I recently spent some time reviewing the WordPress security plugin landscape, since there’ve been some big changes in the past year, and I’ve decided to update some of my standard choices. No single plugin covers all the different requirements, so it’s necessary to use a combination. That can be a problem, though, because the feature-sets often overlap among competing plugins.
I’ve separated the plugins into categories based on their features, and picked my favorite from each category. This selection covers most of the bases while avoiding conflicts between the plugins.
- Firewall / Malware Scan – WordFence Pro (replaces BulletProof Security, Better WP Security, Exploit Scanner, WP Security Scan). WordFence Pro offers remote penetration testing in addition to local scans, which none of the others do. Better WP Security would be my second choice. Bulletproof does a good job, but it’s a pain in the ass to maintain and the UI is horrible.
- Login Protection – Login Security Solution (replaces Login Lock, Login Lockdown, Better WP Security). This one is a huge step up from its competitors, and the developer is a widely recognized security expert. He’s also very responsive to feedback.
- Two Factor Authentication – Google Authenticator or Duo Security.
- Vulnerability Notification – SECURE (formerly MVIS Security Center) is a new plugin, and really the only one in this category. It checks which plugins you have installed and sends you e-mail alerts when a vulnerability is discovered in one of them. The alternative is checking a dozen RSS feeds every week, so this is a big step forward. WordFence will notify you when a plugin update is available, but SECURE will notify you when a vulnerability is found, even if there isn’t an update yet.
- Account Permissions – Capability Manager Enhanced lets you create finer-grained user roles, so you don’t have to give all developers/managers full Administrator/Editor rights.
- Logging – Audit Trail logs user actions, so you can know if a user is doing something they shouldn’t. It’s extensible so that you can create custom events to track. It’s not maintained very well, and there are several minor issues with it, but there isn’t a better alternative at this time. I’ve written a sample plugin that can act as a framework for adding custom events, since the documentation for that is non-existent.
- Backups – Backup Buddy or VaultPress.
- Caching – W3 Total Cache or WP Super Cache. This isn’t typically thought of as a security concern, but caching will definitely help protect against DoS attacks, and creating static HTML pages can help avoid certain types of attacks.
There are a lot of plugins out there, and the landscape changes often, so please leave a comment if you know of any others you’d recommend.