Millions of websites are infected with malware every week. WordPress is a popular platform and is open to risks if not managed well. While WordPress is fairly secure and is further strengthened by regular patches and updates, it requires constant monitoring and checking for updates and patches.
Some of the suggested approaches include:
Keep the WordPress source files, themes, and plugins updated with latest versions and patches.
Change passwords regularly and use strong passwords.
Actively manage those users who are allowed editing access to WordPress. Ideally, limit access to
avoid mistakes impacting the whole site or leaving a vulnerability open.
Consider implementing an SSL certificate to encrypt connections to your website and secure any data
transfers.
Take regular backups.
Tighten what is allowed on posts, blogs, comments, and responses. Malware attacks are known to
originate through user/subscriber posts and comments with misleading links and the intent to steal
users’ personal information. Comments could include spamming or inappropriate language, and these need
to be actively managed.
As with all other management needs on WordPress, there are security plugins that help improve and
automate a number of these security management tasks.
WordPress security plugins: An introduction
Best practice: Think through your security approach based
on the final content of your WordPress website, the site’s structure, and the visitor interactions that
will be allowed on the website. For example, will there be multiple users working on website creation,
upkeep, and updates? Will there be subscribers who can post comments and write feedback? Knowing the
current and future approaches will help with selecting an appropriate security plugin, including
decisions around if a free security plugin version will suffice or if a paid version is best.
WordPress security plugins add value by offering automated, real-time security monitoring; scanning of
any uploaded files; malware checks, including scans for changes to core files; blacklist monitoring to
ensure that users or comments on the blacklist are not allowed in; security hardening; solutions to act in
case of a hack; firewalls; protection against denial-of-service (DoS) or brute-force attacks; and other
features.
A brief look at plugins
Plugins are applications that can be “plugged in” to your website. Plugins bring in pre-coded features
that allow quick feature setup. WordPress has a huge repository of free plugins apart from paid ones.
Choose a plugin if it adds value to your users’ experience and enhances communication with your audience.
Typical plugins make it easy to fill in forms, upload images, help track website activity by visitors,
have chat boxes, enforce security, and more. Plugins are accessed by navigating to the administrative page
> My Site > My Home > Tools > Plugins .
On clicking Plugins, a menu of available plugins is shown. Plugins can be searched by name or category
(Engagement, Security, Appearance, and Writing). You can also sort by featured, popular, and new
plugins.
The top WordPress security plugins
1. Jetpack
Jetpack is a plugin platform that consist of multiple plugin options including security, performance,
marketing, and design tools. The security component of the plugin provides, site security features
including malware scanning, spam protection, brute-force protection, and downtime and uptime monitoring.
The security plugin includes capabilities for:
Automatic malware and other code threat scans with the option to restore the website from malware in
one click.
Block spam comments and form responses with anti-spam features powered by Akismet.
Brute-force attack protection to protect the WordPress login pages from attacks.
Monitoring the site uptime and downtime and getting instant email alerts about any change.
Secure login with optional two factor authentication(2FA) for extra protection.
Auto-update individual plugins for easy site maintenance and management.
Wordfence Security includes an endpoint firewall and malware scanner to protect WordPress sites.
Wordfence offers 2FA and maintains a Threat Defense Feed that updates the newest firewall rules, malware
signatures, and malicious IP addresses to manage website safety.
Wordfence’s WordPress firewall/security scanner features
Protects the site at the endpoint, enabling deep integration with WordPress.
ntegrated malware scanner blocks requests that include malicious code or content.
Malware scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam,
malicious redirects, and code injections.
Compares site core files, themes, and plugins with what is in the WordPress repository, checking
their integrity and reporting any changes.
Protection from brute-force attacks by limiting login attempts.
Web Application Firewall identifies and blocks malicious traffic.
Repairs files that have changed by overwriting them with the original version.
Checks site for known security vulnerabilities and alerts to any issues. Also alerts to potential
security issues when a plugin has been closed or abandoned.
Checks the safety of your content by scanning file contents, posts, and comments for dangerous URLs
and suspicious content.
Offers 2FA for secure remote system authentication available via any time-based one-time password
(TOTP) authenticator app or service.
Login page CAPTCHAs stop bots from logging in
Disable or add 2FA to XML-RPC.
Block logins for administrators using known compromised passwords.
[Premium]
Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is
delayed by 30 days).
The Real-time IP blocklist blocks all requests from the most malicious IPs, protecting your site
while reducing the load on it.
