I’ve written many WordPress security posts for JournalXtra. WordPress security plugins come and go like the day and night. Like nature’s evolution of man, developers interbreed features of old plugins to make superior all-in-one WP security solutions. With the evolution of new plugins the old plugins wither into antiquity, eventually to become a WordPress archaeologist’s treasure.
As ultimate as ultimate goes, this is the ultimate guide to WordPress security plugins.
All of these plugins are complementary: they can be installed on the same site and used together without any special configuration.
Basic WordPress security
The key elements to keeping a site secure are:
- Server security
- Up to date software
- Removal of redundant software
- Security monitoring
- Regular site maintenance
Use a good host that takes both server security and server software maintenance seriously. I recommend Namecheap. Their servers continuously scan for malware, delete infected files and then send the server admin a report.
Update WordPress, plugins and themes. Read change logs before running updates. Change logs tell us about feature enhancements and whether vulnerabilities have been patched. If a vulnerability has been patched, scan your site to check that it wasn’t compromised before the fix was applied.
Delete plugins and themes that are not in use. The more software there is installed on a website, the more chance there is that vulnerable scripts exist.
Check for abandonware. Use the Look-See scanner (detailed below) to ensure your plugins and themes are still being supported by developers. Abandonware is more likely to contain vulnerable scripts than is mature software that is in constant development.
Use plugins like Wordfence (detailed below) to regularly scan for malware and hack attacks.
Log into your sites regularly to confirm they are running smoothly, that software is up to date and to remove spam.
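The inventory part of that routine (find what is inactive, find what has a pending update, verify what is left against clean copies) can be scripted with WP-CLI. The script below is an added example and is not code from the original post or from any of the plugins it covers. It assumes WP-CLI (`wp`, https://wp-cli.org/) is installed and the script is run from the WordPress root; `triage_inventory` and its wording are this example’s own helper, and the only WP-CLI commands used are `plugin list`, `theme list`, `plugin delete`, `core verify-checksums` and `plugin verify-checksums`.

```shell
#!/bin/sh
# Added example (not from the original post): scripting the "update, remove
# what you don't use, verify what is left" routine with WP-CLI.
# Assumes `wp` (https://wp-cli.org/) is installed and the script is run from
# the WordPress root. `triage_inventory` is this example's own helper.
set -eu

# Read `wp plugin list --format=csv --fields=name,status,update` (or the
# `wp theme list` equivalent) from stdin and flag what needs attention:
# inactive entries are deletion candidates, "available" means an update is
# pending and its change log should be read before it is applied.
triage_inventory() {
    awk -F, 'NR > 1 {
        if ($2 == "inactive")  print $1 ": inactive, delete it if it is not needed"
        if ($3 == "available") print $1 ": update available, read its change log"
    }'
}

# Remove the files of every inactive plugin. Themes are left to a manual
# pass because a child theme's parent reports status "parent", not "active".
delete_inactive_plugins() {
    wp plugin list --status=inactive --field=name | while read -r name; do
        wp plugin delete "$name"
    done
}

# Compare the installed core files and every wordpress.org plugin against
# the checksums published for their versions; modified, missing and added
# files are reported. This is the same "known clean version" comparison
# that file-integrity scanners make, done from the command line.
verify_checksums() {
    wp core verify-checksums
    wp plugin verify-checksums --all
}

# Only run the live commands when WP-CLI is actually present.
if command -v wp >/dev/null 2>&1; then
    wp plugin list --format=csv --fields=name,status,update | triage_inventory
    wp theme list --format=csv --fields=name,status,update | triage_inventory
    verify_checksums
fi
```

Run it as a cron job and mail yourself the output; `delete_inactive_plugins` is deliberately not called automatically, because an inactive plugin is sometimes one you are about to need (a maintenance-mode or migration plugin, say), so the deletion decision stays with you.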
That said, we can now look at the security plugins.
Defence
Security plugins shown here defend WordPress sites from hackers and bots, and detect malicious activity and malware infections.
Wordfence
Wordfence is our favourite security plugin and has been since its initial release in 2011 following Mark Maunder’s discovery of the TimThumb vulnerability. Mark rewrote the TimThumb script, then developed Wordfence to secure WP sites from hackers and to detect and remove malware from infected sites. Mark is a true WordPress hero!
Wordfence is a mature and feature rich plugin.
Overview
- Scans all files in a WordPress installation for malware.
- Optionally scans for malware in all files outside of a WordPress site’s directory space.
- Compares installed WordPress, plugin and theme files against known-clean versions of them.
- Warns about missing, edited and out of date WordPress, plugin and theme files.
- Lets admins replace edited files with clean versions with the click of a button.
- Scans the WordPress database for SQL injections.
- Checks page URLs and URLs in content against Google’s database of unsafe URLs.
- Blocks malicious bots and fake crawlers.
- Detects and blocks hack attacks.
- Protects against spam and more.
- Runs its file scans on a schedule.
Installation
- Install Wordfence using the WordPress plugin installer i.e. Dashboard > Plugins > Add New.
- Activate the plugin
Configuration
The easy way to configure Wordfence is to import my settings:
- Go to Dashboard > Wordfence > Options
- Scroll to the bottom of the page
- Paste the following code into the Import field
62cb93cbf92991c17beace17068c98aaf532b8de32ad91b9df8e985736d9be376dd843534bb4c6138bbff4f71c1029b095e7fdc1fb0366cab0b3f48c98825c43
- Click the Import button
- Check the settings and add an email address for reports to be sent to.
Notes
Network-activate Wordfence when using it on a WordPress multisite install.
More information about Wordfence is available here.
Jetpack Protect
This is a security feature provided by Jetpack. There was a time when I complained about Jetpack. Nowadays I serenade its virtues. Jetpack has matured a great deal since Automattic first released it.
Overview
- Protects against brute force attacks
- Protects against botnets
- Protects login forms
Installation
Install Jetpack and enable the Jetpack Protect module.
Configuration
Nothing to do. Works out of the box.
Malware detection
These plugins are specific to
Look-See
Released in 2012, Look-See is one year younger than Wordfence. It is a file-based malware scanner. Its scans are more thorough than those performed by Wordfence, but they also produce more false positives.
Use Look-See to perform manual security scans and to regularly check installed plugins against the WPScan Vulnerabilities Database.
Overview
- Verifies the integrity of core WordPress files.
- Scans wp-admin and wp-includes for unexpected files.
- Scans wp-content/uploads for hidden PHP scripts.
- Identifies file changes since previous scan.
- Locates files left over from older versions of WordPress (3.6+).
- Analyses WordPress configurations for oversights and vulnerabilities.
- Checks uploaded themes and plugins against the WPScan Vulnerabilities Database.
- Lists installed plugins and themes along with their known vulnerabilities.
- Searches files for common malware code.
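The file-level checks in the two overviews above (Wordfence’s comparison of installed files against a known-clean baseline and its report of missing or edited files; Look-See’s scan for unexpected files, changes since the previous scan, hidden PHP under wp-content/uploads and common malware code) can be reproduced with coreutils, which is handy for cross-checking a plugin’s findings from a shell or from a server the plugin cannot see. The script below is an added example and is not code from either plugin. It assumes GNU find, sha256sum, awk and grep, a WordPress root passed as `<site_dir>` and a manifest file kept outside the web root; its three malware patterns are a small hand-picked set, not either plugin’s signature list, and the `MODIFIED`/`MISSING`/`NEW` labels are this example’s own.

```shell
#!/bin/sh
# Added example, not Wordfence's or Look-See's code: the file-level checks
# both plugins describe, done with coreutils. Assumes GNU find/sha256sum/
# awk/grep; <site_dir> is the WordPress root; the manifest lives OUTSIDE it.
set -eu

# Record a sha256 manifest of every file under the site. An attacker who can
# write to the web root could also rewrite a manifest stored there, so keep it
# elsewhere (and ideally a copy off the server).
baseline() {                                   # baseline <site_dir> <manifest>
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$2"
}

# Compare two manifests and report MODIFIED, MISSING and NEW paths. The path
# starts at column 67 of a sha256sum line (64 hex digits plus two spaces),
# which keeps paths containing spaces intact.
integrity_diff() {                             # integrity_diff <old> <new>
    awk '{ h = $1; p = substr($0, 67) }
         FILENAME == ARGV[1] { old[p] = h; next }
         { if (!(p in old)) print "NEW " p
           else if (old[p] != h) print "MODIFIED " p
           seen[p] = 1 }
         END { for (p in old) if (!(p in seen)) print "MISSING " p }' "$1" "$2" | sort
}

# WordPress never needs executable code under wp-content/uploads. Flag
# anything with a PHP-like extension anywhere in the name (shell.php.jpg is
# a classic double-extension trick) and image files that begin like PHP.
uploads_php() {                                # uploads_php <site_dir>
    dir=$1/wp-content/uploads
    [ -d "$dir" ] || return 0
    {
        find "$dir" -type f \( -iname '*.php*' -o -iname '*.phtml' \)
        grep -rlI --include='*.jpg' --include='*.jpeg' --include='*.png' \
                  --include='*.gif' '<?php' "$dir" || true
    } | sort -u
}

# Constructs that appear in most PHP backdoors: eval over an obfuscated
# string, the (removed in PHP 7) preg_replace /e modifier, and calling
# request data as a function. A hit is a reason to read the file, not proof
# of infection; legitimate code occasionally uses these too.
malware_strings() {                            # malware_strings <site_dir>
    grep -rlIE --include='*.php' \
        -e 'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        -e 'preg_replace *\([^,]*/e' \
        -e '\$_(POST|GET|REQUEST|COOKIE)\[[^]]*\] *\(' \
        "$1" || true
}

# Usage: sh wp-filecheck.sh baseline <site_dir> <manifest>
#        sh wp-filecheck.sh scan     <site_dir> <manifest>
case ${1:-} in
    baseline) baseline "$2" "$3" ;;
    scan)
        now=$(mktemp)
        baseline "$2" "$now"
        integrity_diff "$3" "$now"
        rm -f "$now"
        uploads_php "$2"     | sed 's/^/UPLOADS-PHP /'
        malware_strings "$2" | sed 's/^/SUSPECT /'
        ;;
esac
```

Take the baseline immediately after a clean install or after replacing files from clean copies, re-baseline after every update you have reviewed, and treat every `NEW` file outside wp-content/uploads and every `MODIFIED` core file as something to explain before you move on. The manifest only proves what changed, not whether the change was malicious, which is exactly the limit the plugins above share.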
Installation
Install with the native WordPress plugin installer.
Configuration
None required.
Run the plugin from Tools > Look See Security Scanner.
Notes
Cannot be used in multisite configurations.
Infection removal
Wordfence and Look-See will help you block attacks and find infections, and they will even help you replace tampered files, but they won’t fully clean up an infected site.
Malware removal requires reinstalling plugins, themes and the WordPress core files from clean copies, checking the database for injected content, changing passwords and usernames, and inspecting the whole of the website’s server space, not just the WordPress directory.
I’m leaving post-infection malware removal advice for another WordPress security post. If you need a malware-infected site to be cleaned up, contact me and I will help you.
Over to you!
What security tips do you have to share? What is your experience with WordPress security plugins? Tell us by leaving a comment below.