WordPress Security

Originally published at: WordPress Security – Von Enterprises

Just a moment ago I finished testing a whole bunch of plugins so I could find my favorite security and malware protection plugin. You shouldn't have to pay for good security and, if you choose to pay, it doesn't mean you should get all sorts of bloat and subpar performance and detection. One thing I really liked was what SecuPress did: they offered to "auto fix" it for $$ or show you the manual approach with documentation… pretty cool!

The most important things learned:

  • Take automated weekly or monthly backups so you can easily roll back after a security incident, and keep a copy off the server so an attacker who gets in can't delete it too
  • Tighten folder and file permissions (typically 755 for directories, 644 for files, and stricter for wp-config.php)
  • Lock down your login page, avoid predictable usernames (like admin), protect system folders and change your table_prefix
  • Block outbound connections, and whitelist only the hosts you need, using wp-config.php; this only governs requests made through the WordPress HTTP API (wp_remote_get and friends), so a plugin that calls cURL directly is not covered, and a whitelist that is too tight silently breaks core and plugin updates
define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', '*.wordpress.org, *.github.com');
  • Many plugins offer limited functionality because they want you to pay $$$ each and every month or year, and they typically gate the most valuable features (i.e. Malware Cleanup, Firewall Control, Scheduled Actions, etc.)
  • Disable the admin panel Theme Editor and Plugin Editor using a wp-config.php tweak, so a compromised admin account can't drop PHP into a theme file from the dashboard
define('DISALLOW_FILE_EDIT', TRUE);
  • Delete themes, plugins and files your WordPress installation does not need; inactive code is still reachable and still has to be patched.
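To see what the WP_HTTP_BLOCK_EXTERNAL / WP_ACCESSIBLE_HOSTS pair from the list above actually does before you put it in a live wp-config.php, here is an added, stand-alone PHP script (not from the original post and not WordPress core code). The matching rules in is_blocked() are my reading of how core's WP_Http::block_request() treats the list (comma-separated, `*` turned into a "one or more characters" wildcard) and should be treated as an assumption; the site host example.com, the constant SITE_HOST and the probe URLs are constructed for the demo.

```php
<?php
// Added example: models the outbound-request check WordPress applies once
// WP_HTTP_BLOCK_EXTERNAL and WP_ACCESSIBLE_HOSTS are defined. This is NOT
// core code; the matching rules are an assumption based on reading core,
// and SITE_HOST / the probe URLs are constructed for the demo.

// --- the lines you would put in wp-config.php --------------------------
define('WP_HTTP_BLOCK_EXTERNAL', true);
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org, *.wordpress.org, *.github.com');
define('DISALLOW_FILE_EDIT', true);    // hides the Theme/Plugin editor
// define('DISALLOW_FILE_MODS', true); // stronger: also blocks installs/updates from the dashboard

// --- model of the check --------------------------------------------------
const SITE_HOST = 'example.com'; // assumed; core reads the home host from the siteurl option

function is_blocked(string $url): bool
{
    // Nothing is blocked unless the kill switch is on.
    if (!defined('WP_HTTP_BLOCK_EXTERNAL') || !WP_HTTP_BLOCK_EXTERNAL) {
        return false;
    }
    $host = parse_url($url, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return true; // unparseable or host-less URL: fail closed
    }
    $host = strtolower($host);
    // Requests back to the site itself (loopback cron, REST self-calls) stay allowed.
    if ($host === 'localhost' || $host === SITE_HOST) {
        return false;
    }
    // Block-everything mode when no whitelist is given.
    if (!defined('WP_ACCESSIBLE_HOSTS')) {
        return true;
    }
    foreach (preg_split('/,\s*/', WP_ACCESSIBLE_HOSTS) as $allowed) {
        // '*' becomes '.+', so '*.wordpress.org' requires at least one label
        // before the dot: the bare apex 'wordpress.org' is NOT matched.
        $pattern = '/^' . str_replace('\*', '.+', preg_quote(strtolower($allowed), '/')) . '$/';
        if (preg_match($pattern, $host)) {
            return false;
        }
    }
    return true;
}

// Constructed probe URLs covering the cases a whitelist usually gets wrong.
$probes = [
    'https://api.wordpress.org/core/version-check/1.7/',  // allowed: explicit entry
    'https://downloads.wordpress.org/plugin/x.zip',       // allowed: *.wordpress.org
    'https://wordpress.org/',                             // BLOCKED: apex not covered by *.wordpress.org
    'https://api.github.com/repos/foo/bar/releases',      // allowed: *.github.com
    'https://example.com/wp-cron.php',                    // allowed: same host as the site
    'https://telemetry.some-plugin-vendor.example/ping',  // BLOCKED: not in the list
];

foreach ($probes as $url) {
    printf("%-55s %s\n", $url, is_blocked($url) ? 'BLOCKED' : 'allowed');
}
```

Run it with `php check.php`. Two things to take from the output: a wildcard entry does not cover its own apex, so list `api.wordpress.org` (or the apex) explicitly if an update path needs it, and the only hosts that get through are the ones you name, which is exactly why plugin telemetry disappears once the constant is on. Remember the check lives inside the WordPress HTTP API, so after enabling it, confirm on the Updates screen and in Site Health that core, plugin and theme update checks still succeed.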

List of Interesting Plugins

  • All In One WP Security
  • BBQ
  • BulletProof Security
  • SiteGround Security
  • iThemes Security
  • NinjaScanner
  • SecuPress Free — WordPress Security
  • Security Ninja
  • Shield Security
  • Titan Anti-spam & Security
  • Wordfence Security
  • WP Cerber Security, Anti-spam & Malware Scan

Most of the plugins I tested didn't make the cut because a monthly or annual subscription was required, or the plugin was just too massive (Wordfence at 14MB is insane). If you want to believe me, you'll have to take my word, but I did a pretty good test on all the plugins and the things I saw were wild… some of these plugins are designed to funnel you into a payment screen, and others are popularized by good branding with gimped features.

Favorite Plugins Tested:

  1. BBQ
  2. Tied = SecuPress & All In One WP Security
  3. WP Cerber Security
  4. Tied = Shield Security & Wordfence
  5. BulletProof Security
  6. Titan Anti-spam & Security
  7. Security Ninja
  8. Defender
  9. iThemes

* strikethrough = too many “premium paid” features
* plugin is junk if it’s not on the list

Misc.

  • I really enjoyed using Snitch to monitor outgoing connections, but it generates a lot of connection log entries… the insight it provided was amazing though, because before now I never knew just how many API calls plugins make… it's insane and must be controlled (that's why I recommend defining WP_HTTP_BLOCK_EXTERNAL).
  • Giant list of wp-config.php tweaks
  • The amount of logs / notifications people promote is silly; you can set up notifications to monitor things that are worthless to know about.

cool!