Checks to see if your site or IP have been blocklisted for malicious activity, generating spam, or
another security issue.
All in One WP Security & Firewall (https://www.tipsandtricks-hq.com/) offers features for securing user
registration, login, and accounts; file system security; firewall; spam protection; blacklist referencing;
front-end text protection; database security; security scanning; and more. Some of the features include:
Reduced security risk by checking for vulnerabilities, and implementing and enforcing the latest
recommended WordPress security practices and techniques.
Use the security points grading system to measure how well the site is being protected based on the
activated security features.
Security and firewall rules are categorized as “basic,” “intermediate,” and “advanced.”
User-based security features:
Detect if user accounts have identical login and display names.
Leverage the password strength tool to enforce strong passwords.
Prevent user enumeration; this prevents users/bots from discovering user info via author
permalinks.
Protect against brute-force login attacks using the Login Lockdown feature; get notified via email
whenever somebody gets locked out due to too many login attempts. View a list of all locked-out
users, and unlock IP addresses one at a time or in bulk.
Monitor the account activity of all user accounts on your system by keeping track of the username,
IP address, login date/time, and logout date/time.
View a list of all the users who are currently logged in to your site.
Specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have
access to your WP login page.
Add Google reCAPTCHA or plain math CAPTCHA to the WordPress login form and system login.
Add a honeypot to WordPress’ user registration form to reduce registration attempts by robots.
The file change detection scanner alerts about any files that have been changed in the WordPress
system. These can be investigated to check if that was a legitimate change or if bad code was injected.
Spam monitoring includes:
Monitoring the active IP addresses that persistently produce the most spam and blocking them
Preventing comments from being submitted if they doesn’t originate from your domain.
Implementing CAPTCHAs on comment forms to add an additional layer of security against comment spam.
Automatically and permanently block IP addresses that have exceeded a certain number of comments
labelled as spam.
All-in-one WP security and firewall details:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
Version: 4.4.8
Active installations: Nearly 1 million
Works on WordPress version: 5.0 or higher
Tested up to WordPress version: 5.7
Languages supported: 13
4. Sucuri
Sucuri Security – Auditing, Malware Scanner and Security Hardening is a WordPress plugin consisting of a
security suite. Some of the key security features include:
Security activity auditing: Monitor all security-related events, including changes that occur within
the application and its environment. This answers the questions Who is logging in? and What changes are
being made?
File integrity monitoring: Compare known good file versions with the current state of files. This
covers all the directories at the root of the install, including plugins, themes, and core files.
Remote malware scanning to boost security posture: SiteCheck from Sucuri is used for malware scanning.
Blocklist monitoring: Monitor blocklist engines to prevent known malicious IP addresses and users from
accessing the site. Get your site off that blocklist if it has inadvertently been included.
Effective security hardening: Use configuration learnings from a cleaned website to harden security.
Post-hack security actions: Get help recovering from a hacking event.
Security notifications.
Website firewall (premium): This includes protection against:
DoS or DDoS attacks.
Exploitation of software vulnerabilities
Zero-days.
Brute-force attacks against your access control mechanisms
Sucuri’s website firewall filters out bad traffic before it reaches the website.
MalCare Security – Free Malware Scanner, Protection & Security for WordPress is a malware detection and
removal plugin with a one-click malware removal option. It has a cloud-based firewall for website
protection. Geoblocking at the country level helps mitigate hack attacks originating from certain
geographies. MalCare comes integrated with a website management module that ensures security and site
management from a single dashboard. With a notification function if the website goes down, the Performance
Check further enables users to keep an eye on site loading speed. MalCare allows white labeling to help
developers support customers with their own branding.
As the risk of a website being infected with malware remains high, it is a comfort that some of the
constant monitoring and checking for updates and patches can be done through security plugins on
WordPress. Based on the final website content, structure, and interactions allowed, a security approach
needs to be strategized. Knowing current and planned future possibilities will help with selecting an
appropriate security plugin, including decisions around if a free security plugin version will suffice or
if a paid version is best.
We looked at five popular WordPress security plugins and their features for keeping the source files,
themes, and plugins updated with the latest versions and patches, firewall and malware scanning,
blacklist- and geography-based blocking, as well as additional features like 2FA and CAPTCHA solutions. As
with all security-related processes, it is a good idea to have routine checks to look for areas to improve
and harden your site.
Was this article helpful?
Sorry to hear that. Let us know how we can improve the article.
Thanks for taking the time to share your feedback. We'll use your feedback to improve our articles.
Write For Us