Author Archives: Pardeep Goyal
I never worried about the security of my website in the initial days of my blogging business.
No one hacked my website, nor did I have any virus or malware attacks.
But that does not mean that I did the right thing. I escaped the hackers by luck, and that's not how online businesses are run.
I was very careless about maintaining my website.
Often my website became slow or unresponsive because I hosted it with a cheap web hosting company (GoDaddy). The issues were resolved after I moved my website to a high-performance web host (SiteGround).
Good hosting solves most performance issues, and basic security comes by default with SiteGround hosting plans.
There is still a chance that we can get into trouble if we don’t keep our website safe. After all, our business (revenue) comes from our website. Every minute of website downtime means revenue loss.
And we can't afford data loss at all. Right?
Let’s understand what we need to do to keep our website safe & secure.
There can be security threats to your website from two sources.
If you are not popular, hackers will not target your website.
Hackers target big brands, government websites and people who are earning well from their websites.
However, if your website is hosted on self-managed servers (dedicated hosting, AWS), then bitcoin miners may hack your machine and use it for bitcoin mining.
The moment you launch your website, lots of automated software tools will start attempting to break your security.
You will start receiving continuous login attempts on your website, spam comments, article submissions and various other unidentified things.
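Those continuous login attempts are easy to see in the web server's access log, which is exactly what the brute force protection in the plugins below automates. The following Python script is an added example, not code from the original post or from any plugin: it parses combined-format access log lines, counts failed POSTs to /wp-login.php per client IP inside a sliding time window, and reports the IPs that cross a threshold. The addresses, timestamps, user agents and the threshold are all constructed for illustration.

```python
"""Spot automated password guessing against the WordPress login page.

Added example, not code from the original post or from any plugin. It parses
Apache/nginx combined-format access log lines, counts failed POSTs to
/wp-login.php per client IP inside a sliding time window, and reports the IPs
that cross a threshold. All addresses, timestamps and the threshold below are
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 fires six login POSTs in six seconds;
# 198.51.100.5 mistypes once, then logs in (WordPress answers a successful
# login with a 302 redirect and a failed one by re-rendering the form with 200).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Sep/2017:07:17:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [07/Sep/2017:07:17:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [07/Sep/2017:07:17:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [07/Sep/2017:07:17:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [07/Sep/2017:07:17:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
203.0.113.7 - - [07/Sep/2017:07:17:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.18.4"
198.51.100.5 - - [07/Sep/2017:07:19:58 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.5 - - [07/Sep/2017:07:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.5 - - [07/Sep/2017:07:20:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "https://example.com/wp-login.php" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # ignore query strings like ?action=lostpassword
        "status": int(m["status"]),
    }


def find_bruteforcers(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map each IP that made >= threshold failed login POSTs within `window` to its peak count.

    Lines are assumed to be in chronological order, as a live access log is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of its recent failed logins
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != "/wp-login.php":
            continue
        if rec["status"] != 200:          # 302 is a successful login, not a guess
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins inside 60s, candidate for blocking")
```

On the sample, only 203.0.113.7 is reported (six failures in six seconds); the legitimate user's single mistype stays under the threshold. Feeding the flagged IPs to the web server or firewall block list is the step the security plugins take for you.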
You can install security plugins to keep your website secure.
You must also go through the following manual health checks of your website:
#1. Strong Password
Needless to say, you must set a strong password for your website. It should contain letters, numbers and special characters. Never use dictionary words or easily guessable words like your own name or website name as your password. If possible, use non-English words in combination with special characters.
Good password examples: Ud7@Par!nd@, Gl0b@lW@rm!ng
Bad password examples: PluginHackers@123, password1234
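The rules above can be checked mechanically before a password is accepted. The Python function below is an added example, not code from the original post: it enforces the character-class rule, then folds case, undoes leet-style substitutions and drops separators so that a site name or dictionary word hidden inside the password is still caught. The word lists are constructed and deliberately tiny, with 'pluginhackers', 'pardeep' and 'goyal' standing in for the site and owner names a real deployment would add. Run against the page's own examples, the two good passwords pass and the two bad ones fail.

```python
"""Check a password against the rules in the section above.

Added example, not code from the original post. The word lists are
constructed and deliberately tiny; a real deployment would load a full
dictionary plus the site's own names. 'pluginhackers', 'pardeep' and 'goyal'
stand in for the site name and owner name of this blog.
"""
import re
import string

COMMON_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "wordpress"}
SITE_WORDS = {"pluginhackers", "pardeep", "goyal"}

# Substitutions a dictionary attack undoes before matching, so we undo them too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def password_problems(password, site_words=SITE_WORDS, min_length=10):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Fold case, undo leet substitutions and drop separators, so that
    # "PluginHackers@123" still exposes the site name and "password1234"
    # the dictionary word.
    folded = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    for word in sorted(COMMON_WORDS | set(site_words)):
        if len(word) >= 4 and word in folded:
            problems.append(f"contains guessable word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Ud7@Par!nd@", "Gl0b@lW@rm!ng", "PluginHackers@123", "password1234"):
        verdict = password_problems(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Note that a short word list only catches the obvious cases; the point of the folding step is that adding digits and symbols around a known word, as in PluginHackers@123, does not make it strong.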
#2. Change default username ‘admin’
By default, a WordPress installation gives you ‘admin’ as the administrator username. All the bots will try to break the password of the default ‘admin’ username, so it's better not to use ‘admin’ as a username.
You should either change the default admin username at the time of installation, or create a new user as administrator and delete the default ‘admin’ user.
#3. Change default login URLs
By default, anyone can see the login page at the URL yoursite.com/wp-admin
For safety, you should change the default URL to something else.
There are different plugins for different types of security tasks. If you know your requirements, it becomes easy to pick the right plugin for securing your WordPress website. Otherwise, you can pick a generic plugin that performs most of the tasks.
Don’t install all the plugins mentioned in this article, as installing unnecessary plugins will slow down your WordPress website.
For comparison purposes, we will look at the following things apart from the main features of the plugins.
Sucuri is the most popular and full-featured security plugin for WordPress. It protects the website from brute force attacks, scans the entire file system for malware infections and keeps monitoring for any ongoing malicious activity.
The plugin will ask you to get an API key and register with their website. It’s just a single-click process.
After registration and API access, the plugin will test the website for any malicious activity.
I fell in love with their interface and clean report.
They provide many other options to secure your website.
All in all, the plugin has a beautiful interface and settings that are easy for a layman to understand.
Look at their hardening options.
You can enable and disable security options with a single click.
However, when I tried to enable Firewall Protection, I got this message: “SUCURI: The firewall is a premium service that you need purchase at - Sucuri Firewall”
I think that’s justifiable. Sucuri still gives a lot of options for free, and the high-level security options are available in the premium version of the plugin.
Their premium plan starts at $16.66/month and includes an SSL certificate from LetsEncrypt.
I bought the SSL certificate for my website at $80 per year, so after adjusting for the cost of the SSL certificate, the effective price of the premium version of Sucuri becomes half.
The complete website protection package includes
Here is the link to get the premium version of Sucuri ($16.66/month)
You can also get just the Sucuri Firewall Website Application Firewall (WAF) / Intrusion Prevention System (IPS) at $9 per month.
Click here to buy Sucuri Firewall ($9/month)
Update Secret Keys Option
Interestingly, they have an option to update all the security keys in case your website is compromised for any reason. Hackers won’t be able to access your website with the old security keys.
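The keys the plugin rotates are the eight AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT defines in wp-config.php. WordPress derives the signature on every login cookie from them, so replacing them logs out every session, including one an attacker may have stolen. The Python script below is an added example, not the Sucuri plugin's code: it regenerates all eight values in a constructed wp-config.php fragment and refuses to produce output if any define is missing. It assumes the defines use single-quoted values without escaped quotes, as in the stock wp-config-sample.php.

```python
"""Rotate the WordPress security keys and salts in wp-config.php.

Added example, not the Sucuri plugin's code. WordPress derives the signature
on every login cookie from these eight values, so replacing them invalidates
all existing sessions, including any an attacker obtained. The config
fragment below is constructed; the define() lines are assumed to be
single-quoted without escaped quotes, as in the stock wp-config-sample.php.
"""
import re
import secrets
import string

WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable characters that need no escaping inside a single-quoted PHP string
# (no single quote, no backslash).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?,./:;|~"

DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)")

# Constructed wp-config.php fragment with the placeholder values a fresh install ships.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_secret(length=64):
    """64 characters from ALPHABET drawn from the OS CSPRNG, the length the WordPress.org key generator uses."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_config_text, {name: new_value}) with every key/salt replaced.

    Raises ValueError if any of the eight defines is absent, so a partially
    rotated config is never written out.
    """
    replaced = {}

    def substitute(match):
        name = match["name"]
        if name not in WP_KEYS:            # leave DB_NAME etc. untouched
            return match.group(0)
        replaced[name] = new_secret()
        return f"define('{name}', '{replaced[name]}')"

    new_text = DEFINE_RE.sub(substitute, config_text)
    missing = set(WP_KEYS) - set(replaced)
    if missing:
        raise ValueError(f"wp-config.php is missing defines for: {sorted(missing)}")
    return new_text, replaced


if __name__ == "__main__":
    rotated, _ = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
```

Write the result back over wp-config.php only after the function returns; every logged-in user, you included, will have to sign in again, which is the intended effect after a compromise.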
This is one of the most popular security plugins for WordPress websites, with more than 1,000,000 installs to date.
The plugin will check if your site is infected with any malware or suspicious code. You will get peace of mind after installing the Wordfence security plugin, as it protects your website from brute force attacks and malware infections.
After installing Wordfence, you will see the dashboard showing the status of features, monthly stats and the number of threats.
And they have additional security measures for the premium users.
“As a free Wordfence user, you are currently using the Community version of the Threat Defense Feed. Premium users are protected by an additional 199 firewall rules and malware signatures.”
Wordfence security plugin did not find any threats on my website.
[Sep 07 07:17:52] Preparing a new scan. Done.
[Sep 07 07:17:52] Scanning for old themes, plugins and core files Secure.
[Sep 07 07:17:52] Scan complete. Congratulations, no new problems found. Scan Complete.
The additional benefits of the Wordfence plugin
They offer pretty good options in the free version, but the interface is not user-friendly. No doubt the plugin is popular, but it’s most appropriate for developers rather than regular users like me and you.
A single license key with 1-year validity costs $99.
Personal biased opinion: If I have to choose between Sucuri and Wordfence, I will pick Sucuri.
iThemes Security will help you change the default admin username and block the IP addresses of known hacker servers.
You will also be secured from brute force attacks. The plugin will send you notifications whenever there is any unauthorised change in your file system.
iThemes offers a lot of options in their free version.
This is how their dashboard looks.
I went through the security check option and enabled brute force protection.
Security check results are below for my website.
They clearly show you what options are available in the free version and what you would get in their premium version.
The premium version starts at $80 per year, valid for 2 websites.
You will be secured against most of the bot attacks that try to exploit vulnerabilities in WordPress, free themes and loopholes in hosting servers.
BulletProof Security will protect your website from malicious scripts, SQL injections and brute force attacks.
I installed it on PluginHackers and the setup wizard gave me the following report.
It gives this notification after running the Setup Wizard.
“BPS Setup Verification & Error Checks
If you see all Green font messages displayed below, the Setup Wizard setup completed successfully.
If you see any Red font or Blue font messages displayed below, click the Read Me help button above and read the "Notes" help section.”
I saw all messages in green, so I assume the website is secure as per the BulletProof plugin.
They give a lot of other options and everything is free.
Most of the options are beyond the understanding of a normal user.
I am also not a security expert. I tested the security plugins as a regular user like you.
The plugin offers most of the features required by a first-time user. Your website will be secured from brute force attacks and malicious code that tries to steal your website information.
You will see this simple dashboard after installing the plugin
The settings are difficult to understand for a novice user; however, they have provided a lot of options in the free version.
Their malware scanner option is paid, but the rest of the features are free.
That makes them stand out from other plugins, which offer the basic features only under their paid plan.
But the negative point is that the plugin will not provide continuous monitoring and prevention of threats.
Overall, it’s a good choice for people who don’t have any budget to spend on security plugins.
The plugin will automatically check for brute force attacks and the strength of your password. You will be able to hide your WordPress version from the eyes of hackers.
Free version of Security Ninja plugin will run 48 security tests on your website.
Here is the list
And here are the results for my website when I ran the security tests.
My website failed 18 security tests.
On clicking the details, tips and help button, the plugin shows a solution that can be applied manually.
Some of the solutions may not be possible on shared web hosting, but I have not tried to fix all the issues reported by Security Ninja.
The plugin has 5 other option tabs
But all those options are available only in the Pro version.
The free version will just show you the issues and a recommended solution. But if you really want to fix the issues automatically and protect your website from future threats, then the paid version will solve your problem.
However, it’s worth trying the free version of Security Ninja, just to see how many issues the plugin points out and what you can fix manually.
Acunetix will perform basic security checks and help you secure your website against brute force attacks. You can change the permissions on files and change the default messages that users see on wrong password attempts.
I read good reviews when I was researching the best WordPress security plugins.
But I did not feel like installing the plugin on my website when I saw that it had not been updated for the past 2 years.
Yet Acunetix WP Security offers a basic level of protection for websites.
The plugin checks for security vulnerabilities and suggests corrective actions
I included the plugin in the list so that you know that Acunetix was referred to as one of the best plugins by WordPress experts, and it does its job (happy users say so).
The plugin is totally focused on protecting your website from virus or malware attacks. It’s useful for people who are running their websites on Windows servers, as most viruses attack Windows.
You may need protection from malware, adware, hidden links, redirection, spyware and other bad code that may be hidden in plugins and themes that we install from random developers.
This plugin solves a single problem: unauthorised access to your website by a hacker.
The user will be required to pass two-step authentication after installing this plugin on your WordPress website. The first step is the correct username/password, and the second step is authentication through a text/voice message or a mobile app.
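The mobile-app step is almost always a time-based one-time password (TOTP), which is what authenticator apps generate from a shared secret. The Python code below is an added example, not any plugin's code: it implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, plus a verifier that tolerates one 30-second step of clock drift either side. The secret shown is the RFC's published test key, not a real one.

```python
"""Time-based one-time passwords, the mobile-app second factor.

Added example, not any plugin's code: RFC 4226 HOTP and RFC 6238 TOTP from
the standard library only, plus a verifier that accepts one 30-second step of
clock drift either side. The secret below is the RFC's published test key,
not a real one; a deployment generates a fresh random secret per user.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"                # from RFC 4226 appendix D
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # the same key as an app would scan it


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret, code, at=None, step=30, digits=6, drift=1):
    """True if `code` matches the current step or any step within +/- `drift`."""
    at = time.time() if at is None else at
    counter = int(at // step)
    matched = False
    for delta in range(-drift, drift + 1):
        # compare_digest keeps each comparison constant-time; every window is
        # checked rather than returning early so timing does not reveal which matched
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            matched = True
    return matched


def secret_from_base32(text):
    """Decode the Base32 secret an authenticator app scans from the enrolment QR code."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)     # restore the padding apps usually omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = time.time()
    current = totp(RFC_TEST_SECRET, now)
    print("current code:", current, "accepted:", verify_totp(RFC_TEST_SECRET, current, now))
```

A server using this should also remember the last counter value each user successfully used and refuse it a second time, so that a code captured from a text message cannot be replayed inside the drift window.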
VaultPress is a combination of backup and firewall protection for your website. You can get those as a combo or separate package depending on your requirement.
The plugin will scan your files and keep you protected against the threats from malwares.
No matter at which business level you are, a security plugin is a must for your WordPress website.
Almost all the plugins provide protection against brute force attacks (DDoS attacks) and basic website health monitoring. The All In One Security plugin will do all the work that is expected from a free plugin.
But if you have an annual budget of $100 to spend on the security of your website, then go with Sucuri Security (two options: Sucuri Firewall at $9/month and Complete Protection at $16.66/month).
If your requirement is purely virus and malware protection, then you should pick WP Antivirus Site Protection.
I will update the article in a few weeks after hearing your thoughts in the comments. Let me know if you need any more clarification about the security plugins.