In the last article, I taught you good practices you can have to keep your site more secure. Remember that no website is an impenetrable fortress, and the important thing is to prevent invasions with a backup. Now, you’ll learn the most common purposes of security plugins and see a comparison between the most famous ones, so you can define which one you want on your website.
We need to start by noting that, unless you have done something very serious to annoy a hacker, there is no actual person trying to break into your website. It’ll be a robot. It will enter the “address of your website / wp-admin”, and try combinations of users and passwords. Therefore, the following features work to block these repeated attempts by robots, called “brute force attacks”. With that in mind, to protect yourself, you can install plugins that have:
Malware scanner
Malware is “malicious software”, or a malicious program. It is the general category that includes:
- viruses;
- worms, which are viruses that reproduce in the server;
- Trojan horses;
- spyware;
- ramsomware, programs that hijack files and only return with payment of a ransom;
- adware, programs that install annoying pop-up ads.
Security plugins with malware scanners check your website’s code periodically for any of these pests. The problem is that this requires a little bit from your server and can hinder site loading speed.
Firewall
Just like a fire door, which lets you in and out (usually from emergency stairs) but blocks fires, firewalls are blocks from intrusions, but in the case of plugins, they are made with codes.
Two-factor, or two-step authentication
In your login, in addition to entering the password, you need to do a second step, such as placing a code sent to your email or answering a security question. The goal is to diminish the chances that you are not trying to sign in.
Changing the login URL
The good practices article mentions avoiding standards when creating usernames (especially “admin”), database prefixes (most commonly, “wp_”) and passwords. Changing the default link to log in from “yourwebsite.com/wp-admin” to “yourwebsite.com/anything-else” follows the same line of reasoning: do not give robots the path to your panel.
Login attempts limit
Every human being has the good sense to admit that he forgot his password after a few attempts. Robots, on the other hand, do not. Unfortunately, WordPress’ default is to give endless chances for username and password combinations. There are security plugins that make the login screen act like a cellphone – after X wrong attempts, that IP address cannot try to log in for a set time, or even forever.
If your site prevents you from trying combinations of usernames and passwords after a few attempts, and you don’t have the default username “admin” or an easy password, the chances of an invasion become slimmer.
Three of the most famous security plugins
Sucuri
Sucuri, in fact, is an online security company, and one of the services they offer is the WordPress plugin. In the free version, the plugin:
- has options to tighten the security of the site;
- warns you when you have outdated software;
- look for errors in the code;
- warns you if your site has been blacklisted by search engines;
- malware scanner. As they filter from a remote server, it doesn’t weigh so much on your server, but it’s not so accurate either, because they can only catch what’s on the front end of the site (if you don’t remember what the front end is, reread the front-end and back-end article).
Unfortunately, the firewall is only in one of the paid versions.
Wordfence
Wordfence was created to run on WordPress, and the company specializes in that. They offer:
- firewall to block malicious attacks;
- malware scanner;
- two-factor authentication;
- real-time tracking of website traffic.
- login attempts limit.
All-in-One WP Security & Firewall
The name says it all: this security plugin tries to be as complete as possible. It only has a free version, which includes:
- firewall configuration levels depending on the user’s knowledge level;
- various aspects of login security, such as limiting the number of attempts;
- ways to filter robots in creating users, if your site has user accounts, such as students in a course;
- the option to ban users who add a lot of spam comments;
- measures to prevent brute force attacks, such as changing the login URL
There are so many features that I didn’t even know how to filter what would go into that article.
That’s all for now, folks!
If I didn’t mention something important about security plugins, or you have a favorite plugin that isn’t these three, leave it in the comments! And if you’re wondering how you are going to choose a plugin for your website, here are some suggestions: search for reviews of these plugins on the internet, test which one seems easier for you, or test which of them has the least impact on your site speed.