WordPress Security

Sucuri Security
Website Security News
Jan 2, 2018

3 Proactive WordPress Security

In the field of Information Security (InfoSec) we like to use the phrase defense in depth.

To appreciate this ideology, you have to subscribe to a very simple principle: There is no 100% complete solution capable of protecting any environment.

In this section, we’ve listed a number of solutions you can employ on your website to provide an effective defense in depth strategy. By layering these defensive controls, you’ll be able to identify and mitigate attacks against your website.

WordPress Security Plugin — Prevention Category

These plugins look to provide some level of prevention, otherwise known as a perimeter defense for your website. Their objective is to stop hacks from happening by filtering incoming traffic.

Prevention plugins are often limited to working at the application layer, meaning the attack has to hit the WordPress application for them to respond. Attacks against server software cannot be prevented with security plugins, which is why we recommend considering a cloud-based WAF instead.

WordPress Security Plugin — Detection Category

Protection is great for known issues, but not so great for the unknown. Being able to detect anything that gets past your perimeter defense is extremely valuable, which is where detection comes into play.

These plugins will attempt to identify intruders through File Integrity Checks, scanning for indicators of compromise, or a combination of the two mechanisms.

The effectiveness of these plugins is strictly determined by the point at which they are installed. For instance, if a plugin is based on integrity checks, it needs to be installed on a fresh, known-good environment so that it can create a trustworthy baseline to check against.

Some plugins may instead compare known third-party themes and plugins against their own repository of clean copies, so that they can also work on websites that have already been compromised, but this approach does not cover customized or little-known files.
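To make the baseline idea concrete, here is an added example (not code from the original post or from any Sucuri product) of the file integrity check described above: hash every file under the site root while the install is known-good, store the snapshot outside the web root, and later diff the live tree against it. The exclusion list and the demo's fake site layout are assumptions for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed: paths WordPress rewrites during normal operation (page cache);
# skipping them avoids constant false positives. Do NOT exclude uploads.
EXCLUDE_PREFIXES = ("wp-content/cache",)


def hash_tree(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(EXCLUDE_PREFIXES):
            continue
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        snapshot[rel] = h.hexdigest()
    return snapshot


def save_baseline(root, baseline_file):
    """Snapshot a known-good tree. Keep the baseline outside the web root."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=1))


def check_integrity(root, baseline_file):
    """Diff the live tree against the baseline: added/removed/modified paths."""
    baseline = json.loads(Path(baseline_file).read_text())
    current = hash_tree(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def demo():
    """Constructed example: baseline a tiny fake site, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.9';")
        baseline_file = Path(tmp) / "baseline.json"  # outside the web root
        save_baseline(site, baseline_file)
        # Simulated compromise: one dropped file, one altered core file
        (site / "wp-includes" / "x.php").write_text("<?php echo 'dropped';")
        (site / "wp-includes" / "version.php").write_text("<?php /* tampered */")
        return check_integrity(site, baseline_file)
```

Running `demo()` reports `wp-includes/x.php` as added and `wp-includes/version.php` as modified; a baseline taken after the tampering would silently accept both, which is why the baseline must come from a known-good install.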

Tip

Detection plugins are important in identifying if something has gone wrong on your website. These tools ensure that you’re informed when a security incident occurs.

WordPress Security Plugin — Auditing Category

Contrary to popular belief, security is not a set it and forget it undertaking. You have to invest time into the process and get acclimated with what is going on, who is logging in, what is changing, and when the changes are being made.

Auditing plugins can help you answer the questions above by offering basic administration features that help you identify, thwart, or respond to a compromise.

WordPress Security Plugin — Utility Category

This is perhaps the most diverse bucket of the entire WordPress Security Plugin ecosystem. Some plugins are what we consider the Swiss Army knives of the security landscape, while other utility plugins have a much smaller, more focused set of functionality.

The Swiss Army knife plugins can be exhaustive in their security configuration options. They expose every setting you could or might ever want to employ and are best suited for users who like to tinker or want to configure specific options to meet their needs. At the other end of the range, some security plugins do one thing only, such as disabling XML-RPC or moving your login page.

We also reserve this category for toolsets like backups or maintenance plugins that address specific security functions.

Originally published at sucuri.net on January 2, 2018.
