Whenever I get the dreaded message that someone’s site is hacked, I thank my security plugin. 🙂 Most hosts take care of security as well of course, but in the end, it’s our own responsibility to make sure their efforts have effect.
The number of WordPress plugins I use is not big, although I don’t meet the recommended maximum of 5. Most of these plugins are free versions, but the one I am paying for – and with love – is SolidWP (formerly iThemes).
Some of the links are affiliate links. As an affiliate associate, I earn a small commission when you purchase any of the products offered through the shared links at no extra cost to you. This helps me to maintain this website and I thank you for supporting me.
Table of Contents
The best WordPress security plugin
In my opinion, SolidWP Security Pro is the best WordPress security plugin. I also use SolidWP Sync and SolidWP BackupBuddy. And especially that last one has saved me on several occasions.
Is internet security necessary?
The short answer is ‘yes’.
A longer answer is ‘yes because each day 30.000 new websites are hacked’. A frightening number! Cybercrime will cost the world $6 trillion by 2021.
When I started my first WordPress blog, I was 1 of about 8% of WordPress users among HTML websites, Joomla, Drupal and other systems. Nowadays WordPress is used by over 43% of all websites. And criminals will always go for the big masses.
WordPress is open source, which means anybody can change it or add stuff. Still, you don’t have to be afraid of WordPress itself. The community of developers is a devoted, experienced group. They know what they are doing.
What is WordPress’s vulnerability?
Over 55.000 plugins are developed for WordPress, although not all are published. Every Jack or Jill can make a plugin and upload it to the WordPress Plugin Directory for others to use. 57% of those plugins never got a review. 98% of WordPress vulnerabilities are related to plugins.
Best practice for the use of plugins
- Only install plugins that significantly improve your website;
- Update to the latest version as soon as possible;
- If there are several plugins for the functionality you are looking for, then choose the most downloaded ones that are reviewed positively;
- Delete inactive plugins;
- Some plugins are only necessary for a limited time, delete them afterwards.
Plugins under attack
As said, criminals go for the big numbers, so unfortunately it’s not only the unknown, badly constructed plugins that have been under attack. A couple of very well-known plugins were victims as well.
The advantage of the big names is that they will resolve such issues quickly. But you can still suffer from it. It’s good to stay on guard yourself as well and not just leave it to others to take care of security.
According to Blogvault vulnerable plugins are:
- Yoast SEO;
- SEOPress;
- WooCommerce;
- W3Total Cache;
- Elementor;
- WP Statistics;
- Ninja Forms;
- NextGen Gallery;
- Contact form 7;
- WordFence.
It amazed me that even plugins like WooCommerce and Yoast are considered vulnerable. And as I was using half of this list of plugins, I wasn’t too pleased to read this either, as you can imagine.
Check the list of vulnerable plugins regularly and take the appropriate precautions in time.
Fun fact:
What do you think the most used plugins are?
- Yoast SEO;
- Akismet, catches 5 million spam an hour;
- Jetpack;
- Contact form 7;
- WooCommerce.
SolidWP Security Pro
The elements of SolidWP Security Pro I am most happy with are:
- WordPress Brute Force Protection, which limits the number of failed login attempts allowed per user. Whoever is trying to guess your password, they’ll get locked out after a few attempts;
- Strong Password Enforcement, this is for instance useful for a membership website where members set their own password;
- Lock Out Bad Users, bad users are kept away from your site if they have too many failed login attempts, if they generate too many 404 errors, or if they’re on a bot blacklist. It can be you, if you forgot your password as well, so make sure to whitelist your own IP address;
- Email Notifications, you get a message when someone gets locked out after too many failed login attempts or when a file on your site has been changed. You’ll know if your site is under attack when you get too many messages, as happened to one of my websites a couple of times.
SolidWP Sync
My husband and I have 4 websites altogether. I am the webmaster of both my own websites and his.
SolidWP Sync, which is part of SolidWP Security, sends me an email whenever WordPress core, plugins or themes need to be updated.
It requires no more than opening the link in that email and pressing a button. It saves a lot of work, and it makes sure I always have the latest versions.
And it warns if the SSL certificate of a website is (almost) out-of-date.
