WordPress is open source software. Open source software has its advantages to be sure, but since it is “open,” meaning that the code is available for all to see, those who study the code closely enough can find holes. If a hole is found by one of the “good guys,” it can be filled, and provided the user updates his or her copy of the software, all is well. However, if the installed version is out of date, or if one of the “bad guys” finds a way in first, a security breach may be the result.
It’s not just the core WordPress files that could leave a web site open to attack either. It could be a poorly coded plugin or theme that is to blame. Keeping plugins and themes up-to-date and buying/downloading them from reputable sources is a smart idea.
Beyond programming bugs, weak passwords are also commonly to blame for successful attacks.
Plugins to Help Keep WordPress Secure
A variety of plugins are designed to help keep a WordPress installation secure from attacks. Whether they “patch” up some default behaviour of WordPress that makes it vulnerable, check for existing exploits, or keep a watchful eye, many of these plugins are feature rich and offer peace of mind to the web site owner(s).
Each plugin naturally has a different feature set. I will go through the features of some of the best security plugins below.
BulletProof Security
BulletProof Security is a popular plugin in the WordPress community and is available from the WP plugin directory. It is meant to protect against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection attacks.
It offers simple protection for distributed configuration files (.htaccess files). The web server processes these files before a hacker’s malicious code has the opportunity to execute, so it stands to reason, at least to the BulletProof Security developers, to lock these files down first. It also offers a one-click option for turning on maintenance mode for the site. The files can be edited from the WordPress admin area without the need for any file transfer method such as FTP or a control panel file manager. Both the root of the site and the WordPress admin area are protected by this plugin.
Protected files include wp-config.php, bb-config.php, php.ini, and php5.ini. Standard features include suppressing database error output and removing the WordPress version string, among others.
When in maintenance mode (503 Website Under Maintenance), admins will be able to see the site, while everyone else will see a custom “under maintenance” page. Additional IP addresses can be added to give other users the ability to see the site while under construction.
Wordfence
Wordfence is another good security plugin for WordPress, and it works with the MultiSite (Network) version of WordPress. It includes some firewall protection too.
Even without backups, the plugin can verify the integrity of, and restore, WP core files as well as theme and plugin files. The core plugin is free, but there is a premium version that extends the geolocation capabilities and allows the blocking of traffic from certain countries. The paid API version also allows scans to be scheduled for set times.
The firewall feature will block fake Googlebots, and other common security threats, and it also offers the ability to block entire networks.
The scans check for signatures of more than 44,000 known malware samples and their variants, and check for other changes in files. They also look for common backdoors, including RootShell, Crystal Shell, Matamu, C99, R57, Sniper, Predator, Jackal, and others.
Standard features, such as stopping WordPress from revealing information that may compromise security, are included in this plugin. It boasts a real-time traffic log which includes robots, page-not-founds, human traffic, logins and logouts. City-level geolocation is included in the real-time traffic view to show which locations are consuming the most content and which are posing a threat.
The plugin attempts to prevent DDoS attacks by monitoring disk space.
Better WP Security
Better WP Security attempts to “obscure” WordPress by hiding or removing certain standard behaviours of the software. Knowing that common attacks on WordPress stem from obsolete or out-of-date software, weak passwords, and plugin/theme vulnerabilities, the developers included ways to counter attacks from those areas.
They set it up to prevent attackers from learning too much about the WordPress site by:
- removing WordPress meta “Generator” tag
- changing URLs for login, admin, etc.
- removing header information related to Windows Live Writer and RSD
- renaming the “admin” account if it exists, and changing the ID of the first user (which defaults to 1)
- changing the database prefix from “wp_” to something more obscure
- changing the path for “wp-content”
- removing login error messages
- randomizing the version number for non-admins
If the need ever arises to recover from an attack, the database backup option can be set up. It will send database backups by email on a customizable schedule.
The Better WP Security plugin works on both single site and multi site WordPress installations, and works with Apache, LiteSpeed and NGINX.
All In One WP Security & Firewall
The All In One WP Security & Firewall plugin has been developed by Tips & Tricks HQ, so we may be a little biased towards it 🙂
This plugin will measure the security of a given WP website based on the features that are activated and put into use. Check for the Security Strength Meter after the plugin is activated to see the default score for your site.
This plugin offers the ability to change the default “admin” user name if it exists. When something other than “admin” is used as the username, an attacker has a much harder time breaking into the site, because their “bot” must guess both the username and the password rather than just the password. For the same reason, the plugin also detects any accounts in the system that use their login name as their display name.
When there are too many unsuccessful login attempts, this all-in-one security plugin can be set to temporarily block a given IP address (or a range of IP addresses) from attempting to log in again. It can also be configured to alert the site admin by email when this takes place. Blocked users can be seen in a simple report, and the admin can quickly unblock a user or range of users based on IP address. Logins, whether failed or successful, can be monitored as well.
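The lockout behaviour described above, worked through as an added example (this is not the plugin’s code): failed logins are counted per source IP inside a sliding time window, a success clears the counter, and the resulting lockouts are checked together with an operator blacklist of whole IP ranges (the range blocking described later in this section). The login events, the 5-failures-in-5-minutes threshold, the 60-minute lockout and the blacklisted range are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of login events: (timestamp, source IP, username, succeeded?).
# Addresses come from the documentation ranges, not from real visitors.
SAMPLE_EVENTS = [
    ("2013-06-01 10:00:01", "203.0.113.10", "admin", False),
    ("2013-06-01 10:00:03", "203.0.113.10", "admin", False),
    ("2013-06-01 10:00:04", "203.0.113.10", "admin", False),
    ("2013-06-01 10:00:06", "203.0.113.10", "admin", False),
    ("2013-06-01 10:00:07", "203.0.113.10", "admin", False),
    ("2013-06-01 10:02:00", "198.51.100.7", "editor", False),
    ("2013-06-01 10:02:30", "198.51.100.7", "editor", True),
    ("2013-06-01 11:30:00", "192.0.2.44", "admin", False),
    ("2013-06-01 11:31:00", "192.0.2.44", "admin", False),
    ("2013-06-01 11:32:00", "192.0.2.44", "admin", False),
    ("2013-06-01 11:33:00", "192.0.2.44", "admin", False),
    ("2013-06-01 11:34:00", "192.0.2.44", "admin", False),
]

# Constructed operator blacklist (assumed): whole ranges, not just single IPs.
BLOCKED_RANGES = ["203.0.113.0/24"]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def find_lockouts(events, max_failures=5, window=timedelta(minutes=5),
                  lockout_duration=timedelta(minutes=60)):
    """Return {ip: lockout_expiry} for each IP that fails max_failures times
    within `window`. A successful login clears that IP's failure counter, so a
    legitimate user who mistypes once and then logs in is never locked out."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    locked = {}
    for ts_text, ip, _user, ok in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_text)
        if ok:
            recent[ip].clear()
            continue
        failures = recent[ip]
        failures.append(ts)
        while failures and ts - failures[0] > window:
            failures.popleft()  # slide the window forward
        if len(failures) >= max_failures and ip not in locked:
            locked[ip] = ts + lockout_duration
    return locked


def is_blocked(ip, locked, blocked_ranges, now):
    """True if `ip` is inside an active lockout or inside a blacklisted range."""
    if ip in locked and now < locked[ip]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in blocked_ranges)


def lockout_alert(locked):
    """Text of the admin notification the plugin is described as emailing (format assumed)."""
    lines = ["Login lockouts in effect:"]
    for ip, expiry in sorted(locked.items()):
        lines.append(f"  {ip} until {expiry:%Y-%m-%d %H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    locked = find_lockouts(SAMPLE_EVENTS)
    print(lockout_alert(locked))
    print(is_blocked("203.0.113.99", locked, BLOCKED_RANGES, parse_ts("2013-06-01 12:00:00")))
```

In the sample, 203.0.113.10 is locked out after five rapid failures, 192.0.2.44 is locked out after five failures spread over four minutes, and 198.51.100.7 is never locked because its single failure is followed by a success. The lockout on 192.0.2.44 expires after an hour, whereas any address in the blacklisted 203.0.113.0/24 range stays blocked regardless of time.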
For easy restores, database backups can be scheduled and even emailed to the admin. The default table prefix can also be changed with a single click. Knowing the table prefix reveals the table names, which can be a weakness and create an opportunity for database access. File editing from the WP Dashboard can be turned off, and improper file and folder permissions can be detected and corrected. Backup and modification of wp-config.php and .htaccess can be done very easily from the admin area.
Blacklisting by IP address or IP address range can be done easily. The plugin will also keep track of IPs that submit the most spam and block those users from accessing the site.
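A detect-and-correct permission audit of the kind the paragraph above describes, written here as an added example rather than taken from the plugin. The target modes (0755 for directories, 0644 for files, 0640 for wp-config.php) are assumptions for the example, not values from the article, and the sample site tree is constructed in a temporary directory so the script can run without touching a real installation.

```python
import os
import stat
import tempfile

# Assumed target modes (not from the article): 0o755 for directories, 0o644 for
# ordinary files, and a tighter 0o640 for wp-config.php, which holds the database
# credentials that the article names as a file worth protecting.
def expected_mode(path, is_dir):
    if is_dir:
        return 0o755
    if os.path.basename(path) == "wp-config.php":
        return 0o640
    return 0o644


def audit_permissions(root):
    """Return sorted (relative_path, actual_mode, expected_mode) for every entry
    whose mode grants a permission bit the expected mode does not (typically
    group- or world-write). Symlinks are skipped rather than followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            actual = stat.S_IMODE(st.st_mode)
            expected = expected_mode(full, stat.S_ISDIR(st.st_mode))
            if actual & ~expected:  # any bit set that the expected mode lacks
                findings.append((os.path.relpath(full, root), actual, expected))
    return sorted(findings)


def fix_permissions(root, findings):
    """The 'correct' half of detect-and-correct: apply the expected mode."""
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), expected)


def build_sample_site():
    """Constructed throwaway tree with deliberately loose modes, so the audit
    has something to find without touching a real site."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = {
        "wp-config.php": 0o666,              # world-writable credentials file
        ".htaccess": 0o644,
        "index.php": 0o644,
        "wp-content/uploads/photo.jpg": 0o666,
    }
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o777)  # world-writable directory
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o755)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, actual, expected in audit_permissions(site):
        print(f"{rel}: {actual:04o} should be {expected:04o}")
```

On the constructed tree the audit flags wp-config.php, the wp-content directory and the uploaded image, leaves the correctly set .htaccess and index.php alone, and reports nothing once fix_permissions has been applied. The bitwise test (actual & ~expected) is what makes the check about excess permissions: a file that is stricter than expected is not reported, only one that grants more.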
Blocking Malicious Code Starts With .htaccess – Using .htaccess as a Firewall
The Firewall feature of the All In One WP Security & Firewall plugin sets rules in the .htaccess file. The web server processes this file before any .php file on the site is run, which gives the plugin an opportunity to block a malicious request before it can execute code on the site.
This firewall feature allows the admin to:
- activate a range of firewall features based on the level of potential site impact: basic, intermediate, and advanced
- turn on the popular “5G Blacklist” Firewall rules
- turn off the ability for users to post comments from proxy servers
- activate the comprehensive advanced character string filter for XSS (Cross Site Scripting) protection
- …among other things
The “basic” features of the Firewall, when turned on, will have little to no impact on the site’s functionality and standard settings. The intermediate and advanced feature sets can be turned on progressively, so the settings and their impact on the site as a whole can be tested step by step. Because WordPress is so extensible, a site can end up running a mixed bag of third-party code, which creates the potential for conflicts; the progressive nature of this plugin makes such conflicts easier to spot.
It may also be worth pointing out that security can start at the computer level. The computer and network (especially wireless) can be the point of entry for an attack on a web site. Keeping a computer free from viruses, malware, and spyware helps keep your web sites safe as well. A secure wireless network and secure file transfers go a very long way towards keeping a web site secure. Always use strong passwords on a computer, network, router, FTP software, and everywhere else.
Deleting all unused themes and plugins saves you from having to keep them up to date and from worrying about them becoming a “hole” or “backdoor” into the system. Consider enabling SSL for the site’s admin and login areas.
Also, check out the list of best WordPress plugins to find out what other plugins you could be using.
Comments (19 responses)
Initially I enabled additional Firewall Settings. I have disabled them and now it seems to work OK, but I only have a score of 175.
@Maddy, Have you enabled any advanced firewall rules in the security plugin?
I am using All In One WP Security & Firewall. I seem to be having a problem with Wysija, but only on the settings page; it keeps bringing up an HTTP 403.
Wysija has fixed this once already for me, but I don’t know how. Can you tell me what I need to do so I can sort it out?
I use this plugin (All In One WP Security v1.6) to protect my WordPress site and it works really well.
Greetings from Germany
@Gareth, Glad to hear that you like it. You don’t *need* it… you probably *want* it 🙂
It would be nice to get all those points but sometimes you may have to make a little compromise depending on what other plugins you are using on your site. If you are in the green you are already doing pretty good.
Hey guys, using your plugin, love the gamification aspect of the dashboard! Problem is I’ve done everything and I’m only on 105/245 ??!!
I need 245!!!
Hi Mohit, Manually edit the .htaccess file on your site and remove everything between the following two lines (this will disable all the firewall features of the plugin and let you log in):
# BEGIN All In One WP Security
# END All In One WP Security
You can then go back to the admin dashboard and re-enable some firewall features as you need.
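The recovery step in the reply above, and the way the Firewall feature described earlier manages its own section of .htaccess, both come down to editing a marker-delimited block. The following is an added example, not the plugin’s code: it removes the block between the quoted BEGIN/END markers, rewrites it with a new set of rules, and saves the file with a backup and an atomic replace. The sample .htaccess is constructed for the example; the directive inside the managed block (denying direct web access to wp-config.php, one of the files the article names as protected) is an illustration of a firewall rule, not the plugin’s actual rule set.

```python
import os
import shutil
import tempfile

# The marker lines are the ones quoted in the reply above.
BEGIN = "# BEGIN All In One WP Security"
END = "# END All In One WP Security"

# Constructed sample .htaccess: WordPress's default permalink block followed by a
# plugin-managed block. The rule inside it is illustrative, not the plugin's own.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# BEGIN All In One WP Security
<Files wp-config.php>
Require all denied
</Files>
# END All In One WP Security
"""


def split_managed_block(text, begin=BEGIN, end=END):
    """Return (before, block_lines, after). block_lines is [] when there is no
    block. A BEGIN with no END is an error: Apache would still read whatever
    follows it, so refuse to guess where the block stops."""
    lines = text.splitlines(keepends=True)
    starts = [i for i, line in enumerate(lines) if line.rstrip("\r\n") == begin]
    if not starts:
        return text, [], ""
    start = starts[0]
    ends = [i for i in range(start + 1, len(lines)) if lines[i].rstrip("\r\n") == end]
    if not ends:
        raise ValueError(f"{begin!r} has no matching {end!r}")
    stop = ends[0]
    return "".join(lines[:start]), lines[start:stop + 1], "".join(lines[stop + 1:])


def remove_managed_block(text):
    """The recovery step from the reply: drop BEGIN..END inclusive, keep the rest."""
    before, _block, after = split_managed_block(text)
    return before + after


def write_managed_block(text, rules):
    """Replace the managed block with `rules` (one directive per item), or append
    a new block if none exists. Everything outside the markers is untouched."""
    before, block, after = split_managed_block(text)
    new_block = BEGIN + "\n" + "\n".join(rules) + "\n" + END + "\n"
    if not block:
        prefix = text.rstrip("\n")
        return (prefix + "\n\n" if prefix else "") + new_block
    return before + new_block + after


def save_htaccess(path, text):
    """Keep a .bak copy and replace the file atomically, so a crash mid-write
    never leaves Apache reading a truncated .htaccess."""
    if os.path.exists(path):
        shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".htaccess.")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)


if __name__ == "__main__":
    print(remove_managed_block(SAMPLE_HTACCESS))
```

Removing the block from the sample leaves the WordPress permalink rules intact, and writing the same three directives back reproduces the original file byte for byte, which is a useful property when re-enabling features one at a time as the reply suggests. The split function refuses a file with a BEGIN marker but no END marker rather than deleting to end of file, since that is exactly the half-written state a failed plugin update can leave behind.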
Hey, I just upgraded to the latest “All In One WP Security & Firewall” plugin and added that Brute Force Security Key which looks like “brfdbb7bhncgfhhzmk&#” and the URL was supposed to be like “DomainName/?brfdbb7bhncgfhhzmk&#=1”.
Now I am locked out. How do I get to the Dashboard? I am using Firefox and Chrome and they accept cookies.
I DO have access to the server but do not want to delete everything again and start from scratch.
@Samuel, I don’t think the word virus has the exact meaning when it comes to your web server. PC viruses are executable files that run on their own and try to do *bad* things. When it comes to the WordPress realm you mainly have to worry about various different types of attacks and try to have measures in place to block those attacks.
Can your blog be attacked by a virus?
I have yet to hear a blog that has been taken down completely by a virus.
There probably were blogs that have been attacked before.
Has it happened to any of you? Would like to know.
Thanks for the suggestions!
About a year ago, one of my blogs got hacked. Luckily I had a database backup, but it still took me almost a day to get everything up and running again. Currently I’m using Better WP Security and I’m quite happy with it.
After receiving your most recent newsletter, I installed your security plugin, and I’m writing just to say ‘thanks!’
So far I’ve only activated the four essential parts per your recommendation, but I’ve found the plugin easy to understand and well-organized.
Since I don’t have a technical background, I really appreciate that the instructions and settings pages are explained clearly. (In contrast, I have a caching plugin which claims to be user-friendly, but it gets very technical and assumes a relatively high degree of technical knowledge of server-side stuff.)
Thanks also for the backup features.
And thanks for offering this for free.
Hi Pam, You don’t need to know anything else. The security plugin should work with all of our other plugins. Install the security plugin then activate the features that are categorized as “Basic” (these features are designed to not mess up any functionality of your site yet providing a good deal of protection).
This looks terrific and very much needed!
Just wondering if there is something else I should know before installing.
I use eStore, eMember, PDF Stamper and other awesome TTQ stuff.
I have been paring down things that are not TTQ and am nervous about installing anything. I have read your documentation and it appears very straightforward. This appears to be a far-reaching plugin…. You have probably covered all the bases, as usual. Just wanted to ask.
I was a victim of a brute force attack this week. They didn’t get in but it did make me aware that I need this!
Thanks for sharing this list. I know of a few friends’ WP sites that got hacked and it was a complete mess for them. This is really good information for taking that extra step of protection! I will be looking into some of these you have shared and giving them a shot!
@Jer, You don’t need to install all of them. We developed the All In One WP Security plugin, so my opinion could be biased if I told you to pick one 🙂
My advice would be to try them all one by one (they are all free) and stick with 1 or 2 that you like.
Great post. What’s not clear is if I need all of these, one of these… What criteria should I use to decide? What criteria do the “bad guys” use to choose a target?
Sorry if this is too basic…
@Christina: You can run a lot of plugins without crashing your site. If your site’s crashing though, you can try weeding out the bad plugin through the classic plugin troubleshooting method. Go to your plugins in your dashboard and disable and re-enable your plugins one by one. Each time you disable one, refresh the site to see if it’s running well again. Otherwise, re-enable the disabled plugin. Rinse and repeat until you find which plugin has a problem. Hope this helps.
Anyway, this is a great post and I’d love to test out the plugins here. Freeware is always a good thing, especially if they come from a trusted source.
Great, thanks for this wonderful post about WordPress security plugins, but I installed some plugins in my WordPress blog and due to the lot of plugins my website wasn’t running. It was showing me a server error, so I don’t use very many plugins.