When it comes to security, good enough is not enough. That’s why you should always go for a premium WordPress security plugin/service.
There’s no denying that on the whole, premium WordPress plugins offer much more value over the free ones. But even among the premium plugins, there are some that are on top of the food chain. They might be expensive, but they have a unique impact on your business, and any WordPress website worth its salt cannot do without them.
This post is about four such amazing plugins and services. But first, let’s step back a little and talk about this dark art known as web security.
Why should I care about Web security?
Hmmm, good question.
It’s hard to get yourself excited about security when your business is growing, and your website is doing great month after month. Now, you know that your business is 100% digital — those few files residing on a public computer somewhere is what makes your business all that it is.
And believe it or not, it’s a very shallow foundation to be banking your entire future on. New libraries, software, and features are being pushed out every week, but the state of security is very much where it was ten years ago (there are still several nasty ways to bring down a web app).
This is particularly true for WordPress, which doesn’t have a confidence-inspiring architecture from a security standpoint.
For you, the business owner, the risk is colossal — losing everything you have built over the years within a few seconds. Think about it — the business will come to a screeching (or silent) halt, customer complaints and anger will mount exponentially, and there will be nothing to do.
Even if you have multiple and frequent backups of everything and can restore the site, the damage to your reputation will be irreversible.
In other words, please, please, for the sake of your business and its reputation, act before it’s too late. By using one or more of the suggestions in this post, you’ll be able to take care of 99% of the weak links in your defense chain (as for the remaining 1% everyone has them). Take charge of your WordPress website security.
Okay, enough of rabid motivation; let’s get on on the suggestions. 😛
SUCURI is a cloud firewall, CDN, monitoring, and DDoS protection; all rolled into one.
It’s a decoupled, platform-neutral service that works with any CMS or web setup out there, most notably WordPress, Joomla, Drupal, and Magento.
Head over to their pricing plans, and you’ll find lovely deals. What caught my eye was the $199.99 per year plan, which has everything you could ask for (hack scanning, blacklist monitoring, DDoS protection, CDN, SSL, firewall), along with twelve-hour response time and 30-days money-back guarantee! :-O
For a website that’s making a few thousand dollars a month (or year) and can at any time lose it all to a stupid, automated attack? Not at all!
Wordfence is a kind of household name by now, being one of the best freemium plugins out there. Even after 2+ million active installations, it retains a near-perfect rating and is the number-one-thing-to-install for experienced WordPress admins.
But the real joy of this plugin is in the premium version, where you get a very useful firewall and eye-popping good features (IP filtering, country-blocking, backdoor scanning, to name a few).
The icing on the cake is the reporting dashboard that is available right from your WordPress admin menu.
Price? $99 per website per year. C’mon, you have to be kidding me?!
iThemes is a known name in managed WordPress hosting, but they also have an amazing premium security plugin called iThemes Security. It’s another batteries-included offering that contains some unique and useful features. I feel compelled to take a pause and quickly discuss a couple of them.
File change detection: WordPress is (almost) all about files and what’s contained in them. When a plugin is added, it adds its files; when the core is updated, several files are replaced; and so on. This means if someone has gained access to your website and is installing malicious code, file changes are one of the first things to look for.
404 detection: The greatest threat to most websites is not from determined hackers, but from bots that persist with their mindless but thorough attacks. For instance, a WordPress bot designed to hack would start by searching for key URLs in a setup that can be compromised.
For instance, it might search for /admin, /members-only, /private, and so on, hoping to find a page that grants access to the site after the password is broken. But since this bot can only guess and comb through the options one by one, it will generate a lot of 404 (not found) requests on the server.
In other words, it’s asking to be blocked, which is something iThemes Security does well.
Honestly, the number of features are too many to be all discussed here, so I encourage you to visit the site and have a look.
If you’re a freelance WordPress developer, you can protect up to 10 websites for $127 per year. That’s $12.7 per year for one site. Impossible to believe!
There’s no doubt you’ve heard of Cloudflare before; it’s one of the top (or the top?) names when it comes to high-performance CDN. I mean, unless you’ve researched CDNs on your own, Cloudflare is probably the first thing that comes to mind, or the first name that someone recommends, when it comes to a CDN.
What you may not know, however, is that the pro plan is an industry-grade security offering that’s used by the likes of Discord, Crunchbase, Udacity, ZenDesk, Cisco . . . Okay, I’ll stop before my brain explodes!
Cloudflare is not tied to just WordPress but works with all. It’s an extremely serious, high-performance offering for businesses that have things moving at a mad scale and cannot afford any weakness at all, no matter how minute.
