WordPress is the most popular CMS; it is believed that 30% of the websites on the internet are powered by WordPress alone. That popularity also makes it a prime target for hacking, because WordPress is so flexible in accepting third-party themes and plugins.
Prevention is better than cure, which is why it is important to run good plugins that stop your site from being hacked in the first place. By default, WordPress core has some basic security measures in place, but they are nothing compared to what a reputable security plugin does for you.
Wordfence and Sucuri Security are two of the best-known security plugins for WordPress. However, I find them too ‘heavy’ for my shared hosting. Below are a few simple, lightweight plugins that do a good job of protecting a site. I use these plugins on some of my WordPress sites, and so far so good.
Stand Alone Firewall
NinjaFirewall (WP Edition) is a true Web Application Firewall. Although it is installed and configured just like a plugin, it is a stand-alone firewall that sits in front of WordPress. NinjaFirewall can hook, scan, sanitise or reject any HTTP/HTTPS request sent to a PHP script before it reaches WordPress or any of its plugins. All scripts located inside the blog installation directory and its subdirectories are protected.
Stop Bad Bots & Requests
Block Bad Queries (BBQ) is a simple, very fast plugin that protects your site against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty strings such as eval(, base64_, and excessively long request strings.
- Blocks a wide range of malicious requests
- Blocks directory traversal attacks
- Blocks executable file uploads
- Blocks SQL injection attacks
- Scans all incoming traffic and blocks bad requests
- Scans all types of requests: GET, POST, PUT, DELETE, etc.
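To make the BBQ approach concrete, here is an added example of a minimal deny-list request filter in the same spirit. It is not BBQ's own code: the patterns, block reasons and the length cap are assumptions chosen to mirror the items listed above, and the snippet is meant to be dropped in as a must-use plugin so it runs before the rest of WordPress.

```php
<?php
// Added example, not BBQ's own code: a minimal deny-list request filter in the
// spirit of Block Bad Queries. Intended for a must-use plugin so it runs before
// the rest of WordPress; patterns, reasons and the length cap are assumptions.
declare(strict_types=1);

const MAX_REQUEST_URI_LENGTH = 2000; // assumed cap for "excessively long" URIs

// Each pattern is matched against the URL-decoded URI and body together.
const BAD_REQUEST_PATTERNS = [
    '/\beval\s*\(/i'                  => 'eval( in request',
    '/\bbase64_(?:en|de)code\b/i'     => 'base64_ function in request',
    '/\.\.[\/\\\\]/'                  => 'directory traversal',
    '/\bunion\b[\s\/\*]+\bselect\b/i' => 'SQL injection pattern',
];

/** Returns the reason a request should be rejected, or null if it looks clean. */
function bad_request_reason(string $uri, string $body, array $upload_names): ?string
{
    if (strlen($uri) > MAX_REQUEST_URI_LENGTH) {
        return 'excessively long request string';
    }
    // Decode twice so a double-encoded payload (%252e%252e%252f) is still seen.
    $haystack = rawurldecode(rawurldecode($uri . "\n" . $body));
    foreach (BAD_REQUEST_PATTERNS as $regex => $reason) {
        if (preg_match($regex, $haystack) === 1) {
            return $reason;
        }
    }
    foreach ($upload_names as $name) {
        if (preg_match('/\.(?:php\d?|phtml|phar)$/i', $name) === 1) {
            return 'executable file upload';
        }
    }
    return null;
}

// The check is method-agnostic: GET, POST, PUT, DELETE, ... all pass through here.
$uploads = [];
foreach ($_FILES as $file) {
    foreach ((array) ($file['name'] ?? []) as $name) {
        $uploads[] = (string) $name;
    }
}
// php://input is empty for multipart/form-data, so fold $_POST back in as well.
$body = (string) file_get_contents('php://input') . "\n" . http_build_query($_POST);

$reason = bad_request_reason($_SERVER['REQUEST_URI'] ?? '', $body, $uploads);
if ($reason !== null) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit('Request blocked: ' . $reason);
}
```

Log the reason and the client address alongside the 403 if you deploy something like this, so that false positives on legitimate content (a post body that happens to mention eval() can be spotted and the pattern list tuned.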
3. WP fail2ban
Block Brute Force Attacks
fail2ban is one of the simplest and most effective security measures you can implement to prevent brute-force password-guessing attacks. This plugin protects your wp-login.php from brute-force password-guessing bots. WP fail2ban also stops comment spam bots, failed pingbacks and more.
Hide Important WordPress Files
The easy way to completely hide your WordPress core files, login page, theme and plugin paths from being exposed on the front end. This is a huge improvement in site security: no one will know you are actually running WordPress. It also provides a simple way to clean up the HTML by removing all WordPress fingerprints.
- Block any direct folder access to completely hide the structure
- Custom wp-login.php filename
- Block default wp-login.php
- Block XML-RPC API
- Adjustable theme url
- New child Theme url
- Change theme style file name
- Clean any headers for theme style file
- Custom wp-include
- Block default wp-include paths
- Block default wp-content
- Custom plugins urls
- Individual plugin url change
- Block default plugins paths
- New upload url
- Block default upload urls
- Remove WordPress version
While keeping your WordPress core, themes and plugins up to date is important, using the right plugins is only part of the solution. If you are on shared hosting, some server-level security settings are beyond your control. You can still be hacked if the server itself is compromised or has many weak spots.
The next best solution is to have a proper backup in case your site is hacked beyond salvage.