This lesson is a part of the Free Crucial WordPress Plugins Course by TemplateMonster.
Hi, WordPress users! Do you want to make your website more secure? Let’s find out what you can do about it as we continue our Free Crucial WordPress Plugins Course!
Table of contents:
- Why Security Plugins Are So Important for WordPress?
- How to Secure WordPress Site: 10+ Tips
- Best WordPress Security Plugins Are Waiting
- Guide to Install and Configure Wordfence – Free WP Security Plugin
- Conclusion
Why Security Plugins Are So Important for WordPress?
There is little need to explain why you should take care of your WordPress website protection. Modern sites are keys to the privacy, income, and success of their owners. If they are hacked, there is a big leak of information. That’s why we are all interested in strengthening the security of our websites and those we build for our clients.
Still, there is a frequent question: do pages based on WordPress need extra security measures? Today WordPress is trusted by the great majority of people, so it has to be as safe as possible, and the efforts to strengthen WordPress protection are not baseless. First of all, it’s really widely used. Secondly, its open-source code is available to everybody, including those who intend to attack a WP site. That is the reason for the increased attention hackers pay to this platform. Losing sleep over it (no jokes!), they create different malicious programs to take control of your blogs, online stores, corporate pages, and so on. Hackers simply know where the greatest number of top-notch sites (read “profitable businesses”) are concentrated. They understand that their owners make money from them, and exploit the situation to their advantage.
So, what can you do to ensure better security for your site? Of course, provide it with a good WordPress security plugin. Such a plugin will scan your pages for potential vulnerabilities and fix them within a click. In view of this, we propose 10 tips to protect your WP website. After that, we will pick out a free plugin for you.
PROFESSIONAL VIEWS
If you have a website that you've put a lot of time, effort, and money into, then it's highly advised that you use some sort of security plugin to protect it. I've had to learn the hard way, where a few of my sites were hacked and I had to nuke all of them.
When it comes to choosing a good WordPress security plugin, I recommend looking for one that has quite a few testimonials as well as helpful features. It's best to go with a solution that you know will have your back should something go wrong.
Premium plugins can certainly be better than free versions, however, it's going to depend on what your specific needs are. If you're looking for support along with the plugin, then you'll usually want to get the premium version in case you need more specific help with anything.
First off, I am a long time customer of Template Monster, and it's saved me so much time working off your templates than building them from scratch!
It's critical to think about security on WordPress, because most builds use a myriad of open-source plugins, and each one increases the potential attack surface of the site. When users (or bots) on the web visit a typical WordPress site, the site's web server interacts with a database to read or write data. This architecture is vulnerable to SQL injections, or attacks at the webserver layer that can bring the site down.
So how can we achieve this modern and super secure architecture, while enjoying all the benefits that WordPress provides? Wordfence does a great job of securing traditional installations and provides a firewall. It's certainly a great solution for many WordPress sites, but that model can never provide as secure of an environment as a static site, simply because the attack surface is minimized.
WordPress is a very popular blogging platform and most websites are powered by it. Some of the most influential blogs in the world use WordPress as their content publishing platform. As always with the internet, hackers also target WordPress-based websites. Although WordPress has its own security features, as we use third-party themes, links and plugins to make the page more interesting, it may hamper the security of our site. One cannot stress enough the need for good firewall protection against malicious attacks on WordPress sites. A good security plugin keeps a close eye on everything happening on the site from file changes, logins, and importantly, failed login attempts.
Starting a blog, e-commerce website or small business website requires an upfront investment in articles, services, and products such as hosting, themes, plugins, and website development. This does not include any help you need to hire, such as customer service representatives or salespeople.
This initial investment alone is enough to secure your website from the start. But more importantly, you can be sure that you're not forgetting to protect the potential money you'll earn in the future.
By default, the WordPress Core has some security measures, but it's nothing compared to what a serious security plugin will do for you.
How to Secure WordPress Site: 10+ Tips
Everyone can strengthen their WordPress website security. And, today, we’ll show you how easy it is. Let’s start!
#1. Keep your WordPress site up-to-date
This is the first and most important step to improve WordPress security. If you want a clean, malware-free website, you need to make sure your version of WordPress is up-to-date. This tip may seem very simple. However, only 22% of all WordPress installations run the latest version.
Automatic updates have been available since WordPress 3.7 was released. Yet, they cover only small security updates. In case you don’t know how to update WordPress manually, take a look at these services.
#2. Use secure login username and password
#3. Turn on 2-step verification
2-step verification brings extra security to your login page. After confirming the username, it adds another step that must be completed for successful authorization. You probably already use this to access mail, online banking, and other accounts. Why not try 2-step verification on WordPress?
Although this may seem complicated the first time, all you need to do is install the 2-step authentication mobile app and configure it for your WordPress website.
#4. Turn off PHP error reporting
PHP error reports can be quite useful if you develop a WordPress website and want to make sure everything works correctly. However, showing errors to everyone can lead to serious problems with your WordPress security.
You should resolve this as soon as possible. Have no fear! You don’t have to be tech-savvy to turn off PHP error reporting on WordPress. Most hosting services provide this option. If not, just add the following lines to your wp-config.php file.
#5. Use WordPress themes or templates only from reputable places
All over the Internet, there are thousands of plugins and templates for WordPress. Users can get them for free by downloading files. They don’t know that most of them are infected with malware or contain insecure links.
To avoid website crashes in the future, think about security today. The reasons to save money are clear, of course, but free templates can cost you more than you could have ever imagined. So, before downloading a free WordPress theme or site extension, do check its provider. Do not choose products from third-party services. Luckily, only trusted WordPress security plugins are gathered in our tutorial.
#6. Choose only quality hosting for your WordPress site
Statistics show that more than 40% of WordPress sites were hacked because of holes in the security of their hosting accounts. This should encourage you to transfer your WordPress website to more secure hosting.
When choosing a host, make sure your account will be isolated from other users and there is no risk of infection from other sites on the server.
#7. Make backups as often as possible
The largest sites also get hacked, despite the fact that their owners spend thousands to improve their security. Even if you follow best practices for securing WordPress, you still need to back up your site regularly. Learn more about WordPress backup plugins in Lesson 1. Hopefully, you’ve already successfully passed it!
#8. Turn off file editing
As you probably know, WordPress allows editing PHP files from the admin panel. This feature is as useful as it can be harmful. If hackers gain access to your control panel, the first thing they pay attention to is the File Editor. Some WordPress users prefer to turn off this feature completely. This can be done by editing the wp-config.php file. Just add the following code:
define('DISALLOW_FILE_EDIT', true);
In case you want to re-enable this function, use the FTP client or File Manager of your hosting and delete this code from the wp-config.php file.
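Tips #4 and #8 both come down to a few lines in wp-config.php. The Python script below is an added example, not code from this lesson or from WordPress: it checks a wp-config.php for the file-editor setting above and for error display. Because the lines for tip #4 are not shown on this page, it assumes the standard WP_DEBUG, WP_DEBUG_DISPLAY and display_errors settings; both sample configs are constructed.

```python
import re

# Constructed sample wp-config.php contents (not taken from a real site).
WEAK_CONFIG = """<?php
define('DB_NAME', 'wp');
define('WP_HOME', 'http://example.test'); // the URL holds // inside a string
define('WP_DEBUG', true);
// define('DISALLOW_FILE_EDIT', true);  commented out, so it has no effect
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'wp');
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
@ini_set('display_errors', 0);
define( 'DISALLOW_FILE_EDIT', true );
"""

DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]*?)\s*\)""", re.I)
INI_RE = re.compile(
    r"""ini_set\s*\(\s*['"]display_errors['"]\s*,\s*['"]?(\w+)['"]?\s*\)""", re.I)


def strip_php_comments(src):
    """Remove //, # and /* */ comments while leaving quoted strings intact."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":                        # copy a quoted string verbatim
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):          # block comment
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif src.startswith("//", i) or ch == "#":   # line comment
            end = src.find("\n", i)
            i = n if end == -1 else end        # the newline itself is kept
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def is_on(value):
    """True for the PHP spellings of an enabled flag: true, 1, 'On'."""
    return value.strip("'\" ").lower() in ("true", "1", "on")


def audit_wp_config(src):
    """Return a list of findings; an empty list means both tips are applied."""
    code = strip_php_comments(src)
    consts = {}
    for name, value in DEFINE_RE.findall(code):
        consts.setdefault(name, value)   # PHP keeps the first define() of a constant
    findings = []
    if not is_on(consts.get("DISALLOW_FILE_EDIT", "false")):
        findings.append("file editor enabled: DISALLOW_FILE_EDIT is not true")
    debug = is_on(consts.get("WP_DEBUG", "false"))
    # WordPress treats WP_DEBUG_DISPLAY as true when it is not defined.
    display = is_on(consts.get("WP_DEBUG_DISPLAY", "true"))
    if debug and display:
        findings.append("errors shown to visitors: WP_DEBUG is on and "
                        "WP_DEBUG_DISPLAY is not false")
    ini = INI_RE.search(code)
    if ini and is_on(ini.group(1)):
        findings.append("errors shown to visitors: display_errors is "
                        "switched on with ini_set()")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or "no findings")
```

To check a real site, pass the text of its wp-config.php to audit_wp_config() instead of the sample strings.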
#9. Monitor people that register on your website
To keep an eye on your website visitors, you can try Google Analytics. Google Analytics is a simple but effective tool for tracking user behavior on pages. By installing JavaScript tags (libraries), a site owner receives information about the pages a user has visited. In order to "remember" what the user did on them and when, the Google Analytics JavaScript libraries use HTTP cookies.
#10. Do not store useless files
Inactive extensions can cause a serious threat to the security of your site. Therefore, feel free to delete all unused plugins and themes.
#11. Regularly check your local computer for viruses
While enhancing the security of your WordPress site, don’t forget about your personal computer. Install an antivirus program on it and keep it updated. Otherwise, you risk infecting your website with virus files from your PC.
#12. Limit the number of access attempts
Most often, hackers make repeated attempts to guess the password to your site. You can configure the system to block the IP address for several hours after a certain number of failed login attempts.
For this purpose, plugins such as Login LockDown or Limit Login Attempts were created. They provide options to set the number of login attempts and the blocking time. Moreover, with these plugins, you can turn off the message about an incorrect username and password. This really is necessary, as this information can also help a hacker.
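The lockout behaviour described in this tip, shown in Python as an added example (it is not code from Login LockDown, Limit Login Attempts or this lesson). The thresholds, the LoginLimiter class and the sample events are assumptions made up for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values; the plugins let the site owner choose their own.
MAX_FAILURES = 5            # failed logins allowed inside the window
WINDOW_SECONDS = 15 * 60    # period over which failures are counted
LOCKOUT_SECONDS = 3 * 3600  # "several hours" of blocking once the limit is hit

# One message for every refusal, so the response never reveals whether
# the username or the password was the wrong part.
GENERIC_ERROR = "Login failed."


class LoginLimiter:
    """Hypothetical per-IP limiter: counts recent failures and blocks the IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> times of recent failures
        self._blocked_until = {}              # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # block expired: forget it
            del self._blocked_until[ip]
            return False
        return True

    def attempt(self, ip, now, credentials_ok):
        """Return (allowed, message) for one login attempt at time `now` (seconds)."""
        if self.is_blocked(ip, now):
            # Even a correct password is refused while the block is active.
            return False, GENERIC_ERROR
        if credentials_ok:
            self._failures.pop(ip, None)      # a success resets the counter
            return True, "OK"
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                  # drop failures outside the window
        if len(recent) >= self.max_failures:
            self._blocked_until[ip] = now + self.lockout
            recent.clear()
        return False, GENERIC_ERROR


# Constructed events: (seconds since start, client IP, credentials correct?).
# 203.0.113.9 guesses passwords quickly; 198.51.100.4 is a user with one typo.
EVENTS = [
    (0, "203.0.113.9", False), (10, "203.0.113.9", False),
    (20, "203.0.113.9", False), (25, "198.51.100.4", False),
    (30, "203.0.113.9", False), (40, "203.0.113.9", False),
    (50, "203.0.113.9", True),    # a correct guess, but the block is already active
    (60, "198.51.100.4", True),
    (40 + LOCKOUT_SECONDS, "203.0.113.9", False),  # block expired, counting restarts
]


def replay(events, limiter=None):
    """Feed the events through a limiter and return which attempts were allowed."""
    limiter = limiter or LoginLimiter()
    return [limiter.attempt(ip, ts, ok)[0] for ts, ip, ok in events]


if __name__ == "__main__":
    for event, allowed in zip(EVENTS, replay(EVENTS)):
        print(event, "allowed" if allowed else "refused")
```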
#13. Use WordPress security plugins
Quality modern plugins are the main answer to how to secure a WordPress site. They will help you scan your website for malware and protect it from hacking attempts.
So, if you want to strengthen the security of your WordPress site without using code, then you are in the right place. We would like to draw your attention to the best free WordPress security plugins. You will not regret choosing one of them.
PROFESSIONAL VIEWS
Failure to prioritize your WordPress site security and online security measures could seriously hurt your business. Online criminals are always on the hunt for data belonging to you and your customers to steal. As a matter of fact, your website could be completely deleted or even worse things can happen. This is why having a WordPress security plugin installed on your site is incredibly important. Worthwhile security plugins have a price tag, but there are a few that come with limited functionality for free so it's really important to understand what each plugin is going to do for you before you choose. Ultimately, it is about figuring out the best way to secure your website. I use Sucuri which I think is the best free WordPress security plugin available today. It offers lots of amazing features for free but the paid pro version is even much better if you can afford it. Some features that make Sucuri a great choice for me include:
- Effective security hardening.
- Keeps track of everything that happens on your site, including file changes, last logins, and failed login attempts.
- Sends instant notifications when something is wrong with your website.
- Reduces server load time and improves your site’s performance by blocking malicious traffic.
- Lets you conduct malware scanning.
- Advanced DDoS protection is available through some plans.
- Great customer service support.
To power up the security of your website, there are 3 basic things that you should always do. First, invest in good web hosting. Cheap web hosting merely invests in its servers. What are you expecting from them? I had an experience where I was using cheap hosting and my website had a ton of traffic. It got hacked, not that one website but all the websites hosted on that server. The second is using a CDN. A paid CDN is better but free does no harm. The third is to install a security plugin. There are a lot of security plugins and you can choose any of them but make sure they have the above-mentioned features. Other than that, arrange to take backups of your website. Not one backup but at least 3 backups. One from the past day, another one from last week and the third one from the 15th day. Do not rely just on the web hosting provider's backup.
For our website and other web properties, our first line of defense is making sure our team members have a unique username and a complicated password with no dictionary words. By far the most common attack we see happening (dozens of times a day) is the brute force attack. Some hackers just stick a computer in their closet and set it to try to guess passwords on sites all day and all night. And you'd be shocked how often they succeed, mostly because they find a site that has a simple username and password, such as the username "admin" and a password with something out of the dictionary. The most common ones tried on our site are some combination of 1234 and the words, "blah," "sex," "password," "god," and "developer." The most commonly tried usernames are actual names, like "Paul," "Sharron," etc.
Our second line of defense is Wordfence, which I love. It runs a firewall (which is extra protection, because our hosting provider also has a firewall). The firewall allows us to manually block IP addresses, which I do once a week at least. Also, it shows us a log of failed logins.
Our third line of defense is good server-side security software, provided by our hosting provider.
There's no excuse for not having a security plugin as there are plenty of free options out there and most have a simple install process with very little configuration needed. The two key features of any security plugin are the firewall and malware scanner. The firewall is quite simple, it identifies and blocks malicious traffic from reaching your website. The malware scanner checks core files, themes, and plugins for malware and anything else that should not be there.
Of course, a premium version of any security plugin would be preferred as it will have more features and will increase the security of your website. But should you be in a position that you can't afford the premium version, the free one should do just fine.
Best WordPress Security Plugins Are Waiting
WordPress security can be enhanced with thousands of apps. Still, which plugin is worthy of your choice? Those we’ve listed below are among the most popular WordPress plugins. They will make your website as safe as possible for free.
It’s time to look closer at them!
Sucuri Security – Auditing, Malware Scanner and Security Hardening
Sucuri is a solid website security company and a leader in WordPress protection. The plugin has wide functionality that provides a full cycle of WordPress security, including the prevention of hacking attacks. Every user will find an option that fits their expectations and budget.
In order to use the free version of this plugin, generate a free key right after installation. To do this, click the “Generate API Key” button in the blue block at the top. Then verify that the entered data is correct and send your request.
The real gem for Sucuri customers is that it offers to clean up websites infected with malware at no additional cost.
You can also buy the paid version and benefit from its plans. They come with the best protection, the WordPress firewall, which helps block malicious attacks.
Just imagine, the Sucuri Internet firewall filters out bad traffic before it reaches your server. Beyond security, their CDN DNS-level firewall gives you tremendous performance improvements and speeds up your site.
iThemes Security
The iThemes Security plugin is a well-known way of securing WordPress. It’s also one of the best free WP plugins, with 900 000+ active installations.
Like other tools of this kind, iThemes Security aims to protect your site from future hacking attempts and check its current condition.
Speaking generally about the functions of this security plugin, we would single out the following:
- hiding and removing potentially vulnerable elements;
- website protection from attacks;
- WordPress database monitoring for sudden changes, locks, and so on;
- making backups.
All In One WP Security & Firewall
All In One WP Security is a very powerful and handy plugin. It’s supplied with everything needed to find malicious software and prevent hacker attacks. You can download it for free.
This security plugin includes login blocking functions. It also filters IP addresses, monitors file integrity and user accounts, scans suspicious templates, and much more.
Moreover, All In One WP Security is equipped with a modern firewall. However, it sometimes requires you to enter suspicious IP addresses into the blacklist manually.
Anti-Malware Security and Brute-Force Firewall
Anti-Malware Security is another useful plugin you may need when securing your WordPress site. The plugin comes with actively supported definitions that help you find the most common threats.
With this plugin, you’ll quickly scan all the files and folders on your site for malware, backdoors, and other threats.
To work with Anti-Malware Security, create a free account on the company website. After that, you will get access to the latest definitions, as well as some premium features.
BulletProof Security
The BulletProof Security plugin has been known to WordPress users for many years. And today, it still gets timely updates of its great features.
It comes with the Setup Wizard. The settings panel includes links to extensive documentation. This will help you understand how to secure your WordPress site with BulletProof.
This plugin also boasts a software scanner that checks the integrity of WP files and folders. It includes login protection, disconnection of wait times, a database backup utility, and others. Plus, you can set up email notifications in security logs and receive alerts when a user is blocked.
Cloudflare
Cloudflare is widely used for its free CDN service, which also includes basic protection against DDoS attacks. However, the free version of this security plugin doesn’t come with a firewall. To enable it, you need to pay for a Pro subscription. This will also enhance the overall performance of your WordPress website.
As for the optimization and caching of pages on CDN, it can speed up the loading of your site.
The main disadvantages of Cloudflare are:
- no website scanning;
- this plugin doesn’t remove a site from blacklists;
- no monitoring of changes in files and alerts about such changes.
Security Ninja – WordPress Security Plugin
We couldn’t help but check this trusted security plugin for you! The interesting thing about Security Ninja lies in the way it works: it connects directly to a database of malicious IPs. The database contains more than 600 million unsafe addresses that can be completely prohibited from entering a site.
The plugin has many settings you’ll find useful while securing your WordPress website. It can prevent various types of attacks, including brute force attacks, attacks on the database, and so on.
Moreover, there are 2 scheduled scanners, event logs, notifications by e-mail, and database optimization.
As for the built-in firewall, it works at the server level. This allows using a minimal amount of resources.
PROFESSIONAL VIEWS
A good security plugin should have the following features:
1. It should ensure the login security of your WordPress website using 2FA.
2. It should monitor the live site traffic and automatically block IPs based on X number of failed login attempts
3. It should notify the admin through email if someone accesses the WordPress admin area
4. It should provide a Web Application Firewall (WAF), malware scanner, and brute force protection
5. It should scan all plugins, themes, and files for malware and suspicious spam activity
6. It should display a security score for the website along with steps to improve the security score.
Before choosing a WordPress security plugin, make sure it has Real-Time Surveillance. With real-time surveillance, the plugin stays awake 24/7/365. So whenever someone tries to inject any malicious code or tries to log in to your WordPress Dashboard, the plugin will automatically block that IP. Along with that, you will always get an alert via email so that if anything is going wrong, you can take timely precautionary steps. One more thing that is associated with that is the 'Website Scanner'. There should be an inbuilt website scanner that automatically scans the website at intervals and tells me if something is wrong with other plugins installed on my WordPress site, public.html folder at the backend, core file changes, or modifications, Spam Check and other important stuff that can hamper your security.
Security plugins are important for WordPress websites because WordPress sites account for a large portion of the entire Internet. Hackers know that anyone can start a WordPress website and not everyone will take the time to secure it. A security plugin can stop most automated attacks like a brute-force login. They can also require that users have strong passwords, making it harder for people to login by guessing passwords.
Premium security plugins will always come with more bells and whistles, but the truth is, the free versions of Wordfence or iThemes Security will provide you more security than most WordPress websites on the web. We find that using these plugins in conjunction with Cloudflare's free DNS and protection services will keep most people's websites safe. A determined hacker will get into anything eventually - even Big Tech can't stop everyone.
Security plugins are a must for any website, not only for your protection but for the protection of the reader. When it comes to choosing the right security plugin for your WordPress site, I tend to look at reviews from other users, not only will this show where the security is strong, but also where there are gaps that it may overlook. I believe that features of a good security plugin include attempted changes to your page, spam comments, and unwanted and attempted access. Although there are many more features to look at, these are some of the key points that can affect every angle of how the website runs. When it comes to paid versions, I think they are worth the money you pay for extra features, I tend to pay for customer service rather than additional features in the plugin, this way, I am the first to get the updated patches, and if any issues arise, I can contact the support team at any time of day or night, wherever I am in the world.
Guide to Install and Configure Wordfence – Free WP Security Plugin
The better the protection a service or plugin offers, the more expensive it is. Some consider Sucuri to be the best WordPress plugin of its kind. It offers comprehensive website protection and lots of perks included in the premium plan. However, the free version of this security plugin doesn’t come with a firewall. There is also no connection to the CDN network and no guarantee to get your site restored if it is hacked. Still, Sucuri is a perfect tool for those who are ready to pay. What do you think?
With this in mind, we would like to present a free WordPress security plugin with extended potential. And, of course, by following our step-by-step guide, you’ll learn how to install and use it.
So, we’ve chosen Wordfence. Let’s discover why!
Wordfence Security – Firewall & Malware Scan
Wordfence is an extremely popular WordPress security plugin. The current number of its active installations is 3+ million. Isn’t it impressive? The plugin was released in 2012 and still gets lots of attention from new users. This can be easily explained, as Wordfence is always timely updated and powered with all the necessary modern features.
Although it can slow server loading, the plugin boasts quite a lot of benefits. Most importantly, they are all provided in the free version.
For no costs you can get:
- the effective scanner for malware;
- automatic threat detection and analysis (but you can also run a full scan at any time);
- warning of any security breaches (plus, you will receive instructions to resolve them);
- the built-in WordPress firewall, at last.
The firewall monitors the appearance of malicious code on a site, file changes, and SQL injections. It protects your WordPress from DDoS, brute force, and other types of attacks.
Wordfence is a firewall at the local server level. What does this mean? It blocks malicious traffic as soon as it reaches a server (before the site loads).
Now, let's move on to the very use of Wordfence!
Free Wordfence WordPress Security Plugin Tutorial
To start working with Wordfence we need to install it!
Step #1
Go to the Plugin Directory in your WP admin panel (“Dashboard” → “Plugins” → “Add New”). Our hero, as well as other plugins of this kind, won’t hide from you when you type “security” in the search. Having noticed Wordfence, tap “Install Now” → “Activate”.
Step #2
You should now see the Wordfence setup screen. The first thing the plugin wants you to share is your email address. That’s really important: if something happens to your WordPress site security, you’ll be informed by email.
After that, you’ll be prompted to enter a license key. This step is for owners of the premium version. We’ll skip it and get Wordfence activated.
Step #3
In the panel, click on “Wordfence”. You’ll be offered a tutorial you can take. For now, let’s move on without it. Choose “Click here to configure” to adjust the Web Application Firewall.
This action should also let you download a backup of the .htaccess file. Then, tap “Continue”.
Step #4
Having got a notification about the installation success, go back to the Dashboard. Soon you’ll notice that it’s the most visited screen of Wordfence. It gathers all the settings of the Firewall. Scrolling them down you’ll find out how handy this WordPress security plugin is.
The Firewall will scan the security of your WP website, find possible loopholes, and notify you automatically. Clicking on “Help” will provide you with info on how to fix problems that may happen to your site with Wordfence.
Step #5
Now, select the “Global Options” button, and let’s explore together what it offers.
First of all, there are plenty of possibilities to customize the menu up to your comfort. Decide and mark if you need “All Options”, “Blocking”, and “Live Traffic” menu on hand.
As for the “General Wordfence Options”, they are quite necessary and responsible for updates, IPs, and different extra layers of security. There is even the recommendation to hide your WordPress version, disable code execution for the uploads directory, and others. You can learn more about every option on your own, as they all are provided with descriptions. It’s also better not to change the default settings. As soon as you finish, tap on “Save Changes”.
Step #6
How to scan your WordPress website for malicious software? This plugin works fully automatically. Still, if you feel like scanning your site manually, with Wordfence you’ll achieve it in a few clicks. So, pick out “Scan” → “Start New Scan” and wait a little.
Finally, check the “Results Found”. If something is wrong with your WordPress security you’ll be provided with well-commented details and the magic button “Delete File”. Isn’t it easy and quick? Try it on your own and share your opinion with us!
And, YES, Wordfence is made to protect WordPress sites automatically. You can spend time on other things being sure that the plugin will alert you having noticed any threat. More than that, it will provide you with a solution.
PROFESSIONAL VIEWS
I cannot imagine my WordPress websites without Wordfence anymore. I use the features regularly to ensure the security of my pages.
The Wordfence Scan is for me the most important feature of this plugin for WordPress Security. With it, you can check several important security factors with one click. After scanning the WordPress installation you will get a list of possible dangers. Especially changed files are listed here. Changes in files do not necessarily have to be errors and can often be ignored. But it is also a good method to detect malicious code in a WordPress theme.
Wordfence is one of the most popular WordPress security plugins in the world. It’s used by hundreds of thousands of WordPress site owners because it offers a number of free features that other WP security plugins do not. For instance, Wordfence includes a firewall with tools to block users manually, or by location. It also offers brute force protection, real-time threat defense, and a web application firewall. Wordfence scans your WordPress site and blocks malware, real-time threats, and spambots. It’s an easy-to-use WordPress security plugin even for novices.
Conclusion
Even though WordPress is the most hacked CMS in the world, improving its protection is not so difficult. Hopefully, you agree with this having passed this lesson. As well, now you know how to secure a WordPress site.
In this guide, we’ve disclosed to you 10+ tips, shown the best WP security plugins, and the tutorial on Wordfence.
As you see, security plugins are essential for your WP website. Yet, we can’t help but remind you to follow WordPress updates, regularly change passwords, and make backups.
Meet you soon in the next lessons!
Best WordPress Security Plugins 2020 FAQ
Such modern tools like WordPress security plugins provide automatic website scanning for malware. They notify users if there is a hacking attack attempt and malicious files. These plugins help prevent any kind of security threat and also fix current problems.
For websites that present really big businesses premium versions of WordPress security plugins are better. They are more intuitive and safe when you have to deal with skillful hackers.
Well, the best WordPress security plugins (most of them) provide free and paid versions. Start from a free one and decide if it’s enough for your website. It’s also no secret that the best options can often be found only in premium tools. However, a lot depends on your website's popularity and the income it brings.
The firewall (WAF - web application firewall) works as a filter between a website and traffic. A firewall monitors traffic and blocks malicious code before it reaches a site.
It’s highly recommended to install one security plugin on one WordPress website. Multiple active WordPress security plugins can cause errors.