WordPress sites are a popular target for hackers. This is not because the core code of WordPress is insecure, but because it’s such a common platform (WordPress now powers 30% of the web) and because many website owners make silly security mistakes, like not keeping up to date with new versions of WordPress core and plugins.
Reports from WordPress security software company Wordfence show that the sites they monitor are attacked up to 30,000,000 times a month! Of course, most of these attacks would be unsuccessful, but as Wordfence monitors only a tiny proportion of all the WordPress sites out there, it’s an indication of how frequently sites are attacked.
Why Worry about Hackers?
You may think only businesses and big websites need to worry about website security, but this couldn’t be further from the truth. In fact hackers often target small sites because they’re usually less secure.
It’s not only valuable business sites that are attacked either. Sites are hacked for various reasons including:
- It’s a ‘fun’ challenge for the hacker
- To install malware that infects the computer of visitors to your site
- To steal your personal data or that of customers or users of your site
- DDoS attacks to overload your website until it goes offline
- Vandalizing your site for personal or political reasons
- Inserting spam links for their own SEO purposes
- Using server resources to run a botnet.
Sometimes it’s very obvious when your site is hacked, but other times it’s more subtle and you may not even notice for months or longer.
So how do you secure your site against hackers and make sure you don’t become a statistic?
There are a few things you can do yourself – making sure you’re using a reputable webhost, installing WordPress core and plugin updates promptly, and only using strong passwords are all recommended for a start.
To give your site an extra level of security and some peace of mind for you, I highly recommend using a security plugin. These plugins not only make sure your site is set up securely but also actively detect and block attacks, so you can take appropriate action if your site is being targeted by hackers.
All in One WP Security & Firewall is a simple and easy-to-use security plugin that’s great for beginners and anyone who wants to make sure that their WordPress site is safe and secure.
On the dashboard you can easily see the security status of your site at a glance with the clever use of a “security strength meter” so you can clearly see how making changes in the plugin improves your site security.
You’re also given a list of critical features that you can simply activate to give your site the recommended level of basic security.
The visual information continues on each settings page, where you can see a badge and a score. As you make changes to your settings, you can see how this affects your security score.
A file scanner makes it easy to see if your site has been infiltrated by hackers and you can also set the system to automatically scan for suspicious file changes.
Other features include:
- Login lockdown and monitoring
- Blacklist users by IP or other criteria
- Improved database security
- Set file permissions to secure settings
- Firewall protection to block malicious scripts
- Brute force attack protection
- Comment spam blocking and prevention.
This really is an all-in-one solution for your WordPress site, and it offers an incredible number of features for a completely free plugin.
Wordfence is a company that’s solely dedicated to WordPress security. Their security experts continually analyze the latest threats and develop protection rules, which are fed directly to the WordPress security plugin.
As in All in One WP Security & Firewall, visual progress meters show the security of your site in different areas at a quick glance.
The Wordfence security plugin offers four main functions:
- A web application firewall to block malicious traffic
- Real-time threat defense feed
- Block brute force attacks
- Block countries
- Advanced manual blocking.
- Malware scanner
- Real-time threat defense feed
- Check IPs for spam generation
- Check if site is Spamvertized
- View blocked attacks
- View Google crawl activity
- View bots and crawlers
- View logins and logouts
- View human visitors
- Cell phone sign in
- Repair files
- Comment spam filter
- Monitor disk space
- Get detailed IP info
The Wordfence plugin is particularly good at monitoring your site in real-time so you can see if anything suspicious is going on. You’ll also be protected from threats quickly thanks to the threat defense feed.
Wordfence is available as both a free and premium plugin priced at $99 a year. The real-time threat protection is only available in the premium version, along with some other features.
Bulletproof Security is another all-in-one security plugin that offers various features and different types of protection so you don’t have to mess around with installing multiple plugins.
Let’s be honest, this plugin is pretty ugly! But don’t let that put you off. It actually offers some advanced security features and is ideal for more experienced WordPress users who want the option to fine-tune settings.
- Malware scanner
- Login security
- Database backup
- Anti spam
There’s a basic free version of the plugin, or you can upgrade to the premium version for a one-off payment of. The premium plugin includes additional features such as:
- Auto-restore and quarantine
- Database monitor
- Plugin firewall
- Protection of WordPress uploads directory
- Automatic monitoring and alerts
- Advanced security tools
Bulletproof Security is not quite as user-friendly as some of the other options, but there’s a setup wizard that you can use to activate all the default settings in less than a minute.
Sucuri offers both a WordPress plugin and a real-time monitoring and protection service so you can recover from attacks quickly.
The Sucuri dashboard instantly alerts you via clear red or green color coding whether your website has passed security tests, and gives you clear instructions on what to do if there are any security concerns.
The free plugin includes the following features:
- Security activity auditing
- File monitoring
- Malware scanning
- Blacklist monitoring
- Security hardening
- Post-hack security
Users upgrading to the premium plugin for $9.99 a month also have access to a full website firewall to protect their site from malicious scripts and traffic.
The free version of Sucuri is very user-friendly and is good at detecting attacks. However, beyond the basic WordPress hardening steps it takes, without the firewall it’s less thorough at tightening up security than some of the other plugins.
This security plugin from the team at iThemes is a popular option with over 900,000 active installations, and offers over 30 ways to protect your WordPress site.
It’s available as both a free and a pro version (from $80 a year). The free version includes:
- Security check
- 404 exploit detection and blocker
- Disables access to the WordPress dashboard on a schedule
- Ban IPs and users
- Database backups
- File change protection
- Brute force protection
- Strong password enforcement
- WordPress security tweaks.
There’s a one-click “secure site” button that will run all the basic security features.
The pro version also includes additional features:
- “Magic links” for username lockout
- Malware scan scheduling
- Password expiration
- Privilege escalation
- Two-factor authentication
- User security check
- User logging
iThemes Security includes some interesting security features for WordPress users that aren’t included in other plugins, but you’ll have to upgrade to the paid plugin to take advantage of most of them. It’s a particularly helpful plugin for strengthening security on sites with multiple users.
Tightening WordPress Security is a Must for Everyone
If you run a WordPress site, it’s your responsibility to make sure it’s secure. These plugins can help you to do that but you still need to stay on top of software updates and make sure to review your security settings regularly.
Sometimes it can be a little overwhelming to make sure security is top notch when you’re running multiple websites, and that’s when these plugins can really come in useful to take some of the hard work out of your hands.
Another option is to opt for a managed WordPress hosting service. Managed hosting not only ensures your sites are secure but will also back up your sites and recover them quickly if they are ever hacked.