(Last Updated – 16 August 2018)
I never worried about the security of my website in the initial days of my blogging business.
No one hacked my website, neither I had any virus or malware attacks.
But that does not mean that I did the right thing. I escaped from the hackers because of my luck but that’s not how online businesses are run.
I was very careless about maintaining my website.
Often a times my website became slow or unresponsive because I hosted my website with a cheap web hosting company (GoDaddy). The issues got resolved after I moved my website to a high performance web host (SiteGround).
A good hosting solves most of the performance issues and the basic security comes by default with SiteGround hosting plans.
Chances are still there that we can get into the trouble if we don’t keep our website safe. After all our business (revenue) comes from our website. Loss of every minute of website uptime means revenue loss.
And we can’t afford the data loss at all. Right?
Let’s understand what we need to do to keep our website safe & secure.
Who can hack your website
There can be security threats on your website from two sources.
#1. Hackers (Humans)
If you are not popular then hackers will not target your website.
Hackers target big brands, government websites and people who are earning well from their websites.
However, If your website is hosted on your self-managed servers (dedicated hosting, AWS) then bitcoin miners may hack your machine and use for bitcoin mining.
#2. Bots (Softwares)
The moment you launch your website, lots of automated software tools will start attempting to break your security.
You will start receiving continuous login attempts to your website, spam comments, article submissions and various other un-identified things.
You can install security plugins to keep your website secure.
Tips to Keep Your Website Secure
You must go through the manual health check of your website
#1. Strong Password
Not to mention that you must set a strong password for your website. It should contain Alphabets, Numbers and Special Characters. Never ever use English grammar words or easily identifiable works like your own name or website name as your password. If possible, use non-English words with combination of special characters.
Bad passwords examples – [email protected], password1234
#2. Change default username ‘admin’
By default wordpress installation will give you admin as the username of administrator. All the bots will try to break the password of default ‘admin’ username, better not to user ‘admin’ as username.
You should either change the default admin username at the time of installation or create a new user as administrator and delete the default ‘admin’ user.
#3. Change default login URLs
By default anyone can see the login page at URL yoursite.com/wp-admin
For the safety purpose, you should change the default URL to something else.
What to look for in the best security plugin for your WordPress website
There are different plugins to perform different type of security tasks. If you know your requirements then it becomes easy for you to pick the right plugin for securing your wordpress website. Otherwise you can pick the generic plugin that can perform most of the tasks.
Don’t install all the plugins mentioned in this article as installing unnecessary plugins will slow down the performance of your wordpress website.
For the comparison purpose, we will look at the following things apart from the main features of the plugins.
I also reviewed Best WordPress Email Subscription Plugins
Best Free & Paid WordPress Security Plugins
#1. Sucuri Security
Sucuri is the most popular and full featured security plugin for wordpress. It prevents the website from brute force attacks, scan the entire file system for malware infection and keeps monitoring for any ongoing malicious activities.
The plugin will ask you to get the API code and registration with their website. It’s just a single click process.
After the registration and API access – the plugin will test the website for any malicious activity.
I fell in love with their interface and clean report.
They provide many other options to secure your website
- Scheduled Tasks
- WordPress Integrity Diff Utility
- Ignore Files And Folders During The Scans
- Website Firewall Protection
- Block PHP Files Upload in particular directories
- Default Admin Account
- Plugin and Theme Editor
- Updating security keys
- Setting up alerts
All in all, the plugin has a beautiful interface and easy to understand settings for a layman.
Look at their hardening options.
You can enable and disable security options with a single click.
However, when I tried to enable the Firewall Protection, I got this message, “SUCURI: The firewall is a premium service that you need purchase at – Sucuri Firewall”
I think that’s justifiable. The sucuri is still giving a lot of options to use as free and high level security options are available in the premium version of the plugin.
Their premium plan starts at $16.66/month and that includes SSL certificate from LetsEncrypt.
I bought the SSL certificate for my website at $80 per year, so my effective price becomes half for the premium version of Sucuri after adjusting the cost of SSL certificate.
