Whenever I get the dreaded message that someone’s site is hacked, I thank my security plugin. 🙂 Most hosts take care of security as well of course, but in the end it’s our own responsibility to make sure their efforts have effect.
The number of WordPress plugins I use is not big, although I don’t meet the recommended maximum of 5. Most of these plugins are free versions, but the one I am paying for – and with love – is iThemes.
Is internet security necessary?
The short answer is ‘yes’.
A longer answer is ‘yes, because each day 30.000 new websites are hacked’. A frightening number! Cybercrime will cost the world $6 trillion by 2021.
With my first WordPress blog I was one of the roughly 8% of WordPress users among HTML websites, Joomla, Drupal and other systems. Nowadays WordPress is used by over 35% of all websites. And criminals will always go for the big masses.
WordPress is open source, which means anybody can change it or add stuff. Still, you don’t have to be afraid of WordPress itself. The community of developers is a devoted, experienced group. They know what they are doing.
What is WordPress’s vulnerability?
Over 55.000 plugins are developed for WordPress, although not all are published. Every Jack or Jill can make a plugin and upload it to the WordPress Plugin Directory for others to use. 57% of those plugins never got a review. 98% of WordPress vulnerabilities are related to plugins.
Best practice for the use of plugins
- Only install plugins that significantly improve your website;
- Update to the latest version as soon as possible;
- If there are several plugins for the functionality you are looking for, then choose the most downloaded ones that are reviewed positively;
- Delete inactive plugins;
- Some plugins are only necessary for a limited time, delete them afterwards.
Plugins under attack
As said, criminals go for the big numbers, so unfortunately it’s not only the unknown, badly constructed plugins that have been under attack. A couple of very well-known plugins were victims as well.
The advantage of the big names is that they will resolve such issues quickly. But you can still suffer from it. It’s good to stay on guard yourself as well and not just leave it to others to take care of security.
According to Blogvault, vulnerable plugins are:
- Ultimate Member;
- Yoast SEO;
- Ninja Forms;
- NextGen Gallery;
- All-in-One SEO Pack;
- Contact form 7.
It amazed me that even plugins like WooCommerce and Yoast were considered vulnerable. And as I was using half of this list of plugins, I wasn’t too pleased to read this either, as you can imagine.
What do you think the most popular plugins are?
- Yoast SEO;
- Akismet, catches 5 million spam an hour;
- Contact form 7;
iThemes Security Pro
The elements of iThemes Security Pro I am most happy with are:
- WordPress Brute Force Protection: this limits the number of failed login attempts allowed per user. Whoever is trying to guess your password gets locked out after a few attempts;
- Strong Password Enforcement: this is useful, for instance, for a membership website where members set their own password;
- Lock Out Bad Users: bad users are kept away from your site if they have too many failed login attempts, if they generate too many 404 errors, or if they’re on a bot blacklist. That can be you as well if you forget your password, so make sure to whitelist your own IP address;
- Email Notifications, you get a message when someone gets locked out after too many failed login attempts or when a file on your site has been changed. You’ll know if your site is under attack when you get too many messages, as happened to one of my websites a couple of times.
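The lockout rules from the list above (too many failed logins, too many 404 errors, your own IP address whitelisted), as an added example that is not iThemes code: a Python script that applies those rules to web-server access-log lines. The thresholds, the sample log lines and the name `find_lockouts` are assumptions made for illustration.

```python
import re
from collections import Counter

MAX_FAILED_LOGINS = 3   # assumed threshold, for illustration only
MAX_404S = 4            # assumed threshold, for illustration only

# Combined Log Format prefix: ip ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def _line(ip, method, path, status):
    """Build one constructed access-log line."""
    return (f'{ip} - - [01/Mar/2020:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 4    # password guessing
    + [_line("198.51.100.23", "GET", f"/old-{i}.php", 404)
       for i in range(5)]                                       # many 404 errors
    + [_line("192.0.2.10", "POST", "/wp-login.php", 200)] * 4   # owner forgot password
    + [_line("192.0.2.55", "POST", "/wp-login.php", 200),
       _line("192.0.2.55", "POST", "/wp-login.php", 302)]       # one typo, then success
)

def find_lockouts(lines, whitelist=()):
    """Return {ip: reason} for every address that crosses a threshold."""
    failed, not_found = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        if ip in whitelist:
            continue  # whitelisted addresses are never locked out
        # By default WordPress answers a failed login POST with 200 (the form
        # is shown again) and a successful one with a 302 redirect.
        if method == "POST" and path.startswith("/wp-login.php") and status == "200":
            failed[ip] += 1
        elif status == "404":
            not_found[ip] += 1
    lockouts = {ip: "failed logins" for ip, n in failed.items()
                if n > MAX_FAILED_LOGINS}
    for ip, n in not_found.items():
        if n > MAX_404S:
            lockouts.setdefault(ip, "404 errors")
    return lockouts

if __name__ == "__main__":
    print(find_lockouts(SAMPLE_LOG, whitelist={"192.0.2.10"}))
```

Without the whitelist entry, the site owner at 192.0.2.10 is locked out together with the password guesser, which is the situation the whitelist advice avoids.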
My husband and I have 5 websites all together. I am the webmaster of both my own websites and his. iThemes Sync sends me an email whenever WordPress core, plugins or themes need to be updated.
It requires no more than opening the link in that email and pressing a button. It saves a lot of work, and it makes sure I always have the latest versions.
And it warns if the SSL certificate of a website is (almost) out-of-date.
Have you ever ‘done something’ on your website and ended with a mess? Not exactly sure what you did and certainly not sure how to solve it? Well, I did. On numerous occasions. That’s when the automatically made backups saved me. Or rather, saved my website. 🙂
Either I have learned a lot since, or WordPress and the plugins improved: I am happy that most of my backups nowadays are made in vain. It’s like insurance, you pay and hope you will never need it.
Most web hosting companies will back up your website. Sometimes automatically. Sometimes you have to change the settings yourself to make sure a backup is made.
So why a plugin of your own as well? It might be clear I want to be as independent as possible. With iThemes BackupBuddy I always have the availability of the backups at the time I want. I don’t have to wait for any help desk.
The automatic schedules can be set to several options. A full backup will take care of every post, page, comment, file, etc., but does not need to run every day. A database backup, on the other hand, can be set to run daily or twice daily, depending on how often changes are made to the website.
The backups can be emailed to you or sent to off-site storage destinations.
However, if your web host has restricted the cron job of WordPress (cron is a time-based job scheduler), the automatic process is either complicated or impossible.
Is iThemes the only security plugin? Of course not. Other plugins do the job and some of them no doubt just as well. But I have had iThemes for a decade, I am satisfied with the way the helpdesk solves issues and the plugin does the job perfectly.
Do you have a security plugin on your website? Tell me in the comment box.