WordPress powers more than a quarter of all websites on the web, which amounts to millions of sites, and some very popular blogs, including Mashable and Time, use WordPress as their CMS.
This is why hackers are interested in finding bugs in the WordPress core, in plugins, or even in themes running on WordPress-based websites in order to attack a blog.
If there is a vulnerability in the WordPress core, Automattic Inc fixes it themselves and issues a patch to the world; third-party themes are another matter, and with improper permissions on PHP files a hacker is able to compromise the server.
There has been widespread news recently about mass hacking of WordPress-based websites, with over 5000 websites spreading malicious code to users across the world. Some of our clients' websites also got hacked, and we had to recover them as soon as we became aware of the situation.
If you are a WordPress user, you must take care of your website: keep your installation updated and secure. Here I have compiled a list of popular WordPress plugins that offer a wide range of security features and keep your blog secure from threats. These are the best security plugins for WordPress.
iThemes Security
Our first choice for securing a WordPress website. iThemes Security (earlier known as Better WP Security) is a popular security plugin for WordPress. It provides more than 30 ways to protect and secure your website from malicious attacks.
Most WordPress users do not know they are vulnerable until they are hacked, so why compromise on security? iThemes Security helps you fix common loopholes, stops automated attacks and strengthens user credentials, and all of it can be achieved with one-click activation.
Some common loopholes cannot be fixed by non-technical users, which this plugin does very easily. The features of iThemes Security that we think do most to make a WordPress site secure are:
- iThemes Brute Force Protection Network - This plugin builds a database of IPs that attempt to brute-force logins on WordPress websites running iThemes Security. The IPs are then distributed through the iThemes network, and if you use the iThemes Security plugin those IPs are blocked for a period of time even if they have not attacked your website yet.
- Protect - Scans your website to report vulnerabilities, bans bad bots and turns off file editing from the WordPress admin area, among other measures that help protect your website.
- Detect - iThemes monitors your website files and changes to the file system, along with the database, and alerts you in case of any modification.
- Obscure - Renames the default admin account if you have not changed it, changes the database table prefix, removes login error messages and changes the wp-admin URL; these features prevent attackers from learning too much about your website.
- Recover - Creates a backup of your database and sends it to you via email, so that in case of a hack you can easily get back online.
This plugin is available in both a free and a premium version. The premium plugin, iThemes Security Pro, adds features like two-factor authentication, Geo IP etc.
WordFence
WordFence is one of the most downloaded security plugins. It starts with a deep server-side scan of your source code, comparing it with the official WordPress repository code for core, themes and plugins. The makers of WordFence claim that their plugin will make your website 50 times faster and secure.
Another important feature of WordFence is Falcon, its caching engine, which not only makes your WordPress website run faster but also reduces your web server's disk and database activity to a minimum.
Some of the features of WordFence are:
- Blocking Features - Just like iThemes, if any site using WordFence is attacked, your site is protected automatically through a real-time blocking feature. You can also rate-limit aggressive crawlers and scrapers.
- Login Security - You can use two-factor authentication on your site to maximize login security. Enforcing strong passwords is another policy that strengthens security.
- Security Scanning - Scans your core files, themes and plugins for the Heartbleed vulnerability. It also scans for the signatures of 44,000 known malware variants and known threats.
- WordPress Firewall - Includes a firewall to block fake Google bots and malicious scans from hackers and botnets.
- Monitoring Features - You can monitor your real-time traffic, monitor your DNS security, do reverse DNS lookups on attackers and watch disk space for potential issues on your site.
- Multi-Site Security - Wordfence Security can be used on WordPress multisite, where it scans all posts and comments across all blogs from one admin panel.
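As an added example (not iThemes' or WordFence's own code), this is the baseline-and-compare logic behind the "Detect" and "Security Scanning" features described above: it records a SHA-256 digest of every file in a known-good state, then re-scans and reports added, removed and modified files. The directory layout and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots as added, removed or modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Snapshot a constructed mini install, simulate tampering, and re-scan.

    In production the baseline is taken right after a clean install or update
    and kept off the web server, since a baseline stored on the same host can
    be rewritten by whoever altered the site."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text("<?php // constructed\n")
        (root / "wp-config.php").write_text("<?php // constructed config\n")
        baseline = hash_tree(root)  # known-good snapshot

        # Constructed tampering: one file edited, one dropped in, one deleted.
        (root / "wp-config.php").write_text("<?php // constructed config\n// unexpected edit\n")
        (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // constructed\n")
        (root / "wp-includes" / "version.php").unlink()

        return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```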
BulletProof Security
Another popular plugin in the WordPress repository, which protects your WordPress website by adding firewall security, database security, login security etc. It comes with one-click setup in automatic mode; otherwise the BulletProof Security manual setup takes a total of 4 clicks.
The best thing about BulletProof Security is its low memory and server usage; it can also improve website performance through caching, using the Speed Boost Cache Bonus Code. It actively monitors your website for issues, and you can choose between 5 different email alerting options. You can also set up Idle Session Logout, which secures your WordPress website as soon as you leave your computer or laptop idle for some time.
The best features of BulletProof Security are:
- Firewall Protection - .htaccess website security protection is a method of protecting your wp-admin folder.
- Monitoring - Login Security & Monitoring, Idle Session Logout (ISL), Auth Cookie Expiration (ACE) and HTTP Error Logging monitor the site and send you emails in case of any issues.
- Database Backup - You can choose between full or partial DB backups and manual or scheduled backups. You can also have database backups emailed to you.
Acunetix WP Security
Acunetix WP Security is a WordPress security plugin from Acunetix, a well-known web application security company. Once installed, this plugin shows you what steps you need to take to make your WordPress website more secure. It tells you which files to delete and which to add, and where.
The dashboard gives you information about current alerts, and you can filter between critical, medium, low and informational alerts on your website. On a multi-author website, it can hide update notifications from all users except the administrator.
This plugin scans your website for security vulnerabilities and suggests corrective actions in areas such as:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
All In One WP Security & Firewall
All In One WP Security & Firewall adds a range of security and firewall measures to your WordPress website. As soon as you install this plugin you will notice the dashboard, which is clearly one of the best I have seen and makes the plugin very easy to use.
It shows a Security Strength Meter which you can calibrate to enhance your security, and provides a security points breakdown in the plugin dashboard. You can also see the status of some critical features right from the plugin dashboard and enable or disable them from there.
As you complete the tasks, your Security Strength Meter score increases. The plugin protects your WordPress website against brute-force login attacks by adding a captcha to the login and registration pages and by disabling user registration.
Here are some of the features of All In One WP Security & Firewall:
- User Account Security - Change the default username "admin" and enforce strong passwords for all users.
- User Login Security - Protect against brute-force attacks with lockdown features and captcha. You can also monitor failed login attempts and their IP ranges.
- User Registration Security - Enable manual approval of accounts, along with enforcing captcha on user registration.
- .htaccess and wp-config.php Security - Back up both files to your computer so that in case of an error you can restore them from the backup. You can also edit both files from the WordPress admin dashboard.
- Firewall Functionality - Adds a firewall using the .htaccess file, as .htaccess rules are processed before any file on the server.
- Database Backup and Email - The plugin can back up the database on a schedule and email it to your email address, so the database reaches you safely.
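The lockout logic behind the brute-force protection described for iThemes, WordFence and All In One WP Security above, as an added Python example that is not any of those plugins' code: failed logins are counted per IP in a sliding time window, and once the threshold is reached the IP is refused before any password is even checked. The log format, the thresholds and the addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy (not a plugin default): 5 failures within 5 minutes from one IP lock it out for 15 minutes.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=15)

# Constructed log lines: "<ISO timestamp> <client IP> <OK|FAIL> <username>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.7 FAIL admin
2024-01-01T10:00:05 203.0.113.7 FAIL admin
2024-01-01T10:00:09 198.51.100.2 OK editor
2024-01-01T10:00:11 203.0.113.7 FAIL administrator
2024-01-01T10:00:14 203.0.113.7 FAIL root
2024-01-01T10:00:20 203.0.113.7 FAIL test
2024-01-01T10:00:25 203.0.113.7 FAIL admin
2024-01-01T10:30:00 203.0.113.7 FAIL admin""".splitlines()


class LoginGuard:
    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> when its lockout expires

    def handle(self, ts, ip, success):
        """Return 'allow', 'fail' or 'locked' for one login attempt."""
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "locked"                 # refused before any password check
        if success:
            self.failures.pop(ip, None)     # a good login clears the counter
            return "allow"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = ts + LOCKOUT
            recent.clear()
            return "locked"
        return "fail"


def replay(lines):
    """Feed log lines through the guard; return per-line verdicts and active lockouts."""
    guard, verdicts = LoginGuard(), []
    for line in lines:
        stamp, ip, result, _user = line.split()
        verdicts.append((ip, guard.handle(datetime.fromisoformat(stamp), ip, result == "OK")))
    return verdicts, guard.locked_until
```

The attacker's fifth failure at 10:00:20 triggers the lockout, the sixth attempt is refused outright, and the attempt at 10:30 is evaluated again because the 15-minute lockout has expired.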
Additional security measures
These are a few of the WordPress security plugins you can use to protect your websites. There are many more, but I have only written about plugins I tested personally. There are some additional measures which should be taken even if you are not using any of the plugins mentioned above.
- Always keep your WordPress installation up to date. Updating is free and takes no more than a minute or two of your time, but it is essential to keeping your website safe. The latest WordPress update closes the loopholes left open in previous versions.
- Themes and plugins should come from well-regarded developers and should be updated as soon as an update arrives. The TimThumb plugin once allowed hackers to break into WordPress websites, but updated releases prevent that from happening.
- Do not install nulled WordPress themes and plugins. They may contain malware that runs without your knowledge and could lead to your WordPress website being hacked.
- Avoid the default administrator username "admin", because it makes attacks on your website easier. It cuts the attacker's work in half: he already knows the username and only has to brute-force the password for the admin account.
Hackers do intend to take down popular websites, but they show no mercy to lesser-known websites either. In fact, lesser-known sites can be hacked more easily because most of them are on shared hosting with fewer security plugins, which helps hackers take over servers. After infecting one website with malicious code, they infect the whole server, and in turn many other sites are infected. If you are working with WordPress, it is your responsibility to secure your website.
If you are planning to get one of these WordPress security plugins, I would suggest going with WordFence: it supports the major plugins, offers real-time blocking, and the addition of a free caching engine, Falcon, makes it a full-fledged security plugin for your WordPress website. My conclusion is supported by the simple fact that it is currently active on more than 1 million websites around the world and has been downloaded more than 9.5 million times to date.
We welcome all comments and suggestions, and do share this post if you like it.