Is Your WordPress Site Really Secure?
WordPress is a great platform, but hackers and the other scum of the Internet can wreak havoc any time, especially if your theme (or WordPress installation) makes it easy for them. This is precisely why you should never search for “free WordPress themes”, which is something we’ve all done at one time or another. Take note, I’m not against free WordPress themes, and there are some good free themes at WordPress.org or even here on WPExplorer under our free themes section, but the vast majority of free themes you’ll find scattered across the web aren’t really “free”.
These themes often have hidden lines of code or links that the developer or hacker placed solely for their own benefit. They are cleverly hidden, so you probably won’t notice the underlying code until it is too late. With that out of the way, shall we discuss a few things about your WordPress security? In this post, we will cover:
- Tips to securing your WordPress site
- Ten of the best WordPress security plugins
Update Your WordPress Platform
Let’s start with first things first: updating your WordPress site. Regardless of the free or premium theme you choose, you are still vulnerable to all manner of attacks if you are running on an old platform. That’s the ugly truth and one of the instances when old is not gold.
Automattic released WordPress 3.7 (or Basie) just the other day, and if you haven’t updated to this new version, you are making it all too easy for hackers. That’s because even with a premium theme, you can still get hacked if someone exploits a security hole in an old WordPress platform.
Plugin compatibility shouldn’t be an issue, since good plugins get updated almost as soon as a new WordPress update drops. After all, would you rather hold on to an incompatible plugin and lose your website (and the plugin of course) or update WordPress and install new plugins (or updates)? I would go with the second option and so should you. Update, update and update.
Create Stronger Passwords
Newsflash: If your username is something lame like “admin” and your password is also something lame like “password123” or something close, you. will. be. hacked. Come on, you gain nothing by standing in front of a gun-wielding firing squad and yelling “Fire!”. Make it painfully hard for hackers to get through your front door by creating stronger passwords.
Use special characters (e.g. hyphens, commas, periods etc), UPPERCASE letters, lowercase letters and numbers – mix it up and don’t use the same password for different websites. That’s like messing with the mafia, giving them a map to your home and expecting them not to show up.
Guess what, WordPress 3.7 makes it really easy (and very much possible) to create stronger “hacker-proof” passwords. Take advantage of this new feature. Remember to change your password once in a while, just the way you change your toothbrush. It’s your responsibility as a WordPress site owner, so don’t forget or procrastinate.
Protect Yourself From Brute Force Attackers
Right now, some masked hacker might be trying to force their way into your WordPress site using brute force techniques. The masked part is an exaggeration because hackers are just normal people who don’t need face masks (or guns and knives) to perpetuate their evils. They will just hack the hell out of your website and hide behind all sorts of “virtual” masks aka proxies and hidden IPs.
Brute force attackers (which is just a fancy name for all hackers really) will bombard your login forms with an entire universe of username and password combinations until something gives. It better not be your site.
See why you need stronger passwords?
As you read the above line, your website could be getting 20, 30, 40…100 unauthorized login attempts! No, I’m not using scare tactics or anything, I’m just stating the obvious. There are sites that get up to three hundred brute force attacks in less than one hour. That should not leave you paralyzed with fear anyway, because you can beat brute force attackers at their little game.
How To Guard Your WordPress Site Against Brute Force Attacks
There are a few simple steps you can take to help protect your WordPress site against brute force login attacks.
- Create stronger passwords
- Talk to your web host about it and they should be able to help (They might ask you to edit a certain .htaccess file but your best response to this should be: “I have no idea who .htaccess is or where they live or if they would like to see me…” Okay, this is the point: just ask them to help you configure stuff if you don’t know the first thing about .htaccess because if you mess with this little bad boy (.htaccess), you will be seeing the infamous 404 error page all over your site.) Additionally, ask your web host to lock out offending IP addresses forever. Forever.
- Use plugins such as Limit Login Attempts that will give brute force attackers quite a hard time.
But if you really can’t help but experiment with your .htaccess file, just add the following code…
<Files wp-config.php>
  order allow,deny
  deny from all
</Files>
… to the .htaccess file to protect or “hide” your wp-config.php file from brute force attackers. The wp-config.php file contains all the confidential information on your WordPress site. You know, the kind of info that hackers dream of laying hands on, so don’t give it to them. Place the following code…
<Files .htaccess>
  order allow,deny
  deny from all
</Files>
…in your .htaccess file as well to protect the .htaccess file from malicious hackers. Take note, you can basically protect any file using the .htaccess file by modifying the above code accordingly.
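The two blocks above use the Apache 2.2 “order/deny” syntax, which Apache 2.4 only understands when mod_access_compat is loaded (otherwise you get a 500 error instead of a protected file). The following is an added example, not code from the original post, that combines both protections and works on either version; the `<IfModule>` test picks the right syntax automatically.

```apache
# Added example: block direct web access to wp-config.php and .htaccess
# on both Apache 2.2 and Apache 2.4. Put this in the .htaccess file in
# the WordPress root directory (the directory that contains wp-config.php),
# because .htaccess rules only apply to that directory and its children.
<FilesMatch "^(wp-config\.php|\.htaccess)$">
  # mod_authz_core only exists in Apache 2.4, so this branch is 2.4
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # No mod_authz_core means Apache 2.2, which uses the older syntax
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

To check that it took effect, request the file from outside, for example `curl -I https://example.com/wp-config.php` (example.com being a placeholder for your own domain), and confirm the server answers with a 403 Forbidden rather than 200 or 500.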
Clean Up Your WordPress Regularly
Old, outdated themes and plugins that you no longer use should bite the dust, and bite the dust HARD. They should go, and there are no compromises here. It’s messy and will give hackers all the bark wood they need to set your house on fire.
With old themes and plugins lying around, it gets a lot harder for security professionals to perform their duties should your website be compromised, which is exactly what will happen if you choose to keep old themes and plugins. Clean out regularly, you don’t need that clutter. Your site will be faster as well.
Sign Up To Free CDNs
CDN is short for Content Delivery Network, and a good example is CloudFlare. CDNs “accelerate” your content, enabling sub-second loading of web pages, which is great, but that’s not the end of it. CDNs also protect your website from hackers, scumware and malware by filtering your incoming traffic. You don’t need to pay a single dime to use a CDN, just sign up for a free account. I recommend:
- PageSpeed Service by Google (Limited Trial)
- Other Free CDN Services
Side note: We would be absolutely right if we presumed that Google takes security seriously 🙂
Backup Your WordPress Site
Backing up your website will help you get things running once again if a really patient hacker gets through your security measures. It’s that important, but it’s not that hard because – free backup plugins! You can back up your WordPress site using these plugins:
There are paid backup services as well:
Top 10 WordPress Security Plugins
Now that we have covered a few security issues and how to protect yourself, let us train our focus and attention on the ten best WordPress security plugins (there are thousands). The following ten plugins will play bouncer on your website.
Better WP Security
This WordPress security plugin is from the good people at Foo Plugins. According to Foo Plugins, the Better WP Security plugin “…takes the best WordPress security features and techniques and combines them in a single plugin…” so that you can patch many security holes without conflicting issues or losing content on your website.
Better WP Security has over one million downloads on WordPress.org, and with a single click, you can detect, obscure, protect and recover your website. What’s more, it’s FREE, but you can choose to buy their install service and a Premium support token.
WP Security Scan
How would you know your WordPress security needed fixing if you don’t run security scans? You would know it needs fixing if things start falling apart that’s for sure, but you don’t want to wait until hell breaks loose.
Thanks to WP Security Scan, you can scan your WordPress site in a few minutes and stop security surprises that would take your site under. Additionally, the plugin offers handy tips to fix security vulnerabilities. Other key WP Security Scan features include the ability to:
- Back up your site
- Add index.php files to wp-content, wp-content/themes, wp-content/uploads and wp-content/plugins to avoid directory listing
- Report file permissions
- Monitor your website activity
- Remove wp-version to derail hackers
The list goes on and on, and with 1.2 million downloads, this plugin “gets” WordPress security.
Limit Login Attempts
This plugin is a good defense against brute force attackers. With Limit Login Attempts, you can restrict the login attempts for each IP address. After a predefined number of login retries is reached, the plugin blocks the IP address responsible, stopping brute force attackers dead in their tracks (or consoles).
Login Security Solution
To put this out there, I think this is the mother of all login security plugins. The Login Security Solution helps you enforce password strength as well as force a password reset for all users. Password aging is also an option with the plugin. In addition, logging out idle sessions is automatic.
With Login Security Solution, you can forget (or mistype) your password a couple of times without being locked out, but still brute force attackers will have a gargantuan task breaking into your website. Sounds great, right?
Download Login Security Solution
WordPress File Monitor Plus
This plugin does only one thing and does it really well. It tracks all changes to your file system. If files are added, changed or removed, you will receive an email notification in real time. How suave? This plugin will help you keep track of your website resources and it can come quite in handy when restoring or cleaning up your WordPress site.
Download WordPress File Monitor Plus
Block Bad Queries aka BBQ
Quite a fancy name (BBQ) for a plugin, but don’t be mistaken one bit, this bad boy filters incoming traffic to stop known threats long before they break your site. BBQ is badass and is a great plugin to guard your site against malicious URL requests. According to the authors, the plugin was born out of simplicity, i.e. it requires no configuration – just install and activate it. No frills.
Download Block Bad Queries (BBQ)
Wordfence
Sounds more like a profanity plugin than a security plugin but don’t let that throw you off, Wordfence works wonders. It is still new in the WordPress plugins arena but it is causing quite a stir.
It has grown quickly because of the following unique feature. The plugin compares your WordPress core files, themes and plugins with their official versions in the WordPress repository, and if something doesn’t look right (if there are discrepancies), Wordfence will notify you via email. Isn’t that cool? In addition, Wordfence will also scan your website for known backdoors, malware, phishing and virus infections.
BulletProof Security
According to the author, AITpro, this plugin will protect your WordPress site against Base64, CRLF, CSRF, Code Injection, RFI, SQL Injection and XSS hacking. You didn’t know there were so many types of hacking, now did you? Don’t worry though, this plugin is the bulletproof vest you need on your WordPress installation.
The plugin comes with firewalls, error logging, login security and security monitoring amongst other features. It is really “bulletproof” where hacking is concerned.
All In One WP Security And Firewall
If you are into all-in-one type of solutions (who isn’t?), here is a WordPress security plugin made just for you. According to the developers, the All In One WordPress Security And Firewall plugin “…will take your website security to a whole new level…”. Wouldn’t you love that?
Key features include scanning for vulnerabilities, blacklist functionality, firewalls, file system security, backup, brute force attack prevention, WHOIS lookup, comment spam security and regular updates amongst other features. It is an all-in-one solution 🙂
Download All In One WordPress Security And Firewall
AntiVirus For WordPress
That’s right, websites too have antivirus programs, or rather plugins, to keep viruses and hackers at bay. This WordPress security plugin will scan your theme for malicious injections automatically every day. The daily scans ensure you are safe from malware, exploits and spam injections. The plugin features a virus alert in the admin bar, multiple languages, daily scans with email notifications as well as optional Google Safe Browsing.
Bonus Recommendation: Sucuri
For those of you who want a more comprehensive security service, Sucuri is a prevention, monitoring and cleanup service that you can use to keep your WordPress site safe. You can even have them handle backups of your site. Sucuri is not free, however it is a great investment in the protection of your website.
Before we get to the end of this post, I would like to remind you of our earlier advice about free WordPress themes. Please, and I will say it again, please don’t download free WordPress themes from just anywhere. You risk downloading templates that are lined with malicious code that you didn’t bargain for.
Moreover, with the not-so-safe neighborhood that is the Internet, you don’t know what you could catch. Malicious code will break your site, sell unwanted ads and links to unsavory sites or earn you a really bad reputation with Google, so take this seriously:
- Don’t download free-for-all “premium” themes from wherever
- Invest in a premium WordPress theme
- Use recommended WordPress security plugins
- Create stronger passwords
- Remove old themes and plugins (and broken code that serves no purpose), and
- Update your WordPress platform already
Over To You…
What do you do to keep your WordPress site secure? As always, we will be delighted to get your input, so share your thoughts in the comment section below and keep the discussion cog turning. Cheers!
Thanks for listing Better WP Security!
You are welcome Chris!
Thanks for this useful info.
Just want to say that your code for hiding .htaccess and wp-config gives me an error and the website cannot load. The space between the comma and the letter d should be removed (order allow, deny)
Good eye! All fixed now 🙂
An overall good article. I believe that WordPress security has to be taken seriously, and, unfortunately, too many people don’t realize how important it is to secure your site. They usually realize after something happened…
WordPress security involves a mix of good practices, small tweaks and good plugins. In addition to all the ones above, I’d like to say a word about 2-factor authentication.
2-factor authentication (also known as 2-step validation) is a very powerful tool to secure the login process. I recently released WP Google Authenticator which will add 2FA (the Google powered 2-factor authentication system) to any WordPress login form: http://wordpress.org/plugins/wp-google-authenticator/
Very true Julien, many a web developer doesn’t realize the importance of WordPress security until it’s too late. Thanks for your word of advice and the extra plugin!
I didn’t use to care about WordPress security until my site was infected. On top of that, I didn’t have any backups either. It took me days to clean up the code.
Anyway, you have listed some plugins here which I didn’t know before. I’ll check them. Thanks for taking the time to collect them.
You’re welcome sir.
As a developer with themes in WordPress.org, I am a little disappointed with the misinformation at the beginning of this post.
I’m not sure you understood correctly. What Freddy is saying is even though there are good free themes such as those on WordPress.org (like the ones you make) there are a lot of sketchy sites out there sharing free themes with hidden code.
Thanks AJ for clarifying that 😉
There are too many plugins to choose from. If I just want a general security plugin which one should I choose?
Thank you for this information. God bless you!
Thank you for sharing this great list for WP security essentials.