WordPress is now powering over 40% of all websites. That’s a testament to its flexibility, ease of use, and the loads of free plugins and themes that are available. But it also means WordPress has a gigantic target on its back from malicious hackers and bots.
They’re constantly scanning for outdated installations and zero-day vulnerabilities. Brute-force login attacks hit even the most lightly trafficked sites.
It has become absolutely imperative that site owners take extra security measures. Some of that is done at the server level, but you can do plenty within WordPress itself. In fact, there are a plethora of free plugins out there that will harden WordPress and provide you with an extra layer of protection.
Brute-force login attacks are such a nuisance that there is a whole category of plugins dedicated to stopping them. Limit Login Attempts Reloaded can help you take control of the situation. It provides the ability to set login limits and block offending IP addresses for a specified amount of time.
Additionally, you can choose to be notified when an IP is blocked. That may be a bit overwhelming for sites that see a lot of attacks. Thus, it might be more efficient to periodically check the log of blocked attempts.
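To make the mechanism concrete, here is an added example of the kind of per-IP login limiting described above, written as a WordPress must-use plugin. It is not code from Limit Login Attempts Reloaded; the `demo_login_*` function names, transient keys, and the 5-attempt / 15-minute / 30-minute values are this example's own assumptions.

```php
<?php
/**
 * Added illustration: count failed logins per client address and refuse
 * authentication for a while once a threshold is reached. Not the plugin's
 * own code. Place in wp-content/mu-plugins/ to try it on a test site.
 */

// Hypothetical tuning values, assumed for this example.
const DEMO_LOGIN_MAX_FAILURES = 5;                       // failures allowed per window
const DEMO_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS;  // window in which failures are counted
const DEMO_LOGIN_LOCKOUT      = 30 * MINUTE_IN_SECONDS;  // how long a locked address is refused

// Build a transient key from the client address. REMOTE_ADDR is the address the
// web server saw; behind a CDN or reverse proxy you would use the proxy's
// trusted real-IP header instead, or every visitor shares one counter.
function demo_login_key(string $prefix): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return $prefix . md5($ip);
}

// Record a failed attempt and start a lockout once the threshold is reached.
function demo_login_record_failure(string $username): void {
    // Rejections issued during an active lockout also fire wp_login_failed;
    // do not let them extend or restart the counter.
    if (get_transient(demo_login_key('demo_lock_')) !== false) {
        return;
    }
    $count_key = demo_login_key('demo_fail_');
    $count     = (int) get_transient($count_key) + 1;
    set_transient($count_key, $count, DEMO_LOGIN_WINDOW);

    if ($count >= DEMO_LOGIN_MAX_FAILURES) {
        set_transient(demo_login_key('demo_lock_'), time(), DEMO_LOGIN_LOCKOUT);
        delete_transient($count_key);
        // Leave a trail for the site owner to review instead of e-mailing on every block.
        error_log(sprintf(
            '[demo-login-limit] lockout for %s after %d failures (last username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? '?',
            $count,
            sanitize_user($username)
        ));
    }
}
add_action('wp_login_failed', 'demo_login_record_failure');

// Refuse authentication while a lockout is active. Priority 30 runs after the
// core username/password check (priority 20), so the WP_Error wins.
function demo_login_enforce_lockout($user, $username, $password) {
    $locked_at = get_transient(demo_login_key('demo_lock_'));
    if ($locked_at !== false) {
        $elapsed   = time() - (int) $locked_at;
        $remaining = max(1, (int) ceil((DEMO_LOGIN_LOCKOUT - $elapsed) / 60));
        return new WP_Error(
            'demo_locked_out',
            sprintf('Too many failed logins. Try again in about %d minute(s).', $remaining)
        );
    }
    return $user;
}
add_filter('authenticate', 'demo_login_enforce_lockout', 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function (): void {
    delete_transient(demo_login_key('demo_fail_'));
});
```

Transients expire on their own, so the window and lockout need no cleanup job; the trade-off is that on sites without a persistent object cache each lookup is a database read, and that a single shared egress address (an office NAT, a CDN without a real-IP header) can lock out many legitimate users at once.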
Sucuri Security includes a suite of features aimed at keeping site administrators informed. The plugin will scan your files for suspicious code and known vulnerabilities, and notify you of any issues it finds. In addition, your site will be checked against blocklist engines, and the plugin will report if it has been flagged.
You’ll also find a helpful log of security-related activities, helping you keep track of changes made to your site. Level up to the premium version to activate a firewall, performance optimization and more.
With millions of active installs, Wordfence is one of the most popular plugins out there. It will routinely scan your install for malicious code and has a real-time firewall that will help secure your site from known (and unknown) threats.
Advanced features like IP blocking and brute-force login protection can give site owners some peace of mind. The premium version includes country blocking, two-factor authentication, and the firewall is updated in real time.
The WordPress jack-of-all-trades, Jetpack has added some great security features in recent years. Brute-force login protection is included (and will proudly display on the WP Dashboard how many malicious login attempts have been thwarted).
There’s also a single sign-on feature that works with your WordPress.com account. Paid plans add spam blocking, malware scanning, and more.
This security suite (in plugin form) will protect your site with brute-force protection, file change detection, and enforced strong passwords, and will even help you run your entire site over SSL. A Pro version enables malware scanning, password expiration, and much more.
This plugin will scan your site’s user accounts to ensure that a user’s username and display name aren’t identical – a key method bots use to harvest valid usernames. User registration can also be set for admin approval – meaning you’ll have the ability to reject accounts you don’t trust.
You’ll also find brute-force protection, a firewall, malware scanning, and protection for configuration files.
BulletProof Security will provide extra security for your site’s .htaccess file, logins, auth cookie expiration, and allow for database backups. You can also set a time limit on idle WordPress sessions, which will log the user out of the system after a specified period of inactivity.
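The idle-session timeout mentioned above is easy to misunderstand as simply a shorter cookie lifetime; what it actually needs is a last-activity timestamp checked on every request. The following added example, which is not BulletProof Security's code, shows one way to do that as a must-use plugin. The `_demo_last_activity` meta key, the `demo_idle_*` names and the 20-minute limit are this example's own assumptions.

```php
<?php
/**
 * Added illustration of an idle-session timeout: end the session after a
 * period with no requests, even though the auth cookie is still valid.
 * Not BulletProof Security's code. Place in wp-content/mu-plugins/ to try it.
 */

const DEMO_IDLE_LIMIT = 20 * MINUTE_IN_SECONDS;  // assumed inactivity limit
const DEMO_IDLE_META  = '_demo_last_activity';    // hypothetical user-meta key
const DEMO_IDLE_WRITE = MINUTE_IN_SECONDS;        // throttle for timestamp writes

function demo_idle_check(): void {
    // Only interactive, logged-in requests count as activity.
    if (!is_user_logged_in() || wp_doing_cron()) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta($user_id, DEMO_IDLE_META, true);
    $now     = time();

    if ($last > 0 && ($now - $last) > DEMO_IDLE_LIMIT) {
        // Idle too long: clear the auth cookies and send the user to the login form.
        wp_logout();
        wp_safe_redirect(add_query_arg('demo_idle', '1', wp_login_url()));
        exit;
    }

    // Refresh the stamp, but not on every request, to limit database writes.
    if (($now - $last) > DEMO_IDLE_WRITE) {
        update_user_meta($user_id, DEMO_IDLE_META, $now);
    }
}
add_action('init', 'demo_idle_check');

// Reset the stamp at login so a stale value from a previous session does not
// bounce a returning user straight back to the login form.
add_action('wp_login', function (string $login, WP_User $user): void {
    update_user_meta($user->ID, DEMO_IDLE_META, time());
}, 10, 2);
```

Because the stamp lives in user meta, it applies to the account rather than to one browser: a user logged in on two devices keeps both sessions alive by using either. A per-session variant would key the stamp on the session token from `wp_get_session_token()` instead.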
One of the absolute best things you can do for security is to enable SSL on your site. Once you’ve acquired an SSL certificate and installed it on your server, Really Simple SSL will ensure your WordPress install is optimized to run under HTTPS.
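As an added example of what "optimized to run under HTTPS" involves, here is a minimal version of the two pieces a plugin like Really Simple SSL takes care of: secure admin cookies, and a redirect for any request that still arrives over plain HTTP. This is not the plugin's code; the `demo_force_https` name is this example's own, and it assumes the certificate is already installed and that, if a reverse proxy terminates TLS, that proxy is trusted to set `X-Forwarded-Proto`.

```php
<?php
/**
 * Added illustration of forcing HTTPS on a WordPress site. Not Really Simple
 * SSL's code. The FORCE_SSL_ADMIN constant normally lives in wp-config.php;
 * the rest can go in a file under wp-content/mu-plugins/.
 */

// Make WordPress issue and accept admin/login cookies only over HTTPS.
if (!defined('FORCE_SSL_ADMIN')) {
    define('FORCE_SSL_ADMIN', true);
}

// Behind a TLS-terminating proxy the PHP process sees plain HTTP. Trusting the
// proxy's header lets is_ssl() return true and avoids a redirect loop.
// Assumption: the proxy is trusted and strips client-supplied copies of this header.
if (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Permanently redirect any plain-HTTP request to its HTTPS counterpart.
function demo_force_https(): void {
    if (is_ssl() || wp_doing_cron() || (defined('WP_CLI') && WP_CLI)) {
        return;
    }
    // Build the target from the configured home URL, not the Host header,
    // so a forged Host header cannot steer the redirect elsewhere.
    $host   = parse_url(home_url(), PHP_URL_HOST);
    $target = 'https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/');
    wp_redirect($target, 301);
    exit;
}
add_action('template_redirect', 'demo_force_https'); // front-end requests
add_action('admin_init', 'demo_force_https');        // dashboard requests

// Once a request is already on HTTPS, ask browsers to stay there.
add_action('send_headers', function (): void {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }
});
```

Two checks are worth doing after enabling this: confirm that the site's "WordPress Address" and "Site Address" settings use `https://` (otherwise core still generates `http://` links), and test from outside the proxy that an `http://` request returns a 301 to the same path on `https://` rather than looping.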
Formerly known as WordPress Simple Firewall, this plugin will automatically block out malicious URLs and requests. It will also protect your blog from spambot comments and adds two-factor authentication.
One of the telltale signs a site is running WordPress is the use of the default /wp-admin/ and wp-login.php URLs. Hide My WordPress allows you to safely rename these login gateways to help avoid attacks.
Note that you should use caution when enabling more than one security plugin. Some can conflict with each other and lead to either a crashed site or a major performance hit. If you plan to use more than one security plugin, do some research to see how they coexist.
While there is no silver bullet for securing WordPress (or any other CMS), there are steps you can take to thwart malicious attacks. Most bots and hackers are looking for easy targets. Using a security plugin makes things much more difficult to crack.