WordPress Website Security
Here at FlexiWeb Website Design, based in Thurles, Tipperary, we encourage all our clients to take their website security very seriously. Most of us don’t worry about the security of our WordPress website until it’s too late. Security, backups and website recovery are, most of the time, an afterthought.
Avoiding potential problems until it’s too late is human nature, and that will probably never change – for most people. I’d encourage you to be proactive when it comes to WordPress security. Spending just a small amount of time planning and preparing can reduce the risk of your website being hacked.
In this post, we’re going to cover some of the best WordPress security plugins out there. Some of the plugins reviewed offer more specific functionality than others so before making a choice, be sure you’re comparing features properly.
WordPress Security Vulnerabilities
The number of potential security vulnerabilities faced by WordPress websites is actually much greater than most people realize. Typically we think of the obvious things like using strong passwords and keeping WordPress core files up to date. Truth be told, those particular items cover only a small percentage of the total vulnerabilities. Other things that need to be considered include:
- Server vulnerabilities
- Theme security
- Plugin security
- File permissions
- Securing specific files (like wp-admin and wp-config and wp-includes)
- Database security
- Computer vulnerabilities
- FTP vulnerabilities
- and more
As you can see, the list is long and we’ve only just scratched the surface. To make matters more complicated, no single plugin is really capable of covering all the security holes. And that shouldn’t really be your goal either, after all, managing WordPress security is a balancing act. You could spend all day trying to secure your website, but hey, you’ve also got a business to run, right?
How to Tell if Your WordPress Site Has Been Hacked
Figuring out whether or not your WordPress site has been hacked is not always as easy as you might think. There are a few ways to assess your site, none of which is perfect or foolproof. Other than that, it comes down to plain old detective work – and hackers are a sneaky bunch.
Performing regular scans of your website using free third-party services is a good idea. Google Webmaster Tools is the best place to start since their interpretation of your website will have the greatest impact on your ranking within the SERPs. Just be aware, that even GWT is prone to errors – a problem free website in Google’s eyes may, in fact, have problems. Also, remember to take a look at how your site is indexed by typing “site:yourwebsite.com” into Google search. Scan through a decent sampling of your page/post results and look for anything suspicious.
A free service like Sucuri Site Check will scan your site for free. Most of the time, Sucuri will alert you to any sign of malware, spam injections, defacing or blacklisting. Alternatively, there are also inexpensive paid services like CodeGuard that will backup your website every day and alert you to any changes.
Finally, it’s always a good idea to keep an eye on your Google Analytics account for anything unusual. Although GA can be a little tricky these days with the referral traffic causing traffic spikes, you should still keep an eye on the long-term patterns. Monitoring bandwidth use through your hosts CPanel is advisable as well.
Sorting Through the Best WordPress Security Plugins
Protecting your website from the more common WordPress security threats will put you in a much better position than most other sites. The vast majority of website owners don’t give a second thought to security until it’s too late.
Don’t be fooled into thinking that you’ll be able to achieve a 100% secure website – it’s just not realistic. Instead, set yourself a more reasonable goal of limiting your risk and protecting against some of the more common threats.
Remember that protecting against non-targeted attacks is always easier since they are automated and typically scan for common vulnerabilities. Targeted attacks are much more difficult to protect against since it’s your website versus the hacker. Anytime you have an individual who is willing to take time out of their day to analyze your specific website for vulnerabilities, there is an increased risk.
As one of the more popular WordPress security plugins, iThemes Security offers both a free and premium version which means there is really no excuse for failing to improve your current security situation. The different pricing options are available including:
- $80/year for 2 sites + 12 months of support and updates
- $100/year for 10 sites + 12 months of support and updates
- $150/year for unlimited sites and 12 months of support and updates
iThemes manages to cover most of the common security threats including:
- Brute force protection.
- Monitoring core files for any changes.
- Hiding both the login and admin pages.
- Locking out users who enter their username or password incorrectly too many times.
- Two-Factor identification.
- Logging user actions.
- Forcing the use of secure passwords for specific user roles and file permissions.
- Ticketed support is also available to all pro users.
With over 30 different ways that iThemes improves the security of your website, there are a few things to be aware of before jumping in. If you’re installing the plugin on an existing site, there is a possibility that some of the changes might break your site. Of particular concern are the changes made to the database and changing the path of your wp-content directory. As a precaution, you should make sure you backup your website before activating the plugin or enabling any new features.
Wordfence is the second security plugin on our list to feature both a free and premium version. Depending upon how many licenses you are purchasing and how long each license is valid for, Wordfence can provide some fairly steep discounts. For example, while a single site 1-year license will cost you $39, a 5-year license will cost just $29.25/year. If you’re running multiple websites or a purchasing licenses for client sites, you could pick up 10 license keys good for 12 months at $16.90 each. As you can see, the cost drops significantly with greater volume.
