WordPress Security and Plug-ins detailed review
Posted by SecurityAuditTeam on May 10, 2016 in Security Blog, Security Testing
WordPress has become the world’s most popular website platform for blogs and generic websites. This is partly due to its flexibility and ease of use, but one thing that often gets overlooked with new WordPress sites is security!
Don’t leave securing your new WordPress website until the hackers come knocking! With the ever-increasing attention of cyber criminals and hackers, no website can ever really be said to be safe!
To help you make your website as secure as possible, let’s take a look at the basic security steps that should be taken and the security-related plug-ins available within the WordPress ecosystem.
The major WordPress Security Vulnerabilities
As with any website platform, security vulnerabilities are potentially rife in WordPress! Secure hosting, a non-default login page URL and strong passwords are just the start.
Here is a list of the major potential security issues:
Web hosting server security vulnerabilities
Theme security within WordPress
Plug-in security within WordPress
Incorrect file permissions
Potential FTP vulnerabilities / back doors
Lack of encryption
No single plug-in covers every possible security hole in a WordPress site, so managing WordPress security effectively is vital!
But what security plug-ins are available and which ones may suit your site? Let’s take a look:
Wordfence plug-in
Wordfence is a comprehensive and powerful security plug-in. It comes in both a free and a paid-for version. The cost of the paid version ultimately depends on the number of licences you are purchasing and how long the licences are active.
Wordfence is not just a standalone piece of software; it comes with support and monitoring from the company that developed it too. Basically, Wordfence servers scan your website for recent file changes, code injections, malware and backdoors. Website scans can be scheduled to run at whatever time you require.
Their ‘Threat Defense Feed’ arms your plug-in with the most up-to-date firewall rules and malware signatures, and even supplies suspect and potentially malicious IP addresses!
Wordfence’s major elements:
Threat Defense Feed
Country IP blocking
Scans for recent file changes
Scans for code injection
Blocks IP addresses
Customisable alerts can be set up
iThemes Security plug-in
iThemes Security provides users with either a free version with limited functionality or a paid version with more comprehensive functionality. This is what it covers:
Monitors core files for changes
Brute force login protection
Two-factor verification and identification
Logs user actions
Login and admin pages can be hidden
Locks out users after too many failed login attempts
Can be set to require secure passwords for specific user roles
Ticket logging system for support
There is a chance that some changes could actually break your website. With iThemes Security, be careful regarding database changes and file path changes! Always back up your website before installing the iThemes Security plug-in and before enabling any of its features, in case mistakes are made.
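The brute force protection and ‘too many attempts’ lockout listed above work on a simple principle: count failed logins per client inside a time window, and refuse further attempts for a while once the count is exceeded. The following is an added illustration of that principle, written for this review; it is not code from iThemes Security or any other plug-in, and the thresholds (5 failures in 300 seconds, 900-second lockout), the keying by client IP address and the constructed credential store are all assumptions.

```python
import time
from collections import defaultdict, deque


class LoginLockout:
    """Lock a client out after too many failed logins inside a sliding window.

    Constructed example: attempts are keyed by client IP address; all
    thresholds are illustrative assumptions, not any plug-in's defaults.
    """

    def __init__(self, max_attempts=5, window_seconds=300,
                 lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock                    # injectable so tests are deterministic
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> time at which the lockout ends

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:             # lockout expired: forget the history
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed login; returns True if this one triggered a lockout."""
        now = self.clock()
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
            return True
        return False

    def attempt_login(self, ip, username, password, check_credentials):
        """Gate one login attempt; returns 'locked', 'ok' or 'failed'.

        A locked client is refused before the password is even checked, so a
        correct guess during the lockout window does not get through.
        """
        if self.is_locked(ip):
            return "locked"
        if check_credentials(username, password):
            self.failures.pop(ip, None)       # success clears the failure counter
            return "ok"
        self.record_failure(ip)
        return "failed"


def simulate():
    """Constructed scenario: five wrong passwords from one address, then the right one."""
    now = [1000.0]                             # fake clock so the run is repeatable
    guard = LoginLockout(max_attempts=5, window_seconds=300,
                         lockout_seconds=900, clock=lambda: now[0])
    users = {"editor": "correct horse battery staple"}   # constructed credential store
    check = lambda u, p: users.get(u) == p
    client = "203.0.113.7"                     # documentation-range address
    outcomes = []
    for guess in ["pass1", "pass2", "pass3", "pass4", "pass5"]:
        outcomes.append(guard.attempt_login(client, "editor", guess, check))
        now[0] += 10
    # the right password arrives while the lockout is active: still refused
    outcomes.append(guard.attempt_login(client, "editor", users["editor"], check))
    now[0] += 1000                             # wait out the 900 s lockout
    outcomes.append(guard.attempt_login(client, "editor", users["editor"], check))
    return outcomes


if __name__ == "__main__":
    print(simulate())
```

Keying purely on the client address is the simplest choice and the one shown here; a site behind a reverse proxy or CDN has to derive that address from the proxy’s forwarded header rather than the socket, and a real plug-in typically counts per username as well, so that one address rotating through many accounts and one account hammered from many addresses are both caught.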
Sucuri Security plug-in
Sucuri Security is a free WordPress plug-in. It is primarily good for quickly alerting you to potential security problems with your WordPress installation.
It monitors and records all activity that takes place within your WordPress installation, keeping a log of it.
Your installation’s files, such as WP themes, plug-ins and the WP core, are all monitored. When you activate this plug-in it first records all files present as an initial baseline. You will then be notified directly when existing files are modified or new files appear.
Let’s look at Sucuri in a nutshell then:
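The baseline-then-notify approach described in this paragraph (and the ‘scans for recent file changes’ and ‘monitors core files for changes’ features listed for Wordfence and iThemes above) is a file integrity check: hash every file once, store the hashes, and later re-hash and compare. The following is an added example of that check, written for this review rather than taken from Sucuri or any other plug-in. The skipped directories, the choice of SHA-256 and the tiny constructed install tree in `demo()` are assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories whose contents change legitimately all the time; they would
# bury real findings in noise, so they are left out of the baseline (assumed list).
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root, skip_dirs=SKIP_DIRS):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in skip_dirs):
            dirnames[:] = []          # do not descend into a skipped directory
            continue
        for name in filenames:
            path = Path(dirpath) / name
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def save_baseline(baseline, out_path):
    """Persist the baseline as JSON; keep this copy outside the web root."""
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(f for f in common if baseline[f] != current[f]),
    }


def demo():
    """Constructed mini install: baseline it, change it, report the difference."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example');\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        baseline = build_baseline(root)

        # Simulated changes: one edit, one new file, one deletion, one new upload.
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'example'); // unexpected edit\n")
        (root / "wp-content" / "dropped.php").write_text("<?php // file that was not there before\n")
        (root / "wp-includes" / "version.php").unlink()
        (root / "wp-content" / "uploads" / "new.jpg").write_bytes(b"\xff\xd8\xff\xe0")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In `demo()` the edited `wp-config.php`, the new `wp-content/dropped.php` and the deleted `wp-includes/version.php` are all reported, while the new image under `wp-content/uploads` is not, because that directory is deliberately excluded. The baseline file itself must live somewhere an attacker who can write to the web root cannot reach; otherwise it can simply be regenerated to match the tampered files.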
New/modified file change alerts
Protects your upload directory from browsing and nefarious PHP execution
Restricts access to wp-content and wp-includes files
Verifies your security keys
Restricts access to the file editor in your WordPress dashboard
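Protecting the upload directory from browsing and PHP execution, as listed above, normally means two things on Apache: a rule that stops the web server listing the directory, and a rule that refuses to serve anything with a PHP-style extension from under it, so a file that somehow lands there can never reach the PHP interpreter. The following is an added example, written for this review rather than taken from Sucuri or any other plug-in: it writes a rule set of that kind and audits an uploads folder for the conditions the rules are meant to guard against. The rules use Apache 2.4 syntax (`Require all denied`; Apache 2.2 used `Deny from all`), assume `AllowOverride` permits these directives in `.htaccess`, and do nothing on nginx, which ignores `.htaccess` files. The extension list, the issue labels and the constructed folder in `demo()` are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Apache 2.4 rules of the kind a plug-in drops into wp-content/uploads/.htaccess:
# no directory listing, and nothing with a PHP-style extension may be served.
# Assumes AllowOverride permits Options and authorization directives here;
# nginx ignores .htaccess entirely. Extension list is an assumption.
UPLOADS_HTACCESS = """Options -Indexes
<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
"""

EXECUTABLE_EXT = re.compile(r"\.(php|phtml|php[0-9]|phar)$", re.IGNORECASE)
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def audit_uploads(uploads_dir):
    """Return (issue, path) tuples for an uploads directory.

    Checks the .htaccess rules first, then every file: PHP-style extensions
    should not exist under uploads at all, and a PHP open tag inside a file
    with an innocent extension (image.jpg) is equally suspicious.
    """
    uploads_dir = Path(uploads_dir)
    findings = []
    htaccess = uploads_dir / ".htaccess"
    if not htaccess.is_file():
        findings.append(("missing-htaccess", ".htaccess"))
    else:
        rules = htaccess.read_text(errors="replace")
        if "Require all denied" not in rules and "Deny from all" not in rules:
            findings.append(("htaccess-does-not-block-php", ".htaccess"))
        if "Options -Indexes" not in rules:
            findings.append(("directory-listing-not-disabled", ".htaccess"))
    for path in sorted(uploads_dir.rglob("*")):      # sorted for stable output
        if not path.is_file() or path.name == ".htaccess":
            continue
        rel = path.relative_to(uploads_dir).as_posix()
        if EXECUTABLE_EXT.search(path.name):
            findings.append(("php-file-in-uploads", rel))
            continue
        with open(path, "rb") as fh:
            head = fh.read(4096)                     # enough to see a leading open tag
        if PHP_OPEN_TAG.search(head):
            findings.append(("php-code-under-non-php-extension", rel))
    return findings


def harden_uploads(uploads_dir):
    """Write the deny rules into uploads/.htaccess; returns the path written."""
    htaccess = Path(uploads_dir) / ".htaccess"
    htaccess.write_text(UPLOADS_HTACCESS)
    return htaccess


def demo():
    """Constructed uploads folder: one real image, one stray .php, one disguised file."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp)
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (uploads / "dropped.php").write_text("<?php // should never be here\n")
        (uploads / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n<?php // PHP hiding in an image\n")
        before = audit_uploads(uploads)
        harden_uploads(uploads)
        after = audit_uploads(uploads)   # rules now in place; the stray files still need removing
        return before, after


if __name__ == "__main__":
    for label, findings in zip(("before", "after"), demo()):
        print(label, findings)
```

The ‘after’ report in `demo()` still lists the two suspicious files: the `.htaccess` rules stop them being executed by the web server, but only an investigation and clean-up removes them, which is why the plug-ins reviewed here pair this protection with file-change alerts.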
All in One WP Security plug-in
All in One WP Security has a useful grading system, making it a doddle to identify the areas where your WordPress website’s security needs attention! There is a dashboard which ranks your existing level of security on a scale according to the security measures that have been enabled.
Basic, intermediate and advanced are the three levels included. Basic features are easy and safe to activate even for novice users. Intermediate and advanced features have the potential to break some of your website’s functionality, so take care!
Sub-menus contain the main security features, together with detailed information regarding what you are changing!
Here is a quick reference list of features:
Manual approval of new user registrations
Disable WP meta information
User account monitoring
Prevention of brute force login attacks
Database prefix management functionality
Named file protection
The ability to edit PHP files from within the dashboard
Blacklisting of users based on their IP address or IP address range
Ability to change the login page URL
Captchas and approved ‘whitelists’
Cookie-based login functionality
Comment spam prevention
Ability to detect file changes
WordPress security plug-ins are very powerful, and care should be exercised in their implementation and usage.
If in any doubt, consider managed WordPress security and secure hosting from the specialists!