There’s a plugin for all types of functions: WordPress security, search engine optimization (SEO), accessibility, expressing Phil Collins fandom, and even spawning unicorns. Sticking with website security, there are many attack vectors available to cyber criminals including:
Furthermore, your cyber risk can be increased by the plugins you use or by having too many of them. Either case can degrade overall performance and increase your attack surface, the number of ways an attacker can infiltrate a system. This is why it’s best practice to carefully monitor plugin usage. Only install plugins that perform functions you can’t do yourself in a more efficient manner.
A fully-featured WordPress security plugin is one of them. Because breaches can be performed by people or automated bots, you need something that can help you proactively secure data so you spend less time reacting to intrusion attempts. Great security plugins pick up where server security stops. Below we’ll cover:
- What WordPress Security Plugins Should Do
- Plugin Review
- Best WordPress Security Plugins
What WordPress Security Plugins Should Do
While reading, keep in mind that you may not find a single plugin that does all of these things well. We’ll explain when this is the case along with reputable options, but you should read until the end to better understand what’s best for your needs.
Backups
Why are backups first on this list, you ask? Because nothing else below matters once a hacker gains unauthorized access inside your system. Some features such as log analysis and geo-blocking may slow them down. However, in most cases for a single Linux web server, you’re better off restoring a known backup and auditing your WordPress security measures. Otherwise, they could just monitor your attempts to remove them in real time and adjust their game plan accordingly.
The best backup plugins will allow you to:
- Create backups manually
- Download full WordPress backups
- Schedule backups at times of low traffic (usually night time)
Multi-factor Authentication (MFA)
Rainbow tables are databases of passwords one can use for brute-force password attacks and learning how commonly a password is used. They’re easy to find. The best white-hat example I know is HaveIBeenPwned.com (HIBP) which allows you to see how many breaches included your email address, domain, and password.
Two-factor authentication (TFA) ensures that even if someone correctly guesses your WordPress username and password, they’ll need access to a second attack vector to resume the attack. This is usually an email account or mobile device set up to receive time-based one-time passwords (TOTPs). TFA / MFA helps when password strength isn’t high enough.
Just remember to be conscious of MFA phishing scams.
MFA is stronger when you can also block login attempts based on IP address and geolocation. A firewall feature that authenticates where you are adds a fourth option to the three common authentication factors:
- Something you know
- Something you have
- Something you are
Change Login Page
WordPress malware usually targets “/wp-admin” and “/wp-login” because they are the default login paths. A good WordPress security plugin will allow you to block these pages and the IPs that attempt to access them. Then you can create a custom, obscure login URL instead. Loginizer is popular for its focus on this feature.
Prevent User Enumeration
User enumeration is an attempt to discover login usernames. The easiest way to do this in WordPress is with author pages (/?author=[number]) and the REST API. There are ways to prevent user enumeration without plugins, so this feature isn’t a must-have. However, a WordPress security plugin that makes this easier and redirects attempts to a 404 page deserves consideration.
Bonus points if the WordPress security plugin removes the login error notification that reveals whether a username exists.
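The three mitigations just described (404 for author queries, hiding the REST users endpoint, a generic login error), as an added example that is not code from the original post or from any plugin named here. It assumes a standard WordPress install where the file is placed in wp-content/mu-plugins/ as a must-use plugin; only the WordPress hooks shown (template_redirect, rest_endpoints, login_errors) are relied on.

```php
<?php
/**
 * Plugin Name: Block User Enumeration (added example)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Serve a 404 for /?author=N and /author/<name>/ requests from logged-out visitors.
// Priority 1 runs before redirect_canonical(), which would otherwise resolve
// ?author=N and leak the author slug in a Location header.
add_action('template_redirect', function () {
    if (is_user_logged_in()) {
        return;
    }
    if (isset($_GET['author']) || is_author()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
        $template = get_404_template();
        if ($template) {
            include $template;
        }
        exit;
    }
}, 1);

// Drop the /wp/v2/users routes for unauthenticated clients so that
// /wp-json/wp/v2/users no longer lists user slugs and display names.
add_filter('rest_endpoints', function (array $endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// Replace the specific login errors ("Unknown username", "The password you
// entered for the username X is incorrect") with one generic message.
add_filter('login_errors', function () {
    return 'Invalid username or password.';
});
```

Logged-in users keep author archives and the users endpoint, which the block editor needs; everyone else sees a plain 404 or a generic login failure.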
Antivirus (AV) Scanning
Even if you take measures to secure your PC, your AV scanner may not catch everything. Others with access to upload files to your website may not have a file scanner at all. A WordPress security scanner can complement or even supersede your server AV scanner if it can:
- Do integrity checks with file change management (usually via checksum)
- Quarantine suspicious files and repair WordPress core files
- Ignore files that are modified regularly
- Display history of results for past scans
- Schedule scans at times when backups aren’t taking place and server load is still low
Similar to backups, it may be beneficial to install a dedicated scanner plugin such as WPScan. It connects with WPvulnDB.com to gather related vulnerability reports from various sources including Common Vulnerabilities and Exposures (CVE).
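The checksum-based integrity check from the first bullet above, as an added example (not code from the original post or from any of the plugins it names): a standalone PHP script that records SHA-256 checksums of a WordPress tree in a manifest and later reports added, modified and removed files, skipping directories that change legitimately. The ignore list, root path and manifest file name are assumptions chosen for the example.

```php
<?php
// integrity-check.php (added example)
// Usage: php integrity-check.php build  /var/www/html manifest.json
//        php integrity-check.php verify /var/www/html manifest.json

// Paths (relative to the site root) that change during normal operation.
// Assumed defaults; extend to match the site (e.g. a cache plugin's directory).
const IGNORED_PREFIXES = ['wp-content/uploads/', 'wp-content/cache/', 'wp-content/upgrade/'];

function is_ignored(string $rel): bool {
    foreach (IGNORED_PREFIXES as $prefix) {
        if (strncmp($rel, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Walk $root and return [relative path => sha256 hex] for every regular file.
function hash_tree(string $root): array {
    $root = rtrim(realpath($root), '/');
    $hashes = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        if (!is_ignored($rel)) {
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare a fresh scan against the stored baseline.
function diff_manifest(array $baseline, array $current): array {
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $rel => $hash) {
        if (!hash_equals($baseline[$rel], $hash)) {
            $modified[] = $rel;
        }
    }
    return ['added'    => array_keys(array_diff_key($current, $baseline)),
            'modified' => $modified,
            'removed'  => array_keys(array_diff_key($baseline, $current))];
}

[$cmd, $root, $manifest] = array_slice($argv, 1) + [null, null, null];
if ($cmd === 'build') {
    file_put_contents($manifest, json_encode(hash_tree($root), JSON_PRETTY_PRINT));
} elseif ($cmd === 'verify') {
    $report = diff_manifest(json_decode(file_get_contents($manifest), true), hash_tree($root));
    foreach ($report as $kind => $files) {
        foreach ($files as $rel) {
            echo strtoupper($kind), "\t", $rel, "\n";
        }
    }
    exit(array_sum(array_map('count', $report)) === 0 ? 0 : 1);   // non-zero = drift found
} else {
    fwrite(STDERR, "usage: php integrity-check.php build|verify <root> <manifest.json>\n");
    exit(2);
}
```

Store the manifest outside the web root (or on a separate host) so an intruder who can modify files cannot also rewrite the baseline, and run the verify step from cron at a time that does not overlap your backups.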
Comments, contact forms, and forums are easy ways to embed malicious code if there’s no data input validation. Akismet and the native comment moderation options are good. The ability to add reCAPTCHA or hCaptcha without a standalone plugin: better.
This is a rare feature, but there are some plugins that allow you to adjust file permissions for files at the root level of your site without logging into Secure Shell (SSH) or cPanel. The benefit here is being able to restrict files from bad user agents as a type of mandatory access control (MAC).
Security Information and Event Management (SIEM)
Finally, your WordPress security suite should include log analysis features for tracking changes related to the features mentioned above. This is separate from web analytics applications and plugins which primarily track visitor actions on your website.
High-availability (HA) simply means not completely fault tolerant. If there’s an issue on your web server, your website might go down. You have an issue that needs attention if your website constantly goes down with the infamous WordPress error:
Error establishing a database connection
You can resolve this by setting your wp-config.php file to repair the database automatically. However, you should track when and how often this and similar issues happen to determine patterns that lead to downtime. This can help you decide whether you need to clean your database, upgrade your web hosting plan, or configure caching.
Your WordPress security plugin should have the ability to alert you via email stating:
- When your site went down
- When it came back up
- How long it was down
- A brief explanation of why it might be down
Depending on the error, you may need to adjust caching settings, contact your hosting provider about DoS attacks, or take other proactive measures to secure your data.
Plugin Review
Here are a few factors to consider when browsing WordPress security plugins.
Is it Updated?
When reviewing WordPress security plugin pages, check the “Last updated” and “Tested up to” lines. WP Content Security Plugin allows you to create a CSP HTTP header. However, as of January 2021 the plugin page states:
This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
That’s potentially three versions’ worth of WordPress core security vulnerabilities, and the benefits aren’t worth that risk. In this case, you should use the HTTP Headers plugin instead.
How many active installations does the plugin have? What do the reviews say? How many topics in the forums are resolved or at least answered? These factors help determine if the developer actively maintains the plugin.
Premium or Free
If a WordPress security plugin has both a free and premium version, this should mean the developer is being compensated well enough to maintain both versions for a long time. Since there are great security plugins available for free, the question becomes: what’s special about the paid version of a plugin?
Premium features might include:
- Malware cleanup support
- Incident response assistance after a hack
- In-depth security audit
- Faster updates for AV signatures
Then, you have to ask how much you can trust the development team with your personally identifiable information (PII), debit card info, and private data. Furthermore, you may already have a subscription that handles this, such as the Sucuri web application firewall (WAF).
Test in Staging
The best and safest place to do a plugin review is in a staging site or local development environment. If you don’t have one of those, test the plugin during downtime or a scheduled maintenance session. Check if the plugin conflicts with other plugins you’ve installed:
- Page elements not behaving as intended
- “White page of death”
- Obscure errors
You can resolve issues privately before integrating it on your live site.
Best WordPress Security Plugins
In general, you shouldn’t use more than one WordPress security plugin. However, as mentioned with scanners and backup managers, it can be beneficial to use multiple plugins that enhance security but in unrelated ways.
Cerber Security — Formerly known as WP Cerber, the free version covers the hardening features described above and more, including antispam, reCAPTCHA, and scans. You get the expected additional features in the paid version.
Wordfence — This plugin covers the same features as Cerber Security but with a more user-friendly interface. You get expected features and real-time updates to blacklist and firewall settings in the paid version.
VaultPress — This plugin is a paid security and backup plugin popular for ease of use. The menus and screens are simple to navigate for non-technical users. However, this is not a great choice for multisite (MU) for two reasons. First, each site requires a separate license purchase. Second, the plugin only backs up common files when it is dealing with a network with multiple sites.
Jetpack — Not only does Jetpack integrate with VaultPress, but it’s also a great option for many different functions. Jetpack can help you create and design your site, optimize it for mobile customers, and keep it secure. On the security end, Jetpack is great for stopping brute force attacks and will also inform you of website downtime which you can then monitor to see if it is because of server issues or an actual hack.
Sucuri Security — One of the features that make this such a great choice is that it allows you to continuously (and remotely) scan for malware issues on your website. Unlike many plugins, it also provides you with actions that you can take if a hacker manages to get through.
BBQ Firewall — Formerly known as “Block Bad Queries,” it simply blocks malicious requests such as URLs including SQL injections and executables (.exe). It works well with other security suites but may be unnecessary depending on your primary security plugin.
HTTP Headers — As mentioned before, this plugin helps you create and manage HTTP headers to improve security, privacy, and performance without needing to edit the .htaccess file. Like BBQ Firewall, it works seamlessly with other security plugins. To negate the purpose of this plugin, you’d need to modify your .htaccess file manually.
My personal recommendation:
- Install Cerber Security or Wordfence
- Install Total Upkeep or another backup plugin
- Schedule cPanel backups and/or snapshots depending on your server environment
- Install the HTTP Headers plugin and configure all the security HTTP headers
- Ensure you’re using the latest PHP version and prepare for PHP 8
- Find a way to integrate DNS security extensions (DNSSEC)
- Enhance email authentication
- Implement Brand Indicators for Message Identification (BIMI)