glad you found it a useful post – and thanks for raising a point I hadn’t considered.

    Joy – Blogging After Dark

Comments are closed