The forums ran from 2008-2020 and are now closed and viewable here as an archive.

WordPress Security Plugin Recommendations

Viewing 13 posts - 1 through 13 (of 13 total)

    Hi guys,

    Man with so many security plugins for WP out there, I’m at a loss at which one to roll with. Talk about analysis paralysis!!!

    I’m interested in what you guys have used and what you recommend. Is there one distinguishing feature that made you choose it over the available plugins?

    Also is there something I should look out for? At least something that will make the decision easier.

    Many thanks in advance.



    I know we’re all busy guys… But just a one-liner will do!

    I’m not looking for some literature. Just something to
    set me on my way. Done all the googling…lame b.t.w! Which
    is why I ask you folks here.

    I’ve narrowed it down to the “Total Security” plugin and another paid pgn.

    Dude! I know you folks can drop a couple recommendations, and it’s very much appreciated!

    Anyway! Thanks folks, really.

    Tha Skolar!


    I know we’re all busy guys… But just a one-liner will do!

    OK…No, I don’t know of any!

    On a more serious note…our community is a lot smaller than some and we pretty much all have day jobs and social lives so sometimes a few days might go by before someone who actually HAS an answer will reply.

    If not, then perhaps you’re just unlucky enough to have stumped us.

    Oh, wait….that was more than one line. :)


    The one I use is called All In One WP Security & Firewall. It’s pretty easy to use and the features are nice. I think I heard about it from The Tao of WordPress and it works well as far as I can tell.

    I had used BulletProof Security before, however, the first one I mentioned is more user friendly.


    You think installing a plugin will give you more security?

    I would suggest you take the server side approach to security. Getting off of shared hosting would be my first step. Moving the core files out of the /public directory. Using .htaccess to limit the access to admin section, etc.

    I would exhaust all other avenues before I would consider trusting 3rd party code on the front-end to do security. Just doesn’t sound safe to me.


    And of course, check out the recommendations from the codex.


    Yes, and if you’re on shared hosting and have the money, here’s two recommendations.

    1. WP Engine

    2. Lightning Base

    I’ve heard a few people say they prefer Lightning Base over WP Engine.





    Many thanks for your responses and recommendations :-]

    It’s appreciated.

    Well I’ve got some pretty Solid hosting from MediaTemple and at the
    price I’m paying, I think they’ve got some security features built in by

    But my experience is mainly with Drupal. Much less security concerns

    But with this new project I’m forcing myself to learn WP hence my total
    newb-like-lack-of-experience with this.


    Thanks again guys for those links. Will check them out and report back.

    Big props,



    Man what’s the deal with this formatting!?… Anyway…


    I had a site badly hacked (they inserted a sym link that accessed the shared server!), and they did it by editing the theme files from the WordPress dashboard, having hacked the admin password. They were on the site for 4 minutes!

    I now am using 2 security plugins:
    wp-security scan (which is otherwise known as Acunetix WP Security).

    Don’t know that I need both, but they do some different things, and I am now anxious about security on this particular site. They seem to be working together ok. I am using security scan as a secondary, really, using it to plug any gaps the first one left.

    all-in-one-wp-security-and-firewall has a great dashboard that reminds you of what you have set, and rates the security of the site. Some sites need less than others, eg if they don’t allow registrations.

    I am pondering if better-wp-security might be enough on its own.

    My current thinking is:
    For sites with lots of public registrations: my current two.
    For sites without registration, but allowing comments, one of these plus spamming plugins.
    For sites with just one owner/editor: wp-security scan with the wp-admin folder locked via htaccess (this requires 2 passwords to get in to edit: one to access the log-in page, then a password to get into the site).
    For sites where the 2 passwords to get in is not ok, I might try the better-wp-security on its own.

    I’d be interested to hear what you do and how you find it. I couldn’t find discussion on making these choices either.
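
    The "wp-admin folder locked via htaccess" setup described in the post above, written out as an added example (not part of the original post or any plugin's own configuration). It assumes Apache 2.4; the credentials file path, realm name and user name are placeholders.

```apache
# --- File 1: wp-admin/.htaccess (Apache 2.4 syntax) ---
# First prompt: HTTP Basic auth in front of the whole dashboard directory.
# The credentials file path is a placeholder; keep it outside the web root.
# Create it with: htpasswd -c /home/example/.htpasswd-wpadmin editor
AuthType Basic
AuthName "Site administration"
AuthUserFile /home/example/.htpasswd-wpadmin
Require valid-user

# Themes and plugins send front-end AJAX requests to admin-ajax.php, so
# visitors must be able to reach it without the extra prompt.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- File 2: site-root .htaccess, above the "# BEGIN WordPress" block ---
# wp-login.php lives in the site root, not in wp-admin, so the rules above
# do not cover it. Gate it with the same prompt so the login form itself
# cannot be reached (or guessed against) without the first password.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Site administration"
    AuthUserFile /home/example/.htpasswd-wpadmin
    Require valid-user
</Files>
```

    Basic auth resends the password with every request in an easily decoded form, so serve these paths over HTTPS only. Gating wp-login.php also blocks visitor logins and registrations, which is why this fits the single owner/editor case.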



    All In One WP Security & Firewall is great in my experience, especially if you utilize the Cookie-Based Brute Force Login Prevention feature.

    I haven’t really researched how to get the security meter maxed out yet. I might check that out soon, though.

    I would be curious how a service like Sucuri would work. Here’s a somewhat recent article on How to Identify WordPress Vulnerabilities.


    I’ve been using WordFence. I changed one of the core files in a plugin and it sends an email that a file was changed. You can also see live traffic, and login attempts. And it even can scan your files also.

    Looks good. Have not heard of that one. I think the All In One plugin has those features as well. I don’t think it has a virus scanner, but it does include file change alerts.

  • The forum ‘Other’ is closed to new topics and replies.