Contrary to what you may have heard, the core WordPress software is very secure.
So why do you hear about other people’s WordPress sites being hacked? Perhaps even you’ve been hacked yourself.
These security breaches occur not because of a vulnerability in the WordPress software, but because of weak user passwords, vulnerabilities in plugins or themes, and not keeping the software up to date.
Still, in today’s world, when big companies like Sony and Apple are getting hacked, nothing is ever 100% secure. So we want to take steps to make our websites as secure as possible.
I’ve gathered 5 of the best security plugins currently available for WordPress. Keep your site secure by adding installing them on your website.
This plugin fixes many issues that leave WordPress sites vulnerable, as well as hardens the security. For instance, it will hide the login and admin pages, remove information hackers use to gain access to your site, scan your site for any vulnerabilities, and make regular backups of your database.
The dashboard for iThemes Security presents a checklist of action items, listed from most important to least. You can then click each item and be taken to a page where you can enable that security option.
There are also a number of advanced options for more experienced WordPress users.
One feature of All in One WP Security & Firewall that I like is a meter on your dashboard that gives your site a score of how secure it is. By adding additional security options, you can increase your score.
This plugin’s interface is not as easy to use as iThemes Security, but offers a couple options better suited for certain sites.
Sucuri Inc. is one of the top experts in website security. In addition to their premium services, they offer this free security plugin.
Here are some of its features:
The Sucuri plugin tracks all activity on your site. This includes when users log in or when changes are made to your site. This way, if there is a breach in security, you’ll be able to review the activity logs and find what occurred.
It will also scan your core WordPress files for any abnormalities. If it finds anything, you can quickly restore a copy of the file to how it’s supposed to be.
Sucuri will even scan blacklist monitoring sites to see if they flag your website for security issues, as this is a high indication that there may be malware on your website.
And finally, Sucuri has a section of suggested actions to take to harden your site’s security. Most of these actions can be completed with just a click of a button.
One of the most common ways hackers try to gain access to your site is through what’s called a Brute Force Attack.
In a brute force attack, bots are sent to your site to try different combinations of usernames and passwords, over and over again—and because it is a computer running the attack, it can try a lot of combinations in a short amount of time.
If a website’s passwords are weak, it’s possible for a hacker to gain access this way.
But even with strong passwords, brute force attacks can cause issues on your site. Because the bots are trying to log in so many times, it can overload the server, which can cause your website to go offline.
To prevent this, BruteProtect identifies these bots and blocks them from your site. If someone tries to log in to your site and fails too many times, their IP address is restricted from you site.
On top of that, BruteProtect has a network keeping track of the IP addresses of these identified bots. So if a bot tries a brute force attack on one website on the BruteProtect network, all websites on the network will start blocking that IP address.
It’s protection taken to a whole other level.
Even the strongest passwords out there are only so strong. There are still methods hackers can use to find your password and gain access to your site.
So, you can begin using 2-factor authentication to log in to your site. This can be easily set up using the Google Authenticator plugin, and here’s how it works: You’ll still have your username and password to log in to your site, but your login form will also ask you for your Google Authenticator code.
On your smartphone, you’ll have the Google Authenticator app which cycles through a sequence of numbers. When you need to log in to your site, just open the app and enter the number that is currently shown.
With 2-factor authentication, even if a hacker finds your username and password, it would be nearly impossible for them to get your Google Authenticator code.
How do you keep your site secure?
Do you have any tips, plugins, or services you use to keep your WordPress website secure? If you do, I invite you to share them in the comments below.