WordPress security plugins are the most important plugins you can have installed on your website. They’re what I like to call background plugins. They sit there in the background doing their thing and you only really notice they’re there when something’s going down.
This post was prompted by the Pinterest Queen and Disneyland Paris Guru, Jade of The Blog Assistant and Mummies Waiting. Like most of us, Jade wants to make sure that both of her blogs are as secure as possible. Let’s be honest, for a lot of us our blogs are our business and livelihood, so they need to be looked after, security-wise, as we would a traditional bricks and mortar business.
Why do you need a security plugin?
I love the internet and all the wonderful opportunities it brings with it. Access to information on anything at the click of a button, connecting people on opposite sides of the world and, most importantly to me, the chance it’s given me to start a business from my own front room. It does come with a very big but. With all the good stuff comes some potentially bad things too. There are some bad people with too much time on their hands looking to exploit any holes they can find.
It does sound a bit overly dramatic and you might think well, why would anyone bother to hack my blog? I’ve got no credit card information or anything else a hacker would want, so I’ll be fine.
Wrong. Some hackers will look to hack sites just for the fun of it, honestly. With the growing popularity of cryptocurrency, some people might try to use your host to help mine it, which could end up hitting you in the pocket with the extra resources taken up on your host.
Suffice to say that there are some right idiots out there with nothing better to do. So don’t take any chances, especially if your blog is your biz. You wouldn’t leave your shop door unlocked, the same goes for your blog. WordPress plugins for security are one precaution you can take.
What do WordPress security plugins actually do?
Different plugins do different things. Some will be all-round plugins that will do everything, like Defender or Wordfence. But there are other more specialist plugins that will help prevent a brute force attack, or regularly scan your site for malware and more.
Most of them will include firewalls and malware scanners along with the option to block people from logging in if they fail a certain number of times.
What are the options?
As with every other kind of plugin you can think of, there isn’t a shortage of WordPress plugins for security. And as with other types of plugin, it can be hard to work out which are the better ones. Here I’ve listed some of the more popular ones and I’ll tell you what I think about them.
Wordfence
Active downloads: 1 million+
Star Rating: 5*
Last updated: 1 week ago
- Firewall (updates delayed by 30 days)
- Malware scanner (updates delayed by 30 days)
- Protects from brute force attacks
- Checks themes and plugins to make sure they’ve not got any suspicious changes
- Repairs Files
- Checks for known security vulnerabilities and alerts you of any issues
- Scans your files for suspicious links
- Spam filter
- Can block IPs from accessing your site
- Monitor site visits and hack attempts
All of the free features plus those listed below.
- Firewall and malware updates applied in real-time
- IP blacklist blocks suspicious IPs from accessing your site
- Checks to see if your site or IP has been blacklisted
- Ability to enable two-factor authentication (helps stop brute force attacks)
- Country blocking
This is one of the more well known and popular WordPress plugins for security. As you can see by the list of features it’s a great all-rounder, and the premium version makes it a decent security plugin, in my view. Let’s be honest – 1 million+ downloads and a 5* rating speak for themselves.
The only thing that lets it down is that it has been known to slow blog loading speeds while a scan is running, but certainly a secure, slightly slower loading blog is much better than an unsecured one.
When it comes to me fixing hacks for my own clients, WordFence is the plugin I turn to. When it shows scan results it gives you a full list of files it thinks have been changed with malicious code along with files that it doesn’t think should be there.
Sucuri
Active downloads: 400,000+
Star rating: 4.5*
Last updated: 1 month ago
- Security activity auditing – tracks every change made to your site
- File integrity monitoring – checks your files against core WordPress files to check for anything suspicious
- Malware scanner
- Blacklist monitor
- Security alerts
- Security hardening
Sucuri are a big name in website security and they offer monthly plans beyond the WordPress plugin to help keep your site safe. The plugin is intended to complement their paid plans, but nevertheless offers some decent security functions. I know a few people who use it and are quite happy with it, so I think it’s a pretty decent option.
All-in-One WP Security
Active downloads: 700,000+
Star rating: 5*
Last updated: 2 weeks ago
- Checks for the default ‘admin’ user and lets you easily change it
- Checks for user accounts with the same screen name and user name
- Includes a password strength tool
- Locks users out if a brute force attack is suspected
- Lets you check a list of all locked out users to let them back in if needed
- Lets you force the log out of all users after a certain period of time
- Monitors failed log in attempts
- Monitors all activity of users on your site
- Add a captcha to the WordPress login form
- Add a captcha to the WordPress lost password form
- Enable manual approval when creating new WordPress accounts
- Add a captcha to the WordPress user registration page to help guard against spam
- Reset the WordPress database prefix
- Backup functionality
- Identify files with less than ideal security permissions
- Disable the PHP editing area
- Ban users with certain IPs
- Special brute force attack prevention feature
- Change the URL of the WordPress login page
- Spam prevention features
- Allows you to disable right click on your site so text, images etc. can’t be copied
- Can remove WordPress version information from your files (so hackers can’t tell which version you’re using)
I actually have this plugin on my other blog, Raising a Ragamuffin, and found out firsthand how good it is at preventing brute force attacks. For about 3-5 days I got around 20 emails a day saying that the plugin had locked out an IP from trying to log into my site. It also told me the usernames that hackers had been trying to use to gain access to my site (admin, thebloggenie etc.).
When it comes to WordPress security plugins, for me, it comes down to a choice between WordFence and All-in-One WP Security. Since that brute force attack I’ve been reluctant to remove it from that site.
It’s also the plugin that I use here at TBG HQ. I like that I get the option to change my login URL as part of the plugin along with the basic captcha that’s added to the login screens.
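As an added illustration (not code from the original post or from any of the plugins above), here is a small must-use plugin that does the basic version of what the lockout features listed above describe: it counts failed logins per IP, refuses further attempts after five failures within 15 minutes, and emails the site admin the username that was tried, much like the alerts described in the paragraph above. The threshold, the lockout window and the file name are assumptions.

```php
<?php
/*
 * Plugin Name: Example login lockout (constructed illustration, not a real plugin)
 * Save as wp-content/mu-plugins/login-lockout.php so it loads before other plugins.
 */
const EXAMPLE_MAX_FAILURES    = 5;                       // assumed threshold
const EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;  // assumed lockout window

// Key the counter by client IP. Behind a reverse proxy or CDN you would need
// to use the forwarded header the proxy sets instead of REMOTE_ADDR.
function example_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_failures_key($ip) {
    return 'example_login_failures_' . md5($ip);
}

// Fires every time WordPress rejects a login: count the failure and, on
// reaching the threshold, email the site admin with the username tried.
add_action('wp_login_failed', function ($username) {
    $ip    = example_client_ip();
    $key   = example_failures_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, EXAMPLE_LOCKOUT_SECONDS); // each failure extends the window

    if ($count === EXAMPLE_MAX_FAILURES) {
        $msg = sprintf('IP %s locked out after %d failed logins. Last username tried: %s', $ip, $count, sanitize_user($username));
        wp_mail(get_option('admin_email'), 'Login lockout on ' . get_bloginfo('name'), $msg);
    }
});

// Runs before the password is checked: refuse the attempt outright while the
// IP is over the threshold, so a guessed password is never even tested.
add_filter('authenticate', function ($user, $username, $password) {
    $count = (int) get_transient(example_failures_key(example_client_ip()));
    if ($count >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error('example_locked_out',
            'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// A successful login from the IP clears its counter.
add_action('wp_login', function () {
    delete_transient(example_failures_key(example_client_ip()));
});
```

Because the lockout error itself triggers another failed-login event, every attempt made during the lockout extends it, which is what you want against a brute force script.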
How do I know my security plugin is working?
When Jade asked about WordPress plugins for security she asked how to tell your plugin is working and how to get alerts from them. There’s no one-size-fits-all answer to this. In the same way that different caching plugins have different settings, so do security plugins.
I couldn’t find an option to tell All-in-One WP Security when I wanted to be sent alerts, and I don’t remember setting it up when I first installed it, but I did get email notifications when it detected a brute force attack on my site.
Defender is good in that if there are security features you’ve not enabled that it thinks you should (for example, I won’t disable my PHP editor because I use it a lot), it pops a little icon on the menu item in the WordPress dashboard to remind you every time you log in.
You can also set up email notifications for IP lockouts by clicking Defender in the WordPress menu > IP lockouts > Notifications. There you can decide what you want to be notified about and can set up multiple email addresses to have the email notifications sent to, too.
To check whether or not my WordPress plugins for security are working I run some manual scans (if the plugin has that feature). It’s a really difficult one because the only time a security plugin is really needed is when you’re under attack, and you don’t want that to be the time you find out it’s not working properly. My view is that as long as you use a plugin from a reputable developer/company, with a big number of active installs, and that is regularly updated you *should* be ok. But you can never be 100% certain, which is why we should all take other precautions too.
What else can I do to keep my WordPress blog secure?
WordPress security plugins are important but they’re not the be all and end all when it comes to WordPress website security. There are a load of other precautions you can take to make sure your website is secure.
Regular readers will not be surprised to hear me say take regular backups. The best thing you can do to keep your blog safe today is to take regular backups. If the worst does happen you’ll have a nice clean version of your blog to revert to.
Change your usernames and display names
If a hacker decides to launch a brute force attack on your site they’ll try hundreds of thousands of combinations of usernames and passwords to get into your site. But they’ll also scour your site for clues as to what your username could be.
This is why it’s especially important that you make sure that your usernames and display names are different. Some WordPress themes will include the display name of the user who published a blog post, and if that’s the same as your username, you’re giving hackers an easy ‘in’ to your site. All they have to do now is work out your password.
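An added example (not code from the original post or any of the plugins discussed) of how to check this for every account on a site: a must-use plugin that lists users whose display name is identical to their login name and shows administrators a dashboard warning until they change it. The file name and the admin-notice wording are assumptions.

```php
<?php
/*
 * Plugin Name: Example display-name audit (constructed illustration, not a real plugin)
 * Save as wp-content/mu-plugins/display-name-audit.php
 */

// Return the users whose public display name is identical to their login
// name. These are the accounts a theme can leak to anyone reading a post.
function example_users_exposing_login() {
    $exposed = array();
    $users   = get_users(array('fields' => array('ID', 'user_login', 'display_name')));
    foreach ($users as $u) {
        // Case-insensitive compare so "Jade" and "jade" still count as a match.
        if (strcasecmp(trim($u->display_name), $u->user_login) === 0) {
            $exposed[] = $u;
        }
    }
    return $exposed;
}

// Show the result to anyone who can edit users, on every dashboard page,
// until no account is left exposing its login name.
add_action('admin_notices', function () {
    if (!current_user_can('edit_users')) {
        return;
    }
    $exposed = example_users_exposing_login();
    if (empty($exposed)) {
        return;
    }
    $names = array_map(function ($u) {
        return '<code>' . esc_html($u->user_login) . '</code>';
    }, $exposed);
    printf(
        '<div class="notice notice-warning"><p>%s %s</p></div>',
        esc_html('These accounts use their login name as their display name; give them a different display name under Users:'),
        implode(', ', $names)
    );
});
```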
Use a secure password
Make sure you choose a strong password. WordPress can help by generating a strong 12-character password for you. If you’re not great at remembering strong passwords, you could use something like LastPass to remember them for you and also generate strong passwords if you prefer.
The following definitions are taken from Google’s online dictionary:
Firewall – software to help prevent unauthorised access to a website/system/network
Malware – software specifically designed to disrupt/harm a computer system
Brute Force attacks – trial and error attempts to log in to a system
IP – unique address given to a computer accessing the internet
Security Hardening – process of removing security vulnerabilities from a system