You will see for yourself how good WebsiteDefender (WSD) is at detecting even the smallest security risks on your website or blog, and why maintaining a secure website should be of paramount importance to anybody who wants to have an online presence.
To conduct our review we created a new website in WordPress and performed a vanilla install of the security plugin WebsiteDefender WordPress Security, which was created by the WebsiteDefender Team to help you protect your website or blog. We left all standard and default functionality in place, other than generating new WordPress unique keys and salts at https://api.wordpress.org/secret-key/1.1/salt/ and setting the FTP_HOST, FTP_USER and FTP_PASS constants in wp-config.php. It’s always satisfying to see the WordPress completion screen after just a few seconds 🙂
The WebsiteDefender WordPress Security plugin is FREE and the installation only takes a few seconds. A new WSD Security menu item will appear on your WordPress Admin page once the installation is completed and the plugin activated.
Clicking or hovering over this menu item expands it to reveal a number of sub-menu items. The WSD Security sub-menu item points to a sign-up screen for a WebsiteDefender account. It is very important that you take this step and register for a WebsiteDefender account, because it enables further advanced functionality. You can also sign up directly on the WebsiteDefender website. The registration dashboard includes a password strength indicator, which gets you off on the right foot from the outset.
Once you register your account, you will be asked to download an “Agent”. The WebsiteDefender Agent is a small piece of software (for the more advanced users, a block of PHP code) which resides in your website to monitor activity and report any vulnerabilities or under-the-hood hacking activity. In our case, we received a message saying that the WebsiteDefender Agent could not be copied automatically. Luckily WebsiteDefender provides a support link at every step of the installation that goes directly to a WebsiteDefender FAQ page and explains in detail the whole procedure you need to follow.
Installing the Agent is relatively simple and can be broken down into the following steps:
1. Log in to the WebsiteDefender Dashboard using the account credentials you chose when registering. Once you have logged in to your account, you will be notified that the Agent has not yet been installed.
2. Click the “Download” button to copy the Agent PHP file which you must upload to your site’s root directory. This can be done through your web hosting admin interface, or by using an FTP client to connect directly to the website’s root.
In our case, because we have local SSH access to our server, we simply created the WebsiteDefender Agent file at the expected URL, applied the appropriate permissions to the file and clicked “Test” to ensure that WebsiteDefender can connect to the Agent. As expected, WebsiteDefender recognized that our “compat” zip package was missing. If you are using an old version of PHP, you will receive an instant message through your dashboard asking you to download the “compat” zip package, upload it to the same directory as the Agent PHP file and then extract it.
3. Once the compat.zip file has been uploaded to the advised location and extracted, a “compat” directory containing four additional supplementary PHP files is created:
Now when we clicked “Test”, WebsiteDefender confirmed that the Agent is successfully installed.
4. The next step is to open the “Scan Settings” menu and enter a search pattern for your website.
WebsiteDefender will use this search pattern to determine whether your website is up and running with no hacking activity taking place. To choose your pattern you need to find a distinctive piece of text that appears on every page of your website, for example a legal notice covering your company’s trademarks and copyright. After you choose your pattern, click “Apply” to save your settings. You will be returned to your Dashboard, which very helpfully advises that the first scan has been completed and provides a rating of your website’s security.
5. Now we can go back to WordPress and click on the WSD Security menu item to see the updated status page.
If you open the “Scan Reports” menu item you will see a list of several security risks. The WebsiteDefender WordPress Security plugin checks whether you are using the latest version of WordPress and notifies you of any necessary upgrades. Each flagged item has a link to the WebsiteDefender blog explaining how to fix the security loophole, which could otherwise compromise your WordPress database security, PHP security or even your entire online presence. There is also a glossary at the bottom of the page explaining some of the terminology for less technically knowledgeable users.
We immediately set about fixing all the issues that were clearly indicated in our report. The WebsiteDefender WordPress Security plugin comes with its own Database tool to help you back up your existing database and rename your WordPress tables in order to hinder a potential attack. As you can see from the Database tool page, this requires your wp-config.php to be temporarily writable. If the status shows that wp-config.php is not writable, you can change its permissions in the site’s root directory, either on the web server itself or through your web hosting admin interface.
We made wp-config.php temporarily writable by setting its permissions to rw-rw-rw- (666). Note that within WordPress it is also very important to remove or rename the “admin” user so that your login credentials are less guessable and less susceptible to brute force attacks. The simplest way to do this is to create a new user with the Administrator role, then log in with the new user’s credentials and delete the existing admin user.
The backups directory MUST also be writable. This can be done at /your/location/of/wordpress/wp-content/plugins/websitedefender-wordpress-security/backups/ by simply updating the permissions to rwxrwxrwx (777). Once this change has been made, click the Database menu again to refresh the page and choose the “Backup now!” button. You have now created a database backup for your website or blog, which can be downloaded and stored safely.
When you get to this stage, do not forget to immediately change the permissions of wp-config.php back to rw-r--r-- (644).
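As an added example (not WebsiteDefender’s own code, and not a replacement for the plugin’s Database tool), the following POSIX shell script wraps the loosen-then-restore step described above so that wp-config.php goes back to 644 even if the intermediate step fails, and adds an audit function you can run afterwards to confirm the restore happened. It assumes GNU stat on the server; the demo at the bottom operates on a constructed, empty wp-config.php in a temporary directory.

```shell
#!/bin/sh
# Added example, not WebsiteDefender's code: wraps the "make wp-config.php
# writable, run the Database tool, set it back to 644" procedure so the
# restore step cannot be forgotten. Assumes GNU stat (stat -c).

# Octal mode of a file, e.g. 644, as printed by GNU stat.
file_mode() {
    stat -c '%a' "$1"
}

# Succeeds when the group or world write bit is set (664, 666, 777).
# In the symbolic mode (-rw-rw-rw-) those are characters 6 and 9.
is_group_or_world_writable() {
    case $(stat -c '%A' "$1") in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command with wp-config.php at 666, then restore 644 even if the
# command fails: the EXIT trap fires whenever the subshell ends.
with_writable_wp_config() {
    config=$1
    shift
    (
        trap 'chmod 644 "$config"' EXIT
        chmod 666 "$config" || exit 1
        "$@"
    )
}

# Audit for cron or a deploy hook: returns 1 while the file is still
# group- or world-writable, i.e. the restore was skipped.
audit_wp_config() {
    if is_group_or_world_writable "$1"; then
        echo "WARNING: $1 is mode $(file_mode "$1"), expected 644" >&2
        return 1
    fi
    echo "OK: $1 is mode $(file_mode "$1")"
}

# Demo on a constructed, empty wp-config.php in a temporary directory;
# 'file_mode' stands in for the plugin's "Backup now!" step.
demo_dir=$(mktemp -d)
: > "$demo_dir/wp-config.php"
chmod 644 "$demo_dir/wp-config.php"
with_writable_wp_config "$demo_dir/wp-config.php" file_mode "$demo_dir/wp-config.php"
audit_wp_config "$demo_dir/wp-config.php"
rm -rf "$demo_dir"
```

The same wrapper can be pointed at the backups directory if you prefer to keep it at 755 between backups rather than leaving it at 777.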
It’s reassuring to see the Scan Reports page with all green ticks, knowing we are as secure as we can be. Thanks to WebsiteDefender, securing your WordPress installation can take just 10 minutes of your time.
The WebsiteDefender WordPress Security plugin also comes with a really great strong password generator tool. The first example it gave was “hhKaLI3D3Bae!Zi”. That’s certainly strong but not so easy to remember, which makes it ideal for automated functions such as the FTP_PASS WordPress constant we specified earlier in wp-config.php for FTP connectivity and plugin updates. Of course, we should also mention that enabling SFTP rather than FTP is always a firm security recommendation. We thought you might find this tip useful when choosing your web passwords. Separately, the Options screen allows the WebsiteDefender widget to be included on your WordPress dashboard home page, and this is enabled by default.
It’s important to remember that we are talking about two separate security scanning components here. The first is the WebsiteDefender WordPress Security plugin, which constantly monitors and reports the status and security of your WordPress installation and configuration. The second is the WebsiteDefender online security service, which communicates with the Agent and regularly scans your website for malware, redirections to malicious links, Google blacklisting or under-the-hood hacking activity.
Furthermore, WebsiteDefender.com is built by the Acunetix Team and uses the same scanning technology.
To summarise, this is a killer set of security measures for your website or blog that you simply shouldn’t overlook. Best of all, they require minimal configuration and changes to your website, most of them being implemented automatically. These changes are for the overall benefit of your website, blog or business. You don’t necessarily need a WordPress site in order to make use of the WebsiteDefender features and functionality: any website can be monitored in this way once you have created a WebsiteDefender account.
From a single WebsiteDefender account you can monitor the status of several websites. Monitoring a single website is free, and a multi-site package is also available. You will receive email notifications as soon as an alert arises, so you can take immediate action to strengthen your website or blog security. More on how to scan several websites or blogs using the WebsiteDefender service will follow in our next article. Stay tuned, as more updates are on their way.
Don’t take unnecessary risks with your website, blog, or extranet. Sign up for a WebsiteDefender account and put your mind at rest as they do the hard work for you!