Plugin - Security
- The Definitive Guide to WordPress Security Plugins
- 5+ Best WordPress Security Plugins 2015 - Genesis Themes
- 15 Best WordPress Security Plugins For 2015
- 7 Best WordPress Security Plugins
- 11 Best WordPress Plugins To Improve the Security of your Blog | Youngblah
Read the comments on: How to Find Hacked WordPress Files and Protect Against Intrusions. Important comment: http://wptavern.com/how-to-find-hacked-wordpress-files#comment-48986
My order:
- Wordfence Security
- Sucuri Security (Sucuri Security WordPress Plugin Guide Overview)
Reviewed plugins:
- Site Protection by Umbrella Plugins is the only plugin I know of that uses the WPScan Vulnerability Database to check your site, and it works perfectly. It also scans WordPress core for unknown files and file modifications by comparing MD5 hashes. I really like this plugin.
- Plugin Inspector checks only the plugins for risky code and also consults the WPScan vulnerability database. So I really like it.
- Plugin Security Scanner is a beautiful small plugin that checks the site once a day against the WPScan vulnerability database and e-mails the administrator if any vulnerable plugins are found.
- NinjaFirewall (WP edition): Overview; Installing NinjaFirewall with HHVM (HipHop Virtual Machine). Works with HHVM, but you must edit php.ini to add auto_prepend_file. In this way, NinjaFirewall is loaded before WordPress is loaded. Works along with other security plugins: iThemes Security?
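The core-file check described for Site Protection (hash every file, compare against a known-good manifest, report anything new or altered) is simple enough to reproduce. The script below is an added example, not code from any of the plugins reviewed here: it builds a manifest of a directory tree, compares it with a later manifest, and singles out added or modified .php files, since a PHP file appearing in uploads is the case a site owner most needs to hear about. The fake install it builds in a temporary directory is constructed for the demo; SHA-256 is used by default (the plugin uses MD5, and the function accepts algo="md5").

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256"):
    """Hash one file in chunks so large uploads don't need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map every file below root (relative, forward-slash path) to its hash.

    SHA-256 is an assumption of this example; pass algo="md5" to match an
    MD5 manifest such as the one the plugin above compares against.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p, algo)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Report files that appeared, vanished or changed, and single out PHP.

    New or altered .php files are repeated under "php_changes" because those
    are the changes most worth an alert.
    """
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
    )
    php_changes = [p for p in added + modified if p.lower().endswith(".php")]
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "php_changes": php_changes,
    }


def demo():
    """Constructed example: a tiny fake install, a baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.2';\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline = build_manifest(root)

        # Simulate what a compromise looks like on disk: a PHP file dropped
        # into uploads, a core file edited, an upload deleted.
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php /* unexpected */\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.2'; // edited\n")
        (root / "wp-content" / "uploads" / "photo.jpg").unlink()
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:12s} {paths}")
```

On a real site the baseline manifest would be written right after a clean install or update and stored outside the web root, and the comparison run from cron; the core-hash files that the Exploit Scanner notes below rely on are exactly this kind of baseline for the WordPress core files.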
Features I need:
- Watch over files (everything) and tell me when changes happen, especially to files with the .php extension. WordPress Sentinel was an unmaintained plugin that did exactly that.
- Log 404s: I have achieved that with the Redirection plugin, which we need for other things anyway, mostly 301 redirections.
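Logging 404s is only useful if someone reads the log, so here is what the reading step can look like. This is an added example, not part of the Redirection plugin or of this page: it parses web-server access-log lines in the common "combined" format, groups 404 responses by client address, and keeps only clients with several misses, since a single 404 is ordinary traffic. The sample log lines are constructed; the threshold of three is an assumption to be tuned per site.

```python
import re
from collections import defaultdict

# Regex for the nginx/Apache "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample log (not real traffic): one client walking through
# plugin paths that do not exist on this site, one ordinary visitor hitting
# a stale link, and a malformed line that must be skipped.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:12:00:01 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:00:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:12:00:03 +0000] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:12:01:00 +0000] "GET /old-article/ HTTP/1.1" 404 162 "http://example.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:12:01:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
this line is not in the expected format and is ignored
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def count_404s(log_text):
    """Group 404 responses by client IP: {ip: {"count": n, "paths": [...]}}."""
    per_ip = defaultdict(lambda: {"count": 0, "paths": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        per_ip[rec["ip"]]["count"] += 1
        per_ip[rec["ip"]]["paths"].append(rec["path"])
    return dict(per_ip)


def flag_probing(per_ip, threshold=3):
    """Keep only clients with at least `threshold` 404s; a single miss is normal."""
    return {ip: info for ip, info in per_ip.items() if info["count"] >= threshold}


if __name__ == "__main__":
    for ip, info in flag_probing(count_404s(SAMPLE_LOG)).items():
        print(ip, info["count"], info["paths"])
```

The same grouping works on the 404 list a plugin keeps in the database; the point is to look at the paths per client rather than at individual misses, because a run of requests for plugins the site does not have is a different signal from a visitor following a dead link.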
Nice to have:
- Firewall: monitor any suspicious activity. NinjaFirewall is the only serious candidate with support for HHVM and nginx, for now.
- All In One WP Security & Firewall: File Permissions, PHP Security and Default File Security (All In One WP Security & Firewall Plugin Overview; All In One WordPress Security and Firewall Plugin | Tips and Tricks HQ). Very exhaustive plugin. The majority of the features should already work on an nginx server, but those involving .htaccess don't.
- iThemes Security was formerly Better WP Security (iThemes Security WordPress Plugin Guide Overview). Seems really good and nicely supports nginx.conf. Can do a lot of things very unobtrusively. Can also scan the homepage for malware using Sucuri SiteCheck.
  Also noted: WP Performance & Security; Security by Supsystic; Asgard Security Scanner; Sucuri Security - Auditing, Malware Scanner and Security Hardening; VaultPress.
- Wordfence Security (Wordfence Security WordPress Plugin Guide Overview; WP Knowledge Base).
- Anti-Malware and Brute-Force Security by ELI works as expected, not bad. But there is simply too much "register me" on the page.
- Total Security has a check of file permissions and more. The option to secure the hidden login creates problems on admin-ajax.php.
- Shield WordPress Security (formerly WordPress Simple Security Firewall). A great explanation of the features and the way they are implemented is in the blog post series "Why We Built It". Some reviews note that this plugin slows down the site; I need to check that. They don't use .htaccess modifications on principle, so I concur with them totally. Important note: all features are available to everyone; there are no special premium versions. I think this is easily the best one to use.
- SecureMoz Security Audit is maybe even better than Total Security. Looks great, but unusable: fatal error on activation?
  Also noted: Theme Authenticity Checker (TAC); Sucuri Security - Auditing, Malware Scanner and Security Hardening; Acunetix WP Security; All In One WP Security & Firewall; Wordfence Security; https://wordpress.org/plugins/search.php?q=malware+scanner
Plugins to consider:
- Code Analyzer adds an "Analyze code" option on the existing Installed Plugins page. Beautiful plugin, but only for testing other plugins' code and finding unwanted code in those plugins.
- VIP Scanner: as the official Automattic/vip-scanner plugin it should be trusted. Used for checking theme compatibility; some sort of combination of what used to be the Theme Checker and the Exploit Scanner, exclusively for themes.
- Quttera Web Malware Scanner will call Quttera's external and free scan. It scans for malware, trojans, backdoors, worms, viruses, spyware and other threats as well as JavaScript code obfuscation, exploits, malicious iframes, malicious code injection, malicious code obfuscation, auto-generated malicious content, redirects, hidden eval code and more. It will also check whether your website is blacklisted by Google and other blacklisting authorities.
Forget about these plugins:
- BulletProof Security has such a cataclysmic and bloated UI that it's shitty for sure. I tested it: really incredible pro-Apache shit.
- Anti-Malware Security and Brute-Force Firewall has what everyone has, plus a terrible UI.
- 6Scan Security seems to have some really bad reviews about doing nothing but advertising itself. Their site was down with "Error establishing a database connection". The last blog post was from Sep 2014. Avoid it; don't even bother to try it out.
- WPSecureOps Easy Firewall does everything with .htaccess and currently intentionally supports only Apache.
- Security and Vulnerability Shield contacts the not-really-developed http://sitecops.com/ site. Nothing worth installing.
Didn't bother to do a detailed analysis:
- Acunetix WP Security simply has too many bad reviews, specifically about being too slow. It has a file scan and a couple of configuration directives.
Local malware and exploit scan
I need a plugin that scans files for suspicious patterns (base64_decode, eval, uudecode, etc.) and the database for posts and comments with suspicious text (iframe, noscript, etc.).
I am testing these plugins on a real infected site where a WSO Web Shell exploit script, in a file named cache.php, was seeded inside the uploads folder.
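To make the two halves of that requirement concrete, here is a scanner of the kind described, as an added example that is not code from this page or from any plugin listed on it. It scores PHP files against weighted indicators (eval, base64_decode, uudecode and similar) and scores post or comment bodies against content indicators (iframe, noscript, script, hidden elements). Scoring instead of flagging on a single match is the answer to the false-positive problem noted for the Exploit Scanner below: plenty of legitimate plugins call base64_decode once. The pattern weights and thresholds are assumptions to tune; the directory tree and the database rows in the demo are constructed stand-ins for the real uploads folder and the posts table.

```python
import re
import tempfile
from pathlib import Path

# Weighted indicators for PHP source. Any one of them alone is common in
# legitimate code (a plugin may base64-decode an embedded image), so files
# are ranked by total score instead of being flagged on a single match.
# Weights are assumptions for this example.
FILE_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\("), 3),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\("), 2),
    ("inflate_or_rot", re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\("), 2),
    ("uudecode", re.compile(r"\bconvert_uudecode\s*\("), 2),
    ("request_input", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b"), 1),
    ("hex_escaped_blob", re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), 2),
    ("long_base64", re.compile(r"[A-Za-z0-9+/=]{200,}"), 2),
]

# Indicators for post/comment bodies pulled from the database.
CONTENT_PATTERNS = [
    ("iframe", re.compile(r"<iframe\b", re.I), 2),
    ("script", re.compile(r"<script\b", re.I), 2),
    ("noscript", re.compile(r"<noscript\b", re.I), 1),
    ("hidden", re.compile(r"display\s*:\s*none", re.I), 1),
]


def score_text(text, patterns):
    """Return (total score, names of matched indicators) for one blob of text."""
    score, names = 0, []
    for name, rx, weight in patterns:
        n = len(rx.findall(text))
        if n:
            score += weight * n
            names.append(name)
    return score, names


def scan_files(root, threshold=4):
    """Score every .php file under root; report those at or above threshold."""
    root = Path(root)
    results = {}
    for p in root.rglob("*.php"):
        if not p.is_file():
            continue
        score, names = score_text(p.read_text(errors="replace"), FILE_PATTERNS)
        if score >= threshold:
            results[p.relative_to(root).as_posix()] = {"score": score, "hits": names}
    return dict(sorted(results.items(), key=lambda kv: -kv[1]["score"]))


def scan_posts(rows, threshold=2):
    """Score post/comment rows ({"id", "content"}); return [(id, score, hits)]."""
    flagged = []
    for row in rows:
        score, names = score_text(row["content"], CONTENT_PATTERNS)
        if score >= threshold:
            flagged.append((row["id"], score, names))
    return flagged


def demo():
    """Constructed data: a fake tree with one planted file, plus fake DB rows."""
    rows = [
        {"id": 1, "content": "<p>Hello world</p>"},
        {"id": 2, "content": '<p>Post</p><iframe src="http://example.com/" style="display:none"></iframe>'},
        {"id": 3, "content": "<noscript>Please enable JavaScript.</noscript>"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "plugins" / "legit").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        # Legitimate use of one indicator: decoding an embedded image.
        (root / "wp-content" / "plugins" / "legit" / "image.php").write_text(
            "<?php echo base64_decode($icon_data);\n"
        )
        # The planted file: the textbook shape of an injected backdoor.
        (root / "wp-content" / "uploads" / "cache.php").write_text(
            "<?php eval(base64_decode($_POST['p']));\n"
        )
        return {"files": scan_files(root), "posts": scan_posts(rows)}


if __name__ == "__main__":
    report = demo()
    for path, info in report["files"].items():
        print(path, info)
    for post_id, score, hits in report["posts"]:
        print("post", post_id, score, hits)
```

Against a real install the file scan would be pointed at the web root and the rows fetched from the posts and comments tables; the output is still a ranked list to review by hand, not a verdict, and anything under uploads that scores at all deserves a look regardless of threshold, because that directory should not contain PHP.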
- Exploit Scanner: the author donncha works for Automattic, so this plugin is really safe, but it is not up to date. Warning: it needs to have the WordPress core hashes. If not, when I tested, it found 550 matches and in that way effectively hid the real threat. Simply too much information and false positives flagging a lot of regular WP files.
  How to obtain core hashes if they are nonexistent:
  - You must enable allow_url_fopen, or it won't be possible to generate the WordPress core hashes if they are missing.
  - Run /wp-content/plugins/exploit-scanner/hashes-generator.php to generate hashes for the latest WordPress, and manually upload the file to the plugin dir.
  - You will usually find those hashes already created in the philipjohn/exploit-scanner-hashes repository, but don't forget to look in pull requests that are not merged yet.
  Even with valid hashes, it had too many warnings to be really useful. It found my malware, along with dozens of others.
- Wemahu is a beautiful idea, but they decided to discontinue it. Didn't find my malware.
- AntiVirus checks only the themes directory. No feedback and therefore not very usable.
- WP Doctor seems a little amateurish, and it didn't detect my exploit.
Sources: