WordPress is used by 31.1% of all websites in the world. It is no surprise that the most popular CMS is a target for hackers. The WordPress core is relatively secure, but it does not include security features to scan for malware files or to stop brute-force attacks, bad bots, malicious URL requests, etc.
The good news is that WordPress has plugins for almost everything! Hundreds of free and open source WordPress security plugins are available at WordPress.org.
Here are some WordPress security plugins that, though not as well known as the popular ones, are lightweight, fast and compatible with the RunCloud web server stacks, Native NGINX and NGINX+Apache2 Hybrid.
1. NinjaFirewall (WP Edition)
NinjaFirewall (WP Edition) is a web application firewall plugin that sits in front of WordPress. It can hook, scan, sanitise or reject any HTTP/HTTPS request sent to a PHP script before it reaches WordPress.
NinjaFirewall is a lightweight, fast, feature-rich web application firewall for WordPress. It does not depend on the .htaccess file for its security filters, so it supports both Apache and NGINX web servers.
2. BBQ: Block Bad Queries
Block Bad Queries (BBQ) is a simple, fast plugin that protects your WordPress site against malicious URL requests. It works with websites that are unable to use .htaccess rules, such as sites running on the NGINX web server.
Malicious URL requests are one of the popular methods used to hack WordPress sites. Block Bad Queries checks all incoming requests and blocks those that contain high-risk query strings. It is plug-and-play, requires no configuration, and is compatible with other security plugins.
3. WP fail2ban
Brute-force password-guessing attacks never stop, and they affect website performance. Blocking attacks at the server level always performs better than blocking at the web application level.
4. Plugin Security Scanner
Plugin Security Scanner checks your WordPress site’s plugins and themes for security vulnerabilities against the WPScan Vulnerability Database. The scanner runs daily and sends an email to the administrator if any vulnerable plugins or themes are found.
It is important to make sure that none of your site’s plugins and themes contain known security vulnerabilities. If a security update for a plugin is not yet available, you should remove the plugin or find an alternative solution.
5. WP Security Audit Log
WP Security Audit Log keeps a real-time log of everything that happens on your WordPress site. The changes the plugin can record include posts, pages, custom post types, tags, categories, user accounts, WordPress core and settings, plugin and theme changes, WordPress database changes, and more.
With a real-time user activity and monitoring log, you can keep an eye on what is happening on your website and easily spot suspicious behavior before it is too late.
6. Blackhole for Bad Bots
Blackhole for Bad Bots is a simple plugin that creates a honeypot trap for bad bots. It adds a hidden link to your WordPress site, and you add a line to the robots.txt file that forbids bots from following the hidden link. Any bot that ignores or disobeys the robots.txt rule will crawl the link and be trapped: denied further access to your site.
Robots.txt, the robots exclusion standard, specifies how to inform web robots about which areas of a website should not be processed or scanned. Good robots should follow the standard. We can safely assume that any robot that does not follow the robots.txt rules is a bad robot, and then block it from accessing your website.
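The trap logic described above can be replayed over an access log to see which clients it would catch. This is an added example, not the plugin's own code; the trap path `/blackhole/`, the log lines and the choice to key the block on the client IP are assumptions made for illustration. It also checks that robots.txt really forbids the trap path, because without that rule well-behaved crawlers would be trapped too.

```python
import re
from urllib.parse import urlsplit
from urllib.robotparser import RobotFileParser

TRAP_PATH = "/blackhole/"  # hypothetical location of the hidden link
ROBOTS_TXT = "User-agent: *\nDisallow: /blackhole/\n"

# Constructed sample log (combined log format, documentation IP ranges).
ACCESS_LOG = '''\
203.0.113.5 - - [10/May/2018:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 36 "-" "GoodBot/1.0"
203.0.113.5 - - [10/May/2018:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "GoodBot/1.0"
198.51.100.7 - - [10/May/2018:10:00:03 +0000] "GET /blackhole/ HTTP/1.1" 200 512 "-" "Scraper/2.1"
198.51.100.7 - - [10/May/2018:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Scraper/2.1"
192.0.2.44 - - [10/May/2018:10:00:05 +0000] "GET /blackhole/?x=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2018:10:00:06 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
'''

# Captures the client IP and the requested URL from one log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def trap_is_announced(robots_txt, trap_path, agent="*"):
    """True if robots.txt tells `agent` to stay away from the trap path."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return not parser.can_fetch(agent, trap_path)

def replay(log_text, trap_path):
    """Replay requests in order; return (trapped IPs, per-request verdicts)."""
    trapped, decisions = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, url = m.groups()
        if ip in trapped:
            verdict = "deny"   # client already fell into the trap
        elif urlsplit(url).path.startswith(trap_path):
            trapped.add(ip)    # followed the link robots.txt forbids
            verdict = "trap"
        else:
            verdict = "allow"
        decisions.append((ip, url, verdict))
    return trapped, decisions

if __name__ == "__main__":
    print("trap announced in robots.txt:", trap_is_announced(ROBOTS_TXT, TRAP_PATH))
    for ip, url, verdict in replay(ACCESS_LOG, TRAP_PATH)[1]:
        print(f"{verdict:5} {ip:15} {url}")
```

The bot that read robots.txt and stayed out of the trap is never blocked, while the two clients that requested the trap path are denied on every later request.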
7. StopBadBots
StopBadBots blocks bad bots and web spiders from visiting your WordPress site. It does not use robots.txt or .htaccess. The database includes over 2570 bots and updates automatically. You can manually add unlimited bots, and there is an option to enable or disable blocking for each bot.
Bad bots affect your website performance, steal your content, consume bandwidth, and look for vulnerabilities to hack your site. StopBadBots is lightweight and easy to set up to solve the bad bots problem.
No plugin will make your WordPress site hacker-proof. These security plugins help to stop most attacks and hacking attempts, and they free up system resources from dealing with bad requests.
How do you secure your WordPress site? Please share with us in the comments below.