Part 3 of 3: Plugins and monitoring services
It's not our place to judge a plugin or SaaS offering, so you won't find a ranking system here. Times change, new plugins and services appear, new security techniques develop. We've listed six potential plugins here chosen from current industry knowledge and user reviews. There are many, many others: do your research and find which best suits your budget and your needs.
A security plugin is really only as good as its last update as it must stay abreast of the latest threats and malware, so look for a plugin that has a solid history and regular updates.
Wordfence is a very popular security plugin with an extensive list of features, even in the free version. It features a firewall and a virus/malware scanner, and can compare core WordPress and (some) plugin files against repository versions and alert you to any suspicious changes or unnecessary files. It also offers tools to help recover from a hack.
It also features a caching engine that claims to make your site up to 50 times faster.
Unfortunately, it was featured in the WPScan Vulnerability Database some time ago as itself having a security vulnerability which, of course, is not a good look for a security plugin. However, the vulnerability was patched very quickly by the developer and, as I said in the intro above, the real mark of a good plugin is not only how well it works but how quickly any problems are addressed. In this regard, it deserves its popularity.
iThemes Security was formerly known as Better WP Security, and as such had a very strong following. iThemes bought the plugin — and hired its developer — and now touts iThemes Security as its premier security offering. It has copped a bit of flak from customers of its previous incarnation as having 'gone downhill'; I won't comment on that directly here (I simply don't know if it has or it hasn't) but I can say we use other plugins made by iThemes and they're all excellent.
Like the other suggestions here, iThemes Security has an extensive list of features. Its free version includes enforcing strong passwords, login lockout after a set number of failed login attempts, away mode (locks down WordPress completely during nominated times, like when you're asleep and unlikely to be working on your blog), and the use of secret login and admin areas. We've canvassed some of these methods in previous security posts, but this plugin makes a lot of the geeky stuff a lot easier. In all, there are 30+ features, easily activated through a one-click admin interface.
As a bonus, iThemes has partnered with VirusTotal, a virus and malware scanning service, so even the free version of the plugin affords a complete virus and malware scanning feature (separate sign up).
Don't let the kinda ordinary website fool you: BulletProof Security is one of the WordPress community's most trusted and best peer-rated security plugins.
The free version seems to operate mostly by mod'ing your .htaccess file, which effectively acts like a firewall. It also features login security and monitoring, database backup (backups should be a critical part of any security system) as well as advanced mods to your wp-config.php file. (BulletProof goes way beyond what we've outlined, but you can read about security-focused mods to your .htaccess and wp-config.php files here.)
The Pro version includes many, many more features, including intrusion detection and quarantine, an auto-restore system, an IP-based firewall (a 'true' firewall) and many other safeguards and file locks. Unique among Pro or Premium versions, it's a one-off cost for as many installs as you require, across multiple sites if necessary, with lifetime updates.
All-in-One WP Security and Firewall
As its name suggests, this plugin boasts both a security module and a firewall (though, in truth, most of the plugins here do, too).
It is not uncommon when using security plugins to find that they make other plugins malfunction. This is simply a matter of what the security plugin is trying to do (protect your site) versus the core functionality of the other plugin's files — some plugins, for instance, need to write to the wp-config.php file in order to work, and this is a file that security plugins usually lock down. And so you get something of a functionality stalemate.
To get around this (at least in part) All-in-one WP Security and Firewall features an easy-to-understand interface and a security 'grading' system whereby the user can choose the level of security desired from basic through intermediate and advanced — this makes it easy to check for plugin mismatches and other incompatibilities, and tweak the settings until you're happy with the blend of security and functionality.
It has an extensive list of features, is well maintained and is regularly updated.
Centrora is a relative newcomer to the WordPress scene, though it's built on open source security software that has been around for some time, namely Open Source Excellence PHP Security. It provides an all-in-one protection solution for WordPress websites, and is able to secure your private data, protect your system files from malicious code and hacking attacks, and clean viruses and infected files.
Among its many features are dual-layer firewall, file upload checking (a must for any security protection system), anti-flooding module which stops frequent, repeated attempts to access your site (as this usually signifies a hacker), embedded virus protection, 10+ firewall rules and 50+ security checks, detailed reports and an easy setup module.
The free version of the plugin doesn't seem as comprehensive as some of the other free plugins out there, but the paid version is full-featured and seems excellent value-for-money.
Sucuri is a security monitoring service (Software-as-a-Service, or SaaS), but they also provide a free WordPress plugin which is why I've included it here.
The plugin offers advanced security monitoring and logging of security 'events' so that you can see, at a glance, all activity on your site. This includes who has been trying to log in, and what changes are being made. This is all logged to an account in the cloud to ensure it's available for analysis should your site be compromised (an attacker who controls the server can otherwise edit or delete local logs).
It also features 'known states' of all core files, plugins and themes that it logs automatically as they're installed as a benchmark for any future analysis; malware scanning using Sucuri's own SiteCheck scanner; security hardening procedures, such as strong passwords, secure database table prefixes and .htaccess mods; and post-hack recovery procedures.
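The 'known states' described above, and Wordfence's comparison of core files against repository copies earlier in this article, are both forms of file integrity monitoring: record a hash of every file while the site is in a known-good state, then compare later. The following is an added example using only the Python standard library; it is not code from Sucuri, Wordfence or any other plugin, and the miniature site it builds in a temporary directory (file names and contents) is constructed for the demonstration.

```python
"""Baseline-and-compare file integrity check (added example, not plugin code).

build_baseline() hashes every regular file under a directory; compare() reports
what was added, removed or modified since the baseline and flags changes to
executable web content, which is the usual shape of injected code.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Executable web content: a change here outside an update window deserves a
# closer look than a change to an image or cache file. Constructed list.
CODE_SUFFIXES = {".php", ".js"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each relative path under root to its SHA-256 hex digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # never follow links out of the document root
            baseline[full.relative_to(root).as_posix()] = sha256_file(full)
    return baseline


def is_code(rel_path: str) -> bool:
    """True for PHP/JS files and for .htaccess (a dotfile has no suffix)."""
    p = Path(rel_path)
    return p.suffix in CODE_SUFFIXES or p.name == ".htaccess"


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots; lists are sorted for stable output."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    suspicious = sorted(p for p in added + modified if is_code(p))
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Snapshot a constructed miniature site, alter it, and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        # Constructed stand-ins for real WordPress files.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y.z';\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed bytes")
        baseline = build_baseline(root)

        # Changes the monitor should catch: an edited config file, an unexpected
        # PHP file in the uploads directory, and a deleted upload.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example'); // edited\n")
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // unexpected file\n")
        (root / "wp-content" / "uploads" / "photo.jpg").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two points the code makes that the prose only implies: the baseline must be stored somewhere the web server cannot write (which is why Sucuri keeps it in the cloud), and a comparison is only meaningful when the baseline was taken from a clean install or right after a verified update, since hashing an already-compromised site simply enshrines the compromise.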
On its own, the plugin is an excellent security measure, but to really lock down your site, you should investigate Sucuri's premium Firewall and Antivirus services.
Other security-focused utilities
There are a few other plugin utilities you might want to consider to really beef up the security of your WordPress site. Some of these may overlap with the security plugins above, and as such may cause functionality issues.
Yoast is everyone's favourite SEO plugin; if you're doing business on the web, you should have Yoast. But we're not here to talk SEO. I've included it in this list as it gives you access to your .htaccess file from the WordPress dashboard, so you don't have to log in to your cPanel or Plesk account. That's kinda handy.
Also made by the creators of WordPress, Akismet is a free subscription-based service that protects you against spam and thus protects your commenting area, which can be a source of security holes. It is installed by default on most new WordPress installs, but it must be activated and you must sign up for an account.
This will lock out a user who makes repeated failed attempts to log in to your site — such activity is usually the sign of a would-be hacker. You can set how many attempts can be made before the user is locked out.
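The lockout rule just described (and the 'anti-flooding' and login-lockout features mentioned for Centrora and iThemes Security above) is a sliding-window counter: once an address has produced N failures within a window, further attempts are refused for a cooling-off period, and a successful login clears the counter. The following is an added example, not code from any plugin in this article; the log line format and the events in SAMPLE_LOG are constructed for the demonstration, and the thresholds are assumptions you would tune to your own site.

```python
"""Sliding-window login lockout over constructed log lines (added example).

find_lockouts() replays login events in order and returns which addresses were
locked out, when, and how many attempts were refused while a lockout was in force.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO-8601 UTC timestamp, event name, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one address hammers the admin account; a legitimate
# editor mistypes once, succeeds, then mistypes again. Documentation-range IPs.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z login_failed user=admin ip=203.0.113.7
2024-03-01T09:00:12Z login_failed user=admin ip=203.0.113.7
2024-03-01T09:00:30Z login_ok user=editor ip=198.51.100.4
2024-03-01T09:00:40Z login_failed user=administrator ip=203.0.113.7
2024-03-01T09:00:55Z login_failed user=admin ip=203.0.113.7
2024-03-01T09:01:10Z login_failed user=admin ip=203.0.113.7
2024-03-01T09:01:20Z login_failed user=admin ip=203.0.113.7
2024-03-01T09:30:00Z login_failed user=editor ip=198.51.100.4
2024-03-01T09:31:00Z login_ok user=editor ip=198.51.100.4
2024-03-01T09:32:00Z login_failed user=editor ip=198.51.100.4
"""


def parse_line(line: str):
    """Return (timestamp, event, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["event"], m["user"], m["ip"]


def find_lockouts(lines, threshold=5, window=timedelta(minutes=15),
                  lockout=timedelta(minutes=30)) -> dict:
    """Replay events; lock an address after `threshold` failures inside `window`."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}               # ip -> time the lockout expires
    lockouts = []                   # (ip, ISO timestamp) for each lockout triggered
    blocked = 0                     # attempts refused because a lockout was active

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate unrelated or malformed lines
        ts, event, _user, ip = parsed

        # While locked out, every attempt is refused, successful or not.
        if ip in locked_until and ts < locked_until[ip]:
            blocked += 1
            continue

        if event == "login_ok":
            failures[ip].clear()  # a real login resets the counter
            continue

        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()      # drop failures that fell out of the window
        if len(recent) >= threshold:
            lockouts.append((ip, ts.isoformat()))
            locked_until[ip] = ts + lockout
            recent.clear()
    return {"lockouts": lockouts, "blocked": blocked}


if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG.splitlines()))
```

Keying the counter by source address alone, as this example does, misses attempts spread across many addresses, which is why the plugins above also count failures per username and why a strong password (point 2 in the summary below) remains the real defence; the lockout mostly cuts noise and log volume.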
Summary and signoff
If you've stayed with us during this three-part series on security, then hopefully we've helped you learn something about the ever-present threat that lurks outside your WordPress doors, and some easily achievable methods to combat it.
1. Don't wait. Do it now.
2. If you don't do anything else, use a strong password for your login.
3. Be vigilant, check for unusual activity, and make sure you always have the latest versions of WordPress and any plugins and themes.
4. Backup. If your site gets hacked it's usually easier, especially for a small business site with non-critical information, to roll back than it is to track down the security breach.
5. If you don't like fiddling under the bonnet, seriously consider installing a security plugin; go one better and use the premium/paid version.
If you're already a customer of saso.creative (and even if you're not), we've got a Special Offer for security audits and security planning. We review many of the potential security breaches detailed in these three articles on WordPress security, provide you with a report of suggested improvements, and implement any or all of those suggestions as appropriate.