WordPress protection

Practices to keep your WordPress site secure + 3 plugins to make it possible

WordPress used to be limited to posting blog content such as posts, photos, and videos. It has since grown into a Content Management System (CMS) with plugins that can turn your WordPress site into a forum, an LMS (Learning Management System), or even an e-commerce site, all with little to no programming knowledge. The best part about WordPress is that it’s open source. While hosting providers like GoDaddy and Drupal offer WordPress hosting, the software itself can be downloaded and installed on your own hosting. However, hosting it yourself means security becomes your responsibility, and although hosting providers like GoDaddy offer security protection, it comes with a hefty fee. In this article we will go through practices for keeping your WordPress site secure, as well as some recommended plugins that make implementing them easier and faster.

1. Update your PHP version!

PHP (Hypertext Preprocessor) is the programming language WordPress is built in. Nearly every function and plugin on your WordPress site runs as PHP, and the PHP version used is whatever is installed on your hosting server. For hosting providers like GoDaddy, the version can be changed in the settings page of a hosted WordPress site.

PHP and WordPress are both open source, meaning they are maintained by the open-source community. Because of this and PHP’s popularity, PHP is a target for attackers, so keeping PHP updated ensures that known vulnerabilities in the interpreter are patched before WordPress executes any code on it. Newer PHP versions also improve the performance of your WordPress site.

2. Update your WordPress software, themes, and plugins

It’s best to always update your WordPress version when you update your PHP version. Just like with PHP, known vulnerabilities are fixed in each new release, keeping your WordPress site secure. Automatic updates can also be turned on in your WordPress settings to make sure you are always on the latest version. The same principle applies to the plugins and themes you use.

3. Install a firewall and an SSL certificate

A firewall blocks access for users who are doing suspicious things on your website. The same idea applies to a firewall on your personal computer, which keeps attackers away from the machine you manage the site from. Keep in mind, however, that some firewalls run only at the WordPress level, as a plugin. It’s better to install one that also works at the Apache (web server) level, so that the attacker is blocked before any code on the WordPress site executes.

Having SSL protects your site by encrypting all data passed between the client and the server. SSL certificates can be installed manually using services like Let’s Encrypt, or installed automatically by plugins, and hosting providers like GoDaddy also offer SSL certificates for your GoDaddy WordPress site.

4. Limit login attempts and use reCAPTCHA on your dashboard login

Limiting login attempts prevents a brute-force attack, in which the attacker tries to log into the site by guessing the username or password. reCAPTCHA is a free service offered by Google that lets the site check whether the user trying to log in to the dashboard is a human being and not a bot.
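As an added illustration (not code from this page or from any of the plugins discussed), here is a small Python model of the login-limiting behaviour described above: failed attempts per IP are counted within a time window, the IP is locked out for a fixed period once the threshold is reached, an attempt with a non-existent username locks immediately, and whitelisted IPs are never locked. The thresholds, IP addresses and usernames are constructed values.

```python
import time
from collections import defaultdict, deque


class LoginLockdown:
    """Per-IP lockout after repeated failed logins (constructed example).

    The thresholds below are assumptions for illustration, not any plugin's defaults.
    """

    def __init__(self, max_failures=5, window=300, lockout=900,
                 whitelist=(), valid_users=(), lock_on_invalid_user=True):
        self.max_failures = max_failures            # failures allowed per window
        self.window = window                        # seconds in which failures count
        self.lockout = lockout                      # seconds an IP stays locked
        self.whitelist = set(whitelist)             # IPs that are never locked out
        self.valid_users = set(valid_users)         # usernames that actually exist
        self.lock_on_invalid_user = lock_on_invalid_user
        self.failures = defaultdict(deque)          # ip -> recent failure timestamps
        self.locked_until = {}                      # ip -> time the lockout expires
        self.events = []                            # audit trail: (time, ip, user, what)

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)             # expired (or never locked)
        return False

    def attempt(self, ip, username, password_ok, now=None):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        now = time.time() if now is None else now
        if ip in self.whitelist:                    # whitelist only bypasses the lockdown
            return 'ok' if password_ok and username in self.valid_users else 'denied'
        if self.is_locked(ip, now):
            self.events.append((now, ip, username, 'rejected-while-locked'))
            return 'locked'
        if username not in self.valid_users and self.lock_on_invalid_user:
            self._lock(ip, username, now, 'invalid-username')
            return 'locked'
        if password_ok and username in self.valid_users:
            self.failures.pop(ip, None)             # clean slate after a success
            self.events.append((now, ip, username, 'login'))
            return 'ok'
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                        # forget failures outside the window
        self.events.append((now, ip, username, 'failed'))
        if len(recent) >= self.max_failures:
            self._lock(ip, username, now, 'too-many-failures')
            return 'locked'
        return 'denied'

    def _lock(self, ip, username, now, reason):
        self.locked_until[ip] = now + self.lockout
        self.failures.pop(ip, None)
        self.events.append((now, ip, username, 'locked:' + reason))

    def locked_ips(self, now=None):
        """What an administrator's 'locked out users' table would list."""
        now = time.time() if now is None else now
        return sorted(ip for ip in list(self.locked_until) if self.is_locked(ip, now))

    def unlock(self, ip):
        """Administrator action: lift a lockout early."""
        self.locked_until.pop(ip, None)
```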

5. Always use SFTP when connecting to the server files

If your site becomes inaccessible and the only way to retrieve your WordPress files is over FTP, make sure you use the SFTP protocol so that the files being transferred are encrypted. Programs like FileZilla offer SFTP options to keep the transfer secure when retrieving your WordPress site.

However, you need to be aware that attacks and breaches are inevitable, since vulnerabilities are not always disclosed to the public. Most of the time, white-hat hackers are the ones who report vulnerabilities, with good intentions, while black-hat hackers are the ones who try to steal personal data and take control of your site with the intent of destroying it. A backup should always be made regardless of how secure your site is. You never know when an attack will come, so a backup is always handy in case of a breach. Hosting providers like GoDaddy provide automatic backups in their WordPress plans. Backup plugins are also available in the WordPress plugin directory.

Now that you know some practices for keeping your site secure, here are some plugins we found in the WordPress plugin directory that make some, if not all, of the practices mentioned above possible. All of the plugins we found have a free tier and a paid plan for those who want more features. We’ll be overviewing some of the most noticeable features available in each plugin. The right settings for each plugin will depend on the other plugins and themes you are using, so it’s best to try what works on your site and turn off any setting that breaks something.

1. WordFence

Figure 1 – Wordfence

WordFence is a free plugin for WordPress that includes a WordPress-level firewall and a malware scanner. Below are the features of its free plan and paid plan:

  • Web Application Firewall identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
  • [Premium] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed, and cannot leak data.
  • [Premium] Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
  • Integrated malware scanner blocks requests that include malicious code or content.
  • Protection from brute force attacks by limiting login attempts.
WORDPRESS SECURITY SCANNER
  • Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
  • [Premium] Real-time malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • Compares your core files, themes, and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you.
  • [Premium] Checks to see if your site or IP has been blacklisted for malicious activity, generating spam, or other security issues.
  • Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.
  • Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.
  • Checks your content safety by scanning file contents, posts, and comments for dangerous URLs and suspicious content.
LOGIN SECURITY
  • Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
  • Disable or add 2FA to XML-RPC
  • Login Page CAPTCHA stops bots from logging in.
  • Block logins for administrators using known compromised passwords.
WORDFENCE CENTRAL
  • Wordfence Central is a powerful and efficient way to manage the security for multiple sites in one place.
  • Powerful templates make configuring Wordfence a breeze.
  • Highly configurable alerts can be delivered via email, SMS or Slack. Improve the signal to noise ratio by leveraging severity level options and a daily digest option.
  • Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.
  • Track and alert on important security events including administrator logins, breached password usage, and surges in attack activity.
  • Free to use for unlimited sites.
SECURITY TOOLS
  • With Live Traffic, monitor visits and hack attempts not shown in other analytics packages in real-time; including origin, their IP address, the time of day, and time spent on your site.
  • Block attackers by IP or build advanced rules based on IP Range, Hostname, User Agent, and Referrer.
  • Country blocking available with Wordfence Premium.
When you use WordFence for the first time, it’ll ask you to enter an email address, which will be used for notifications when suspicious activity happens on the site. Once done, you’ll be greeted by the dashboard, which gives a brief summary of the security of your site.

Its malware scanner can check files not only in your WordPress site but also elsewhere on the server itself, making sure that no suspicious files are present. Keep in mind that malware signatures are not always the latest on the free version; you’ll have to use the premium version to get the latest signatures. These signatures are like a dictionary of known malware/virus definitions, which the scanner matches against the files on your server.

Figure – Scan

Keep in mind that some files may get flagged even though nothing is wrong with them if you’re using an optimizer tool, since the optimizer creates compressed (minified) copies of the original files that can look like malware to the scanner. The only way to check is to read the scan results and confirm that the flagged files contain no suspicious lines of code.

Figure – Firewall

The firewall settings also offer handy features like IP blocking and rate limiting, which limits how many requests a single visitor can make and therefore the resources they consume. This can be used to help prevent a DDoS attack.

Figure – Block

WordFence also offers a live traffic monitoring feature that records every activity on the site. Here we can see that WordFence blocked a user for suspicious activity on a webpage.

Figure – Settings

For 2FA, you can force administrators to use 2FA to make sure that no administrator account is breached. WordFence’s 2FA requires an authenticator app like Microsoft Authenticator or Google Authenticator; both are free on the Play Store and App Store. Once installed, scan the QR code displayed in WordFence’s 2FA settings to set up 2FA on your phone. reCAPTCHA is also available to check whether the user trying to log in is a human being and not a bot.

Figure – WordPress

Overall, WordFence offers great options and tools to make sure your site is secure, and its free version offers a lot. However, the malware signatures aren’t the latest; if you want the latest signatures, you’ll have to upgrade to the premium plan.

2. All in One WP Security and Firewall

Figure – Plugin

All in One WP Security and Firewall is another plugin that helps keep your WordPress site secure. The plugin tries to cover all the practices needed to keep your site secured and protected. Below are the features offered by the plugin:

User Accounts Security
  • Detect whether there is a user account with the default “admin” username and easily change the username to a value of your choice.
  • The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having accounts where the display name is identical to the login name is bad security practice because you are making it 50% easier for hackers because they already know the login name.
  • Password strength tool to allow you to create very strong passwords.
  • Stop user enumeration, so users/bots cannot discover user info via author permalinks.
User Login Security
  • Protect against “Brute Force Login Attack” with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings, and you can also choose to be notified via email whenever somebody gets locked out due to too many login attempts.
  • As the administrator, you can view a list of all locked out users, displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
  • Force logout of all users after a configurable time period.
  • Monitor/View failed login attempts, which show the user’s IP address, User ID/Username, and Date/Time of the failed login attempt.
  • Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
  • Ability to automatically lock out IP address ranges which attempt to log in with an invalid username.
  • Ability to see a list of all the users who are currently logged into your site.
  • Allows you to specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have access to your WP login page.
  • Add Google reCaptcha or plain maths captcha to the WordPress login form.
  • Add Google reCaptcha or plain maths captcha to the forgot password form of your WP login system.
User Registration Security
  • Enable manual approval of WordPress user accounts. If your site allows people to create their own accounts via the WordPress registration form, then you can minimize SPAM or bogus registrations by manually approving each registration.
  • Ability to add Google reCaptcha or plain maths captcha to WordPress’s user registration page to protect you from spam user registration.
  • Ability to add Honeypot to WordPress’s user registration form to reduce registration attempts by robots.
Database Security
  • Easily set the default WP prefix to a value of your choice with the click of a button.
  • Schedule automatic backups and email notifications or make an instant DB backup whenever you want with one click.
File System Security
  • Identify files or folders which have permission settings that are not secure and set the permissions to the recommended secure values with the click of a button.
  • Protect your PHP code by disabling file editing from the WordPress administration area.
  • Easily view and monitor all host system logs from a single menu page and stay informed of any issues or problems occurring on your server so you can address them quickly.
  • Prevent people from accessing the readme.html, license.txt, and wp-config-sample.php files of your WordPress site.
htaccess and wp-config.php File Backup and Restore
  • Easily backup your original .htaccess and wp-config.php files in case you will need to use them to restore broken functionality.
  • Modify the contents of the currently active .htaccess or wp-config.php files from the admin dashboard with only a few clicks
Blacklist Functionality
  • Ban users by specifying IP addresses or use a wild card to specify IP ranges.
  • Ban users by specifying user agents.
Firewall Functionality

This plugin allows you to easily add a lot of firewall protection to your site via htaccess file. An htaccess file is processed by your web server before any other code on your site.

So these firewall rules will stop malicious script(s) before it gets a chance to reach the WordPress code on your site.

  • Access control facility.
  • Instantly activate a selection of firewall settings ranging from basic, intermediate, and advanced.
  • Enable the famous “6G Blacklist” Firewall rules courtesy of Perishable Press
  • Forbid proxy comment posting.
  • Block access to debug log file.
  • Disable trace and track.
  • Deny bad or malicious query strings.
Brute force login attack prevention
  • Instantly block Brute Force Login Attacks via our special Cookie-Based Brute Force Login Prevention feature. This firewall functionality will block all login attempts from people and bots.
  • Ability to add a simple math captcha to the WordPress login form to fight against brute force login attacks.
  • Ability to hide the admin login page. Rename your WordPress login page URL so that bots and hackers cannot access your real WordPress login URL. This feature allows you to change the default login page (wp-login.php) to something you configure.
  • Ability to use a Login Honeypot, which helps reduce brute force login attempts by robots.
Security Scanner
  • The file change detection scanner can alert you if any files have changed in your WordPress system. You can then investigate and see if that was a legitimate change or some bad code was injected.
Comment SPAM Security
  • Monitor the most active IP addresses which persistently produce the most SPAM comments and instantly block them with the click of a button.
  • Prevent comments from being submitted if they don’t originate from your domain (this should reduce some SPAM bot comment posting on your site).
  • Add a captcha to your WordPress comment form to add security against comment spam.
  • Automatically and permanently block IP addresses that have exceeded a certain number of comments labeled as SPAM.
Front-end Text Copy Protection
  • Ability to disable the right-click, text selection and copy option for your front-end.
Regular updates and additions of new security features
  • WordPress Security is something that evolves over time. We will be updating the All In One WP Security plugin with new security features (and fixes if required) on a regular basis so you can rest assured that your site will be on the cutting edge of security protection techniques.
Works with Most Popular WordPress Plugins
  • It should work smoothly with the most popular WordPress plugins.
Additional Features
  • Ability to remove the WordPress Generator Meta information from the HTML source of your site.
  • Ability to remove the WordPress version information from the JS and CSS file includes on your site.
  • Ability to prevent people from accessing the readme.html, license.txt and wp-config-sample.php files.
  • Ability to temporarily lock down the front end of your site from general visitors while you do various backend tasks (investigate security attacks, perform site upgrades, do maintenance work etc.)
  • Ability to export/import the security settings.
  • Prevent other sites from displaying your content via a frame or iframe.
When using the plugin for the first time, you may be overwhelmed by the number of features available, since it tries to cover all the necessary methods to keep your site secure. Its dashboard provides a summary of how secure your site is as well as the methods you are using to keep it secured. The dashboard also shows the last five users who successfully logged in to the site.

Figure – Dashboard

A big advantage of this plugin, so far, is its firewall, since it can restrict access at the Apache level. Thus, it can block a request before it ever reaches the WordPress code.

Figure – Firewall

The plugin also features a login attempt limit to prevent brute force attacks. If an account has been locked out, the site owner will be notified. Blocking IP addresses is also available. Lastly, there is a forced logout feature, where the server logs users out after a configurable time. There are many more options available here, but most of them concern monitoring activity, such as who was the last person to log in, as well as activity logs.

Figure – User Login

If you want to prevent brute force attacks, then you must rename the default URL used to log in to the dashboard. The default URL is currently wp-login.php; with this plugin, you can change it to a URL of your own choosing. reCAPTCHA v2, a CAPTCHA service offered by Google, is also available. Keep in mind that this is v2 of reCAPTCHA, where a puzzle usually needs to be solved before logging in; in the newer version, no human intervention is needed.

Figure – Captcha

A login honeypot is also available. A honeypot is a computer security mechanism set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

Figure – Honeypot

For SPAM protection, a reCAPTCHA field can be added to forms like the comment form to prevent repeated comments with the same content. We can also check the IP address of each spammer on the SPAM protection page.

Figure – Write a comment

The last feature we’re going to cover is File System Security. This page checks whether every folder on the server has the appropriate file permissions; for example, it verifies that folders which are supposed to be read-only actually are, based on the permissions set.

The page also has features about security protection on PHP files as well as WP files. System logs can also be found on this page.

The biggest downside about this plugin is probably the malware scanner. It’s not included in the plugin itself and requires a subscription with its plugin partner: Site Scanner.

Figure – Malware

Overall, All-In-One Security and Firewall is a good choice as long as you have a separate plugin for the malware scanner if you’re not interested in the paid service being offered by this plugin.

3. Sucuri Security – Auditing, Malware Scanner and Hardening

Sucuri Security is a security plugin recommended by our hosting provider, GoDaddy. It’s currently the only plugin on our list without a premium plan, so all of its functions are available. There’s a downside, though: the functions available in this plugin are somewhat limited compared to the features of the first two plugins we’ve overviewed.

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)

Based on the features listed above, we can tell that this plugin is only useful for monitoring the site for vulnerabilities.

In the dashboard, Sucuri checks the installation integrity of your WordPress site, meaning it checks whether any core files of your WordPress site have been modified or deleted. Audit logs containing information about user actions can also be found here.
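As an added example (not code from this page, from Sucuri, or from the other plugins), this Python script performs the kind of installation-integrity check described above, which is also what the file-change detection in the Wordfence and All in One sections does: it records a SHA-256 baseline of the install tree and later reports files that were modified, deleted or added. The directory layout, file contents and excluded paths in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Paths that change legitimately all the time and are left out of the baseline.
# This list is an assumption for the example, not any plugin's setting.
DEFAULT_EXCLUDES = ('wp-content/uploads/', 'wp-content/cache/')


def sha256_of(path):
    """Hash the file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, excludes=DEFAULT_EXCLUDES):
    """Map every file under root (path relative to root -> sha256 hex)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob('*')):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if rel.startswith(tuple(excludes)):
            continue
        manifest[rel] = sha256_of(p)
    return manifest


def save_manifest(manifest, path):
    """Store the baseline outside the web root: an intruder who can edit core
    files could otherwise edit the baseline to match."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Classify differences between the trusted baseline and the live tree."""
    return {
        'modified': sorted(f for f in baseline if f in current and baseline[f] != current[f]),
        'missing': sorted(f for f in baseline if f not in current),
        'unknown': sorted(f for f in current if f not in baseline),
    }


def demo():
    """Constructed scenario: clean tree, baseline saved, then three changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / 'site'
        (root / 'wp-includes').mkdir(parents=True)
        (root / 'wp-content' / 'uploads').mkdir(parents=True)
        (root / 'index.php').write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
        (root / 'wp-includes' / 'version.php').write_text("<?php $wp_version = '0.0';\n")
        (root / 'wp-content' / 'uploads' / 'photo.jpg').write_bytes(b'\xff\xd8\xff')
        save_manifest(build_manifest(root), Path(d) / 'baseline.json')
        # Modify a core file, delete another, drop in an unexpected one, and add
        # an upload (which lies in an excluded path and must not be reported).
        (root / 'index.php').write_text("<?php // modified content\n")
        (root / 'wp-includes' / 'version.php').unlink()
        (root / 'wp-includes' / 'extra.php').write_text("<?php // unexpected file\n")
        (root / 'wp-content' / 'uploads' / 'new.jpg').write_bytes(b'\xff\xd8\xff')
        return compare(load_manifest(Path(d) / 'baseline.json'), build_manifest(root))
```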

Hardening options are available at the settings page and from there, it gives you options on how you can protect your site.

Post-hack actions are available where you can update your secret keys to prevent further damage on the site. A secret key makes your site harder to hack by adding random elements to the password. You do not have to remember the keys, just write a random, complicated, and long string in the wp-config.php file. You can change these keys at any point in time. Changing them will invalidate all existing cookies, forcing all logged-in users to log in again. You can also change the passwords for each user on this page as well as resetting the data for each plugin.
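To show why changing the secret keys logs everyone out, here is an added Python model (not WordPress’s actual implementation) of a signed login cookie: the cookie carries the username and expiry plus an HMAC keyed with the site secrets, so a cookie signed under the old keys fails validation as soon as the keys are replaced. The key names mirror AUTH_KEY and AUTH_SALT from wp-config.php; the single-key scheme and the cookie layout are simplifying assumptions.

```python
import hashlib
import hmac
import secrets
import time


def generate_keys():
    """Fresh random secrets in the role of AUTH_KEY / AUTH_SALT in wp-config.php.
    Simplified assumption: real WordPress defines several keys and salts and
    derives further per-user values from them."""
    return {'AUTH_KEY': secrets.token_hex(32), 'AUTH_SALT': secrets.token_hex(32)}


def _mac(keys, payload):
    """HMAC-SHA256 over the payload, keyed with the site secrets."""
    key = (keys['AUTH_KEY'] + keys['AUTH_SALT']).encode()
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(keys, username, expires):
    """Cookie layout: username|expiry|HMAC(secret, username|expiry)."""
    payload = f"{username}|{int(expires)}"
    return f"{payload}|{_mac(keys, payload)}"


def validate_cookie(keys, cookie, now=None):
    """Return the username if the cookie is well-formed, unexpired and signed
    with the *current* secrets; otherwise None (the user must log in again)."""
    now = time.time() if now is None else now
    parts = cookie.split('|')
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expires, mac = parts
    if int(expires) < now:
        return None
    expected = _mac(keys, f"{username}|{expires}")
    if not hmac.compare_digest(mac, expected):   # constant-time comparison
        return None
    return username
```

Rotating the keys in wp-config.php is the server-side equivalent of calling generate_keys() again: no cookie is deleted, but none of the existing ones verify any more.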

Lastly, we can check the login attempts made by each user on the site. However, this is currently limited to monitoring; no preventive controls, such as 2FA or even reCAPTCHA, are available to stop an account breach.

Overall, Sucuri is a good plugin only when monitoring the security status of your site. It’s best if paired with other security plugins that offer more security features to prevent breaches. It’s good, but it cannot stand on its own.