I’ve written many WordPress security posts in the years that JournalXtra has been alive. New plugins are released each year. Like nature’s evolution of man, developers interbreed features of old plugins to make superior all-in-one solutions to WordPress security issues. With the evolution of new plugins, old plugins wither and die, eventually to become a WordPress archaeologist’s treasure.
So every year I write a new post to surpass all other security posts. This one is no exception. In previous years I wrote top ten lists. This year there is no top ten, not even a top five. This year you will need only two security plugins: Wordfence Security and Better WP Security.
As ultimate as ultimate goes, this is the ultimate guide to WordPress security plugins.
Think back to when the WordPress blogosphere was struck down with the heavy blow of the Timthumb security vulnerability. The vulnerability was made public by Mark Maunder, founder of Feedjit. Mark rewrote the Timthumb script then developed Wordfence to secure WP sites from hackers and to detect and remove malware from infected sites. Mark is a true WordPress hero!
What does Wordfence do?
As a quick overview:
- Scans all files in a WordPress installation.
- Compares those files with known clean versions.
- Warns about missing and edited files.
- Lets admins replace edited files with clean versions via the click of a button.
- Scans the WordPress database for SQL injections and offers to clean any it finds.
- Checks site URLs with Google to detect whether Google has flagged any pages as harbouring malicious code or links.
- Blocks malicious bots and fake crawlers.
- Detects attempts to hack a site.
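The first three items above describe a file-integrity scan: hash every file, compare against a known-good manifest, and report what is missing, added or edited. The script below is an added illustration of that idea and is not Wordfence’s own code; it builds a miniature, constructed WordPress tree in a temporary directory, snapshots it, simulates an edit, a deletion and an unexpected new file, then reports the differences. The uploads directory is skipped as an assumption, since user uploads change constantly and have no clean reference copy.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, skip_prefixes=("wp-content/uploads",)) -> dict:
    """Map every file under root (relative POSIX path) to its hash.
    Paths under skip_prefixes are excluded (assumption: uploads have no clean reference)."""
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in skip_prefixes):
            continue
        manifest[rel] = hash_file(path)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Report files that vanished, appeared, or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "missing": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def demo() -> dict:
    """Constructed example: a tiny fake WordPress install, then three kinds of tampering."""
    root = Path(tempfile.mkdtemp(prefix="wp-integrity-"))
    try:
        # Constructed file contents; these are placeholders, not real WordPress sources.
        files = {
            "wp-login.php": "<?php // login form placeholder\n",
            "wp-includes/version.php": "<?php $wp_version = '3.5';\n",
            "wp-content/plugins/hello.php": "<?php // hello dolly placeholder\n",
            "wp-content/uploads/2013/photo.jpg": "JPEGDATA",  # skipped by the scan
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)

        baseline = build_manifest(root)  # the "known clean versions"

        # Simulate what a scan should catch: an edited core file, a deleted
        # plugin file, and a file that was never part of the baseline.
        (root / "wp-includes/version.php").write_text("<?php $wp_version = '3.5'; // edited\n")
        (root / "wp-content/plugins/hello.php").unlink()
        (root / "wp-content/unexpected.php").write_text("<?php // not in the baseline\n")

        return compare(baseline, build_manifest(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A real scanner replaces the self-generated baseline with hashes published for the exact WordPress, theme and plugin versions installed, which is what lets Wordfence offer a clean copy to restore; the comparison logic is the same.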
How is Wordfence configured?
- Grab Wordfence here or install it from Plugins > Add New.
- Go to Wordfence > Options.
- Untick Enable Live Traffic View.
- Under Scans to Include, tick everything you can except Scan files outside your WordPress installation.
- Tick Scan files outside your WordPress installation if you know your server can cope with the extra CPU load or if you suspect there may be a malicious file hidden outside of your WordPress folder.
- Enable Firewall Walls.
- Enable Login Security.
- Set Maximum memory Wordfence can use to 128 or to a value lower than your server’s memory limit. I usually set it to half the server’s maximum memory level.
Scans can be initiated from Wordfence > Scans. Results are viewed here too.
Better WP Security
This plugin featured in my last two posts about WP security measures. It picks up where Wordfence finishes:
- Makes it easy to change the admin username and user ID.
- Lets admins put the login script on a timer so the site’s admin interface can only be accessed during set times of the day and/or months of the year.
- Installs a blacklist of known bad usernames and malicious bots.
- Hides the wp-content directory.
- Makes database backups.
- Changes the database prefix.
- Hides the login script.
- Enables SSL throughout the whole site or on a per page basis (server needs an SSL certificate).
- Sets numerous other security tweaks.
The homepage for BWPS is here.
How is Better WP Security configured?
When used alongside Wordfence, only a couple of Better WP Security’s settings need to be configured:
- Install it from Plugins > Add New.
- Go to Security > Ban Users.
- Tick Enable Default Banned List then click Add Host and Agent Blacklist.
- Click the Detect tab.
- Untick Enable 404 Detection.
- Enter the Tweaks tab.
- Tick everything and save changes.
- View the frontend of your site using a different browser so that you are not logged in. If gallery or slider images fail to load or other problems occur, untick the following Tweak options one at a time, saving settings and re-checking the site’s frontend after each change: Filter Request Methods, Filter Suspicious Query Strings and Prevent Long URL Strings.
- Other tabs to look at are User, Backup and Prefix.
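The three Tweak options singled out above (Filter Request Methods, Filter Suspicious Query Strings and Prevent Long URL Strings) are request-filtering rules, and the reason the step says to test the frontend is that such rules can reject legitimate traffic. The script below is an added example written for this post, not Better WP Security’s code; it implements a simplified version of those three rules with an assumed method allow-list, an assumed 255-character URL limit and a small constructed pattern list, then runs constructed requests through it to show a normal page passing, an unusual request being rejected, and a gallery URL that trips the length rule even though it is harmless.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Assumed settings for this illustration; the plugin's real thresholds may differ.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
MAX_URL_LENGTH = 255
SUSPICIOUS_PATTERNS = [
    re.compile(pattern, re.IGNORECASE)
    for pattern in (
        r"<script",                  # inline script tag in a parameter
        r"\.\./",                    # directory traversal sequence
        r"\bunion\b.*\bselect\b",    # SQL union probe
        r"base64_decode\(",          # PHP decode call in a parameter
    )
]


def filter_request(method: str, url: str) -> list:
    """Return the list of rules a request violates (empty means it is allowed)."""
    reasons = []
    if method.upper() not in ALLOWED_METHODS:
        reasons.append("method")
    if len(url) > MAX_URL_LENGTH:
        reasons.append("long_url")
    # Decode once so encoded characters are matched in their literal form.
    query = unquote_plus(urlsplit(url).query)
    if any(pattern.search(query) for pattern in SUSPICIOUS_PATTERNS):
        reasons.append("suspicious_query")
    return reasons


def demo() -> dict:
    """Constructed requests: plain pages, one probe, one unusual method, one long gallery URL."""
    # A slider plugin passing thirty image names in the query string (constructed).
    long_gallery = "/gallery/?" + "&".join(f"slide{i}=photo{i}.jpg" for i in range(30))
    cases = {
        "homepage": ("GET", "/"),
        "search": ("GET", "/?s=wordpress+security"),
        "script_probe": ("GET", "/?page=<script>alert(1)</script>"),
        "unknown_method": ("TRACE", "/"),
        "gallery": ("GET", long_gallery),
    }
    return {name: filter_request(method, url) for name, (method, url) in cases.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'allowed' if not reasons else ', '.join(reasons)}")
```

The gallery case is the false positive the post warns about: nothing in it is hostile, it is simply longer than the limit, so disabling Prevent Long URL Strings (or raising the limit) is the right fix rather than rewriting the gallery. Note that the query is decoded only once, so a rule set like this is a coarse first line and not a substitute for fixing the code that handles the parameters.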
Options for WordPress security have improved a lot since I first began blogging and building websites. No site can ever be 100% secure but WP is getting damn close to it with Wordfence and Better WP Security.
The comment forms are open. Leave tips, suggestions and complaints below.