Wordfence is more than just a standalone plugin – at regular (free version) or customized intervals, Wordfence servers will scan your site for file changes, code injections, malware, or known backdoors. The premium option offers advanced scanning options so you can coordinate scans with low traffic periods.
Taking a slightly different approach than iThemes Security, Wordfence specializes in the following tasks:
- Scanning for file changes
- Blocking IP addresses
- Two-factor authentication
- Country blocking and country redirects
- Custom alerts
As you can see, Wordfence does a lot to improve the chances of keeping your site secure. It offers some different functionality than the other plugins covered in this post and there is less risk of problems compared to some of the other plugins.
All in One WP Security
As what is probably the top free WordPress security tool, All in One WP Security currently shows over 200,000 installations (versus iThemes 600K). Using a convenient grading system, this plugin makes it relatively easy to see the areas where your website security might need to be improved. The main dashboard has an indicator that ranks your current level of security between 0 and 470 depending upon how many features are currently enabled.
With this plugin, there is also the risk of breaking your site. To reduce the likelihood of this happening they have implemented three categories of changes – basic, intermediate and advanced. The basic features are relatively safe to activate while the intermediate and advanced changes have the potential to break some of your website’s functionality. If something goes wrong there are detailed instruction for fixing the problem but it’s still a good idea to err on the side of caution.
Each primary security feature is contained within its own sub-menu and is supported by a detailed description so you know exactly what you’re changing. A more extensive list of security features includes:
- The ability to disable the WP Meta information
- Monitoring user accounts for obvious vulnerabilities
- Brute Force login attack prevention that’s more extensive than the Limit Login Attempts Plugin
- A setting that requires you to manually approve new user registrations
- Database prefix management
- Protection of specific files including the ability to edit PHP files from within the dashboard
- Blacklisting users based upon their IP address or a range of IP addresses
- Basic firewall protection
- Changing the login page URL, cookie based logins as well as Captchas and whitelists
- Comment spam prevention
- File change detection
- Disable copying of text and the use of your site in an iFrame
Sucuri offers a free plugin which is available in the WordPress repository. Much like Sucuri’s free web-based scanning tool, the plugin is designed primarily as a method of alerting you to potential problems with your site. There are four primary areas that this plugin can help with:
The first has to do with monitoring and recording all activity within your WordPress installation. Sucuri attempts to keep an accurate log of who’s doing what and when. This particular feature is the equivalent of having a security camera set up to monitor what’s happening on your site – which users are logging in and what are they doing while they’re there.
Another key feature of Sucuri Security is the monitoring of all files including WP core, themes, and plugins. If you plan to use this feature properly, it’s important to make sure that the plugin is being installed on clean site. As soon as the plugin is activated it takes a snapshot of all files under the assumption that they are known to be good. From that point forward, you’ll be notified of any changes – including the addition of new files.
Malware and blacklist monitoring are provided and powered by Sucuri’s free scanner. You’ll also be able to tell if your website has been added to one of the many blacklist engines.
Finally, the plugin also helps you take some of the basic but critical steps necessary to harden your website security including:
- Removing the WordPress version information
- Protecting the uploads directory from browsing and PHP execution
- Restricting access to wp-content and wp-includes
- Verifying your security keys
- Restricting access to the file editor from with the WordPress dashboard.
Although their website is somewhat antiquated, BulletProof Security continues to be a popular WordPress security plugin in the repository with over 100k downloads. BPS offers two versions of their plugin – free and paid. The paid version is a one time purchase of $59.95 and includes lifetime updates and technical support as well as unlimited installations.
The list of features included with BulletProof security is too long to list but include:
- An easy one-click setup
- htaccess protection against XSS, RFI, CSRF, Base64, SQL injection and other hacking attempts
- Login security and monitoring including max login attempts and lockout time
- Database backups
- Database prefix changes
- File monitoring and quarantine of uploaded files
- Email alerts for a variety of user actions
- Many more
Even though their website is in need of work, their support forums are active within the WordPress repository and questions from users appear to be addressed quickly.
Taking any security measure to protect your WordPress site can be considered proactive and will put you in a better position than someone who chooses to do nothing. There are several high-quality security plugins available, all of which are capable of making your website more secure – including the free versions.
While there is no such thing as a site being 100% secure, you’re always better leaning towards the side of caution. Even with a security plugin installed, it’s still important to keep an eye out for anything unusual on your site that could indicate a problem. As well, remember that the higher profile your site becomes the greater the risk of a targeted attack.
If you’ve currently using any of the plugins covered in this post, please share your experience in the comments.