In the previous part of this mini-series, we covered some tips and tricks that are very important for hardening your WordPress projects. In this part, we're going to go through some of the best WordPress security plugins, and a few vital tips for WordPress security.
Let's get right to it!
Securing WordPress With Plugins and Other Crucial Tips
In the following sections, I'm going to talk about things that saved my websites from a number of attacks over the years. I hope you'll make use of them as well.
Installing a Security Plugin
Tips and tricks about WordPress security are great, but sometimes you need more than that. Beyond small tweaks in the
wp-config.php files, you might need to prevent brute-force login attempts, log malicious-looking requests and such. For these kinds of tasks, you will need a security plugin.
I'm not going to review them one by one, but I want to talk about some of the most popular security plugins for WordPress:
iThemes Security (formerly Better WP Security): This one is easily one of the best free security plugins in the WordPress ecosystem. (It also has a Pro version, but honestly I never needed to upgrade.) It audits your WordPress installation and checks for soft spots, then offers to patch them. Moreover, it has some cool features like banning certain user agents, preventing brute force attacks, monitoring files for unauthorized changes, and logging 404 errors. In fact, I wrote a piece about it in October 2014, so be sure to check it out if you're interested.
Wordfence Security: Wordfence Security is one of the most popular free plugins, with a stunning 4.9 stars (out of 5), making it also the highest-rated security plugin in the WordPress.org Plugin Directory. It has tons of features, from monitoring and blocking to scanning and caching (yes, caching). The Pro version offers even more features that will make your website incredibly secure.
All in One WP Security & Firewall: All in One WP Security & Firewall is another popular security plugin with a 4.9 star rate, but with fewer downloads. It also has a wide range of features and settings a security plugin can offer, like login and registration security, file system protection and firewall functionality.
Sucuri Security: "Sucuri" is one of the most well-known brands in WordPress security, especially because of their top-notch reports on security flaws in WordPress core and popular plugins. It helped many developers fix their products, and it helps all WordPress users with the Sucuri Security plugin. Be sure to check out the plugin's features on its WordPress.org page, and do try it out before you land on a decision.
I wanted to cut the list short, since this is just a part of the tutorial. If you want to learn more about each plugin, be sure to visit their plugin pages and make your research before you decide on what you'll be using.
Other Tips on WordPress Security
wp-config.php files is great, and using security plugins is extremely helpful... but there's always room for improvement—especially in terms of security. And hopefully, the following tips and tricks are going to help you get even closer to 99.999% security. Let's begin!
Install SSL on WordPress
A secure HTTP connection helps in more than one way to achieve more safety on WordPress. The connection will be encrypted, so tapping into the connection would be useless (for most parties). It's also a good way to show trust, and kind of essential for e-commerce websites. You don't want to tell your customers that their payment information is going through an unencrypted connection.
If you want to learn more about SSL in WordPress, check out this article on Make WordPress. To learn about how to implement SSL in WordPress, check out this Envato Tuts+ article written by Joe Clifton.
Use Two-Factor Authentication in Logins
Passwords are getting easier and easier to crack over the years, so you shouldn't trust in choosing a strong password anymore. Luckily, methods that require more than one kind of authentication show some promise in terms of security (in general, not just WordPress).
It basically works like this: The system asks for your password, and then asks for something else—like a single-use passcode that comes via SMS or clicking a disposable link via email. So, even though a hacker steals your password (or guesses it correctly), it will still fail to access your account.
Two of the most popular ways to enable two-factor authentication in WordPress are using the Google Authenticator plugin or the Clef Two-Factor Authentication plugin. If you want to use Google Authenticator, there's a great Envato Tuts+ article written by Jeff Reifman about the plugin.
Select a Great Hosting Environment
Sadly, if a hacker takes down a WordPress website on an insecure server, people may still assume that it's WordPress's fault. But in any case, choosing a web host that pays attention to security is always a good idea.
I won't be recommending any companies in this post, but I can tell you what to look for: A good web hosting company keeps server software up to date, monitors unusual activity with a firewall, and keeps frequent backups of your account without any extra charge. Do your homework and find the best web host for your needs.
Embrace a Security Mindset
Did you know that FileZilla, one of the most popular FTP clients in the world, keeps saved server credentials in an unencrypted XML file? Did you know that anyone in your wireless network can tap into your HTTP connections? Did you know that most of the VPN service providers have to share your information with hush-hush intelligence services when they need your info?
A little bit of paranoia doesn't hurt, I guess. Even if you install the best security plugins and tweak the
wp-config.php files perfectly, if you talk about your last pet to a stranger in a coffee shop or install any Android app you like, you might fail at securing your website. Here's the rule of thumb: Common sense is the best tool for security.
I hope you enjoyed the tips and tricks I shared in this two-part mini-series. Granted, you might have stumbled upon some of the things I wrote before, but it's always a nice idea to put together roundups like this to keep everyone up to date on WordPress security. If you've seen these before, awesome! If you haven't, glad to be of help!
Do you have more useful WordPress security tricks up your sleeves? Go ahead and share them with us in the Comments section below. And if you liked this mini-series, don't forget to share it with your friends!