Author: Simon Keating

A critical factor in running a successful WordPress website is implementing monitoring and security measures. After all, a hacked site can cause a lot of headaches — regardless of whether your site is used for business or personal purposes. It can impact your revenue, risk your visitors’ information, and wreck your reputation. 

A typical entry point for hackers is the WordPress login page, which will be our focus today. What follows is a rundown of 14 ways to harden WordPress login security so malicious actors won’t breach your site. 

Why secure your WordPress login page?

Before we get to the list of security tips, let’s first briefly discuss why you might want to secure your WordPress login page — from brute force attacks or otherwise — in the first place. 

• WordPress is very popular, so cybercriminals are often looking for new vulnerabilities that they can exploit over a wide number of sites.
• Because hackers are familiar with WordPress, they know when a website is outdated and which security flaws are present in each version. 
• To gain access through a login page, hackers don’t always need advanced development knowledge or special skills.

Keeping a secure WordPress login page is essential for your website’s long-term success and overall performance. 

How to harden your WordPress login security

So you know why you need to create a secure WordPress login, but how can you accomplish it? We’ve gathered 14 ways to secure your WordPress login page properly so you don’t have to leave the safety of your data or customer info to chance. 

1. Install a WordPress security plugin

You can get a handle on most security concerns in just a few minutes by installing a high-quality WordPress security plugin. While many plugins specialize in protecting specific aspects of a site or against certain kinds of attacks, a more comprehensive approach is best for the average site.  An all-in-one security plugin will include features like audit logs, malware scans, firewalls, and login security tools in a single solution.

And at the top of the list of our recommendations is Jetpack Security.

Jetpack Security works by taking care of numerous security tasks automatically. And with both free and paid features, a level of protection is available to everyone with a WordPress website. It has a strong range of features that can work to prevent security breaches, but also help you diagnose and recover from any incidents you experience. These include:

• Brute force attack protection
• Spam prevention
• Malware scanning 
• Downtime monitoring 
• Backups 
• Activity logs 
• Two-factor authentication

While you can move through the rest of the steps outlined here on your own, using a plugin like Jetpack Security will streamline the login hardening process. 

2. Change and hide your WordPress login URL

Another way to make your login page more secure is to hide it from prying eyes. By default, the login address for all WordPress sites is http://www.yourwebsitename.com/wp-admin, which is basically like giving a burglar your home address. So anything you can do to obscure this is a good idea. 

Changing the WordPress login URL is a great way to put barriers in place to make the hacker’s job more difficult. You can find a plugin that does this for you, but you can also do it yourself. 

For this, you’ll need FTP access to your website. Once you’ve got that, just follow the instructions in our tutorial: WordPress Login URL: How to Find, Change, and Hide It. 

3. Use a strong password to log in to WordPress

You can also bolster your site security by upgrading to a stronger password. Implementing strong password measures makes it much less likely that a hacker or bot will be able to “guess” it. Though “fluffy21” might be easy to remember, it’s much too easy to guess — especially if “Fluffy” is the name of a beloved pet. 

Instead of picking passwords based on names, ages, or pets, creating one that combines letters and numbers, uppercase and lowercase letters, and a couple of symbols are much better. You can build a strong password in a couple of ways: 

• A built-in strong password tool. WordPress has a strong password tool that encourages you to create a stronger password than what you may be naturally inclined to choose.  
• A password generator. Many password generators make it easy to develop a strong password that’s not intuitively guessable. 
• A password keeper/manager. The only trouble with strong passwords is that they’re hard to remember. Using a password keeper or management tool eliminates this issue. Popular options include LastPass, DashLane, and 1Password.

4. Password protect your login page

By default, anyone can access the login page for your WordPress site. And while you can hide or change your login URL, as we previously discussed, hackers may be able to find it if the wp-admin folder is still accessible. 

That’s why adding another layer of protection before accessing the login page is a good idea. And you can accomplish this by password protecting the wp-admin folder. If your web host uses cPanel, this process is relatively easy. 

Log in to your hosting provider account, access the cPanel, then go to the Directory Privacy folder. 

While viewing your site’s files, navigate to public_html/wp-admin. There should be a visible checkbox that reads password protect this directory. Check the box. Then create a new username and password for accessing the wp-admin folder. Save your changes.

