There are already thousands of articles about WordPress security out there. What’s good, what’s bad… everyone has an opinion about what to use to secure WordPress. I thought I would take a little time here to talk about my own experiences with security as I have built websites for clients. Some of this might seem repetitive, but like I said, these are my experiences with securing WordPress.
The first issue, as everyone knows, is that WordPress is OPEN SOURCE SOFTWARE. Anyone can read the code and look for ways into it. That is numero uno on the list of security issues. Keep WordPress up to date. Whether you’re using a one-click install program from your hosting company like Softaculous or you have a managed WordPress hosting package, make sure it’s up to date.
The other issue is plugins. I have gone onto websites and seen as few as three plugins running the site and as many as 128 plugins running on one site. Let me spell that out: ONE HUNDRED AND TWENTY-EIGHT PLUGINS. Talk about creating backdoors and letting the hacking world into your website. The big problem with plugins is that third-party developers do not take the time to secure their code as well as they should. The more plugins you are running, the worse your security is going to be (let alone your website speed and bandwidth).
Here are a couple of plugins that I have used over time and for different reasons:
An oldie but goodie. Bots look for the wp-login.php file and try to brute-force their way in through it. Renaming it is good, and this was one of the main ones I started with back in the day. However, most security plugins now have the ability to rename this page built in.
I won’t list everything this one does, but it has a firewall, IP blocking, login blocking and more. It’s not too bad, and I will usually run it in conjunction with another one. It does not offer malware scanning, and I have had sites hacked that had this plugin on them alone.
A step up from the Shield Security plugin, in my opinion, is this plugin, which will do A LOT of what is needed: database security, firewall, login security, comment captcha, etc. This is a good plugin. However, I have had some issues with plugin conflicts, as well as some sites on a crappy hosting package that have trouble running it. The solution, more often than not, is to have a caching plugin in place.
Another plugin I tried near the beginning does many of the things that All in One WP Security and Firewall does, but I found that the alterations it makes to the .htaccess file can screw some things up.
A damn good plugin with malware scanning and a firewall as well as IP blocking. The free version updates its malware definitions every 30 days, but the premium version updates them daily.
I have some clients on GoDaddy hosting who use its security scanner, and it is OK. It does not clean up as well as it should, but it at least lets you know if there is a hack on your site. There is also Sucuri, which offers a plugin that is free from the WordPress Plugin Repository as well as a premium version. I use Sucuri from their website and run the site check function. The plugin setup can get a little complex, especially for a layperson who does not want to fiddle with advanced settings.
1- You can take this advice or shun it and blast me with comments, but I think the best option for security is installing”
2- Again, this is my opinion, and I have yet to see anyone really, really lock down their site and not get hacked. Like I mentioned at the beginning, WordPress is open source software. Joomla, Drupal, Foundation6, etc. are constantly updated to fix security holes.
3- Use as few plugins as possible to get the job done, and use other cloud-based solutions.
4- Use an SSL certificate on your site even if you are not selling anything.
5- BACK UP YOUR SITE REGULARLY. Most hosting companies have backup capability built in.