I recently started to notice a pattern.
Occasionally I like to read what web blogs are publishing about WordPress Security.
It’s almost as if I am searching for something that I may have overlooked. But it’s not an obsession; it’s more of a keeping-up-to-date thing. Is there something new going on, something that I should tell my tribe?
I often said that security isn’t an absolute.
Every person who tells you to make sure to apply security standards to your WordPress website is right in making this statement.
But what should be done and how to do it, is not always clear to everyone.
There are a lot of steps to take, possibly. But that makes it also very confusing. The diversity of tasks that are recommended in all these online sources makes it pretty easy to get overwhelmed. And when people get overwhelmed, it’s just natural that they don’t do anything about the issue at all.
So, when I read the hundredth article about the same, same, same … I noticed the pattern.
The pattern is:
Throwing a hundred tasks at someone – left, right, left, right – and not providing a map of how everything fits together … is a recipe for overwhelm.
Let’s say there are 101 tasks you need to do to achieve a certain level of security in your WordPress application.
If you did only twenty of them, you’d feel you had done something to ease your bad conscience. But in your subconscious, there is this thought lurking around that maybe twenty isn’t enough.
If you had done fifty, you would feel a bit better. But in your subconscious, you’d always know it is not enough. This nagging feeling may never completely disappear.
I have another idea.
A CHANGE IN PERSPECTIVE.
Thinking Security in Layers
Instead of having a battle with negative emotions and resulting emotional distress, let’s relax for a moment.
And I want to bring in some structure on how to approach WordPress security.
I suggest thinking of security as a layered concept, and categorizing the tasks into these three layers:
Layer 1 – PROTECTION
Layer 2 – DETECTION
Layer 3 – AUDIT
The layer of protection should obviously prevent hacks from happening.
The layer of detection should detect hacks that have already happened.
The layer of audit should actively monitor a website’s activity, and raise an alarm if a suspicious activity is about to happen.
Using Plugins in a Layered WordPress Security Setup
Those 101 tasks are a made-up number; I didn’t count them.
But I know for sure there are many steps to take to tighten security in WordPress.
Luckily, there are plugins that support you in this matter. But now you need to find out which one is best for you. You may find yourself asking:
- Is one security plugin enough?
- Or, should you play safe and choose, let’s say, ten?
- Are free ones ok, or do you have to buy a premium version?
- And which one should you choose?
The security plugins in the WordPress ecosystem vary widely in quality. But the sheer amount of plugins available makes it difficult to find the perfect candidate. Of the almost 50’000 free plugins available in the WordPress Plugin Directory, as of today, there are 4’116 plugins with the keyword ‘security’.
If you want to apply this layered security approach when choosing a WordPress security plugin, you have to know upfront which security plugin belongs to which category. That’s perhaps the biggest roadblock at this stage. You need a certain overview of the necessary tasks and a certain idea of what each plugin is capable of doing, to satisfy your website’s security demands.
As desperate as this might look for a novice right now, I can assure you there is a good way to follow through.
The truth is, there isn’t a single solution that is true and valid for everyone out there.
It would be super-convenient if there were one. But every website setup is somewhat different and requires different settings.
… is not a 100% solution. Protection is great for the known issues, and not so great for the unknown issues.
While you may have confidence in a plugin that protects your website, you still want to have a mechanism available that detects anything that gets past your perimeter defense.
Through some basic administration, you can achieve greater success in identifying, thwarting or responding to a compromise.
Not all WordPress Security Plugins are made Equal
I said before that there are more than 4’000 free plugins with the keyword ‘security’ available. Now it is your task to filter them out.
The first thing you want to do is to run a basic quality check on each candidate that you consider using.
There are two basic things you want to keep in mind:
#1: A plugin needs to get regularly updated.
Lots of plugins are abandoned by their developers over time, which means no more updates to patch any holes that are discovered. Out-of-date plugins are a prime gateway for hackers to take over a website.
#2: Use the wisdom of the crowd.
This huge number of plugins (and growing) doesn’t allow WordPress to make quality checks on them. While many plugins might be great at what they are doing, a good percentage of plugins is made up of code that is littered with security holes.
Of course, a user doesn’t know that. An average user cannot verify whether or not a plugin is coded securely.
We all have to trust that the plugin developer knew what they were doing. But experience shows that this is not always the case.
For this reason, you need to rely on other users. You will have to keep an eye on how many installs a plugin has, and what its reviews look like.
These are the first two things to be aware of. And this is true for all plugins, not just WordPress security plugins.
Let me illustrate that by an example:
This plugin is a security plugin, and it comes with the promising name “WP Smart Security”.
I placed the DO NOT TOUCH prominently, so let me explain why it raised a red flag for me:
- It has 700+ active installs. – Only.
- It has one 5-star review. – Only. Is it absurd to assume that this rating was given by the developer themselves?
- It was last updated 8 months ago. – For a security plugin, that’s an eternity.
- And it wasn’t up-to-date with the current WordPress version (on the day I made the image).
You know, I am not saying this security plugin is bad.
I haven’t installed it and tested it, so I cannot make this kind of judgment. However, it fails the two basic quality guidelines for WordPress plugins, and that’s why it doesn’t get a chance to be installed on my website.
By the way it presents itself to the world, I’d rather not use it.
Note: I made this picture a while ago. But when I checked back while writing this post, it had last been updated more than a year ago, and had 4’000+ installs. But still only one 5-star review. Hm. 🙁
I think you get the idea.
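As an added example (not code from the original post), here is a small script that applies the two quality checks above, plus the "tested up to" check from the illustration, to plugin metadata in the shape of the WordPress.org plugin-info API. The field names, the thresholds and the sample record are assumptions chosen for this illustration, not data about any real plugin.

```python
"""Apply the post's plugin quality checks to metadata shaped like the
WordPress.org plugin-info API (api.wordpress.org/plugins/info/1.0/<slug>.json).
Field names and thresholds are assumptions for this illustration."""
from datetime import date, datetime

# Thresholds are an assumption: the post calls 8 months without an update
# "an eternity" and 700 installs / one review "only".
MAX_AGE_DAYS = 180       # roughly six months
MIN_INSTALLS = 10_000
MIN_RATINGS = 20


def parse_last_updated(value: str) -> date:
    """The API reports e.g. '2019-03-02 4:15pm GMT'; only the date part matters."""
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def version_tuple(v: str) -> tuple:
    """Compare on major.minor only: a plugin tested on 5.0 counts for 5.0.x."""
    return tuple(int(p) for p in v.split(".")[:2] if p.isdigit())


def quality_flags(info: dict, today: date, wp_version: str) -> list:
    """Return the red flags a plugin record raises; an empty list passes."""
    flags = []
    age = (today - parse_last_updated(info["last_updated"])).days
    if age > MAX_AGE_DAYS:
        flags.append(f"stale: last updated {age} days ago")
    # 'tested' is the highest WordPress version the author declares support for.
    tested = info.get("tested", "0")
    if version_tuple(tested) < version_tuple(wp_version):
        flags.append(f"not tested with WordPress {wp_version} (tested up to {tested})")
    if info.get("active_installs", 0) < MIN_INSTALLS:
        flags.append(f"few installs: {info.get('active_installs', 0)}")
    if info.get("num_ratings", 0) < MIN_RATINGS:
        flags.append(f"few reviews: {info.get('num_ratings', 0)}")
    return flags


# Constructed sample resembling the "DO NOT TOUCH" case from the post.
SAMPLE = {
    "slug": "example-smart-security",   # placeholder slug, not a real plugin
    "last_updated": "2018-06-01 9:02am GMT",
    "active_installs": 700,
    "num_ratings": 1,
    "tested": "4.9.4",
}

if __name__ == "__main__":
    for flag in quality_flags(SAMPLE, date(2019, 2, 1), "5.0.3"):
        print("DO NOT TOUCH:", flag)
```

To check a real plugin, fetch the API JSON for its slug and pass the parsed dict in place of SAMPLE.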
When it comes to choosing a plugin in WordPress, there are some general considerations.
And when choosing a WordPress Security Plugin, these general considerations need to be applied as well, of course.
With regard to the layered security concept: you will have to dig a little deeper and find out how to categorize a security plugin so that you can come up with a structure for your website’s security.
In a moment, I am going to show you how the most popular security plugins fit into each category. But in general, these are the questions you will have to ask yourself when evaluating a security plugin:
- Does it attempt to prevent hacking attacks by closing commonly known security holes?
- Does it detect successful hacks?
- Or does it audit what’s going on with your website?
- Or does it have features from all categories, and is more of a utility plugin?
The big players in the WordPress Security Plugin market are well-acknowledged for what they do. I am using all of them myself, so I can recommend them. Here’s how they fit into the categories:
All three plugins come as a free and premium version.
I consider them a good base.
Even if you don’t want to pay for their premium features, you are already in good hands with their free version.
They allow you to set a strong foundation for a solid security strategy.
With that said, you have something to think about. WordPress security is not something you can tick off in an afternoon’s session. There’s a bit of commitment needed.
And I want to help you to get into this vibe with the free email course I have just launched.
The 5 Day WordPress Security Challenge takes you on a journey that’s a bit off the mainstream road.
Well, not completely. But it’s not one of the standard courses or statements you’ll find in almost every small biz weblog.
For instance, I will show you how to configure a security plugin. When ticking a box here or there, we need to understand the consequences. And I will help you with that. But it’s more than that.
I have carefully picked the content of this course, and I am making it available for free to you. All you need to do is join the challenge, and you will be able to start the very next day with lesson 1.