Try to log in to your site as usual. You should now have to input another set of credentials before being granted permission to log in to WordPress. 

Note: this process would be identical, even if you moved the location of your login page. Password-protect the folder in which your login page resides, even if it’s not wp-admin. 

5. Limit the number of login attempts

Another thing you need to do to secure the WordPress login page is to limit login attempts. Hackers can use bots to make repeated login attempts until they crack the code — i.e., figure out your password and gain access to your website. Unfortunately, WordPress allows unlimited logins by default.

To prevent this potential access point, you can limit login attempts. A plugin is the best way to accomplish this. In fact, Jetpack Security offers Brute Force Attack Protection as a part of its all-in-one security solution. 

Brute force attacks can be incredibly disruptive to how your website functions, even before hackers gain access. For instance, they can slow your site down considerably — or cause it to stop responding altogether. Repeated login attempts may eventually succeed and the hacker can then go on to inject malware, insert links, or otherwise cause mayhem. These attacks can also put your personal information at risk. 

The Brute Force Attack Protection feature included in Jetpack Security provides the tools necessary to block attacks and prevent malicious hackers from gaining access to your data. It works by blocking malicious IPs before they ever get to your site. It also provides a count of total attacks and enables you to whitelist known IP addresses.

6. Add a security question to your WordPress login form

You can also extend the security of your login form by adding a security question (or two) to the login process. So, instead of just inputting a username and password, users must also answer a security question to gain access. 

This single step makes your website much more difficult to hack. And it’s relatively easy to implement. 

The No-Bot Registration plugin is a great way to accomplish this. Download it by going to Plugins → Add New, then type in the plugin’s name. Once it appears, download and activate it. 

Once activated, go to Settings from the WordPress dashboard. Here you can set up the plugin and configure the rules for when security questions are used (on registration, login, or forgotten password pages). 

This is much more user-friendly than a CAPTCHA, as it only requires answering a simple and logical question.

7. Add two-factor authentication to WordPress

Next, you can enable two-factor authentication. Many websites and apps use this popular security option, including Gmail. It works by sending an SMS code to your phone that you’ll need to input before you can complete the sign-in process. 

This is used to verify your identity and ensure access is only granted to authorized users. Every layer of authentication that you add to the process makes it significantly more difficult for someone to hack your site. Even if a bad actor gets access to your login information, it’s unlikely that they’ll be able to thwart the 2FA process.  

The easiest way to add two-factor authentication to WordPress is using a 2FA plugin. Several security plugins include this feature, but again, Jetpack Security comes through strong with Secure Authentication. 

Secure Authentication allows you to log in using your standard WordPress.com credentials and also disable or bypass the default login form entirely. Plus, you can opt to make two-factor authentication a requirement for all users to give your site further protection. 

8. Install an SSL certificate on your WordPress site

Another avenue of protection is to install an SSL certificate. Getting an SSL certificate for free is easy, so it’s a security measure no one should skip over. 

SSL is how most websites secure their data. And you can tell when a site is secure as the “HTTP” in the URL field will have an “S” added, so it reads “HTTPS.” Browsers will often use other visual indications, like a green lock icon, to let visitors know your site has an active SSL certificate in place. 

Beyond the security implications, visitors may not continue to navigate your site if they see that it’s unsecured. Plus, sites with SSL certificates tend to rank better in search engines and some browsers will even display a warning to visitors if you don’t have one. 

Don’t skip this step. Learn how to get a free SSL certificate.

9. Disable WordPress login hints after failed login attempts

Login hints can be genuinely helpful for real WordPress users, but they can sometimes give away too much information about your username and password to hackers. When you attempt to log in to a WordPress site and get the username wrong, you’re met with an error that reads, “The username is not registered on this site. If you are unsure of your username, try your email address instead.” 

Something similar happens if you type in the right username or email address, but the wrong password. 

To remove login hints, you need to add a few lines of code to your site’s functions.php file. 

function no_wordpress_errors(){
return 'There is an error.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

When someone — real or bot — inputs an incorrect username or password, they’re greeted with the message, “There is an error,” rather than the default. 

10. Keep your WordPress install & plugins up-to-date

Hackers also find entry points into WordPress sites via outdated installations. Every time WordPress is updated, all the bug fixes and security holes that were repaired are posted online. If your installation is outdated, hackers have an instruction manual for breaching your site. 

