Just like you would want to protect your house from ravenous neighborhood thieves, you can turn the deadbolt on your website with these top five WordPress security plugins:
- WPS Hide Login, a streamlined plugin that changes the URL of your WordPress login form.
- Two-Factor, a multi-factor authentication tool that can defend your site against password-based attacks.
- Akismet, a spam protection solution with powerful filters.
- reCaptcha, a plugin that protects your site’s forms against spam entries.
- Stop User Enumeration, a tool that prevents hackers from discovering your users' login names.
In this post, we’ll discuss why every website owner should prioritize security. Then we’ll explore these top five WordPress security plugins in more detail. Let’s get started!
An Introduction to WordPress Security (And Why It's Important)

As one of the world's most popular Content Management Systems (CMS), WordPress is an attractive target for hackers. WordPress runs a little over 40 percent of all websites, so a single vulnerability in the core software, or in a widely installed plugin, can be used against a large share of the web at once. With this in mind, it's unsurprising that attacks against WordPress are on the rise. During the first six months of 2021, the Wordfence Web Application Firewall blocked over 4 billion malicious requests. Those figures alone are enough to worry many WordPress site owners, and there is also evidence that a good portion of these attacks succeed: in a 2020 Wordfence survey, 25 percent of respondents had dealt with a hacked site in the month before the survey. WordPress is generally considered a secure platform, but no software is perfect. During the first half of 2021, WPScan recorded 602 new vulnerabilities across WordPress plugins, themes, and the core software itself; the great majority were in plugins and themes, which is why keeping everything updated matters as much as choosing good security plugins. If a hacker takes control of your site, the consequences can be disastrous. They might steal your data, set up malicious redirects, deface your pages, or delete your content or even the entire site. Without a tested WordPress backup in place, you could lose months or even years of hard work. With the stakes high and the statistics worrying, it's vital that you take steps to protect your website.
Top 5 WordPress Security Plugins

It doesn't matter if you're a multinational enterprise, a small business, or a hobby blogger. Hackers target everyone. With that in mind, here are five security plugins to help fend off their attacks.
WPS Hide Login

In a brute-force attack, an attacker tries many username and password combinations against your login form, typically drawn from leaked credential dumps and common-password lists, until one works. This means an attacker does not need to know your password in advance; they only need enough attempts, and automated scripts can send thousands of them per hour. Brute-force attacks are common across all platforms, but WordPress is a favorite target because every installation exposes the same login form in the same place. By default, the form is served from /wp-login.php, and /wp-admin/ simply redirects visitors who are not logged in to it, so anyone can reach the form by appending that path to your domain. WPS Hide Login changes this: you choose a new login URL, and requests to wp-login.php and /wp-admin/ from visitors who are not logged in receive a 404 page instead of the form. That one change defeats the mass scanners that blindly post credentials to wp-login.php. Keep in mind that this is obscurity rather than a hard control: the new URL can leak, and WordPress still accepts username/password logins through xmlrpc.php unless you disable or restrict it, so pair the plugin with login rate limiting and two-factor authentication rather than relying on it alone. Key Features:
- Changes the login URL to anything you want
- Supports multisite setups, with subdomains and subfolders
- Is compatible with any plugin that hooks into the WordPress login form, including BuddyPress, bbPress, and Jetpack
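Whether or not you rename the login URL, you should be able to see password guessing in your web server logs, and the log is also where you will notice that attackers simply switch to xmlrpc.php. The following detector is an added example written for this post, not code from WPS Hide Login or from the original article. It parses constructed access-log lines in the common Apache/nginx "combined" format and flags any client IP that posts credentials to a login endpoint more than a threshold number of times inside a sliding window. The path /my-secret-login/ is an assumed renamed login URL; the IP addresses and log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format. Not real traffic:
# 203.0.113.7 hammers wp-login.php, 198.51.100.9 uses xmlrpc.php instead, and
# 192.0.2.44 is a legitimate user logging in once through a renamed login URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2021:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2021:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2021:14:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.25"
203.0.113.7 - - [10/Jun/2021:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2021:14:02:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.25"
203.0.113.7 - - [10/Jun/2021:14:02:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2021:14:02:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.25"
198.51.100.9 - - [10/Jun/2021:14:02:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.25"
198.51.100.9 - - [10/Jun/2021:14:02:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.25"
192.0.2.44 - - [10/Jun/2021:14:03:00 +0000] "GET /my-secret-login/ HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2021:14:03:20 +0000] "POST /my-secret-login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints that accept a username/password on a stock install. Renaming the
# login URL removes wp-login.php from the attacker's view but not xmlrpc.php.
CREDENTIAL_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a non-matching line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]          # ignore query strings
    return m["ip"], ts, m["method"], path, int(m["status"])


def find_bruteforce(log_text, threshold=5, window_seconds=60, extra_paths=()):
    """Map each offending IP to its peak number of credential POSTs within the window.

    Only POSTs carry credentials. On a failed login WordPress re-renders the form
    with HTTP 200 (xmlrpc.php answers a fault with 200 as well); a successful
    login redirects with 302, so 302s are not counted as attempts.
    """
    paths = CREDENTIAL_PATHS | set(extra_paths)
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path in paths and status != 302:
            attempts[ip].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # Include the renamed login path so guessing against it is caught too.
    print(find_bruteforce(SAMPLE_LOG, extra_paths=("/my-secret-login/",)))
```

Run against a real log, the output is the list of IPs to feed to your firewall or Fail2ban jail. Note that the xmlrpc.php client is caught only because that path is in the watch list; if you hide the login page, add rate limiting for xmlrpc.php as well or disable it.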
Two-Factor

Using a long, complex, and unique password helps keep your site safe, but some attacks succeed regardless of password strength. A keystroke logger records everything you type, including your password; a phishing page captures it when you enter it into the wrong form; and a breach at another service exposes any password you reused. Following password best practices is a great start, but you should also enable Two-Factor Authentication (2FA). With 2FA configured, anyone logging in must pass an additional check after supplying the correct username and password, so a stolen password is not enough on its own. Some of the biggest companies in the world rely on it. In fact, Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, says, "your account is more than 99.9 percent less likely to be compromised if you use [2FA]". You can add this layer to your WordPress website with the Two-Factor plugin. Once activated, it lets each user enroll one or more second factors: a time-based one-time password (TOTP) from an authenticator app, a code sent by email, a FIDO U2F security key, or printable backup codes for when the primary method is unavailable. Enrolling a second factor makes leaked or stolen passwords far less useful to an attacker, though note that email codes are only as strong as the mailbox they are sent to. Key Features:
- Protects your site using one or multiple 2FA providers
- Supports backup codes
- Provides a dummy method that accepts any input, useful for testing the 2FA flow (never leave it enabled on a production site)
Akismet

Attackers also try to get WordPress to publish malicious content for them, most often as comment spam. Spam comments expose your visitors to links pointing at malware or phishing pages, and they damage your reputation and your search engine rankings. If your site fills up with spam links, search engines may penalize it, and if it ends up hosting or linking to malware it can land on Google Safe Browsing's list of dangerous sites, which makes browsers show a warning before anyone reaches you. With over 53 percent of all web traffic originating from organic search, that is seriously harmful to your WordPress website. The Akismet plugin protects your visitors and your rankings: whenever a new comment (or, through supported form plugins, a contact form submission) arrives, Akismet submits it to its service and checks it against a global database of known spam. Filtered content is held in the spam queue in the WordPress dashboard, where you can review it and decide which comments appear on your website. Akismet requires an API key, and it is a filter rather than a hard block, so check the queue occasionally for false positives. Key Features:
- Automatically filters comments that resemble spam
- Displays a detailed status history for each comment
- Easily blocks the worst spam via its discard feature
- Enables you to review the total number of approved comments for each user
reCaptcha

WordPress forms add useful functionality to your website: they let readers contact you, sign up for your email list, book appointments and events, and much more. However, every public form is also a target for spam. Bots (and sometimes humans) submit fake entries containing links to malware or phishing websites, ads, or irrelevant and abusive content, and against registration or password-reset forms they can create junk accounts or flood a mailbox with reset emails. Online stores are especially exposed; one study found that ecommerce sites were the target of more than 18 percent of phishing attacks. It therefore pays to put a bot check in front of your forms. The reCaptcha plugin adds Google's reCAPTCHA challenge to your site's forms without inconveniencing legitimate users: in the common "v2 checkbox" configuration, a human ticks a box (and occasionally solves an image puzzle) before submitting, while automated submissions fail the challenge and are discarded. You need a site key and a secret key from Google, the response token must be verified server-side with the secret key (the plugin handles this), and because the widget loads a script from Google you should mention it in your privacy notice. Key Features:
- Applies to multiple form types, such as contact and reset password forms
- Lets you skip the check for logged-in or allowlisted users
- Comes in multiple languages
Stop User Enumeration

User enumeration is the reconnaissance step that precedes a brute-force attack: before guessing passwords, the attacker collects the valid usernames on your site, which removes half of the guesswork. WordPress leaks them in several ways out of the box. Requesting /?author=1 redirects to the author archive at /author/<slug>/, and the slug is normally the login name; increasing the number walks through every user. The REST API endpoint /wp-json/wp/v2/users lists every user who has published a post, with the same slug field. And the default login form's error wording differs depending on whether the username exists or only the password was wrong, so the form itself confirms guesses. Once an attacker knows a username, they can concentrate their password attempts on it, or use it to work out your real identity and target you with tailored phishing. Stop User Enumeration closes the first two paths: it blocks author-ID queries and the anonymous REST users listing, and it logs the offending IP addresses so that a tool such as Fail2ban can ban repeat offenders before they move on to password guessing. The login form's wording is a separate leak worth checking on your own site. Key Features:
- Logs enumeration attempts in a format Fail2ban can read, so repeat offenders are banned at the firewall before they start brute-forcing (this slows down attackers; it is not a defense against a Distributed Denial of Service (DDoS) attack)
- Blocks enumeration through the REST API users endpoint (/wp-json/wp/v2/users) for visitors who are not logged in
- Logs offending IP addresses so your firewall tooling can block them
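The quickest way to know whether the plugin (or your own hardening) worked is to issue the three probes yourself and see what comes back. The checker below is an added example written for this post, not code from Stop User Enumeration or the original article. It works on constructed HTTP responses, so it runs offline: a "leaky" site that answers the way a stock WordPress install does, and a "hardened" site that returns 404 for the author query, 401 for the anonymous REST listing, and a generic login error. The site name example.com, the usernames and the response bodies are constructed for the demonstration; in practice you would fill the same tuples from real responses.

```python
import json
import re
from urllib.parse import urlparse


def username_from_author_redirect(status, headers):
    """On a stock install /?author=N redirects to /author/<slug>/; the slug is
    normally the login name. Returns the slug or None."""
    if status not in (301, 302):
        return None
    path = urlparse(headers.get("Location", "")).path
    m = re.search(r"/author/([^/]+)/?$", path)
    return m.group(1) if m else None


def usernames_from_rest(status, body):
    """/wp-json/wp/v2/users lists every user who has published a post; the
    'slug' field is the login name. Returns [] when the listing is refused."""
    if status != 200:
        return []
    try:
        users = json.loads(body)
    except ValueError:
        return []
    if not isinstance(users, list):
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


# Default WordPress wording that tells an attacker whether the username exists.
LEAKING_ERROR = re.compile(
    r"(username \S+ is incorrect|username \S+ is not registered|unknown username)",
    re.IGNORECASE,
)


def login_error_leaks_username(message):
    """True when the login error distinguishes 'no such user' from 'wrong password'."""
    return bool(LEAKING_ERROR.search(message))


def enumerate_users(probes):
    """Combine the author-redirect and REST probes; returns the usernames exposed."""
    found = set()
    name = username_from_author_redirect(*probes["author_redirect"])
    if name:
        found.add(name)
    found.update(usernames_from_rest(*probes["rest_users"]))
    return found


def is_hardened(probes):
    """A site passes only if nothing leaks a username through any of the three probes."""
    return not enumerate_users(probes) and not login_error_leaks_username(probes["login_error"])


# Constructed responses (not captured from a real site). Each probe is
# (status, headers) or (status, body) as the functions above expect.
LEAKY_SITE = {
    "author_redirect": (301, {"Location": "https://example.com/author/siteadmin/"}),
    "rest_users": (200, json.dumps([
        {"id": 1, "name": "Site Admin", "slug": "siteadmin"},
        {"id": 2, "name": "J. Doe", "slug": "jdoe"},
    ])),
    "login_error": "Error: The password you entered for the username siteadmin is incorrect.",
}

HARDENED_SITE = {
    "author_redirect": (404, {}),
    "rest_users": (401, json.dumps({"code": "rest_user_cannot_view",
                                    "message": "Sorry, you are not allowed to list users."})),
    "login_error": "Error: Invalid username or password.",
}

if __name__ == "__main__":
    print("leaky site exposes:", sorted(enumerate_users(LEAKY_SITE)))
    print("hardened site passes:", is_hardened(HARDENED_SITE))
```

The author-redirect probe is the one most often forgotten: blocking the REST endpoint alone leaves /?author=1 working, and this check catches that gap.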
Bonus: HTTP Headers

HTTP headers are the metadata attached to every request and response. When a user types your domain into their browser, the browser sends a request whose headers say which site it wants (Host), what content it accepts, and which cookies it holds; your server replies with response headers that tell the browser how to treat the page. Several of those response headers are security controls, and leaving them out weakens the site. Request headers can be abused too: the Host header is supplied by the client, so if your site trusts it when building absolute URLs (password-reset emails, redirects), an attacker who sends a forged Host value can make those links point at a domain they control, a technique known as Host header injection or password-reset poisoning. The HTTP Headers plugin lets you set the response headers your WordPress site sends from the dashboard. For example, you can add HTTP Strict-Transport-Security (HSTS) so that browsers connect only over HTTPS for the period you specify (a year is the usual value) and refuse to downgrade; others worth adding are X-Content-Type-Options: nosniff, X-Frame-Options or a Content-Security-Policy with frame-ancestors against clickjacking, and a Referrer-Policy. Turn HSTS on only once every page (and, if you use includeSubDomains, every subdomain) works over HTTPS, because browsers cache the instruction for the full max-age. Key Features:
- Enables you to control more than 30 HTTP headers
- Lets you configure each header's value individually
- Includes a detailed plugin tutorial
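Once the plugin is configured, verify the result rather than trusting the settings page. The audit below is an added example written for this post, not code from the HTTP Headers plugin or the original article. It takes a dictionary of response headers (as you would get from any HTTP client) and reports missing or weak security headers, checking the HSTS max-age and includeSubDomains directives in particular; it also shows the server-side counterpart to the Host header problem described above, a Host allowlist that must be consulted before the value is used to build a link. The hostnames example.com and www.example.com and both header sets are constructed for the demonstration.

```python
ONE_YEAR = 31536000

# Assumed: the hostnames this site is really served on. Anything else in the
# Host header is either a misconfiguration or an attacker's value.
ALLOWED_HOSTS = {"example.com", "www.example.com"}


def host_is_trusted(host_header, allowed=ALLOWED_HOSTS):
    """Return True only if the client-supplied Host names one of our own hostnames."""
    if not host_header:
        return False
    host = host_header.strip().lower().split(":", 1)[0]     # drop an optional :port
    return host in allowed


def build_reset_link(host_header, token):
    """Safe pattern: refuse to build an absolute URL from an untrusted Host.

    Without this check a forged Host of attacker.example would end up in the
    password-reset email and the token would be sent to the attacker's server.
    """
    if not host_is_trusted(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    host = host_header.strip().lower().split(":", 1)[0]
    return f"https://{host}/wp-login.php?action=rp&key={token}"


def parse_hsts(value):
    """Split 'max-age=31536000; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    return directives


def audit_headers(headers):
    """Return a list of findings for a response-header dict (keys in any case)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By discloses the platform ({h['x-powered-by']})")
    return findings


# Constructed header sets, before and after hardening (not captured from a real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Powered-By": "PHP/7.4.21",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for finding in audit_headers(WEAK_HEADERS):
        print("-", finding)
    print("hardened findings:", audit_headers(HARDENED_HEADERS))
```

Feed it the headers of your own home page and login page; the login page is the one that matters most for HSTS and clickjacking, and it is also the page most likely to be served by a different rule set.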