Tech Help Tuesday #5 – WordPress Security Plugins
How are we in August already? It feels like Christmas was only yesterday. I don’t know what it’s like where you are but it’s still really warm here in South Yorkshire and was the same in Ireland when we popped across last week to visit family. Anywho, this month’s tech help Tuesday is all about WordPress security plugins.
This month it was requested by the Pinterest Queen and Disneyland Paris Guru, Jade of The Blog Assistant and Mummies Waiting. Like most of us Jade wants to make sure that both of her blogs are as secure as possible. Let’s be honest, for a lot of us our blogs are our business and livelihood, so they need to be looked after, security-wise, as we would a traditional bricks and mortar business.
Why do you need a security plugin?
I love the internet and all the wonderful opportunities it brings with it. Access to information on anything at the click of a button, connecting people on opposite sides of the world and most importantly to me the chance it’s given me to start a business from my own front room. It does come with a very big but. With all the good stuff comes some potentially bad things too. There are some bad people with too much time on their hands looking to exploit any vulnerabilities they can find.
It does sound a bit overly dramatic and you might think well, why would anyone bother to hack my blog? I’ve got no credit card information or anything else a hacker would want, so I’ll be fine.
Wrong. Some hackers will look to hack sites just for the fun of it, honestly. With the growing popularity of cryptocurrency, some people might try to use your hosting to help mine for it, which could end up hitting you in the pocket.
Suffice to say that there are some right idiots out there with nothing better to do. So don’t take any chances, especially if your blog is your biz. You wouldn’t leave your shop door unlocked, and the same goes for your blog. WordPress security plugins are one precaution you can take.
What do WordPress security plugins do?
Different plugins do different things. Some will be all-round plugins that will do everything, like Defender or Wordfence. But there are other more specialist plugins that will help prevent a brute force attack, or regularly scan your site for malware and more.
What are the options?
As with every other kind of plugin you can think of, there isn’t a shortage of WordPress security plugins. And as with other types of plugin, it can be hard to work out which are the better ones. Here I’ve listed some of the more popular ones and tell you what I think about them.
Wordfence
Active downloads: 1 million+
Star Rating: 5*
Last updated: 1 week ago
- Firewall (updates delayed by 30 days)
- Malware scanner (updates delayed by 30 days)
- Protects from brute force attacks
- Checks themes and plugins to make sure they haven’t had any suspicious changes
- Repairs Files
- Checks for known security vulnerabilities and alerts you of any issues
- Scans your files for suspicious links
- Spam filter
- Can block IPs from accessing your site
- Monitor site visits and hack attempts
All of the free features plus those listed below.
- Firewall and malware updates applied in real-time
- IP blacklist blocks suspicious IPs from accessing your site
- Checks to see if your site or IP has been blacklisted
- Ability to enable two-factor authentication (helps stop brute force attacks)
- Country blocking
This is one of the better-known and more popular WordPress security plugins. As you can see from the list of features it’s a great all-rounder, and the premium version makes it a decent security plugin, in my view. Let’s be honest – 1 million+ downloads and a 5* rating speak for themselves.
The only thing that lets it down is that it has been known to slow down blog loading speeds, but a secure, slightly slower-loading blog is certainly much better than an unsecured one.
Defender
Active downloads: 7000+
Star Rating: 5*
Last updated: 4 weeks ago
- Google 2-Step Verification
- One-click site hardening and security tweaking
- WordPress core file scanning and repair
- Login Screen Masking
- IP Blacklist manager and logging
- Unlimited file scans
- Timed Lockout brute force attack shield for login protection
- 404 limiter for blocking vulnerability scans
- IP lockout notifications and reports
- Blacklist monitor – checks to see if your URL or IP have been blocked by Google
- Audit logging – tracks every change made to your site
- Automated reports delivered to your inbox
This is the security plugin I use here at TBG HQ. Many of the eagle-eyed among you will have noticed that by using this plugin I’m going against my usual rule of using a more popular plugin. At the time I installed Defender, I was using one of its sister plugins, WP-Smush (I don’t use it any more because it’s unnecessary when your images are properly optimised), and found that I liked it.
I think it offers a bit more in free features than WordFence and it’s really easy to use.
Sucuri
Active downloads: 400,000+
Star rating: 4.5*
Last updated: 1 month ago
- Security activity auditing – tracks every change made to your site
- File integrity monitoring – checks your files against core WordPress files to check for anything suspicious
- Malware scanner
- Blacklist monitor
- Security alerts
- Security hardening
Sucuri are a big name in website security and they offer monthly plans beyond the WordPress plugin to help keep your site safe. The plugin is intended to complement their paid plans, but nevertheless offers some decent security functions. I’ve not used it myself so I can’t give an opinion on how well it works.
All-in-One WP Security
Active downloads: 700,000+
Star rating: 5*
Last updated: 2 weeks ago
- Checks for the default ‘admin’ user and lets you easily change it
- Checks for user accounts with the same screen name and user name
- Includes a password strength tool
- Locks users out if a brute force attack is suspected
- Lets you check a list of all locked out users to let them back in if needed
- Lets you force all users to log out after a certain period of time
- Monitors failed login attempts
- Monitors all activity of users on your site
- Add a captcha to the WordPress login form
- Add a captcha to the WordPress lost-password form
- Enable manual approval when creating new WordPress accounts
- Add a captcha to the WordPress user registration page to help guard against spam
- Reset the WordPress database prefix
- Backup functionality
- Identify files with less than ideal security permissions
- Disable the PHP editing area
- Ban users with certain IPs
- Special brute force attack prevention feature
- Change the URL of the WordPress login page
- Spam prevention features
- Allows you to disable right click on your site so text, images etc. can’t be copied
- Can remove WordPress version information from your files (so hackers can’t tell which version you’re using)
I actually have this plugin on my other blog, Raising a Ragamuffin, and found out firsthand how good it is at preventing brute force attacks. For about 3-5 days I got around 20 emails a day saying that the plugin had locked out an IP from trying to log into my site. It also told me the usernames that hackers had been trying to use to gain access to my site (admin, thebloggenie etc.).
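To show what the lockout-and-alert behaviour described above looks like in practice, here is an added example (my own illustration, not code from the post or from any of the plugins it reviews). It runs a sliding-window lockout over a few constructed failed-login records and produces the kind of report the post describes: which IP was locked out, and which usernames were tried. The log format, the thresholds and the addresses are all assumptions.

```python
"""Simulated brute-force lockout over constructed login records.

Added example, not the post's code and not any plugin's code. Models the
behaviour the post describes: after too many failed logins from one IP in a
short window the IP is locked out for a while, and the report lists the
usernames that were tried. Format, thresholds and addresses are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2018-08-07T10:00:00 203.0.113.7 admin FAIL
2018-08-07T10:00:02 203.0.113.7 admin FAIL
2018-08-07T10:00:05 203.0.113.7 thebloggenie FAIL
2018-08-07T10:00:07 203.0.113.7 administrator FAIL
2018-08-07T10:00:09 203.0.113.7 admin FAIL
2018-08-07T10:00:11 203.0.113.7 editor FAIL
2018-08-07T10:01:00 198.51.100.23 jade FAIL
2018-08-07T10:01:30 198.51.100.23 jade OK
2018-08-07T10:20:00 203.0.113.7 admin FAIL
"""

MAX_FAILURES = 5                 # failures allowed inside the window (assumed)
WINDOW = timedelta(minutes=5)    # sliding window for counting failures (assumed)
LOCKOUT = timedelta(minutes=15)  # how long a locked-out IP stays blocked (assumed)


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def process_log(text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Return {ip: {"locked_at": [...], "usernames": set(...), "dropped": n}}."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}             # ip -> datetime when the lockout ends
    report = defaultdict(lambda: {"locked_at": [], "usernames": set(), "dropped": 0})

    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, result = parse_line(raw)

        # A locked-out IP is turned away before the login is even evaluated.
        if ip in locked_until and ts < locked_until[ip]:
            report[ip]["dropped"] += 1
            continue

        if result != "FAIL":
            recent[ip].clear()    # a successful login resets the counter
            continue

        failures = recent[ip]
        failures.append(ts)
        report[ip]["usernames"].add(user)

        # Forget failures that fell out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()

        if len(failures) >= max_failures:
            locked_until[ip] = ts + lockout
            report[ip]["locked_at"].append(ts)
            failures.clear()
    return dict(report)


def alert_lines(report):
    """One line per lockout, in the spirit of the plugin's notification emails."""
    lines = []
    for ip, info in sorted(report.items()):
        for when in info["locked_at"]:
            tried = ", ".join(sorted(info["usernames"]))
            lines.append(f"{when.isoformat()} locked out {ip} (usernames tried: {tried})")
    return lines


if __name__ == "__main__":
    for line in alert_lines(process_log(SAMPLE_LOG)):
        print(line)
```

In the sample data the first IP is locked out on its fifth failure, its sixth attempt is dropped without being counted, and its attempt twenty minutes later is accepted again because the lockout has expired; the second IP fails once, then logs in successfully, which clears its counter. A real plugin stores this state in the database rather than in memory, but the counting logic is the same.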
When it comes to WordPress security plugins, for me, it comes down to a choice between Defender and All-in-One WP Security. Since that brute force attack I’ve been reluctant to remove it from that site. In fact as I’m writing this post I’m thinking that I might actually switch to All-in-One WP security here at TBG HQ too. I’ll sleep on it and read this post again in a few days to see how I feel.
How do I know my security plugin is working?
When Jade asked about WordPress security plugins she asked how to tell your plugin is working and how to get alerts from them. There’s no one-size-fits-all answer to this. In the same way that different caching plugins have different settings, so do security plugins.
I couldn’t find an option to tell All-in-One WP Security when I wanted to be sent alerts, and I don’t remember setting it up when I first installed it, but I did get email notifications when it detected a brute force attack on my site.
Defender is good in that if there are security features you haven’t enabled that it thinks you should (for example, I won’t disable my PHP editor because I use it a lot), it puts a little icon on the menu item in the WordPress dashboard to remind you every time you log in.
You can also set up email notifications for IP lockouts by clicking Defender in the WordPress menu > IP lockouts > Notifications. There you can decide what you want to be notified about and can set up multiple email addresses to have the email notifications sent to, too.
To check whether or not my WordPress security plugins are working I run some manual scans (if the plugin has that feature). It’s a really difficult one because the only time a security plugin is really needed is when you’re under attack, and you don’t want that to be the time you find out it’s not working properly. My view is that as long as you use a plugin from a reputable developer/company, with a big number of active installs, that is regularly updated, you *should* be ok. But you can never be 100% certain, which is why we should all take other precautions too.
What else can I do to keep my WordPress blog secure?
Regular readers will not be surprised to hear me say, take regular backups. The best thing you can do to keep your blog safe today is to take regular backups. If the worst does happen you’ll have a nice clean version of your blog to revert to.
Change your username and password
Some hackers will try hundreds of thousands of combinations of usernames and passwords to get into your site, so the best thing you can do to make it hard for them is to choose a username that isn’t obvious (so not something like admin) and make sure you choose a strong password. WordPress can help by generating a strong 12-character password for you. If you’re not great at remembering strong passwords, you could use something like LastPass to remember them for you.
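As an added example of the advice above (my own illustration, not the post’s code and not WordPress’s own password generator), the script below checks a username against a short list of obvious choices, checks a password against a simple policy, generates a 12-character password from the operating system’s random source, and estimates how much bigger the guessing job gets as the password gets longer. The list of obvious usernames, the policy thresholds and the guess rate are assumptions.

```python
"""Username and password checks for a blog login, as an added example.

Not code from the post or from WordPress. It mirrors the post's advice:
avoid an obvious username such as "admin", use a strong password of at
least 12 characters, and shows why length matters by sizing the guess
space. The username list, thresholds and guess rate are assumptions.
"""
import math
import secrets
import string

OBVIOUS_USERNAMES = {"admin", "administrator", "root", "user", "test", "wordpress"}
MIN_LENGTH = 12   # the length the post says WordPress's generator uses
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def username_is_obvious(username, site_name=None):
    """True if the username is one an attacker would guess first.

    The site name is checked too, because the post notes that attackers
    tried the blog's own name ("thebloggenie") as a username.
    """
    u = username.strip().lower()
    if u in OBVIOUS_USERNAMES:
        return True
    if site_name and u == "".join(site_name.lower().split()):
        return True
    return False


def password_problems(password, username=""):
    """Return a list of reasons the password is weak; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def generate_password(length=MIN_LENGTH):
    """Draw a password from the CSPRNG until one satisfies the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def guess_space_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy, in bits, of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(length, guesses_per_second=1e9, alphabet_size=len(ALPHABET)):
    """Worst-case years for an attacker at the assumed guess rate to try every password."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("admin is obvious:", username_is_obvious("admin"))
    print("problems with 'password123':", password_problems("password123"))
    print("generated:", generate_password())
    for n in (8, 12, 16):
        print(f"{n} chars: {guess_space_bits(n):.0f} bits, "
              f"{years_to_exhaust(n):.3g} years at 1e9 guesses/s")
```

The guess-rate figure is a deliberately generous assumption for an offline attack; against a live login form a plugin’s lockout keeps the rate far lower, which is why the two measures (a strong password and a lockout) complement each other.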
For more info on how to keep your blog secure sign up to my VIP list, where you’ll get an email every week full of useful info to keep your WordPress blog in pristine condition. Next week’s newsletter talks all about more things that you can do to keep your blog secure – I know you won’t want to miss out on that one.
The following definitions are taken from Google’s online dictionary
Firewall – software to help prevent unauthorised access to a website/system/network
Malware – software specifically designed to disrupt/harm a computer system
Brute Force attacks – trial and error attempts to log in to a system
IP – unique address given to a computer accessing the internet
Security Hardening – process of removing security vulnerabilities from a system