When new WordPress core updates roll out, you must back up your site and install the update as quickly as possible. 

But that’s not all you need to be mindful of. Third-party software — i.e., plugins and themes — are potential weak points, too. They’re even more essential to keep updated as plugins and themes are made by various development companies with different standards and approaches. 

This is also why you must be selective about the plugins and themes you install. If your go-to social sharing plugin hasn’t been updated in two years, it may be time to find one that updates regularly.

11. Hide your WordPress version number

A quick way to improve the login page’s security is to hide the WordPress version number. At the very least, this will make hackers look more thoroughly to determine which security holes to exploit. And you can remove it rather easily. 

Locate the functions.php file and (after you’ve backed up your site) add the following line of code to the file: 

remove_action('wp_head', 'wp_generator');

12. Hide your WordPress login username

Another step you can take is to hide your WordPress login username. A lot of the time, the emphasis is on creating a super-secure password — which is excellent — but you need to think of your username, too. Often, it’s available to the public — an opportunity hackers can exploit.

The quickest way to hide your username from the view of prying eyes is to remove it from appearing on blog posts and within author archives. 

To remove your username from blog posts, you simply need to go to Users → Profile → Nickname while logged into WordPress. From here, you can change the nickname so that your username is no longer visible to site visitors. So instead of seeing “blogperson02,” they’ll see your first name, first and last name, or another nickname you configure. 

To remove your username from appearing in the author archives, you’ll need an SEO plugin like Yoast SEO. 

Install Yoast like any other plugin, then go to the SEO → Search Appearance → Archives menu in the WordPress dashboard. There’s an option here to disable author archives. Do this, then click Save Changes. 

13. Shorten your WordPress auto-logout timer

It’s common to stay logged in to your accounts when you use them often. But this can create potential breaches, especially if several people have accounts on your site. Implementing an auto-logout timer is a great way to close those security holes. 

When a session is left unattended, it will be logged out automatically. By default, WordPress will log out users after 48 hours. Checking the “Remember Me” box keeps users logged in for 14 days. You can change these time frames a bit by using a third-party plugin. One that’s dedicated to this feature is Inactive Logout. 

Once installed, navigate to Settings → Inactive Logout → Basic Management. Then select the duration of idle time you want to trigger a logout.

14. Delete old and unused WordPress user accounts

Lastly, deleting accounts no longer in use can also help improve your WordPress security. Having several open accounts on your site means each is an access point to private data. And if you’re not regularly updating passwords for these accounts, they could present significant weaknesses. 

To avoid this, delete old and unused accounts. Make doing so a part of your regular site maintenance plan. 

You should also only provide privileges to users who need them. Not every user needs Editor or Admin privileges.

Likewise, keep an eye on the accounts listed. Sometimes, hackers will create a fake account. If one appears, delete it right away and bolster the rest of your security measures. Learn what to do if your WordPress website has been hacked. 

Secure your WordPress login page

Owning a website means bearing a level of responsibility for its content and users. Of course, this is doubly the case if you collect customer information. But no matter how you use your WordPress site, bolstering security around the login page is a great way to keep your data safe for the long haul. 

And the tips presented here should help you become efficient at WordPress security maintenance in no time. 

Ready to take the first step? Get started with Jetpack Security.

Brute force attacks happen when hackers try to access your site files by constantly trying new passwords. If they succeed, they could steal your private data, add malware, or even take down your website completely.

Fortunately, you can easily prevent these brute force attacks. By simply updating your login information or enabling two-factor authentication, you can make it harder for hackers to enter your website. Another effective method is to install a brute force protection plugin like Jetpack.

In this post, we’ll explain what brute force attacks are and how you can prevent them. Then, we’ll recommend the best plugins for brute force protection. 

An introduction to brute force attacks

Brute force attacks happen when hackers use trial and error to access your website. This usually involves guessing your login information using automated software. Essentially, hackers will try many different passwords and username combinations until they find yours.

Other forms of hacking usually exploit vulnerabilities on your WordPress website. For instance, hackers can access your data through out-of-date software, plugins, or themes. Even an old PHP version can leave your site vulnerable.

On the other hand, brute force attacks rely on weak login credentials. If you have a guessable password like “123456,” hackers can use automated software to enter your site.

