WordPress Security Plugins That Are a MUST to Keep Hackers Away
Making your website secure is not a one-time thing. It’s not a switch you can flip to “SECURE” and then not worry about it again. Web security is built in layers. The point of each layer is to make it a little more difficult for bad actors to get in and do bad things. Our goal is to put up just enough layers so that they give up and move on to a site with fewer layers.
Exactly what is “WordPress Security”?
A lot of website owners I talk to think that WordPress security is a plugin they install or a service they buy. Nothing could be further from the truth. Security is a mindset, not a specific thing. It is something you should think about in every decision you make about your website.
- Want a new theme? What is the theme developer’s reputation security-wise?
- Want to add a new plugin? How secure is it? Have there been any vulnerabilities reported in it?
- Want to hire a new contractor? What do others have to say about their work? Is their code secure?
Every decision you make needs to be wrapped in the question “How will this affect the security of my site?” If you can’t say for sure that the answer to that question is either increase it or at least not hurt it, then you need to re-think the decision.
The other analogy I use a lot is that security is not one specific action, but a series of layers you wrap around your site.
- The top layer is a network firewall
- The next layer is your application firewall (in WordPress, this is usually a plugin)
- The next layer in is strong passwords
- The next layer in is Two-Factor authentication
- The next layer in is moving your wp-admin directory to a different name.
- The next layer in is not using the login name “admin”
- The next layer in is disabling XML-RPC
None of these things by themselves are going to make your site secure. However, all of them together may make your site secure enough that bad actors move on to a site with less security. More good news is that you can nowadays easily secure your website by hosting it with a high-quality hosting partner that commits to security.
You may notice that installing an SSL certificate is not in the list above. This is because having an SSL certificate is what we call “table stakes” these days. This means that it’s not a security measure, it’s something you should do when you set up any and every website. Certificates improve your security and your search engine ranking. Since they are now free, there is absolutely no reason for any website to be running without one. Moreover, on SiteGround, they install free Let’s Encrypt SSL certificates shortly after the creation of each website to make it even simpler for you.
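Three of the layers above (disabling XML-RPC, refusing the login name “admin”, and enforcing strong passwords on anyone above Subscriber) can be implemented in a few lines without a plugin, which is useful for understanding what the plugins discussed later actually do. The following must-use plugin is an added example written for this article; it is not code from the article’s author, from WordPress core, or from any of the plugins reviewed here. The `lh_` prefix, the 14-character minimum, and the extra blocked usernames are assumptions of the example; the hooks (`xmlrpc_enabled`, `illegal_user_logins`, `user_profile_update_errors`, `validate_password_reset`) are real WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Layered Hardening (added example, not from the article or any reviewed plugin)
 * Description: Disable XML-RPC, reject the login name "admin", and require long
 *              passwords for any role above Subscriber.
 * Save as wp-content/mu-plugins/layered-hardening.php so it loads on every request.
 */

// Layer: disable XML-RPC. Core checks this filter before honouring any XML-RPC login,
// so every remote call (including password brute-force via system.multicall) is refused.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Layer: never allow "admin" as a login name. Core consults this filter in wp_insert_user(),
// so the names are rejected at registration and user creation (it does not rename an
// existing account). The extra names are our choice, not a WordPress list.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root' ) );
} );

// Layer: strong passwords for anyone who can manage content.
// Assumption: "strong" means at least 14 characters; tune this to your own policy.
const LH_MIN_PASSWORD_LENGTH = 14;

/**
 * Subscribers are exempt, matching the advice in the article; anyone holding
 * edit_posts (Contributor and above) is not. Handles the two shapes WordPress
 * passes: a WP_User (password reset) or a plain object built from the profile form.
 */
function lh_needs_strong_password( $user ) {
    if ( $user instanceof WP_User ) {
        return $user->has_cap( 'edit_posts' );
    }
    if ( ! empty( $user->ID ) ) {
        $stored = get_userdata( (int) $user->ID );
        if ( $stored ) {
            return $stored->has_cap( 'edit_posts' );
        }
    }
    $role = isset( $user->role ) ? get_role( $user->role ) : null;
    // Unknown or missing role: be strict rather than lenient.
    return $role ? $role->has_cap( 'edit_posts' ) : true;
}

/** Add an error to $errors when a submitted password is too short for this user's role. */
function lh_check_password( $errors, $user ) {
    if ( ! $errors instanceof WP_Error || empty( $_POST['pass1'] ) ) {
        return; // no password change submitted, or an invalid reset key (WP_Error user)
    }
    if ( ! lh_needs_strong_password( $user ) ) {
        return;
    }
    $password = (string) wp_unslash( $_POST['pass1'] );
    if ( strlen( $password ) < LH_MIN_PASSWORD_LENGTH ) {
        $errors->add(
            'lh_weak_password',
            sprintf( 'Passwords for your role must be at least %d characters long.', LH_MIN_PASSWORD_LENGTH )
        );
    }
}

// Profile edits and new users in wp-admin: do_action( 'user_profile_update_errors', $errors, $update, $user ).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    lh_check_password( $errors, $user );
}, 10, 3 );

// The "lost password" reset form: do_action( 'validate_password_reset', $errors, $user ).
add_action( 'validate_password_reset', 'lh_check_password', 10, 2 );
```

Two things worth knowing before relying on this: `illegal_user_logins` only stops new accounts from taking those names, so an existing “admin” user still has to be replaced by hand, and `strlen()` counts bytes rather than characters, which is acceptable for a minimum-length floor but should be swapped for `mb_strlen()` if you want the limit to be exact for non-ASCII passphrases. Any of the plugins reviewed below will do the same work with a settings page instead of a file, which is the trade-off the rest of the article is about.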
What are the best WordPress security plugins to secure each layer of your WordPress site?
Setting up the layers described above will take most people some time. As mentioned before, almost everything can be accomplished these days by non-technical site owners. That having been said, if you are nervous about it or unsure of your ability to commit the time to do things right, hire someone you trust to do it for you.
The network firewall layer is normally handled by your host. If you are using a reputable hosting partner like SiteGround, this will be configured for you. If you are unsure whether your hosting partner provides this service, ask them. If you don’t get a very clear “Yes, we provide you with a network level firewall,” consider finding a new hosting partner.
In the WordPress ecosystem, “Application Firewall” usually means a plugin. There are several good ones with solid reputations to choose from. I don’t usually recommend specific plugins because as soon as I do, someone writes to me to tell me how my recommendations are wrong. Still, since a lot of users have asked me for recommendations about security plugins, I am going to break my rule and make a few recommendations. It is important to note that these are in no particular order.
By the way, most of these plugins do a lot more than just application firewalling:
- Malware scanning
- Security audits
- Security hardening
- Website firewall
Some of the companies behind these plugins also provide malware removal and hacked site cleanup. If you are looking for peace of mind, that’s a great feature to have.
Jetpack is Automattic’s omnibus plugin. It has a lot of functionality and most of it doesn’t deal with security. It does however have some security features built into it. If you already have Jetpack installed, consider purchasing the security features.
If you don’t currently have Jetpack installed and don’t need any of the other features, this might not be the best solution.
Sucuri has been around for a while and has a great reputation. In addition to offering a Web Application Firewall Sucuri offers a lot of other features:
- Malware Removal & Hack Cleanup
- Advanced DDoS Mitigation
- Malware & Hack Scan Frequency
These three features are important and covered by their basic level. All-in-all, Sucuri is a well rounded offering that would be an important layer in any website’s security.
I’ve actually used iThemes before. I am not currently using it, but at the time I was using it, it was one of the best – if not the best – on the market. (It is important to note that I do not think the plugin has degraded in any way; my needs changed.)
The one thing that I remember about this plugin is that its admin page is complex. Make sure you block out a few hours over a couple of days to read and understand every option available to you so that you can make the right decisions. That advice is equally applicable to every security plugin.
Unlike other plugins, iThemes gives you all of the features on every pricing level. The difference in price is based on the number of sites you want to protect.
Though there are plugins available for this layer, strong password support is thankfully built into the WordPress core. I strongly encourage you to enforce strong passwords on any user whose role is above Guest or Subscriber. If they can manage anything, they should have, at the very least, a strong password.
Two Factor Authentication (2FA) is one of the newer technologies to come to the web but it is an important one. Logins and passwords can be stolen online but a phone can’t. By adding 2FA as a layer to your security, you make it impossible for someone to access your site just because they got access to your login and password.
One plugin I’ve used over the years to implement 2FA is WP 2FA. It only does 2FA. If you already have an application firewall that implements 2FA, use that. But if you do not, WP 2FA is a good choice.
…and the rest
For the other layers, however, you still need some help. I’ve tried combinations of dozens of different plugins to implement them and each time something didn’t go quite right. While I love the concept of “one plugin, one feature,” sometimes the plugins don’t play nice with each other and then you end up with a mess on your hands.
That’s why I was excited when SiteGround released their in-house built WordPress Security plugin. It wraps a lot of security layers into one plugin.
SiteGround Security: The All-In-One plugin for WordPress Security
This is a newcomer to the group but it has already become my favourite security plugin. I already have it installed on 4 of my WordPress installs; only one of those is actually hosted with SiteGround.
SiteGround Security comes with a lot of security features. Each of them can be turned on or off without bothering the rest of the features. My favourite 4 features of the plugin are as follows:
- Two-Factor authentication
- Disabling XML-RPC
- Disabling the login name “admin”
- Lock and protect system folders
I’ve installed stand-alone plugins that did each one of these things. Each time I ended up eventually removing the plugin, because either it didn’t do the job the way I wanted it to or it became abandonware and was holding up upgrades of my system.