Essential Tips and Tools to Secure WordPress Sites
by Raj Kumar Maurya, November 17, 2015
WordPress developers push regular updates to patch known vulnerabilities, but updates alone do not make a site secure: there are many other ways a WordPress site can be compromised. Plugins add an extra layer of security, and here we discuss the best ways to secure your site and the key plugins available.
1. Use a unique username and password
Choose a unique username and password for your WordPress admin account (wp-admin) and avoid the default admin username. If you have already set your username to admin, plugins such as Username Changer let you change it to something less predictable.
2. Protect and secure login page
First of all, change the default login link of your WordPress site, i.e. yourdomain.com/wp-admin, which is known to everyone. You can change it manually if you are a developer or have good WordPress knowledge, but some plugins do the same with a few clicks, such as the All-in-One security plugin, which lets you change your WordPress login URL easily. For a more secure login, use two-factor authentication (known as 2FA, or sometimes 2-step verification). This requires a user to log in with not just a username and password, but also a unique one-time code that is sent to a device (typically a smartphone) via SMS or generated by an iOS/Android app. Plugins such as Clef enable this authentication easily on your WordPress site.
3. Choose your theme and plugins wisely
When you choose a theme or plugins for your website, choose ones that are actively maintained and regularly updated. Some people use cracked versions of paid themes and plugins without realising that these may contain malicious code inserted by whoever cracked them.
4. Protect your database and limit the use of plugins
Back up your WordPress database regularly so that you always keep a copy of all your posts; if someone hacks your website, you still have that copy. Your website might be at risk if you use the predictable wp_ prefix in your database. If you are not an IT person or developer and want to change your database's wp_ prefix, don't do it manually. Also, limit the number of plugins on your website: more plugins mean less security, as not every plugin is updated on a regular basis.
5. Limit Login attempts
There is a nifty little WordPress plugin called Limit Login Attempts that lets you limit the number of failed login attempts and even ban an IP for a specified number of hours. An attacker would need many different proxies, because the plugin keeps banning each IP address after a certain number of failed login attempts.
6. Secure it from Brute Force and DDoS Attacks
A brute-force attack is performed to gain access to someone else's account on the site, whereas a DDoS attack is usually launched to take a site down (typically by consuming resources). There are many plugins available to stop brute force. Among them, BruteProtect is a cloud-powered brute-force prevention plugin that aims to provide the best protection against botnet attacks. It automatically blocks an IP address when it sees malicious activity such as a high number of failed login attempts.
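To show what the plugins in tips 5 and 6 do under the hood, here is a minimal login throttle written as a WordPress must-use plugin. It is an added example for this article, not the code of Limit Login Attempts or BruteProtect. It assumes WordPress 5.x or later, that the file is dropped into wp-content/mu-plugins/, and that no reverse proxy sits in front of the site, so REMOTE_ADDR is the real client address; the names LT_*, lt_* and the thresholds are this example's own choices.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Locks an IP address out of the login form after repeated failures.
 *
 * Added example for this article; not the code of Limit Login Attempts or
 * BruteProtect. Assumes WordPress 5.x+, installed in wp-content/mu-plugins/,
 * and no reverse proxy in front of the site (so REMOTE_ADDR is the client IP).
 * Behind CloudFlare or another proxy, take the IP from the proxy's trusted
 * header instead, or every visitor will share one counter.
 */

define('LT_MAX_ATTEMPTS', 5);                         // failures allowed per window
define('LT_ATTEMPT_WINDOW', 15 * MINUTE_IN_SECONDS);  // how long failures are counted
define('LT_LOCKOUT_SECONDS', 2 * HOUR_IN_SECONDS);    // lockout length once the limit is hit

function lt_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names must stay short, so hash the IP instead of embedding it.
function lt_key(string $kind, string $ip): string {
    return 'lt_' . $kind . '_' . md5($ip);
}

function lt_is_locked(string $ip): bool {
    return get_transient(lt_key('lock', $ip)) !== false;
}

// Count a failed login; start the lockout when the threshold is reached.
function lt_on_login_failed(string $username): void {
    $ip = lt_client_ip();
    if (lt_is_locked($ip)) {
        return; // already locked out, nothing more to count
    }
    $attempts = (int) get_transient(lt_key('attempts', $ip)) + 1;
    set_transient(lt_key('attempts', $ip), $attempts, LT_ATTEMPT_WINDOW);
    if ($attempts >= LT_MAX_ATTEMPTS) {
        set_transient(lt_key('lock', $ip), time(), LT_LOCKOUT_SECONDS);
        delete_transient(lt_key('attempts', $ip));
        // Record the lockout in the PHP error log so monitoring can pick it up.
        error_log(sprintf('[login-throttle] locked out %s after %d failed logins (user "%s")',
            $ip, $attempts, $username));
    }
}
add_action('wp_login_failed', 'lt_on_login_failed');

// Runs after WordPress's own password check (priority 20), so a locked-out IP
// is refused even when the credentials are correct, which is the point of a lockout.
function lt_check_lockout($user, string $username, string $password) {
    if (lt_is_locked(lt_client_ip())) {
        return new WP_Error('lt_locked_out',
            __('Too many failed login attempts from your address. Try again later.'));
    }
    return $user;
}
add_filter('authenticate', 'lt_check_lockout', 30, 3);

// A successful login resets the counter for that IP.
function lt_on_login(string $user_login, WP_User $user): void {
    delete_transient(lt_key('attempts', lt_client_ip()));
}
add_action('wp_login', 'lt_on_login', 10, 2);
```

Transients live in the options table (or the object cache, if one is configured), so the counters survive across requests without a custom table. The lockout error carries its own code, so the `wp_login_failed` handler can tell a lockout refusal from a genuine bad password and does not keep counting it.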
7. Protect your site from DDoS attacks with CloudFlare
CloudFlare is the way to protect your site from DDoS attacks. It protects and accelerates any website. After you add your website to CloudFlare, its web traffic is routed through their global network, which optimizes the delivery of your pages so visitors get fast page load times and good performance. CloudFlare offers both free and premium plans; the free plan is enough to get a decent amount of brute-force protection.
Here’s a list of security plugins to secure your website:
It scans all the files of your WordPress core, themes and plugins and notifies you if it finds any infection. To make your website faster, it uses the Falcon caching engine. The plugin is free, but a few advanced features are reserved for premium users. It blocks brute-force attacks and can add two-factor authentication via SMS. You can also block traffic from a specific country. It includes a firewall to block fake traffic, botnets and scanners, and it scans your hosting for known backdoors including C99, R57 and others; if it finds anything, you instantly get an email notification.
2. BulletProof Security
BulletProof Security is another popular WordPress security plugin. It adds firewall security, database security, login security and more. It limits failed login attempts, blocks security scanners, fake traffic and code scanners, and supports IP blocking. It keeps checking the code of WordPress core files, themes and plugins, and comes with a built-in file manager for .htaccess. It protects WordPress websites against various vulnerabilities including XSS, RFI, CRLF, CSRF, Base64, code injection, SQL injection and many others.
3. Sucuri Security
This plugin offers security features such as security activity auditing, file integrity monitoring, malware scanning, blacklist monitoring and a website firewall. It checks your website against various blacklist engines including Google Safe Browsing, Sucuri Labs, Norton, McAfee SiteAdvisor and more. It protects your website from DoS attacks, zero-day disclosure patches, brute-force attacks and other scanner attacks.
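The file scanning described for the first plugin above and the file integrity monitoring Sucuri lists both rest on the same technique: hash every file once, store the hashes, and report anything added, removed or changed on later runs. The command-line script below is an added example for this article, not the scanner of Wordfence or Sucuri. It assumes PHP 7.4 or later, that the WordPress root is passed as an argument, and that the manifest file (a constructed name, fim-manifest.json) is kept outside the web root; the fim_* names are this example's own.

```php
<?php
/**
 * fim.php - minimal file-integrity monitor for a WordPress tree.
 *
 * Added example for this article; not the scanner of Wordfence or Sucuri.
 * Assumptions: run from the command line with PHP 7.4+, the WordPress root is
 * the first path argument, and the manifest (constructed name fim-manifest.json)
 * is stored OUTSIDE the web root, so an attacker who can write files into the
 * site cannot simply rewrite the baseline to hide a change.
 *
 *   php fim.php baseline /var/www/html /root/fim-manifest.json
 *   php fim.php check    /var/www/html /root/fim-manifest.json
 */
declare(strict_types=1);

// Paths that change legitimately and would only produce noise.
const FIM_IGNORE_PREFIXES = ['wp-content/uploads/', 'wp-content/cache/'];

function fim_ignored(string $rel): bool {
    foreach (FIM_IGNORE_PREFIXES as $prefix) {
        if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Map of relative path => sha256 for every regular file below $root.
function fim_hash_tree(string $root): array {
    $root   = rtrim($root, '/');
    $hashes = [];
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        if (fim_ignored($rel)) {
            continue;
        }
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare a fresh scan with the stored baseline: new files (a dropped backdoor),
// missing files, and files whose content changed (injected code in core or a theme).
function fim_diff(array $baseline, array $current): array {
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $rel => $hash) {
        if (!hash_equals((string) $baseline[$rel], $hash)) {
            $modified[] = $rel;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

$mode     = $argv[1] ?? '';
$root     = $argv[2] ?? '';
$manifest = $argv[3] ?? 'fim-manifest.json';

if ($mode === 'baseline' && is_dir($root)) {
    file_put_contents($manifest, json_encode(fim_hash_tree($root), JSON_PRETTY_PRINT));
    echo "baseline written to $manifest\n";
    exit(0);
}
if ($mode === 'check' && is_dir($root) && is_file($manifest)) {
    $baseline = json_decode((string) file_get_contents($manifest), true);
    $report   = fim_diff(is_array($baseline) ? $baseline : [], fim_hash_tree($root));
    $findings = 0;
    foreach ($report as $kind => $paths) {
        foreach ($paths as $rel) {
            echo strtoupper($kind), "\t", $rel, "\n";  // one line per finding
            $findings++;
        }
    }
    echo $findings === 0 ? "no changes\n" : "$findings change(s) found\n";
    exit($findings === 0 ? 0 : 1);   // non-zero exit lets cron mail the report
}
fwrite(STDERR, "usage: php fim.php baseline|check <wordpress-root> [manifest]\n");
exit(2);
```

Take a fresh baseline right after every legitimate update of core, themes or plugins; otherwise the next check reports the update itself. Running the check from cron under a user that cannot write to the web root keeps the manifest and the scanner out of reach of anything that compromises the site.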
4. iThemes Security (formerly Better WP Security)
It tracks registered users' activity and adds two-factor authentication, import/export of settings, password expiration, malware scanning and various other things. It scans the entire website for potential vulnerabilities. It also prevents brute-force attacks and bans the IP addresses that attempt them, and it integrates Google reCAPTCHA to prevent comment spam on your website.
5. Acunetix WP SecurityScan
It offers a security scanning tool to find vulnerabilities in web applications, along with file permission security, version hiding, admin protection, removal of the WP generator tag from the page source, and database security. It also includes a database backup tool and a live traffic monitor to check website traffic in real time.
6. All In One WP Security & Firewall
This is one of the most popular security plugins. It protects against brute-force login attacks and lets you schedule automatic backups and receive email notifications. It also protects PHP code by disabling file editing in the admin area. It adds a web application firewall to your website and enables the 5G Blacklist to prevent various attacks: it denies bad query strings and blocks XSS, CSRF, SQL injection, malicious bots and other security threats.
7. 6Scan Security
6Scan Security has a security scanner that scans and protects your website against SQL injection, cross-site scripting, CSRF, directory traversal, remote file inclusion, DoS attacks and other OWASP Top Ten vulnerabilities. It also has an automatic malware fix for malware-related issues on your website.