WordPress is one of the most widely used pieces of software on the web, making it a huge target for attackers regardless of their intentions. The great thing is that, being so widely used and respected, WordPress also benefits from a large community of supporters that develop plugins to enhance its functionality.
One area that benefits from this fervor is security. Multiple services and plugins exist to help you lock down your WordPress site, making it far more difficult for attackers to gain access to it. Today we’re going to take a look at two leading security plugins: WordFence and Better WP Security.
The story of how WordFence got its start was new to us, but the reason is one we know well. The creator, Mark Maunder, is the person responsible for discovering a massive security hole in what was a very popular thumbnail plugin called TimThumb. He patched it, donated the code back to TimThumb, and then set about building his own security plugin to protect his WordPress-based website after it was exploited via TimThumb.
WordFence’s name is very appropriate; it effectively puts up a virtual fence around your WordPress site. We feel some of the most important features include:
- Scans of WordPress, theme files, and plugins
- Real-time views of hacking traffic
- Blocking fake search engine crawlers
- Tracking IP addresses to their source
- Scans for backdoors
- Blocking brute-force attacks
WordFence also offers a premium version of their plugin for $39 per year, which is likely worth the cost if you run a popular website. The premium version offers more frequent scans, two-factor authentication, and country blocking, which can be highly useful for locally-focused websites.
Better WP Security
Better WP Security has been developed by multiple people, but development is now led by Chris Wiegman at iThemes. It attempts to take WordPress security best practices and package them all into a single plugin, which has led to features like:
- Removing or obscuring information about your WordPress install
- Removing the default “admin” account
- Vulnerability scans and fixes
- Banning bots and malicious agents
- Forcing SSL
- Monitoring the file system for changes
While the goals are the same, WordFence and Better WP Security do not overlap entirely. For example, Better WP Security helps prevent many potential vulnerabilities from becoming problems, even for unpatched WordPress installations. It does this by obscuring information like the version of WordPress being used and which plugins and versions are installed, and by changing several defaults, so that it is harder for attackers to even figure out which exploit would apply. This helps deter attackers in the first place, and they will typically move on to an easier target.
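To confirm that this kind of obscuring is actually in effect on your own site, you can audit the rendered HTML for leftover version strings. The following is an added example, not code from either plugin; it assumes the two default WordPress disclosure points (the `generator` meta tag and the `?ver=` parameter on enqueued assets), and the sample pages, theme and plugin names, and version strings are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class DisclosureAudit(HTMLParser):
    """Collects places where a rendered page reveals component versions."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # WordPress advertises its version in a <meta name="generator"> tag.
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.findings.append(("generator", a.get("content") or ""))
        # Enqueued scripts and styles carry a ?ver= query parameter.
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if not url:
            return
        ver = parse_qs(urlparse(url).query).get("ver")
        if ver:
            m = re.search(r"/wp-content/(plugins|themes)/([^/]+)/", url)
            # Assets outside wp-content are labelled "core-or-other".
            component = f"{m.group(1)[:-1]}:{m.group(2)}" if m else "core-or-other"
            self.findings.append((component, ver[0]))

def audit(html):
    """Return a list of (component, disclosed_version) pairs found in html."""
    parser = DisclosureAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample pages; names and version strings are placeholders.
BEFORE = """<html><head>
<meta name="generator" content="WordPress 0.0.0-example" />
<link rel="stylesheet" href="/wp-content/themes/sample-theme/style.css?ver=1.2" />
<script src="/wp-content/plugins/sample-plugin/app.js?ver=3.4.5"></script>
<script src="/wp-includes/js/sample.js?ver=0.0.0-example"></script>
</head></html>"""
AFTER = """<html><head>
<link rel="stylesheet" href="/wp-content/themes/sample-theme/style.css" />
<script src="/wp-content/plugins/sample-plugin/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for name, page in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(page))
```

An empty result only means the version strings are gone; the asset paths in the `AFTER` page still name the theme and plugin, so patching remains necessary.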
WordFence, on the other hand, has a mix of proactive and reactive measures. It will block known bots and brute-force attacks, scan your WordPress site for vulnerabilities and backdoors, and take advantage of machine learning capabilities to automatically block new types of attacks. The real-time view of attackers and crawlers could be a boon for those of you looking to identify a resource hog.
Regardless, both plugins are very good at what they do and will protect the average WordPress site extremely well. If you feel it’s worth the money, WordFence Premium is your best bet for features like country blocking, two-factor authentication, and remote scans. If you’re on a budget, install either plugin and get it configured. Either way, in this day and age you must be taking advantage of the free, easily accessible security measures available to you.