Top 10 WordPress Security Plugins
WordPress Security Plugins to the Rescue
Whatever type of online business you pursue, you want to make sure the platform your business is on is as secure as possible. I’m not talking about the myth of a 100% impenetrable Fort Knox type security vault—the reality is, this isn’t currently a possibility in today’s world—but I am talking about taking the steps to minimize access to the sensitive data of your website from potential hackers.
WordPress is an excellent platform for your online business. As we’ve talked about before, there are many reasons for this.
One of the major benefits of WordPress is the support and flexibility offered through third-party plugins, and security plugins are no exception. Because WordPress is an open source program, when security vulnerabilities are known, there’s a wealth of plugins to help quickly patch it up—and many of these plugins are very good.
In this article, Inside eBiz will help you protect your online business from many of the hackers who are looking to take advantage of unprepared and unsuspecting sites.
The Current State of Online Security
Unfortunately, these days, online security breaches are happening all too often. According to the developers of the iThemes Security plugin, about 30,000 websites are hacked each day. For people who have sites on the WordPress platform, attacks usually occur because of plugin vulnerabilities, obsolete software, and weak passwords.
When a 15-year-old can hack into NASA’s computers and cause a 21-day shutdown, and also get into a Pentagon weapons computer system, you know that every website is potentially vulnerable. This is all the more reason to take whatever steps you can to minimize your own vulnerability.
On one hand, most big hackers won’t take the time to go after smaller businesses. They’re more interested in making their mark with government entities, large corporations, and other organizations with highly sensitive data. On the other hand, we need to watch out for unscrupulous low-level hackers who might want to do something like use our website’s server space to send out email SPAM .
Here’s some of the major organizations that have been hit by large data breaches:
US Postal Service
With WordPress, there are many ways to harden your website, but security plugins offer an easier solution for most people.
Although it can be very beneficial to understand the ins and outs of WordPress security to make your site as secure as possible, by using some of the plugins mentioned in this article, you can obtain many of the same features at the click of a button.
Just make sure you stay updated with whatever security plugins you choose to use. This is because once a hole or vulnerability is discovered, a good security plugin will be quickly patched up by the developer for that vulnerability. In short, always update to the most current version of the plugin!
How We Determined the Best WordPress Security PlugIns
Here’s some of the factors Inside eBiz considered to determine the best security plugins currently available for WordPress.
Range of Features
When it comes to WordPress plugins, generally speaking, the less you use on your site, the better. Instead of looking to use numerous security plugins with limited features, our aim is to mainly focus on individual security plugins that offer a breadth of security features.
And while there are a couple of plugins on this list that offer narrower security features, for the most part, we opted to mainly consider individual security plugins that offer a wide number of features.
Positive User Experiences
All of the plugins recommended in this article were personally used by Inside eBiz and evaluated. Also, Inside eBiz strongly considered the experiences, comments, and reviews of other users of the plugin.
Support is important to any product or service, but support is absolutely critical when it comes to security for your website.
In choosing the recommended security plugins for WordPress, we considered how responsive the developer was to questions and issues about the plugin, while also taking into account whether the plugin was free or not. We recognize that when it comes to support, sometimes you get what you pay for, and if a plugin is offered for free, we understand that the developer may not always have the available time to promptly respond.
That being said, Inside eBiz was more strict about support in terms of providing timely updates to security vulnerabilities.
The Best WordPress Security Plugins for Your Online Business
What follows is our top 10 choices for WordPress security plugins for your online business. They’re presented in alphabetical order.
After you install the plugin, it checks security vulnerabilities on your site and recommends the actions you should take to fix them. Doing so can be done at the click of a button.
The plugin determines your security level based on a point system—the more points you acquire by turning on different security features, the higher your security level.
Security rules for All in One WP Security & Firewall are categorized as “Basic”, “Intermediate”, and “Advanced”, allowing you to easily apply different security levels to your site at one time.
Here’s some of the main features offered by the plugin:
User Accounts Security
The plugin makes sure you provide proper settings for user accounts and incorporate strong passwords.
User Login Security
This includes protection against brute-force attacks, as well as the ability to force logouts and lockouts, whitelist IP addresses, monitor account activity, add captcha, and hide the WordPress admin login page.
