What I Currently Recommend (Last Updated 10/16/13)
1) Sucuri – Sucuri is a major leader in the WordPress security industry. It used to be that they specialized almost exclusively in repairing infected websites. They’ve always been one of the best at what they do, but because they only handled repair, we were left to find alternatives to handle the other components of WordPress security.
That’s not the case anymore though. Sucuri now offers total 360 degree security protection encompassing prevention, monitoring, backup and repair. Their services are innovative, inexpensive, easy to implement, and don’t require the installation of additional plugins.
I cannot recommend Sucuri highly enough.
At the time of this writing their products are segmented and can be purchased together or separately…
The core service that they’ve always had remains unchanged. This includes monitoring and repair of 1 site and costs $89.99 annually.
The second product is called Cloud Proxy, which is a very robust cloud-based detection and prevention system costing $9.99 per month.
The third product is an offsite backup solution that backs up your site once a day, retaining the last 60 days worth of backups. This costs $5 per month.
So if you prorate that out over a year, you’ll see that you’re only paying $22.50 per month for a complete all-in-one security solution.
And in this case, all-in-one doesn’t mean “not as good” as the more specialized competition either. Sucuri is THE name in WordPress security and all of these products are top tier.
So basically… $20 a month for total peace of mind? … sure, I’ll take that 🙂
2) Bulletproof Security – Security is about layers and it never hurts to have an additional layer of security that resides directly on your site via a plugin. If you want an extra layer of security in addition to Sucuri, BPS should be it.
Although BPS can be a bit intimidating at first, it really is the best security plugin available at this time. The free version gives you simple effective security solutions that you can set up in a few minutes.
If you want to get Fort Knox crazy with your security measures, the premium version does so much good stuff it’ll make your head spin. It will even auto-restore infected files and auto-quarantine new ones so it protects you even if your server is compromised.
But honestly the real reason I have to recommend this plugin over all others is due to the level of support the developer provides. If you browse through their WP support forum it is ridiculous how active he is in the community… when does he sleep! 🙂 They also have dedicated support forums for both the free and paid versions of BPS on their site as well.
BPS is a must have plugin.
Best WordPress Security Plugins 2013
Security is an issue that many WordPress users are completely unaware of. Up until recently I never gave it much thought myself. I just never knew it was something to be concerned with. Thankfully, I woke up before it was too late.
Sadly though, many many people aren’t so lucky. Every day WordPress sites are hacked and destroyed. WordPress is particularly attractive to hackers because it is so popular. If they can find a vulnerability that they can exploit on a massive scale, there are literally millions of sites they can target.
After spending a great deal of time researching and trying out various security plugins and services, I thought it would be nice to put that information together in one place for anyone else who might be going through the same process.
A good WordPress security strategy is about layers. There are several essential elements that need to be implemented and together they will help ensure your site’s safety. No strategy is ever totally bulletproof, but with all these layers working together you can bounce back from even the most vicious attacks with relative ease.
The 4 layers of WordPress security that I’ve found to be absolutely essential are covered one by one below:
NOTE: Although implementing the best WordPress security plugins is an important part of the process to secure your site, it is not the only solution. In this post we will also look at some other services and strategies as well. It is important to note that plugins can introduce security holes themselves. There seems to be a general consensus that the WordPress core is actually quite secure and it is in fact the introduction of third party themes and plugins that often pose the greatest security threat to your website.
Remember also that too many plugins can slow down your site’s performance. If you’re concerned, there’s a great plugin called P3 that will scan all of your other plugins and tell you how much they are slowing down your site.
1) Backup Your Site
Backing up your WordPress site is the first line of defense and the most important thing you can do to prevent disaster. There are many backup utility plugins out there with varying features and effectiveness.
Code Guard is a service that will backup all your WordPress files and your database on a daily basis. What sets Code Guard apart though is that they also monitor all of your files for changes so that if a hacker does gain access to your site and begins altering files, you’ll know about it quickly and can nip it in the bud.
Code Guard has changed their pricing structure a few times but at the time of this writing they have 3 tiers: $5 per month, $99 per month, and $299 per month. The plan that’s right for you will depend on how many sites and how much data you need backed up. For most people the $5 plan will work fine.
You can connect your site to Code Guard’s servers with their plugin or via FTP.
If you opt for the plugin, Code Guard will automatically backup and monitor your entire root directory. If you decide to use FTP you will be able to specify what you want backed up and you can even opt to have it backup the entire home directory of your site. All backups are stored on Code Guard’s servers.
Note that Code Guard often improves their site and services so, depending on when you read this, this information may not be totally accurate.
Code Guard also has excellent support. I have asked several questions via email and have always gotten prompt, cordial, and knowledgeable answers.
Vault Press is one of the most popular backup plugins around. Vault Press only backs up your themes, plugins, uploads and database. In most cases this is fine because all of your irreplaceable data (posts, pages, images, settings, etc.) are contained within these locations. If you have a lot of static pages that you’ve uploaded to your servers outside of WordPress however, you’ll need to back these up another way as Vault Press will not.
What makes Vault Press special is that it does its backing up in real time. This is a neat feature because it gives you the peace of mind of knowing that the most current version of your important data is always backed up. Every time you make a change to your site, be it a new post or simply changing a dashboard setting, Vault Press is notified and backs up the changes. All backups are stored on Vault Press servers.
Vault Press will run you $15 per month for the basic service, which only includes real time backups. If you want extra features like security scanning, it will cost you.
Back WP Up is a very versatile plugin that will produce a local backup of your files and database that is stored on your own server. But Back WP Up will also allow you to send those backups to an FTP server, Amazon S3, Google Storage, Microsoft Azure (Blob), RackSpaceCloud, Dropbox, SugarSync, or your email.
This is a very important feature because keeping your backups stored only on your own server is a recipe for disaster. If something catastrophic were to happen (which is exactly why you’re backing up in the first place) there’s a good chance the backups stored on your server would be lost along with the rest of your site. Storing copies of your backups offsite is critical.
This plugin will also perform several other functions like automatically optimizing your database (which should be done regularly, either automatically with a plugin or manually with phpMyAdmin).
This plugin comes from the WordPress repository and is totally free.
Backup Buddy is another very popular backup solution. Backup Buddy has a lot in common with Back WP Up. It will allow you to schedule full or partial backups of your files and database that are stored locally. You can then have those backups automatically sent out to Dropbox, Amazon S3, an FTP server, Rackspace Cloud or to your email.
They also include a free malware scanner from Sucuri, who are known for their excellent security services. You can scan your blog for free any time you like with Sucuri’s Site Check, but having your backed up files scanned automatically for threats is a great hands-off way to help alert you quickly if there’s a problem.
Backup Buddy is a premium plugin and one of the most popular options of its kind, so you can expect an intuitive interface, solid functionality, regular developer upkeep and quick, helpful support. I submitted a couple of questions to their support forum recently and was surprised by how quickly and thoroughly they were answered.
Backup Buddy costs $75 per year for a 2 site license.
If you’re using Host Gator then your cPanel has a backup utility built right into it. With this tool you can backup individual databases, your home directory (all your files), email forwarders, or do a full site backup, which includes all of the above. I like to keep a current full backup of my site that’s no more than a week old at all times, which I then store in 3 separate places.
The database and home directory backups download straight to your computer. When you click the button to generate a full backup however, it is stored in your home directory and then it gives you a link to download it to your computer from there.
It’s important to remember to delete old backups from your home directory that you don’t need anymore, as they can add up quickly and will take up a lot of space. You can do this through the file manager icon in your cPanel.
Unfortunately, cPanel doesn’t allow you to schedule automatic backups, but it only takes a few minutes to do it by hand.
To restore a backup, simply navigate back to the backup utility and use the restore functions on the right side (see image above). Just browse on your computer for your zipped backup file and upload it to your site. Remember that this will overwrite any existing data and replace it with your backup. It cannot be undone.
Full backups can’t be restored this way however. To restore a full backup you will need to contact your hosting provider and have them do it for you.
Also your backup files will be in a gzipped format, so you won’t be able to view them on your computer without a third party program. If you ever need to view or restore the individual files of your home directory backups, there’s a free program called 7-Zip that’s able to unzip these files for you.
You can’t restore individual files through the cPanel interface, but once you have access to them you can easily FTP in the ones you need using an FTP program like FileZilla. Incidentally, using an FTP program is another easy way to backup your website files straight onto your computer.
2) Take Preventative Measures
The next step is to have a prevention strategy. From what I’ve found there really aren’t a lot of plugins and services offering security breach prevention. Most offer scanning services that will alert you if a breach has occurred, which is nice, but it would be even nicer to stop the breach from happening in the first place.
By far, the best WordPress security plugins for 2013, or any year for that matter, will be prevention plugins.
Bulletproof Security is a very well respected plugin that uses .htaccess rules to help prevent people from being able to hack into your site. It’s a complicated plugin that does a lot (most of which I honestly don’t understand).
Due to the complexity of what the plugin does, the user interface does leave a bit to be desired. It isn’t quite as streamlined as you’re probably used to, but the developer has done a great job of making a complicated process fairly simple for a novice user to implement.
The support for this plugin is also top notch. I asked several very long winded questions that were always answered promptly and completely. By far one of the best support experiences I’ve had.
The core version of the plugin is free but there is also a much more comprehensive premium version BPS Pro ($59.95) that does many many more things, all of which are completely over my head 😉
Wordfence is a newer plugin that’s been gaining a ton of momentum. I haven’t had time to test this plugin myself but it has stellar reviews and seems to do an awful lot for a free plugin.
1) Provides login security.
2) Provides real time scanning.
3) Monitors all traffic in real time.
4) Compares theme and plugin files to WordPress repository version.
5) Lots of other stuff.
Wordfence is worth taking a look at.
6Scan is another plugin that offers WordPress security solutions in the form of prevention. What makes 6scan special though is that it adapts to your website’s environment, rather than just providing a general set of security walls. This definitely makes it one of the best security plugins for 2013.
6scan is constantly updated with emerging threat data and (depending on your version) it will actually plug new security holes as they are discovered. This is especially helpful when you have additional plugins installed that are not updated by their developers frequently. If 6scan sees that one of these plugins has a security vulnerability, it will often fix the problem right away instead of you having to wait months for an update to come from that plugin’s developer, if it ever comes at all.
The plugin has an extremely streamlined, easy to navigate settings menu. I suspect that 6Scan probably does a lot of exceedingly complicated things, like Bulletproof Security does, but it does it in a way that any WordPress user, of any skill level, can implement with ease. That’s what I love most about 6Scan, the user interface is as simple as it could possibly ever be. It really is a completely hands off security solution.
It seems to me that the 6Scan developers are wanting their plugin to be a truly all-in-one security plugin as well. They have recently implemented a login security feature (very important to have) and now even include a backup utility.
6Scan’s backup feature automatically does a full root folder and database backup once a day and stores them off site on their secure servers. It only keeps the last 15 backup sets, but that is more than enough. If you want to keep copies of earlier backups you can simply download them to your computer any time before they are scrubbed from the 6Scan servers so you can keep them forever.
The way it’s going, I think we can expect some really great things from the 6Scan team. They’re already doing things that no other security plugin does and they’re constantly improving the look and functionality of their product.
There are several pricing options for 6scan, but most people will go with the $9.99 per month version, which will automatically find and fix new vulnerabilities. In my opinion, this plugin is well worth the price for those of us who aren’t WordPress security experts and are looking for an automated security solution.
Support with 6scan is very good as well from my experience. I had a minor issue with the plugin recently that was resolved within a few hours of my submitting a ticket, so I’m impressed.
As far as the effectiveness of 6Scan’s security measures when compared with BPS, I can’t really say. Only a security expert with the knowledge to evaluate the code of each plugin would know. As far as the average end user experience goes though, 6Scan has my vote.
I’ve never personally given Better WP Security a try, but the sheer scope of its feature set and ambitious design warrant a mention anyway. Better WP Security is a free plugin found in the WordPress repository and it is another plugin that shoots for all-in-one security.
This plugin seems to make a lot of edits to your site and should be used with caution. The developer states several times throughout the plugin description and FAQ pages that it is extremely important to do a full backup of your site before installing this plugin as it may break existing sites.
If you are interested in installing this plugin on an existing site, I recommend you read through the description and FAQ pages thoroughly first.
As I mentioned earlier, login security is a must have feature for your WordPress site. By default WordPress will allow an unlimited number of failed login attempts, allowing attackers to utilize automated brute force attacks to try and crack your login info. I was told by the developer of Bulletproof Security once that any password can be cracked, given enough time.
The answer to this problem is to limit the number of failed logins an attacker can attempt in some way. Typically, login security plugins will automatically lock out an attacker for X minutes after X number of failed logins attempted within X number of minutes. You set the values for X.
The good ones will also hide login error information so attackers don’t know which piece of your login they got wrong. They should also send you an email notification with details on the attack.
As I mentioned earlier 6Scan has these features built into it, so if you’ve decided to use that plugin there’s no need to install additional login security plugins.
If you aren’t using 6Scan however, then Login Security Solution is my #1 recommendation hands-down.
Login Security Solution works a bit differently than similar plugins. Instead of locking out an attacker outright, it will slow down response times more and more, eating up the attacker’s resources. It accomplishes the same goal, just in a slightly different way.
Login Security Solution has all the features you would want in a login security plugin and even has some you wouldn’t think to ask for. My favorite feature: it will actually immediately boot out an attacker if they do manage to break in after X number of login attempts.
It also includes a minor feature that will log out users after X minutes of inactivity. Not really that important unless you’re using your website on a shared computer and forget to log out, but it’s nice to have. 6Scan does not have this feature.
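As an added illustration of the lockout policy described above (this is my own example, not code from 6Scan, Login Security Solution or any other plugin reviewed here), the following plugin-style snippet counts failed logins per client address in a WordPress transient, locks that client out after the configured number of failures within the window, emails the site owner with the details, hides the built-in "wrong username" / "wrong password" hints behind one generic message, and clears the counter on a successful login. The policy values (5 failures in 10 minutes, 30 minute lockout) and the assumption that REMOTE_ADDR is the real client address (no reverse proxy or CDN in front of the site) are mine.

```php
<?php
/*
Plugin Name: Example Login Throttle (added illustration only, not a published plugin)
*/

// Hypothetical policy values: lock a client out for ELT_LOCKOUT_MINUTES after
// ELT_MAX_FAILURES failed logins within ELT_WINDOW_MINUTES.
define('ELT_MAX_FAILURES',    5);
define('ELT_WINDOW_MINUTES',  10);
define('ELT_LOCKOUT_MINUTES', 30);

// One counter per client address. Assumption: nothing sits between the visitor
// and the web server, so REMOTE_ADDR is the real client (behind a proxy it would
// be the proxy's address and every visitor would share a single counter).
function elt_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'elt_' . md5($ip);
}

// Current state for this client: failure count and lock expiry (unix time).
function elt_state() {
    $state = get_transient(elt_client_key());
    if (!$state || ($state['locked_until'] && $state['locked_until'] < time())) {
        return array('count' => 0, 'locked_until' => 0);   // no record, or an expired lock
    }
    return $state;
}

// WordPress fires wp_login_failed with the attempted username whenever wp_signon fails.
add_action('wp_login_failed', function ($username) {
    $state = elt_state();
    $state['count']++;
    if ($state['count'] >= ELT_MAX_FAILURES && $state['locked_until'] < time()) {
        $state['locked_until'] = time() + ELT_LOCKOUT_MINUTES * 60;
        wp_mail(get_option('admin_email'),
            'Login lockout on ' . home_url(),
            sprintf("Client %s locked out after %d failed logins within %d minutes (last username tried: %s).",
                isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
                $state['count'], ELT_WINDOW_MINUTES, $username));
    }
    // The transient expiry is the sliding window; while a lock is active the
    // expiry is extended to the lock length so the record outlives the window.
    $ttl = ($state['locked_until'] > time() ? ELT_LOCKOUT_MINUTES : ELT_WINDOW_MINUTES) * 60;
    set_transient(elt_client_key(), $state, $ttl);
});

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked client is refused even on an attempt that carries the right password.
add_filter('authenticate', function ($user, $username, $password) {
    $state = elt_state();
    if ($state['locked_until'] > time()) {
        return new WP_Error('elt_locked', 'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// login_errors filters every error shown on the login page. Replace the
// "Invalid username" / "incorrect password" hints with one generic message so
// an attacker cannot learn which half of the credentials was wrong.
add_filter('login_errors', function ($message) {
    $state = elt_state();
    return $state['locked_until'] > time()
        ? 'Too many failed login attempts. Please try again later.'
        : 'Login failed.';
});

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(elt_client_key());
}, 10, 2);
```

Drop the file into wp-content/mu-plugins/ to activate it without the plugin screen; note that a per-address counter does nothing against an attacker spreading attempts across many addresses, which is why the generic error message and a strong, non-default username still matter.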
3) Monitor for Attacks
Monitoring is an important part of securing your WordPress blog because if an attacker does gain access to your website and do some damage, you want to undo that damage as quickly as possible.
One of the most common reasons your site will get hacked is to insert malware that will infect your visitors computers. This can get your site blacklisted by the major search engines very quickly so having an early warning system is critical to getting your site back to normal before it’s too late.
Site Lock is a service that will scan your website once a day and alert you if anything is wrong. They are a well respected brand and they have contracts with some of the major hosting providers like Host Gator that give massive discounts for those hosting provider’s customers. You can get Site Lock to monitor your site for as little as $2 a month (depending on the size of your site).
Sucuri is one of the most respected names in website security around. Sucuri focuses mainly on removal services. If your site is infected with malware, you can call Sucuri and they will clean it up for you and get your website back up and running fast. They are pretty much the go to solution for website clean up.
However, Sucuri also provides monitoring and prevention. They will scan your site regularly, like Site Lock, to make sure you are notified quickly of unauthorized changes and you can also choose to install their plugin which provides preventative measures via a web application firewall and 1-click hardening.
If you only have 1 website to secure, Sucuri will run you $90 a year. Really not a bad price when you consider all you are getting.
Sucuri also provides a free scanner that anyone can use at any time to scan their site for threats.
I mentioned Code Guard earlier as a backup solution but they also double as a website monitoring service. Every time Code Guard performs a backup they will also check that backup for malware and most importantly check for any changes to your files.
By finding and alerting you to any and all changes made to your files, Code Guard actually has the potential to discover threats that the scanners might not. A scanner can only recognize a threat if it has seen it before. Here is a snippet from Code Guard’s website to help explain what they do:
“Other website security products scan for known malware traces. State of the art malware is polymorphic: the code rewrites itself with each replication in an effort to evade detection. Studies have shown that other scanning products are at best 40% effective.
Unlike other products, CodeGuard does not look for bad code patterns. CodeGuard looks for changes and reports them to you so you can understand whether they are good or bad. You are empowered to know what’s happening. Because CodeGuard identifies all changes, it cannot be evaded by self-modifying code, and is even effective against zero day exploits, malware that has never been seen before.”
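To show what change-based monitoring (as opposed to signature scanning) actually involves, here is an added example of my own, not CodeGuard's code: a command-line script that records a SHA-256 hash of every file under the WordPress root as a baseline, then on later runs reports each added, removed or modified file, whether or not it matches any known malware pattern. The default paths /var/www/html and /root/wp-baseline.json are placeholders, and the script assumes the baseline is kept somewhere an attacker who can write to the web root cannot also rewrite it.

```php
<?php
// Added illustration of change-based file monitoring (not CodeGuard's code).
// Usage:  php wp-changes.php baseline [wp_root] [baseline_file]
//         php wp-changes.php check    [wp_root] [baseline_file]
// Assumption: the baseline file lives outside the web root (ideally off the
// server entirely), otherwise an intruder can simply re-baseline after editing.

// Hash every regular file below $root, keyed by path relative to $root.
function wp_tree_hashes($root) {
    $hashes = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($iter as $file) {
        if (!$file->isFile()) continue;
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// Compare two hash maps; every difference is reported, good or bad, because
// only the site owner can say whether a change (an update, an upload, a new
// PHP file in wp-content/uploads) was expected.
function diff_hashes(array $baseline, array $current) {
    $report = array('added' => array(), 'removed' => array(), 'modified' => array());
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            $report['added'][] = $path;
        } elseif ($baseline[$path] !== $hash) {
            $report['modified'][] = $path;
        }
    }
    foreach ($baseline as $path => $hash) {
        if (!isset($current[$path])) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

$mode     = isset($argv[1]) ? $argv[1] : 'check';
$root     = isset($argv[2]) ? rtrim($argv[2], '/') : '/var/www/html';   // placeholder path
$baseline = isset($argv[3]) ? $argv[3] : '/root/wp-baseline.json';      // placeholder path

if ($mode === 'baseline') {
    file_put_contents($baseline, json_encode(wp_tree_hashes($root)));
    echo "Baseline written for $root\n";
    exit(0);
}

$old    = json_decode(file_get_contents($baseline), true);
$report = diff_hashes($old ? $old : array(), wp_tree_hashes($root));
$total  = 0;
foreach ($report as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind) . "\t$path\n";
        $total++;
    }
}
// Non-zero exit when anything changed, so a daily cron job can mail the output
// to the site owner only when there is something to look at.
exit($total > 0 ? 1 : 0);
```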
4) Repairing Your Website
Hopefully you’ve been making regular backups. I cannot stress enough the importance of a good backup strategy. If there is no other option but repair however, then once again Sucuri is your best bet.
Although the plugins and services we have discussed are great helpers in the fight against website disaster, they can’t do everything for you. You still need to take care of your website and try as best you can to limit the risk of disaster. Below is a list of best practices you can follow to help your WordPress blog live a healthier and happier life.
1) Always keep your WordPress version, plugins and themes up to date. There’s a reason for those little update notification icons you keep seeing in your dashboard…don’t ignore them. Like your PC, very often these updates carry important fixes to newly discovered security vulnerabilities.
If you ignore security updates you are leaving open windows for hackers to climb through and ransack your website.
2) Take care in your plugin and theme selection. Not all plugins and themes are created equal. One of the most exploited WordPress vulnerabilities is poorly coded themes and plugins. You should almost never download plugins that are not found in the WordPress repository.
Obvious exceptions are premium plugins and those offered by other well respected companies. Just don’t go installing random plugins from unverified sources. They’re out there and they’re dangerous.
The same goes for themes. Do yourself a favor and invest in a quality premium theme with great support. There are many, many…many themes. You can find a short list of some of the best near the bottom of this post if you’re interested.
3) Before you install any plugin updates, it’s always a good idea to backup your database just in case something goes wrong. You can do this via various plugins, phpMyAdmin, and cPanel (visit the backup section above).
4) Before installing a major WordPress core update, it’s a good idea to make a full backup of your site (files and database). You might also want to adopt the habit of waiting 1-2 weeks before installing new WordPress updates for 2 reasons.
One is to let others test it first and give WordPress time to iron out all the kinks. The second is to give plugin developers time to test and release compatibility updates of their own. Yes, there may be important security updates in there, but a couple of weeks usually won’t hurt and it can save you a heap of trouble.
5) Change your cPanel password. Email isn’t the most secure mode of transportation so it’s always a good idea to change the initial cPanel password your hosting provider emailed to you. Remember, all the WordPress security measures in the world can’t help you if your cPanel is compromised.
6) Change your administrator username from the default “Admin” to something obscure (not your actual name). 99% of brute force login attacks use the username Admin to try and break in because hackers know that thousands of WordPress users never change the default. By leaving your username as Admin, you are basically giving away half of your login credentials.
To change your username you will actually need to create a new account with admin access and then use that account to delete your old admin account. If you have any posts associated with your old account, make sure you elect to have those posts moved to your new account or they will be lost.
If you’re comfortable using phpMyAdmin, you can use it instead to change your username without actually deleting your original account. A tutorial can be found here.
7) If you’re going to make posts using your admin account, make sure your publicly displayed name is something other than your username (you want your username to be a secret). To change it, simply navigate to the “edit profile” section of your WordPress dashboard and look for the drop down box labeled “Display name publicly as”.
8) Check out this WordPress hardening article found in the WordPress Codex for tons of other tips on how to make your WordPress install more secure.
9) If you need to FTP into your site, use SFTP instead. SFTP encrypts all your transfers so that if someone is listening in on your connection they won’t be able to get any information. If you are using FileZilla you can accomplish this by going to the site manager and adding your site (see image below):
a) In the host field type your domain name.
b) In the port field you will need to enter the port used for SFTP. You can get this from your hosting provider. If you are using Host Gator, enter 2222 into the port field.
c) In the protocol field choose SFTP.
10) Keep updated antivirus software on the PC you access your website from. All of this website security will be for nothing if you have a keylogger on your computer that simply steals your login info the next time you sign in to your blog. There are many antivirus options out there, both free and paid.
When it comes to the security of your website, it pays to do your due diligence. The plugins and strategies outlined in this post will go a long way to helping you keep your data safe and secure from disaster.
Hopefully you’ve gained a lot of valuable knowledge about how to protect your WordPress site. This concludes my review of the best WordPress security plugins for 2013.
Let me know what you think in the comments below…what are your favorite security plugins?
Thanks for visiting!
To Your Online Success,