
WordPress Security and Plug-ins detailed review

Posted on May 10, 2016 in Security Blog, Security Testing

WordPress has become the world’s most popular website platform for blogs and generic websites. This is partly due to its flexibility and ease of use, but one thing that often gets overlooked with new WordPress sites is security!

Don’t leave securing your new WordPress website until the hackers come knocking! With the ever-increasing attention of cyber criminals and hackers, no website can ever really be said to be safe!

To help you make your website as secure as possible, let’s take a look at the basic security steps that should be taken and the security-related plug-ins that are available within the WordPress ecosystem.


The major WordPress Security Vulnerabilities

As with any website platform, security vulnerabilities are potentially rife in WordPress! Secure hosting, variable login pages and strong passwords are just the start.

Here is a list of the major potential security issues:
 Website hosting Server security vulnerabilities
 Theme security within WordPress
 Plug-in security within WordPress
 Database security
 Incorrect File permissions
 Potential FTP vulnerabilities / Back doors
 Lack of secure Encryption

No single plug-in covers all possible security holes in WordPress sites, so managing WordPress security effectively is vital!

But what security plug-ins are available and which ones may suit your site? Let’s take a look:

Wordfence plug-in

Wordfence is a comprehensive and powerful security plug-in. It comes in both a free and a paid-for version. The cost of the paid version ultimately depends on the number of licenses that you purchase and how long the licenses are active.

Wordfence is not just a standalone piece of software; it also comes with support and monitoring from the company that developed it. Basically, Wordfence servers scan your website for any recent file changes, code injections, malware or backdoor exploits. Website scans can be scheduled to run at whatever time you require.

Their ‘Threat Defense Feed’ arms your plug-in with the most up-to-date firewall rules and malware signatures, and even supplies suspect and potentially malicious IP addresses!

Wordfence major elements:
 Two-factor authentication
 Threat Defense Feed
 Malware detection
 Country IP blocking
 Scans for recent file changes
 Scans for code injection
 Blocks IP addresses
 Customisable alerts can be set up

iThemes Security plug-in

iThemes Security provides users with either a free version with limited functionality or a paid version with more comprehensive functionality. This is what it covers:
 Monitors core files for changes
 Brute force login protection
 Two-Factor verification and identification.
 Logs user actions.
 Login and Admin pages can be hidden
 Locks out ‘too many attempts’
 Can be set to require secure passwords for specific user roles.
 Ticket logging system for support.

There is a chance that some changes could actually break your website. With iThemes Security, be careful with database changes and file path changes! Always back up your website before installing the iThemes Security plug-in and before enabling any of its features, in case mistakes are made.

Sucuri Security plug-in

Sucuri Security is a free WordPress plug-in. It is primarily good for quickly alerting you to any potential security problems with your WordPress installation. It monitors all activity within your WordPress installation and keeps a log of everything that takes place.

Your installation’s files, such as WP themes, plug-ins and the WP core, are all monitored. When you activate this plug-in, it first records all files present as an initial baseline. You are then notified directly of changes to existing files and of new files when modifications occur.

Let’s look at Sucuri in a nutshell, then:
 New/Modified File change alerts
 Protecting your upload directory from browsing and nefarious PHP execution
 Restricts access to wp-content and wp-includes files
 Malware scans
 Blacklist monitoring
 Verifies your security keys
 Restricts access to the file editor in your WordPress dashboard.

All in One WP Security plug-in

All in One WP Security has a useful grading system, making it a doddle to identify areas where your WordPress website security needs attention! There is a dashboard which ranks your existing level of security on a scale according to the security measures that have been enabled.

Basic, intermediate and advanced are the three levels included. Basic features are easy and safe to activate, even for novice users. Intermediate and advanced features have the potential to break some of your website’s functionality, so take care!

Sub-menus contain the main security features, together with detailed information about what you are changing!

Here is a quick reference list of features:
 Firewall protection
 Manual approval of new user registrations
 Disable WP Meta information
 User account monitoring
 Prevention of Brute Force login attacks
 Database prefix management functionality
 Named file protection
 The ability to edit PHP files from within the dashboard
 Black-listing of users based on their IP or range of IP addresses
 Ability to change the login page URL
 Captchas and approved ‘whitelists’
 Cookie based login functionality
 Comment spam prevention
 Ability to detect file changes

WordPress security plug-ins are very powerful, and care should be exercised in their implementation and usage.
If in any doubt, then consider managed WordPress security and secure hosting from the specialists!
