WordPress used to be limited to posting blog content such as posts, photos and videos. It has since become a Content Management System whose plugins can turn a WordPress site into a forum, an LMS, a sales funnel or an e-commerce site, all with little to no programming knowledge. Probably the best part about WordPress is that it is open-source. While hosting providers like GoDaddy and Drupal offer WordPress hosting, the software itself can be downloaded and installed on your own hosting. However, hosting it yourself has consequences, especially for security. Hosting providers like GoDaddy offer security protection, but it comes with a hefty fee. In this article we will cover some practices for keeping your WordPress site secure, as well as some recommended plugins that make implementing them easier and faster.
PHP (Hypertext Preprocessor) is the programming language WordPress is built in, and nearly every function and plugin on your WordPress site runs as PHP. The PHP version depends on what is installed on your hosting server. With hosting providers like GoDaddy, it can be changed on the settings page of a hosted WordPress site.
PHP and WordPress are open-source, meaning they are maintained by the open-source community. Because of this and PHP's popularity, both are targets for attackers. Running an up-to-date PHP version ensures that known vulnerabilities in the interpreter are patched before WordPress executes any code on top of it. It also improves the performance of your WordPress site.
Update your WordPress version as well when you update PHP. Just as with PHP, every well-known vulnerability is fixed in a new release, keeping your WordPress site secure. Automatic updates can be turned on in the settings of your WordPress site so that you always run the latest version. The same principle applies to the plugins and themes you use.
A firewall blocks access from users performing suspicious activity on your website. The same applies to a firewall on your personal computer, so that attackers cannot reach your website through it. Keep in mind, however, that some firewalls run only at the WordPress level. It is better to install one that also monitors at the Apache level, so the firewall blocks the attacker before any code on the WordPress site executes.
SSL (today, TLS) protects your site by encrypting all data passed between the client and the server. SSL certificates can be installed manually using a service like Let's Encrypt, or automatically with plugins. Hosting providers like GoDaddy also offer SSL certificates for your GoDaddy WordPress site.
Limiting login attempts prevents a brute-force attack, where the attacker tries to log in by guessing the username or password. reCAPTCHA can also be used so the site can check whether the user trying to log in to the dashboard is a human and not a bot. reCAPTCHA is a free service offered by Google.
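The login limiting described above, as an added example that is not code from the article or from any plugin it reviews: a must-use plugin that counts failed logins per client IP with core WordPress hooks and transients. The thresholds and the ELL_TRUSTED_PROXY constant are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Added example (not code from the article or the plugins it reviews): lock an IP
 * out after repeated failed logins using core WordPress hooks and transients.
 * Save as wp-content/mu-plugins/login-limiter.php to load it automatically.
 */
// Assumed policy: 5 failures within 15 minutes lock the IP out for 30 minutes.
const ELL_MAX_ATTEMPTS    = 5;
const ELL_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS;
const ELL_LOCKOUT_SECONDS = 30 * MINUTE_IN_SECONDS;

// Lockout key. REMOTE_ADDR is the TCP peer and cannot be forged; X-Forwarded-For is
// honoured only when the peer is the trusted proxy named in the hypothetical
// ELL_TRUSTED_PROXY constant (define it in wp-config.php if you sit behind one).
function ell_client_ip(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (defined('ELL_TRUSTED_PROXY') && $ip === ELL_TRUSTED_PROXY
        && !empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        // Last entry = address the trusted proxy saw; earlier ones are client-supplied.
        $hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
        $ip   = end($hops);
    }
    return $ip;
}

function ell_key(string $prefix): string {
    return $prefix . md5(ell_client_ip());
}

// Refuse authentication while the IP is locked out. Priority 30 runs after core's
// username/password check at 20, which would otherwise replace an early WP_Error
// with a WP_User whenever the guessed password happens to be right.
function ell_check_lockout($user, $username, $password) {
    $until = get_transient(ell_key('ell_lock_'));
    if ($until !== false) {
        $minutes = max(1, (int) ceil(($until - time()) / MINUTE_IN_SECONDS));
        return new WP_Error('ell_locked_out',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes));
    }
    return $user;
}
add_filter('authenticate', 'ell_check_lockout', 30, 3);

// Count a failure; once the threshold is reached, start the lockout and log it.
function ell_record_failure($username, $error = null): void {
    if ($error instanceof WP_Error && $error->get_error_code() === 'ell_locked_out') {
        return; // attempts made during a lockout do not extend it
    }
    $key   = ell_key('ell_fail_');
    $count = (int) get_transient($key) + 1;
    if ($count >= ELL_MAX_ATTEMPTS) {
        set_transient(ell_key('ell_lock_'), time() + ELL_LOCKOUT_SECONDS, ELL_LOCKOUT_SECONDS);
        delete_transient($key);
        error_log(sprintf('[login-limiter] lockout ip=%s last_user=%s', ell_client_ip(), $username));
        return;
    }
    set_transient($key, $count, ELL_WINDOW_SECONDS); // each failure restarts the window
}
add_action('wp_login_failed', 'ell_record_failure', 10, 2);

// A successful login clears the failure counter for that IP.
function ell_clear_failures($user_login, $user): void {
    delete_transient(ell_key('ell_fail_'));
}
add_action('wp_login', 'ell_clear_failures', 10, 2);
```

Both wp-login.php and xmlrpc.php authenticate through wp_authenticate, so the filter also covers password guessing over XML-RPC; the error_log line gives the Apache-level tooling something to alert on.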
If your site becomes inaccessible and the only way to retrieve your WordPress files is via FTP, make sure you use the SFTP protocol so that the files in transit are encrypted. Programs like FileZilla offer this option, so you stay secure while retrieving your WordPress site.
However, we all need to be aware that attacks and breaches are inevitable, since vulnerabilities are sometimes not publicly disclosed. White-hat hackers are most of the time the ones who report vulnerabilities with good intentions, whereas black-hat hackers try to steal personal data and take control of your site with the intent of destroying it. A backup should always be kept regardless of how secure your site is: we do not know when an attack will come, so a backup is always handy in case of a breach. Hosting providers like GoDaddy provide automatic backups in their WordPress plan, and backup plugins are also available in the WordPress plugin directory.
Now that we know some practices for keeping a site secure, here are some plugins from the WordPress plugin directory that implement some, if not all, of the practices mentioned above. All of the plugins we found have a free tier and a paid plan for those who want more features. We will give an overview of the most notable features of each plugin. We cannot give recommended settings for each plugin, since that depends on the other plugins and themes you use. It is best to try what works for your site and turn off each setting that causes something to stop working correctly.
1. WordFence
Here is the link where you can access the plugin:
WordFence is a free plugin for WordPress that includes a WordPress-level firewall and a malware scanner. Below are the features of its free and paid plans:
- Web Application Firewall identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
- [Premium] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
- Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed, and cannot leak data.
- [Premium] Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
- Integrated malware scanner blocks requests that include malicious code or content.
- Protection from brute force attacks by limiting login attempts.
WORDPRESS SECURITY SCANNER
- Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
- [Premium] Real-time malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
- Compares your core files, themes, and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you.
- [Premium] Checks to see if your site or IP has been blacklisted for malicious activity, generating spam, or other security issues.
- Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.
- Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.
- Checks your content safety by scanning file contents, posts, and comments for dangerous URLs and suspicious content.
LOGIN SECURITY
- Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
- Disable or add 2FA to XML-RPC.
- Login Page CAPTCHA stops bots from logging in.
- Block logins for administrators using known compromised passwords.
WORDFENCE CENTRAL
- Wordfence Central is a powerful and efficient way to manage the security for multiple sites in one place.
- Powerful templates make configuring Wordfence a breeze.
- Highly configurable alerts can be delivered via email, SMS or Slack. Improve the signal to noise ratio by leveraging severity level options and a daily digest option.
- Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.
- Track and alert on important security events including administrator logins, breached password usage, and surges in attack activity.
- Free to use for unlimited sites.
SECURITY TOOLS
- With Live Traffic, monitor visits and hack attempts not shown in other analytics packages in real-time; including origin, their IP address, the time of day, and time spent on your site.
- Block attackers by IP or build advanced rules based on IP Range, Hostname, User Agent, and Referrer.
- Country blocking available with Wordfence Premium.
When you use WordFence for the first time, it asks you to enter an email address, which will be used for notifications if suspicious activity happens on the site. Once done, you are greeted with the dashboard, which gives a brief summary of the security of your site.
Its malware scanner checks files not only in your WordPress installation but also elsewhere on your server, making sure no suspicious files are present. Keep in mind that the malware signatures are not always the latest on the free version; you need the premium version to get the latest signatures. These signatures are like a dictionary of known malware patterns, which the scanner matches against the files on your server.
Remember that some files may be flagged even though nothing is wrong with them if you use an optimizer tool, because the compressed or minified copies it produces can look like obfuscated malware to the scanner. The only way to check is to read the scan results and confirm there is no suspicious code in the flagged files.
The firewall settings also offer handy features like IP blocking and rate limiting, which caps the resources a single user can consume. This can help prevent a DDoS attack.
WordFence also offers a live traffic monitoring feature that records every activity on the site. Here we can see that Wordfence blocked a user for suspicious activity on a page.
For 2FA, you can force administrators to use it so that no administrator account can be taken over with a password alone. WordFence's 2FA requires an authenticator app like Microsoft Authenticator or Google Authenticator, both free on the Play Store and the App Store. Once installed, scan the QR code displayed in WordFence's 2FA settings to set up 2FA on your phone. reCAPTCHA is also available to check that the user trying to log in is a human and not a bot.
Overall, WordFence offers great options and tools to keep your site secure, and its free version offers a lot. However, its malware signatures are not the latest; if you want the latest signatures, you have to upgrade to the premium plan.
2. All in One WP Security and Firewall
Here’s the link where you can access the plugin:
All in One WP Security and Firewall is another plugin that secures your WordPress site. It tries to include every practice needed to keep the site protected. Below are the features offered by the plugin:
User Accounts Security
- Detect if there is a user account that has the default “admin” username and easily change the username to a value of your choice.
- The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having accounts where the display name is identical to the login name is bad security practice because you are making it 50% easier for hackers because they already know the login name.
- Password strength tool to allow you to create very strong passwords.
- Stop user enumeration. So users/bots cannot discover user info via author permalink.
User Login Security
- Protect against “Brute Force Login Attack” with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings, and you can also choose to be notified via email whenever somebody gets locked out due to too many login attempts.
- As the administrator, you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
- Force logout of all users after a configurable time period
- Monitor/View failed login attempts which show the user’s IP address, User ID/Username, and Date/Time of the failed login attempt
- Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
- Ability to automatically lockout IP address ranges which attempt to login with an invalid username.
- Ability to see a list of all the users who are currently logged into your site.
- Allows you to specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have access to your WP login page.
- Add Google reCaptcha or plain maths captcha to WordPress Login form.
- Add Google reCaptcha or plain maths captcha to the forgot password form of your WP Login system.
User Registration Security
- Enable manual approval of WordPress user accounts. If your site allows people to create their own accounts via the WordPress registration form, then you can minimize SPAM or bogus registrations by manually approving each registration.
- Ability to add Google reCaptcha or plain maths captcha to WordPress’s user registration page to protect you from spam user registration.
- Ability to add Honeypot to WordPress’s user registration form to reduce registration attempts by robots.
Database Security
- Easily set the default WP prefix to a value of your choice with the click of a button.
- Schedule automatic backups and email notifications or make an instant DB backup whenever you want with one click.
File System Security
- Identify files or folders which have permission settings that are not secure and set the permissions to the recommended secure values with the click of a button.
- Protect your PHP code by disabling file editing from the WordPress administration area.
- Easily view and monitor all host system logs from a single menu page and stay informed of any issues or problems occurring on your server so you can address them quickly.
- Prevent people from accessing the readme.html, license.txt, and wp-config-sample.php files of your WordPress site.
htaccess and wp-config.php File Backup and Restore
- Easily backup your original .htaccess and wp-config.php files in case you will need to use them to restore broken functionality.
- Modify the contents of the currently active .htaccess or wp-config.php files from the admin dashboard with only a few clicks
Blacklist Functionality
- Ban users by specifying IP addresses or use a wild card to specify IP ranges.
- Ban users by specifying user agents.
Firewall Functionality
This plugin allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.
So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.
- Access control facility.
- Instantly activate a selection of firewall settings ranging from basic, intermediate, and advanced.
- Enable the famous “6G Blacklist” Firewall rules courtesy of Perishable Press
- Forbid proxy comment posting.
- Block access to debug log file.
- Disable trace and track.
- Deny bad or malicious query strings.
- Protect against Cross-Site Scripting (XSS) by activating the comprehensive advanced character string filter.
- or malicious bots who do not have a special cookie in their browser. You (the site admin) will know how to set this special cookie and be able to log into your site.
- WordPress PingBack Vulnerability Protection feature. This firewall feature allows the user to prohibit access to the xmlrpc.php file in order to protect against certain vulnerabilities in the pingback functionality. This is also helpful to block bots from constantly accessing the xmlrpc.php file and wasting your server resources.
- Ability to block fake Googlebots from crawling your site.
- Ability to prevent image hotlinking. Use this to prevent others from hotlinking your images.
- Ability to log all 404 events on your site. You can also choose to automatically block IP addresses that are hitting too many 404s.
- Ability to add custom rules to block access to various resources of your site.
Brute force login attack prevention
- Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people and bots.
- Ability to add a simple math captcha to the WordPress login form to fight against brute force login attacks.
- Ability to hide the admin login page. Rename your WordPress login page URL so that bots and hackers cannot access your real WordPress login URL. This feature allows you to change the default login page (wp-login.php) to something you configure.
- Ability to use Login Honeypot, which helps reduce brute force login attempts by robots.
Security Scanner
- The file change detection scanner can alert you if any files have changed in your WordPress system. You can then investigate and see if that was a legitimate change or some bad code was injected.
Comment SPAM Security
- Monitor the most active IP addresses which persistently produce the most SPAM comments and instantly block them with the click of a button.
- Prevent comments from being submitted if they don’t originate from your domain (this should reduce some SPAM bot comment posting on your site).
- Add a captcha to your WordPress comment form to add security against comment spam.
- Automatically and permanently block IP addresses that have exceeded a certain number of comments labeled as SPAM.
Front-end Text Copy Protection
- Ability to disable the right-click, text selection and copy option for your front-end.
Regular updates and additions of new security features
- WordPress Security is something that evolves over time. We will be updating the All In One WP Security plugin with new security features (and fixes if required) on a regular basis so you can rest assured that your site will be on the cutting edge of security protection techniques.
Works with Most Popular WordPress Plugins
- It should work smoothly with the most popular WordPress plugins.
Additional Features
- Ability to remove the WordPress Generator Meta information from the HTML source of your site.
- Ability to remove the WordPress Version information from the JS and CSS file includes on your site.
- Ability to prevent people from accessing the readme.html, license.txt and wp-config-sample.php files
- Ability to temporarily lock down the front end of your site from general visitors while you do various backend tasks (investigate security attacks, perform site upgrades, do maintenance work etc.)
- Ability to export/import the security settings.
- Prevent other sites from displaying your content via a frame or iframe.
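Several of the items listed above (stop user enumeration, block xmlrpc.php pingbacks, remove the generator and version information, disable file editing, forbid framing) can be expressed with core WordPress hooks. The following must-use plugin is an added example and not the All in One WP Security plugin's code; the file name and the decision to hide the REST users endpoint from anonymous visitors are assumptions made for the example.

```php
<?php
/**
 * Plugin Name: Example Hardening Rules
 * Added example, not the All in One WP Security plugin's code: implements several
 * items from the feature list with core WordPress hooks (stop author enumeration,
 * disable XML-RPC and pingbacks, hide the WordPress version, forbid framing,
 * disable the file editor). Save as wp-content/mu-plugins/hardening.php.
 */

// File System Security: disable the theme/plugin editor (same as DISALLOW_FILE_EDIT in wp-config.php).
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// PingBack protection: every XML-RPC method that needs a login is refused ...
add_filter('xmlrpc_enabled', '__return_false');
// ... and pingback.ping, which needs no login, is removed so xmlrpc.php cannot be
// used to make this site fetch arbitrary URLs on someone else's behalf.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']); // stop advertising the endpoint
    return $headers;
});

// Stop user enumeration: /?author=1 normally redirects to /author/<login>/,
// leaking the username that a brute-force attempt would need.
add_action('template_redirect', function (): void {
    if (isset($_GET['author']) && preg_match('/^\d+$/', (string) $_GET['author'])) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
});
// The REST API lists users too; hide that endpoint from anonymous requests.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// Remove the generator meta tag and the core version from script/style URLs.
// Only the core version is stripped, so plugin assets keep their cache-busting ?ver.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
$ell_strip_core_version = function ($src) {
    parse_str((string) wp_parse_url((string) $src, PHP_URL_QUERY), $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        return remove_query_arg('ver', $src);
    }
    return $src;
};
add_filter('style_loader_src', $ell_strip_core_version);
add_filter('script_loader_src', $ell_strip_core_version);

// Prevent other sites from framing this one (X-Frame-Options: SAMEORIGIN).
add_action('send_headers', 'send_frame_options_header');
```

Static files such as readme.html, license.txt and wp-config-sample.php are served by Apache without ever reaching PHP, so blocking them belongs in .htaccess, which is exactly the Apache-level point the plugin description makes.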
When using the plugin for the first time, you may be overwhelmed by the number of features, since it tries to cover every method of keeping your site secure. Its dashboard summarises how secure your site is and which methods you are using to keep it that way. The dashboard also shows the last five users who successfully logged in to the site.
A big advantage of this plugin is its firewall, which can restrict access at the Apache level. It can therefore block a request before it reaches the WordPress site.
The plugin also limits login attempts to prevent brute-force attacks. If an account is locked out, the site owner is notified. Blocking IP addresses is also available. Lastly, there is a force-logout feature where the server logs users out after a configured time. Many more options are available here, but most of them concern monitoring, such as who last logged in, and activity logs.
If we want to prevent brute-force attacks, we must rename the default URL used to log in to the dashboard, which is currently wp-login. With this plugin, we can change it to whatever we prefer. reCAPTCHA v2, Google's CAPTCHA service, is also available. Keep in mind that with v2 a puzzle usually has to be solved before logging in; in the newer version (v3), no human interaction is needed.
Login honeypots are also available. A honeypot is a computer security mechanism set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
For SPAM protection, a reCAPTCHA field can be added to forms such as comments to prevent repeated comments with the same content. We can also see the IP address of each spammer on the SPAM protection page.
The last feature we cover is File System Security. This page checks whether every folder on the server has the appropriate permissions, for example that folders which are supposed to be read-only really are, based on the permissions set.
The page also offers protection settings for PHP files and WordPress files, and the system logs can be found there too.
The biggest downside of this plugin is probably the malware scanner: it is not included in the plugin itself and requires a subscription with its partner service, Site Scanner.
Overall, All-In-One Security and Firewall is a good choice as long as you have a separate plugin for malware scanning, if you are not interested in the paid service this plugin offers.
3. Sucuri Security – Auditing, Malware Scanner and Hardening
Here is the link where you can access the plugin:
Sucuri Security is the security plugin recommended by our hosting provider, GoDaddy. It is currently the only plugin on our list without a premium plan. All of the functions available are. There is a downside though: the functions available in this plugin are somewhat limited compared to the features of the first two plugins we have overviewed.
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (premium)
Based on the features mentioned above, we can tell that this plugin is only useful for monitoring any vulnerabilities on the site.
In the dashboard, Sucuri checks the installation integrity of your WordPress site, that is, whether any core files have been modified or deleted. Audit logs containing information about user actions can also be found here.
Hardening options are available on the settings page, which lists the ways you can protect your site.
Post-hack actions are available where you can update your secret keys to prevent further damage to the site. A secret key makes your site harder to hack by adding random elements to the password hashing. You do not have to remember the keys; just write a random, complicated and long string for each in the wp-config.php file. You can change these keys at any time. Changing them invalidates all existing cookies, forcing all logged-in users to log in again. You can also change the password of each user on this page, as well as reset the data of each plugin.
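The key rotation described above, as an added example that is not the Sucuri plugin's code: a command-line PHP script that rewrites the eight define() lines in wp-config.php with fresh random values, refusing to touch the file unless all eight are found. The character set is taken from what wp_generate_password() uses for the salts; the config path is a command-line argument.

```php
<?php
/**
 * Added example (not the Sucuri plugin's code): rotate the eight secret keys and
 * salts in wp-config.php offline, which invalidates every existing login cookie.
 * Usage: php rotate-salts.php /path/to/wp-config.php
 */
const WP_SECRET_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// 64 random characters; the set contains no quote or backslash, so the value can
// sit inside a single-quoted PHP string without escaping.
function generate_wp_secret(int $length = 64): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
              . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];   // CSPRNG
    }
    return $out;
}

// Replace the value of each define('NAME', '...') line. Returns the new config and
// the number of constants rewritten so the caller can refuse a partial rotation.
// Assumes the usual one-line defines WordPress ships (values without quotes inside).
function rotate_wp_secrets(string $config): array {
    $rewritten = 0;
    foreach (WP_SECRET_NAMES as $name) {
        $pattern = '/^(\h*define\(\s*[\'"]' . $name . '[\'"]\s*,\s*)([\'"])(?:(?!\2).)*\2(\s*\)\s*;)/m';
        $config  = preg_replace_callback($pattern, function (array $m) use (&$rewritten): string {
            $rewritten++;
            return $m[1] . "'" . generate_wp_secret() . "'" . $m[3];
        }, $config, 1);
    }
    return [$config, $rewritten];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $path = $argv[1];
    [$updated, $n] = rotate_wp_secrets((string) file_get_contents($path));
    if ($n !== count(WP_SECRET_NAMES)) {
        fwrite(STDERR, "Found $n of " . count(WP_SECRET_NAMES) . " secrets; file left untouched.\n");
        exit(1);
    }
    // Keep the old keys for rollback, owner-readable only and outside the web root:
    // a copy of wp-config.php served as plain text would expose them.
    umask(0077);
    $backup = sys_get_temp_dir() . '/wp-config.' . date('Ymd-His') . '.bak';
    file_put_contents($backup, file_get_contents($path));
    file_put_contents($path, $updated, LOCK_EX);
    echo "Rotated $n secrets (backup: $backup); all existing sessions are now invalid.\n";
}
```

If you prefer to paste values by hand, https://api.wordpress.org/secret-key/1.1/salt/ returns ready-made define() lines in the same format.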
Lastly, we can check the login attempts made by each user on the site. However, this is currently limited to monitoring: no preventive controls such as 2FA or even reCAPTCHA are available.