The Best WordPress Security Plugin, Hands Down

If you’d like to secure your WordPress website without spending a great deal of time doing so, the best solution is to use one of the freely available WordPress security plugins.

There are quite a few options, but my security plugin of choice is Better WP Security.

I’ve installed and configured this WordPress security plugin on hundreds of WordPress installations, and I’ve never had a single WordPress property hacked with it on duty.

So, why do I like Better WP Security versus the rest?

For starters, it covers a lot of problem areas, and allows you to customize the settings for your particular needs. It also handles database backups, and will send you those backups via eMail attachments hourly, daily, weekly, or monthly.

I usually don’t enable all of the security settings, as some of the settings can be a little intrusive or bothersome. I don’t need all of them enabled to secure the website satisfactorily, but, they are there in the case that I decide to enable them for a particular site that needs a few extra layers of security.

The basic configuration I use covers the following points:

• Your WordPress header is revealing as little information as possible.

• Non-administrators cannot see available updates.

• The admin user has been removed.

• The user with id 1 has been removed.

• Your table prefix is not wp_.

• You have scheduled regular backups of your WordPress database.

• You are blocking known bad hosts and agents with HackRepair.com’s blacklist..

• Your login area is protected from brute force attacks.

• Your .htaccess file is fully secured.

• Your installation is actively blocking attackers trying to scan your site for vulnerabilities.

• Your installation does not accept long URLs.

• Better WP Security is allowed to write to wp-config.php and .htaccess.

• wp-config.php and .htacess are not writeable.

• Version information is obscured to all non admin users.

For me, this is enough. I can configure the settings quite quickly. At first, it would take me about half an hour to go through everything, but as I have become increasingly familiar with the installation and configuration process, I can usually knock this out in 10 to 15 minutes.

To give you an idea of the performance of this plugin and it’s settings, I once had a WordPress website owner contact me, telling me that his website had been hacked. When I visited his website, there were various “graffiti” present representing a particular “cyber army” which was claiming the blame for hacking his website.

He supplied me with access to his cPanel, and within about 10 minutes, I had regained access to the dashboard. I then went through all of the active theme files one by one, removing code added by the hackers.

Then, I installed Better WP Security, and configured it using the settings I normally use, without even activating any of the additional security settings, except for those listed above.

Within a couple of hours, I began receiving eMail notifications that someone was locked out of the site. Since the hackers were using proxies, I got quite a few of these notifications. I then went into the security dashboard, and permanently banned all of those proxy IP addresses manually.

Over the next few days, I got more notifications, and more notifications. The hackers were attempting to brute force their way into the website, however, they could not defeat Better WP Security.

In my opinion, unless you’ve installed a third party plugin that has security vulnerabilities, Better WP Security will keep your website hack proof, unless someone with a lot of time and computing power comes along, who also has great skill at hacking WordPress websites, and they are hell bent on getting in. Then, perhaps your site might get hacked. I would imagine that before it did, you’d probably receive enough alerts from the plugin to know that you had better contact your host, and let them know someone was attacking you, ensure you had up to date backups of everything, and perhaps enable a few more layers of security temporarily, until the hacker got tired of failure, and moved on.

I recommend Better WP Security to anyone running a WordPress website, it’s protection is excellent.

Should you need assistance in installing or configuring Better WP Security, I’m always around to lend a helping hand, via my WordPress Maintenance Service business linked in the navigation menu here on the Digi Purpose blog.

One Simple WordPress Security Measure that Makes a Big Impact

When you’re dealing with WordPress, security should always be an area that you take seriously.

Remember, WordPress is open source, and as such, hackers trying to break into sites that run on the WordPress platform have access to it’s source code. This in itself isn’t that big of a deal, however, the fact that most WordPress websites are running third party created plugins as well, adds to the security risk. 

Perhaps a plugin developer has left a security vulnerability in their plugin unknowingly, and once this vulnerability is discovered by the right hacker, every website running that particular plugin are ripe for the picking.

I’m not warning you to batten down the hatches, go sit in a closet, and say hail Mary’s, security just needs to be on your radar.

Also, you may not even know that your website has been hacked, until a much later date, depending on what the hacker decides to do once they’ve gained access to your website. Perhaps they just want to take your site offline, in which case, I hope you have a backup. Perhaps they just want to make a fool out of your website, and post unsavory content all over it to damage your image and wreak havoc. Perhaps they want to be crafty and see what affiliate advertisements you’re running, sign up for those affiliate programs, and then replace your affiliate links with theirs, so that your website traffic brings them commissions instead of you! The point is, it’s up to them, and I can promise you, no matter what they decide to do, it’s not going to be a good thing for you. They may even contact you and try to sell you security improvements based on the fact that they’ve already hacked your website. Now there’s a killer sales pitch, if they haven’t touched anything, and they’re very brave.

One very simple security improvement you can make easily which has a big positive impact on WordPress security is your admin username. Remember, the default username is ‘admin.’ If you’re running the default username, you’ve handed a would be hacker 50% of the login credentials to your dashboard before they even lift a finger to attempt to gain entry. This is definitely a bad idea, but I see it all the time.

Also, another mistake I see all the time is displaying the admin username in the context of the by line, e.g. “by admin.” 

In this case, even if you have changed the default username, you’re advertising it openly, so again, you’ve handed any would be hackers 50% of your login credentials.

You cannot change usernames in the “User” dashboard menu, but some security plugins support this feature. What you can do from dashboard, however, is to create a new admin user, with a custom username, and then remove the original admin user.

Also, you can control the publicly displayed author name in the user dashboard. However, the link to the author archive will remain to be the author’s username, for instance: http://website.com/author/admin

This means that if you’re displaying the by line, with a link to the author archive, a hacker can still very easily find your username.

My recommendation is that if you’re not willing to take the steps necessary to protect against brute force attacks, do not display the by line at all. This can be done by manually editing your theme files. Remember, you can login to WordPress using the username, nickname, or display name of a given user! Even if you’re displaying the by line with your display name, you’ve still given the hacker your username.

Even after doing all of this, search engines will index your author archive page, so it’s a good idea to add a line to your robots.txt file to disallow indexing of author archives. If your author archive link isn’t freely available somewhere online, the hacker will have to figure out someway to guess your username, and your password, thus making any brute force attack twice as difficult, and theoretically, take twice as long, and twice as much computing.

Your best bet is always going to be to protect your website from brute force attacks, however, taking measures like these are always steps in the right direction, if you do not need the author archives for anything specific.