Brute force attacks are more common than you might think. In fact, they’re becoming more of a threat than ever before. Towards the end of 2021, the rate of brute force attacks increased by 160 percent.

If your website suffers from a brute force attack, hackers can:

• Steal your private data
• Add malware to your site
• Decrease your credibility and/or search rankings
• Remove your content completely

Needless to say, you’ll want to protect your website against these dangers. Although the default WordPress settings don’t offer extra protection against brute force attacks, you can take some steps to prevent them from happening.

How to block brute force attacks on WordPress

Now that you know about brute force attacks, let’s discuss how to protect your WordPress website from them. 

Step 1: Update your username

Since brute force attacks involve guessing login information, you can secure your WordPress website by updating your credentials. First, you should consider choosing a unique username.

In older versions of WordPress, the default username was “admin.” Now, new account holders can choose their usernames when they first log in. But you might need to update your username if you have an older account.

To see what your current username is, open your WordPress dashboard. Then, navigate to Users → Profile. You’ll find your username under the Name section.

If you already have a unique username, skip to the next steps. If you see admin as your username, you’ll likely want to change it. Unfortunately, you won’t be able to directly edit your profile in the dashboard.

One of the simplest ways to change your WordPress username is to create a new user. Then, you can assign it a unique username and give it the same administrative privileges. The only downside of this method is that you’ll have to use a new email address.

First, go to Users → Add New. On this page, create a new username and enter your email address. Be sure to set the user role as Administrator.

If you want to use the same email address, you can simply add a plus sign with additional letters after the username. For instance, if your normal email address is “exampleemail@gmail.com”, you can use “exampleemail+wordpress@gmail.com.” WordPress will consider this a new email address, but it will use the same inbox.

Next, you’ll need to log out of WordPress and use the new username to log back in. Then, go to the All Users page and click delete underneath the admin user role.

During the deletion process, you’ll need to move its content to the new username. To do this, select Attribute all content to [new username]. This is a critical step — otherwise your content will be deleted.

Finally, click on Confirm Deletion. If you want to start using the same email address assigned to the admin username, you can update that now. 

If you want to change your existing username, you’ll need to do this through your WordPress database. Note that making changes to the database can be dangerous, so it’s best to do this if you already have experience in this area. To change your username, take the following steps:

1. Click on the phpMyAdmin tool in the cpanel of your hosting provider. The exact location can vary based on your host.
2. Click on your WordPress site’s database in the left-hand panel. This will open up your database tables.
3. Click on the wp_users table. The prefix “wp_” is set by default, but your host may have changed it to something else. For example, the table may be called “janb_users.” 
4. Find the username you want to change on the right side — in this case, “Admin” — and click Edit.
5. In the user_login field, type whatever new username you’d like to set.
6. Click the Go button.

Now, you can log in with the new username! 

Step 2: Use a strong password

Another way to protect your site against brute force attacks is to use a strong password. Since hackers use botnets (robot networks) to randomly guess passwords, it can help to have a one with a unique string of numbers and letters.

These are the characteristics of a strong password:

• It has between ten and 50 characters
• It uses uppercase and lowercase letters
• It uses numbers and special characters
• It’s unique from passwords used for other accounts or websites

To update your WordPress password, navigate to Users → Profile. Then, scroll down to Account Management.

Next, click on Set New Password. Once you do this, WordPress will automatically generate a strong password for you. This will be a complex credential that’s hard to guess.

You can use this password or create your own. As you type, WordPress will indicate how strong or weak your new password is.

To make sure your new password is secure and random, you can use a password generator. This tool can automatically create a password with uppercase and lowercase letters, as well as numbers and symbols.

After pasting your new password into the text box, scroll to the bottom of the page. Click on Update Profile to save your changes. For maximum protection against brute force attacks, consider changing your WordPress password every four months. 

Step 3: Add two-factor authentication

When you log in to your WordPress site with just a password, this is called single-step authentication. You can also implement two-step, or two-factor, authentication.

With two-step authentication, you’ll provide two forms of verification to log in to your site. You’ll still enter your password, but you must also confirm your identity on your phone or another device.

Jetpack makes it easy to add secure authentication to your website. First, install and activate Jetpack in WordPress. Then, in the Jetpack dashboard, click on Manage security settings.