If your website allows user registration for your visitors (such as with a membership site), the All In One WP Security & Firewall plugin gives you the ability to use manual approval and/or captcha to minimize SPAM.
The features here give you the ability to change the default WP prefix and backup your WordPress database, including scheduled automatic backups.
File System Security
You can control permission settings, disable file editing within the WordPress admin, monitor system logs, and deny access to sensitive files.
You can also easily backup, restore, and modify your .htaccess and WP-config.php files to help resolve any broken functionality in your site.
The All In One WP Security & Firewall allows you to ban users from your site by specifying IP addresses/ranges or user agents.
You can add firewall protection to your site by using the .htaccess file. Because this file is processed before any other code on your site, you can stop malicious scripts before they get a chance to get started.
As stated earlier, you can instantly activate firewall settings among the existing “Basic”, “Intermediate”, and “Advanced” configurations. You can also enable more advanced settings, as well as disallow commenting vulnerabilities such as proxy comment posting and pingbacks.
Some of the other features that are included in the firewall security settings include protection against cross-site scripting, and blocking unwanted intruders from using up your resources, (such as fake Googlebots and image hotlinking).
If you have activity from a suspicious host or IP address, the All In One WP Security & Firewall plugin allows you to perform a WhoIs lookup to get more information about the intruder.
All In One WP Security & Firewall scans the files from your site and alerts you of any changes. It will also scan your core WordPress database tables.
Comment SPAM Security
The plugin allows you to easily block IP addresses that deliver SPAM comments to your site. Comments that don’t originate from your site can be blocked altogether.
The All In One WP Security & Firewall plugin offers other features, including the removal of vulnerable information from the HTML code of your site, the denial of access to certain files, the ability to lockdown your site (so that you can do things such as investigate attacks, perform upgrades, or maintenance work), the ability to save and apply security settings to other sites you own, and the ability to prevent the display of content via a frame or iframe.
New security vulnerabilities are discovered all the time, and the developers of the All In One WP Security & Firewall plugin state that their goal is to update it with new security features and fixes on a regular basis.
Some of the features of this plugin include:
Automatic removal of known threats and backdoors
Blocks brute-force attacks
Ability to run a scan at any time, as well as download definition updates to protect against new threats
The premium features of the plugin include:
Automatic download of definition updates during a complete scan
Ability to check the integrity of your core WordPress files
BruteProtect is cloud-powered and helps protect against botnet attacks. It does so by using a network of connected users to track and guard against every failed login attempt amongst all users of the plugin.
When an IP has too many failed login attempts over a specific period of time, the plugin logs and blocks that IP address across the entire connected network of users.
BruteProtect is compatible with WordPress Multisite, and only requires one API key for all sites. The plugin also works well alongside other security plugins.
BulletProof Security offers an easy-to-use security solution for your WordPress website. Also, WordPress.org shows that the developers of this plugin provide excellent response to support questions and issues.
Here are some of the valuable features from the free version of the plugin:
Brute-force monitoring and security
Database backup and logging
Database table prefix changer
HTTP error logging
Hotlink protection for images
Folder protection (e.g., root folder, wp-admin folder)
File protection (e.g., wp-config.php)
Comment SPAM protection
BulletProof Security includes additional Pro features, such as:
AutoRestore Intrusion Detection & Prevention System
Quarantine Intrusion Detection & Prevention System
Real-time file monitoring
Database monitoring and detection
Set of 16 Pro tools
… and much more
BulletProof Security’s One-Click Method allows you to use the plugin to set up all of its security features through its Setup Wizard. The plugin also offers manual controls for fine-tuning.
BulletProof Security is performance optimized. This means the plugin is friendly to your database (no excessive MySQL queries, no excessive database data, no excessive memory and resource use of your server, etc.). The plugin can even speed up your site through use of their Speed Boost Cache Bonus Code.
BulletProof Security firewalls help protect you against hundreds of thousands of different hacking attacks by matching malicious attack patterns. It uses .htaccess security that stops malicious scripts before they even have a chance to reach the PHP code in WordPress.
The Clef Two-Factor Authentication plugin offers simple, strong two-factor authentication for logging into your site, without the need for passwords or one-time codes. All that’s required is a single sign in using your smartphone and the Clef Wave. The plugin can even accommodate users without smartphones through flexible password settings.
