Unfortunately, due to the astounding popularity of WordPress, there are a lot of people, on a daily basis, trying to break it. As a standalone software application, it has the most hack attempts in the world on a daily basis. Not all are successful, but many are. This is why it is extremely important that you protect your WordPress installation from the ground up.
Sure, there are many ways to do this from a server administrator level right through to your WordPress installation itself. In my opinion, if there is a step out there that you can take to prevent unwanted access and intrusions into your blog then you should take it. Even if it is only limiting one particular way in. Sometimes all these hackers need is one way in and you’ve lost your whole blog – or worse.
Today we’re going to run through what I consider to be the top 5 WordPress security plugins out there at the moment. It’s a big field and new plugins are coming to fruition almost daily but for now this list is as good as any and will go some way towards protecting your setup and keeping those pesky hackers out of your files!
Custom Login URL
In a post about WordPress security, given the sheer number of options out there plugin-wise, it might seem a bit odd to start off with this obscure little plugin that simply changes the URL of your WordPress Admin login page. But with that said, if I was only allowed to take one step in order to secure my WordPress installation then changing the URL of the login page would be my step of choice.
The login page (the standard wp-login.php page) is the one that attracts the most hack attempts on a daily basis. Whether it’s a regular brute force style attack or something more complex such as code injections and such – it’s the login page that is target numero uno. If you take that page out of the equation then the hacker has absolutely no idea how to log in to your blog – or even try to. This is a huge plus in the security stakes and as you can probably tell, the custom login URL plugin is there to assist in this extremely simple yet important change.
WP Security Audit Log
As any web security professional will tell you, the key to securing any aspect of your site or server is being able to peruse the logs and learn exactly what is happening. A log file will not only give vital information about the person who is trying to break into your installation but it will also show how they’re doing it: what files they’re accessing, what they’re trying to pass in (if code injection) or simply which plugin or theme they’re attempting to exploit. The log file holds the keys to both identifying the culprit and also patching the hole that allowed them access in the first place.
WP Security Audit Log assists with this. In real time you can see exactly who is accessing what on your installation, both registered users and third parties. Each post that is edited, each file that is accessed and what scripts are being called as and when is reported in real time and flagged if the application spots something amiss. Sure, if you’re only running a small blog you probably don’t want to sit watching a real time log file, but if you’re prone to hack attacks, monitoring what is going on in real time could be a huge help.
iThemes Security
If you’re looking for a complete all round security solution for securing your installation then you need look no further than iThemes Security. At the time of writing it boasts of 30+ ways to secure WordPress, all from the luxury of one simple and easy to use control panel. Notable features include using Google reCAPTCHA on login, two factor authentication, live malware scanning and blocked login attempts.
As mentioned above, most hack attacks are brute force and target your login page. By setting up two factor authentication or even limiting the number of attempts which can be made you’re going a long way to securing your install. Other notable features include user agent banning (to get rid of those pesky seek and destroy bots), force SSL on admin (to make sure any admin functions are only accessible once logged in via SSL) and user action logging so you can see specifically what each user of your platform does. Ideal for big sites with lots of user accounts etc.
Wordfence
Wordfence claims to be the most widely used WordPress security plugin on the market and after trialing it I can see why. Whilst other plugins tend to require you to know what you’re doing, at least to some extent, Wordfence can be used by anyone from complete noob to security professional. Like with the other all in one plugins it allows you to stop brute force hack attempts, monitor what your users are up to on a task by task basis and ultimately lock down your install. But it also has a whole bunch of other features too. Notably it assists in the clean up and restoring of core files should you install it AFTER a hack has taken place.
Given most people only consider addressing their security issues once a hack has already taken place, I found this a particularly handy option.
All in One WP Security and Firewall
Like with the other “all in one” suites out there, the All in One WP Security and Firewall does what it says on the tin too. It offers everything you could possibly need – and more. It has a fantastic built in firewall option and has rule based blacklisting options too so if you were to preemptively notice an attack you could analyse the rules yourself and block it from happening again as opposed to just blacklisting IP addresses as you’re required to do with some other suites.
The login lock down features are as expected: you can change your login URL and limit login attempts etc., but you can also monitor failed attempts too so you can quickly identify people who are trying to break into your install. All in all it’s right up there and if you’re looking for an all in one solution to your WordPress security needs, this definitely needs consideration.
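The failed-attempt monitoring described here, and the log review discussed under WP Security Audit Log, can be illustrated with a short script; this is an added example, not code from the original post or from any of the plugins named. It assumes a web server access log in the common "combined" format and stock WordPress responses (200 on a failed login, 302 on success); the log lines, IP addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines in "combined" format; IPs are documentation ranges.
FMT = '{ip} - - [12/Mar/2024:10:{mm:02d}:{ss:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "ua"'
SAMPLE_LOG = "\n".join(
    # A burst: six failed logins from one address within 25 seconds.
    [FMT.format(ip="203.0.113.7", mm=0, ss=s, req="POST /wp-login.php", st=200)
     for s in range(0, 30, 5)]
    + [
        # A real user: one typo, then a successful login (302 redirect).
        FMT.format(ip="198.51.100.20", mm=1, ss=0, req="POST /wp-login.php", st=200),
        FMT.format(ip="198.51.100.20", mm=1, ss=9, req="POST /wp-login.php", st=302),
        # Merely loading the login form is not an attempt.
        FMT.format(ip="192.0.2.55", mm=2, ss=0, req="GET /wp-login.php", st=200),
        # Same source as the burst, but far outside the window.
        FMT.format(ip="203.0.113.7", mm=9, ss=0, req="POST /wp-login.php", st=200),
    ]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Return {ip: [timestamps]} of failed wp-login.php POSTs.
    Assumption: a failed login re-renders the form (200); success redirects (302)."""
    hits = defaultdict(list)
    # Lines that do not match the combined format are skipped.
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        ip, ts, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return hits

def flag_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failures inside any one window} for IPs at or over threshold."""
    flagged = {}
    for ip, times in failed_logins(log_text).items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Calling flag_bruteforce(SAMPLE_LOG) reports only the burst source; the user who mistyped once and the visitor who only loaded the form are not flagged.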
Hopefully the above can assist you in some way. You don’t need to use all of the plugins in tandem as there is a lot of overlap, with most of them covering the absolute basics. Plugins such as WP Security Audit Log are also designed for people who know what they’re doing and want to spot issues as they occur with a view to resolving them. If you simply want a hands off security solution that you can just install and activate with no additional input then you’re going to be better off choosing something more generic such as Wordfence security.