The pro plans are expensive, with the basic one being at $20 per month, but does contain nice features like image optimization and mobile optimization. So, if you’re at a scale where the laws of (computer) physics are no longer obeyed, and nothing less than a howitzer will do, Cloudflare is the answer.
Keep your WordPress website free from malware with Malcare plugin.
Being infected with various threats is relatively easy these days with the growing amount of hackers and spammy sites, so it’s always good to be prepared. Fortunately, plugins such as MalCare instantly remove malware from your sites either manually or automatically, depending upon your preferences.
The great thing about this plugin is, it gets up and running within a minute. And on top of that, it won’t slow down your website because it performs the scans on their servers.
Even if your website is already hacked and infected, MalCare can fix it possibly in under a minute without manipulating any of your clean files. Since prevention is better than cure, their algorithm can detect even the most sophisticated threats that might grow up to be a considerable danger to your data and assets. It goes on to block them in real-time as soon as the detection is done.
Aside from these features, it also has extras that can turn out to be super useful for you, such as:
- Bulk website update, which includes theme, plugins, and others
- Hardening your website using best security practices
- Collaboration with team members for better protection actions
- Captcha-based smart login to prevent bad bots from attempting to barge in
Add this reliable plugin to your WordPress website and sit back, knowing hackers stand no chance to manipulate your property.
Google Authenticator for WordPress is a simple plugin that lets you enable two-factor authentication. The authenticator app is available for iPhone and Android devices.
You can activate two-factor authentication per user basis on top of a regular password.
WP Security Audit Log
WP Security Audit Log helps to log every single event on your website. It also works with WordPress multisite. By using this plugin, you can ensure security, productivity and organize your workflow.
The plugin has more than 70,000+ active installations and is a must-have tool for WordPress administrators and security professionals.
- Tracks almost every activity on your WordPress site
- Tracks user activities such as password change.
- Reporting is accurate to milliseconds.
- Records IP address.
WPS Hide Login
WPS Hide is a lightweight plugin that lets you easily change the admin login URL. Deactivating the plugin brings your site back exactly to the state it was before.
Changing an admin URL would be a good idea to hide the login page from an attacker to avoid automatic brute-force attacks.
BulletProof Security offers a Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more.
This plugin has a one-click setup wizard where you can secure your site in a few clicks.
- MScan malware scanner
- .htaccess protection
- Idle session logout
- Login monitoring, logging, and security
- JTC anti-spam protection
- Inbuilt firewall
BulletProof plugin also has a PRO version with more security coverage.
Cerber Security defends your site against hacker attacks, spam, Trojan, and malware.
Mitigate brute force attacks by limiting the number of login attempts through the login form XML-RPC / REST API requests or using auth cookies.
- Permits or restrict access by White IP access list and Black IP access list with a single IP, IP range, or subnet.
- Automatically detects and moves spam comments to trash or denies it completely.
- Citadel mode for massive brute force attacks.
- Protection against DDOS attacks.
- Hides wp-login.php and wp-signup.php from possible attacks.
- Immediately blocks an IP or a sub-net when attempting to log in with a non-existent username.
The plugin is free.
Block Bad Queries
Block Bad Queries or BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request strings.
This is a simple yet perfect solution for sites that are unable to use a strong .htaccess firewall.
Some of the key features are:
- Helps block SQL injection attacks.
- It scans all incoming traffic and blocks bad requests.
- Provides statistics such as the number of hit counts for every pattern and bar graph of all count data.
- Helps block directory traversal attacks.
Anti-Malware Security and Brute-Force Firewall
Anti-Malware Security and Brute-Force Firewall run a complete scan to remove known security threats and backdoor scripts automatically.
It has a Firewall that blocks SoakSoak and other malware from exploiting the Revolution Slider and other plugins.
- Disable XMLRPC
- Prevent brute-force and DDoS attacks
- Core files integrity checks
Anti-Malware Security and Brute-Force Firewall is open-source software and hence free to use.
All In One WP Security & Firewall
The All In One WP Security & Firewall is a comprehensive, easy-to-use, stable, and well-supported WordPress plugin that adds extra security and firewall to your site by using different tools that enforce good security practices.
- Enforce to allow only strong password
- Stop bad bots
- Login lockdown based on IP or action
- Protect against brute force, XSS
and many more.
To conclude, you can’t go wrong with any of these plugins/services here. For some, a combination of Wordfence and Cloudflare works best, while others are happy to activate SUCURI and not have to worry about total attacks blocked in a day.
The same boring thing I always say: don’t be in a hurry and always take reviews with a pinch of salt. Even mine. 😜
Go for the free/cheapest version first, try it out actively for some time over different use cases, and only then make the change.
May you have a secure and thriving WordPress deployment! 👍