Plugins: Security

The Definitive Guide to WordPress Security Plugins

5+ Best WordPress Security Plugins 2015- Genesis Themes 15 Best WordPress Security Plugins For 2015 7 Best WordPress Security Plugins 11 Best WordPress Plugins To Improve the Security of your Blog | Youngblah

Read comments: How to Find Hacked WordPress Files and Protect Against Intrusions Important comment: http://wptavern.com/how-to-find-hacked-wordpress-files#comment-48986

My order:

• Wordfence Security
• Sucuri Security Sucuri Security WordPress Plugin Guide Overview

Wordfence Security

Reviewed plugins

• Site Protection by Umbrella Plugins is the only plugin that I know that uses WPScan Vulnerability Database to check your site, and it works perfectly. It also scans WordPress core for unknown files and file modifications by comparing md5 strings. I really like this plugin.

• Plugin Inspector checks only the plugins for risky code and also consults WPScan vulnerability database. So I really do like it.

• Plugin Security Scanner is beautiful small plugin that will once a day check site for WPScan vulnerability and e-mail the administrator if any vulnerable plugins are found.

• NinjaFirewall NinjaFirewall edition (WP edition): Overview Installing NinjaFirewall with HHVM (HipHop Virtual Machine)

  Works with HHVM, but you must edit php.ini to add auto_prepend_file. In this way, NinjaFirewall is loaded before Wordpress is loaded. Works along with other security plugins: iThemes Security?

Ma ipak preskači naširoko: WP Cerber Security WordPress plugin: firewall, anti-spam, integrity checker and malware removal ali je removed: WP Cerber Security, Anti-spam & Malware Scan to je isti autor kao “plugin-inspector”.

Cerber mi je ostavio strašan šit u bazi, napravio gomilu tabela. Imaš objašnjeno šta da brišeš ovde: Removing the Cerber Security Plugin Data from your Child Site - MainWP WordPress Management

What features I actually need

Features I need:

• Watch over files (everything) and tells you when changes happen, specially with .php extension. WordPress Sentinel was unmaintained plugin that was doing exactly that.

• Log 404’s: I have achieved that with Redirection plugin, that we need for other things, mostly 301 redirections.

Nice to have:

• Firewall: Monitor any suspicions activities. NinjaFirewall is the only serious candidate with support for HHVM and nginx, for now.

• All In One WP Security & Firewall

  File Permissions, PHP Security and Default File Security All In One WP Security & Firewall Plugin Overview All In One WordPress Security and Firewall Plugin | Tips and Tricks HQ

  Very exhaustive plugin.

  The majority of the features should already work on nginx server, but those involving .htaccess don’t.

• iThemes Security was formerly Better WP Security. iThemes Security WordPress Plugin Guide Overview Seems really good and nicely supports nginx.conf. Can do a lot of things very unobtrusively. Can also scan homepage for malware using Sucuri SiteCheck.

WP Performance & Security Security by Supsystic Asgard Security Scanner Sucuri Security - Auditing, Malware Scanner and Security Hardening VaultPress

• Wordfence Security Wordfence Security WordPress Plugin Guide Overview - WP Knowledge Base WP Knowledge Base

• Anti-Malware and Brute-Force Security by ELI Works as expected - not bas. But, simply to much “register me” on the page.

• Total Security Has check of file permissions and more things. Option to secure hidden login creates problems on admin-ajax.php.

• Shield WordPress Security / ex: WordPress Simple Security Firewall Great explanation of features and the way they are implemented is in this blog post series: Why We Built It Some reviews note that this plugin slows down site - need to check that. Don’t use .htaccess modifications by principle, so I concur with them totally.

  Important note: All features are available to everyone; no some special premium versions. I think this is easily the best one to use.

• SecureMoz Security Audit is maybe even better than Total Security. Looks great, but unusable as Fatal error on activation?

Theme Authenticity Checker (TAC) Sucuri Security - Auditing, Malware Scanner and Security Hardening Acunetix WP Security All In One WP Security & Firewall Wordfence Security

https://wordpress.org/plugins/search.php?q=malware+scanner

Plugins to consider:

• Code Analyzer Adds Analyze code option on the existing Installed Plugins page. Beautiful plugin, but only for testing other plugin’s code and finding unwanted code in those plugins.

• VIP Scanner
  As an offical Automattic/vip-scanner plugin it should be trusted. Used for checking Theme compatibility; some sort of combination of what used to be the Theme Checker and the Exploit Scanner, exclusively for theme.

• Quttera Web Malware Scanner Will call Quttera remote but free scan. Scanning malware, trojans, backdoors, worms, viruses, spywares and other threats as well as JavaScript code obfuscation, exploits, malicious iframes, malicious code injection, malicious code obfuscation, auto-generated malicious content, redirects, hidden eval code and more. Also, it will check whether your website is blacklisted by Google and other blacklisting authorities.

Forget about these plugins:

• BulletProof Security has so cataclysmic and bloated UI that it’s shitty for sure. I tested it and it is really incredible pro-Apache shit.

• Anti-Malware Security and Brute-Force Firewall has what everyone has plus a terrible UI.

• 6Scan Security seems to have some awful reviews about doing nothing but advertising itself. Their site was down with: Error establishing a database connection. Last blog post was from sep 2014. Avoid it and don’t even bother to try it out.

• WPSecureOps Easy Firewall is doing everything with .htaccess and currently intentionally supports only Apache.

• Security and Vulnerability Shield contacts some not-really-developed http://sitecops.com/ site. Nothing worth installing.

Didn’t bother to do a detailed analysis:

• Acunetix WP Security simply has too much bad reviews, specifically about being too slow. It has a file scan and a couple of configuration directives.

Protect WordPress using HTTP authentication

The implementation of HTTP authentication through PHP, specifically with the help of a plugin and I am using the first plugin because it works directly and simply.

• WP Basic Authentication allows for the configuration of a user-pass and then determines whether only the backend, only the frontend, or both are protected.
• WP BASIC Auth enables authentication for each user with their individual password.
• Basic Auth for WP-Admin
• HTTP Auth

This approach, compared to web-server based HTTP authentication, has its flaws, as all non-PHP files are still directly accessible. For example, all media files can still be accessed via direct paths. In cases where HTTP authentication is implemented through the web server, it protects access to all files on the server.

10up/wpcli-vulnerability-scanner: WP-CLI command for checking installed plugins and themes for vulnerabilities reported on wpvulndb.com