What You May Not Know about WordPress Security Plugins
By Charles Costa
When it comes to securing your WordPress install with a security plugin, it can be tempting to enable every feature of the plugin to harden your site. If you start enabling features blindly, you can end up bringing your site to a halt.
This is because security plugins such as iThemes Security and Wordfence Security automatically modify core elements of WordPress such as the database, file paths, permissions, and more to harden the install from attacks.
In a previous article on managed WordPress hosting pros and cons, I briefly went over the common security plugins used to harden WordPress, but that article didn’t discuss how many of the security features work or how they affect your site.
Although one-click WordPress security plugins are a great way to streamline WordPress security, they often have unintended side effects which can hinder the performance of your sites. You can avoid seeing the dreaded WordPress ‘white screen of death’ by paying attention to the details below.
File Change Detection
In the security world, intrusion detection systems (IDS) and file integrity monitoring are critical tools for server administrators because they reveal malicious activity that has slipped past preventive controls. In the past, IDS tools were cumbersome and expensive to maintain; today many WordPress security plugins provide similar monitoring of your website for changes with a few mouse clicks.
In theory, this feature is a great safeguard against subtle attacks that happen behind the scenes, but if it is not configured properly your inbox will be flooded with thousands of false-positive notices about your site. For example, if you have a caching plugin installed, the cache directory is rewritten constantly and you’ll receive an email documenting every single change as it occurs.
In general, the best way around this issue is to avoid change detection altogether unless you are an experienced WordPress developer who is prepared to tune it: exclude the directories that legitimately churn (cache output, uploads, logs) and learn which of the remaining alerts matter. Since every server and WordPress configuration is different, this feature is only beneficial if you can decipher the alerts.
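To make the tuning point concrete, here is a minimal file-integrity monitor of the kind these plugins implement. It is an added example written for this article, not code from iThemes Security, Wordfence or WordPress itself. It hashes every file under the install, stores the baseline, and reports additions, removals and modifications on the next run; the excluded prefixes (wp-content/cache/, wp-content/uploads/, wp-content/debug.log) are assumptions you would adjust for your own plugins. The demo builds a constructed WordPress-like tree in a temporary directory and runs the monitor once with exclusions and once without, so you can see the cache churn that produces the flood of alerts and the two changes that actually matter.

```python
"""Minimal file-integrity monitor for a WordPress tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Paths (relative to the WordPress root) that change during normal operation.
# These are assumptions for the example; tune them to the plugins you run.
DEFAULT_EXCLUDES = (
    "wp-content/cache/",
    "wp-content/uploads/",
    "wp-content/debug.log",
)


def sha256_of(path):
    """Hash a file in chunks so large uploads are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root, excludes=DEFAULT_EXCLUDES):
    """Return {relative_posix_path: sha256} for every non-excluded file under root."""
    root = Path(root)
    result = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel.startswith(prefix) for prefix in excludes):
            continue
        result[rel] = sha256_of(path)
    return result


def diff_snapshots(baseline, current):
    """Classify changes between a stored baseline and a fresh snapshot."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap, path):
    """Persist the baseline; in production keep it outside the web root."""
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed WordPress-like tree: compare a tuned monitor with an untuned one.

    Returns (tuned_changes, untuned_changes)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {  # constructed sample content, not real WordPress files
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-includes/version.php": "<?php $wp_version = '4.1';",
            "wp-content/plugins/hello.php": "<?php // Hello Dolly",
            "wp-content/cache/page-home.html": "<html>cached</html>",
        }
        for rel, body in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        tuned_base = snapshot(root)
        untuned_base = snapshot(root, excludes=())

        # Routine churn: the caching plugin rewrites one page and adds another.
        (root / "wp-content/cache/page-home.html").write_text("<html>fresh</html>")
        (root / "wp-content/cache/page-about.html").write_text("<html>about</html>")
        # Suspicious: a core file is altered and a hidden PHP file appears under plugins.
        (root / "wp-includes/version.php").write_text("<?php /* tampered */")
        (root / "wp-content/plugins/.x.php").write_text("<?php // backdoor placeholder")

        tuned = diff_snapshots(tuned_base, snapshot(root))
        untuned = diff_snapshots(untuned_base, snapshot(root, excludes=()))
        return tuned, untuned


if __name__ == "__main__":
    tuned, untuned = demo()
    print("tuned:", tuned)
    print("untuned:", untuned)
```

With exclusions the run reports exactly one modified core file and one added hidden PHP file; without them the same run also reports the two cache writes, which is the noise the article warns about. Exclusions only suppress alerts, so pair them with a second check that does not depend on your baseline, such as comparing core files against the official WordPress checksums (WP-CLI’s `wp core verify-checksums`).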
Country Blocking
It can be tempting to use country blocking to keep rogue traffic off your site, however this feature often does more harm than good. The biggest reason is that it’s easy for attackers to get around these blocks by routing their traffic through a proxy or readily available VPN service in an allowed country (the source address isn’t literally forged; the request simply arrives from a different network). In fact, this is something many consumers do themselves in order to get around regional restrictions on multimedia content.
In theory, country blocking might help if you’re an online merchant who is very concerned about fraudulent transactions. However, if an ordinary consumer can hop countries with a VPN to watch a video clip, then a fraudster is certainly going to use the same tools to reach your site.
Shipping restrictions are usually a better way to protect your company from fraudulent transactions. Additionally, while country blocking can stop some botnets, an entire cottage industry has grown up around selling access to compromised systems in developed nations, so the attacking traffic arrives from addresses you would never block.
Long story short, country blocking may once have been a valid way to reduce your website’s threat exposure, but today it mostly provides a false sense of security.
Forced SSL for Logins
Forced SSL is one of the best features many WordPress security plugins provide because it is a relatively simple change which can make a huge difference in protecting yourself and users. One of the biggest reasons many websites used to have logins unencrypted is because servers couldn’t handle the overhead for frequent transactions. As computing power became cheaper, SSL became more common.
Today, encryption has become so important that Google recently announced that HTTPS is now one of its search ranking signals. The rise of wireless Internet and recent concerns over protecting privacy mean that website operators need to protect their users. Even if you don’t encrypt your entire website, ensuring users have secure login pages is a must.
Before you enable forced SSL on your WordPress site, make sure that you have an SSL certificate installed and configured. Most web hosts will handle the installation for you, and you can test the certificate simply by adding https:// in front of your site name and visiting it. If you get a certificate error, you’ll know you shouldn’t go forward with enabling this option; if the site loads as usual, feel free to proceed.
Keep in mind that you’ll need to renew your SSL certificate before it expires, otherwise the login page stops working for everyone rather than just becoming insecure. If you’re on a development server, you could technically use a self-signed certificate, however it will trigger browser warnings when anyone visits your site.
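The browser test above can be scripted so the three things that break forced SSL (a certificate that doesn’t validate, one that doesn’t cover your hostname, and one that is about to expire) are checked before you flip the option. The following is an added example written for this article, not code from any security plugin. fetch_cert() contacts a live host with default verification, so a self-signed or mismatched certificate fails there before any decision is made; the decision logic itself is exercised offline on constructed certificate dictionaries in the same shape ssl.getpeercert() returns. The 14-day renewal threshold is an assumption.

```python
"""Pre-flight check before enabling forced SSL for WordPress logins (added example)."""
import socket
import ssl
import time

MIN_DAYS_LEFT = 14  # assumption: warn when renewal is this close


def fetch_cert(host, port=443, timeout=5.0):
    """Return (cert_dict, None) on success or (None, reason) on failure.

    Default verification is kept on, so a self-signed, expired or wrong-name
    certificate raises SSLCertVerificationError instead of being returned."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, f"certificate verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return None, f"connection failed: {exc}"


def parse_cert_time(text):
    """Convert the 'Mon DD HH:MM:SS YYYY GMT' form used in cert dicts to a timestamp."""
    return ssl.cert_time_to_seconds(text)


def _name_matches(pattern, host):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def cert_covers_host(cert, host):
    """True if any DNS subjectAltName (or, failing that, the CN) matches host."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy certificates without SAN: fall back to commonName
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return any(_name_matches(name, host) for name in names)


def days_until_expiry(cert, now=None):
    now = time.time() if now is None else now
    return (parse_cert_time(cert["notAfter"]) - now) / 86400


def ready_for_forced_ssl(cert, host, now=None, min_days=MIN_DAYS_LEFT):
    """Return (ok, reasons): ok is True only when no reason blocks enabling."""
    reasons = []
    if not cert_covers_host(cert, host):
        reasons.append(f"certificate does not cover {host}")
    left = days_until_expiry(cert, now)
    if left <= 0:
        reasons.append("certificate has expired")
    elif left < min_days:
        reasons.append(f"certificate expires in {left:.0f} days")
    return (not reasons), reasons


# Constructed sample certificates in ssl.getpeercert() shape (not real certificates).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Mar  1 00:00:00 2015 GMT",
}


if __name__ == "__main__":
    when = parse_cert_time("Feb 20 00:00:00 2015 GMT")
    print(ready_for_forced_ssl(SAMPLE_CERT, "example.com", now=when))
```

Against a real site you would call fetch_cert("example.com"), stop if it returns a reason, and otherwise pass the certificate to ready_for_forced_ssl before enabling the option. Outside a plugin, the same forced-SSL behaviour for the login and admin pages comes from `define('FORCE_SSL_ADMIN', true);` in wp-config.php, and the same three checks apply before adding it.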
The Importance of Common Sense
Just as you wouldn’t change settings blindly on your workstation, you shouldn’t enable security features on your WordPress site without knowing exactly what they do.
Randomly enabling security features not only increases the odds of encountering the dreaded ‘white screen of death’ but also can result in giving you a false sense of security.
As with any tools, they only are useful if they are used properly. If you don’t fully understand the power of common security plugins, then you could be doing more harm than good.
It’s worth mentioning that many experienced WordPress administrators don’t rely on security plugins at all; they prefer to harden WordPress and their servers by hand. If you’re interested in learning more about WordPress security, I’d recommend starting with the official WordPress documentation:
Finally, make sure to exercise common sense when selecting and installing themes and plugins. I’ve also written some tips, linked below, that you may find useful: