Is WordPress Secure?

WordPress is undeniably and by far the most popular CMS on the planet. It powers 31% of the internet and holds a 59% market share among CMSs, so security is always a concern, especially for websites that run a shopping cart on the platform. Among all CMSs, WordPress is the most attacked and the most hacked. Surprised? This fact does not mean that WordPress is less secure than any other CMS; it is not. Being the most popular CMS gives WordPress a bigger target on its back: major companies use the software, and there are a lot of bad actors looking to profit from the vulnerabilities that theme and plugin developers fail to patch.

WordPress at its core is very secure in its latest stable version. Which makes you wonder: if WordPress is secure, then how does it get hacked? According to data analysis from Sucuri, 39% of all WordPress hacks happen on an outdated installation. Another interesting part of their analysis reported that 71% of hacks were done through backdoors. This is not a result of the WordPress core but of themes and plugins that are not properly maintained or that were obtained from non-reputable sources, usually ‘nulled’ software.

Therefore, it is safe to say that WordPress security now extends beyond WordPress itself to the community as a whole. There are a lot of things that we can do to protect our websites, some more technical than others. We will look at 7 reputable security plugins that we can use to protect our websites and our businesses.

Table of Contents

1. Sucuri Security

2. Wordfence

3. BulletProof Security

4. iThemes Security (formerly Better WP Security)

5. All in One Security and Firewall

6. Quttera Web Malware Scanner

7. Defender Security Monitoring and Hack Protection

Plugins to Avoid For a Safer Site

1. Sucuri Security


Sucuri is a company that offers website security services and not only for WordPress specific websites. However, they offer a free WordPress plugin for all WordPress users who want to protect their website. Sucuri offers features such as:

  • Security Activity Auditing – All activity is logged in Sucuri’s Cloud for safekeeping (every change is recorded and kept away from the reach of any hacker).
  • File Integrity Monitoring – The “current state” of your site is compared to a “known good” and if it differs then you have a problem (A known good of all the plugins, themes and directories will be created automatically when the plugin is installed).
  • Remote Malware Scanning – Powered by SiteCheck. Learn more about it using this link
  • Blacklist Monitoring – Shows if the blacklisting entities such as Google, Norton, Yandex and other major companies flag your site for security issues. (Sucuri will help your site to get off the blacklist)
  • Effective Security Hardening
  • Post-Hack Security Actions – A three-step procedure to follow if your site gets hacked.
  • Security Notifications – Real-time updates of your website sent to you directly (you can set the security events that you would like to know about or not)

Premium Features

  • Website Firewall – Enterprise grade firewall protection. (Also comes with performance optimization, redundancy, and advanced access control)

Price

You can purchase using this link

2. Wordfence


Wordfence has a large team of people dedicated to WordPress security. It is the most popular WordPress firewall plugin. In addition to being fully supported, Wordfence uses caching technology to ensure that your site’s speed is not affected when it is installed. Wordfence carries a variety of features, as shown below.

  • Protection from brute force attacks – Limits login attempts and forces strong passwords
  • Integrated malware scanner – Blocks requests that include malicious code or content. (Checks core files, themes, and plugins for bad URLs, backdoors, spam and code injections)
  • Integrity Comparison – Compares themes, plugins and core files against the WordPress.org repository (Reports changes back to you)
  • File Repair – Overwrites changed files with the known good original version (Lets you delete any files that don’t belong from the Wordfence interface)
  • Security checks for known WordPress issues (Lets you know when a plugin is no longer supported)
  • Free to use for unlimited sites
  • Live Monitoring of hack attempts (Time of day, amount of time spent, origin and IP address based on IP range, Hostname, User agent and referrer)

Premium Features

  • Real-time firewall rule and malware updates (Delayed for 30 days in the free version)
  • Real-time IP blacklist tool from most malicious IPs (Reduces Loading speed of website as well)
  • Two-factor authentication (One of the most secure technologies for website security)
  • Country Blocking

Price

  • 1 website – $99.00 annually = $8.25 Monthly
  • 2-4 websites – $89.10 annually per site = $7.43 Monthly
  • 5-9 websites – $84.15 annually per site = $7.01 Monthly
  • 10-14 websites – $79.20 annually per site = $6.60 Monthly
  • 14+ websites – $74.25 annually per site = $6.19 Monthly

You can Purchase Here

3. BulletProof Security


BulletProof Security is an easy-to-use and reliable security plugin that sets up in only one click. The developers also offer bonus custom code and a ton of support to help protect your website even further. The features include:

  • Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
  • MScan – Malware Scanner
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders – (Detects hidden folders that may contain hacker files)
  • Login Security & Monitoring – Set Maximum user attempts
  • JTC Anti-Spam|Anti-Hacker
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Table Prefix Changer
  • Security Logging
  • HTTP Error Logging
  • FrontEnd|BackEnd Maintenance Mode
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info

Pro Features

  • AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
  • Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
  • Real-time File Monitor (IDPS)
  • Intrusion Detection System (IDS)
  • Data comparison tool
  • Database Backups, Status & Info: (extensive database status & info)
  • Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updating in Real-time
  • Uploads Folder Anti-Exploit Guard (UAEG)
  • Custom php.ini Website Security
  • Login Security & Monitoring w/Dashboard Alerting|Status Display & additional options/features
  • PHP Error Logging
  • DB Table Prefix Changer
  • S-Monitor: Monitoring & Alerting Core
  • Pro Tools: 16 mini-plugins
  • Heads Up Dashboard Status Display

Price

$69.95 one time purchase for unlimited installations and free lifetime security updates. Purchase Here

4. iThemes Security (formerly Better WP Security)


iThemes Security has over 30 different methods of securing your website. The team behind this plugin develops themes, offers training and maintains other plugins such as BackupBuddy. Here’s a list of a few of the features available:

Free Features

  • One click security check (enabling: ban user, database backup, local brute force protection, two-factor authentication, strong passwords, network brute-force protection, user logging, and WordPress tweaks)
  • Ban specific IP addresses
  • 404 detection
  • Hide login & Admin URL
  • Change WordPress Salt and keys
  • Reduce Comment spam
  • Away mode – Disable dashboard availability for certain periods of time (Useful if you don’t want persons editing your site after hours.)
  • Database backups – Full or partial (Schedule backups frequency and files to backup)
  • File change detection – Categorizes files into “chunks” and lets you choose and exclude files. You get notified by email and/or on your dashboard; you can disable the notifications and manually check the files in the log (Hackers normally change files if they break into your site)
  • Disable Live Write editor – For advanced users, to block attempts that use these techniques (note that some plugins may use this technique, so test and ensure that all things are functional once this feature is enabled)
  • Removes RSD header – Really Simple Discovery (RSD) makes services discoverable by certain client software.
  • Rename Admin Account
  • Change WordPress database prefix – The default prefix is ‘wp’ (Always backup before using this tool)
  • Changing wp-content path – By default WordPress saves the contents of your site in a folder called wp-content which is an easy target for hackers. Changing this folder is irreversible and a backup should always be done before using this feature. (may use more system memory)
  • Force SSL for any post, page and admin page – Secure Sockets Layer (SSL) is used to encrypt data between your server/host and a visitor on your site. (Full site, per content or specific pages on your website)
  • Local, Network and XML-RPC brute-force protection
  • Security Logs – Logs user action
  • Email Notifications and digest emails
  • Custom lockout messages
  • Strong password enforcement
  • File permission check
  • Malware Scan
  • iThemes Sync – Manage multiple websites from one dashboard
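Sucuri’s file integrity monitoring, Wordfence’s integrity comparison and iThemes’ file change detection all rest on the same mechanism: hash every file, store the hashes as a known good, and diff later runs against it. The block below is an added Python illustration of that mechanism, not any of these plugins’ code; it builds a constructed wp-content tree in a temporary directory, takes a local baseline (the plugins compare against WordPress.org’s copies instead), and reports files added, removed and modified since.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def save_baseline(root, baseline_file):
    """Record the 'known good' state; take it right after a clean install or update."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=1))

def compare_to_baseline(root, baseline_file):
    """Return files added, removed or modified since the baseline was saved."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = hash_tree(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }

def demo():
    """Constructed wp-content tree in a temp dir (not a real site) showing all three change types."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp-content"
        (site / "plugins" / "example").mkdir(parents=True)
        (site / "plugins" / "example" / "example.php").write_text("<?php // plugin\n")
        (site / "themes" / "child").mkdir(parents=True)
        (site / "themes" / "child" / "functions.php").write_text("<?php // theme\n")
        baseline_file = Path(tmp) / "baseline.json"   # keep the real one outside the web root
        save_baseline(site, baseline_file)
        # Simulate the changes a compromise leaves behind: an edited theme file,
        # a PHP file dropped into uploads, and a plugin file deleted.
        (site / "themes" / "child" / "functions.php").write_text("<?php // theme\n// injected\n")
        (site / "uploads").mkdir()
        (site / "uploads" / "dropped.php").write_text("<?php // unexpected\n")
        (site / "plugins" / "example" / "example.php").unlink()
        return compare_to_baseline(site, baseline_file)
```

A baseline recorded from an already compromised site is a known bad, not a known good, so take it immediately after a clean install and store it where a web-shell cannot rewrite it.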

Pro Features

  • Dashboard Widget – Gives access to features within the plugin without going into the plugin’s settings directly
  • Google reCAPTCHA integration
  • Two-factor authentication
  • Settings import/export – For use on multiple sites
  • WordPress core online comparison – Compares file changes to WordPress.org files to see if files are malicious.
  • Scheduled malware scanning
  • User action logging
  • Password Expiration
  • Temporary privilege escalation
  • Private ticketed support
  • WordPress Security Checks – To see which users have weak security measures set up

Price

  • Gold – Unlimited Sites, 1 year ticketed support, 1-year plugin updates, 10 iThemes Sync Sites – $199
  • Freelancer – 10 Sites, 1 year ticketed support, 1-year plugin updates, 10 iThemes Sync Sites – $127
  • Blogger – 2 Sites, 1 year ticketed support, 1-year plugin updates, 10 iThemes Sync Sites – $80

Purchase Here

5. All In One WP Security and Firewall


This plugin is a feature-rich security tool created and maintained by an expert team that manages various other plugins. The plugin groups its settings into basic, intermediate and advanced categories, which lets you enable security features in stages without breaking your website. Here’s a list of some of the features:

  • User account security – detects if users have default names, identical names and weak passwords
  • Brute force protection
  • Lock and Unlock User access
  • Force Logout Users
  • Failed Login attempt tracking
  • Google reCAPTCHA
  • Whitelist IP addresses
  • User Logging
  • Change default ‘wp’ prefix to a custom one
  • Schedule automatic backups
  • Check and change unsecured folder permissions
  • PHP code protection
  • Prevent people from accessing readme.html, license.txt, and wp-config-sample.php.
  • Ban specific IPs
  • Firewall functionality – Rules that stop malicious scripts before reaching your WordPress Core (block fake bots, disable tracking etc...)
  • Security Scanner
  • Comment spam security
  • Ability to disable right click, copy or text selection from your pages
  • Remove WordPress Generator Meta and WordPress version from your site
  • Ability to lock down site
  • Export and Import Settings

6. Quttera Web Malware Scanner


Quttera is a free, open-source malware scanner plugin. It is constantly updated by the Quttera team, which is also responsible for ThreatSign, a service offering premium features such as malware removal, audits and malware reverse engineering. Let’s take a look at what this plugin has to offer.

  • One-Click Scan
  • Unknown Malware Detection
  • External Links Detection
  • Blacklist Status
  • No Signatures or Patterns Updates
  • Artificial Intelligence Scan Engine
  • Cloud Technology
  • Detailed Investigation Report
  • Investigation of WordPress files
  • Detection of files infected by PHP malware
  • Detection of injected PHP shells


7. Defender Security, Monitoring and Hack Protection


Defender is a security plugin developed by the WPMU DEV team, which hosts a large number of plugins in its fleet. This plugin offers one-click, easy-to-set-up security features that anyone can use. Let’s take a look at them below.

  • Disable trackbacks and pingbacks
  • Core and server update recommendations
  • Change default database ‘wp’ prefix
  • Disable file editor
  • Hide error reporting
  • Update security keys
  • Prevent information disclosure
  • Prevent PHP execution

Conclusion

WordPress will always improve its technology, and as a result there will always be hackers trying to break it. It is important to stay secure with plugins that protect your website rather than leaving it open to a hacker’s intentions. Whether free or paid, any security is better than none. There are a lot of free plugins that, when combined, can give you all the protection you need. The choice is yours, depending on your budget.
