WordPress is open source software. Open source has clear advantages, but because the code is available for anyone to read, anyone who studies it closely enough can find holes. When a hole is found by one of the “good guys,” it can be fixed, and provided users update their copy of the software, all is well. If an installation is out of date, or if one of the “bad guys” finds the hole first, a security breach may be the result.
It is not just the core WordPress files that can leave a web site open to attack. A poorly coded plugin or theme is just as often to blame. Keeping plugins and themes up to date, and buying or downloading them only from reputable sources, is a smart idea.
Beyond programming bugs, weak passwords are commonly to blame for successful attacks as well.
Plugins to Help Keep WordPress Secure
There are a variety of plugins designed to help keep a WordPress installation secure from attack. Whether they “patch” some default behaviour of WordPress that makes it vulnerable, scan for existing infections, or keep a watchful eye on traffic, many of them are feature rich and offer peace of mind to the web site owner(s).
Each plugin naturally has a different feature set. I will go through the features of some of the best security plugins below.
BulletProof Security
BulletProof Security is a popular plugin in the WordPress community and is available from the WordPress plugin directory. It is meant to protect against XSS, RFI (remote file inclusion), CRLF injection, CSRF, Base64-encoded payloads, code injection and SQL injection attempts.
It protects the site through Apache’s distributed configuration files (.htaccess files). Apache evaluates these files on every request, before any PHP on the site runs, so a rule in .htaccess can refuse a malicious request before the attacker’s code has a chance to execute; that is why the BulletProof Security developers lock these files down first. The plugin also offers one-click maintenance mode. The .htaccess files can be edited from the WordPress admin area without FTP or a control-panel file manager. Both the root of the site and the WordPress admin area are protected with this plugin.
Protected files include wp-config.php, bb-config.php, php.ini, and php5.ini. Standard features include suppressing database error output and removing the WordPress version string, among others.
When in maintenance mode (503 Website Under Maintenance), admins can still see the site while everyone else sees a custom “under maintenance” page. Additional IP addresses can be added to let other users see the site while it is under maintenance.
Wordfence
Wordfence is another good security plugin for WordPress, and it works with the Multisite (Network) version of WordPress. It includes firewall protection too.
Even without backups, the plugin can verify the integrity of the WordPress core files, plus theme and plugin files, and restore them, because it compares them against the copies published in the official WordPress repository. The core plugin is free, but a premium version extends the geolocation features, allows traffic from chosen countries to be blocked, and lets scans be scheduled for set times.
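As an added example that is not Wordfence’s code, here is how the integrity check the paragraph describes can be done with the public MD5 checksum list WordPress.org publishes for every release, which is the same public data a plugin relies on when no backup exists. The function names are hypothetical; the code assumes a WordPress environment (ABSPATH, get_core_checksums()) and the last function needs network access to api.wordpress.org.

```php
<?php
/**
 * Added example, not Wordfence's code: verify the WordPress core files
 * against the MD5 checksums WordPress.org publishes for each release.
 * Run from a WP-CLI eval-file or a mu-plugin. Function names are hypothetical.
 */

// Compare the installed files under $abspath with a checksum list
// (file path => md5). Returns modified and missing files. wp-content is
// skipped: the checksums cover only the bundled default themes and plugins,
// which admins legitimately remove.
function example_verify_core_files( array $checksums, $abspath ) {
	$abspath = rtrim( $abspath, '/\\' );
	$result  = array( 'modified' => array(), 'missing' => array() );
	foreach ( $checksums as $file => $md5 ) {
		if ( strpos( $file, 'wp-content/' ) === 0 ) {
			continue;
		}
		$path = $abspath . '/' . $file;
		if ( ! file_exists( $path ) ) {
			$result['missing'][] = $file;
		} elseif ( md5_file( $path ) !== $md5 ) {
			$result['modified'][] = $file;
		}
	}
	return $result;
}

// A checksum comparison cannot see files that are not on the list, which is
// exactly what a dropped backdoor is, so also list everything under
// wp-admin and wp-includes that WordPress.org does not know about.
function example_unexpected_core_files( array $checksums, $abspath ) {
	$abspath    = rtrim( $abspath, '/\\' );
	$unexpected = array();
	foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
		if ( ! is_dir( "$abspath/$dir" ) ) {
			continue;
		}
		$files = new RecursiveIteratorIterator(
			new RecursiveDirectoryIterator( "$abspath/$dir", FilesystemIterator::SKIP_DOTS )
		);
		foreach ( $files as $f ) {
			$rel = str_replace( '\\', '/', substr( $f->getPathname(), strlen( $abspath ) + 1 ) );
			if ( ! isset( $checksums[ $rel ] ) ) {
				$unexpected[] = $rel;
			}
		}
	}
	return $unexpected;
}

// Fetch the checksums for the installed version and locale from
// api.wordpress.org through core's own helper, then run both checks.
// Returns false when the list is unavailable (offline, or a version
// WordPress.org does not know, which is itself worth investigating).
function example_core_integrity_report() {
	if ( ! function_exists( 'get_core_checksums' ) ) {
		require_once ABSPATH . 'wp-admin/includes/update.php';
	}
	$checksums = get_core_checksums( get_bloginfo( 'version' ), get_locale() );
	if ( ! is_array( $checksums ) ) {
		return false;
	}
	$report               = example_verify_core_files( $checksums, ABSPATH );
	$report['unexpected'] = example_unexpected_core_files( $checksums, ABSPATH );
	return $report;
}
```

Restoring a modified file is then a matter of unpacking the matching release archive from wordpress.org and copying the listed file back. Expect a few legitimate entries in the unexpected list, such as an .htaccess a host placed in wp-admin; anything ending in .php there deserves a close look.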
The firewall will block fake Googlebots and other common threats, and it can block entire networks (IP ranges) as well.
Scans check for the signatures of more than 44,000 known malware samples and variants, and for other changes in files. Common backdoors are looked for, including RootShell, Crystal Shell, Matamu, C99, R57, Sniper, Predator, Jackal, and others.
As with the other plugins, it stops WordPress from revealing information that may compromise security. It boasts a real-time traffic log covering robots, page-not-founds, human traffic, logins and logouts. City-level geolocation in the real-time view shows which locations are consuming the most content or posing a threat.
The plugin also monitors free disk space, since a server that runs out of disk stops serving pages, which is one way a denial-of-service attack can take a site down. Monitoring only gives warning, though; it does not block the traffic itself.
Better WP Security
Better WP Security attempts to “obscure” WordPress by hiding or removing certain standard behaviours of the software. Knowing that the common attacks on WordPress come through obsolete or out-of-date software, weak passwords, and plugin/theme vulnerabilities, the developers included ways to counter attacks from each of those areas. Bear in mind that obscuring an installation makes it harder to fingerprint but does not fix an underlying vulnerability; it complements updating rather than replacing it.
They set it up to prevent attackers from learning too much about the WordPress site by:
- removing WordPress meta “Generator” tag
- changing URLs for login, admin, etc.
- removing header information related to Windows Live Writer and RSD (Really Simple Discovery)
- renaming the “admin” account if it exists, and changing the ID for the first user that has the ID of 1
- changing the database prefix from “wp_” to something more obscure
- changing the path for “wp-content”
- removing login error messages
- randomizing the version number for non-admins
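The following added example (not Better WP Security’s code) shows how the generator tag, the RSD and Windows Live Writer links, the login error messages and the version number in the list above are handled with ordinary WordPress hooks. Changing the login URL, the database prefix or the wp-content path means rewriting files and tables and is left to the plugin. Function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Information Hiding
 * Description: Added example (not Better WP Security's code) showing how the
 *              hiding measures listed above are done with WordPress hooks.
 *              Drop this file into wp-content/mu-plugins/ to load it.
 */

// Remove the meta generator tag and the RSD / Windows Live Writer discovery
// links that WordPress adds to <head>. The generator string also goes into
// RSS feeds, so the_generator is blanked as well.
remove_action( 'wp_head', 'wp_generator' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
add_filter( 'the_generator', '__return_empty_string' );

// Hide the version from non-admins: every enqueued core script and style
// carries ?ver=<WordPress version> in its URL, so strip that argument for
// anyone who cannot manage the site. Caveat: ver is also the cache-buster,
// so browsers may keep stale copies across upgrades.
function example_strip_version_query( $src ) {
	if ( current_user_can( 'manage_options' ) ) {
		return $src;
	}
	return remove_query_arg( 'ver', $src );
}
add_filter( 'style_loader_src', 'example_strip_version_query' );
add_filter( 'script_loader_src', 'example_strip_version_query' );

// Remove login error messages: by default the login form says whether the
// username or the password was wrong, which confirms valid usernames to an
// attacker. Replace every error with one generic message.
add_filter( 'login_errors', function ( $error ) {
	return 'Login failed. Please check your details and try again.';
} );
```

The version also appears in plain text in readme.html in the site root, which PHP cannot filter because the web server serves that file directly; delete it or block it in .htaccess.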
If the need ever arises to recover from an attack, the database backup option can be set up to send database backups by email on a customizable schedule. Remember that such a backup contains the entire users table, password hashes included, so the mailbox that receives it needs protecting too.
The Better WP Security plugin works on both single site and multi site WordPress installations, and works with Apache, LiteSpeed and NGINX.
All In One WP Security & Firewall
All In One WP Security & Firewall plugin has been developed by Tips & Tricks HQ, so we may be a little biased towards it 🙂
This plugin will measure the security of a given WP website based on the features that are activated and put into use. Check for the Security Strength Meter after the plugin is activated to see the default score for your site.
This plugin can rename the default “admin” user if it exists. With any username other than “admin,” an attacker’s bot must guess both the username and the password rather than the password alone. For the same reason, the plugin also detects accounts whose display name is the same as their login name: the display name is published on posts and author pages, which gives away half of the credential.
When there are too many unsuccessful login attempts, the plugin can temporarily block the offending IP address (or range of IPs) from attempting to log in again, and it can alert the site admin by email when this happens. Blocked addresses appear in a simple report from which the admin can quickly unblock an address or range. Both failed and successful logins can be monitored as well.
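An added example, not All In One WP Security’s code, of the three measures just described (it also covers the admin-renaming item in the Better WP Security list above): renaming the “admin” login, finding accounts whose display name equals their login, and a per-IP lockout with an email alert. Function and constant names are hypothetical, and the code assumes the site is not behind a reverse proxy or CDN.

```php
<?php
/**
 * Plugin Name: Example Login Hardening
 * Description: Added example (not All In One WP Security's code) of renaming
 *              the "admin" login, finding display-name leaks, and locking out
 *              an IP after repeated failures. Drop into wp-content/mu-plugins/.
 */

const EXAMPLE_MAX_FAILURES    = 5;   // failures allowed before lockout
const EXAMPLE_LOCKOUT_SECONDS = 900; // counting window and lockout length

// Rename the "admin" login. wp_update_user() refuses to change user_login,
// so this writes the users table directly, as the plugins do. The author
// slug (user_nicename, used in /author/<slug>/ URLs) is changed too, or it
// would keep leaking the old name. The auth cookie embeds the login name,
// so the renamed user has to log in again. Returns true on success.
function example_rename_admin_login( $new_login ) {
	global $wpdb;
	if ( ! validate_username( $new_login ) || username_exists( $new_login ) || ! username_exists( 'admin' ) ) {
		return false;
	}
	$updated = $wpdb->update(
		$wpdb->users,
		array( 'user_login' => $new_login, 'user_nicename' => sanitize_title( $new_login ) ),
		array( 'user_login' => 'admin' ),
		array( '%s', '%s' ),
		array( '%s' )
	);
	return $updated === 1;
}

// Accounts whose public display name is identical to their login name.
function example_display_name_leaks() {
	global $wpdb;
	return $wpdb->get_col( "SELECT user_login FROM {$wpdb->users} WHERE display_name = user_login" );
}

// Client address. Assumes no reverse proxy; behind one, REMOTE_ADDR is the
// proxy, and the real address must come from a header the proxy is trusted to set.
function example_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_failure_key( $ip ) {
	return 'example_login_failures_' . md5( $ip );
}

// Count failures per IP in a transient (it expires on its own) and email the
// admin once, at the moment the threshold is reached. Attempts made during a
// lockout also count, so the lockout extends while the attacker keeps trying.
add_action( 'wp_login_failed', function ( $username ) {
	$ip    = example_client_ip();
	$key   = example_failure_key( $ip );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, EXAMPLE_LOCKOUT_SECONDS );
	if ( $count === EXAMPLE_MAX_FAILURES ) {
		wp_mail(
			get_option( 'admin_email' ),
			'Login lockout on ' . home_url(),
			sprintf( '%s was locked out after %d failed logins (last username tried: %s).', $ip, $count, $username )
		);
	}
} );

// Refuse logins from a locked-out address. Priority 30 matters: core checks
// the password at priority 20 and replaces whatever came before with its own
// result, so an error returned earlier would be overwritten by a correct guess.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( (int) get_transient( example_failure_key( example_client_ip() ) ) >= EXAMPLE_MAX_FAILURES ) {
		return new WP_Error( 'example_locked_out', 'Too many failed login attempts from your address. Try again later.' );
	}
	return $user;
}, 30, 3 );
```

Because the counter is keyed on the address, a lockout also covers attempts through XML-RPC, which goes through the same authenticate filter; an attacker spread across many addresses, however, is only slowed down, which is why a strong password still matters.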
Database backups can be scheduled and even emailed to the admin for easy restore. The default table prefix can be changed with a click. Knowing the table prefix tells an attacker the exact table names, which makes a SQL injection payload easier to write. File editing from the WordPress dashboard can be turned off, and improper file and folder permissions can be detected and corrected. Backup and modification of wp-config.php and .htaccess can be done easily from the admin area.
Blacklisting by IP address or IP range is easy. The plugin also keeps track of the IPs that submit the most spam and can block those from accessing the site.
Blocking Malicious Code Starts With .htaccess – Using .htaccess as a Firewall
The Firewall feature of the All In One WP Security & Firewall plugin sets rules in the .htaccess file. Apache reads this file before handing the request to PHP, which gives the plugin an opportunity to reject a malicious request before any .php or other file on the site is executed. This applies to Apache and LiteSpeed only; NGINX ignores .htaccess entirely.
This firewall feature allows the admin to:
- activate a range of firewall features grouped by their potential impact on the site: basic, intermediate, and advanced
- turn on the popular “5G Blacklist” Firewall rules
- block comment posting through proxy servers
- activate the comprehensive advanced character string filter for XSS (Cross Site Scripting) protection
- …among other things
When turned on, the “basic” firewall features have little or no impact on site functionality and standard settings. The intermediate and advanced sets can be turned on progressively, so that each set’s impact on the site as a whole can be tested before the next is enabled. WordPress’s extensibility brings in a mixed bag of third-party code with potential for conflicts, and enabling rules in stages makes such conflicts easier to spot. Take a copy of .htaccess first (the plugin’s backup feature does this), because one mistaken directive answers every request with a 500 error until it is removed.
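As an added example (not the plugin’s code) of what a staged .htaccess firewall looks like, the block below builds rules for the three levels and writes them between markers using WordPress’s own insert_with_markers(); the basic level also shows the wp-config.php and php.ini protection described for BulletProof Security earlier. The rule set is illustrative and far shorter than the 5G Blacklist; function names are hypothetical.

```php
<?php
/**
 * Added example, not the plugin's own code: build .htaccess firewall rules in
 * three progressive levels and write them between markers. Only meaningful
 * on Apache or LiteSpeed; NGINX never reads .htaccess.
 */

// Rules for one level, as lines of .htaccess text.
function example_firewall_rules( $level ) {
	$levels = array( 'basic' => 1, 'intermediate' => 2, 'advanced' => 3 );
	if ( ! isset( $levels[ $level ] ) ) {
		throw new InvalidArgumentException( "unknown level: $level" );
	}
	$n     = $levels[ $level ];
	$rules = array();

	// Basic: deny direct requests for configuration files and stop directory
	// listings. Both the Apache 2.4 and the 2.2 authorization syntaxes are
	// emitted. If the host's AllowOverride excludes Options, the Options
	// line alone causes a 500; drop it in that case.
	$rules[] = '<FilesMatch "^(wp-config\.php|\.htaccess|php5?\.ini)$">';
	$rules[] = '  <IfModule mod_authz_core.c>';
	$rules[] = '    Require all denied';
	$rules[] = '  </IfModule>';
	$rules[] = '  <IfModule !mod_authz_core.c>';
	$rules[] = '    Order allow,deny';
	$rules[] = '    Deny from all';
	$rules[] = '  </IfModule>';
	$rules[] = '</FilesMatch>';
	$rules[] = 'Options -Indexes';

	if ( $n >= 2 ) {
		// Intermediate: refuse requests whose query string carries the usual
		// injection markers (PHP function calls, script tags, superglobals,
		// directory traversal). %{QUERY_STRING} is not URL-decoded, so the
		// encoded forms are matched explicitly.
		$rules[] = '<IfModule mod_rewrite.c>';
		$rules[] = '  RewriteEngine On';
		$rules[] = '  RewriteCond %{QUERY_STRING} (base64_(en|de)code|eval)(\(|%28) [NC,OR]';
		$rules[] = '  RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]';
		$rules[] = '  RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST|_SERVER)(=|\[|%5B) [NC,OR]';
		$rules[] = '  RewriteCond %{QUERY_STRING} (\.\./|%2E%2E/) [NC]';
		$rules[] = '  RewriteRule .* - [F,L]';
		$rules[] = '</IfModule>';
	}

	if ( $n >= 3 ) {
		// Advanced: refuse comment posts that arrive through a proxy, detected
		// by the headers proxies add. Caveat: a site behind a CDN or reverse
		// proxy sees those headers on every request, so this would block all
		// comments there.
		$rules[] = '<IfModule mod_rewrite.c>';
		$rules[] = '  RewriteEngine On';
		$rules[] = '  RewriteCond %{REQUEST_METHOD} =POST';
		$rules[] = '  RewriteCond %{REQUEST_URI} /wp-comments-post\.php$';
		$rules[] = '  RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:X-FORWARDED-FOR}%{HTTP:PROXY-CONNECTION} !^$';
		$rules[] = '  RewriteRule .* - [F,L]';
		$rules[] = '</IfModule>';
	}
	return $rules;
}

// Write (or rewrite) the block between "# BEGIN Example Firewall" and
// "# END Example Firewall" in .htaccess, leaving the rest of the file alone.
// A timestamped copy is taken first so a bad rule can be backed out.
function example_write_firewall_rules( $level, $htaccess_path ) {
	if ( ! function_exists( 'insert_with_markers' ) ) {
		require_once ABSPATH . 'wp-admin/includes/misc.php';
	}
	$backup = $htaccess_path . '.example-backup-' . gmdate( 'Ymd-His' );
	if ( file_exists( $htaccess_path ) && ! copy( $htaccess_path, $backup ) ) {
		return false;
	}
	return insert_with_markers( $htaccess_path, 'Example Firewall', example_firewall_rules( $level ) );
}

// Example use (constructed): example_write_firewall_rules( 'basic', ABSPATH . '.htaccess' );
```

Because the markers are the same on every call, moving from basic to intermediate to advanced replaces the block rather than stacking copies, which is what makes the staged testing described above practical: if the site breaks after a level is enabled, write the previous level again or restore the copy.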
Video: More Information About The All In One Security & Firewall Plugin
It may also be worth pointing out that security starts at the computer level. The computer and network (especially a wireless one) can be the point of entry for an attack on a web site. Keeping a computer free of viruses, malware, and spyware keeps your web sites safe as well. A secure wireless network and secure file transfers (SFTP rather than plain FTP, which sends the password in clear text) go a very long way towards keeping a web site secure. Always use strong passwords on the computer, network, router, FTP software, and everywhere else.
Deleting all unused themes and plugins means there is nothing extra to keep up to date and no chance of them becoming a “hole” or backdoor into the system; a deactivated plugin’s files are still on the server and can still be reached and exploited. Consider using SSL on the site’s admin and login areas; WordPress enforces this when the FORCE_SSL_ADMIN constant is set to true in wp-config.php.
Also, check out the list of best WordPress plugins to find out what other plugins you could be using.