WordPress can be very secure if you know how to do it, but it can also be a hacker’s delight if you leave doors wide open. Very often exploits happen because of weaknesses in WordPress plugins, not in WordPress itself, but this isn’t much of a comfort when your site gets hacked.
In order to secure WordPress, you can use plugins. There are numerous WordPress security plugins – from small plugins that do only a single job to large security bundles. In this article I’ve included mainly security suites because they do many jobs at once.
I need to clarify that you don’t have to install all the plugins listed here. In fact, you might not be able to use all of them at the same time because of potential conflicts when two or more plugins handle the same task (e.g. .htaccess protection). One way to resolve such conflicts is to disable the overlapping functionality in one plugin, when that is possible. If it isn’t possible or doesn’t work, you simply need to remove one plugin and rely solely on the other(s).
1. Better WP Security
Better WP Security is a very comprehensive security plugin. It includes tons of features, some of which are:
- Change URLs for WordPress dashboard including login, admin, and more, thus making it more difficult for hackers to find them
- Completely turn off the ability to login for a given time period (away mode)
- Remove the meta “Generator” tag; theme, plugin, and core update notifications for users who do not have permission to apply them; Windows Live Writer header information; RSD header information; login error messages; etc. All of these give hackers information about where to look for weaknesses, so once they are gone it becomes harder to find what to attack.
- Rename “admin” account
- Change the WordPress database table prefix
- Perform a site scan to identify vulnerabilities (and fix them when possible)
- Ban suspicious bots, other hosts, user agents, and users with too many invalid login attempts
In addition to these, Better WP Security can also monitor your site and notify you of potential hacking attempts. Another useful feature that comes with the plugin is the backup functionality, which can prove critical to have even if your site never gets compromised.
2. BulletProof Security
BulletProof Security is another very comprehensive plugin. It has some of the functionality of other security suites, such as login security and login monitoring and protection against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection attacks, but it also has some features you won’t find in many other security bundles, for example .htaccess protection, security log files, etc.
3. All In One WP Security and Firewall
All In One WP Security and Firewall is one more security suite to consider. It comes with user account, user login, and user registration security, as well as file system, .htaccess and wp-config.php protection. It also comes with firewall functionality, so you can control incoming and outgoing traffic and set numerous rules to regulate it. One more feature of All In One WP Security and Firewall worth mentioning is its anti-spam module, though if you use the bundled Akismet plugin, you won’t need it that much because Akismet itself does a pretty good job of dealing with comment spam.
4. WP Login Security 2
Unlike most of the other plugins on this list, WP Login Security 2 isn’t a security bundle, but it has one very cool feature that can really save you from brute force attacks. It keeps a whitelist of IPs from which logins are allowed, and when a login attempt is made from an IP that’s not on this list, the plugin sends an email to the address you’ve entered.
This email contains a verification link. If you made the login attempt, you simply click the link and you are allowed into WordPress; if a malicious user made it, he or she is just cut off. It’s true that this could lead to inbox flooding if somebody decides to hammer the login page, but at least it stops brute forcers from getting into your site, while at the same time it doesn’t make logging in from new locations much harder for you.
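The allowlist-plus-verification-link flow described above, as an added example written for this article and not WP Login Security 2’s own code: a must-use plugin that refuses logins from unknown addresses until the account owner approves the address via an emailed one-time link. The option name `ipv_allowed_ips`, the `ipv_` prefix and the assumption that `REMOTE_ADDR` is the real client address (no reverse proxy) are mine, and unlike the plugin as described it only emails when the password was correct, which limits the inbox flooding mentioned above.

```php
<?php
// Added example (not WP Login Security 2's code). Place in wp-content/mu-plugins/.
// Assumes REMOTE_ADDR is the real client address (no reverse proxy in front).

function ipv_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function ipv_allowed_ips() {
    // Hypothetical option holding the allowlist. Seed it with your own address
    // first, e.g. wp option update ipv_allowed_ips '["203.0.113.5"]' --format=json
    return (array) get_option( 'ipv_allowed_ips', array() );
}

// Priority 30 runs after WordPress has checked the password, so only a correct
// login from an unknown address triggers the email (password guesses do not).
add_filter( 'authenticate', function ( $user ) {
    if ( ! $user instanceof WP_User || in_array( ipv_client_ip(), ipv_allowed_ips(), true ) ) {
        return $user;
    }
    $token = wp_generate_password( 32, false );
    set_transient( 'ipv_' . $token, array( 'ip' => ipv_client_ip(), 'user' => $user->ID ), HOUR_IN_SECONDS );
    $link  = add_query_arg( 'ipv_token', $token, wp_login_url() );
    wp_mail(
        $user->user_email,
        'Approve login from a new address',
        "Someone logged in as {$user->user_login} from " . ipv_client_ip() .
        ".\nIf this was you, approve the address here:\n$link\n\nOtherwise ignore this message."
    );
    return new WP_Error( 'ipv_unverified', 'This address is not approved yet. Check your email for a verification link.' );
}, 30 );

// Handle the emailed link: approve the stored address, then expire the token.
add_action( 'login_init', function () {
    if ( empty( $_GET['ipv_token'] ) ) {
        return;
    }
    $key  = 'ipv_' . sanitize_text_field( wp_unslash( $_GET['ipv_token'] ) );
    $data = get_transient( $key );
    delete_transient( $key ); // single use, whether valid or not
    if ( is_array( $data ) && ! empty( $data['ip'] ) ) {
        $ips   = ipv_allowed_ips();
        $ips[] = $data['ip'];
        update_option( 'ipv_allowed_ips', array_values( array_unique( $ips ) ) );
        wp_die( 'Address ' . esc_html( $data['ip'] ) . ' approved. You can now log in again.' );
    }
    wp_die( 'Invalid or expired verification link.' );
} );
```

Tokens expire after an hour and are deleted on first use, so a link cannot be replayed; if mail delivery is broken you can still recover by editing the option directly in the database.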
5. Acunetix WP Security
Acunetix WP Security is a security scan plugin. You can run it every now and then just to know whether your WordPress site has security holes. One case when running a scan is a must is after you install a new plugin or theme or update an existing one, because these are known to introduce vulnerabilities. In addition to its scanning feature, Acunetix WP Security also has backup functionality. Some of its other features include the ability to hide error information on the login page, the WP version number, the RSD tag and the Windows Live Writer meta tag, and to disable database and PHP error reporting (which, if enabled, can give hackers really useful information), etc.
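The information-hiding items in the Better WP Security feature list above (generator tag, RSD and Windows Live Writer headers, login error messages, update notices for users who cannot apply them, lockout after too many invalid login attempts) and the matching Acunetix WP Security options can also be done by hand. The following is an added example written for this article, not code from any of the plugins listed; it is a must-use plugin file for wp-content/mu-plugins/, the `he_` names are mine, and it assumes `REMOTE_ADDR` is the real client address (no reverse proxy in front).

```php
<?php
// Added example (not code from Better WP Security or Acunetix WP Security).
// Place in wp-content/mu-plugins/ so it loads before regular plugins.
// Assumes REMOTE_ADDR is the real client address (no reverse proxy in front).

// 1. Stop advertising the WordPress version and discovery endpoints in <head>.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' ); // also covers feeds
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );        // harmless no-op on versions that no longer emit it

// 2. One generic message, so login errors do not reveal which usernames exist.
add_filter( 'login_errors', function () {
    return 'Login failed. Check your credentials and try again.';
} );

// 3. Hide the core update nag from users who cannot apply updates anyway.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'update_core' ) ) {
        remove_action( 'admin_notices', 'update_nag', 3 );
    }
} );

// 4. Temporary lockout after repeated failed logins from one address.
const HE_MAX_ATTEMPTS = 5;
const HE_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

function he_attempt_key() {
    return 'he_failed_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Each failure bumps the counter and restarts the window, so hammering the
// login page while locked out only extends the lockout.
add_action( 'wp_login_failed', function () {
    $key = he_attempt_key();
    set_transient( $key, (int) get_transient( $key ) + 1, HE_LOCKOUT_SECS );
} );

// Priority 30 runs after WordPress's own password check, so a locked-out
// address is refused even if it finally guesses the right password.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( he_attempt_key() ) >= HE_MAX_ATTEMPTS ) {
        return new WP_Error( 'he_locked_out', 'Too many failed logins from this address. Try again in 15 minutes.' );
    }
    return $user;
}, 30 );

// Reset the counter once a login from that address succeeds.
add_action( 'wp_login', function () {
    delete_transient( he_attempt_key() );
} );
```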
6. AntiVirus
Viruses are a common danger online and your WordPress site isn’t an exception. The very name of the AntiVirus WordPress plugin says enough about what it does – it scans your WordPress site for viruses hidden in its files or somewhere in the themes.
7. Total Security
Total Security is another security scanner. In addition to WordPress files, it also scans for Apache- and PHP-related vulnerabilities, as well as suspicious files such as .exe, .bat, .scr, etc. You can also secure the login by creating custom URLs for the user login, logout and admin login pages and by hiding the wp-admin folder.
8. BackUpWordPress
This plugin isn’t a security plugin per se – it neither prevents attacks nor scans for vulnerabilities – but it is vital, and not only when your site gets hacked. Some of the other plugins on the list do have backup functionality, but if you want a dedicated backup plugin, this one is better because dedicated plugins usually have more options.
A backup is always a must because there are many cases when you might lose your site’s content and if you don’t have a recent backup, you need to upload everything from scratch. This is pretty painful even for a small site, and if your site has thousands of posts, then it’s simply a disaster.
BackUpWordPress is very simple to configure and use. You can set up automated backups, have the backup emailed to you, selectively back up files and directories instead of backing up everything, etc. In addition to BackUpWordPress, there are other backup plugins as well, so you might want to give them a try. In any case, don’t leave your WordPress site without a backup plugin – the risks are too high.
I wish I could say that after you install some of the plugins on this list your WordPress site becomes 100 per cent secure, but unfortunately this isn’t so. With security, no matter what you do, you can never be sure you are fully covered, but if you don’t take at least some basic measures, it’s only a matter of time before your site is hacked.