Best Security for your WordPress Blog: Malware and blocked site woes, reviews and lessons learned


If you have a WordPress blog or website, you may have noticed that it’s getting harder and harder to keep it clean. You may have experienced the “white screen of death” or the dreaded “Reported Attack Page!” that tells you not to visit your own site, because it contains malware and has been blacklisted.

As someone with multiple blogs, I’ve been guilty of not keeping them all up to date. Some I use infrequently and let languish. I have about 10 blogs set up now, most of them subdomains of each other. Years ago, they were all pageranked 3 and above, and the linking helped. Today, it seems my sites get attacked at the same time and drag each other down.


Why does WordPress get hacked so easily?

WordPress is awesome, and easy to set up and use – which is why it has become a favored choice for bloggers, small businesses, artists and authors. But because so many sites use WordPress, it gets targeted by spammers and hackers. A WordPress installation is made up of a lot of code: many files, folders and scripts. Hackers create programs that scan the internet for sites running outdated code, so they can inject their own little programs into them.

The easiest way to protect your site, everyone says, is to keep everything updated – all your plugins, and the WordPress installation itself. But many authors and artists hire someone else to build their site, and don’t really want to have to manage it all the time.

Plus, keeping things up to date isn’t really enough. It seems that on every installation of WordPress, there are specific tweaks and security fixes that need to be implemented manually.

I’ve researched hundreds of these, but I’m not going to try to post them here because they are long and wearisome. You can and should protect your own site by doing the research and making the changes. But if you’re like me, you don’t want to, because it’s tedious and complicated. Fixing one site attacked by malware might take me a week. Fixing all 10 just seems impossible.

Best WordPress Security Plugins

There are also a lot of good plugins for WordPress security. I’ve tried most of them… (There’s a good list here).

But my sites keep getting hacked. A lot of the plugins will look for and tell you about problems, but won’t actively fix them – so unless you really want to get your hands dirty in the code, they won’t solve your issues.

What to do if your site has been hacked

There are several free scanners you can use to check your site for malicious code. These scanners will tell you where the problems are, so you can get in and fix them. If you know your way around your WordPress installation, you can just identify and delete the harmful code manually.
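The core of what such a scanner does for injected files is a baseline-and-diff check: record a hash of every file in a known-clean install, then later list what was added or changed. The script below is an added example, not code from this post or from any of the products it mentions; the tiny WordPress-like directory tree it builds is constructed inline so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an injected script most often lands in (assumption for this example).
WATCHED_SUFFIXES = {".php", ".js"}
WATCHED_NAMES = {".htaccess", "wp-config.php"}


def snapshot(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Compare a clean baseline with a later snapshot: (added, removed, modified)."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, removed, modified


def suspicious(paths):
    """Keep only paths worth looking at first: executable web files and config files."""
    return [p for p in paths
            if Path(p).suffix in WATCHED_SUFFIXES or Path(p).name in WATCHED_NAMES]


def demo():
    """Constructed example: a two-file 'install', a baseline, then two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // core file\n")
        baseline = snapshot(root)  # taken while the install is known to be clean
        # What a compromise typically leaves behind: a new file and an edited core file.
        (root / "wp-includes" / "cache.php").write_text("<?php // not in the baseline\n")
        (root / "index.php").write_text("<?php /* edited */ require 'wp-blog-header.php';\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    added, removed, modified = demo()
    print("added:", suspicious(added), "removed:", removed, "modified:", suspicious(modified))
```

Store the baseline somewhere the web server cannot write to (not inside the document root), and refresh it right after each legitimate update, or every update will show up as a change.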

But maybe you don’t want to do that.

A few months ago, when a few of my sites had been hit pretty hard, I hired a programmer from We agreed on a price, but then he told me how difficult everything was, and how much time he had invested, and asked for more money. A month later the problems were back and I had to pay him again – in all I spent a couple hundred dollars.

SiteLock review

After that, I knew I needed to do something preventative, so I upgraded my Hostmonster account with the SiteLock addon. SiteLock “provides comprehensive website security.” Before I bought it, I was pretty sure I checked to see that it actually fixes problems… it turns out it doesn’t. Its tagline is “Prove your Site is Safe” – which means SiteLock gives you a badge to show that your site is safe, but won’t help you if it isn’t.

I got this message today:

Dear Derek
Your website has been decertified due to an unresolved malware vulnerability. Please access your SiteLock dashboard for more details.
From your dashboard, you can also take advantage of our Expert Services team to help you correct this issue and get your SiteLock certification back in good standing. This will allow you to display our security badge.
Thank you,
The SiteLock Team

I was surprised that a security program I had paid to help keep my site clean could disown me like this.

The problem: I had one link on this site recommending one of my other sites, for editing and proofreading, which (at the time) was blacklisted for having malware. Interestingly (and embarrassingly) I’ve also had people I had linked to from that site write to me asking to be removed, since my site was hurting their own site’s reputation.

To be fair, SiteLock does seem to be very, very careful – and it isn’t their job to go in and edit my post and remove the link that I had made. They told me (rightly) what the problem was and where it was, and I could have fixed it myself. If I had gone over all of their flags and warnings, I probably could have fixed things myself.

Also, SiteLock does seem to have an upgrade, for $49.95/year per domain name, that may be more robust, and include removal of issues. Through Hostmonster, I had upgraded only to the basic option, although that wasn’t made clear.

If you just have one website, this might be a good option for you.

Sucuri and Hostmonster

I also contacted Hostmonster, asking for advice about my WordPress security, and got this message:

If your account continues to be compromised, malicious files/code are being placed into your file structure. Because this is all 3rd party code, we cannot go through the account & secure it as we do not know what should & should not be on the account. You need to go through your file structure and code to remove anything you find suspicious or that you do not recognize. I would also suggest removing any files and/or databases that are not currently in use. You also need to make sure that your account is secure so that this does not happen again. Our servers are secure; it is the code you upload to our servers that compromises the overall security of your site. Please take some time to go through our basic site security checklist.

To make a long story short, keeping a site clean is nobody’s responsibility but your own; it is getting increasingly complicated to do and requires manual, pedantic work looking at and removing code, and yet it is absolutely crucial. This isn’t your website designer’s responsibility, and WordPress is very vulnerable to infection.

Where does this leave us?

I couldn’t risk losing any more credibility on the sites I’m working to build, and I want to make sure visitors and clients can visit my sites safely, so I turned to Sucuri.


For $289.99, they will monitor and fix 10 of my websites for one year. The first time I looked over Sucuri’s services, I wasn’t willing to pay that much. After this year’s many battles with malware infection and website security issues, I realize it’s worth paying that much to keep my sites clean and functioning – especially since things should get even worse in the coming year.

If you have a website and you are trying to make a business or part-time income for yourself from it, this is probably one of those investments you’re going to need to make. If you’re comfortable enough with code and want to learn more about the inner workings of web security, a free scanner can help you identify issues. If you’d rather keep out of it and let someone else perform website surgery, Sucuri is a pretty great option.

It’s been about 24 hours since I signed up and listed my sites. They’ve all been cleaned, and Sucuri’s customer service is excellent.

(SiteLock and Hostmonster also replied to me within 24 hours).


  • RJ Gazarek Posted

    Hey – I don’t see a date on this post – but I’m currently using SiteLock – and am looking at switching to Sucuri – how has it been for you so far since you switched to them from SiteLock?

  • Derek Murphy Posted

    SiteLock never did anything… Sucuri sends me updates and usually fixes the problem by itself. I’ve just moved most of my sites to GoDaddy’s managed WordPress, so I’m hoping I won’t need an external security solution for a while (fingers crossed). My problem now is I have about 25 sites and need something automatic and easy.
