WordPress users can generally be divided into two groups: those whose sites have been attacked, and everyone else. If you are in the latter group you might not realize why firewall plugins are so important.
Let me tell you about what happened to me, so that you don’t make my mistake and have to learn the hard way that an ounce of prevention is worth a pound of cure.
In 2017 the most common botnets are made up of smart appliances or IP webcams, but back then the popular targets were blogs running WordPress.
Ironically enough, my WordPress site was being attacked by other WordPress sites that wanted to hack their way in, steal control of my site, and turn it into a bot that could be used to attack even more sites.
The bot net kept hitting my registration page and login page again and again, trying to gain access. I fought off that botnet because I had already taken basic steps to secure my site. I had disabled new user registration, deleted the original admin account, and had a complex password.
But one key step I neglected was to install a firewall plugin. If I had installed that I might never have noticed the attacks.
In a nutshell, securing your website with a firewall is the first and best way to keep hackers from loading your pages with adverts for viagra, attacking your visitors, or trying to hack other sites.
Forgoing website security will eventually hit you where it hurts – in your pocketbook. It’s not just the big sites that are at risk, either; hackers are just as happy targeting small sites, meaning you may need to step up your game in order to keep your website safe.
Note: this is not a comprehensive list. I left out a number of plugins because they either had poor ratings, hadn’t been updated, or had few users.
- Jetpack – This is not a plugin you would expect on a list of security plugins, but Jetpack does have a few basic security features. If you upgrade to the paid plan, you can use it to make backups, and it can also protect your site from spam (Akismet) and from attempts to brute-force hack your site via the login page.
- Wordfence – This is the single most popular firewall plugin on this list, and my second-favorite. It supports everything from scanning, protection against brute-force attacks, two-factor authentication, and it will even tell you when links in comments lead to suspicious sites.
- All In One WP Security & Firewall – this is my current preferred plugin because it’s easy to use and to set up. It’s not nearly as popular as Wordfence, but I like it because it has nearly as many features and because how well it explains what it wants you to do and as well as why.
- Sucuri – Best-known for its highly-rated (paid) malware cleanup service, Sucuri released this plugin so that its clients can be protected from the inside out. It’s not quite as feature rich as Wordfence or All-in-One, though.
- iThemes Security – This plugin supports two-factor authentication, malware scanning, user tracking, password expiration, and can track changes in WP files to protect you against malware rewriting your code to hide itself. Perhaps its most useful feature is the way it lets you grant temporary admin or editor access to a user and then automatically reset the user’s privileges after a set period.
I can recommend any of the above five plugins from personal experience, but there are many other possible options. Here are another four plugins you might try:
- Anti-Malware Security and Brute-Force Firewall
- Shield Security
- BulletProof Security
- WordPress Security by CleanTalk
And if you’re looking for a specialized, single-purpose plugin, here are a few that come highly-recommended.
- BotNet Attack Blocker – this plugin keeps bots from repeatedly trying to log in to your site. It will also lock you out if you get your password wrong too many times, but that is a risk worth taking.
- Google Authenticator – The name of the game is two-factor authentication, and this plugin can do it.