The complete website protection package includes
- Comprehensive Website Security Monitoring/Scans
- Incident Response Team Security Operations Support
- Website Firewall (WAF) Coverage
Here is the link to get the premium version of Sucuri ($16.66/month)
You can also get just the Sucuri Firewall Website Application Firewall (WAF) / Intrusion Prevention System (IPS) at $9 per month.
Click here to buy Sucuri Firewall ($9/month)
Update Secret Keys Option
Interestingly, they have option to update all the security keys in case your website is compromised for any reason. The hackers won’t be able to access your website with the old security keys.
You may also like to read – Best WordPress Membership Plugins
This is one of the most popular security plugin for wordpress websites – with more than 1,000,000 installs till date.
The plugin will check if your site is infected with any malware or suspicious code. You will get peace of mind after installing Wordfence security plugin as it protects your website from brute force attacks and malware infections.
After installing WordFence, you will see the dashboard showing the status of features, monthly stats and number of threats counts.
And they have additional security measures for the premium users.
“As a free Wordfence user, you are currently using the Community version of the Threat Defense Feed. Premium users are protected by an additional 199 firewall rules and malware signatures.”
Wordfence security plugin did not find any threats on my website.
[Sep 07 07:17:52] Preparing a new scan. Done.
[Sep 07 07:17:52] Scanning for old themes, plugins and core files Secure.
[Sep 07 07:17:52] Scan complete. Congratulations, no new problems found. Scan Complete.
The additional benefits of WordFence plugin
- Web application Firewall (Premium)
- Brute Force Protection
- Login Attempt Limit
- Blocking IPs
- Live traffic with IP, hostname, browser of the users
- Password Audit (Premium)
- Whois lookup
They offer pretty good options in the free version but the interface is not user friendly. No doubt the plugin is popular but it’s most appropriate for the developers rather than a regular user like me & you.
Single license key with 1 year validity costs you $99.
Personal Biased Opinion : If I have to choose between Sucuri and Wordfence then I will pick Sucuri.
#3. iThemes Security
iThemes security will help you change the default admin user name and block the IP address of known hacker website servers.
You will also be secured from brute force attacks. The plugin will send you notifications whenever there is any unauthorised change in your file system.
iThemes offers a lot of options in their free version.
This is how their dashboard looks.
I went through the security check option and enabled brute force protection.
Security check results are below for my website.
- Your site is now using Network Brute Force Protection.
- Changed the REST API setting in WordPress Tweaks to “Restricted Access”.
- Banned Users is enabled as recommended.
- Database Backups is enabled as recommended.
- Local Brute Force Protection is enabled as recommended.
- Strong Password Enforcement is enabled as recommended.
- WordPress Tweaks is enabled as recommended.
They clearly shows you what options are available in the free version and what would you get in their premium version.
The premium version starts at $80 per year, valid for 2 websites.
You will be secured against most of the bots attack that try to exploit the vulnerabilities of wordpress, free themes and loopholes of hosting servers.
Bulletproof security will protect your website from running malicious scripts, SQL injections and brute force attacks.
I installed it on PluginHackers and the setup wizard gave me following report.
It gives this notification after the running the Setup Wizard.
“BPS Setup Verification & Error Checks
If you see all Green font messages displayed below, the Setup Wizard setup completed successfully.
If you see any Red font or Blue font messages displayed below, click the Read Me help button above and read the “Notes” help section.”
I saw all messages in Green so I assume the website is secure as per BulletProof plugin.
They give a lot of other options and everything is free.
- htaccess File Security Modes ~ RBM, WBM, HPF, MBM & BBM BulletProof Modes
- htaccess File Editor ~ Check or edit BPS htaccess files/code manually/directly for testing
- Login Security & Monitoring (LSM)
- Log All Account Logins or Log Only Account Lockouts
- Brute Force Login Protection
- Idle Session Logout (ISL) ~ Automatically Logout Idle/Inactive User Accounts Auth
- Cookie Expiration (ACE) ~ Change the WordPress Authentication Cookie Expiration Time
- DB Backup ~ Full & Partial DB Backups, Manual & Scheduled DB Backups, Email Zip Backups, Automatically Delete Old Backups
- Security Log ~ Logs Blocked Hackers & Spammers ~ HTTP 400, 403, 404, 405 & 410 Logging
Most of the options are beyond the understanding capacity of a normal user.
