Welcome to Rise Forums

Security Plugin?

Discussion in 'WordPress Plugins' started by Heather, May 20, 2016.

  1. In a group I'm in, someone mentioned "security plugin."

    I am not sure what that is, and I'm not sure if any of mine qualify as that, and also not sure if I should add another plugin to my site...

    What I have that I was thinking might fall into this category are these:

    Limit Login Attempts
    Updraft Plus for backups...

    So... I thought I'd ask y'all what a security plugin is and if you think I need to add yet another plugin to my website... ?

    Thank you!
  2. Those are all pretty decent examples (though I think Limit Login Attempts I'd probably classify only as "Security").

    Security plugins I guess analyse your site a little bit to make sure everything is secure and working. It can check with publicly available repositories for WordPress to see if the code on your site matches with theirs. It could also run background checks on files to see if commonly used commands for spamming (such as base64 or eval) are being used.

    Examples are Sucuri Security, WordFence and iThemes Security. I used the first two, which could be slightly overkill (especially as WordFence is quite resource intensive).

    Be warned: false positives CAN occur with these plugins, but it's good to get an overview of your site.
    Heather likes this.
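
Added example, not part of the thread and not the code of any plugin named in it: a minimal sketch of the two checks described in the post above, comparing files against known-good checksums and scanning the files that differ for `eval` / `base64_decode` calls. The manifest format, SHA-256 hashes, file names and file contents are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Function names the post mentions; a match is a lead to review, not proof.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode)\s*\(")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(root, manifest):
    """Compare PHP files under root with a manifest {relative path: sha256}."""
    report = {"modified": [], "unknown": [], "missing": [], "suspicious": []}
    seen = set()
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unknown"].append(rel)
        elif sha256(path) != manifest[rel]:
            report["modified"].append(rel)
        else:
            continue  # identical to the known-good copy: skip the pattern scan
        if SUSPICIOUS.search(path.read_bytes()):
            report["suspicious"].append(rel)
    report["missing"] = sorted(set(manifest) - seen)
    return report

def demo():
    """Build a constructed sample site in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        clean = {
            "index.php": b"<?php require 'inc/load.php';\n",
            "inc/load.php": b"<?php echo 'hello';\n",
            "inc/mail.php": b"<?php $b = base64_decode($attachment);\n",
        }
        for rel, body in clean.items():
            (root / rel).write_bytes(body)
        manifest = {rel: sha256(root / rel) for rel in clean}
        # Simulate changes made after the known-good manifest was taken.
        (root / "inc/load.php").write_bytes(b"<?php eval(base64_decode($data));\n")
        (root / "inc/cache.php").write_bytes(b"<?php echo 'tmp';\n")
        (root / "index.php").unlink()
        return audit(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The unchanged `inc/mail.php` uses `base64_decode` legitimately and is not flagged, because only files that differ from the known-good copy are pattern-scanned; scanning every file by pattern alone is where false positives come from.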
  3. I know one very good plugin, it's called HUMAN BRAIN :)
    To be honest, the easiest way to hack something is weak, dictionary-based passwords.
    Then badly written code.
    Then hacker skills.

    An outdated WordPress website with a weak password can be hacked by a script bot (you just need a sort of crawler to get all the vulnerable sites and process them).
    Badly written code can be used by a 'hacker' with basic skills and common tools.

    The so-called 'secured' sites and networks can be hacked by medium to highly skilled persons. With 0-day vulnerabilities nothing is safe.

    Getting back to your question - use iThemes Security. Try to enable as much as possible to make it harder for script kiddies to find your login url, username, etc.

    PS. Nice tool to determine if your site is wide open for simple hacks is WPScan (easy to use on Linux and virtual machines - I love you Kali Linux)
    Rhys Wynne and Heather like this.
  4. Thank you both! I just installed iThemes Security... but now I'm afraid I might do something to get myself locked out. I did the thing where I whitelist my IP address for one day...

    @Kris Hoja - What does o-day mean?
  5. It's a vulnerability that only the one who found it knows about. So no antivirus, no firewall and no other security program/setup/plugin etc. can help.
    Heather likes this.
  6. Not sure if I am late into this discussion. I did try All in One WordPress Security and Firewall. It is better than Sucuri and iThemes Security, but yes, with security plugins, if you do too much you can land up having a broken website or locking yourself out.
  7. iThemes will certainly lock you out at times. Already happened with my sites a couple times.

    But, if you can use phpMyAdmin, you can remove the lockouts.
    Heather likes this.
  8. Thank you, Raspal.
  9. Heather likes this.
  10. Thanks! I just decided I probably don't need it since I'm not sure how to use it. :)
  11. Do you use any other security suite like Wordfence?
  12. I have Limit Login Attempts.

    I have Akismet... but I guess that's not really a security plugin. That's just for blocking spam (which is annoying but not a security risk?).
  13. Hi @Heather,

    I looked into some friends' sites and realised there are some things I can share here to improve on security:
    1. PHP - Do remember to update to the latest version of PHP, or at least one that is supported. And ensure that your server's PHP version is updated regularly when vulnerabilities are announced. I have a friend who commissioned someone from Australia (Web Ninja) to build a MYOB connected site for them. Interestingly, Web Ninja's sites are all on... PHP 5.3.3, released in 2010.
    2. WordPress version - If you don't regularly update your site, perhaps best would be to have some kind of auto update system, to prevent your plugins from being a backdoor. I just had a case where an expensive site got hacked 2 months in, due to some outdated plugins =.=
    3. Clef - I just installed Clef and disabled normal logins for admins. This would help stop people from using brute force logins.
    4. Backups - If you run a medium sized site like mine (4.5GB of images and a few hundred posts/products), best would be something that backs your data up regularly without running out of space. That's why I'm on VaultPress :)
    5. Server - If you've a good sys admin, you can get some server based protection done as well :) That's why I shifted to WPHostingSpot :D Oh yea, and you get a lot faster too. Many thanks to Brian for the tip on the host. Here's my article on it - WPHostingSpot Review – How My Site Loaded 60% Faster
    Heather likes this.