I recently spent some time reviewing the WordPress security plugin landscape, since there’ve been some big changes in the past year, and I’ve decided to update some of my standard choices. No single plugin covers all the different requirements, so it’s necessary to use a combination. That can be a problem, though, because the feature-sets often overlap among competing plugins.
I’ve separated the plugins into categories based on their features, and picked my favorite from each category. This selection covers most of the bases while avoiding conflicts between the plugins.
- Firewall / Malware Scan – WordFence Pro (replaces BulletProof Security, Better WP Security, Exploit Scanner, WP Security Scan). WordFence Pro offers remote penetration testing in addition to local scans, which none of the others do. Better WP Security would be my second choice. Bulletproof does a good job, but it’s a pain in the ass to maintain and the UI is horrible.
- Login Protection – Login Security Solution (replaces Login Lock, Login Lockdown, Better WP Security). This one is a huge step up from its competitors, and the developer is a widely recognized security expert. He’s also very responsive to feedback.
- Two Factor Authentication – Google Authenticator or Duo Security.
- Vulnerability Notification – SECURE (formerly MVIS Security Center) is a new plugin, and really the only one in this category. It checks what plugins you have installed, and sends you e-mail alerts when a vulnerability is discovered in one of them. The alternative to using this is checking a dozen RSS feeds every week, so this is a big step forward. WordFence will notify you when a plugin update is available, but MVIS will notify you when a vulnerability is found, even if there isn’t an update.
- Account Permissions – Capability Manager Enhanced lets you create finer-grained user roles, so you don’t have to give all developers/managers full Administrator/Editor rights.
- Logging – Audit Trail logs user actions, so you can know if a user is doing something they shouldn’t. It’s extensible so that you can create custom events to track. It’s not maintained very well, and there are several minor issues with it, but there isn’t a better alternative at this time. I’ve written a sample plugin that can act as a framework for adding custom events, since the documentation for that is non-existent.
- Backups – Backup Buddy or VaultPress.
- Caching – W3 Total Cache or WP Super Cache. This isn’t typically thought of as a security concern, but caching will definitely help protect against DoS attacks, and creating static HTML pages can help avoid certain types of attacks.
There are a lot of plugins out there, and the landscape changes often, so please leave a comment if you know of any others you’d recommend.
A few comments…
MVIS Security Center does seem to provide a new niche service that will keep you out in front of new exploits and vulnerabilities. However, there’s a catch. Being that they are based in Singapore, the terms of use and just the fact they are foreign based is going to make this a no-go for certain companies.
Instead of Audit Trail, I’m using ThreeWP Activity Monitor, which seems to do most if not all of the same thing, but makes it a bit easier to comprehend.
Yeah, the MVIS terms, and the fact that it sends data to their servers, can definitely be a problem. I wanted to use it with an enterprise client a few months ago, but wasn’t able to for those reasons. One idea I’ve had to work around that, though, is to set up a dummy blog with no content, and then install MVIS and copies of the plugins that are activated on the real blog.
That way you still get the alerts, but don’t risk compromising any data. The downside, though, is that you have to keep the plugins in sync. It’d probably be fairly easy to write a script to do that with WP-CLI, but I haven’t had the time to try yet.
Thanks for the heads up about Activity Monitor. I’ve added that to my list and will have to try it out :)
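One way to do the plugin sync mentioned in the reply above, as an added example that is not part of the original post or comments. It assumes WP-CLI (`wp`) is installed and that both WordPress installs are reachable from the same machine at the hypothetical paths `REAL_PATH` and `DUMMY_PATH`; the plugin slugs in the comments are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): keep the active plugin set of a
# content-free "dummy" WordPress install identical to the real site's, so the
# dummy can run SECURE/MVIS without exposing real data.
# Assumes WP-CLI is on PATH; REAL_PATH and DUMMY_PATH are hypothetical paths.
REAL_PATH="${REAL_PATH:-/var/www/real}"
DUMMY_PATH="${DUMMY_PATH:-/var/www/dummy}"

# Active plugin slugs of one install, one per line, sorted.
# Uses WP-CLI's "plugin list" with --field=name to get bare slugs.
active_plugins() {
    wp --path="$1" plugin list --status=active --field=name | sort -u
}

# Print each slug in list $1 that does not appear as a whole line in list $2.
# Pure text processing (no wp calls) so it can be tested on its own.
# Constructed sample: missing_from "akismet\nwordfence" "akismet" -> wordfence
missing_from() {
    printf '%s\n' "$1" | while IFS= read -r slug; do
        [ -n "$slug" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$slug" || printf '%s\n' "$slug"
    done
}

# Bring the dummy install in line with the real one:
#  - install and activate anything the real site runs but the dummy lacks
#  - deactivate and delete anything the dummy has but the real site dropped
sync_plugins() {
    real=$(active_plugins "$REAL_PATH")
    dummy=$(active_plugins "$DUMMY_PATH")

    for slug in $(missing_from "$real" "$dummy"); do
        wp --path="$DUMMY_PATH" plugin install "$slug" --activate
    done

    for slug in $(missing_from "$dummy" "$real"); do
        wp --path="$DUMMY_PATH" plugin deactivate "$slug"
        wp --path="$DUMMY_PATH" plugin delete "$slug"
    done
}

# Run the sync only when invoked with --run, e.g. from cron:
#   sh sync-dummy-plugins.sh --run
if [ "${1:-}" = "--run" ]; then
    sync_plugins
fi
```

`wp plugin install <slug>` fetches from the wordpress.org directory, so commercial plugins such as WordFence Pro or BackupBuddy will not install this way; for those, point `install` at the vendor's zip file instead, or copy the plugin directory from the real site. Because the dummy site never receives content, the only thing it shares with the real site is the list of installed plugin names, which is exactly what the vulnerability alerts key on.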
Great blog post. A previous developer installed Bulletproof and while it seems to be doing its job, we would like to try something else.
What do you think I need to know before uninstalling it? Will it leave a generic .htaccess file or will I have to make one from scratch?
Thanks for your thoughts on this!
I’m not sure about the uninstall process; you should probably consult their documentation on that. I wouldn’t be surprised if they fail to leave the .htaccess file in a pristine condition, though, so I’d recommend backing it up before the uninstall, and manually reviewing it afterwards.
Thanks for these tips. Had some huge issues with WP-Better-Security out of the blue and this list of plugins really did the job and actually increased the speed on my blog, thanks!
Hi Ian, iThemes Security is the best plugin and gave me the right solution for security on my website. Thanks for your helpful tips.