It’s an interesting paradox. WordPress powers 35 percent of all websites on the Internet, in part because it’s so flexible and modular. It has a robust library of more than 50,000 plugins, each adding new features and functions to WordPress. Those plugins have been downloaded more than 1.2 billion times. There are also thousands of pre-built themes that provide looks and styles for new websites.
But the paradox is that WordPress itself, along with the add-on plugins and themes, is open source. WordPress core, plugin, and theme development is done by a community of companies, professionals, and individual enthusiasts, each with varying degrees of software development and deployment skills. Each WordPress site is the sum of all those components, so if even one plugin or theme is buggy, corrupted, or filled with malware, the entire site is at risk.
My ZDNet colleague Catalin Cimpanu took a look just today at WP-VCD, a virulent WordPress malware strain that’s attacking sites with brutal effectiveness. Interestingly, it gains a foothold on new sites only when the site operator does something both inadvisable and unethical: downloads a hacked, free version of a commercial plugin.
The operators of WP-VCD have set up a network of WordPress plugin download sites offering free versions of popular premium or freemium plugins. These plugins have been “nullified,” meaning that the licensing code has been removed. Unfortunately, in place of that licensing code, WP-VCD has inserted malware. Read Catalin’s article to learn the details of this nasty infection.
I’m bringing it up because there are ways to protect your WordPress site. In this article, I’m going to discuss some of the better security precautions and plugins you can use to protect your site.
My first piece of advice is as old as the hills: if something seems too good to be true, it probably is. Building software is a lot of work, and while there are people who code just for the fun of it (I’m one of them), supporting a commercial product requires revenue, which means charging for products.
If you see a plugin that normally has a fee, but some site is offering it for free, that’s not an opportunity. That’s a red flag. You’re not putting something over on a “greedy” plugin developer by stealing their code for free. What you’re doing is setting yourself and your site’s visitors up for a world of misery when they get infected by seriously nasty malware.
In almost all cases, there are free alternatives to commercial plugins. So if you don’t want to pay for professional development and support, visit the official WordPress plugin repository and look for what you need.
In 2014, I wrote about how one of my sites got hacked, and it was my own fault. I was busy (legitimately so; I was caring for terminally ill parents). I decided that my small gaggle of old archive and personal websites just weren’t a maintenance priority. As a result, I didn’t bother to update them, there was a vulnerability that hackers found, and suddenly my sites were corrupted.
Given that so much of the web is run by WordPress, it’s a juicy target for hackers and they’re constantly finding and exploiting vulnerabilities in either the core code, or in the code of plugins and themes. Fortunately, the entire WordPress developer community actively updates their programming, closing any holes hackers find, often within hours.
But if you don’t run updates, you won’t get those fixes. There’s no excuse for not keeping your site up to date. WordPress has both automatic and one-click update features that allow you to update all the plugins, all themes, and the core code of your entire site at once.
Of course, it’s a good idea to make a backup first, just in case something bad happens during the update. And that brings me to my next critical bit of advice.
Make regular backups
It’s not hard to make a backup of your WordPress site. There are a bunch of free plugins, and you can even do it just by copying files and backing up your database. There are also many excellent commercial plugins and services that automate the process for you. I’ll talk about a few of them below.
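The copy-the-files-and-dump-the-database approach, as an added example script that is not from the article: it reads the database credentials out of wp-config.php, dumps the database with mysqldump (passing the password through a temporary defaults file rather than on the command line, where it would be visible in the process list), and archives wp-content and wp-config.php. The WordPress root and destination directory are assumed to be passed as the two arguments, and the wp-config.php format in the comments is a constructed sample.

```shell
#!/bin/sh
# Minimal WordPress backup (added example). Assumes mysqldump, tar and gzip are
# installed and that the script is run as a user who can read the site files.

# Read one define( 'KEY', 'value' ) constant out of wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (e.g. DB_NAME)
# Handles single or double quotes; values containing quote characters are not supported.
wp_config_get() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"][[:space:]]*);.*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the site files into $2.
# $1 = WordPress root directory, $2 = destination directory
wp_backup() {
    root=$1
    dest=$2
    cfg="$root/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    db=$(wp_config_get "$cfg" DB_NAME)
    user=$(wp_config_get "$cfg" DB_USER)
    pass=$(wp_config_get "$cfg" DB_PASSWORD)
    host=$(wp_config_get "$cfg" DB_HOST)
    mkdir -p "$dest"
    # Credentials go into a mode-600 temp file so the password never appears in `ps` output.
    creds=$(mktemp)
    chmod 600 "$creds"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$pass" "$host" > "$creds"
    # --defaults-extra-file must be the first option; --single-transaction gives a consistent InnoDB snapshot.
    mysqldump --defaults-extra-file="$creds" --single-transaction "$db" | gzip > "$dest/db-$stamp.sql.gz"
    rm -f "$creds"
    # wp-content holds uploads, themes and plugins; wp-config.php holds the secrets and salts.
    tar -czf "$dest/files-$stamp.tar.gz" -C "$root" wp-content wp-config.php
    # The archives contain credentials, so keep them readable by the owner only.
    chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
}

# Usage: wp-backup.sh /var/www/example /var/backups/example  (paths are illustrative)
if [ "$#" -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

Copy the resulting archives off the web server; a backup that sits next to the site is lost together with it.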
Choose a hosting provider wisely
I’ve run my own servers hard-wired to the Internet. I’ve co-located servers at data centers. I’ve run virtual instances of Linux machines at Digital Ocean and Amazon. And I’ve used a wide variety of hosting providers. Each of these is a valid approach to offering your web content to the public, but the one that’s the most common is using a hosting provider who sets up a full stack of web tools that run WordPress.
All hosting providers are not alike. Some are very diligent and perform regular security updates and malware scans. These companies also make sure their underlying software is up to date. Others, not so much. If you’re going to use a hosting provider, check on their underlying software, read reviews, and make sure you’re relying on one that’s doing the maintenance.
I know it can be compelling to sign up for a service that charges less than a buck a month to host your site, but think about it: how can they make any money? They’ve got to be cutting corners somewhere. You can find inexpensive hosting, but don’t sacrifice your future just because you want to save a few bucks. Do your research. At the very least, read the reviews I’ve written about some of the most well-known hosting providers:
If you’re still not sure how to pick a hosting provider, read my How to choose a web hosting provider guide. It’ll get you a good way there.
Security plugins and services
We’ve covered some best-practices. Now, let’s look at some of the best security plugins and services for WordPress. Most of them are commercial, and most of them are worth it.
Wordfence came out of nowhere a few years ago and took the WordPress world by storm. With over 3 million active installations, almost 3,500 reviews and a five-star average, and almost 200,000 downloads in the last week alone, the base free Wordfence plugin is a powerhouse.
The commercial version is great for managing a bunch of websites. Wordfence not only scans for malware, but builds its own firewall to help prevent hacking in the first place. It, like all the other plugins I’m going to discuss, can’t prevent self-inflicted hacks like those from WP-VCD, but it’s a top-notch go-to solution for end-to-end WordPress site coverage.
When my site was hacked back in 2014, I turned to Sucuri for remediation. While I was at the hospital managing my parents’ care, Sucuri’s engineers were scouring my sites, removing all the malware I let in. Sure, I paid for that service, but it was worth it.
The Sucuri plugin will do regular malware scanning and the company offers a web application firewall that’s designed to block assaults at the application level, rather than at the packet level your hardware firewall is designed to manage.
As with Wordfence (and most of these products), Sucuri offers both a free plugin with over 600,000 active installations and a paid premium service.
As a WordPress site manager, I’m of two minds about Jetpack. This is a giant bundle of additional WordPress features and functions put out by Automattic, the commercial company behind WordPress. The idea of Jetpack was to make it easier for new site operators to have a wide range of helpful features, but it’s a huge plugin that adds a ton of cruft to your interface.
That said, with over five million active installations, it’s definitely popular. It offers brute-force attack protection, spam filtering, downtime monitoring, site backup, a secure login upgrade, malware scanning, and a log of all site changes. And those are just the security features!
I will tell you that there are a lot of upsells with this install, but given that they’re by the company that runs WordPress, you can be sure they are solid offerings. If you’re not sure what to do to protect your site, you could do a lot worse than just installing Jetpack, enabling some of its features, and buying one of the cheaper plans.
Two Factor and Google Authenticator
WordPress does not offer two-factor authentication out of the box (out of the download?). When you’re connecting to the back-end management interface, all you need is a user name or email address and a strong password.
Fortunately, it’s pretty easy to add two factor auth using either Two Factor or Google Authenticator. Installing and setting up either of these plugins makes quick work of adding another security layer to your site.
The free version of Two Factor has 10,000+ active sites, and there is no premium upgrade. It’s just plain free. Google Authenticator is a very deep tool with a bunch of paid upgrade options, ranging from additional authentication methods up to enterprise-level authentication and user management features.
ManageWP, which is now owned by GoDaddy, is my go-to solution for keeping my 10+ sites up to date. There are premium options (and I pay for some of those features for a few of my sites), but you can get solid update management and backups with ManageWP for free.
You install a ManageWP worker plugin (900,000+ active installs), which talks to the ManageWP service. All the magic is done in the ManageWP.com web interface. I use it as one of my primary backup tools and it does a daily or monthly backup of my sites to a cloud storage provider. Some of my sites won’t ever change again, so the free monthly backup works perfectly for me.
But the real secret sauce is in update management. Rather than having to log in to the admin interface for all my sites, I just log in once to ManageWP, hit update, cross my fingers, and wait for all my sites, all my themes, all my plugins, and all my WordPress core files to update automatically. I’ve never had it break an update, but with that much power in one single button click, I’m very glad I have backups.
Limit Login Attempts Reloaded
There used to be a plugin called Limit Login Attempts, but it hasn’t been updated for a while. Limit Login Attempts Reloaded is a fork of that original open source project that’s been kept current by its developers.
This free plugin (with more than one million active installs) does one thing and does it well: it blocks excessive brute-force login attempts. If some hacker out there is trying to pound on your site to log in, Limit Login Attempts Reloaded will stop responding after a set number of attempts.
Like the 2FA plugins and ManageWP discussed above, this is a no-brainer install. Even if you’re not willing to spend a penny on security, you can reduce your threat profile measurably with this one install.
BBQ: Block Bad Queries
BBQ is another web application firewall, but that’s pretty much all it does. The free version (with 100,000+ active installations) intercepts all URL requests to your site and filters out anything that might be a hacker trying to find a weakness in your site through the URL parameter interface.
BBQ has a ton of depth for what it does and it’s another smart install. There is a pro version that goes even further.
More security suites
There are almost a thousand security-related plugins in the WordPress.org repository. We’ve talked about eight of the best above. While we can’t discuss all thousand plugins, I wanted to give an honorable mention to the following popular packages. Each of these has both free and premium offerings.
All In One WP Security & Firewall: Tons of features, a clear user interface, and completely free, with 800,000+ installs.
iThemes Security: Another comprehensive security plugin by a company that’s been selling WordPress add-ons for years. The free version has 900,000+ active installs. This is a good buy if you’re using some of iThemes’ other products, particularly BackupBuddy.
SecuPress: Developed by well-known WordPress add-on developers, SecuPress (with only 20,000+ active installations, but don’t hold that against it) has one of the cleanest user interfaces in this category. It’s still relatively new, but worth checking out.
SiteGuard WP Plugin: With 200,000+ active installations, SiteGuard adds a lot of security features but focuses on logins as its core. It’s free only, and a little difficult to get started with, but the default settings will work for most sites.
Anti-Malware Security and Brute-Force Firewall: The free version has 200,000+ active installs and almost all five-star reviews. It offers basic login protection, malware scanning, and scans for some WordPress-unique historic vulnerabilities. It’s a smart take on WordPress defense.
BulletProof Security: This is at the end of our list because while it does its job, it’s a bit hard to use. That said, the premium version is a one-time fee, unlike the subscription programs increasingly favored by WordPress plugin developers.
So there you go. WordPress security is not a fun topic, but as one of the most popular website building environments, it’s a very tempting target. I run all my sites on WordPress and believe it’s worth it, but you do need to take the time (and spend a few bucks) to keep your visitors safe.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.