Security
When you build your website you will need to implement numerous security measures to block malicious bots, hackers, malware, and spam attacks. Amongst many others you should:
Along with all those precautions, we strongly advise that you implement additional security measures to safeguard, monitor, and audit your website.
Web Application Firewall (WAF)
We highly recommend using a WAF to filter out malicious traffic and automatically block known threats before they ever reach your site. Your website needs to be protected by a WAF because although most hacks happen due to human error or neglect, not flaws in WordPress itself, attacks can still occur even if you’ve taken all the right precautions. A WAF will protect against:
These are the two different approaches to implementing a WAF to protect your website and you need to consider which one to take:
Each type of WAF comes with its own advantages and drawbacks, and, as with many aspects of website management, choosing and implementing the right WAF is a key factor when selecting a hosting provider. While some hosting plans include a built-in WAF, this is often limited to higher-tier offerings – budget-friendly options typically do not. In some cases, particularly with certain Shared Hosting plans, you may be restricted from installing a host-based WAF altogether, making a cloud-based solution your only viable option.
One of the most significant distinctions between the two lies in maintenance: a host-based WAF requires you to manage updates and configurations yourself, whereas a cloud-based WAF is maintained entirely by the provider. Given the potential cost and impact on security, it’s essential to carefully evaluate both the type of WAF and the specific service you intend to use.
Malware Scanner
Keeping your website secure involves more than just blocking threats; it also requires ongoing monitoring and prompt response to any issues that manage to get through. This is where malware scanners and related tools come into play.
A Malware Scanner regularly checks your website’s files, code, and database for any signs of malicious software. These scans can detect known malware signatures, suspicious file changes, or unauthorized code injections. Many security tools offer scheduled automatic scans as well as manual scanning options, allowing you to stay proactive in protecting your site.
Once malware is detected, the system typically logs the details, including what was found, where it was located, and when the activity occurred. This logging is crucial for tracing the source of an infection, understanding how it spread, and documenting incidents for future protection or compliance requirements.
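The scan-and-log cycle described above, as an added example that is not from this page or from any security plugin: Python code that compares a site's files against a stored baseline, checks one signature, and records what was found, where, and when. The signature pattern, the file names and the sample site are constructed for illustration.

```python
import hashlib, json, re, tempfile
from datetime import datetime, timezone
from pathlib import Path

# Illustrative pattern only (assumption): real scanners ship large, curated signature sets.
SIGNATURES = {
    "eval-of-decoded-data": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
}

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def scan(root, baseline):
    """Return log records stating what was found, where, and when."""
    root = Path(root)
    now = datetime.now(timezone.utc).isoformat()
    current = snapshot(root)
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append({"what": "new file", "where": path, "when": now})
        elif baseline[path] != digest:
            findings.append({"what": "modified file", "where": path, "when": now})
        data = (root / path).read_bytes()
        for name, pattern in SIGNATURES.items():
            if pattern.search(data):
                findings.append({"what": f"signature:{name}", "where": path, "when": now})
    for path in sorted(baseline.keys() - current.keys()):
        findings.append({"what": "deleted file", "where": path, "when": now})
    return findings

def demo():
    """Constructed sample site: take a baseline, alter the files, then scan."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "index.php").write_text("<?php echo 'hello';")
        (site / "wp-config.php").write_text("<?php // settings")
        baseline = snapshot(site)  # taken while the site is known to be clean
        (site / "index.php").write_text("<?php eval(base64_decode('ZWNobyAxOw==')); echo 'hello';")
        (site / "uploads.php").write_text("<?php // unexpected")
        (site / "wp-config.php").unlink()
        return scan(site, baseline)

if __name__ == "__main__":
    for finding in demo():
        print(json.dumps(finding))
```

The baseline is only trustworthy if it is taken from a known-clean state and stored somewhere the web server cannot write to.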
The final and critical step is malware removal. Good security tools will not only detect threats but also offer options to quarantine or automatically remove malicious code. In some cases, removal may require manual intervention or the assistance of your hosting provider, especially if the infection is deep-rooted or sophisticated.
Ultimately, incorporating malware scanning and removal into your WordPress security strategy ensures your site remains safe, functional, and trustworthy to visitors. For comprehensive protection, it’s recommended to use a reputable security plugin or service that combines scanning, real-time monitoring, threat logging, and automated remediation. These solutions offer peace of mind by helping ensure that even if a vulnerability is exploited, it can be identified and neutralized quickly.
Wordfence is one of the leading Host Based WAF providers and their free version has a very good reputation. MalCare is another Host Based WAF alternative whose free version is a good option. However, if you feel you need more robust protection and features like advanced scanning, faster cleanups, and more comprehensive protection, then the prices can be quite high.
Sucuri is a very popular and well-regarded Cloud Based WAF. However, it does not have a free version and it costs even more than most Host Based WAFs. Furthermore, the setup is not at all easy for users who have limited technical capabilities. Having said that, Sucuri have excellent support who can guide you through the process. We have often used Sucuri and can recommend their solution as offering very good security protection. One big benefit of Sucuri compared to many of their rivals is that they include unlimited malware clean-ups & blacklist removal in their basic plan.
If you want a free Cloud Based WAF then Cloudflare is your best option as they have a wonderful reputation. They provide a free reverse proxy service which inspects, filters, and blocks malicious traffic before it hits your site. However, your traffic needs to flow through Cloudflare’s edge network to do this, which means you have to use their DNS. This means you have to point your domain registrar’s nameservers (NS) towards Cloudflare and set up the DNS records with them. This is not very difficult, but can be a bit challenging if you have little or no technical skills. If you are using Shared Hosting, they might not provide much help, as this is not a change that suits them.