WordPress websites soon attract the attention of hackers and their tools, which begin testing the site's defences and trying ways to gain access. Install a security plugin to stop them.
You may not realize it, but your WordPress website is under constant attack. It probably will not show it and therefore you will not know that it is happening. The first indication you will get that there is a problem is when your site goes down or is taken over by a hacker and begins doing strange things.
You could be locked out of your site, for example, which would make it obvious that it has been hacked, but most likely the hacker will install malware of some sort. This may show dodgy, phishing or even malicious adverts (hackers get the ad revenue or hack visitors) or links to undesirable products or services (porn, gambling and other undesirable websites). The malware might redirect visitors to other sites and so on.
Sometimes it is not immediately obvious that your site has been hacked, and your web host or even visitors to your site might email you to tell you that it is doing strange things.
Security software for websites
Just as you would use security software on a computer to protect it against threats on the internet, you must install security software on your WordPress website to protect it. A site that is not protected by security software is at risk from malware and hackers.
No protection is 100% effective against all threats and your site could still be compromised with security software running, but it is far more secure and safer with it.
Security software for WordPress websites can take several forms, but the most common is a plugin, which performs a similar task to security software on a computer. It scans the website files for potential malware and monitors people trying to log in, upload files, or access parts they have no business accessing, and so on.
A security plugin should be installed from day one on your website or blog and it should be a priority whenever setting up a new site. First protect the site, then you can go on to configure it, extend it, customise it, and add content.
There is security in obscurity though, and when your website is first launched, few people will know it is there, so it could take some time for hackers and bots (automated programs) to find it, but sooner or later they will. Protect it!
WordPress.com does not allow plugins to be installed, not even security plugins, because it has its own security features. The following are some popular security plugins for self-hosted WordPress.
Warning: Security plugins can lock down a website so tight that even you cannot get in! Be very careful when changing any security settings!
Wordfence
Wordfence is one of the most popular security plugins for WordPress. There are more than 4 million active installations, it has a very high rating on wordpress.org and it is updated frequently. That inspires confidence and a lot of people rely on the plugin to protect their website.
There are free and paid versions and the main differences are that the paid version is updated more quickly when new threats are discovered and it has a few extra features.

Website security is a complex subject and parts of Wordfence can be complicated too. However, it can be installed and then forgotten about because the default settings work well enough.
Wordfence has many components, one of which blocks brute force attacks. You can set the number of failed logins allowed and the time users are locked out.
There is a file scanner that regularly runs and checks all the files on your site for known malware or for tampering. A firewall checks for malicious file uploads and cross-site scripting. Wordfence can also force complex passwords for user accounts, throttle unwanted traffic like bots and crawlers, block IP addresses or even whole countries, and more.
Wordfence has a dashboard that shows important information, but the best place to view and customise settings is in All Options. It shows a long list of security sections and expanding each one shows the options. Some sections have a lot of options and some can be complicated. However, novices can simply accept the defaults and get good protection.
You benefit by being part of the Wordfence network and attacks seen elsewhere can be blocked on your site. There is a button to request help to clean up an infected site. It’s not free, but it’s good to know that help is available.
iThemes Security
iThemes Security has over 1 million active users, which makes it the second most popular security plugin for WordPress. The free version has plenty of features and there is an option to upgrade to the paid pro version if you need even more features.
The plugin applies a few basic security settings when it is installed and activated, but you really need to go through each of the modules and configure the settings. There are many options that improve security and the iThemes Security settings page lists 17 modules.

It is not always obvious what settings are in each module, for example, WordPress Tweaks, System Tweaks and Global Settings, but you can simply open each one and explore the options.
There is too much to list everything here, but one interesting feature that caught my attention is Away Mode. This disables the WordPress dashboard between certain times of the day. For example, you could lock it from 6.00 PM to 8.00 AM. That locks hackers out for 14 hours each night. (It locks you out too – beware!)
People snooping around your site looking for insecure pages by trying random URLs can be locked out with 404 Detection. Users repeatedly trying to log in can be blocked after a number of attempts, but it goes further and bans hackers detected trying to get into other sites protected by iThemes Security.
You can monitor files for changes, lock system files like wp-config, disable directory browsing and much more.
There are dozens of settings and good explanations of each one and the effect it has on your site. Some are easy to understand, others need technical knowledge. It is a great security plugin and you will be fine if you are a geek, but non-technical bloggers might find some parts hard to understand.
All in One WP Security & Firewall
All in One WP Security is another very popular security plugin for WordPress with over 900,000 active installations and a very high rating on the WordPress plugins site.
Security can be a complicated topic if you are not technically minded and if you are not a computer geek and WordPress expert, you might want to consider this plugin. The interface impresses because of its simplicity and security features are slightly easier to understand.

Simplicity is probably its best feature, but don’t get the idea that this plugin lacks features. It has plenty, it is just that they are presented in as simple a way as possible.
Select WP Security in the WordPress admin sidebar and there is a Security Strength Meter that shows how secure the website is using a speedometer style gadget. As you go through the settings customising them, you can see the result in the strength meter.
There are 13 subsections in WP Security and they cover topics like user accounts, login and registration. You can set the login attempts, retry time, lockout period, error message, and more. If you allow people to register and create accounts, they can be made to wait until you manually approve them.
You can easily back up the WordPress database, .htaccess and wp-config.php files. You can see and change access permissions for critical files and folders. IP addresses can be blacklisted, fake Google bots can be blocked, the login page renamed, and spam comments blocked.
With almost all security settings there is a description and a basic, intermediate or advanced badge. Points are awarded for enabling settings, which then show up in the security meter.
I like All in One WP Security a lot, mostly because of its simplicity and ease of use. Just don’t get carried away and enable everything; stick to the basic security tweaks unless you are an expert.
Cerber Security, Anti-Spam & Malware Scan
Cerber Security is not as popular as the previous three security plugins, but 200,000 active installations is still a lot. It has an almost perfect score in the WordPress plugins directory, which is another good sign.
The interface provides multiple sections and each one has multiple tabs, so everything is spread out a lot. You end up spending a lot of time switching between sections and tabs. The settings themselves are mostly easy to configure though.

The main settings are straightforward and there is a long list of items covering things like locking out repeated failed logins for a certain length of time. I like the option to increase the lockout time after a certain number of lockouts. You can change the login page, you can lock down WordPress so only people on a whitelist can access it, or limit access to registered users. Those options are useful for when a site is under maintenance or if you want privacy for some reason.
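The failed-login lockout that Wordfence, All in One WP Security and Cerber Security all offer, including the longer lockout after repeated lockouts mentioned above, can be sketched as follows. This is an added example, not code from any of these plugins; the thresholds, durations, class name and sample events are assumptions chosen for illustration.

```python
from collections import defaultdict

MAX_FAILURES = 3        # failed logins allowed before a lockout (assumed value)
BASE_LOCKOUT = 600      # first lockout length in seconds (assumed value)
ESCALATE_AFTER = 2      # lockouts before the long lockout applies (assumed value)
LONG_LOCKOUT = 86400    # escalated lockout length in seconds (assumed value)

class LoginGuard:
    """Tracks failed logins per IP address and decides when to lock out."""

    def __init__(self):
        self.failures = defaultdict(int)      # consecutive failures per IP
        self.lockouts = defaultdict(int)      # lockouts issued per IP
        self.locked_until = {}                # IP -> time the lockout ends

    def attempt(self, ip, now, success):
        """Return 'blocked', 'ok', 'failed' or 'locked' for one login attempt."""
        if now < self.locked_until.get(ip, 0):
            return "blocked"                  # locked out, even with the right password
        if success:
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] < MAX_FAILURES:
            return "failed"
        # Too many failures: lock out, for longer if this IP keeps coming back
        self.failures[ip] = 0
        self.lockouts[ip] += 1
        length = LONG_LOCKOUT if self.lockouts[ip] > ESCALATE_AFTER else BASE_LOCKOUT
        self.locked_until[ip] = now + length
        return "locked"

def replay(events):
    """Run (time, ip, success) events through a fresh guard; return outcomes."""
    guard = LoginGuard()
    return [guard.attempt(ip, t, ok) for t, ip, ok in events], guard

# Constructed sample events: (seconds, IP from a documentation range, success)
SAMPLE = [(t, "203.0.113.5", False) for t in (0, 5, 10, 15)]          # lockout 1
SAMPLE += [(t, "203.0.113.5", False) for t in (700, 705, 710)]        # lockout 2
SAMPLE += [(t, "203.0.113.5", False) for t in (1400, 1405, 1410)]     # lockout 3
SAMPLE += [(1500, "198.51.100.7", True)]                              # other user

if __name__ == "__main__":
    outcomes, guard = replay(SAMPLE)
    print(outcomes, guard.locked_until)
```

The "blocked" branch applies to everyone at that address, which is why an over-strict setting can lock the site owner out as well.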
It has some useful features for controlling users based on roles. You select a role like subscriber, contributor, author, and choose whether they see the WordPress dashboard or toolbar, which page they are redirected to after login, and more.
Hardening options enable suspicious or risky activities to be blocked, and there is an option to scan the site for malicious files. The antispam features detect bots, which are the cause of a lot of automated spam.
Cerber Security is pretty good. It doesn’t quite have as many features as some other security plugins, but it has all the basics and they are enough for most people. Expert users might want more though.
More security plugins
The short list of security plugins covered here is by no means all of them and there are many more. Most don’t have as many users, but that isn’t always a bad thing: a new plugin may be excellent but not yet have built up a following like the older and more established ones. Here are some alternatives to the featured plugins.
- Sucuri Security
- Defender Security
- NinjaFirewall
- Shield Security
- BulletProof Security
- Titan Antispam & Security