WordPress doesn’t have a bad security record compared to other content management systems in its class. An up-to-date and properly maintained WordPress site is as secure as any other CMS. Most hacked WordPress sites are out-of-date or otherwise poorly managed: easy-to-guess passwords are a common culprit.
However, WordPress is much more popular than competing content management systems. Online criminals know that if they find a vulnerability in WordPress, they have the key to millions of websites. Botnets are designed to seek out and compromise WordPress sites because they are so common and because their owners are, on average, less knowledgeable about web security.
A strong ecosystem of plugins has grown in response to the threat WordPress sites face. They are intended to make it easier for WordPress site owners to keep their sites safe.
I’ve been a WordPress user for many years, and I’ve tested dozens of plugins. My favorites change as new plugins are developed and old ones fall by the wayside, but this is my list of recommended security plugins in 2018.
SecuPress is a new addition to the category of all-in-one security plugins that also includes WordFence and Sucuri, both of which are excellent. At the moment, I prefer SecuPress because it has a modern interface and a couple of features that aren’t found in other plugins.
A firewall that blocks suspicious requests.
A security audit tool that creates a report on the security level of a WordPress site.
Brute-force prevention tools.
That’s only a small selection of the available security tools in SecuPress. If you run a WordPress site, I’d strongly urge you to install SecuPress or one of its competitors.
fail2ban, a popular security utility on servers, blocks IP addresses that make repeated failed login attempts. Brute force attacks are an annoyance: they consume resources and — if the site has poorly chosen passwords — can compromise WordPress installations. WP fail2ban limits the damage that brute force attacks can do by preventing repeated failed login attempts.
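To show the kind of rule this plugin enables, here is an added example of my own (not code from WP fail2ban or fail2ban): a short Python script that applies fail2ban's maxretry/findtime sliding-window logic to constructed syslog lines and reports which source addresses would be banned. The exact log message format, the jail settings and the sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (the message format is an assumption, not copied from WP fail2ban).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 wordpress(example.com)[2113]: Authentication failure for admin from 203.0.113.5
Mar  3 10:00:07 web1 wordpress(example.com)[2113]: Authentication failure for admin from 203.0.113.5
Mar  3 10:00:12 web1 wordpress(example.com)[2113]: Authentication failure for editor from 198.51.100.9
Mar  3 10:00:15 web1 wordpress(example.com)[2113]: Authentication failure for admin from 203.0.113.5
Mar  3 10:00:18 web1 wordpress(example.com)[2113]: Authentication failure for administrator from 203.0.113.5
Mar  3 10:00:20 web1 wordpress(example.com)[2113]: Authentication failure for root from 203.0.113.5
Mar  3 10:15:40 web1 wordpress(example.com)[2113]: Authentication failure for editor from 198.51.100.9
Mar  3 10:31:02 web1 wordpress(example.com)[2113]: Authentication failure for editor from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication failure for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_line(line, year=2018):
    """Return (timestamp, user, ip) for a failed-login line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog lines carry no year, so one is supplied explicitly
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_bans(log_text, maxretry=5, findtime_minutes=10):
    """Ban an IP once it has maxretry failures inside any findtime window
    (the same rule fail2ban applies). Returns {ip: ISO time of the ban}."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[2] in bans:
            continue
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:   # slide the window forward
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts.isoformat()
    return bans
```

Running `find_bans(SAMPLE_LOG)` flags only 203.0.113.5, which fails five times in twenty seconds; the slower attempts from 198.51.100.9 never reach the threshold inside a ten-minute window, which is the trade-off a findtime setting makes.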
Move Login is an alternative approach to limiting brute force attacks. It moves the WordPress login page to a different location. Brute force bots are unsophisticated, and moving the login page to an unexpected URL is often enough to stop them in their tracks.
Two Factor Authentication
I take the view that every WordPress website should use two-factor authentication. If a WordPress site has more than a handful of trusted users, it’s a near certainty that one will choose a password that can be guessed easily. Two-factor authentication makes users prove their identity with a piece of information in addition to their username and password. Typically, that is a one-time code sent to a mobile device they control.
The Two Factor Authentication plugin supports several of the most popular TFA services, including Google Authenticator and Authy.
Backups may not seem like a security measure, but if your site is infected with ransomware or other types of malware, you’ll be glad to have an up-to-date copy of your site and its database.
BackupBuddy makes it easy to back up and restore your WordPress sites. It’s a premium plugin, but there are free alternatives, including BackWPup.
There is some cross-over of functionality between the plugins I’ve suggested here today: SecuPress has two-factor authentication tools, for instance. To be sure your site is as safe as possible, take a close look at what each of these plugins does and choose a selection that provides the functionality you need.
Graeme is a writer and content marketer at Nexcess, a global provider of hosting services, who has a knack for making tech-heavy topics interesting and engaging to all readers. His articles have been featured on top publications across the net, from TechCrunch to TemplateMonster.