WordPress Management Best Practices Part 2 – Essential Plugins: WordPress Security

By Shield Security, 20th April 2014 (last updated April 21st, 2020)

We’re not the first to write about essential WordPress plugins, nor is it our first time writing about them.

But as the WordPress plugin landscape develops, so do our opinions.

Part 2 of this series covers the WordPress Security plugin that we recommend. Of course, if you don’t like our recommendation, then please choose another – but be sure that you do choose one.

Let’s get into it…

Which WordPress Security Plugin To Choose

Simply put, you need something to help harden up your WordPress site. If you followed the first part of this series, you’ll have already changed your default admin username. Win!

The WordPress security plugin we recommend, since we built it(!), is Shield Security.

Why the Shield Security plugin?

It’s simple, effective, and does a stack of things so you don’t need 3 or 4 extra plugins to do each one.

Its underlying focus is to provide hardened WordPress security without modifying any core system files, which reduces the risk of breaking your site. Key features include:

  • Self-protection. This is the only WordPress security plugin that provides self-protection: you lock down use of this very plugin so that no other user, admin, authorized or not, can make changes to the plugin itself.
  • Automatic upgrades. Using the WordPress Background/Automatic updates system, it seamlessly upgrades itself to ensure it has the latest features and fixes.
  • Firewall blocks. Depending on the type of data contained within the web requests made to the site, it will completely block requests that appear suspicious.
  • Full protection against login hacking and brute-force attacks. This plugin doesn’t use fancy IP address blocking after so many attempts. It simply throttles logins, provides 2-factor authentication and more!
  • Blocks all spambot comment spam. Simply put, it will block all comments from spambots.
  • WordPress automatic updates configuration. You have full control over the processing of WordPress Background/Automatic updates.
  • WordPress lockdown. You can lock down the admin section to ensure unauthorized users cannot modify core files.

Use the ‘Add New’ plugin option directly from within WordPress and search for “WordPress Simple Firewall”; then install and activate the plugin.

WordPress Security Options

The following are our basic recommended options for running the WordPress Simple Firewall. You can choose to extend these options or reduce them as you desire:

Dashboard

Screenshot: WordPress Simple Firewall – Recommended Settings for Dashboard

Admin Access Restrictions is an important layer in your WordPress security. By enabling this feature, only authorized administrators can access and change the options on this security plugin.

They will also be restricted from disabling or uninstalling this plugin.

WordPress Firewall

The Firewall has various checks it can perform and if you find you have some plugin or other system that has an incompatibility with it, you can enable or disable individual checks.

You can also choose to whitelist and blacklist certain IP addresses as you choose, but these are generally unnecessary unless you have specific 3rd-party service providers that need to remotely connect to your site; they are provided for completeness’ sake.

Login Protection

Screenshot: WordPress Simple Firewall – Recommended Settings for Login Protection

Reasons why we feel Login Protection works better than other Login Protection plugins are:

  • 2-Factor Authentication is a critical layer in login systems and should be used everywhere. Using 2-factor authentication with this plugin prevents anyone from impersonating you from any location in the world.
  • There are no extra database calls to analyse visitor IP addresses in order to check whether an IP should be banned. With the login cool-down period enforced, no-one can brute-force attack your site. Most brute-force login attacks are run from multiple (hundreds of) locations, so blocking IP addresses makes no sense. If you have a cool-down period, you limit the number of login attempts that are even possible, so brute-force attacks are instantly nullified!
  • By turning on the feature to block remote posts and using GASP, it also prevents bots and brute force login attempts from logging in remotely.
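To make the cool-down argument concrete, here is an added example of a site-wide login cool-down written as a WordPress must-use plugin. It is illustrative code for this article, not the Shield Security / WordPress Simple Firewall implementation, and the ten-second window, the `example_` function and constant names, and the transient key are all assumptions chosen for the example. It uses only core WordPress APIs (the `authenticate` filter, transients and `WP_Error`).

```php
<?php
/**
 * Plugin Name: Site-wide Login Cool-down (illustrative example)
 * Description: Added example of the cool-down idea described above; not the
 *              Shield Security / WordPress Simple Firewall implementation.
 *              Drop into wp-content/mu-plugins/ to load it automatically.
 */

// Assumed setting: minimum seconds between any two login attempts, site-wide.
// Chosen for illustration; not a value from the article.
const EXAMPLE_LOGIN_COOLDOWN_SECONDS = 10;

// Transient holding the timestamp of the most recent allowed login attempt.
const EXAMPLE_LOGIN_LAST_ATTEMPT_KEY = 'example_login_last_attempt';

/**
 * Enforce the cool-down. Because the window is keyed on the site, not on the
 * visitor's IP address, spreading an attack over hundreds of addresses buys
 * nothing: the whole site accepts at most 3600 / EXAMPLE_LOGIN_COOLDOWN_SECONDS
 * attempts per hour, whatever the source.
 *
 * @param WP_User|WP_Error|null $user     Result of the earlier authenticate filters.
 * @param string                $username Submitted username.
 * @param string                $password Submitted password.
 * @return WP_User|WP_Error|null
 */
function example_login_cooldown_authenticate( $user, $username, $password ) {
	// WordPress also runs this filter with empty credentials when it simply
	// renders the login page; only real submissions count as attempts.
	if ( '' === $username && '' === $password ) {
		return $user;
	}

	$now  = time();
	$last = (int) get_transient( EXAMPLE_LOGIN_LAST_ATTEMPT_KEY );

	if ( $last > 0 && ( $now - $last ) < EXAMPLE_LOGIN_COOLDOWN_SECONDS ) {
		// Blocked attempts do NOT refresh the window; if they did, continuous
		// hammering would keep legitimate users locked out indefinitely.
		// The message is generic so it reveals nothing about the username.
		return new WP_Error(
			'example_login_cooldown',
			sprintf(
				'Too many login attempts. Please wait %d seconds and try again.',
				EXAMPLE_LOGIN_COOLDOWN_SECONDS - ( $now - $last )
			)
		);
	}

	// This attempt is allowed: start a new window. Failed and successful
	// attempts alike consume it, so the budget cannot be probed for free.
	set_transient( EXAMPLE_LOGIN_LAST_ATTEMPT_KEY, $now, EXAMPLE_LOGIN_COOLDOWN_SECONDS );

	return $user;
}

// Priority 30: core's username/password check runs at priority 20 and discards
// any WP_Error handed to it when the credentials are non-empty, so a cool-down
// hooked earlier would be silently overridden. Running after it, our WP_Error
// is what wp_signon() sees.
add_filter( 'authenticate', 'example_login_cooldown_authenticate', 30, 3 );
```

Two design points worth knowing before using something like this. First, XML-RPC logins go through the same `authenticate` filter, so the cool-down covers remote login attempts as well as the form. Second, a site-wide window trades login availability for attack resistance: on a busy multi-author site, a steady stream of attacker requests will also delay real users for the length of the window, which is why a per-username window (keying the transient on the submitted username) is a common variation.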

Comments Filter

Screenshot: WordPress Simple Firewall – Recommended Settings for Comments Filter

With our Comments Filters, you won’t need any other spam-filtering plugin for bot-based spamming. There are no false positives, and legitimate users have NO problem posting comments whatsoever, as there is no Captcha or complicated hoops to jump through – just a simple checkbox.
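The checkbox approach works because comment spambots usually post straight to wp-comments-post.php without loading the page or running its JavaScript. Here is an added example of that mechanism as a must-use plugin: it is illustrative code for this article, not the Comments Filter’s own implementation, and the field name and `example_` function names are assumptions. The checkbox is inserted by a small script rather than printed directly in the HTML, so a bot that merely parses the form never learns the field exists.

```php
<?php
/**
 * Plugin Name: Comment Checkbox Bot Filter (illustrative example)
 * Description: Added example of a JavaScript-inserted "I am not a spambot"
 *              checkbox; not the Shield Security / WordPress Simple Firewall
 *              code. Drop into wp-content/mu-plugins/ to load it.
 */

// Assumed form field name; chosen for the example.
const EXAMPLE_COMMENT_FIELD = 'example_human_check';

/**
 * Print an empty container after the comment form fields, then let a tiny
 * inline script fill in the checkbox. Browsers see a normal checkbox; bots
 * that post without running the page's JavaScript never send the field.
 */
function example_comment_checkbox_field() {
	?>
	<p id="example-human-check"></p>
	<script>
	(function () {
		var holder = document.getElementById('example-human-check');
		if (!holder) { return; }
		holder.innerHTML = '<label><input type="checkbox" name="<?php echo esc_attr( EXAMPLE_COMMENT_FIELD ); ?>" value="1"> '
			+ 'Confirm you are not a spambot</label>';
	})();
	</script>
	<?php
}
// Logged-out visitors get the standard fields; logged-in users get the
// alternative hook, so the checkbox appears for both.
add_action( 'comment_form_after_fields', 'example_comment_checkbox_field' );
add_action( 'comment_form_logged_in_after', 'example_comment_checkbox_field' );

/**
 * Reject a submission that lacks the field before WordPress stores it.
 * Pingbacks and trackbacks have no form, so they are left to other filters.
 *
 * @param array $commentdata Comment data about to be inserted.
 * @return array
 */
function example_comment_checkbox_check( $commentdata ) {
	$type = isset( $commentdata['comment_type'] ) ? $commentdata['comment_type'] : '';
	if ( '' !== $type && 'comment' !== $type ) {
		return $commentdata;
	}

	if ( empty( $_POST[ EXAMPLE_COMMENT_FIELD ] ) ) {
		wp_die(
			'Please tick the spambot checkbox before submitting your comment.',
			'Comment rejected',
			array( 'response' => 403, 'back_link' => true )
		);
	}

	return $commentdata;
}
add_filter( 'preprocess_comment', 'example_comment_checkbox_check' );
```

The check is deliberately placed on `preprocess_comment` rather than in the theme template so that it applies to every path that inserts a visitor comment through the normal form handler. Note that comments created over the REST API carry no form field and would be rejected by this version; a production filter should either whitelist authenticated REST requests or skip the check when `$_POST` is absent.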

Automatic Updates

Screenshot: WordPress Simple Firewall – Recommended Settings for Automatic Updates

WordPress Background/Automatic updates have no configuration options in the dashboard – this plugin lets you manage all aspects of them. For finer control of Automatic Updates at the plugin/theme level, check out the iControlWP Multiple WordPress Management system.

WordPress Lockdown

Screenshot: WordPress Simple Firewall – Recommended Settings for Lockdown

This should be used in conjunction with the WordPress Admin Access Restriction feature, since the lockdown settings can easily be changed without it.

Some plugins may have problems when you try to mask your WordPress version and you should take care when using this setting.
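For readers who want to see what the Lockdown and Automatic Updates sections above correspond to underneath, here is an added example built only from WordPress core constants and hooks. It is illustrative code for this article, not the plugin’s own implementation; the constants are conventionally placed in wp-config.php and are gathered here into one must-use plugin file purely so the example is a single drop-in. The `example-lockdown.php` file name is an assumption.

```php
<?php
/**
 * Plugin Name: Lockdown and Update Controls (illustrative example)
 * Description: Added example of the lockdown, version-masking and automatic
 *              update controls discussed above; not Shield Security /
 *              WordPress Simple Firewall code. Save as
 *              wp-content/mu-plugins/example-lockdown.php.
 */

// --- Lockdown: remove the in-browser plugin/theme file editor.
// With the editor available, anyone holding an admin session can write
// arbitrary PHP to the site. This constant hides the editor and denies the
// edit_plugins / edit_themes capabilities.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Stronger alternative, left commented out: also block installing and
// updating plugins and themes from the dashboard. Caveat: this disables the
// WordPress background/automatic updater entirely, so only use it where
// updates arrive by another channel (e.g. a deployment pipeline).
// if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
// 	define( 'DISALLOW_FILE_MODS', true );
// }

// --- Automatic updates: there is no settings screen, but core honours this
// constant. 'minor' (the default) takes security and maintenance releases
// only; true also takes major releases; false disables core auto-updates.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins and themes are not auto-updated by default; these filters opt
// every plugin and theme in. Return a callable of your own to be selective.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// --- Version masking: drop the WordPress version from the HTML <head> and
// from feeds. Only the public output is touched; get_bloginfo( 'version' )
// and $wp_version are left alone, which is why this form is unlikely to
// upset plugins that compare the version internally.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

Treat version masking as cosmetic hardening rather than a control: the version still appears in the `?ver=` query strings that core appends to its own scripts and stylesheets, and in readme.html at the site root, so keeping the site updated is what actually closes the window. If a plugin does misbehave after masking, it is usually one that renders its own generator tag or reads the removed meta tag, which is the incompatibility the note above warns about.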

Other Options for WordPress Security Plugins

If the WordPress Simple Firewall isn’t to your liking, you’ll want to try some other WordPress security plugins.

One size doesn’t fit all and it’s a matter of experimenting to find out what fits your use-case best.

Some other options are:

Part 3 – Another Essential Plugin for WordPress

Part 3 of this series will focus on another essential plugin for WordPress that you need regardless of what purpose your WordPress site serves.

If you have any comments on this article or WordPress security in general, please feel free to leave a comment below, or contact us via our help desk.

2 Comments

  • Jeff says:

    I’m moving some of my sites to your firewall, and so far, I’m finding it the best solution out there.

    I’d like to know what you suggest to complement your firewall for security?

    I’d also like to know what you think is the best caching plugin?

    The Best SEO plugin. And other best-of-class plugins.

    I like your approach to using only native functions and your thinking on the 80/20 rule.

    I don’t code myself, but I would like to know of other best-of-class plugins that you use on your own sites.

    Regards,

    Jeff

    • Paul G. says:

      Hi Jeff,

      Thanks for the great feedback Jeff – delighted to hear what you think of the plugin and that you find it’s serving you well.

      Part of the plan for this series, as I’ve done with the security plugin, is to list out the core, essential plugins that I recommend. In brief, to answer your questions here, for now at least I recommend:

      SEO: WordPress SEO plugin by Yoast

      Caching: W3 Total Cache (at least if you install this, activate the Browser caching section to ensure correct headers are used)

      WordPress Security: Apart from the WordPress Simple Firewall, I don’t use another WordPress security plugin or service… the only thing I use is CloudFlare:
      http://www.icontrolwp.com/2012/08/cloudflare-boost-wordpress-security-performance/

      One other notable plugin is “Redirection” and I use that to monitor 404s and also create redirects if I rename something or change anything.

      Also, in case this is something you’d be interested in, we’ll be creating a control panel for the Simple Firewall to manage your site directly from within iControlWP dashboard itself. Making bulk, network-wide management easier…

      I hope that helps!
      Thanks,
      Paul.


