Securing WordPress with Plugins: 18 Ways
WordPress is a wonderful CMS to use to bring your site online and manage your content. As your site gets more popular, you are more likely to face hack attacks. While the WordPress core is secure, there are things you can do to harden WordPress and protect your server against hack attacks. Here are 18 ways you can use plugins to monitor, protect, and recover your site (after a hack attack):
Backup your website: before worrying about how secure your website is, you need to spend some time to set up a reliable backup process for your website. We have already covered plenty of plugins that let you backup your site to Dropbox, Amazon S3, and other offsite locations. The choice is up to you.
Use a firewall: this is a no-brainer. By using a firewall, you are going to have an easier time handling hack attacks on your site. We use CSF, but there are also a few decent WordPress plugins that can serve as a firewall.
Limit login attempts and stop brute force hack attempts: we use Limit Login Attempts to keep people from playing around with our login page. We also use .htaccess to limit access to our files by IP. Fortunately, there are many plugins that can help you combat brute force attacks.
Perform security audits: if you are not analyzing your website to find security holes, how are you going to be prepared for hack attacks? Plugins such as iThemes Security can give you an idea of what to do to prepare against hack attacks.
Fix security vulnerabilities: keeping an eye on WordPress issues is one thing, but fixing security holes is a whole other issue. Plugins like Security Ninja give you a clear idea of how you can address security holes on your site.
Scan your server & themes for exploits: you can have the strongest firewall installed, but if your server is already infected, you are out of luck. Plugins such as Exploit Scanner can help you identify problematic files and remove them fast. You could also use a plugin like Theme Authenticity Checker to scan your themes for viruses.
Monitor file changes: as a webmaster of a growing site, you may have to wear too many hats. In that situation, it is easy to miss important changes happening on your site. Tools such as CodeGuard help you figure out what is changing on your site, so you can catch hack attempts before they are successful.
Use .htaccess to secure your site: knowing a thing or two about .htaccess and how it works could help your cause here. You can protect files, folders, and a whole lot more with the right directives in your .htaccess file.
Monitor and stop XSS attacks: Cross-site scripting attacks can be particularly nasty. Plugins such as Sucuri and SmartFilter Security help you be prepared for XSS attacks.
Use 2-factor authentication to protect your site: many top sites are already using this feature. WordPress plugins such as Clef let you go password free and use multi-factor authentication to log into your site.
Hide WordPress features: don’t want anyone to know you are using WordPress? There are already a few plugins that can handle the job. This won’t keep your site protected against all hack attacks but might keep newbies at bay.
Monitor user activity: you should always keep an eye on what’s happening on your site. Plugins such as Stream let you see every change made on your site. It logs every logged-in user action and presents the information in an organized fashion to save you time.
Keep an eye on rogue users: if your site offers user registration, you need to take some time to keep an eye on what people do on your site and control rogue users. Thankfully, there are many plugins that can help you remove spam user registrations to make your job easier.
Enforce strong passwords: going back to the previous point, if your site accepts new members all the time, you need to enforce a strong password policy for everyone to keep your community safe. Plugins such as Enforce Strong Password help you do just that. You should also reset passwords every now and then just to be on the safe side.
Deal with fake traffic: fake web-bots can deal a big blow to your business if you are not too careful. Plugins such as Wordfence help you deal with them appropriately.
Use anti-spam plugins: spammers may sound harmless to you in comparison to hackers, but you should still block them. Don’t want to go with Akismet? There are plenty of free alternatives that get the job done.
Keep your plugins and themes updated: this is a no-brainer, really, but not everyone does it. If you have multiple sites, updating them one by one can be challenging. ManageWP and InfiniteWP can help you handle the job.
Fix your hacked site with backup & security plugins: no matter how secure your site looks, there is always a chance it might get hacked. If you have a decent backup or change-tracker plugin, you will be able to restore your site to its original state quickly.
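The "Monitor file changes" item above comes down to comparing the site's files against a baseline taken while the site was known to be good. The Python script below is an added example, not code from this article or from any plugin it names: it hashes a WordPress tree, reports added, modified and removed files, and flags new PHP files under wp-content/uploads. The function names and the sample tree are constructed for illustration, and the uploads check assumes that directory is meant to hold media only.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare(baseline, current):
    """Return sorted lists of added, modified and removed paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def php_in_uploads(paths):
    """Flag PHP files under wp-content/uploads (assumed to hold media only)."""
    return [p for p in paths
            if p.startswith("wp-content/uploads/") and p.lower().endswith(".php")]


def demo():
    """Build a constructed site tree, change it, and report the differences."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        def write(rel, text):
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        write("index.php", "<?php // constructed sample\n")
        write("wp-content/themes/demo/functions.php", "<?php // theme v1\n")
        baseline = snapshot(root)  # taken while the site is known good
        write("wp-content/themes/demo/functions.php", "<?php // theme v1 edited\n")
        write("wp-content/uploads/2024/photo.php", "<?php // unexpected file\n")
        (root / "index.php").unlink()
        report = compare(baseline, snapshot(root))
    report["suspicious"] = php_in_uploads(report["added"])
    return report


if __name__ == "__main__":
    print(demo())
```

On a real site, store the baseline somewhere the web server cannot write to, so that whoever changes the files cannot also rewrite the record they are checked against.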
What are your favorite WordPress security plugins? Please share them here.