We all know that WordPress is the most popular platform for websites and blogs in the world.
With millions of websites and blogs running WordPress, it is also a popular target, and that brings security threats.
The main source of security problems is the plugins and themes we install for various purposes.
Even though WordPress has its own security measures and ships regular updates, it is wise to tighten the security of the website a level further.
For this purpose there are hundreds of security plugins available in the WordPress plugin repository.
Choosing the best security plugin is an important step in developing a website.
In our personal experience we have come across a lot of security issues over time and have been able to tackle and defend against them.
Since WordPress is evolving every day, the security plugins are evolving too and are updated frequently with new features.
Out of the many security plugins, we recommend the "iThemes Security (formerly Better WP Security)" plugin, which does a fair job of securing your WordPress website.
iThemes Security Plugin:
This is the best WordPress security plugin considering the level of security and the features it offers.
The plugin comes in both free and Pro versions. The free version alone is very good and has many important security features.
The plugin has over 800,000 installs with a rating of 4.7 out of 5, which is a remarkable statistic considering its popularity.
iThemes Security provides 30 features; 21 of those come in the free version.
Its main features include:
- Notification emails about security issues.
- Locking out a user after too many invalid login attempts.
- Blocking specific IP addresses from accessing the site.
- Setting the maximum login attempts per user/host.
- Creating automatic database backups and emailing the SQL file to the admin email address.
- File permission settings.
- Hiding the admin URL.
- Forcing users to use strong passwords.
- Disabling XML-RPC.
- Changing the database table prefix.
- Disabling the file editor.
Main Security Threat:
The main security threat in WordPress is its admin login URL. The WordPress login page lives at www.domainname.com/wp-admin (which redirects to wp-login.php), and every attacker knows this.
By default the first registered user is the administrator, and its user ID is 1.
So anyone can find the admin username by requesting the site URL followed by "?author=1".
WordPress redirects that request to the author archive, /author/<username>/, which exposes the username in the URL (the archive slug is the user's nicename, which by default is the login name).
From there it is an easy job to try logging into the site with that username and random passwords on the admin login page.
These login attempts are made by bots, so hundreds of attempts arrive in a minute. The security plugin locks that user and host out of the site for too many invalid login attempts, and as a result the admin receives a site lockout notification email for each lockout. Receiving hundreds of site lockout notification emails is a frustrating experience for the admin.
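To show what the "max login attempts per user/host" feature described above does under the hood, here is an added example of a lockout mechanism built only on core WordPress hooks. It is not iThemes Security's code; the thresholds, the 15-minute window and the function and transient names are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Example login lockout (added example, not iThemes Security code)
 *
 * Counts failed logins per username and per client IP in transients and
 * refuses further attempts for a cool-down period once a threshold is hit.
 * Drop the file into wp-content/mu-plugins/ to load it as a must-use plugin.
 * Thresholds, window and key prefixes are assumptions for this example.
 */

const EXAMPLE_MAX_PER_USER = 5;    // failed attempts before a username is locked
const EXAMPLE_MAX_PER_HOST = 20;   // failed attempts before a client IP is locked
const EXAMPLE_LOCK_SECONDS = 900;  // 15-minute lockout window

function example_lockout_keys( $username ) {
    // REMOTE_ADDR is the proxy's address behind a CDN or reverse proxy;
    // use the proxy's forwarded-client header there instead of trusting this.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    // Transient names are length-limited; hash the inputs instead of embedding them.
    return array(
        'user' => 'ex_lock_u_' . md5( strtolower( (string) $username ) ),
        'host' => 'ex_lock_h_' . md5( $ip ),
    );
}

// Record each failed attempt. Core fires wp_login_failed from wp_authenticate(),
// which the wp-login.php form and the XML-RPC login path both go through,
// so guesses sent to xmlrpc.php are counted as well.
add_action( 'wp_login_failed', function ( $username ) {
    foreach ( example_lockout_keys( $username ) as $key ) {
        $count = (int) get_transient( $key );
        set_transient( $key, $count + 1, EXAMPLE_LOCK_SECONDS );
    }
} );

// Refuse authentication while either counter is at or over its threshold.
// Priority 30 runs after core's username/password check (priority 20), so a
// correct password still fails during the lockout window.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) {
        return $user;
    }
    $keys      = example_lockout_keys( $username );
    $user_hits = (int) get_transient( $keys['user'] );
    $host_hits = (int) get_transient( $keys['host'] );
    if ( $user_hits >= EXAMPLE_MAX_PER_USER || $host_hits >= EXAMPLE_MAX_PER_HOST ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 2 );

// Clear the counters on a successful login so a legitimate user who mistyped
// a few times is not penalised later in the window.
add_action( 'wp_login', function ( $user_login ) {
    foreach ( example_lockout_keys( $user_login ) as $key ) {
        delete_transient( $key );
    }
} );
```

Two design points worth noting: the per-host counter is what stops a bot from cycling through many usernames from one address, while the per-user counter is what stops a distributed botnet from hammering one account, and a lockout that sends one email per trigger is exactly how an admin ends up with the flood of notifications described above, so in practice you would batch or rate-limit those emails too.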
One solution to this problem is disabling the XML-RPC option on the iThemes Security settings page. Many of these bots target xmlrpc.php rather than wp-login.php, because the XML-RPC system.multicall method lets them pack hundreds of password guesses into a single request; closing it removes that channel, at the cost of features that depend on it, such as the WordPress mobile app and Jetpack.
The main solution is changing the admin login URL to a randomly generated slug so that no one can guess it. This option (Hide Backend) is also available on the iThemes Security settings page. Keep in mind that hiding the login page only cuts down the automated noise; if the slug leaks, the attacker is back to guessing passwords, so strong passwords and lockouts remain necessary.
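The two fixes above, plus the username enumeration they defend against, can be reproduced with core WordPress filters. The following is an added example of such a must-use plugin, not iThemes Security's code and not the plugin's settings; the plugin name and the generic error text are this example's own, and it does not attempt the "hide the login URL" step, which needs rewrite rules beyond these hooks.

```php
<?php
/**
 * Plugin Name: Example enumeration and XML-RPC hardening (added example, not iThemes Security code)
 *
 * Drop this file into wp-content/mu-plugins/ to load it as a must-use plugin.
 * Each block below uses a core WordPress hook; the closure bodies are this
 * example's own.
 */

// 1. Disable XML-RPC. Bots use xmlrpc.php (system.multicall) to pack many
//    credential guesses into one request, sidestepping per-request lockouts.
//    With this filter the endpoint still answers, but refuses to authenticate.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Belt and braces: also drop the multicall method in case another plugin
// re-enables XML-RPC for its own use (Jetpack and the mobile app need it).
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// 2. Block username enumeration via ?author=N. Core would redirect that query
//    to /author/<user_nicename>/, which by default equals the login name.
//    The is_admin() check leaves the post list's author filter working.
add_action( 'init', function () {
    if ( is_admin() ) {
        return;
    }
    $author = isset( $_GET['author'] ) ? (string) $_GET['author'] : '';
    if ( '' !== $author && preg_match( '/^\d+$/', $author ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// The REST API lists users who have published posts at /wp-json/wp/v2/users,
// which is the same information leak by another route. Remove those routes
// for visitors who are not logged in.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Replace the detailed login error (core distinguishes an unknown username
//    from a wrong password) with one generic message, so a failed guess does
//    not confirm which usernames exist.
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );
```

Check the result from outside the site: requesting /?author=1 should now land on the home page rather than /author/<name>/, and a POST to xmlrpc.php with a method that needs a login should be refused. Hiding the login slug on top of this removes most of the automated traffic, but the three controls above are what actually stop an attacker who already knows the URL.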