Find the best wordpress security plugins in 2021 to update the wp security rules to get rid of unwanted bot traffic, brute force attacks that slowing down your website. prevent security vulnerabilities like source code injection, sql injection, DDOS attacks by rate limiting rules etc. There are many wordpress security plugins out there, but we have to choose them wisely based on our security rules, most hosting provides hardens their server security but most cases our shared hosting account suspended by one following reasons.
All in one security plugin
Basic Rules:
- Change Username by default its admin (its easy to crack when cracker knows the username).
- Rename login Page (by default its wp-login.php) if someone knows its wp by footprint or source they hit this.
- Change DB Prefix by Defaults its wp_Options (easy way to sql injection)
- COmment captcha enabling captcha to submitting a posts avoids some bot comments.
- Login Lockdown Features: if certain requests during the time it will lock ip address for few minutes to prevent attack.
- Automated Database Backups:
WordPress Security Plugins FIrewall Rules
DIsable XML RPC (wordpress checks latest plugins through XML RPC cron functions)
Disables Pings for XML RPC: jetpack plugin otr wordpress android apps need this functionality
Disable Index Views: Apache server ip server not done, you can do this by all in one wp security plugin’s firewall rules.
Disable Trace and Track: HTTP Trace attack (XST) Used to cross site scripting attacks (XSS). (No other functionality affected)
Bad Query Strings:
This setting will implement the 6G security firewall protection mechanisms on your site which include the following things:
1) Block forbidden characters commonly used in exploitative attacks.
2) Block malicious encoded URL characters such as the “.css(” string.
3) Guard against the common patterns and specific exploits in the root portion of targeted URLs.
4) Stop attackers from manipulating query strings by disallowing illicit characters.
Prevent Hotlinking to files (image pdf)
How this Affects?
If you hae a good image, someone copied their blog posts. (so eery his page gets load, you server has sere the image as cdn)
If their page get lot hits. your server gets down due to request per second limits reached by your server, high cpu, memory usage.
you can do this cloudflare, apache, nginx server configuration
#2 Wordfence The best wordpress Security Plugin – Firewall & Malware Scan
Premium and Free
Active installations:3+ million
Rating 4.8 /5 (3600 votes)
Wordfence plugin Premium Features (free version is delayed by 30 days)
- Real-time firewall rule and malware signature updates
- Real-time IP Blacklist from reported sources
- Country blocking
Free Features
- Login Lockdown
- Ip blocking
- 2Fa 2 factor authentication
- Lie traffic monitor by Ip Address
- System scanner is 3rd features analyzed files & permissions , FIle source code to identify malicious scripts (Source code injections).
#3 Jetpack plugin for wordpress Security
Jetpack by wordpress team. all in features bundled with moduled. every feature build as module. For security lets dig it now
Install the Plugin, go to modules and activate the Security features and then configure settings.
- Free:
- Personal:
- Professional:
- EnterPrise:
Traffic & Insights
site stats
Google analytics integration in premium
Automation
auto Post sharing, Related Posts
SEO
Xml Sitemap
Site verification
Jetpack Plugin Security Features for wordpress
Brute force attack Protection
downtime monitoring
secure authentication
easy plugin management
plugin auto updates
site activity 20 events
Backups not in free
Security scanning including malware scan
not in free version
TIp: Look at the backend team of Plugin and their company
How Source code injection works & ways to remove it?
When you download pirated theme or plugin. the cracks leaves php backdoor,
Mostly the code in index.php.
When the user visited the website they place ads from different ad networks. or requesting user to download a software like flash player by a popup page on your website. (incase of adsense they may change publisher id & ad code but adsense not allowed this on unverified sites.)
They download other software instead of flash player.
Scan with wordfence or other tools or edit manually all files and remove the code.
NOTE: Don’t use all Features unless you know what you doing. (less resources consumption)
adds lot of rules to your .htaccess file but it slows down your wp-admin access. maybe it slows your website performance.
the best feature is Disabling brute force attack by custom URL login page and custom keyword with string to store a cookie on your pc with a secret word. all other trying to access they will redirect where you want.
google Authenticator plugin
Add step 2 verification WordPress login: you can use google Authenticator plugin. for that you have t o install google authenticator app on mobile.
You can login with wordpress.com username & password if you installed jetpack plugin.
How to prevent WordPress brute force Attacks Login lockdown?
Login Lockdown by IP Address banning really not works for brute force attacks, because hackers use lots of ip address.
Don’t expose wp-login.php
Protect wp-admin directory with .htaccess password.
Always check the error log in WordPress directory.
Block brute force attack by XML -RPC.php
try to rename xml-rpc.php but we can get errors in access logs. but we can protect it by .htaccess
<FilesMatch “xmlrpc.php”>
Order Deny,Allow
deny from all
</FilesMatch>
Block XML RPC & anonymous referees
Block No referer request by .htaccess apache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*chagewithyour.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/$1 [R=301,L]
</ifModule>
You can block post requests to avoid injecting malicious script.
evasis 20 apache module blocks XML RPC.php
ip based login — wordpress without any securing plugins
Allow login from only from your workstation if your isp provides a static ip. if dynamic IP you can add isp hostname or you can check hostname by ip address online with this word on google host to ip. or subnet mask of ip. to know your id just do search as what is my ip.
add this .htaccess file
<FilesMatch “wp-login.php”>
Order Deny,Allow
deny from all
allow from 8.8.8.8
</FilesMatch>
subnet ip address are start with same address but last few digits different
Allow from dynamic ip
<FilesMatch “wp-login.php”>
Order Deny,Allow
deny from all
allow from .isp.example.com
</FilesMatch>
Limited Access to Wp-admin folder
add the same code in wp-admin .htaccess folder.
.htaccess password protecting wp-login.php without any wordpress security plugins
<Files ~ “^\.ht”> Order allow,deny Deny from all </Files>
<Files wp-login.php>
AuthUserFile ~/.htpasswd
AuthName “Private access”
AuthType Basic
require user green
</Files>
Authorization file can be located anywhere in the directory. but you have to give the exact path.
create a New file called .htpasswd and paste the htaccess password there.
you have to generate htacess password using one of many available tools like Cpanel, ssh.
USE Cloudflare and Select security level medium or high based on your requirement.
Securing Apache server
Evasis module
Mod security
Firewall IPtables or UFW for Debian 8, SELinux
Note: the conflict between security rules may cause server slowdown.
HaCkEd By RxR HaCkEr
HaCkeD By SA3D HaCk3D
wordpress security vulnerabilities
- wp-login.ph
- xml-rpc.php
- wp-cron.php
- Bot spam comments by wordpress footprints “post a comment, wordpress, login to post” (wordpress comment management)
- php backdoors on pirated themes (some pirated themes provides includes some back doors) one case i saw they replaced with their adcode to earnmoneey.
Attacks
Sql injection, Source code Injection, Brute force attack to wp-login php,
Best practices:
Rate limiting, blocking , Human verification methods.