Security is the number one concern for WordPress professionals.
Your site going down is the least of your problems; malware injection attacks can ruin your website performance and ranking in a number of creative ways. You usually don’t find out about it until your website gets blacklisted by Google, and the damage has been done by then.
And the worst part?
All the security articles out there keep recycling the same bits of advice that are about as efficient as putting a band-aid over a stab wound.
Pictured: 10 steps to secure your WordPress website
So what can be done? Tony Perez from Sucuri summed it up well in a WordCamp Europe 2014 talk – it’s about awareness and posture. Be vigilant.
Anticipate that your website will be compromised, and have a plan ready.
The ManageWP security check has been one of the most commonly used ManageWP tools. Regular checks are the easiest way to catch a suspicious line of code on your websites and find out about the problem before it escalates.
This is the reason why we decided it’s the first thing to be completed on the Orion road map.
Orion Security Check
The security check scans the pages on your website and compares the code against a knowledge base of known malware. It also runs a blacklist check against a number of services, like Google Safe Browsing, Norton Safe Web, ESET, etc., and flags certain site errors and outdated software.
Green is clean, as my hippie parents used to say
If the check comes back positive, a more detailed report will be generated. If it’s malware, you’ll get a more detailed description, as well as the list of affected files. It’s important to note that ManageWP does not clean malware for you, at least not directly. You can use ManageWP backups to roll back to a clean version of your website; you can also try cleaning the malware yourself, or hire a professional to do this for you.
Red is bad, as my survivalist grandpa used to say
How does the Orion security check differ from the classic ManageWP check?
History. Each scan result is now being stored in the archive. It allows you to look back into the past, investigate each security threat and discern a pattern if needed.
In the next few days the security checks will be implemented into Orion client reports, and you’ll be able to send them to your clients.
(Update: as of January 15 the client report integration is available to all Orion users)
Our core philosophy is to automate as much of your workload as possible and let you focus on things that matter. That’s why we’ll be back once the current roadmap is complete and create a fully automated security check. It’ll be just like with the backups and plugin updates; as soon as you log into your ManageWP dashboard, you’ll get a summary of all the security checks, with special attention on potential threats to your business.
Do you have any suggestions on how to further improve the security check? We already have plans for a security module down the line; is there anything else we could do to make your life easier?
Let us know in the comments below!
bơ đậu phộng
Definitely implement automated checking, and make it the base functionality. Allow it to be scheduled regularly.
pfreeman
Hi, thanks for all the awesome work with this software, it’s making my job so much more productive. Is there any news on the automation of the security scans? It is very time consuming (not viable at all) to go into each site to scan it, so we are unable to use this feature just yet, which is sad because it is so awesome.
Same question for the performance scan as well.
Nemanja Aleksic
Automated Performance and Security Checks are expected to go live roughly a month after the Classic version gets phased out. So that would be some time during the summer.
yen mach
My shop has been hacked, the report is also their level file hosting my xxx.gif no malware
Nathan
Any update on when this will be available in client reports? On the 11th you had said a week or so. Enjoying Orion the more I use it.
Nemanja Aleksic
Hi Nathan,
The initial idea was to do it in a week or so, but we realized that half a dozen tools will also be implemented into the Orion client report, like SEO and uptime monitoring.
That’s why we’ll implement them all once other tools are done, when we do the client report scheduling feature (should be in February).
Sorry about the delay, but it’s for a good cause – getting all the Orion tools online, ASAP.
natebald
OK, Thanks. Was really hoping to send out the New Years batch of client reports with some additional data. Certainly understand your reasoning.
Nemanja Aleksic
Hi Nathan,
The client report integration is ready. There will be an official announcement, but I wanted to personally give you the heads-up.
1lifeincome
Suggestion: can you place a green/red checkmark next to the respective property once the scan is run?
Nemanja Aleksic
Makes sense. I believe we already have this suggestion on our list of future improvements, although I can’t give you an ETA for now.
Henry Ramirez
Hope this works, because we need our site secure, and I don’t think WordPress is doing hard work to keep us away from hackers.
accounts
Is there a way to tie this into the client reports? This would be something amazing to include and run when client reports are sent out each month.
Nemanja Aleksic
Yeah, the security check will be included in the client report in a week or so.
Chris Edwards
Awesome!!
Nemanja Aleksic
We ran a bit behind the schedule with the client report integration, but now it is finally ready!
118Group
This is a great feature. I’ve inherited hacked sites – they are no fun. For the fully automated Security Scan, will it email the administrator? I am using 2 security plugins now, but this is a welcomed feature.
Nemanja Aleksic
Right now we have a digest email, where all the important stuff is sent to your inbox daily, weekly or monthly. Do you believe that the positive result should be sent right away, as a separate email, or is it enough to be a part of the regular digest?
Makis
Most of my clients are about hacked sites, so I can tell you that I was looking for something like this. ManageWP didn’t have this, so I had to use a number of ways for monitoring my clients’ site security.
Now it will be better organized and hopefully automated, so a scan could be run per day.
trib
Definitely implement automated checking, and make it the base functionality. Allow it to be scheduled regularly.
Then, as an extra, we can do ad hoc scanning.
Nemanja Aleksic
What would be the optimum check frequency you’d use?
Donna McMaster
Great feature! Off the top of my head, I’d say once a week for the check frequency.
1lifeincome
I’d say daily, w/a red flag email alert if detection occurred.
Carl Taylor
This is great. I agree I’d love to see a scheduler for this so it’s automated. Also maybe seeing this tied into a backup too so when restoring a backup I can see which one was actually clean vs infected. I’d also love to see file change comparison check like Wordfence does. So checking if Plugins, Themes and WordPress core files look different to the repository versions. This is helpful so you can track down Malware and things that maybe haven’t yet shown up on a frontend scan yet.
Nemanja Aleksic
The Orion backups actually open up a whole new range of possibilities. Since the backups are kept on our cloud storage, we can run regular checks on our own and detect malicious changes. We could then do a rollback of the file to the version from the WordPress repository, or use the last known clean version of the file.
This is just the tip of a very exciting iceberg 🙂
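The file comparison discussed in the two comments above, sketched as an added example (not part of the original comments and not ManageWP's or Wordfence's code): hash the code files of a pristine reference tree, diff each backup against it, and pick the newest backup that still matches. The function names, the `.php`/`.js` filter and the sample trees are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CODE_SUFFIXES = {".php", ".js"}  # assumption: only executable code is compared

def manifest(root):
    """Map each code file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in CODE_SUFFIXES
    }

def compare(reference, current):
    """Classify differences between a reference manifest and a scanned one."""
    return {
        "modified": sorted(f for f in reference if f in current and current[f] != reference[f]),
        "added": sorted(f for f in current if f not in reference),
        "missing": sorted(f for f in reference if f not in current),
    }

def newest_clean_backup(reference, backups):
    """backups: list of (label, manifest), oldest first. Return the latest
    label whose code files all match the reference, or None."""
    for label, snap in reversed(backups):
        if not any(compare(reference, snap).values()):
            return label
    return None

def demo():
    """Constructed sample: a pristine tree plus two backups, oldest first."""
    good = {"wp-login.php": "<?php // login", "wp-includes/a.php": "<?php // a"}
    bad = {**good, "wp-login.php": "<?php // altered", "wp-includes/x.php": "<?php // unknown"}
    snaps = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in {"pristine": good, "monday": good, "tuesday": bad}.items():
            for rel, body in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
            snaps[name] = manifest(Path(tmp, name))
    ref = snaps.pop("pristine")
    return compare(ref, snaps["tuesday"]), newest_clean_backup(ref, list(snaps.items()))

if __name__ == "__main__":
    print(demo())
```

An unexpected file under "added" is worth as much attention as a "modified" one, since a frontend page scan will not necessarily see a file that nothing links to yet.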
jerry
I concur with Carl’s points. Automated is a must otherwise we’re wasting time clicking on every single website individually to perform the same task. That makes no sense when these tools are meant to make management more efficient. And second excellent point is tying this into the backup tool. If backup and security were both automated and handled at the same time, you could easily restore an uninfected backup in mere moments rather than having to guess which backup might be clean.
Simon
Awesome! This definitely automates part of my workflow – once it’s fully automated of course! The only improvement is just for this to scan by itself. I currently use Sucuri which I assume you are also using which scans daily but the reports are not particularly nice. I include a link to the scan in a custom ManageWP report and this seems to work well for my clients.
Nemanja Aleksic
You have a great workaround, but we’ll try to make things easier for you by running the checks automatically and including them in the client report.
omakad
This is great. I wonder when will fully automated security check be available? Any ETA?
Nemanja Aleksic
No ETA right now. We know that it’s doable, but first we need to complete all the things on the Orion roadmap.
omakad
Is updated Orion road map available anywhere? I did find this: http://managewp.com/developer-diary-9-managewp-orion-is-out