You’ve got your own site and need to make it secure. But how do you start implementing solid security measures? Plugins are basic add-ons to your WordPress website, giving you extra functionality.
Some customize the look of your posts. Some boast search engine optimization features. And there are some great plugins to make sure your website is safe from hackers, bots, and malware.
Here are some of the best WordPress plugins you need to protect your site from cyberattacks.
As its name implies, Wordfence Security is designed chiefly for WordPress. It’s also one of the most popular plugins, boasting over 150 million downloads. That’s because even its free version includes all the main things you need to protect your website. It’s also very easy to use, with a pleasing layout that lets you simply assess and block main threats.
Its firewall runs on the endpoint, i.e. your server, which, unlike cloud services, doesn’t break end-to-end encryption. In theory, the downside is that it could slow down your site. However, there’s no noticeable lag and its positives completely outweigh the negatives.
It’s a comprehensive approach to security, allowing you to manually block suspicious IP addresses and countries known for cyberattacks which aren’t your target audience. You get access to live stats, to identify attempted hacks, Google crawlers, and malicious bots.
Wordfence is free to use on multiple WordPress sites, but there is a premium option which offers faster updates. These are rolled out to free users 30 days later.
Especially impressive is the additional service Wordfence offers: if you’ve been hacked, the developers will clean your site, secure it again, and give you a year’s subscription to premium (worth $99) for just $179.
All in One WP Security & Firewall recognizes that not everyone knows what happens behind the scenes online. They just want to run a website for a specific purpose without having to learn programming.
This plugin is designed for different levels of expertise: Basic, Intermediate, and Advanced. All in One WP Security & Firewall is a great plugin, no matter if you’re inexperienced or a developer.
First, it fairly grades your site’s security and suggests how to make it safer. It will implement the latest security tips from WordPress’ parent company, Automattic. And you can create a blacklist of certain requirements in order to block a user. That means, if you notice a particular malicious trend affecting your blog, you can counter it.
This is all completely free too!
All in One WP Security & Firewall automatically takes backups of your site, so nothing is lost in the event of a hack. However, be careful: some hosts like Kinsta don’t let you take your own backups and will block this plugin. Research this before adding All in One WP Security & Firewall to your plugin list.
by bombarding login pages with information. Hackers can gain access to a site this way—especially if using obvious usernames and passwords, like “1234” or “password”. We advise against it, but nonetheless, many users still use basic login details. Brute force attacks are not only dangerous for your site: they also slow it down for genuine visitors.
Login LockDown works by recording the IP addresses and timestamps of every login. If there are more than three failed login attempts in five minutes, the plugin locks those IPs out from the login page for an hour.
You might be worried about this if you have numerous contributors to your site; after all, you don’t want them locked out if they forget their password. Fortunately, admins can release locked IP addresses in Login LockDown’s options panel.
Here, you can also customize the number of failed login attempts before restrictions are implemented.
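The lockout rule described above (more than three failed logins within five minutes locks an IP out for an hour, with an admin release and an adjustable threshold) can be sketched as a sliding-window counter. This is an added example, not Login LockDown's own code; the class, function, and parameter names are hypothetical and the sample events are constructed.

```python
from collections import defaultdict, deque

class LoginLockout:
    def __init__(self, max_failures=3, window=5 * 60, lock_for=60 * 60):
        self.max_failures = max_failures     # lock once failures exceed this
        self.window = window                 # seconds a failure is counted
        self.lock_for = lock_for             # lockout length in seconds
        self._failures = defaultdict(deque)  # ip -> recent failure timestamps
        self._locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is not None and now >= until:
            del self._locked_until[ip]       # lock has expired
            return False
        return until is not None

    def record_failure(self, ip, now):
        """Store one failed login; return True if it triggers a lock."""
        recent = self._failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures older than window
            recent.popleft()
        if len(recent) > self.max_failures:
            self._locked_until[ip] = now + self.lock_for
            recent.clear()
            return True
        return False

    def release(self, ip):  # admin override: clear lock and failure history
        self._locked_until.pop(ip, None)
        self._failures.pop(ip, None)

def replay(events, guard):
    """Feed (time, ip, password_ok) events to guard; return each decision."""
    out = []
    for now, ip, ok in events:
        if guard.is_locked(ip, now):
            out.append("blocked")            # rejected before checking password
        elif ok:
            out.append("allowed")
        else:
            out.append("locked" if guard.record_failure(ip, now) else "failed")
    return out

# Constructed sample events (documentation-range IPs, times in seconds).
A, B = "203.0.113.7", "198.51.100.4"
SAMPLE = [(0, A, False), (0, B, False), (60, A, False), (120, A, False),
          (180, A, False), (200, A, True), (400, B, False), (3780, A, True)]
```

Note that a locked IP is refused even when it presents the correct password, which is why the admin release matters for legitimate contributors.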
Most WordPress users have Jetpack, but not solely for its security features.
Created by Automattic, Jetpack offers accurate stats, theme customization, and an SEO tool. That’s in addition to security features like spam filters and protection against brute force attacks.
While its free version isn’t the best available, its dual functions—security and site optimization—make it a fantastic option for newcomers and seasoned developers. It does slow websites down, but it’s not a considerable lag.
Jetpack Premium (from $99 per year) further offers VaultPress, which automatically backs up your site. This happens on their own servers, so your site doesn’t experience any lags. The backup is then scanned for malware, and patches are suggested. Jetpack’s Professional version will fix these security problems for you too.
VaultPress can be bought on its own, but works in conjunction with Jetpack if you’ve installed that already.
Some plugins offer two-factor authentication on login, but many don’t. And yet it’s essential for keeping your site secure. That’s where Google Authenticator comes in.
Two-factor authentication means anyone logging in has to use multiple methods to get into your site.
If someone’s found out your password, for instance, they can’t gain access without a second factor. If you’re accessing it via your smartphone, this might be your fingerprint or Face ID. Alternatively, an authentication code can be sent to a registered device when the relevant password is used on a PC or laptop. Google Authenticator lets you choose the right method for you.
The basic free model is perfect for this. The Standard package is available at a small increment, starting at just $5 a year (catering for up to two users), and includes security questions as an added measure. The Premium upgrade has numerous further features including greater customization.
Each package boasts add-ons for short-codes and personalization. But for most, the free version is ideal.
BulletProof Security offers a free version or a one-off lifetime payment of $69.95—both are great for most websites. Don’t be put off by BulletProof Security’s simplistic aesthetics: it’s a decent plugin that offers a firewall, backups, and typical malware scanning.
Beyond those basic functions, it also has idle session logout. If anyone’s logged into your site then left that tab open, BulletProof Security will sign them out after a little time. It means no strangers can gain access through open sessions.
The interface isn’t the easiest here. Fortunately, it comes with a free set-up wizard so you can implement the basics without giving yourself a headache. It’s particularly good for developers, though, with exclusive intruder detection features.
It includes a Maintenance Mode feature, which locks people out of your site until you deactivate it. True, your stats will be affected by the loss of traffic, but this gives you time to apply updates, take backups, and could be used for promotion purposes.
You don’t want clients visiting a half-finished website, so Maintenance Mode generates hype by telling them when to return.
Your WordPress Site Is Secured—What Next?
Now you’ve secured your website, there are many further plugins available to make it exactly how you envision it. Many increase your site’s performance; others add social functionalities like Disqus and social media sharing buttons.
With your WordPress site secure, it’s time to make it more popular