WordPress, by default, is quite secure. But because it's so popular, hackers try to find easy security loopholes in WordPress so they can hack a lot of websites in one go. They usually use bots that scour the web for known vulnerabilities across the millions of WordPress sites out there.
Using a security plugin means that the plugin's developers are likely to spot a new attack early and push protection to your website before it gets hacked.
"We have only two modes - complacency and panic."
James R. Schlesinger
WordPress Security Plugins
Sucuri is a complete website protection service. It includes antivirus, firewall and DDoS protection built in. Sucuri also cleans existing malware on your website without any extra charge and includes a host of features to prevent any attacks from happening. As a bonus they also provide performance optimization and caching.
Even though it’s a little pricey, if you are looking for a complete website security solution, there’s nothing better than Sucuri.
What you’ll like: Full website security, Malware cleaning, Performance Enhancement
What you won’t: A bit pricey
If you are looking for a free WordPress security plugin, you’ll love Wordfence. Their free version comes with a lot of options you can use and their paid version adds some more. They also have a caching engine named Falcon.
While Wordfence is great at what it does, I find that sometimes I need to look up the documentation to find out exactly what a certain option does, and sometimes even then it isn’t clear to me if I should use some of the features included in the plugin.
What you’ll like: Free!
What you won’t: Can get confusing at times
Another free WordPress security plugin which works great and has a lot of options is All In One WordPress Security and Firewall Plugin. This plugin attempts to make it easier for you to analyse just how secure your WordPress installation is, by displaying security levels visually. Although it’s used on over 400,000 sites, I feel that this plugin doesn’t provide as many security features as Sucuri or Wordfence.
What you’ll like: Lots of features
What you won’t: Still not the best
Formerly named WordPress Simple Firewall, Shield WordPress Security has a limited number of options and doesn’t give the admin the level of control offered by the other free WordPress plugins mentioned above. On the plus side, it’s the easiest to use, and if you aren’t using any other plugin to secure WordPress, you should at least use this. However, even if you are on a tight budget there’s no reason you should prefer Shield WordPress Security over any of the other free plugins.
What you’ll like: Ease of use
What you won’t: Lacks many important features
Formerly named Better WP Security, iThemes Security is another popular WordPress security plugin that offers a ton of features; the only downside is that you need the Pro (paid) version to get them. Of all the paid WordPress security plugins though, this is the cheapest.
iThemes Security also works well with their backup plugin, BackupBuddy, which can be purchased separately.
What you’ll like: Excellent security
What you won’t: The best features are limited to the paid version
WordPress Security Plugins You Should Probably Ignore
The following plugins did a great job in their heyday but are now outshone by the plugins listed above. If you are using, or were planning on using, any of these plugins, consider switching to one of the plugins mentioned above instead.
This was one of the best WordPress security plugins back when it was first released. Unfortunately the developers don't seem to have kept up with the times and now BulletProof Security doesn't seem to match up to the competition.
This too used to be one of the most comprehensive security plugins for WordPress in its day, but as of the time of publishing this post, the plugin hasn't been updated in a year. That doesn't bode well for any security plugin as it indicates that the developers have lost interest in maintaining the plugin. I'd stay away from ALL plugins which haven't been updated in a long time.
Firewalls can be used to extend the functionality of the security plugins but are not an absolute must-have for every website. Some of the better plugins mentioned above (like Sucuri) don't require firewalls because they have enough protection built in.
This is a fast and easy-to-use plugin for those who don't want to mess around with their .htaccess files. The plugin also lets you set your own security rules, including IP whitelisting and separate rules for logged-in users.
What you’ll like: Firewall for non-techie webmasters
What you won’t: Doesn't offer much else
CloudFlare is hard to describe in one line. It's a security platform, website optimizer and CDN built into one interface.
CloudFlare protects your website by placing itself between your website and the visitor. If a visitor's actions look suspicious or threatening, CloudFlare automatically takes steps to protect your website based on the security settings you have configured.
The best part about CloudFlare is that it serves millions of websites around the world, which gives it visibility into attacks as they happen, so it can take measures in real time to protect all websites using its service.
What you’ll like: Does many things to make your website safer and faster
What you won’t: Difficult to configure if not done through your hosting account
WP Security Audit Log keeps an audit trail of changes happening on your WordPress or MultiSite installations. It provides you with details of who logged in, when they logged in and what changes they made to the site’s themes, plugins and content.
This is especially useful in MultiSite installations or in single WordPress websites which are accessed by more than one user. You can use the data to stop users from doing what they are not supposed to be doing and also to troubleshoot in case something goes wrong.
This plugin also has some paid features which help expand its functionality.
What you’ll like: Logs. No other plugin listed here provides full access logs.
What you won’t: Only useful if your website allows logins for people you don't know
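The kind of review an audit trail like this makes possible, as an added example that is not part of the original post or of the plugin itself: a small Python script that parses a constructed log (the pipe-separated format, event names and all sample values are assumptions, not the plugin's real export) and flags the entries a site owner should look at: plugin or theme changes made under a non-administrator role, privileged changes outside working hours, and one account logging in from several addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (hypothetical format, not the plugin's real export):
# timestamp | user | role | ip | event | detail
SAMPLE_LOG = """\
2016-05-01 09:02:11 | alice | administrator | 198.51.100.7 | login | success
2016-05-01 09:05:40 | alice | administrator | 198.51.100.7 | plugin_activated | akismet
2016-05-01 09:30:02 | bob | editor | 203.0.113.9 | login | success
2016-05-01 09:31:15 | bob | editor | 203.0.113.9 | post_published | hello-world
2016-05-01 23:47:58 | bob | editor | 203.0.113.44 | login | success
2016-05-01 23:49:03 | bob | editor | 203.0.113.44 | plugin_installed | wp-file-manager
2016-05-02 03:12:20 | alice | administrator | 192.0.2.200 | login | failed
not a log line at all
"""

LINE_RE = re.compile(r"^(\S+ \S+) \| (\w+) \| (\w+) \| ([\d.]+) \| (\w+) \| (.*)$")
# Plugin, theme and role changes are what a stolen account gets used for; only admins should make them.
PRIVILEGED_EVENTS = {"plugin_installed", "plugin_activated", "theme_switched", "role_changed"}

def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, role, ip, event, detail = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "role": role, "ip": ip,
                       "event": event, "detail": detail})
    return events

def find_anomalies(events, work_hours=(8, 19)):
    """Return (reason, event) pairs worth a human look."""
    flagged, ips_per_user = [], defaultdict(set)
    for e in events:
        if e["event"] == "login" and e["detail"] == "success":
            ips_per_user[e["user"]].add(e["ip"])
        if e["event"] in PRIVILEGED_EVENTS:
            if e["role"] != "administrator":
                flagged.append(("privileged change by non-admin role", e))
            if not work_hours[0] <= e["ts"].hour < work_hours[1]:
                flagged.append(("privileged change outside working hours", e))
    for user, ips in ips_per_user.items():
        if len(ips) > 1:  # same account, several source addresses in one trail
            flagged.append((f"{user} logged in from {len(ips)} distinct IPs", None))
    return flagged
```

On the sample above, alice's daytime plugin activation passes, while bob's late-night plugin install under an editor role is flagged twice and his two login addresses once.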
WordPress Two Factor Authentication
You should enable Two Factor Authentication for WordPress to make sure only those you grant access can log in to your website. The best part is that this makes sure the baddies cannot log in to your WordPress even if they have stolen a password. The bad part is that it takes some time and effort to set up Two Factor Authentication for each of your WordPress users.
These are the best plugins you can use to achieve this.
Clef Two-Factor Authentication (now dead)
Clef allows you to completely disable password-based logins for your WordPress website and replace them with a Clef login page. The page displays a moving wave pattern which needs to be scanned with the Clef app on a smartphone. This means that authenticated users can log in without their passwords. They have a WordPress plugin too.
The great part is that it's not easy to break into the Clef app on the phone either. You'll first need physical access to the phone, then you need to enter a PIN code to access the app and then you need to scan the wave to login. This process ensures that it's never easy for anyone other than the intended user to gain access to your WordPress installation.
The downside is that Clef might confuse users logging in directly from smartphones. For some strange reason it allows you to log in from a desktop if you don't save your name in your Clef profile, but doesn't allow logins from smartphones. Overall, it is a great way to secure logins, but it might initially confuse non-admin users of your website.
What you’ll like: High security level. Not easy to break.
What you won’t: Not easy to configure. Might initially confuse users.
"Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers."
There is also a two-factor Google Authenticator plugin for WordPress, but it's harder to set up than Clef. Its advantage is that Google has a much wider user base than Clef, and it's possible many of your WordPress users already use this two-factor authentication service, which makes it easier for them to use it on your WordPress website too.
What you’ll like: High security level. Not easy to break.
What you won’t: Difficult to configure. Might initially confuse users.
Website Security Solutions
Website security is not just important for WordPress but for all websites, and there are solutions that protect more than just WordPress. Here's a list of security solutions that can be used to protect more than just WordPress-based websites.
SiteGuarding does more than just protect your website from attacks. It also includes malware removal, backups and updates. You can use their service as a one-time event for malware cleaning, or you can get their low-priced monthly subscriptions for continued peace of mind. They offer a free site scan, so if you aren't really sure about the security status of your website, you should run the scan to find out.
SiteGuarding works with WordPress and a number of other CMS and website solutions.
What you’ll like: Awesome website security on a budget
What you won’t: No free plan, only trial
"There are risks and costs to a program of action, but they are far less than the long range cost of comfortable inaction."
John F. Kennedy
Incapsula provides enterprise-level security to WordPress, which includes DDoS protection, name server protection, bot protection, website security including a firewall, two-factor authentication and a global CDN. It might seem like overkill if you just have a personal blog, so they have a free plan for you too.
What you’ll like: Enterprise level website security, if you are willing to pay
What you won’t: Free plan is quite limited
Hosting isn't really a security tool, but good WordPress hosting can be the difference between a hacked website and a secure website. The importance of secure, fast WordPress hosting cannot be overstated.
Over the years I have dealt with many hosts and only a few of them are worth recommending. Since most of them offer free website migrations, it's worth considering moving to a secure host.
Here's a list of great WordPress hosts which I recommend:
"If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked."
WordPress is a widely used platform, and with more than 25% of the internet powered by WordPress there are huge gains to be had from hacking it. This is why many hackers specialize in exploiting the weaknesses of WordPress websites and their hosting accounts.
These tools help make sure that our websites are protected from the most common attacks, and some uncommon ones as well. While it isn't necessary to use all of the security tools, using some of them wisely makes your website safer.
While it may be inconvenient to make your website safer, not doing so can result in a lot more discomfort in the future.
I hope you'll re-read this article and share it with others as well, so we can make the web a safer place.
One last thing: If you know about a great tool that I've not listed here, please let me know in the comments below and I'll check it out.