I am also not a security expert. Tested the security plugin as a regular user like you.
The plugin will offer most of the features that are required by a first time user. Your website will be secured from the brute force attacks and malicious codes that try to steal your website information.
You will see this simple dashboard after installing the plugin
The settings are difficult to understand for the novice user however they have provided a lot of options in the free version
- Taking Backup of .htaccess file
- Default user admin name and password protection
- Limiting login attempts
- Database security and backup
- Filesystem security
- Blacklisting IPs
- Firewall protection
- Protection against brute force
- Spam protection
Their malware scanner option is paid but the rest of the features are free.
That makes them stand out from other plugins which offers the basic features under their paid plan.
But the negative point is that the plugin will not provide you continuous monitoring & prevention from threats.
Overall, it’s a good choice for people who don’t have any budget to spend on security plugins
MalCare really is one of the most comprehensive security plugins that I’ve come across. They automatically check your website for malware attacks daily without any manual intervention which is a big relief for many website owners
Developed after monitoring over 240,000 WordPress sites, MalCare uses this collective intelligence to protect from hackers, malware, and the rest
After installing the plugin in my website, it begins scanning the site automatically. It checks for not only known malware but also for new and complex ones that other security plugins tend to miss
In additional you can also scan your website for Malware attacks manually through One click Automatic Clean Up option
What’s impressive with Malcare is their scanner use AI technology to learn about malware and uses that knowledge to improve itself. Also, all the scanning is done in Malcare’s server hence there is no extra load on our server
This is how Malcare’s Dashboard looks after activating the plugin
Right after the first scan MalCare grades the security of my site and recommends how can I improve it by updating plugins & themes
Cleaning a hacked site has never been easier. The ease with which you can remove malware without needing to have any technical knowledge is impressive
All I need to do is click on the “Auto Clean” button and MalCare begins cleaning the website. It takes a few minutes to complete. This means I don’t have to depend on an external security personnel to do the cleaning nor do I have to share my site credentials
Other notable MalCare features include:
- A Firewall that prevents malicious login attempts and untrusted IPs.
- Update Plugins, Themes, WP Core and keep track of your website users from a single dashboard.
- They have three levels of Site hardening options (Essentials, Advanced & Paranoid) which are very easy to implement through Single Click
- White-labeling MalCare and resell their service at your own price. Also, generate detailed security reports via Client Reporting.
- And take regular Backups (powered by BlogVault) that you can access for up to 365 days.
Malcare comes with free version where you get access to Scanner and Firewall features. To get access to additional features you have to go with premium version.
The premium version starts at a fairly nominal price of $8.25 per month
Malcare has a very clean and easy to use interface without any complicated steps which is great for a non-tech guy.The best part about Malcare is how easy it is to scan and remove malware. If you want to clean your site fast, I’d suggest using MalCare.
#7. Security Ninja
The plugin will automatically check brute force attacks and the strength of your password. You will be able to hide the version of your wordpress from the eyes of hackers.
Free version of Security Ninja plugin will run 48 security tests on your website.
Here is the list
- Check if active plugins have been updated in the last 12 months.
- Check if active plugins are compatible with your version of WP.
- Check if themes are up to date.
- Check if there are any deactivated themes.
- Check if full WordPress version info is revealed in page’s meta data.
- Check if readme.html file is accessible via HTTP on the default location.
- Check the PHP version.
- Check the MySQL version.
- Check if server response headers contain detailed PHP version info.
- Check if expose_php PHP directive is turned off.
- Check if user with username “admin” and administrator privileges exists.
- Check if “anyone can register” option is enabled.
- Check user’s password strength with a brute-force attack.
- Check for display of unnecessary information on failed login attempts.
- Check if database table prefix is the default one (wp_).
- Check if security keys and salts have proper values.