To login to your WordPress site with the plugin, you just need to open up the mobile app on your phone and sync with the Clef Wave. After you sync with the Clef Wave once, you have access to one-click sign in for all your sites.
Clef Two-Factor Authentication will also automatically log you out when you’re finished working.
The plugin uses the RSA public-key cryptosystem and stores your private key on your phone instead of a central database on Clef’s servers, keeping your login credentials secure with you.
And even if you lose your phone, you’ll still be safe because every Clef login requires two identifications—your phone and a fingerprint or PIN.
Clef protects against all password-based attacks by disabling passwords for WordPress dashboard access, API access, and automatic password resets via email.
Clef is compatible with WordPress Multisite, works well with most mainstream plugins, and offers free email and chat support.
iThemes also offers a Pro version of the plugin called iThemes Security Pro, that comes with professional support and added features, such as:
Tracking of user actions
Two-factor authentication to your cell phone
Ability to save and use settings across multiple sites
Automatic malware scanning
Password expiration and management
Monitoring of file and database integrity
Regular backups of your database
Temporary user privilege escalation with automatic reset
Brute-force protection network
Hiding of sensitive areas of your site (e.g., login page, administrative information)
Force SSL for any page or post
Site scan and vulnerability reports
Detection of unwanted bots
The people at iThemes do more than just WordPress security, they also create a range of themes, plugins, and training for the WordPress online business owner.
iThemes also offers in-depth tutorials and videos to help you learn how to use their plugin.
The Security Ninja link presented here is to the commercial version from CodeCanyon, not to the free Security Ninja Lite plugin at WordPress.org. The free version at WordPress.org is not very helpful; although it tells you what security holes your site has, it doesn’t tell you how to fix them.
The cost for the premium version at CodeCanyon is inexpensive relative to its value for the security of your online business. It’s an easy-to-use plugin that once installed, will perform over 37 different tests to determine the security vulnerability of your site. It then lists how your site did relative to each possible vulnerability (“OK or “Bad”), and includes guidance and preventative measures you can take (including code snippets you can use) to easily fix any holes in your site.
The aim of Security Ninja is to help you take all of the preventative measures you can against any possible attacks, and its many tests allow you to do just that. The plugin provides excellent documentation and guidance for each security test it performs on your site.
Security Ninja by itself is a very good plugin. But the developer of Security Ninja has created add-ons (for an additional cost) that can help make your site even more secure.
These add-ons include:
Simple Security Firewall is an easy-to-use WordPress plugin that offers firewall protection. The plugin blocks all web requests that violate the firewall security rules you choose, with seven options to choose from.
The plugin promises to never break your site and is the only WordPress security plugin that uses a WordPress-independent security key to protect itself against outside tampering.
The developers of this plugin offer their users exclusive membership to a private security group that can help them learn more about WordPress security.
Here are some of the features of Simple Security Firewall:
Blocks malicious URLs and requests
Blocks all automated spambot comments
Hides your login page
Prevents brute-force login attacks
Offers email-based two-factor authentication
Monitors user login activity and restricts username sharing
Audit trail log to monitor user activity
Allows you to turn WordPress automatic updates on or off
Helps fight comment SPAM, both human and automatic bot SPAM
Lockdown your WordPress admin area (e.g., enforcing SSL, preventing file edits)
The developer of the Simple Security Firewall plugin has an excellent record of responding to support threads at WordPress.org.
The Sucuri Security plugin developers take a proactive approach by using intelligence gathering from thousands of remediation cases, along with many millions of unique domain scans and attack blocks.
The developers of the plugin have a good track record for support on WordPress.org.
Sucuri, Inc. is a recognized authority in website security specializing in WordPress security.
The Sucuri Security WordPress plugin offers:
Security Activity Monitoring
Sucuri monitors any changes that occur in your WordPress site and records it. For extra security, the plugin records this activity to the Sucuri cloud so that the actions of an attacker cannot be wiped clean. In this way, your security logs can help you analyze an attack.
File Integrity Monitoring
With this feature, the plugin compares the current state of the directories at the root of your site to a clean, uninfected version. If the plugin sees a differene, it knows there’s a problem.