SolidWP BackupBuddy
Have you ever ‘done something’ on your website and ended up with a mess? Are you not exactly sure what you did and certainly not sure how to solve it? Well, I did, and on numerous occasions. That’s when the automatically made backups saved me. Or rather, saved my website. 🙂
Either I have learned a lot since, or WordPress and the plugins improved: I am happy that most of my backups nowadays are made in vain. It’s like insurance, you pay and hope you will never need it.
Most web hosting companies will back up your website. Sometimes automatically. Sometimes you have to change the settings yourself to make sure a backup is made.
So why a plugin of your own as well? It might be clear I want to be as independent as possible. With SolidWP BackupBuddy I always have the availability of the backups at the time I want. I don’t have to wait for any help desk.
The automatic schedules can be set to several options. A full backup will take care of every post, page, comment, file, etc., but is not needed to run every day. Where a database backup can be set to run daily or twice daily, depending on how often changes are made to the website.
The backups can be emailed to you or sent to off-site storage destinations.
However, if your web host has restricted the cronjob of WordPress (cron is a time-based job scheduler) the automatic process is either complicated or impossible.
Final words
Is SolidWP the only security plugin? Of course not. Other plugins do the job and some of them no doubt just as good. But I have had SolidWP for a decade, and I am satisfied with the way the helpdesk solves issues and the plugin does the job perfectly.
Do you have a security plugin on your website? Tell me in the comment box.
Hi Hannie,
Oh wow, this article opened my eyes. Of course, I’m aware that hackers could try to be maliciously attacking my site. But it is not something that I always think about. But after reading your article, I realize that I need to seriously consider doing something to protect my site even further. So thank you for this article. This plugin sounds like a great one. I will be looking deeper into it.
You wouldn’t have a life, if you had to think about everything that could happen all the time, Amanda. But we should indeed look into it at times and do whatever possible to make sure our website is secure.
Take care. 🙂
Very interesting article and now I am checking our system. We have two websites and my husband serves as webmaster for both. I concentrate on writing. I am the sole writer for my site and tend to write one article a week for his. Your article has me wondering about our security now, I will certainly be asking him about it. Thanks.
Well, Deb, I am sure, Richard has taken good care of it. And on the off chance he hasn’t, let him read this article! I have read a distressing post on our WA forum (hence the inspiration for this blog) of someone who was hacked, so we really need to take care of security and backup ourselves as well, not just leave it to the host.
I think iThemes sounds like a great plugin. What is the cost? Do the other 2 plugins come with the first one? or are they separate?
On another topic, I can’t believe the plugins under attack! So sad! I have several of those listed! I might need to rethink them I guess!
Hi Brianna, I didn’t include the prices, because they depend on the number of sites you will want to use them on.
There is a Suite that combines the plugins. For me that has too many parts that I won’t use, that’s why I have them separately.
I agree it’s really sad that plugins are attacked. As soon as you rethink your used plugins, you’ll find out other plugins come under attack as well. So you might not go that far, just be aware that it can happen. The really good plugins will make sure they solve any problems as soon as they can. Make sure you have backups. And not only a recent one, but some that are older as well. Because if you don’t know when the infection took place, yesterday’s backup can be as worthless as the present installation.
Hi Hannie,
This is brilliant.
I’m definitely bookmarking this particular post (your website is bookmarked already anyway), as I’ve learned quite a few things, many of which I have taken for granted over the years.
The list of the most vulnerable plugins surprised me, although it actually makes sense, as many of them are deemed as some of the most popular WP plugins (at this moment in time I only use one of them).
I was obviously aware of security issues and hacking, but some of the figures you have quoted are quite extraordinary. I’m truly shocked by just how much of this goes on.
I must admit my own best practice for plugins pretty much mirrors your own, so (touch wood) I’ve been lucky so far.
With that said, I have complete faith in you and would always look into your recommendations, so I’m going to have a play around with iThemes on my dummy/practice site (we should all have one of these) and see what I think.
Thanks
Partha
Oh Partha, I am honored that you bookmarked my website. That’s marvelous!
Yes, those numbers are awful, aren’t they. I get so sick and tired of people who do their utmost to ruin things. Why not give all that energy to do something positive? They’re often quite creative, so I don’t understand that need to destruct. And obviously they go after the most popular plugins. As long as we are aware of the phenomenon and have taken our precautions, we’re good, I guess.
And you’re right about the dummy site. Although this can also pose a vulnarability, because we might tend to give less attention to a site that has no full function. Or do you have it on your computer, offline?