Plugin - Security
Roundups consulted:
- 5+ Best WordPress Security Plugins 2015 (Genesis Themes)
- 15 Best WordPress Security Plugins For 2015
- 7 Best WordPress Security Plugins
- 11 Best WordPress Plugins To Improve the Security of your Blog (Youngblah)
Read the comments on How to Find Hacked WordPress Files and Protect Against Intrusions. Important comment: http://wptavern.com/how-to-find-hacked-wordpress-files#comment-48986
Site Protection by Umbrella Plugins is the only plugin that I know that uses WPScan Vulnerability Database to check your site, and it works perfectly. It also scans WordPress core for unknown files and file modifications by comparing md5 strings. I really like this plugin.
Works with HHVM, but you must edit auto_prepend_file. In this way, NinjaFirewall is loaded before WordPress is loaded.
Works along with other security plugins: iThemes Security?
Features I need:
Watch over files (everything) and tell you when changes happen, especially for files with the .php extension. WordPress Sentinel was an unmaintained plugin that did exactly that.
Log 404s: I have achieved that with the Redirection plugin, which we need for other things anyway, mostly 301 redirections.
Nice to have:
Firewall: Monitor any suspicious activity. NinjaFirewall is the only serious candidate with support for HHVM and nginx, for now.
Very exhaustive plugin.
The majority of the features should already work on an nginx server, but those involving .htaccess don’t.
iThemes Security was formerly Better WP Security. See the iThemes Security WordPress Plugin Guide Overview. Seems really good and nicely supports nginx.conf. Can do a lot of things very unobtrusively. Can also scan the homepage for malware using Sucuri SiteCheck.
Anti-Malware and Brute-Force Security by ELI works as expected - not bad. But simply too much “register me” on the page.
Total Security has a file-permissions check and more. The option to secure the hidden login creates problems with admin-ajax.php.
Shield WordPress Security (ex: WordPress Simple Security Firewall). A great explanation of the features and the way they are implemented is in the blog post series Why We Built It. Some reviews note that this plugin slows down the site - need to check that. They don’t use .htaccess modifications on principle, so I concur with them totally.
Important note: All features are available to everyone; there are no special premium versions.
I think this is easily the best one to use.
SecureMoz Security Audit is maybe even better than Total Security. Looks great, but unusable due to a fatal error on activation?
Plugins to consider:
Code Analyzer adds an Analyze code option on the existing Installed Plugins page. Beautiful plugin, but only for testing other plugins’ code and for finding unwanted code in those plugins.
As an official Automattic/vip-scanner plugin it should be trusted. Used for checking theme compatibility; some sort of combination of what used to be the Theme Checker and the Exploit Scanner, exclusively for themes.
Forget about these plugins:
BulletProof Security has such a cataclysmic and bloated UI that it’s shitty for sure. I tested it and it’s really incredible pro-Apache shit.
Anti-Malware Security and Brute-Force Firewall has what everyone has plus a terrible UI.
6Scan Security seems to have some really bad reviews about doing nothing but advertising itself. Their site was down with: Error establishing a database connection. The last blog post was from Sep 2014. Avoid it - don’t even bother to try it out.
WPSecureOps Easy Firewall is doing everything with .htaccess and currently intentionally supports only Apache.
Didn’t bother to do a detailed analysis:
- Acunetix WP Security simply has too many bad reviews, specifically about being too slow. It has a file scan and a couple of configuration directives.
Local malware and exploit scan
I need a plugin that scans files for suspicious patterns (base64_decode, eval, uudecode, etc.) and the database for posts and comments with suspicious text (iframe, noscript, etc.).
I am testing these plugins on a real infected site where a WSO Web Shell exploit script was seeded inside the file cache.php.
Warning: Exploit Scanner needs to have the WordPress core hashes. If not, when I tested, it found 550 matches and in that way effectively hid the real threat. Simply too much information and too many false positives pointing at a lot of regular WP files.
How to obtain core hashes if they are nonexistent:
- You must enable allow_url_fopen, or it won’t be possible to generate the WordPress core hashes if they are missing.
- Run /wp-content/plugins/exploit-scanner/hashes-generator.php to generate hashes for the latest WordPress, and manually upload the file to the plugin directory.
- You will usually find those hashes already created in the philipjohn/exploit-scanner-hashes repository, but don’t forget to look in pull requests that are not merged yet.
Even with valid hashes, it had too many warnings to be really useful. Found my malware, along with dozens of others.
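To make the two scans concrete (the pattern scan wanted above, and the core-hash comparison that Exploit Scanner and Site Protection by Umbrella rely on), here is an added Python example; it is not code from any of the plugins discussed. It skips files whose MD5 matches a known-good core hash list (so a legitimate base64_decode in core is not a false positive), flags modified or unknown core files, and pattern-scans everything else plus post/comment text. The sample files, hashes and database rows are constructed inline; a real hash list comes from the official core hashes.

```python
import hashlib
import re

# Code patterns the page calls suspicious in PHP files; uudecode is convert_uudecode() in PHP.
SUSPICIOUS_CODE = re.compile(r"\b(eval|base64_decode|convert_uudecode|uudecode)\s*\(", re.I)
# Markup the page calls suspicious inside post and comment content.
SUSPICIOUS_HTML = re.compile(r"<\s*(iframe|noscript)\b", re.I)
CORE_DIRS = ("wp-admin/", "wp-includes/")

def scan_files(files, core_hashes):
    """files: {relative path: bytes}; core_hashes: {relative path: known-good md5}.
    A file whose hash matches the list is skipped even if it contains a listed
    pattern; that is what keeps the false-positive count down."""
    findings = []
    for path, data in sorted(files.items()):
        expected = core_hashes.get(path)
        if expected is not None:
            if hashlib.md5(data).hexdigest() != expected:
                findings.append((path, "core file modified"))
            continue  # unmodified core file: no pattern scan needed
        if path.startswith(CORE_DIRS):
            findings.append((path, "unknown file in core directory"))
        if path.endswith(".php") and SUSPICIOUS_CODE.search(data.decode("utf-8", "replace")):
            findings.append((path, "suspicious code pattern"))
    return findings

def scan_content(rows):
    """rows: (table, row id, text) tuples as read from wp_posts / wp_comments."""
    hits = []
    for table, row_id, text in rows:
        m = SUSPICIOUS_HTML.search(text)
        if m:
            hits.append((table, row_id, m.group(1).lower()))
    return hits

# Constructed sample site. A real hash list comes from the official core hashes
# (e.g. the exploit-scanner-hashes repository), not from the site being scanned.
CLEAN_CORE = b"<?php\nfunction wp_example() { return base64_decode('aGk='); }\n"
ORIGINAL_CLASS = b"<?php\nclass WP_Example {}\n"
CORE_HASHES = {"wp-includes/functions.php": hashlib.md5(CLEAN_CORE).hexdigest(),
               "wp-includes/class-wp.php": hashlib.md5(ORIGINAL_CLASS).hexdigest()}
SITE_FILES = {
    "wp-includes/functions.php": CLEAN_CORE,  # legitimate base64_decode, hash matches
    "wp-includes/class-wp.php": ORIGINAL_CLASS + b"// injected line\n",  # hash mismatch
    "wp-admin/extra.php": b"<?php echo 'x';\n",  # not on the hash list at all
    "wp-content/cache.php": b"<?php eval(base64_decode('ZWNobyAxOw==')); ?>",  # stand-in
}
SAMPLE_ROWS = [("wp_posts", 1, "<p>Hello world</p>"),
               ("wp_posts", 2, "<p>hi</p><IFRAME src='http://example.invalid'></IFRAME>"),
               ("wp_comments", 7, "<noscript>x</noscript>")]
```

Running `scan_files(SITE_FILES, CORE_HASHES)` reports only the modified core file, the unknown file under wp-admin/ and cache.php; the legitimate core use of base64_decode is silent because its hash matches.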
Wemahu is a beautiful idea, but they decided to discontinue it. Didn’t find my malware.
AntiVirus checks only the themes directory. No feedback and therefore not very usable.
WP Doctor seems a little amateurish, and it didn’t detect my exploit.