Scroll to the bottom of the page and find the WordPress.com login section. Here, turn on Require accounts to use WordPress.com Two-Step Authentication.

Then, find the Two-Step Authentication page in the Security tab. You can choose to set up your two-factor authentication with an app or SMS.

If you choose the first option, you’ll need to download an app like Google Authenticator (iPhone | Android). WordPress will provide a QR code, which you can scan with the app and then enter the generated code.

When you click Set up using SMS, you’ll have to enter your phone number. Once you verify the code sent to your phone, you can start using two-factor authentication.

Now you can verify your identity every time you log in to WordPress! This setup can offer increased protection against brute force attacks.

Step 4: Install a brute force attack protection plugin

After taking some basic steps to protect your login page, you can also benefit from installing a brute force protection plugin. The right tool can automatically block brute force attacks before they impact your site.

As you’re trying to choose the best plugin for brute force protection, you should keep a few factors in mind. To protect your website, you’ll want to find a plugin that works behind the scenes to prevent and stop brute force attacks.

Here are some basic features you should look for in a brute force protection plugin:

• Limited login attempts
• Two-factor authentication
• A firewall
• IP address blocklisting

Additionally, many brute force protection plugins provide general security for your website. For example, Jetpack Security not only prevents brute force attacks but performs malware scans, creates automatic backups, and screens for spam.

Jetpack is also one of the easiest brute force protection plugins to configure. After installing and activating Jetpack, you can turn on Brute force protection in the dashboard.

With this one click, you can enable Jetpack to prevent brute force attacks!

The four best WordPress plugins for brute force attack protection

Installing a plugin can be the most effective way to prevent brute force attacks. Still, you might not know which option is right for your website. Although there are many brute force protection plugins, four stand out as the best! 

1. Jetpack

When you download Jetpack, you can access brute force attack protection and many other security features. Jetpack also offers performance and growth tools, so you can choose a plan that’s perfect for your needs. 

If brute force attack protection is all you need, the great news is that it’s completely free!

Key features of Jetpack’s brute force attack protection:

• One-click activation
• Allowed IPs
• The ability to see the number of blocked attacks
• Two-factor authentication

Pros:

• If you’re accidentally locked out of your login page due to Jetpack’s protection measures, you can send a special login link to your email address.
• Jetpack compares each new IP address to its global database of malicious addresses.
• With Jetpack, you can also access extended security measures, like downtime monitoring, site backups, and malware scans.

Cons:

• Jetpack requires you to connect to a WordPress.com account. 
• If your server is misconfigured, it may not return an IP address, which can disable the brute force protection feature.

Ease of use:

With Jetpack, you can implement brute force attack prevention in a single step. After installation, just visit the main Jetpack dashboard to turn on the feature. Then, you can simply allow Jetpack to do the work without any maintenance.

Pricing:

Any WordPress user can start using brute force protection for free with Jetpack. 

2. Sucuri

Sucuri is a tool specializing in website monitoring, protection, and performance. By implementing a Web Application Firewall (WAF), Sucuri can block brute force attacks on your website. 

Key features:

• Web Application Firewall (WAF)
• Limits login attempts
• Automated tools to block bots
• Allowlisting
• Two-factor authentication, CAPTCHA, and passcodes

Pros:

• Sucuri includes geo-blocking so that you can block all visitors from specific IP ranges. This feature can prevent brute force attacks from certain countries.
• Sucuri’s firewall sanitizes traffic before it even reaches your WordPress website.

Cons:

• The free version of Sucuri does not provide brute force prevention. To access a WAF, you’ll need to purchase a subscription. 
• Although Sucuri is an effective option for brute force attack prevention, it’s expensive. There are other free plugins with similar features.

Ease of use:

Compared to other plugins, Sucuri has a more complicated setup process. To start using Sucuri, you’ll need to purchase a plan and set up a firewall. This involves integrating your cPanel account and manually changing your DNS records.

Pricing:

With Sucuri, brute force protection requires a premium plan. This feature comes with all of its subscription options, which start at $199.99 per year.

3. Wordfence Security

Wordfence Security is a plugin that provides a firewall and security scanner all in one. This tool offers many forms of login security, including two-factor authentication, allowlisted IP addresses, and reCAPTCHA keys. 

