I’ve written many WordPress security posts for JournalXtra. WordPress security plugins come and go like day and night. Like nature’s evolution of man, developers interbreed features of old plugins to make superior all-in-one WP security solutions. With the evolution of new plugins the old plugins wither into antiquity, eventually to become a WordPress archaeologist’s treasure.
As ultimate as ultimate goes, this is the ultimate guide to WordPress security plugins.
All of these plugins are complementary. They can be installed on the same site and used together without any special configuration to get them working in harmony.
Basic WordPress security
The key elements to keeping a site secure are:
- Server security
- Up to date software
- Removal of redundant software
- Security monitoring
- Regular site maintenance
Use a good host that takes both server security and server software maintenance seriously. I recommend Namecheap. Their servers continuously scan for malware, delete infected files and then send the server admin a report.
Update WordPress, plugins and themes. Read change logs before running updates. Change logs tell us about feature enhancements and whether vulnerabilities have been patched. If a vulnerability has been patched, scan your site to ensure it hasn’t already been compromised.
Delete plugins and themes that are not in use. The more software there is installed in a website the more chance there is that vulnerable scripts exist.
Check for abandonware. Use the Look-See scanner (detailed below) to ensure your plugins and themes are still being supported by their developers. Abandonware is more likely to contain vulnerable scripts than mature software that is in constant development.
Use plugins like Wordfence (detailed below) to regularly scan for malware and hack attacks.
Log into your sites regularly to confirm they are running smoothly, that software is up to date, and to remove spam.
That said, we can now look at the security plugins.
Defence
Security plugins shown here defend WordPress sites from hackers and bots, and detect malicious activity and malware infections.
Wordfence
Wordfence is our favourite security plugin and has been since its initial release in 2011 following Mark Maunder’s discovery of the TimThumb vulnerability. Mark rewrote the TimThumb script, then developed Wordfence to secure WP sites from hackers and to detect and remove malware from infected sites. Mark is a true WordPress hero!
Wordfence is a mature and feature-rich plugin.
Overview
- Scans all files in a WordPress installation for malware.
- Optionally scans for malware in all files outside of a WordPress site’s directory space.
- Compares installed WordPress, plugin and theme files against known-clean versions of them.
- Warns about missing, edited and out of date WordPress, plugin and theme files.
- Lets admins replace edited files with clean versions with the click of a button.
- Scans the WordPress database for SQL injections.
- Checks page URLs and URLs in content against Google’s database of unsafe URLs.
- Blocks malicious bots and fake crawlers.
- Detects and blocks hack attacks.
- Protects against spam and more.
- Regularly scans for malicious files.
Installation
- Install Wordfence using the WordPress plugin installer i.e. Dashboard > Plugins > Add New.
- Activate the plugin.
Configuration
Configure Wordfence the easy way by using my default settings:
- Go to Dashboard > Wordfence > Options
- Scroll to the bottom of the page
- Paste the following code into the Import field
62cb93cbf92991c17beace17068c98aaf532b8de32ad91b9df8e985736d9be376dd843534bb4c6138bbff4f71c1029b095e7fdc1fb0366cab0b3f48c98825c43
- Click the Import button
- Check the settings and add an email address for reports to be sent to.
Notes
Enable Wordfence network wide when used in WordPress multisite.
More information about Wordfence is available here.
Jetpack Protect
This is a security feature provided by Jetpack. There was a time when I complained about Jetpack. Nowadays I sing its praises. Jetpack has matured a great deal since Automattic first released it.
Overview
- Protects against brute force attacks
- Protects against botnets
- Protects login forms
Installation
Install Jetpack and enable the Jetpack Protect module.
Configuration
Nothing to do. Works out of the box.
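To show what brute force protection of the kind Jetpack Protect provides actually has to do, here is an added example (my own illustration, not Jetpack’s code): a sliding-window login throttle. Each failed login is recorded per client address; once a client racks up MAX_FAILURES failures inside WINDOW_SECONDS it is locked out for LOCKOUT_SECONDS and further attempts are rejected without even checking the password. A successful login clears the client’s history. The thresholds and the attempt log are constructed values chosen for illustration.

```python
"""Sliding-window login throttle (added example, not part of Jetpack or the post)."""
from collections import defaultdict, deque

MAX_FAILURES = 5        # failures allowed inside the window (assumed value)
WINDOW_SECONDS = 300    # length of the sliding window (assumed value)
LOCKOUT_SECONDS = 900   # how long a client stays blocked after tripping the limit


class LoginThrottle:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time at which the lockout expires

    def _prune(self, ip, now):
        """Drop failures that have aged out of the sliding window."""
        q = self.failures[ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_blocked(self, ip, now):
        """True while a lockout is in force; expired lockouts are cleared."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            return False
        return True

    def record(self, ip, success, now):
        """Record one attempt and return the decision:
        'blocked'  - rejected because the client is locked out
        'ok'       - successful login accepted, failure history cleared
        'fail'     - failed login, still under the limit
        'lockout'  - this failure tripped the limit; client is now locked out
        """
        if self.is_blocked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)
            return "ok"
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            self.failures.pop(ip, None)
            return "lockout"
        return "fail"


def replay(events):
    """Feed (timestamp, ip, success) events through a throttle; return decisions."""
    throttle = LoginThrottle()
    return [(ts, ip, throttle.record(ip, ok, ts)) for ts, ip, ok in events]


# Constructed attempt log: one client hammering the login form, one legitimate user.
SAMPLE_EVENTS = [
    (0,   "203.0.113.9", False),
    (10,  "203.0.113.9", False),
    (20,  "198.51.100.4", True),
    (30,  "203.0.113.9", False),
    (40,  "203.0.113.9", False),
    (50,  "203.0.113.9", False),   # fifth failure within 50 s -> lockout
    (60,  "203.0.113.9", True),    # right password this time, but still blocked
    (960, "203.0.113.9", False),   # lockout expired; counting starts afresh
]

if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE_EVENTS):
        print(f"t={ts:4d} {ip:14s} {decision}")
```

The point of the window is that slow attackers who spread attempts out are not locked out forever, while the lockout means a correct guess made during the block is still refused; a real plugin would additionally key on the username being tried and keep the state in the database or a shared cache so that every web server sees the same counts.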
Malware detection
These plugins are specific to
Look-See
Released in 2012, Look-See is one year younger than Wordfence. It is a file malware scanner. Its malware scans are more robust than those performed by Wordfence, but Look-See’s scans produce more false positives.
Use Look-See to perform manual security scans and to regularly check installed plugins against the WPScan Vulnerabilities Database.
Overview
- Verifies the integrity of core WordPress files.
- Scans wp-admin and wp-includes for unexpected files.
- Scans wp-content/uploads for hidden PHP scripts.
- Identifies file changes since previous scan.
- Locates files left over from older versions of WordPress (3.6+).
- Analyses WordPress configurations for oversights and vulnerabilities.
- Checks uploaded themes and plugins against the WPScan Vulnerabilities Database.
- Lists installed plugins and themes along with their known vulnerabilities.
- Scans files for common malware code.
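The file checks in the Wordfence and Look-See overviews above (comparing installed files against a known-clean baseline, reporting missing, edited and new files, flagging PHP in wp-content/uploads, and matching common malware code) all rest on the same idea. This added example, my own illustration and not code from either plugin, shows that idea in miniature: it hashes every file under a site root into a manifest, diffs a later manifest against it, and runs two constructed malware signatures over the files. The site tree, the tampering and the signatures are all constructed inside a temporary directory, so it runs offline.

```python
"""Minimal WordPress file-integrity scanner (added example, not Wordfence or Look-See code)."""
import hashlib
import os
import re
import tempfile

# Constructed signatures for illustration; real scanners ship far larger sets.
SUSPICIOUS_PATTERNS = [
    re.compile(rb"eval\s*\(\s*base64_decode\s*\("),          # obfuscated code execution
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),  # /e modifier, executes code in old PHP
]


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Return sorted lists of missing, modified and added paths between two manifests."""
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"missing": missing, "modified": modified, "added": added}


def php_in_uploads(manifest):
    """wp-content/uploads should hold media only; any PHP there is suspect."""
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/")
                  and p.lower().endswith((".php", ".phtml", ".php5")))


def scan_for_patterns(root, manifest):
    """Return {path: [matched pattern strings]} for files hitting a suspicious pattern."""
    hits = {}
    for rel in manifest:
        with open(os.path.join(root, rel), "rb") as fh:
            data = fh.read()
        matched = [pat.pattern.decode() for pat in SUSPICIOUS_PATTERNS if pat.search(data)]
        if matched:
            hits[rel] = matched
    return hits


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(content)


def demo():
    """Build a constructed site, take a baseline, tamper with it, then rescan."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    # Constructed clean site: one core file, one plugin file, one uploaded image.
    _write(root, "wp-includes/version.php", b"<?php $wp_version = '4.0';\n")
    _write(root, "wp-content/plugins/hello/hello.php", b"<?php // hello\n")
    _write(root, "wp-content/uploads/2014/01/photo.jpg", b"\xff\xd8\xff\xe0fake-jpeg")
    baseline = build_manifest(root)

    # Simulated compromise: core file edited, plugin file deleted, stray PHP in uploads.
    _write(root, "wp-includes/version.php",
           b"<?php $wp_version = '4.0'; eval(base64_decode('aGVsbG8='));\n")
    os.remove(os.path.join(root, "wp-content/plugins/hello/hello.php"))
    _write(root, "wp-content/uploads/2014/01/cache.php", b"<?php echo 1;\n")

    current = build_manifest(root)
    report = compare_manifests(baseline, current)
    report["php_in_uploads"] = php_in_uploads(current)
    report["pattern_hits"] = scan_for_patterns(root, current)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run against a real site you would take the baseline straight after a clean install or update and keep it off the web server, since an attacker who can edit files can edit a manifest stored beside them; the plugins above get their clean hashes from the WordPress.org repository for the same reason. Expect false positives from the pattern scan, exactly as the post notes for Look-See: an integrity mismatch tells you a file changed, not that the change was malicious.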
Installation
Install with the native WordPress plugin installer.
Configuration
None required.
Use the plugin by going to Tools > Look See Security Scanner.
Notes
Cannot be used in multisite configurations.
Infection removal
Wordfence and Look-See will help you block attacks and find infections; they will even help you replace malicious files, but they won’t fully clean up an infected site.
Malware removal requires the reinstallation of plugins, themes and WordPress core files, a database integrity check, password and username changes and a full inspection of the website’s server space.
I’m leaving post infection malware removal advice for another WordPress security post. If you need a malware infected site to be cleaned up, contact me and I will help you.
Over to you!
What security tips do you have to share? What is your experience with WordPress security plugins? Tell us by leaving a comment below.
Do you use both side by side?
I use both Wordfence and Better WP together. The only parts of Better WP I use are the Ban List and the security Tweaks. Of the security tweaks, depending on the plugins installed in a site, I might or might not enable query string filtering and long URL filtering.
When loading Better WP security do you auto setup or configure manually?
Manual. I use Better WP and Wordfence together so only use Better WP to add the blocklist, change the database prefix (when needed), change the admin username and ID (when needed), to hide admin areas, to change the name of wp-content (requires help of a 3rd party script in some cases) and to apply the tweaks.
Answering your accusation of copying, I copied two of your comments to save them and read them later so I can configure both security plugins on the same blog ;)
So, thanks for your comments but no, I have not copied your post :D
Regards
Oh, so you’re to blame for all the notifications I get! ;)
I have a plugin installed called CCC which emails me every 5 minutes or so about snippets being copied for later use. It’s great: I know my visitor stats are of real people who find my content useful. The other, the one that creates the pop up, is called Copy Control (from Code Canyon). It’s a nice little plugin.
Thanks for visiting, Javier.
I see, nice plugin anyway. At least it is useful to incentivise comments or sharing, and also you can know if anybody copies something; I hope for a good reason, like me in that case :)
If you want to protect yet more your articles you can take a look at safecreative (dot) org ;)
Regards
I too am an advocate of Wordfence. It is the security plugin that I recommend. It really does protect a website from hackers. It is a life saver for any website owner. Malware continues to be a big problem as hacking is becoming more popular for these cybercriminals.
I’ve been testing Cerber in a couple of sites, using it alongside Wordfence. It has a couple of features that WF lacks, such as an option to move the login URL and to disable wp-login.php completely. It is worth a look if you want/need those extra security features.
It is a shame so many people derive entertainment through hacking people’s websites.