If you operate a website on the WordPress platform, it’s inevitable that a hack attempt will come your way sooner or later. Just this week, the Return On Now website has been under a series of botnet attacks. Luckily, we have spent a lot of time studying how to secure WordPress from these sorts of attacks. So far, the site has never been compromised (knock on wood).
Today, let’s take a few minutes to look at some things you can do to secure WordPress before you get hit. If it’s too late and you’ve already been hit, read our tips for how to remediate hacked WordPress sites after the fact. After you clean it up, come back to this post and lock the site down to prevent a repeat performance.
The focus of this post is to cover a few free options you might use to secure a WordPress site. There are also paid plugins (e.g. Sucuri, CodeGuard) and premium WP hosting services available that can handle much of this for you.
WordPress Security Plugins
The natural place to start is with plugins, especially for those of us who don’t like jockeying PHP code and server side scripts. Below are some of the better plugins available for securing WordPress.
When hackers hit your site, they typically automate it into some sort of botnet / brute force assault. These are scripted to automatically hit your login page and try to infiltrate using the “admin” profile. The script sets the username to admin (so use a different username and get rid of admin if you can), and keeps trying to log in using a master list of passwords.
The most basic piece of security that you control is the password itself. If you have been using things like “abc123,” “password,” or “qwerty,” you’re lucky not to already have malware live on the site. There’s also the matter of other users or contributors. Everyone wants to remember their passwords easily, so many of us slack on creating good passwords.
You can’t force a change in user behavior by asking. Go get the Enforce Strong Password plugin, and everyone will be forced to follow good security standards with their own passwords.
This is one of my favorite security plugins. If you use online banking services or manage credit cards via the web, you already know that those sites allow a handful of failed attempts before locking your profile.
Similar functionality is now available for WordPress using the Limit Login Attempts plugin. The plugin allows you to set a number of login attempts that are acceptable, after which the IP address is locked out for 24 hours. When it blocks an IP, you get an email notification that someone is trying to hack into the site. Below is a sample email I received this morning, hot off the presses:
Brute Force Blocking Plugins
If you want to get an even more thorough solution to brute force attacks, there are some plugins built specifically with that in mind. Here are the top free plugins available for this purpose.
BruteProtect is used by tens of thousands of websites. They claim to have blocked over 100M botnet attacks, which is an impressive number indeed!
While this plugin provides some similar functions to the point solutions listed above, it also includes a community blocking feature. When an IP address is flagged for attempting to hack into sites, that IP address is added to the database of IPs to block. The entire community of BP users then benefits from that information, and can proactively block it before a brute force attempt occurs on other websites. I have heard excellent things about this plugin, so give it a try.
Security-Protection also claims to be a full solution to brute force attacks, but we have not tested it. The idea is that a botnet attack, being driven by a script, behaves differently than a real user trying to log in. So the plugin adds hidden fields to the login form that a real user can’t see, but a bot will typically fill in. When those fields are submitted with a login attempt, the IP is blocked.
While I’m sure this plugin works fine, it does not offer the community feature of BP. If you are a less technical user, I’d recommend using BruteProtect for the added protection of that feature. If you are okay with trusting code to block hack attempts and don’t care about the cross-site sharing, SP may be a good option for you.
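As an added example (not code from the post or from any plugin it names), here is a small Python model of the two mechanisms described above: the Limit Login Attempts-style counter that locks an IP out for 24 hours after too many failures and raises a notification, and the hidden honeypot field that Security-Protection uses to tell bots from people. Assumptions: "hp_email" is an invented name for the hidden field, and the IP addresses and login events are constructed.

```python
# Added example, not code from the post or from any plugin it names. "log" and "pwd"
# are the real WordPress login field names; "hp_email" is an assumed honeypot field.
from dataclasses import dataclass, field

LOCKOUT_SECONDS = 24 * 60 * 60  # 24 hour lockout, as in Limit Login Attempts
MAX_FAILURES = 4                # failed attempts tolerated before locking the IP

@dataclass
class LoginGate:
    failures: dict = field(default_factory=dict)       # ip -> consecutive failures
    locked_until: dict = field(default_factory=dict)   # ip -> unix time lock expires
    notifications: list = field(default_factory=list)  # stands in for the email alert

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:   # expired: forget the IP entirely
            del self.locked_until[ip]
            self.failures.pop(ip, None)
        return ip in self.locked_until

    def _lock(self, ip, now, reason):
        self.locked_until[ip] = now + LOCKOUT_SECONDS
        self.notifications.append(f"{ip} locked at {now}: {reason}")

    def attempt(self, ip, form, password_ok, now):
        """Classify one login POST as 'locked', 'honeypot', 'fail' or 'ok'."""
        if self.is_locked(ip, now):
            return "locked"
        if form.get("hp_email"):           # hidden field: humans leave it empty
            self._lock(ip, now, "honeypot field submitted")
            return "honeypot"
        if password_ok:
            self.failures.pop(ip, None)    # a good login resets the counter
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self._lock(ip, now, f"{MAX_FAILURES} failed logins")
        return "fail"

def run_demo():
    """Replay constructed events: a bot guessing 'admin', a bot that fills the
    honeypot, a real editor, then the first bot again after its lockout expires."""
    t0, gate = 1_700_000_000, LoginGate()
    bot = {"log": "admin", "pwd": "password"}
    events = [("203.0.113.7", bot, False, t0 + i) for i in range(5)]
    events += [("198.51.100.9", dict(bot, hp_email="x@example.invalid"), True, t0 + 10),
               ("192.0.2.5", {"log": "editor", "pwd": "correct-horse"}, True, t0 + 20),
               ("203.0.113.7", bot, False, t0 + LOCKOUT_SECONDS + 60)]
    return [gate.attempt(ip, form, ok, now) for ip, form, ok, now in events], gate
```

Note that the honeypot check runs before the password check, so a bot that happens to guess a valid password is still blocked, and that a lockout is forgotten entirely once it expires, which is why the last event counts as a fresh first failure.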
Comprehensive WordPress Security Plugin
Want an even more comprehensive solution? The following may be of interest to you.
This plugin has great reviews and 4.9 stars in the WordPress.org community. It covers nearly everything you might want in a security plugin for WordPress. The plugin has features to change the “admin” username easily, to detect when a user’s real name and username are identical, and to force strong passwords. It also operates similarly to Limit Login Attempts with IP blocking, and includes a list of great options for securing the database, the file system, and more.
One caveat – while this is one of the most robust security plugins available for WordPress, it may be too much for some users to operate. There is a small risk of breaking things in the theme or in other plugins depending on how the plugin is configured, so be sure to pull in someone with more in-depth knowledge of WordPress and security if you choose to deploy it.
WordFence has a lot of fans in the WordPress community, and it does look like quite a robust solution. In fact, it not only locks down the security, but it also claims to help boost performance by way of its “Falcon Engine” caching functionality. WordFence offers similar community IP blocking to BruteProtect, but within the confines of a larger overall solution.
Some other good features include automatic Heartbleed scanning, two-factor authentication, DNS security monitoring, and real-time views of traffic. It also looks to be compatible with a range of plugins like WooCommerce as well as multi-site installs of WordPress. All in all, WordFence Security offers the deepest protection you can find without paying for a premium plugin or having to start toying around with code in your .htaccess file.
If you have a good developer on speed dial and want to get really serious about locking down WP, there is much more you can do beyond plugins. In fact, if you use a premium WordPress-focused hosting service, they likely already did this for you.
Rather than dig into the volumes of information about how to do so, check out the Codex on WordPress.org about how to harden WordPress yourself. If you roll out all of those recommendations, you won’t need so much help from plugins in the first place.
WordPress can be vulnerable to various botnets, hack attempts, and brute force attacks. There are multiple ways to secure WordPress from these attacks in advance. No matter whether you prefer to do so by hardening the code, using plugins, and/or changing user behavior, take the time to get serious about security now. Once you’ve been hacked, cleaning up the mess is a real pain, and then you will have to get serious about security anyway.
Feature image sourced via creative commons attribution 2.0 license from Wikipedia.