Remote Malware Scanning
Sucuri offers a free security scanner called SiteCheck. This scanner uses blacklisting engines to help you see whether or not your site might be getting flagged for any security issues. If your site appears on one of the blacklists, Sucuri can help you get removed from them through their Website Antivirus product.
Sucuri offers security hardening configurations that can make your online business site more secure.
Post-Hack Security Actions
As mentioned before, having a 100% hacker-proof setup is currently not possible with today’s technology. But, if you’re site ever does get compromised, Sucuri can walk you through the actions you can take to get back up and running.
Sucuri will notify you of any security issues, allowing you to choose the types of issues you want to be notified about.
As an add-on, Sucuri also offers CloudProxy, a enterprise-level website firewall.
CloudProxy provides protection against:
Zero-day disclosure patches
CloudProxy also offers performance optimization, advanced access control features, and failover and redundancy
After the plugin is installed, it scans your site’s core, theme, and plugin code against a clean code version to make sure your site isn’t infected.
Wordfence Security offers many valuable features with its free plugin, including:
Free scan for infection and vulnerabilities
Falcon Engine caching with cache management features
Whois lookup and location/network blocking
Real-time traffic and blocking from known attackers within the Wordfence community
Two-factor authentication with cell phone sign in
Login security with password management
Firewall for blocking common security threats and malicious scripts
Ability to repair changed files
WordPress Multisite compatible
Wordfence also offers premium features that include:
Determining whether SPAM is being sent by your server
Wordfence is consistently updated to work against the latest security threats to your online business.
Some Basic Website Security Practices to Keep in Mind
Although the plugins in this article will go a long way towards patching up any security holes for your WordPress site, there are some basic measures to keep in mind to help you lockdown your online business.
• Keep your software up to date, especially your plugins, themes, your web browser, and WordPress itself. New software versions typically address security holes from previous versions. Also, delete any installed plugins or themes that you’re not using.
• Only acquire software from trustworthy sources that keep their software current and well coded. This includes popular plugins and themes from WordPress.org, as well as well-known third-party premium plugin and theme developers.
• Always backup your website (we’ll get more into the options for backing up, in future articles from Inside eBiz). For WordPress, this means backing up not just the database, but all the files in your WordPress installation as well. Look for automated backup solutions to make the job easier.
• Choose a web host that takes security precautions seriously. For example, find a host that stays current with the latest version of PHP and makes frequent backups of your site.
• Always use a strong password, and change it every couple of months. Try to use passwords that contain characters, numbers, capitals, and even phrases. Make sure that all users for your website have strong passwords as well, especially users who have administrative privileges.
Also, don’t get into the habit of using the same password for multiple sites and logins across the web. I highly recommend a password manager to make this part of your life much easier.
• If you allow people to upload files to your website through a form on your website, make sure the form has the ability to deny malicious scripts. If you’re unsure, don’t use such a form on your site.
• Keep your computer clean of any viruses, malware, and other malicious code that could compromise the security of everything on it.
• Never login to your site on an unsecured network (such as some Internet cafes) that fail to encrypt such information as passwords.
• When using FTP to upload and download files to your site, choose to use a more secure connection (SFTP).
• Never give someone the ability to access your FTP or edit your site unless you completely trust them. If you ever need to give someone temporary access (e.g., technical support), make sure to give them a one-time login that you can change when they’re finished.
Keep Your Online Business Protected
By choosing from among the plugins on this list, you can help make your WordPress website more secure against attacks. Although it’s unrealistic to expect a site to be 100% secure, it’s up to each of us to be proactive and take whatever precautions we can do minimize the risk.
This means locking down your site to limit security vulnerabilities, having the ability to detect when an attack has occurred, and knowing how to get up and running if the worst has happened.
Inside eBiz will talk more about the best ways to get back up and running in a future article, but if your site is compromised, at a minimum, you’ll want to reset your password, get your site scanned for malicious code, and contact your web host to help you get back up and running. And most definitely, taking basic precautions means having a full backup of your WordPress files and database.
So, make sure to take advantage of the security offerings that are available out there, and be vigilant with some basic, commonsense security practices. By being proactive, you can save yourself from potential headaches down the road, and make your online business safer both for you and your customers.
Until next time, have a safe and secure 4th of July!