Protection Tips for WordPress Sites
Apr 25, 2017
WordPress sites are more often susceptible to a security breach because they require a user name and password to enter the administration area. Websites coded in straight HTML are exposed to other methods that hackers use to take over a site. If your website uses a managed hosting solution, plugin updates and security updates for the operating system are performed on a regular basis.
A Few of the Most Widely Used WP Security Plugins
Shield Security by iControlWP, https://wordpress.org/plugins/wp-simple-firewall/
50,000+ Active Installs (as of 3-28-2017)
Tested up to 4.7.3
Key Features:
- Blocks malicious URLs and requests.
- Blocks ALL automated spambot comments.
- Hides your WordPress Admin and Login page.
- Prevents brute force attacks on your login and any attempted automatic bot logins.
- Verifies user identity with email-based Two-Factor Authentication.
- Monitors login activity and restricts username sharing, with User Sessions Management.
- Reviews admin activity with a detailed Audit Trail Log.
- Turns on and turns off WordPress Automatic Updates separately for plugins, themes and Core.
- Easy-to-use kill switch to temporarily turn off all Firewall Features without disabling the plugin or even logging into WordPress.
All in One WordPress Security & Firewall, https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
500,000+ Active installs (as of 3/28/2017)
Tested up to 4.7.3
Key Features:
- User Accounts Security
- User Login Security
- User Registration Security
- Database Security
- File System Security
- HTACCESS and wp-config.php File Backup and Restore
- Blacklist Functionality
- Firewall Functionality
- Brute force login attack prevention
- WHOIS Lookup
- Security Scanner
- Comment Spam Security
- Front-end Text Copy Protection
- Regular updates and additions of new security features
Wordfence, https://wordpress.org/plugins/wordfence/
2+ million Active Installs (as of 3-28-2017)
Tested up to 4.7.3
Heavy Resource User
Key Features:
- Firewall Security
- Login Security
- Security Scanning
- Monitoring Features
- Multi-Site WordPress Security
- WHOIS Lookup, Location and Blocking
- Free Learning Center
iThemes Security (formerly Better WP Security), https://wordpress.org/plugins/better-wp-security/
800,000+ Active installs (as of 3-28-2017)
Tested up to 4.7.3
Heavy Resource User
Key Features:
- Two Factor Authentication
- Password Security
- Malware Security
- Google reCaptcha
- Brute Force Protection
- Hides Common WP vulnerabilities
- Recovery Capable
- Detects Hidden 404 Errors
- Security Tutorials
Protect Your WordPress Admin with These Tips
Consider a Lightweight but Effective Plugin that Acts as a Login Barrier
WP Limit Login Attempts, https://wordpress.org/plugins/wp-limit-login-attempts/
This plugin protects against brute force attacks, which are considered the easiest method of gaining access to a WordPress CMS website. Bots will try over and over to crack your user name and password until they gain access. This easy-to-set-up plugin limits the rate of login attempts and will block IPs.
IP Address Limited Access
Whitelist your IP address in your security protection plugin of choice. If you have site contributors who post to your site regularly, add their IPs as well.
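The login rate limit and IP whitelist from the two tips above, sketched as a check over a web server access log (an added example, not code from WP Limit Login Attempts or any other plugin named here). The threshold, window, function names and log lines are constructed assumptions; it also assumes stock WordPress behaviour, where a failed login returns 200 and a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _line(ip, hms, method="POST", status=200):
    # Builds one constructed access-log line in Apache/nginx "combined" format.
    return (f'{ip} - - [25/Apr/2017:{hms} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic; all addresses are documentation-range IPs.
SAMPLE_LOG = "\n".join(sorted(
    [_line("203.0.113.7", f"10:00:{s:02d}") for s in range(0, 16, 2)]       # 8 failures in 14 s
    + [_line("198.51.100.20", f"10:{m:02d}:00") for m in range(0, 48, 8)]   # 6 failures, 8 min apart
    + [_line("192.0.2.10", f"10:01:{s:02d}") for s in range(0, 14, 2)]      # 7 failures, site contributor
    + [_line("203.0.113.99", "10:02:00", method="GET")]                     # just viewing the login form
    + [_line("192.0.2.10", "10:03:00", status=302)],                        # successful login
    key=lambda l: l.split("[")[1]))  # chronological, like a real log

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_lockouts(log_text, max_attempts=5, window=timedelta(minutes=5), whitelist=()):
    """Return {ip: time of the attempt that pushed it over max_attempts within window}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    lockouts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, path, status = m.groups()
        # Assumption: a failed login is a POST to wp-login.php answered with 200.
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        if ip in whitelist or ip in lockouts:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:   # drop failures older than the window
            attempts.popleft()
        if len(attempts) > max_attempts:
            lockouts[ip] = when
    return lockouts

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG, whitelist={"192.0.2.10"}).items():
        print(f"block {ip}: more than 5 failed logins in 5 minutes at {when:%H:%M:%S}")
```

Without the whitelist entry, the contributor at 192.0.2.10 who mistyped a password several times would be locked out alongside the bot, which is the case the whitelisting tip is meant to prevent.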
Big No No, Never Use “Admin” or “admin” as Your User Name
Make it hard for attackers to guess. Brute force attackers first use admin/Admin as user names when trying to break in.
Choose a Strong Password
Use a different password for your WP site than you use for other logins. It’s recommended to use 10 characters made up of mixed case letters, numbers, and symbols. Try to change your password every 60-90 days.
Don’t Broadcast Your WP Version
WP version identification allows attackers to quickly determine known vulnerabilities for your running version. Via FTP, delete the "readme.html" file.
Two Step Password
With WP-OTP you can easily set up 2 Factor Authentication with One Time Passwords for your WordPress login. This extra layer makes your WordPress site a lot more secure.