Keep WordPress Secure with 3 Simple Plugins

I’ve written many WordPress security posts for JournalXtra. WordPress security plugins come and go like the day and night. Like nature’s evolution of man, developers interbreed features of old plugins to make superior all-in-one WP security solutions. With the evolution of new plugins the old plugins whither into antiquity, eventually to become a WordPress archaeologist’s treasure.

As ultimate as ultimate goes, this is the ultimate guide to WordPress security plugins.

All of these plugins are complimentary. They can be installed into a site and used together without any special configuration to promote harmonious performance.

Basic WordPress security

The key elements to keeping a site secure are:

Server security
Up to date software
Removal of redundant software
Security monitoring
Regular site maintenance

Use a good host that treats seriously both server security and server software maintenance. I recommend Namecheap. There servers continuously scan for malware, delete infected files and then send the server admin a report.

Update WordPress, plugins and themes. Read change logs before updates run. Change logs tell us about feature enhancements and whether vulnerabilities have been patched. If a vulnerability has been patched, scan your site to ensure it hasn’t been compromised.

Delete plugins and themes that are not in use. The more software there is installed in a website the more chance there is that vulnerable scripts exist.

Check for abandonware. Use the Look-See scanner (detailed below) to ensure your plugins and themes are still being supported by developers. Abandonware is more likely to contain vulnerable scripts than is mature software that is in constant development.

Use plugins like Wordfence (detailed below) to regularly scan for malware and hack attacks.

That said, we can now look at the security plugins.

Defence

Security plugins shown here defend WordPress sites from hackers and bots, and detect malicious activity and malware infections.

Wordfence

Wordfence is our favourite security plugin and has been since its initial release in 2011 following Mark Maunder’s discovery of the Tim Thumb vulnerability. Mark rewrote the Tim Thumb script then developed Wordfence to secure WP sites from hackers and to detect and remove malware from infected sites. Mark is a true WordPress hero!

Wordfence is a mature and feature rich plugin.

Overview

Scans all files in a WordPress installation for malware.
Optionally scans for malware in all files outside of a WordPress site’s directory space.
Compares installed WordPress, plugin and theme files against known to be clean versions of them.
Warns about missing, edited and out of date WordPress, plugin and theme files.
Lets admins replace edited files with clean versions with the click of a button.
Scans the WordPress database for SQL injections.
Checks page URLs and URLs in content against Google’s database of unsafe URLs.
Blocks malicious bots and fake crawlers.
Detects and blocks hack attacks.
Protects against spam and more
Regularly scans for malicious files.

Installation

Install Wordfence using the WordPress plugin installer i.e. Dashboard > Plugins > Add New.
Activate the plugin

Configuration

Configure Wordfence the easy way and use my default settings.

Go to Dashboard > Wordfence > Options
Scroll to the bottom of the page

Paste the following code into the Import field

62cb93cbf92991c17beace17068c98aaf532b8de32ad91b9df8e985736d9be376dd843534bb4c6138bbff4f71c1029b095e7fdc1fb0366cab0b3f48c98825c43

Click the Import button
Check the settings and add an emails address for reports to be sent to.

Notes

Enable Wordfence network wide when used in WordPress multisite.

More information about Wordfence is available here.

Jetpack Protect

This is a security feature provided by Jetpack. There was a time I complain about Jetpack. Nowadays I serenade about its virtues. Jetpack has matured much since Automatic first released it.

Overview

Protects against brute force attacks
Protects against botnets
Protects login forms

Installation

Install Jetpack and enable the Jetpack Protect module.

Configuration

Nothing to do. Works out of the box.

Malware detection

These plugins are specific to

Look-See

Released in 2012, Look-See is one year younger than Wordfence. This plugin is a file malware scanner. These malware scans are more robust than those performed by Wordfence but then Look-See’s scans produce more false positives.

Use Look-See to perform manual security scans and to regularly check installed plugins against the WPScan Vulnerabilities Database.

Overview

Verifies the integrity of core WordPress files.
Scans wp-admin and wp-includes for unexpected files.
Scans wp-content/uploads for hidden PHP scripts.
Identifies file changes since previous scan.
Locates files left over from older version of WordPress (3.6+).
Analyses WordPress configurations for oversights and vulnerabilities.
Checks uploaded themes and plugins against the WPScan Vulnerabilities Database.
Lists installed plugins and themes along with their known vulnerabilities.
Finds files for common malware code.

Installation

Install with the native WordPress plugin installer.

Configuration

None required.

Use the plugin by going to Tools > Look See Security Scanner

Notes

Cannot be used in multisite configurations.

Infection removal

Wordfence and Look-See will help you block attacks and find infections, they will even help you replace malicious files but they won’t fully clean up an infected site.

Malware removal requires the reinstallation of plugins, themes and WordPress core files, a database integrity check, password and username changes and a full inspection of the website’s server space.

I’m leaving post infection malware removal advice for another WordPress security post. If you need a malware infected site to be cleaned up, contact me and I will help you.

Over to you!

What security tips do you have to share? What is your experience with WordPress security plugins? Tell us by leaving a comment below.