WordPress is at least as secure as other content management systems. It’s also more popular. When hackers and cyber criminals look for vulnerabilities, it makes sense for them to focus on an application as popular as WordPress. It gives them the greatest chance of finding a vulnerable site.
No matter how secure a default WordPress installation is, any application that is under constant attack from hackers is going to need a little bit of help.
Most WordPress vulnerabilities are not caused by flaws in WordPress itself, but by configuration errors. Many site owners keep the default admin username with a weak password and neglect to update their installations: the two biggest causes of hacked WordPress sites.
Assuming you’ve got those basics covered, it’s time to think about beefing up security to repel even the most determined criminal.
I’m going to highlight four plugins that will turn a standard WordPress installation into Fort Knox. There’s some duplication of functionality in these plugins. You don’t need all of them, but WordPress webmasters should be aware of the options — informed site owners build safer sites.
Most attacks on WordPress are not very sophisticated. Hackers use botnets to enter lots of username-password combinations until they find the right one. The best defense is to remove the default admin user and use long random passwords, but WP Admin Protection adds an extra layer of defense.
The plugin implements CAPTCHA tests on the login page. CAPTCHA tests try to determine whether the login attempt is made by a human. Botnets usually aren’t sophisticated enough to read CAPTCHA tests.
Additionally, WP Admin Protection adds a third authentication token to the standard username and password: a secret key that every user needs to know before they can log in.
WP Login Security 2 also protects the login page. It keeps logs of users’ IP addresses, and if a login attempt is made from an unfamiliar computer, the plugin sends an email with a verification link to the user’s registered address.
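The botnet pattern described above is visible in ordinary web-server logs. The following is an added example (not code from any of the plugins mentioned) that flags source IPs hammering wp-login.php; it assumes Apache combined-format access logs and WordPress’s default behaviour of answering a failed wp-login.php POST with HTTP 200 (the form re-rendered) and a successful one with a 302 redirect. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3512
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside any `window`.
    Assumes a failed login re-renders the form (200) and a success redirects (302).
    Also reports whether a 302 followed the failures, i.e. a guess may have worked."""
    attempts = defaultdict(list)  # ip -> [(time, status), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3].startswith("/wp-login.php"):
            attempts[rec[0]].append((rec[1], rec[4]))
    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [t for t, s in events if s == 200]
        best, start = 0, 0  # sliding window over failure timestamps
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            succeeded = any(s == 302 and t > fails[-1] for t, s in events)
            flagged[ip] = {"failed": best, "success_after_failures": succeeded}
    return flagged
```

An IP reported with `success_after_failures` set deserves immediate attention, since it matches a guessed password rather than a merely noisy scan.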
Wordfence Security is a suite of tools for protecting WordPress sites. It includes IP blocking based on data from other attacks, two-factor authentication, integrity scanning of core files, a firewall to block botnet scans, and malware scanning, among many other features.
BulletProof Security is a popular plugin that actively guards against exploitation. It has far too many features to list fully, but some of the most notable are protection from cross-site scripting and SQL injection attacks, login and brute force protection, and implementation of security best practices for the .htaccess file.
While it’s impossible to truly guarantee the security of any site on the Internet, with a combination of these plugins, WordPress site owners can make hacking their sites so difficult that most attackers will move on to an easier target.