The 10 Best Free Security Plugins for WordPress

WordPress now powers more than 40% of all websites. This is a testament to its flexibility, ease of use, and the many free add-ons and themes available. But it also means that WordPress has a huge target on its back for hackers and malicious bots.

They are constantly looking for outdated installs and zero-day vulnerabilities. Login attacks using brute force have hit even the most lightly trafficked sites.

It has become absolutely necessary for site owners to take additional security measures. Some of this is implemented at the server level, but you can do a lot more within WordPress itself. In fact, there are a large number of free plugins that will strengthen WordPress and provide you with an extra layer of protection.

Brute force login attacks are such a nuisance that there is a whole class of plugins dedicated to stopping them. Limit Login Attempts Reloaded can help you control the situation. It provides the ability to set login limits and block offending IP addresses for a specified period of time.

Additionally, you can choose to be notified when an IP address is blocked. This can be a bit confusing for sites that experience a lot of attacks. Thus, it may be a good idea to periodically check the history of blocked attempts.

Limit Login Attempts Reloaded

Sucuri Security includes a set of features intended to keep site administrators informed. The plugin will scan your files for suspicious code and known vulnerabilities and notify you of any issues it finds. In addition, it checks your site against blocklist engines and reports whether it has been flagged.

You’ll also find a handy log of security-related activities, which helps you keep track of changes made to your site. Upgrade to the premium version to activate the firewall, improve performance, and more.

Sucuri Security

With millions of active installs, Wordfence is one of the most popular plugins out there. It will routinely scan your installation for malicious code, and it includes a real-time firewall that helps secure your site from known (and unknown) threats.

Advanced features like IP blocking and brute force login protection can give site owners some peace of mind. The premium version includes country blocking, two-factor authentication, and real-time firewall updates.


Jetpack has added some great security features in recent years. Brute-force login protection is included (and will proudly display the number of blocked malicious login attempts on your WP dashboard).

There is also a single sign-on feature that works with your account. Paid plans add spam blocking, malware scanning, and more.


This security suite (in plugin form) will protect your site with brute force protection and file change detection, require users to set strong passwords, and even help you run your entire site over SSL. The professional version adds malware checking, password expiration, and more.

iThemes Security

This plugin will check your site’s user accounts to ensure that the username and the user’s display name are not the same, since matching names are a primary way for bots to obtain login information. User registration can also be set to require admin approval, which means you’ll have the ability to decline accounts you don’t trust.

You’ll also find brute force protection, a firewall, malware scanning, and protection for configuration files.

All in one WP Security and Firewall

BulletProof Security provides additional protection for your site’s .htaccess file, logins, and authentication cookie expiration, and it allows database backups. You can also set a time limit for idle WordPress sessions, which will log the user out after a specified period of inactivity.

BulletProof Security

One of the absolute best things you can do for security is to enable SSL on your site. Once you have the SSL certificate installed on your server, Really Simple SSL will ensure that your WordPress installation is optimized to run under HTTPS.

Really Simple SSL

Previously known as WordPress Simple Firewall, this plugin will automatically block malicious URLs and requests. It will also protect your blog from spambot comments and add two-factor authentication.

WordPress Shield Protection

One sign that a site is running WordPress is its use of the default URLs /wp-admin/ and wp-login.php. Hide My WordPress allows you to securely rename these login portals to help avoid attacks.

Note that care must be taken when enabling more than one security plugin. They can conflict with each other and lead to a site crash or a significant performance hit. If you plan to use more than one security plugin, do some research to see how they work together.

While there is no magic solution to securing WordPress (or any other CMS), there are steps you can take to thwart malicious attacks. Most bots and hackers are looking for easy targets. Using a security plugin makes your site that much more difficult to hack.
