Using plugins like the WordPress File Monitor Plus is a great way to keep track of what’s going on with your site. However, the plugin needs to be active on your site to send you email notifications.
If a hacker gains access to your WordPress administration panel he could disable the plugin, and you would not be notified.
We will address this problem by using monitoring tools that run outside of your WordPress site.
We recommend that you use at least two of the monitoring tools described in this section as they give you different data and work in different ways.
Sucuri
Sucuri is a company founded in 2010, which specializes in website malware detection and removal.
What You Need To Do
Create an account and set up monitoring for your site.
Why Sucuri Is Important
Sucuri monitors many key settings for your website. If your site gets blacklisted by Norton, AVG, McAfee or Google Safe Browsing, for example, you are immediately notified. Sucuri will also help you get removed from the blacklist.
The Sucuri monitoring also includes checks for changes to your WHOIS, DNS and SSL information.
These checks will ensure that you are informed if anyone hijacks your domain or changes your nameservers.
Your site is also scanned for malware, phishing, malicious JavaScript and iFrames, Drive-By Downloads (which could harm your visitors’ computers) and suspicious redirections.
If Sucuri detects that your site has been infected they will clean it up. This is part of the subscription and does not cost extra.
As an added bonus Sucuri has developed a WordPress plugin, which adds substantial preventive protection to your site.
The plugin adds:
Web Application Firewall
Integrity Monitoring
Audit Logging and Activity Reporting
1-click Hardening
For more information see Sucuri WordPress Security Plugin.
How You Complete This Security Checkpoint
Follow these steps:
Choose a plan. Click here.
(Affiliate link: We get a small commission – you pay the same price).
Set up alerts.
You can be alerted by Email, Twitter, Instant Messenger, SMS or RSS.
WebsiteDefender
In addition to the security features provided by the WordPress plugin, as discussed in WebsiteDefender WordPress Security, WebsiteDefender also offers an online scanner.
This scanner checks for malware, change of content, creation of WordPress administrator accounts and many other things.
For a free online scanning account click here (affiliate link).
By using the affiliate link you support the WordPress Security Checklist.
You can see the extensive list of features here.
The free accounts scan your site once per month whereas the paid accounts scan daily.
What You Need To Do
Create an account with WebsiteDefender and set up online scanning of your WordPress site.
Why This Point Is Important
This check runs independently of your WordPress site. Even if your site completely stops working this scan will still run.
How You Complete This Security Checkpoint
To enable the online scanner follow these steps:
Install and enable the WebsiteDefender WordPress Security plugin.
Register for a free account for the online scanner or enter your existing account details.
To support the WordPress Security Checklist you can click here (affiliate link) and we will get a small commission.
The status changes.
Your first WordPress site scan is scheduled, and you will receive an email when it has completed.
On your dashboard at https://dashboard.websitedefender.com you can adjust the scan settings.

Recommended: Enter a text pattern to search for on your home page.
This could be the title of your WordPress site or a key piece of text that will rarely change.
If the scan cannot find this text on your home page it will alert you by email. This is a good way to detect if your site has been changed without your knowledge.
Optional: Exclude directories from the scan.
This could be the caching directories, for example. The default for W3 Total Cache is /wp-content/w3tc/*.
Datafeedr Tip!
If you have a large store with many products, you might receive many alerts on new product images being cached locally. You may choose to exclude the store directory from the scan by adding /wp-content/uploads/store/*. We recommend that you include the store directory.
Pingdom
Web site: http://pingdom.com/
What You Need To Do
Create an account with Pingdom and set up monitoring for your WordPress site.
Why This Point Is Important
Pingdom is another online monitoring service, which will check for the presence of a key text on your home page.
Additionally, they check that your site is available at 5-minute intervals, and provide a nice monthly report with your average response times.
How You Complete This Security Checkpoint
Follow these steps:
Go to http://pingdom.com/
If this string is not present or if your site is unavailable you will receive an email (or optionally an SMS).
Change Detection
Web site: http://www.changedetection.com/
What You Need To Do
Create an account and set up monitoring for your site.
Why This Point Is Important
Change Detection will check for changes to a page on your WordPress site – as opposed to checking for the presence of a key text.
How You Complete This Security Checkpoint
Follow these steps:
Note the options.
You might want to try out different settings here until you are happy.
The “sizable change” option tends to work well, as it ignores smaller changes such as dates etc.
You will now receive emails with notifications whenever the page changes.
You can study the details of the changes online, so you can see exactly what has changed.
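As an added illustration (not code from this article or from any of the services above), the two external checks described here, the key text check and the “sizable change” check, can be sketched in Python. The sketch also compares script and iframe sources, because a page can gain an injected element while its visible text stays the same. The site title, the 10% threshold and the sample pages are assumptions constructed for the example.

```python
import difflib
import re

KEY_TEXT = "Example Garden Shop"  # assumption: a title that rarely changes
SIZABLE_CHANGE = 0.10             # assumption: alert when >10% of the words differ

def visible_text(html):
    """Strip script/style bodies and all tags, then collapse whitespace."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    return " ".join(re.sub(r"(?s)<[^>]+>", " ", html).split())

def embedded_sources(html):
    """Return the src values of every <script> and <iframe> tag."""
    pattern = r"""(?is)<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["']([^"']+)"""
    return set(re.findall(pattern, html))

def change_ratio(old_html, new_html):
    """Fraction of visible words that differ between two snapshots (0.0 to 1.0)."""
    old, new = visible_text(old_html).split(), visible_text(new_html).split()
    return 1.0 - difflib.SequenceMatcher(None, old, new, autojunk=False).ratio()

def check_page(baseline_html, current_html):
    """Compare a fresh copy of the page with the stored baseline; return alerts."""
    alerts = []
    if KEY_TEXT.lower() not in visible_text(current_html).lower():
        alerts.append("key text missing")
    if change_ratio(baseline_html, current_html) > SIZABLE_CHANGE:
        alerts.append("sizable change")
    new = embedded_sources(current_html) - embedded_sources(baseline_html)
    alerts += ["new embedded source: " + src for src in sorted(new)]
    return alerts

# Constructed sample pages. In real use current_html is fetched on a schedule
# from a machine other than the web server, so the check survives a compromise.
BASELINE = ('<html><head><title>Example Garden Shop</title>'
            '<script src="/wp-includes/js/jquery.js"></script></head><body>'
            '<h1>Example Garden Shop</h1><p>Fresh seeds, bulbs and hand tools '
            'for small gardens.</p><p>Last updated 1 March.</p></body></html>')
DATE_ONLY = BASELINE.replace("1 March", "2 March")
REPLACED = ('<html><head><title>Notice</title></head>'
            '<body><p>This page has been replaced.</p></body></html>')
INJECTED = BASELINE.replace(
    "</body>", '<iframe src="http://injected.example/frame"></iframe></body>')

if __name__ == "__main__":
    for name, page in [("date only", DATE_ONLY), ("replaced", REPLACED),
                       ("injected", INJECTED)]:
        print(name, "->", check_page(BASELINE, page) or "no alerts")
```

The date-only edit stays under the threshold and raises nothing, the replaced page trips both text checks, and the injected iframe is caught only by the source comparison.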

If you are using Datafeedr you should be storing your product image files locally (for performance reasons).







When setting up Pingdom, if you use Google Analytics, be sure to add the Pingdom Probe servers’ IP Addresses to your exclusion list. Here is a link on “how to exclude multiple IP addresses from Google Analytics” http://brentlandels.com/site/web/google-tricks-exclude-your-ip-address-from-google-analytics/
If the Pingdom Probe Server IP addresses change, you will need to update the exclusion list in your website’s Google Analytics profile.
Hi Gary,
Thanks for the tip. I have used Pingdom for a long time and have not had problems with it skewing my GA data – even without using this trick…
It is necessary though to filter out your own visits, so thanks for posting the link.