Key features:

• Limits login attempts
• Records successful and failed login attempts
• Continually updated IP blocklist
• Manual blocking tools
• Two-factor authentication and reCAPTCHA 

Pros:

• Since it comes with a Web Application Firewall, Wordfence can identify and block malicious traffic on your site.
• If any administrative passwords are compromised, you can block any logins from that user.
• Wordfence performs scheduled security scans every three days when you’re using the free version.

Cons:

• For the free version of Wordfence, the generated data is delayed by 30 days. To receive real-time threat intelligence, you’ll have to upgrade to a paid plan.
• The free plugin also doesn’t let you manually schedule scanning.

Ease of use:

Wordfence provides a very simple setup process for first-time users. After installing and activating the free plugin, it will prompt you to enter an email address where Wordfence can send alerts. Then, you can add brute force protection by implementing a firewall and login security features.

Pricing:

Even the free version of Wordfence Security comes with built-in brute force protection for unlimited sites. If you need advanced support, you can purchase a premium plan. These start at $99 per year.

4. iThemes Security

iThemes Security ensures that you can start protecting your website from brute force attacks in under ten minutes. With this plugin, you can quickly customize your login page with two-factor authentication and password requirements. Plus, iThemes will automatically add your site to its Brute Force Protection Network.

Key features:

• Maximum login attempts for both hosts and users
• Local and network brute force protection
• Graphs of recent brute force attacks
• The ability to set password requirements for all users
• Two-factor authentication

Pros:

• One of the main benefits of iThemes Security is its Brute Force Protection Network. It records suspicious activity across one million different websites, identifying malicious IPs.
• You can set a maximum number of login attempts for your website, which can prevent automated login guessing.

Cons:

• If you want to add extra security features to your login page, like a reCAPTCHA field, you’ll need to purchase the premium plugin.
• The free plugin does not include real-time security reports.

Ease of use:

After installation, the iThemes plugin will take you through a step-by-step setup process. Here, you can enable both local and network brute force protection. You can also choose to add two-factor authentication for extra security.

Pricing:

iThemes Security is a free WordPress plugin. If you’d like to use the real-time security dashboard, you can purchase the premium version, starting at $80 per year.

Comparison of the top plugins that block brute force attacks

	Jetpack	Sucuri	Wordfence Security	iThemes Security
Limit login attempts	Yes	Yes	Yes	Yes
Two-factor authentication	Yes	Yes	Yes	Yes
Real-time reports	Yes	Yes	Yes, with premium extension	Yes, with premium extension
IP blocking	Yes	Yes	Yes	Yes
reCAPTCHA	Yes	Yes	Yes	Yes, with premium extension
Network brute force protection	Yes	No	No	Yes
Ease of use	One-step activation	Requires manually changing DNS records	Simple tabs for managing your firewall, scans, and login security	Setup wizard to configure login security and user groups
Price	Free	$199.99-$499.99 per year	Free-$950 per year	Free-$199 per year

Frequently asked questions (FAQs)

Now that you know all about brute force attacks and how to prevent them, let’s answer some questions!

How much does brute force protection cost in WordPress?

Brute force protection can be free if you download a brute force protection plugin like Jetpack. Other providers like Sucuri require a paid subscription.

How can I set up brute force attack protection in WordPress?

Setting up brute force protection will vary based on the provider you choose. Some options require you to configure a firewall, which can be complicated. Alternatively, Jetpack is a plugin that makes this process simple. After activation, you can turn on brute force protection with just one setting. 

What else can I do to secure my WordPress site?

There are many general security measures you can take to protect your website. First, consider performing consistent updates for the core software, themes, and plugins. You can also keep your data secure by backing up your website.

Another simple security measure is blocking spam. It’s also a good idea to delete unused plugins and monitor your site activity. Finally, make sure you regularly scan for malware and take immediate action if anything is found. 

Secure your website against brute force attacks

Without the right protection, your website can fall prey to brute force attacks. Fortunately, a brute force protection plugin is a simple addition to your site. With the right security measures, you can stop hackers from stealing your data.

To review, here’s how to implement brute force attack protection in WordPress:

1. Update your username.
2. Use a strong password.
3. Add two-factor authentication.
4. Install a brute force attack protection plugin like Jetpack.

After following these steps, you’ll be able to keep your information private and secure! Then, it’s just a matter of keeping your software up to date, backing up your files, and monitoring your website for spam and suspicious activity.