• Hi. I have been looking at security plugins and I have an idea of what I want to use. I need help figuring out if what I am thinking will conflict with other security plugins and if there are any other better options/configurations I could use. I don’t want to use any plugins that require me to create a login so some other site can monitor my site. I’d rather do this myself.

    I want to use as few plugins as possible but still get the features I want. Features include anti-virus, exploit scanner, backup, all the htaccess stuff, hide wp-login.php, forcing user secure passwords and to be able to change/hide the wp-admin and wp-content directories.

    Here is a list of what I am pretty sure I want to use right now, but I’m not sure they will all provide me with “exactly” what I’m looking for.

    Better WP Security
    Bulletproof Security
    Siri WP Security (mostly to change the login screen appearance. Suggestions?)
    Apocalypse Meow

    Do these play well together?

    Here is a list of plugins I’m looking at:

    WP Security Audit Log
    Login Security Solution
    OSE Firewall
    Server Security Scan
    6Scan Security & 6Scan Backup

    I already know that some of these provide the same function. I need to weed them out. Comments, new and/or better suggestions for other plugins and info on what plugins I can use together to achieve a total security solution would be really helpful.

    Thanks

Viewing 3 replies - 1 through 3 (of 3 total)
  • I use Bulletproof Security and Wordfence Security:
    https://www.ads-software.com/plugins/search.php?q=Bulletproof+Security
    https://www.ads-software.com/plugins/search.php?q=Wordfence+Security

    Bulletproof makes htaccess flexible, solid and easy, and AITpro is great with support. Wordfence has a “Live Traffic” screen I would not want to be without, and it also keeps an eye on all WordPress files. Also, get set up with SFTP and FileZilla if you do not have it already, and take a look at this:
    https://codex.www.ads-software.com/Hardening_WordPress

    Thread Starter jibbl nutz

    (@whatsvictory)

    Thanks leejosepho. I had Wordfence on a play server and I want to go live and make sure I have the best setup for my users. I’m thinking I will go with Bulletproof Security, Wordfence Security & Apocalypse Meow.

    The Hardening WordPress article was informative. I’m setting up a new site after years of goofing off via localhost. I’m familiar with SFTP and FileZilla though. I’ve had sites on and off over the years but never really cared too much about security because I never dealt with users. It’s always just been me, but now I want an e-commerce setup and I’m really concerned about keeping everyone safe.

    Thanks again.

    Following a lot of trial-and-error while watching for effect, here are some things I now have in place:
    https://codex.www.ads-software.com/Hardening_WordPress#Securing_wp-config.php

    Also:

    # .htaccess file to harden certain WordPress folders (as recommended by Sucuri and others)
    # ref: https://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/
    # note: Do not use in ~/wp-content if your site uses TimThumb or similar scripts.
    # 1. Place in ~/wp-content/uploads and check for problems...
    #>> Blocks Plugins Garbage Collector plugin from scanning ~/wp-content/plugins/
    # 2. else Place in ~/wp-content/ and check for problems...
    # 3. Place in ~/wp-includes and check for problems...
    ## note: ~/wp-includes has many .php files.
    # Refuse to serve any .php file from this directory. "Require" is the Apache 2.4
    # form; "Order/Deny" is kept for 2.2 (and 2.4 hosts that still load mod_access_compat).
    # Extend the pattern if your host also runs .php5 or .phtml through the PHP handler.
    <FilesMatch "\.php$">
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </FilesMatch>

    With BPS, first do a “Create default.htaccess File” to get your permalinks entries in place, then do a “Create secure.htaccess File”, then do an “Activate Website Root Folder .htaccess Security Mode” and an “Activate Website wp-admin Folder .htaccess Security Mode”. At that point, your protection has begun and you can later go to “Custom Code” and tweak as you wish.

    Next:
    https://forum.ait-pro.com/forums/topic/broken-link-checker-plugin-403-error/
    The above for BPS is if you use this:
    https://www.ads-software.com/plugins/search.php?q=Broken+Link+Checker

    Then in reference to this…
    https://llocally.com/blog/2013/08/19/what-is-your-login-username-to-your-wordpress-website/
    …you could use this plugin…
    https://www.ads-software.com/plugins/stop-user-enumeration/
    …or this:

    # added to BPS CUSTOM CODE PLUGIN/THEME SKIP/BYPASS RULES
    # BEGIN enumeration and author redirects
    ## ba00 send username enumeration to Home Page
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Leave the dashboard alone: edit.php?author=N is a legitimate post filter there.
    RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
    # Match author= anywhere in the query string, not only at its start,
    # otherwise ?x=1&author=1 slips past the rule.
    RewriteCond %{QUERY_STRING} (^|&)author=[0-9]+ [NC]
    # Redirect to the home page; the trailing "?" drops the original query string.
    RewriteRule ^ /? [L,R=301]
    </IfModule>
    # END enumeration and author redirects

    AITpro is not a fan of this next one, but I have it at the bottom of htaccess:

    # added to BPS CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE
    ## ref https://calladeveloper.blogspot.com/2013/04/global-wordpress-brute-force-attacks.html
    # BEGIN br01 stop certain brute-force login attempts
    <IfModule mod_rewrite.c>
    RewriteEngine on
    # Refuse login POSTs that do not arrive from a page on this site.
    # Replace yoursite.com with your own domain. With the Referer condition left
    # out, the rule returns 403 for every login POST, including your own.
    # The Referer header is attacker-controlled, so this only stops bots that do
    # not bother to set it; it is hygiene, not protection.
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_REFERER} !^https?://([a-z0-9-]+\.)*yoursite\.com(/|$) [NC]
    RewriteCond %{REQUEST_URI} ^/wp-login\.php [OR]
    RewriteCond %{REQUEST_URI} ^/wp-admin/?$
    RewriteRule ^ - [F,L]
    </IfModule>
    # END br01 stop certain brute-force login attempts

    Then right below that:

    #### prevent view of directives
    ## add at end of .htaccess
    # Apache 2.4 syntax first, 2.2 syntax kept for older hosts.
    <Files .htaccess>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
            Satisfy All
        </IfModule>
    </Files>

    #### prevent view of 403.shtml
    ## add at end of .htaccess
    <Files 403.shtml>
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>

    I might never completely understand what all the above things are doing, but my list of undesirable/unnecessary IPs being blocked is now greatly reduced!

    And finally, I have just discovered Sucuri shows additions and deletions to WordPress core files where Wordfence only shows changes:
    https://www.ads-software.com/plugins/search.php?q=sucuri

    Good security can take a little time to set up, but then it is there and you can go on about your own business.
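
As an added example (not code from this thread, from BPS, or from any plugin named here), the Python script below audits a local WordPress tree for the per-directory lockdown the reply above describes: whether wp-content/uploads, wp-content and wp-includes each carry an .htaccess that refuses .php files in either Apache 2.2 or 2.4 syntax, whether the root .htaccess protects itself, and, going one step beyond the reply, whether any PHP-like file is sitting under uploads at all, since that tree should never hold executable code. The sample tree it builds in a temporary directory is constructed for the demonstration; point audit() at a real document root to use it on a site.

```python
"""Audit the per-directory PHP lockdown on a local WordPress tree.
Added example, not code from this thread or from any plugin it names.
The sample tree below is constructed for the demonstration."""
import os
import re
import tempfile

# Directories the reply locks down, in the order it suggests trying them.
PHP_LOCKDOWN_DIRS = ("wp-content/uploads", "wp-content", "wp-includes")
# Extensions a typical PHP handler executes; none belong under uploads.
_PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# <Files ...> / <FilesMatch ...> container whose target mentions php.
_PHP_CONTAINER = re.compile(
    r"<Files(?:Match)?\s+[^>]*php[^>]*>(?P<body>.*?)</Files(?:Match)?>",
    re.IGNORECASE | re.DOTALL)
# Container that targets .htaccess itself: <Files .htaccess> or <FilesMatch "^\.ht">.
_HT_CONTAINER = re.compile(
    r"<Files(?:Match)?\s+[^>]*\\?\.ht[^>]*>(?P<body>.*?)</Files(?:Match)?>",
    re.IGNORECASE | re.DOTALL)
# Apache 2.2 ("deny from all") or 2.4 ("Require all denied") refusal.
_DENY_ALL = re.compile(r"^\s*(?:deny\s+from\s+all|Require\s+all\s+denied)\s*$",
                       re.IGNORECASE | re.MULTILINE)

def _container_denies(container, text):
    """True if at least one matching container holds a deny-all directive."""
    return any(_DENY_ALL.search(m.group("body")) for m in container.finditer(text))

def htaccess_blocks_php(text):
    """Does this .htaccess refuse to serve .php files?"""
    return _container_denies(_PHP_CONTAINER, text)

def htaccess_protects_itself(text):
    """Does this .htaccess refuse to serve .htaccess?"""
    return _container_denies(_HT_CONTAINER, text)

def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return ""

def find_php_in_uploads(root):
    """Relative paths of PHP-like files anywhere under wp-content/uploads."""
    uploads = os.path.join(root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if _PHP_EXT.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def audit(root):
    """Check the three lockdown directories, stray PHP under uploads, and the root file."""
    php_blocked = {
        d: htaccess_blocks_php(_read(os.path.join(root, *d.split("/"), ".htaccess")))
        for d in PHP_LOCKDOWN_DIRS}
    php_in_uploads = find_php_in_uploads(root)
    protected = htaccess_protects_itself(_read(os.path.join(root, ".htaccess")))
    return {"php_blocked": php_blocked,
            "php_in_uploads": php_in_uploads,
            "htaccess_protected": protected,
            "ok": all(php_blocked.values()) and not php_in_uploads and protected}

def build_sample_tree(root):
    """Constructed sample: uploads is locked down (2.4 syntax) but holds a planted
    PHP file, wp-content uses the 2.2 syntax, wp-includes has no .htaccess, and
    the root .htaccess carries only permalink rules."""
    def write(rel, content):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    write("wp-content/uploads/.htaccess",
          '<FilesMatch "\\.php$">\n  Require all denied\n</FilesMatch>\n')
    write("wp-content/uploads/2013/08/shell.php", "<?php /* planted for the sample */\n")
    write("wp-content/uploads/2013/08/photo.jpg", "not really a jpeg\n")
    write("wp-content/.htaccess", "<Files *.php>\ndeny from all\n</Files>\n")
    write("wp-includes/version.php", "<?php $wp_version = '0.0';\n")
    write(".htaccess", "RewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n")

def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    build_sample_tree(root)
    return audit(root)

if __name__ == "__main__":
    result = run_demo()
    for d, blocked in result["php_blocked"].items():
        print(f"{d}: php {'blocked' if blocked else 'NOT blocked'}")
    for hit in result["php_in_uploads"]:
        print(f"executable file under uploads: {hit}")
    print("root .htaccess protects itself:", result["htaccess_protected"])
    print("overall:", "OK" if result["ok"] else "FINDINGS")
```

On the sample tree the script reports wp-includes as unprotected, flags the planted shell.php under uploads and notes that the root .htaccess does not protect itself, so the overall verdict is FINDINGS. The .htaccess checks are a text heuristic, not an Apache parser: they confirm the directives are present, not that the server honours them, so the curl test the reply implies (request a .php file under uploads and expect a 403) is still the final word.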

  • The topic ‘Need help choosing security plugin setup’ is closed to new replies.