WordPress now powers over 27% of all websites. That's a testament to its flexibility, ease of use and the loads of free plugins and themes that are available. But it also means WordPress has a gigantic target on its back from malicious hackers and bots.
They’re constantly scanning for outdated installations and zero-day vulnerabilities. Brute-force login attacks hit even the most lightly-trafficked sites.
It's become absolutely imperative that site owners take extra security measures. Some of that is done at the server level, but there is plenty you can do within WordPress itself. In fact, there is a plethora of free plugins out there that will harden WordPress and provide you with an extra layer of protection.
Let’s have a look:
With over one million active installs, Wordfence is one of the most popular plugins out there. It will routinely scan your install for malicious code and has a real-time firewall that will help secure your site from known (and unknown) threats.
Advanced features like IP blocking and brute-force login protection can give site owners some peace of mind. The premium version includes country blocking, two-factor authentication and the firewall is updated in real time.
The WordPress jack-of-all-trades, Jetpack has added some great security features in recent years. Brute-force login protection is included (and it will proudly display how many malicious login attempts have been thwarted on the WP Dashboard).
There’s also a single sign on feature that works with your WordPress.com account. Paid plans add spam blocking, malware scanning and more.
This is a security suite (in plugin form) that will protect your site with brute-force protection, file change detection and strong password enforcement for users, and it will even help you run your entire site over SSL. A Pro version enables malware scanning, password expiration and much more.
Clef offers a unique method of adding two-factor authentication to WordPress. Users will need the Clef mobile app to scan the “Clef Wave” animated pattern that appears on your login screen with their phone. It’s password-less authentication. It also acts as a single sign on that can work across multiple sites.
This plugin will scan your site's user accounts to ensure that a user's username and display name aren't identical – a common way bots harvest valid login names. User registration can also be set to require admin approval, meaning you'll have the ability to reject accounts you don't trust.
You’ll also find brute-force protection, a firewall, malware scanning and protection for configuration files.
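The username/display-name check described above can also be done without a plugin. The following must-use plugin is an added example and not code from any of the plugins in this article; it assumes the standard `get_users()`, `admin_notices` and `user_profile_update_errors` APIs and a hypothetical file path of `wp-content/mu-plugins/display-name-audit.php`.

```php
<?php
/**
 * Plugin Name: Display Name Audit (example, not a published plugin)
 * Description: Flags accounts whose public display name equals the login username.
 */

// Return the users whose display_name matches user_login exactly.
// Such accounts leak a valid username to anyone who can read a byline.
function dna_find_exposed_users() {
    $users = get_users( array(
        'fields' => array( 'ID', 'user_login', 'display_name' ),
    ) );

    return array_values( array_filter( $users, function ( $u ) {
        return $u->display_name === $u->user_login;
    } ) );
}

// Show administrators a dashboard notice listing affected accounts.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $exposed = dna_find_exposed_users();
    if ( empty( $exposed ) ) {
        return;
    }
    $names = array_map( function ( $u ) {
        return esc_html( $u->user_login );
    }, $exposed );
    printf(
        '<div class="notice notice-warning"><p>%d account(s) use the login username as display name: %s</p></div>',
        count( $exposed ),
        implode( ', ', $names )
    );
} );

// Refuse profile saves that would set the display name equal to the username.
// $user is the stdClass WordPress builds in edit_user(), carrying both fields.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( isset( $user->display_name, $user->user_login )
        && $user->display_name === $user->user_login ) {
        $errors->add(
            'display_name_equals_login',
            'Display name must differ from the username so the login is not shown publicly.'
        );
    }
}, 10, 3 );
```

Drop the file into `wp-content/mu-plugins/` and it loads automatically; existing accounts are only reported, so fix those by editing the user's display name in the profile screen.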
Spam account registration can be a dangerous thing for a WordPress website. WP-SpamShield helps to eliminate registration spam, along with comment/trackback/pingback/contact form spam. The great thing is that it does so without using annoying CAPTCHA fields.
BulletProof Security will provide extra security for your site’s .htaccess file, logins, auth cookie expiration and allow for database backups. You can also set a time limit on idle WordPress sessions, which will log the user out of the system after a specified period of inactivity.
One of the absolute best things you can do for security is to enable SSL on your site. Once you've acquired an SSL certificate and installed it on your server, Really Simple SSL will make sure your WordPress install is configured to run under https.
Formerly known as WordPress Simple Firewall, this plugin will automatically block out malicious URLs and requests. It will also protect your blog from spambot comments and adds two-factor authentication.
One of the telltale signs that a site is running WordPress is the use of the default /wp-admin/ and wp-login.php URLs. Hide My WordPress allows you to safely rename these login gateways to help avoid automated attacks aimed at those paths.
Note that you should use caution when enabling more than one security plugin. Some can conflict with each other and lead to either a crashed site or a major performance hit. If you do plan to use more than one security plugin, do some research to see how they coexist.
Stay Safe Out There
While there is no silver bullet for securing WordPress (or any other CMS), there are steps you can take to thwart malicious attacks. Most bots and hackers are looking for easy targets. Using a security plugin makes things much more difficult to crack.