- Check the age of security keys and salts.
- Test the strength of WordPress database password.
- Check if general debug mode is enabled.
- Check if database debug mode is enabled.
- Check if display_errors PHP directive is turned off.
- Check if WordPress installation address is the same as the site address.
- Check if wp-config.php file has the right permissions (chmod) set.
- Check if install.php file is accessible via HTTP on the default location.
- Check if upgrade.php file is accessible via HTTP on the default location.
- Check if register_globals PHP directive is turned off.
- Check if PHP safe mode is disabled.
- Check if allow_url_include PHP directive is turned off.
- Check if plugins/themes file editor is enabled.
- Check if uploads folder is browsable by browsers.
- Test if user with ID “1” and administrator role exists.
- Check if Windows Live Writer link is present in pages’ header data.
- Check if wp-config.php is present on the default location.
- Check if MySQL server is connectable from outside with the WP user.
- Check if EditURI link is present in pages’ header data.
- Check if Timthumb script is used in the active theme.
- Check if the server is vulnerable to the Shellshock bug #6271.
- Check if WordPress core is up to date.
- Check if automatic WordPress core updates are enabled.
- Check if plugins are up to date.
- Check if there are deactivated plugins.
- Check if the server is vulnerable to the Shellshock bug #7169.
- Check if admin interface is delivered via SSL
- Check if MySQL account used by WordPress has too many permissions
- See who logged in, from where & what they did
- Verify integrity of all core files
- Scan the database, plugin & theme files for malware
And the results of my website when I run the security tests.
My website failed at 18 security tests.
On clicking details, tips and help button, the plugin shows the solution that can be applied manually.
Some of the solutions may not possible on the shared web hosting but I have not tried to fix all the issues reported by the Security Ninja.
The plugin has 5 other option tabs
- Core Scanner
- Auto Fixer
- Malware Scanner
- Event Logger
- Scheduled Scanner
But all the options are available in Pro version.
The free version will just show you the issues and a recommended solution. But if you really want to fix the issues automatically and protect your website from future threats then a paid version will solve your problem.
However, it’s worth trying the free version of Security Ninja, just to see how many errors are pointed out by the plugins.
And what can you fix manually.
Acunetix will perform the basic security checks and help you secure your website against brute force attacks. You can change the permissions on files and change the default messages that user see on wrong password attempts.
I read the good reviews when I was researching about the best wordpress security plugins.
But I did not felt like installing the plugin on my website when I saw that the plugin has not been updated for past 2 years.
Yet, Acunetix WP Security offers the basic level of protection for the websites.
The plugin checks for security vulnerabilities and suggests corrective actions
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
I included the plugin in the list so that you know that Acunetix was referred as one of the best plugin by WordPress experts and it does it’s work (happy users are saying that).
The plugin is totally focused on protecting your website from any virus or malware attacks. It’s useful for people who are running their websites on windows server as most of the viruses attach windows.
You may need protection from malwares, adwares, hidden links, redirection, spywares and other bad code that may be hidden in plugins & themes that we install from any random developers.
#10. Google Authenticator
This plugin solves a single problem of unauthorised access to your website by any hacker.
The user will be enforced for double authentication after installing this plugin on your wordpress website. The first step would be using correct username/password and the second step would be authentication through a text/voice or mobile app.
VaultPress is a combination of backup and firewall protection for your website. You can get those as a combo or separate package depending on your requirement.
The plugin will scan your files and keep you protected against the threats from malwares.
No matter at which business level are you – A security plugin is must for your wordpress website.
Almost all the plugins provide Protection against brute force attacks (DDos attacks) and basic website health monitoring. All In One Security Plugin will do all the work that is expected from a free plugin.
But if you have an annual budget of $100 to spend on the security of your website – then Go with Sucuri Security (Two options – Securi Firewall $9/month and Complete Protection $16.66/month)
If your requirement is purely Virus & Malware protection then you should pick WP Antivirus Site Protection.
I will update the article after a few weeks after hearing your thoughts in the comments. Let me know if you need any more clarification about the security plugins.