How to Reset a WordPress Password from phpMyAdmin


Do you want to reset your WordPress password using phpMyAdmin? If you are unable to reset your WordPress password, then there is a way to reset it directly in your WordPress database using phpMyAdmin. In this article, we will show you how to easily reset a WordPress password from phpMyAdmin.

Reset your WordPress password from phpMyAdmin

Why Reset WordPress Password from phpMyAdmin

WordPress makes it super easy to reset your password. You can simply go to the login screen and click on the ‘Lost your password’ link.

Recovering lost password in WordPress

Clicking on it takes you to the password reset page, where you can enter your username or email address to reset the password. After that, WordPress sends a password reset link to the email address associated with that user account. For more details, see our guide on how to recover a lost password in WordPress.

However, if you don’t have access to the email address, or your WordPress site fails to send an email, then you will not be able to reset your password.

In such a situation, you will need to reset your WordPress password directly in the database. The easiest way to do that is by using phpMyAdmin.

Having said that, let’s see how you can easily reset a WordPress password from phpMyAdmin.

How to Reset a WordPress Password From phpMyAdmin

If you don’t want to watch the video tutorial, then you can continue reading the text version below:

First you need to login to the cPanel dashboard of your WordPress hosting account. Next, you need to click on the phpMyAdmin icon under the database section.

phpMyAdmin in cPanel

This will launch the phpMyAdmin app where you need to select your WordPress database.

Select your WordPress database

You will now see the list of tables in your WordPress database. Now you need to look for the ‘{table-prefix}_users’ table in this list and click on the ‘Browse’ link next to it.

Browse users table in phpMyAdmin

Note: Table names in your WordPress database may have a different table prefix than the one we are showing in our screenshot.

You will now see the rows in your WordPress users table. Go ahead and click on the edit button next to the username where you want to change the password.

Editing user in phpMyAdmin

phpMyAdmin will show you a form with all the user information fields.

You will need to delete the value in the user_pass field and replace it with your new password. Under the Function column, select MD5 from the drop down menu and click on the Go button.

Change your password

Your password will be hashed with MD5, and the resulting hash will be stored in the database.

Congratulations! You have successfully changed your WordPress password using phpMyAdmin.

Now some of you may be wondering why we selected the MD5 function for the password.

In older versions, WordPress stored passwords as plain MD5 hashes. Since WordPress 2.5, it has used a stronger password hashing scheme. However, WordPress still recognizes MD5 hashes to provide backward compatibility.

As soon as you log in using a password stored as an MD5 hash, WordPress recognizes the legacy format and rehashes the password with the newer algorithm.
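The reset and the rehash-on-login described above, modelled in Python as an added example (this is not WordPress's own code). It assumes PBKDF2-HMAC-SHA256 as a stand-in for WordPress's newer hashing scheme, and the user rows are constructed; the audit function lists accounts whose user_pass is still a bare MD5 hash, i.e. reset by hand but not logged in since.

```python
import hashlib
import hmac
import os
import re

# A bare MD5 digest, as phpMyAdmin's MD5 function stores it: 32 lowercase hex characters.
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")

# Stand-in for WordPress's newer scheme. Assumption: PBKDF2-HMAC-SHA256 with a random
# salt, chosen here for illustration; it is not WordPress's own hashing code.
PBKDF2_ROUNDS = 100_000


def phpmyadmin_md5(password):
    """The value phpMyAdmin writes into user_pass when MD5 is picked in the Function column."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def is_legacy_md5(stored):
    """True when user_pass is a bare MD5 hash rather than an upgraded one."""
    return bool(LEGACY_MD5.match(stored))


def strong_hash(password, salt=None):
    """Upgraded hash in the form $pbkdf2$<salt hex>$<digest hex> (illustrative format)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "$pbkdf2$%s$%s" % (salt.hex(), dk.hex())


def verify_strong(stored, password):
    """Check a password against an upgraded hash, comparing in constant time."""
    try:
        _, scheme, salt_hex, dk_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def check_password(stored, password):
    """Login check that mirrors the behaviour described above.

    Returns (ok, new_stored). When user_pass holds a legacy MD5 hash and the password
    matches, new_stored is the upgraded hash that should replace it in the database;
    otherwise the stored value is returned unchanged.
    """
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(stored, phpmyadmin_md5(password))
        return ok, (strong_hash(password) if ok else stored)
    return verify_strong(stored, password), stored


def accounts_still_on_md5(rows):
    """Logins whose user_pass is still a bare MD5 hash: reset by hand, not yet logged in.
    Rows are (user_login, user_pass) pairs as read from the users table."""
    return [login for login, stored in rows if is_legacy_md5(stored)]


# Constructed sample rows (not real data): 'admin' was just reset through phpMyAdmin.
SAMPLE_USERS = [
    ("admin", phpmyadmin_md5("password")),
    ("editor", strong_hash("editor-passphrase", salt=b"\x01" * 16)),
]

if __name__ == "__main__":
    print("still on MD5:", accounts_still_on_md5(SAMPLE_USERS))
    ok, upgraded = check_password(SAMPLE_USERS[0][1], "password")
    print("admin login ok:", ok, "upgraded hash prefix:", upgraded[:8])
```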

We hope this article helped you learn how to reset a WordPress password from phpMyAdmin. You may also want to see our ultimate step by step WordPress security guide to keep your WordPress site safe.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post How to Reset a WordPress Password from phpMyAdmin appeared first on WPBeginner.

14 Vital Tips to Protect Your WordPress Admin Area (Updated)


Are you seeing a lot of attacks on your WordPress admin area? Protecting the admin area from unauthorized access allows you to block many common security threats. In this article, we will show you some of the vital tips and hacks to protect your WordPress admin area.

Tips and hacks to protect WordPress admin area

1. Use a Website Application Firewall

A web application firewall (WAF) monitors website traffic and blocks suspicious requests before they reach your website.

While there are several WordPress firewall plugins out there, we recommend using Sucuri. It is a website security and monitoring service that offers a cloud based WAF to protect your website.

Website Application Firewall

All your website’s traffic goes through their cloud proxy first, where they analyze each request and block suspicious ones from ever reaching your website. It prevents your website from possible hacking attempts, phishing, malware and other malicious activities.

For more details, see how Sucuri helped us block 450,000 attacks in one month.

2. Password Protect WordPress Admin Directory

Your WordPress admin area is already protected by your WordPress password. However, adding password protection to your WordPress admin directory adds another layer of security to your website.

First, log in to your WordPress hosting cPanel dashboard and then click on the ‘Password Protect Directories’ or ‘Directory Privacy’ icon.

Directory privacy

Next, you will need to select your wp-admin folder, which is normally located inside the /public_html/ directory.

On the next screen, you need to check the box next to the ‘Password protect this directory’ option and provide a name for the protected directory.

After that, click on the save button to set the permissions.

Password protect directory settings

Next, you need to hit the back button and then create a user. You will be asked to provide a username / password and then click on the save button.

Now when someone tries to visit the WordPress admin or wp-admin directory on your website, they will be asked to enter the username and password.

Enter password

For more detailed instructions, see our guide on how to password protect WordPress admin (wp-admin) directory.

3. Always Use Strong Passwords

Always use strong passwords

Always use strong passwords for all your online accounts including your WordPress site. We recommend using a combination of letters, numbers, and special characters in your passwords. This makes it harder for hackers to guess your password.

We are often asked by beginners how to remember all those passwords. The simplest answer is that you don’t need to. There are some really great password manager apps that you can install on your computer and phones.

For more information on this topic, see our guide on the best way to manage passwords for WordPress beginners.

4. Add Two Step Verification to the WordPress Login Screen

WordPress login screen with Google Authenticator enabled

Two step verification adds another security layer to your passwords. Instead of using the password alone, it asks you to enter a verification code generated by the Google Authenticator app on your phone.

Even if someone is able to guess your WordPress password, they will still need the Google Authenticator code to get in.

For detailed step by step instructions, see our guide on how to set up 2-step verification in WordPress using Google Authenticator.

5. Limit Login Attempts

Limit login attempts

By default, WordPress allows users to enter passwords as many times as they want. This means someone can keep trying to guess your WordPress password by entering different combinations. It also allows hackers to use automated scripts to crack passwords.

To fix this, you need to install and activate the Login LockDown plugin. Upon activation, visit the Settings » Login LockDown page to configure the plugin settings.

For detailed instructions, see our guide on why you should limit login attempts in WordPress.

6. Limit Login Access to IP Addresses

Another great way to secure WordPress login is by limiting access to specific IP addresses. This tip is particularly useful if you or just a few trusted users need access to the admin area.

Simply add this code to your .htaccess file.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
</LIMIT>

Don’t forget to replace the xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.

For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.

7. Disable Login Hints

Disabled login hints

On a failed login attempt, WordPress shows an error that tells users whether it was the username or the password that was incorrect. These login hints can be used by someone for malicious attempts.

You can easily hide these login hints by adding this code to your theme’s functions.php file or a site-specific plugin.

function no_wordpress_errors(){
  return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

8. Require Users to Use Strong Passwords

If you run a multi-author WordPress site, then those users can edit their profile and use a weak password. These passwords can be cracked and give someone access to the WordPress admin area.

To fix this, you can install and activate the Force Strong Passwords plugin. It works out of the box, and there are no settings for you to configure. Once activated, it will stop users from saving weaker passwords.

It will not check password strength for existing user accounts. If a user is already using a weak password, then they will be able to continue using their password.

9. Reset Password for All Users

Concerned about password security on your multi-user WordPress site? You can easily ask all your users to reset their passwords.

First, you need to install and activate the Emergency Password Reset plugin. Upon activation, visit the Users » Emergency Password Reset page and click on the ‘Reset All Passwords’ button.

Reset all passwords

For detailed instructions, see our guide on how to reset passwords for all users in WordPress.

10. Keep WordPress Updated

WordPress often releases new versions of the software. Each new release of WordPress contains important bug fixes, new features, and security fixes.

Using an older version of WordPress on your site leaves you open to known exploits and potential vulnerabilities. To fix this, you need to make sure that you are using the latest version of WordPress. For more on this topic, see our guide on why you should always use the latest version of WordPress.

Similarly, WordPress plugins are also often updated to introduce new features or fix security and other issues. Make sure your WordPress plugins are also up to date.

11. Create Custom Login and Registration Pages

Many WordPress sites require users to register. For example, membership sites, learning management sites, or online stores need users to create an account.

However, these users can use their accounts to log into the WordPress admin area. This is not a big issue, as they will only be able to do things allowed by their user role and capabilities. However, it stops you from properly limiting access to the login and registration pages, as you need those pages for users to sign up, manage their profile, and log in.

The easy way to fix this is by creating custom login and registration pages, so that users can sign up and log in directly from your website.

For detailed step by step instructions, see our guide on how to create custom login and registration pages in WordPress.

12. Learn About WordPress User Roles and Permissions

WordPress comes with a powerful user management system with different user roles and capabilities. When adding a new user to your WordPress site you can select a user role for them. This user role defines what they can do on your WordPress site.

Assigning an incorrect user role can give people more capabilities than they need. To avoid this, you need to understand what capabilities come with the different user roles in WordPress. For more on this topic, see our beginner’s guide to WordPress user roles and permissions.

13. Limit Dashboard Access

Some WordPress sites have certain users who need access to the dashboard and some users who don’t. However, by default they can all access the admin area.

To fix this, you need to install and activate the Remove Dashboard Access plugin. Upon activation, go to the Settings » Dashboard Access page and select which user roles will have access to the admin area on your site.

For more detailed instructions, see our guide on how to limit dashboard access in WordPress.

14. Log out Idle Users

Idle user logout

WordPress does not automatically log out users until they explicitly log out or close their browser window. This can be a concern for WordPress sites with sensitive information. That’s why financial institution websites and apps automatically log out users if they haven’t been active.

To fix this, you can install and activate the Idle User Logout plugin. Upon activation, go to Settings » Idle User Logout page and enter the time after which you want users to be automatically logged out.

For more details, see our article on how to automatically log out idle users in WordPress.

We hope this article helped you learn some new tips and hacks to protect your WordPress admin area. You may also want to see our ultimate step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post 14 Vital Tips to Protect Your WordPress Admin Area (Updated) appeared first on WPBeginner.

5 Best WordPress Firewall Plugins Compared


Are you looking for the best WordPress firewall plugin for your website? WordPress firewall plugins protect your website against hacking, brute force and distributed denial of service (DDoS) attacks. In this article, we will compare the best WordPress firewall plugins, and how they stack up against each other.

Best WordPress firewall plugins compared

What is a WordPress Firewall Plugin?

A WordPress firewall plugin (also known as a web application firewall or WAF) acts as a shield between your website and all incoming traffic. These web application firewalls monitor your website traffic and block many common security threats before they reach your WordPress site.

Aside from significantly improving your WordPress security, often these web application firewalls also speed up your website and boost performance.

There are two common types of WordPress firewall plugins available.

DNS Level Website Firewall – These firewalls route your website traffic through their cloud proxy servers. This allows them to send only genuine traffic to your web server.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before most WordPress scripts load. This method is not as efficient as a DNS level firewall at reducing the server load.

We recommend using a DNS level firewall because they are exceptionally good at identifying genuine website traffic vs bad requests.

They do that by tracking thousands of websites, comparing trends, looking for botnets, known bad IPs, and blocking traffic to pages that your users would normally never request.

Not to mention, DNS level website firewalls significantly reduce the load on your WordPress hosting server which makes sure that your website does not go down.

Having said that, let’s take a look at the best WordPress firewall plugins that you can use to protect your website.

1. Sucuri

Sucuri

Sucuri is the leading website security company for WordPress. They offer DNS level firewall, intrusion and brute force prevention, as well as malware and blacklist removal services.

All your website traffic goes through their cloudproxy servers where each request is scanned. Legitimate traffic is allowed to pass through, and all malicious requests are blocked.

Sucuri also improves your website’s performance by reducing server load through caching optimization, website acceleration, and an Anycast CDN (all included). It protects your website against SQL injections, XSS, RCE, RFU, and other known attacks.

Setting up their WAF is quite easy. You will need to add a DNS A record for your domain and point it to Sucuri’s cloudproxy instead of your website.

At WPBeginner, we use Sucuri to improve our WordPress security. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

Pricing: Starting from $199.99/year billed annually.

Grade: A+

2. Cloudflare

Cloudflare

Cloudflare is best known for their free CDN service, which includes basic DDoS protection as well. However, their free plan doesn’t include a web application firewall. For the WAF you will need to sign up for their Pro plan.

Cloudflare is also a DNS level firewall which means your traffic goes through their network. This improves performance of your website and reduces downtime in case of unusually high traffic.

The Pro plan only includes DDoS protection against layer 3 attacks. For protection against advanced DDoS layer 5 and 7 attacks, you will need at least their business plan.

Cloudflare has its pros, which include CDN, caching, and a larger network of servers. The downside is that they do not offer application level security scans, malware protection, blacklist removal, security notifications and alerts. They also do not monitor your WordPress site for file changes and other common WordPress security threats.

For more details see our comparison of Sucuri vs Cloudflare.

Pricing: Starting from $20/month for Pro plan and $200/month for Business.

Grade: A

3. SiteLock

SiteLock

SiteLock is another well-known website security company offering website application firewall, DDoS protection, malware scan and removal services.

SiteLock’s WAF is a DNS level firewall with a CDN service included in all plans to improve performance of your website. They offer daily malware scans, file change monitoring, security alerts, and malware removal.

All plans include basic DDoS protection while advanced DDoS protection is available as an add-on. They also allow customers to display SiteLock trust seal on their websites.

They have also partnered with many hosting companies to offer their basic plan as an addon. If you start your WordPress blog with Bluehost then you will be shown SiteLock as an addon that you can add to your hosting package.

However, it is unclear what’s included in that addon, and how it is different from the plans offered on SiteLock’s official website.

Pricing: Accelerate Plan costs $299 / year and Prevent plan costs $499 / year.

Grade: B+

4. Wordfence Security

Wordfence

Wordfence is a popular WordPress security plugin with a built-in website application firewall. It monitors your WordPress site for malware, file changes, SQL injections, and more. It also protects your website against DDoS and brute force attacks.

Wordfence is an application level firewall which means that firewall is triggered on your server and bad traffic is blocked after it reaches your server but before loading your website.

This is not the most efficient way to block attacks. A large number of bad requests will still increase the load on your server. Because it’s an application level firewall, Wordfence does not come with a content delivery network (CDN).

Wordfence comes with on-demand security scans as well as scheduled scans. It also allows you to manually monitor traffic and block suspicious looking IPs directly from your WordPress admin area.

To learn more about Wordfence, see our guide on how to install and setup Wordfence security in WordPress.

To get their sophisticated application level firewall, you really need the Premium version.

Pricing: The basic plugin is free. Premium version pricing starts from $99/year for a single site license.

Grade: B

5. BulletProof Security

BulletProof Security

BulletProof Security is another popular WordPress security plugin. It comes with a built-in application level firewall, login security, database backup, maintenance mode, and several security tweaks to protect your website.

BulletProof Security does not offer a very good user experience, and many beginners may have difficulty understanding what to do. It does come with a setup wizard that automatically updates your WordPress .htaccess files and enables firewall protection.

It does not have a file scanner to check for malicious code on your website. The paid version of the plugin offers extra features to monitor for intrusion and malicious files in your WordPress uploads folder.

Pricing: Free basic plugin. Pro version costs $59.95 for unlimited sites and lifetime support.

Grade: C

Conclusion

After careful comparison of all these popular WordPress firewall plugins, we believe that Sucuri is undoubtedly the best firewall protection you can get for your WordPress site.

It is the best DNS level firewall with the most comprehensive security features to give you complete peace of mind. On top of that, the performance boost that you get from their CDN is very impressive.

We hope this article helped you find the best WordPress firewall plugin for your website. You may also want to see our ultimate step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post 5 Best WordPress Firewall Plugins Compared appeared first on WPBeginner.

How to Block IP Addresses in WordPress

The post How to Block IP Addresses in WordPress appeared first on WPBeginner.

Do you want to block specific IP addresses from accessing your WordPress site? Blocking IP addresses is used as a solution to block spam and hacking attacks on your website. In this article, we will show you how to block IP addresses in WordPress, and we will also show you how to find out which IP addresses needs to be blocked.

How to Block IP Addresses in WordPress

What is an IP Address?

If the internet were a physical world, then think of IP addresses as country, street, and house numbers. They are basically four numbers from 0 to 255 separated by dots and look like this:

172.16.254.1

Each computer connected to the internet has an IP address assigned to it by its internet service provider.

All visitors to your website have an IP address, which is stored in your website’s access log files. This means that all websites you visit also store your IP address.

You can hide this information by using a VPN service. This allows you to hide your IP address and other personal information.

Why & When You Need to Block IP Addresses?

Blocking an IP address from accessing your website is an effective way to deal with unwanted visitors, comment spam, email spam, hacking attempts, and DDoS (distributed denial of service) attacks.

The most common sign that your website is under a DDOS attack is that your website will frequently become inaccessible or your pages will start taking forever to load.

The other attacks are more obvious such as when you start getting spam comments or a lot of spam emails from your contact form. We have a list of ways to fight spam comments, but the last solution is to block IP addresses.

Finding Out IP Addresses You Want to Block in WordPress

WordPress stores the IP address of every user who leaves a comment on your website. You can see their IP address by visiting the comments page in your WordPress admin area.

IP addresses stored in WordPress comments

If your website is under DDOS attack, then the best way to locate the IP addresses is by checking your server’s access log.

To see those logs, you will need to log in to the cPanel dashboard of your WordPress hosting account. Next, locate the ‘Logs’ section and click on the ‘Raw Access Logs’ icon.

Raw access logs

This will take you to the access logs page where you need to click on your domain name to download the access logs file.

Download access log file

Your access log file will be inside a .gz archive file. Go ahead and extract the file by clicking on it. If your computer does not have a program to handle .gz archive files, then you will need to install one. Winzip or 7-zip are two popular choices among Windows users.

Inside the archive, you will see your access log file which you can open in a plain text editor like Notepad or TextEdit.

The access log file contains raw data of all requests made to your website. Each line begins with the IP address making that request.

IP addresses in access log file

You need to make sure that you don’t end up blocking yourself, legit users, or search engines from accessing your website. Copy a suspicious looking IP address and use online IP lookup tools to find out more about it.

You will have to look carefully through your access logs for an unusually high number of requests from a particular IP address. Tip: there’s a way to automate this that we share at the bottom of this article.

Once you have located those IP addresses, you need to copy and paste them in a separate text file.
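As an added example that is not part of the WPBeginner article, here is a short Python script that automates the search described above: it parses an access log in the Apache "combined" format (assumed to be what your cPanel Raw Access Logs contain), counts requests per IP address, skips an allow list so you do not flag your own address or known crawlers, and prints the busiest addresses together with an Apache 2.4 .htaccess rule block that would deny them. The sample log lines and the 192.0.2.0/24 allow list are constructed; the threshold and the `render_deny_rules` helper are this script's own choices, not something the article or cPanel provides.

```python
"""Spot IP addresses making an unusually high number of requests in a raw access log.

Added example, not code from the WPBeginner article. Assumes the log is in the Apache
"combined" format (cPanel's Raw Access Logs normally are); "common" format also parses.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log lines using documentation IP ranges, not real visitors.
# 203.0.113.10 hammers the login page, 192.0.2.5 is the site owner's own address,
# 198.51.100.7 is an ordinary visitor, and the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3817 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3817 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3817 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3817 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3817 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3817 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2018:10:01:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2018:10:01:01 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 20110 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2018:10:01:02 +0000] "GET /wp-admin/post.php?post=1 HTTP/1.1" 200 30450 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2018:10:01:03 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2018:10:01:04 +0000] "GET /wp-admin/post.php?post=1 HTTP/1.1" 200 30480 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2018:10:02:05 +0000] "GET /about/ HTTP/1.1" 200 4980 "https://example.com/" "Mozilla/5.0"
this line is not a valid access log entry
"""

# One Apache log line: client IP, ident, user, [timestamp], "request", status, size,
# then the optional "referer" "user-agent" pair that the combined format adds.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_line(line):
    """Return the fields of one log line, or None if the line is malformed or the IP invalid."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = match.groupdict()
    try:
        ipaddress.ip_address(fields["ip"])  # rejects octets outside 0-255 and other garbage
    except ValueError:
        return None
    return fields


def count_requests(log_text):
    """Count requests per source IP address, silently skipping unparseable lines."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            counts[fields["ip"]] += 1
    return counts


def find_noisy_ips(log_text, threshold, allow=()):
    """Return [(ip, count), ...] for addresses with at least `threshold` requests,
    busiest first, skipping anything inside the allow-listed networks (your own IP,
    known search engine crawlers, and so on) so you do not block yourself."""
    allowed = [ipaddress.ip_network(net, strict=False) for net in allow]
    noisy = []
    for ip, count in count_requests(log_text).items():
        if count < threshold:
            continue
        if any(ipaddress.ip_address(ip) in net for net in allowed):
            continue
        noisy.append((ip, count))
    return sorted(noisy, key=lambda pair: (-pair[1], pair[0]))


def render_deny_rules(ips):
    """Format the addresses as an Apache 2.4 .htaccess block that refuses those clients.
    Hypothetical hand-written equivalent of blocking them through a hosting control panel."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys

    # Pass the extracted access log as the first argument; otherwise the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_LOG
    flagged = find_noisy_ips(text, threshold=5, allow=["192.0.2.0/24"])
    for ip, count in flagged:
        print(f"{ip}\t{count} requests")
    print(render_deny_rules([ip for ip, _ in flagged]))
```

Tune the threshold to your own traffic volume and check each flagged address with an IP lookup tool before blocking it, as the article advises.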

Blocking IP Addresses in WordPress

If you just want to stop users with a specific IP address from leaving a comment on your site, then you can do that inside your WordPress admin area.

Head over to the Settings » Discussion page and scroll down to the ‘Comment Blacklist’ text box.

Blacklist IP addresses in WordPress comments

Copy and paste the IP addresses that you want to block and then click on the save changes button.

WordPress will now block users with these IP addresses from leaving a comment on your website. These users will still be able to visit your website, but they will see an error message when they try to submit a comment.

Blocking an IP Address Using cPanel

This method completely blocks an IP address from accessing or viewing your website. You should use this method when you want to protect your WordPress site from hacking attempts and DDOS attacks.

First, you need to log in to the cPanel dashboard of your hosting account. Now scroll down to the Security section and click on the ‘IP Address Deny Manager’ icon.

IP Address Deny Manager tool in cPanel

This will take you to the IP Address Deny Manager tool. Here you can add the IP addresses you want to block. You can add a single IP address or an IP range and then click on the add button.

Blocking IP addresses in cPanel

You can come back to the same page again if you ever need to unblock those IP addresses.

When IP Address Blocking Doesn’t Work – Automate It!

Blocking an IP address would work if you are just blocking some basic hacking attempts, specific users, or users from specific regions or countries.

However, many hacking attempts and attacks are made using a wide range of random IP addresses from all over the world. It is impossible for you to keep up with all those random IP addresses.

That’s when you need a Web Application Firewall (WAF). For the WPBeginner website, we use Sucuri. It is a website security service that protects your website against such attacks using a website application firewall.

Basically, all your website traffic goes through their servers where it is examined for suspicious activity. It automatically blocks suspicious IP addresses from reaching your website altogether. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

We hope this article helped you learn how to easily block IP addresses in WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

How to Install and Setup Wordfence Security in WordPress

The post How to Install and Setup Wordfence Security in WordPress appeared first on WPBeginner.

Do you want to install and set up the Wordfence security plugin on your website? Wordfence is a popular WordPress plugin that helps you tighten the security of your WordPress site and protects it from hacking attempts. In this article, we will show you how to easily install and set up the Wordfence security plugin in WordPress.

How to install and setup Wordfence

What is Wordfence? How Does It Protect Your WordPress Site?

Wordfence is a WordPress security plugin that helps you protect your website against security threats like hacking, malware, DDoS, and brute force attacks.

It comes with a website application firewall, which filters all traffic to your website and blocks suspicious requests.

It has a malware scanner that scans all your WordPress core files, themes, plugins, and upload folders for changes and suspicious code. This helps you clean a hacked WordPress site.

The basic Wordfence plugin is free, but it also comes with a premium version that gives you access to more advanced features such as country blocking, firewall rules updated in real time, scheduled scanning, etc.

Having said that, let’s see how to install Wordfence and easily set it up for maximum security.

How to Install and Setup Wordfence in WordPress

First thing you need to do is install and activate the Wordfence Security plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, the plugin will add a new menu item labeled Wordfence to your WordPress admin bar. Clicking on it will take you to the plugin’s settings dashboard.

Wordfence settings dashboard

This page shows an overview of the plugin’s security settings on your website. You will also see security notifications and stats like recent IP blocking, failed login attempts, total attacks blocked, etc.

Wordfence settings are divided into different sections. The default settings will work for most websites, but you still need to review and change them if needed.

Let’s start by running a scan first.

Scanning Your WordPress Site Using Wordfence

Head over to the Wordfence » Scan page and then click on the ‘Start a Wordfence Scan’ button.

Start a Wordfence scan

Wordfence will now start scanning your WordPress files.

The scan will look for changes in file sizes in the official WordPress core and plugin files.

It will also look inside the files to check for suspicious code, backdoors, malicious URLs, and known patterns of infections.

Typically these scans need a lot of server resources to run. Wordfence does an excellent job of running the scans as efficiently as possible. The time it takes to complete a scan will depend on how much data you have, and the server resources available.

You will be able to see the progress of the scan in the yellow boxes on the scan page. Most of this information will be technical. However, you don’t need to worry about the technical stuff.

Once the scan is finished, Wordfence will show you the results.

It will notify you if it found any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.

The free Wordfence plugin automatically runs full scans on your WordPress site once every 24 hours. The premium version of the plugin allows you to set up your own scan schedules.

Setting up Wordfence Firewall

Wordfence comes with a website application firewall. This is a PHP-based application level firewall.

The Wordfence firewall offers two levels of protection. The basic level, which is enabled by default, allows the Wordfence firewall to run as a WordPress plugin.

This means that the firewall will load with the rest of your WordPress plugins. This can protect you from several threats, but it will miss threats that are designed to trigger before WordPress themes and plugins are loaded.

The second level of protection is called extended protection. It allows Wordfence to run before WordPress core, plugins, and themes. This offers much better protection against more advanced security threats.

Here is how you would set up the extended protection.

Visit Wordfence » Firewall page and click on the Optimize Firewall button.

Optimize Wordfence firewall

Wordfence will now run some tests in the background to detect your server configuration. If you know that your server configuration is different from what Wordfence has selected, then you can select a different one.

Click on the continue button.

Next, Wordfence will ask you to download your current .htaccess file as a backup. Click on the ‘Download .htaccess’ button and after downloading the backup file click on the continue button.

Wordfence will now update your .htaccess file which will allow it to run before WordPress. You will be redirected to the firewall page where you will now see your protection level as ‘Extended protection’.

Extended protection enabled

You will also notice a ‘Learning Mode’ button. When you first install Wordfence, it attempts to learn how you and your users interact with the website to make sure that it doesn’t block legitimate visitors. After a week it will automatically switch to ‘Enabled and Protecting’ mode.

Monitoring and Blocking Suspicious Activity Using Wordfence

Wordfence shows a very useful log of all requests made to your website. You can view it by visiting Wordfence » Live Traffic page.

Here you can see the list of IPs requesting different pages on your website.

Live traffic tool in Wordfence

You can block individual IPs and even full networks on this page.

You can also block suspicious IPs manually by visiting the Wordfence » Blocking page.

Manually block IPs in Wordfence

Advanced Settings and Tools in Wordfence

Wordfence is a powerful plugin with lots of useful options. You can visit Wordfence » Options page to review them.

Wordfence options

Here you can selectively turn features on and off. You can also enable or disable email notifications, scans, and other advanced settings.

On the Wordfence » Tools page, you can run a password audit to ensure that all users on your website are using strong passwords. You can also run a WHOIS lookup for suspicious IP addresses and view diagnostic information to help debug issues with the plugin or your WordPress site.

Premium version users can also set up two-factor login to strengthen login security on their websites.

Wordfence vs Sucuri – Which One is Better?

Now some of you are probably wondering how Wordfence stacks up against Sucuri.

Sucuri is another popular website security suite that comes with a website application firewall, malware scanner and removal.

At WPBeginner, we use Sucuri. Check out our Sucuri review to see how it helped us block more than 450,000 WordPress attacks in 3 months.

Both Wordfence and Sucuri are great choices to improve your WordPress security. However, we believe that Sucuri has some features that give it a slight edge over Wordfence.

One of them is the website application firewall. The Wordfence WAF is an application level firewall, which means it runs on your server.

On the other hand, the Sucuri website firewall is a DNS level firewall. This means all traffic to your website goes through their cloud proxy before reaching your website. This helps Sucuri block DDoS attacks more efficiently and also reduces the load on your server.

We hope this article helped you learn how to install and properly set up Wordfence on your website. For more security tips, you should also check out our ultimate WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The Ultimate WordPress Security Guide (Step by Step)

The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.

WordPress security is a topic of huge importance for every website owner. Each week, Google blacklists around 20,000 websites for malware and around 50,000 for phishing. If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

Improve WordPress Security

While the WordPress core software is very secure and is audited regularly by hundreds of developers, there is a lot that can be done to harden your WordPress website.

At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).

We have a number of actionable steps that you can take to improve your WordPress security.

To make it easy, we have created a table of contents to help you navigate through our ultimate WordPress security guide.

Table of Contents

Basics of WordPress Security

WordPress Security in Easy Steps (No Coding)

WordPress Security for DIY Users

Ready? Let’s get started.

Why Is Website Security Important?

A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.

Worse, you may find yourself paying a ransom to hackers just to regain access to your website.

Why WordPress Security is Important

In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting may contain malware or steal information.

Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.

If your website is a business, then you need to pay extra attention to your WordPress security.

Just as it is a business owner’s responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.

Keeping WordPress Updated

Keeping WordPress Updated

WordPress is open source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.

Strong Passwords and User Permissions

Manage strong passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique to your website, not just for the WordPress admin area but also for your FTP accounts, database, WordPress hosting account, and your professional email address.

The top reason beginners don’t like using strong passwords is that they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new users and authors to your WordPress site.

The Role of WordPress Hosting

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like BlueHost or Siteground takes extra measures to protect their servers against common threats.

However, on shared hosting you share the server resources with many other customers. This opens the risk of cross-site contamination, where a hacker can use a neighboring site to attack your website.

Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.

We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).

WordPress Security in Easy Steps (No Coding)

We know that improving WordPress security can be a terrifying thought for beginners, especially if you’re not tech savvy. Guess what – you’re not alone.

We have helped thousands of WordPress users in hardening their WordPress security.

We will show you how you can improve your WordPress security with just a few clicks (no coding required).

If you can point-and-click, you can do this!

Install a WordPress Backup Solution

Install a WordPress backup solution

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

Backups allow you to quickly restore your WordPress site in case something bad was to happen.

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

Thankfully this can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).

Best WordPress Security Plugin

After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.

This includes file integrity monitoring, failed login attempts, malware scanning, etc.

Thankfully, this can all be taken care of by the best free WordPress security plugin, Sucuri Scanner.

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to go to the Sucuri menu in your WordPress admin.

Sucuri Admin Menu

The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.

Sucuri Generate Free API

The next thing you need to do is click on the Hardening tab in the Sucuri menu. Go through every option and click on the “Harden” button.

Sucuri Hardening

These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.

We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.

After the hardening part, most default settings of this plugin are good and don’t need changing. The only thing we recommend customizing is the Email Alerts.

The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.

Sucuri Email Alerts

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.

Enable Web Application Firewall (WAF)

The easiest way to protect your website and be confident about your WordPress security is by using a web application firewall (WAF). The firewall blocks all malicious traffic before it even reaches your website.

Sucuri Website Application Firewall

We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

Sucuri Attack Block Chart

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically, if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).

This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour, whereas you can get the entire Sucuri security stack for $199 per year.

Sucuri is not the only firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).

WordPress Security for DIY Users

If you do everything that we have mentioned thus far, then you’re in pretty good shape.

But as always, there’s more that you can do to harden your WordPress security.

Some of these steps may require coding knowledge.

Change the Default “admin” username

In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

However, some 1-click WordPress installers still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin
  3. Update username from phpMyAdmin

We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).

Note: We’re talking about the username called “admin”, not the administrator role.

Disable File Editing

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

Disable file editing

You can easily do this by adding the following code to your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting this code:

<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

For a more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.
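The three-line snippet above uses the Apache 2.2 access syntax, which newer Apache 2.4 servers only accept through the compatibility module. Here is an added example (not the snippet from the article) of an uploads .htaccess that works on both versions and also catches the .phtml and .php5/.php7 file names that some servers still hand to the PHP interpreter:

```apache
# wp-content/uploads/.htaccess (added example, not the article's snippet)
# Apache 2.4 uses Require; the Order/Deny form is for Apache 2.2. The FilesMatch
# pattern also covers .phtml and versioned .php5/.php7 names, which a bare
# "*.php" glob would let through if the server maps them to PHP.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|phtml|php[0-9])$">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(php|phtml|php[0-9])$">
        Order deny,allow
        Deny from all
    </FilesMatch>
</IfModule>
```

Keep in mind that .htaccess files are only read by Apache (and LiteSpeed). On Nginx you need the equivalent in the server block, placed before the location that passes .php requests to PHP-FPM, for example `location ~* ^/wp-content/uploads/.*\.(php|phtml|php[0-9])$ { deny all; }`. Either way, test it afterwards by requesting a harmless .php file you placed in the uploads folder and checking that you get a 403 response.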

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.

Limit Login Attempts

By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute force attacks, where hackers try to crack passwords by attempting to log in with different combinations.

This can be easily fixed by limiting the number of failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.

However, if you don’t have the firewall set up, then proceed with the steps below.

First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, visit the Settings » Login LockDown page to set up the plugin.

Login LockDown settings

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.
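If you would rather see what a login limiter does under the hood, here is an added example of a small must-use plugin that does the same job. It is not the Login LockDown plugin and not code from WPBeginner; the thresholds, option names, and file name are assumptions you can change. Drop it into wp-content/mu-plugins/ and it loads without activation.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example (not the Login LockDown plugin). Locks out an IP
 *              address after too many failed logins. Save this file as
 *              wp-content/mu-plugins/example-login-limit.php.
 */

// Constructed thresholds: 5 failures within 15 minutes earns a 30-minute lockout.
define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'EXAMPLE_LOGIN_LOCKOUT', 30 * MINUTE_IN_SECONDS );

/**
 * Client address. REMOTE_ADDR is only trustworthy when PHP talks directly to the
 * visitor; behind a proxy or WAF, read the header your proxy is configured to set.
 */
function example_login_client_ip() {
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_login_key( $prefix, $ip ) {
	return $prefix . md5( $ip );
}

function example_login_is_locked( $ip ) {
	return false !== get_transient( example_login_key( 'example_login_lock_', $ip ) );
}

// Count failures per IP and lock the IP once the threshold is reached.
add_action( 'wp_login_failed', function ( $username ) {
	$ip = example_login_client_ip();
	if ( example_login_is_locked( $ip ) ) {
		return; // Attempts made during a lockout are already refused below.
	}
	$fail_key = example_login_key( 'example_login_fail_', $ip );
	$failures = (int) get_transient( $fail_key ) + 1;

	if ( $failures >= EXAMPLE_LOGIN_MAX_FAILURES ) {
		set_transient( example_login_key( 'example_login_lock_', $ip ), time(), EXAMPLE_LOGIN_LOCKOUT );
		delete_transient( $fail_key );
		// Leaves a trace in the PHP error log for later review.
		error_log( sprintf( 'example-login-limit: locked out %s after %d failed logins (last username tried: %s)', $ip, $failures, $username ) );
		return;
	}
	set_transient( $fail_key, $failures, EXAMPLE_LOGIN_WINDOW );
} );

// Refuse authentication while the IP is locked. Priority 100 runs after the core
// username/password and cookie handlers (priorities 20 and 30), so they cannot
// replace this error with a successful login.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( ! example_login_is_locked( example_login_client_ip() ) ) {
		return $user;
	}
	return new WP_Error( 'example_locked_out', __( 'Too many failed login attempts. Please try again later.' ) );
}, 100, 3 );

// A successful login clears the failure counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( example_login_key( 'example_login_fail_', example_login_client_ip() ) );
}, 10, 2 );
```

Because XML-RPC logins also go through `wp_authenticate()`, the same lockout applies to password guessing over xmlrpc.php. Two caveats: a per-IP lockout also affects everyone sharing that address (an office NAT, for example), and transients live in the options table unless you run a persistent object cache, so keep the lockout window short.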

Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.

You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.

Note: This can break your site if it’s not done properly. Only proceed if you feel comfortable with your coding skills.

Password Protect WordPress Admin and Login Page

Password protecting wp-admin

Normally, hackers can request your wp-admin folder and login page without any restriction. This allows hackers to try their hacking tricks or run DDoS attacks.

You can add an additional layer of password protection on the server side, which will effectively block those requests.

Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.
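For reference, here is what that server-side protection looks like on Apache. This is an added example, not the article’s own instructions; the password file path is a placeholder, and you create the file with the `htpasswd` tool that ships with Apache.

```apache
# wp-admin/.htaccess (added example; the .htpasswd path is a placeholder)
# Create the password file outside the web root first, e.g.
#   htpasswd -c /home/example/.htpasswd editor
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php for logged-out visitors too
# (live search, comment forms, some contact forms). Leave it reachable,
# otherwise those front-end features break.
<IfModule mod_authz_core.c>
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    <Files "admin-ajax.php">
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>
```

The login page itself, wp-login.php, lives in the site root rather than in wp-admin/, so to cover it as well, put the four Auth directives inside a `<Files "wp-login.php">` block in the root .htaccess. After uploading, check that admin-ajax.php still answers without a password prompt and that wp-admin/ asks for one.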

Disable Directory Indexing and Browsing

Directory browsing

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see the .htaccess file in WordPress.

After that, you need to add the following line at the end of the .htaccess file:

Options -Indexes

Don’t forget to save and upload the .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.

Disable XML-RPC in WordPress

XML-RPC has been enabled by default since WordPress 3.5 because it helps connect your WordPress site with web and mobile apps.

However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts, which would be caught and blocked by the login lockdown plugin.

But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.

This is why if you’re not using XML-RPC, we recommend that you disable it.

There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.

Tip: The .htaccess method is the best one because it’s the least resource intensive.

If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
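For those who want to handle this in code rather than in .htaccess, here is an added example of a must-use plugin that turns XML-RPC off unless the request comes from an address you allowlist (a mobile app or remote publishing tool). It is not code from the article or from WordPress core; the allowlist, function names, and file name are assumptions.

```php
<?php
/**
 * Plugin Name: Example XML-RPC Control
 * Description: Added example (not the article's code). Disables XML-RPC logins
 *              unless the request comes from an allowlisted address, and trims
 *              pingback exposure in case XML-RPC has to stay on. Save this file
 *              as wp-content/mu-plugins/example-xmlrpc.php.
 */

/**
 * Constructed allowlist. Leave it empty to refuse every XML-RPC login;
 * 203.0.113.10 is a documentation address standing in for a real client.
 */
function example_xmlrpc_allowed_ips() {
	return array(); // e.g. array( '203.0.113.10' )
}

function example_xmlrpc_request_allowed() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return in_array( $ip, example_xmlrpc_allowed_ips(), true );
}

// Core consults this filter when an XML-RPC method tries to log in. Returning
// false makes every authenticated method (the ones password guessing needs)
// answer with an "XML-RPC services are disabled" fault instead.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
	return $enabled && example_xmlrpc_request_allowed();
} );

// Pingback methods never log in, so the filter above does not cover them.
// Remove them from the method table if XML-RPC stays reachable.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Stop advertising the XML-RPC endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
```

Two things to know about this approach. First, `system.multicall` is registered by the IXR server class after the `xmlrpc_methods` filter has run, so it cannot be removed there; since WordPress 4.4, core refuses every further login inside the same request once one has failed, which blunts the multicall trick but does not stop the requests from arriving. Second, this plugin still lets the web server and PHP process each request, which is why the .htaccess method mentioned in the tip above, or the firewall, is the cheaper option when you don’t need XML-RPC at all.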

Automatically log out Idle Users in WordPress

Logged-in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You will need to install and activate the Idle User Logout plugin. Upon activation, visit Settings » Idle User Logout page to configure plugin settings.

Logout idle user

Simply set the time duration and uncheck the box next to the ‘Disable in wp admin’ option for better security. Don’t forget to click on the save changes button to store your settings.

For more detailed instructions, see our guide on how to automatically log out idle users in WordPress.
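To show what an idle logout actually has to do, here is an added example of a must-use plugin that ends a session on the server once it has gone quiet for longer than a limit. It is not the Idle User Logout plugin and not code from the article; the 15-minute limit, the session key name, and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Example Idle Session Logout
 * Description: Added example (not the Idle User Logout plugin). Logs a user out
 *              server-side once their session has been idle longer than the
 *              limit. Save this file as wp-content/mu-plugins/example-idle-logout.php.
 */

// Constructed limit: 15 minutes without a request from the user.
define( 'EXAMPLE_IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );

add_action( 'init', function () {
	if ( ! is_user_logged_in() ) {
		return;
	}
	$token = wp_get_session_token();
	if ( '' === $token ) {
		return;
	}

	// WordPress keeps one record per session token (login time, expiration,
	// IP, user agent). Storing the activity stamp there means a user with two
	// browsers open cannot keep the second one alive by using the first, and
	// the stamp disappears together with the session.
	$manager = WP_Session_Tokens::get_instance( get_current_user_id() );
	$session = $manager->get( $token );
	if ( ! $session ) {
		return;
	}

	$now  = time();
	$last = isset( $session['example_last_activity'] )
		? (int) $session['example_last_activity']
		: (int) $session['login']; // fresh session: the clock starts at login

	if ( $now - $last > EXAMPLE_IDLE_LIMIT ) {
		// wp_logout() destroys this session token and clears the auth cookies.
		wp_logout();
		if ( wp_doing_ajax() ) {
			wp_die( 'Session expired.', '', array( 'response' => 403 ) );
		}
		wp_safe_redirect( wp_login_url() );
		exit;
	}

	// Refresh the stamp at most once a minute so we are not writing user meta
	// on every single request.
	if ( $now - $last >= MINUTE_IN_SECONDS ) {
		$session['example_last_activity'] = $now;
		$manager->update( $token, $session );
	}
} );
```

Note that this only fires on the user’s next request, so an open browser tab is not redirected the moment the limit passes; the session is simply dead when the user comes back, which is what matters for someone who finds the unattended screen. Any page that does need a live countdown can add a small script on top of this, but the server-side check is what enforces the limit.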

Add Security Questions to WordPress Login Screen

Security questions on login screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.

Fixing a Hacked WordPress Site

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.

Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.

Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.

For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.

That’s all. We hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post The Ultimate WordPress Security Guide (Step by Step) appeared first on WPBeginner.

Sucuri vs CloudFlare (Pros and Cons) – Which One is Better?

The post Sucuri vs CloudFlare (Pros and Cons) – Which One is Better? appeared first on WPBeginner.

Due to an increased emphasis on website security in today’s digital landscape, one of the most common requests we’ve gotten from readers is to do a pros and cons analysis of Sucuri vs CloudFlare to explain which one is better. Sucuri and CloudFlare are online services that offer website firewall, CDN, and DDoS protection services. In this article, we will compare Sucuri vs Cloudflare with pros and cons to find out which one is better.

Sucuri vs CloudFlare (Pros and Cons)

Even the most secure websites on the internet are vulnerable to distributed denial of service attacks (DDoS), hacking attempts, and malware injection.

As a WordPress site owner, you can use some security best practices like password protecting the admin directory, limiting login attempts, adding two-factor authentication, etc.

However, these tips only work at the software level, which leaves your website mostly open to other types of attacks. These attacks can cause financial damage, data loss, poor search rankings, and a bad user experience.

Sucuri and CloudFlare offer a website application firewall (WAF).

This means that all your website’s traffic goes through their server scanners. If a request looks malicious, then the firewall would block it before it even reaches your website.

On the surface, these two services look nearly identical, but there are some key differences.

In this comparison, we’ll focus on:

  • Features
  • Pricing
  • Malware Removal Service

By the end, you’ll know exactly which platform is best for you.

Ready? Let’s compare Sucuri vs Cloudflare.

Features

In this section, we will look at the features offered by Sucuri and CloudFlare.

It’s important to note that both services offer different plans that come with different sets of features.

As a user, make sure you aren’t misled by their marketing, because not all plans come with all the features.

CloudFlare Features

CloudFlare is best known for their free CDN service. They specialize in mitigating DDoS attacks using their Website Application Firewall product. CloudFlare keeps your site available to users during an attack or under heavy traffic when your server is not responsive.

Their website firewall blocks suspicious traffic before it even reaches your website. The firewall also extends to form submissions which protects your website from comment spam and registration spam.

CloudFlare website firewall

CloudFlare also offers free and custom SSL certificates with all their plans. Free and Pro plans only allow you to use a CloudFlare-issued certificate. For a custom certificate, you will need to upgrade to their Business or Enterprise plan.

While CloudFlare offers a free option that includes CDN, most other features, including their Website Application Firewall, require a paid plan.

CloudFlare doesn’t offer a server-scanning service to detect malware. It also doesn’t offer a malware removal guarantee if you were to be hacked on their watch.

Sucuri Features

Sucuri is one of the most reputable website security and monitoring services. They offer comprehensive website monitoring, scanning for malware, DDoS protection, and malware removal services.

Sucuri offers CloudProxy, a website firewall and load balancing service. It blocks suspicious traffic from reaching your website by effectively blocking DDoS attacks, code injection, bad bots, and other website threats. See our case study of how Sucuri helped us block 450,000 attacks in 3 months.

Sucuri offers integration with the free Let’s Encrypt SSL for their basic plan. You can also use custom SSL certificates with their professional and business plans.

Sucuri CloudProxy

Sucuri scans your website regularly for file changes, code injection, and malware. They clean up hacked sites, with support for all popular CMS software like WordPress, Joomla, Drupal, etc.

Winner: Sucuri is a clear winner because they offer a better combination of tools and services (Website Firewall + Load Balancing + Malware Cleanup / Hack Repair).

Pricing

Pricing is an important factor for many small businesses.

Here, we will compare the different pricing plans offered by CloudFlare and Sucuri, so you know exactly what you’re getting for your money.

FREE is not always better :)

CloudFlare Pricing Plans

CloudFlare offers a free CDN service for all. They don’t charge you for the bandwidth which means you will be able to use their free CDN regardless of your traffic volume.

However, this free plan does not come with the website application firewall. Your website may benefit from CDN, but it will not be properly protected against DDoS attacks, spam, bad traffic, etc.

For their web application firewall, you need the Pro plan which costs $20 / month (this is what you need for improved security).

This pro plan does not include advanced DDoS mitigation and custom SSL. For those features, you will need their Business plan which costs $200 per month.

Sucuri Pricing Plans

Unlike CloudFlare, Sucuri doesn’t offer a free plan. Their website security stack plan starts at $199.99 for a year, which is cheaper than CloudFlare’s Pro plan.

This basic plan includes full website monitoring, website application firewall, DDoS protection, malware removal, and a free Let’s Encrypt SSL certificate.

Instead of excluding features from lower level plans, Sucuri uses priority as an incentive for their higher paying plans.

For example, the estimated malware removal time is 12 hours for the basic plan, 6 hours for the professional plan, and 4 hours for the business plan. However, the actual cleanup times are way faster than that for all customers.

They offer 24/7 support as part of all plans. Their business plan subscribers can also use the Live Chat support.

Winner: Sucuri is an obvious choice for small businesses when it comes to pricing. CloudFlare Pro costs $240 / year, whereas Sucuri costs $199 / year and offers more features. To unlock the same features, you’d have to move up to CloudFlare’s $2400 / year plan. Sucuri’s most expensive plan is $499 / year.

Malware Removal Service

Apart from denial of service attacks, malware and code injections are the most common threats faced by WordPress site owners.

Let’s see how both services protect your website against those common threats.

Website security and malware removal

CloudFlare – Security and Malware Removal

CloudFlare’s free version is basically a content delivery network which helps make your website fast.

The website security firewall comes with their paid plans. It includes CloudFlare’s ready-to-use custom rule set. These rules protect your site from common code injection hacks, XSS JavaScript exploits, and malicious form submissions.

However, they do not offer file change detection, malware scanning, blacklist monitoring, and many other security features. You can add third-party apps for malware scanning, but these services will cost you additional fees.

Sucuri – Security and Malware Removal

Sucuri is a security focused company. They specialize in monitoring websites and protecting them against malware and other attacks.

Sucuri’s website application firewall protects you against DDoS, SQL injection, XSS JavaScript injection, and comment and contact form spam.

However, if something crosses all those security barriers and somehow reaches your website, then Sucuri offers to clean up your website (for free).

If you already have a website affected with malware, then Sucuri will clean that up as well.

Winner: Sucuri – For combining website application firewall with monitoring, malware protection, and clean up services.

Conclusion

CloudFlare and Sucuri both offer protection against DDoS attacks on your website. CloudFlare does a little better in the content delivery network area.

Sucuri fares better in the overall features, better security monitoring, and lower prices. If you are using a CMS like WordPress, then Sucuri is what you need.

We hope this article helped you compare pros and cons of Sucuri vs CloudFlare. You may also want to see our list of 7 best WordPress backup plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.