File Scanning

We scan your website for file changes, vulnerabilities and injected code and get notified about anything suspicious.

IP Lockouts

We protect your login area and have Defender automatically lock out any suspicious behaviour.

Audit Logging

We track and log events when changes are made to your website, giving you full visibility over what’s going on behind the scenes.

Reporting

We monitor tailored security reports so you don’t have to worry about checking in.

Blacklist Monitor

We automatically check if you’re on Google’s blacklist every 6 hours. If something’s wrong, we’ll let you know via email.

Security Tweaks

Defender checks for basic security tweaks you can make to enhance your website’s defense against hackers and bots.

  • Change default database prefix

When you first install WordPress on a new database, the default settings use wp_ as the prefix for every table name. Because the table names are then predictable, this makes it easier for hackers to perform SQL injection attacks if they find a code vulnerability.

  • Disable the file editor

WordPress comes with a file editor built into the system. This means that anyone with access to your login information can further edit your plugin and theme files and inject malicious code.

  • Disable trackbacks and pingbacks

Pingbacks notify a website when it has been mentioned by another website, like a form of courtesy communication. However, these notifications can be sent to any website willing to receive them, opening you up to DDoS attacks, which can take your website down in seconds and fill your posts with spam comments.

  • Disable XML-RPC

XML-RPC is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. Technically, it’s a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism.

If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled, otherwise it’s just another portal for hackers to target and exploit.

In the past, there were security concerns with XML-RPC so we recommend making sure this feature is fully disabled if you don’t need it active.

  • Manage Login Duration

By default, users who select the ‘remember me’ option will stay logged in for 14 days. If you and your users don’t need to log in to your website backend regularly, it’s good practice to reduce this default time to lower the risk of someone gaining access to your automatically logged-in account.

  • Prevent user enumeration

One of the more common methods for bots and hackers to gain access to your website is to find out login usernames and brute force the login area with tons of dummy passwords. The hope is that one of the username and password combos will match, and voilà – they have access (you’d be surprised how common weak passwords are!).

There are two sides to this hacking method – the username and the password. The passwords are random guesses, but (unfortunately) the username is easy to get. Simply typing the query string ?author=1, ?author=2 and so on, will redirect the page to /author/username/ – bam, the bot now has your usernames to begin brute force attacks with.

This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames. We highly recommend actioning this tweak.
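To confirm the tweak is in effect on your own site, the following added example (not Defender's code) classifies the responses your site returns for ?author=N requests and reports any that still redirect to /author/username/. The function names and the sample responses are constructed for illustration, and it only covers the redirect described above.

```python
import re
from urllib.parse import urlsplit

# Matches a redirect target whose path ends in /author/<slug>/
AUTHOR_PATH = re.compile(r"/author/([^/?#]+)/?$")
REDIRECT_CODES = {301, 302, 303, 307, 308}


def leaked_username(status, headers):
    """Return the username slug a ?author=N response exposes, or None."""
    if status not in REDIRECT_CODES:
        return None
    # Header names are case-insensitive, so look up Location that way.
    location = next(
        (v for k, v in headers.items() if k.lower() == "location"), None
    )
    if not location:
        return None
    match = AUTHOR_PATH.search(urlsplit(location).path)
    return match.group(1) if match else None


def audit(responses):
    """Map author ID -> leaked slug for every response that still leaks.

    `responses` is {author_id: (status_code, headers_dict)} captured from
    your own site. An empty result means the redirect is no longer exposed.
    """
    findings = {}
    for author_id, (status, headers) in responses.items():
        slug = leaked_username(status, headers)
        if slug:
            findings[author_id] = slug
    return findings


# Constructed sample captures (example.test is a placeholder host).
BEFORE_TWEAK = {
    1: (301, {"Location": "https://example.test/author/admin/"}),
    2: (301, {"location": "/author/jane-editor/"}),
    3: (404, {}),
}
AFTER_TWEAK = {
    1: (403, {}),
    2: (302, {"Location": "https://example.test/"}),
    3: (404, {}),
}

if __name__ == "__main__":
    print("before:", audit(BEFORE_TWEAK))
    print("after: ", audit(AFTER_TWEAK))
```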

  • Prevent Information Disclosure

Often servers are incorrectly configured, and can allow an attacker to get access to sensitive files like your config, .htaccess and backup files. Hackers can grab these files and use them to gain access to your website or database.

  • Update old security keys

WordPress uses security keys to improve the encryption of information stored in user cookies, making it harder to crack passwords. A non-encrypted password like “username” or “WordPress” can be easily broken, but a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.

  • X-Content-Type-Options Security Header
  • Feature-Policy Security Header
  • Referrer-Policy Security Header
  • Strict Transport Security Header
  • X-Frame-Options Security Header
  • X-XSS-Protection Security Header