Fortifying WordPress Security – using MalCare

Why do websites need to be secured?

On average, there are already 60 trillion URLs for malware and phishing scams. New malware with specific targets is discovered on a daily basis.

Search engines like Google blacklist 20,000+ websites for malware presence, and 50,000+ for phishing each week. But what does this mean? A red flag on your website? A warning to your dwindling visitors? Loss of revenue? Loss of credentials and personal data? No, it doesn’t just stop there. If your website has been hacked, until your website is fixed, you are off the internet. You are on Internet Detention.

Small businesses are reeling from ever-increasing cyber crime, and a hacked website can have even greater consequences if Google lists you as infected. Specifically, these consequences are tied to the website's SEO rankings, trust and, most punishing of all, our reputation.

Being blacklisted destroys a small to medium level company’s chances of making it big. The impact may even be as terrible as traffic to the site dropping by 50% in a month and minimal sales. Businesses might argue that getting hacked is not their fault, and blame their web hosts or the hackers.

Google’s position, however, is that it is keeping the internet safe for everybody to use. Who is correct in their argument? We can argue that as an influential part of the community, the business owners can do their very best to keep their websites secure and achieve Google’s goal as well.

Online businesses can kill two birds with one stone: keep their reputation intact and provide a safe environment for all internet users.

There’s something very human about wanting to feel safe. Many of us can be gullible when looking for trust and security. But life tells us that if we leave the house door unlocked before going on vacation, we can expect a TV or laptop to go missing.

Is WordPress secure?

WordPress is an extremely popular CMS. It has been recognized as the unrivaled platform for online businesses of medium to high level and is even favored by bloggers all over the world. WordPress realizes that with such popularity comes great responsibility for the security of internet users.

Things kept in boxes 400 feet below the ground in the middle of the desert that no one knows about are very secure. There’s a catch: no one even cares. They’re also very useless. A WordPress site, like the internet it lives on, faces complex and dynamic risks in its environment and needs protection.

As with all popular software with millions of users, WordPress has thousands of attacks aimed at it round the clock. Hackers are bound to spend enormous amounts of time and energy on the biggest target because that will give them easier access to a large number of websites. Hackers can’t resist such a bountiful honeypot. However, it is a sticky one.

WordPress itself is heavily monitored by the WordPress team and scores of WordPress developers across the internet. There are old-school bounties awarded to those who spot security issues in the code, which are themselves quite rare. The predominant cause of WordPress hacks is outdated plugins and themes. WordPress is regularly updated, and patch fixes are almost instantaneously deployed.

For all the bullseye that WordPress’ popularity paints on it for hackers, it has been widely successful in deflecting major malware attacks. On any given day, there’s only a minute 0.00001% chance that an unpatched problem in the WordPress software is being attacked.

If WordPress is secure on its own, why care about WordPress Security?

WordPress takes care of its own, but there’s no failsafe against ignorance or targeted malicious intent. You are likely to be caught in the crossfire of exploitation and automated attacks from unexpected sources.

No, we do not mean your techno-genius-wizard niece (although you should tread lightly around them) but botnets. Hackers control the attacks, but botnets hammer at your defence system to get through and wreak havoc by exploiting backdoor vulnerabilities and spreading malware. Botnets don’t care how important your site is, or what they can gain from it.

The hackers behind them may have various motives, like redirecting traffic to their own site, taking over SEO rankings, political messaging, infecting your visitors with viruses (drive-by downloads), sending spam, or using your server's computation to mine cryptocurrency such as Bitcoin, and so on.

The reasons may vary but we hope you understand that even if you are a small business, on a secure platform like WordPress, your site is not obscure to wilful hackers.

Furthermore, WordPress security relies on a whole stack, not one monolithic piece of code. A large variety of technologies are at play on the internet, and any of them could get infected at any point. For example, the WordPress backend runs on PHP. Sometimes, some versions of PHP might contain a vulnerability that can be exploited. MySQL configuration settings might go amiss. When you keep everything up to date regularly, you won’t have to face such compromising situations. You could set up a cheap VPS, but that might just leave you with a false sense of security.

Think about it this way: just because a king at war lives in a fortress, will he not keep bodyguards? Your website is the same. A security plugin is your site’s bodyguard. A firewall is your site’s fortress. Every little addition to your security inventory adds an extra layer of security.

What is MalCare?

For some time now, we have been on the lookout for a decent security plugin.

The WordPress community is extremely helpful, and we were recommended a new security plugin called MalCare.

MalCare is from the makers of BlogVault, the trusty WordPress Backup plugin. At first glance, we were impressed with MalCare’s offerings. They claimed a unique setup that implements and enforces Site Hardening and Maintenance techniques, apart from scanning and cleaning out malware with just a few clicks. The plugin even blocks untrusted IPs and bots through an enduring Firewall, all while not overloading our own servers.

We believe our WordPress website needs a reliable security strategy to overcome malware or vulnerability scares. WordPress doesn’t include such an advanced level of security, so we let MalCare directly tackle all our WordPress security concerns.

MalCare Features List

  • One Click malware Scan
  • Daily Automatic Scan using 100+ Intelligent Signals
  • Detects Complex malware
  • Tracks all changes
  • Syncs to MalCare server
  • Security operations run on MalCare server without slowing site down
  • No False Alarms
  • Early detection of malware before Google blacklists or web hosts shut down the site
  • One click Malware Cleaner
  • Rolls back to clean version of site
  • Careful Removal of malware without affecting rest of the site
  • Integrated Web Application Firewall
  • Firewall Live Tracking Graph
  • Firewall Audit Log
  • Tracks bad IPs across Global Server Network
  • Blocks bad IPs
  • Tracks Bypassed Requests
  • Suspicious Login Alerts
  • Captcha-based Protection
  • Brute Force Attack Protection by Limiting number of failed login attempts
  • Login Request Live Tracking Graph
  • Login Requests Audit Log
  • Site Hardening
  • Changes security keys
  • Protects Upload Folders
  • Prevents PHP execution in vulnerable folders
  • Disables File Editor
  • Disallows plugin and theme installation
  • Site Management
  • Helps Reset passwords
  • Helps Update plugins and themes
  • Tracks newly added plugins and themes
  • Helps remove idle plugins and themes
  • Helps update WordPress core
  • Auto updates plugins and themes
  • Offers Protected by MalCare badge

Setup and Configuration

We didn’t have to manually set up or configure MalCare.
We installed and activated the plugin, as you would any other plugin. Then we signed in on the MalCare website.

Now we see the MalCare dashboard.

Security

Enable Security on your MalCare dashboard and you will get the option to secure your site from malware.

Website Security Scan

Typically MalCare scans your site automatically every 24 hours.

Scan Now lets us scan our site whenever we are suspicious of any malicious presence on it.

Is my WordPress site hacked?

If and when your site is hacked, you will get an alert via email and notification as well. Then you can let MalCare clean your site for you. We had an old site lying around which had been hacked long ago.

We were immediately alerted to the hack when the website was scanned. The alerts are on the Site Listing page, Dashboard’s Website Information section and Clean Card as well. We even receive an email alert, and notifications. What we mean to say is, there is no way you can miss the Hack.

Now we used the Auto Clean button on the Clean card of the dashboard and ta-da! Within a few clicks, the malware was removed.

We even checked the site later, and on scanning, found it clean.

Protection from Brute Force

MalCare website Protection is threefold.

  • Firewall: We like the graph display of Firewall stats. Each color represents a type of request sent to our website. In this case, there were 20 requests that were allowed to pass through, 0 blocked and 0 bypassed (or whitelisted) requests. You can even review the requests in the Audit Log.
  • WordPress Login Protection: This graph maps out the number of login requests to our website. Just like the Firewall graph, different colors depict different types of login attempts. Successful logins are in green, blocked logins are in blue and failed login attempts are in red. MalCare even blocks the login page for IPs which fail to log in successfully for half an hour.
  • Best Practices: WordPress recommends Hardening Security practices like protecting Upload folders, disabling file editors, and changing security keys. MalCare helps you perform all these protective actions and more. We could even disallow unauthorized plugin installations and uninstallations!
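The hardening practices in the last item can be checked by hand on any WordPress install. The script below is an added example, not MalCare's code and not part of the original review: it audits a document root for the `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` constants, for secret keys left at the sample placeholder, and for PHP files inside the uploads folder. It assumes an Apache host (hence the `.htaccess` check) and runs against a constructed sample site.

```python
import re
import tempfile
from pathlib import Path

# WordPress constants: disable the dashboard file editor / block plugin and theme installs.
REQUIRED_TRUE = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
SECRET_KEYS = [f"{p}_{s}" for s in ("KEY", "SALT")
               for p in ("AUTH", "SECURE_AUTH", "LOGGED_IN", "NONCE")]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def defined_values(php):
    """Map constant name -> raw value, skipping define() calls on commented-out lines."""
    live = [l for l in php.splitlines()
            if not l.lstrip().startswith(("//", "#", "/*", "*"))]
    return {m.group(1): m.group(2) for m in DEFINE.finditer("\n".join(live))}


def audit(wp_root):
    """Return sorted hardening findings for a WordPress document root."""
    root = Path(wp_root)
    consts = defined_values((root / "wp-config.php").read_text(errors="replace"))
    findings = [f"{c} is not true" for c in REQUIRED_TRUE
                if consts.get(c, "").lower() != "true"]
    findings += [f"{k} is missing or still the sample placeholder" for k in SECRET_KEYS
                 if consts.get(k, "").strip("'\"") in ("", PLACEHOLDER)]
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():
        for p in uploads.rglob("*"):  # executable PHP has no business among media files
            if p.is_file() and re.search(r"\.(php\d?|phtml|phar)$", p.name, re.I):
                findings.append(f"PHP file in uploads: {p.relative_to(root).as_posix()}")
        if not (uploads / ".htaccess").is_file():
            findings.append("uploads has no .htaccess blocking PHP execution (Apache assumed)")
    return sorted(findings)


def demo():
    """Build a constructed sample site in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp, "wp-content", "uploads", "2024")
        up.mkdir(parents=True)
        (up / "logo.png").write_bytes(b"\x89PNG")
        (up / "cache.php").write_text("<?php // constructed stand-in for a dropped file\n")
        Path(tmp, "wp-config.php").write_text(
            "<?php\n// define('DISALLOW_FILE_EDIT', true);\n"
            "define( 'DISALLOW_FILE_MODS', true );\n"
            "define('AUTH_KEY', 'put your unique phrase here');\n")
        return audit(tmp)
```

Calling `audit("/path/to/your/site")` on a real document root returns the same kind of list; an empty list means none of these particular checks failed, not that the site is clean.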

MalCare accommodates all our security needs by even taking care of our website backups.

We generated reports on website security scans and backup status, as well as details on the plugins and themes on our site. A detailed history of scheduled reports is also easily accessible. The customized description is a cherry on top for website developers who want to reassure their clients of their website’s security.


Dashboard Management

Depending on the plan you choose, you can enable or disable Backups and Security whenever you want.

The MalCare dashboard is very inclusive. You get a brief look at all your resources (WordPress core, themes, and plugins). We could even manage our site from the MalCare dashboard itself and learn all about our site’s add-ons in bite-sized snippets. That includes installing, uninstalling, and updating WordPress core, themes and plugins.

Based on all this, your Overall Security is graded from D to A. That is, D for the worst website health, and A for the best protection against hackers and other attackers. MalCare gave us suggestions to follow to improve our Security Grade.

For example, at grade B, we were told to update our plugins and themes. When we did just that, our grade went up to A.
This leaves no room for confusion or even negligence.

Protected by MalCare Badge

Now you can establish trust with your customers using the MalCare security badge. It will be visible alongside the website footer, near the WordPress badge.

Subscription Plans

All the Subscription plans include the following:

  1. Scanning
  2. Cleaning
  3. Login Protection
  4. Web Application Firewall Protection
  5. Site Hardening
  6. Customized Support

The pricing for each plan varies from $59 per year to $99 per year (or more if you want to secure more than 20 sites with MalCare.)

Take your time deciding on the right plan. We have used the Security+Backup Plan.
You can, in the meantime, try the MalCare Free Plugin.

Customer Support

Apart from offering this feature-packed plugin, the MalCare support team was kind enough to tell us about certain other security pitfalls to look out for. They cleared our doubts about SSH certification and Captcha-based protection as well. Thanks for that, MalCare! This goes to show that the MalCare support team is greatly resourceful and knowledgeable. Contact them here.

They have an FAQ and Help section at our disposal too.

P.S. – MalCare has an Affiliate Program and you know what that means! Go for it, and help the Internet community become a safer place for all of us.

The Verdict

Even if you consider yourself just a small-time or medium-sized online business, don’t just rely on your web hosts, or WordPress for security. MalCare as a WordPress security plugin, we think, makes a good case for itself with its potent list of features. Give it a go, experience such unparalleled peace of mind, and let us know what you think.

About the Author

Susmita is an engineer, a writer and a dancer - not necessarily in that order! Ever since she discovered WordPress, she has not ceased to be amazed by how this community-driven platform brings people together - in more ways than one. And yes, she loves binge-watching movies!
