Security of your web site is important. That includes security from you making mistakes, but the topic of this story is security from bad guys. So how hard is great WordPress Security? Surprisingly easy.
In the post we’ve linked below (copied here from our sister service Answer Guy Central), we explain, with an assist from WordPress head honcho Matt Mullenweg, just how easy it is to maintain enough WordPress security to keep you protected from 99% of the bad guys, 99% of the time: just don’t use stupid or easy-to-guess user names.
No, you can’t log into The WordPress Helpers using the name “admin”
WordPress has great security built into it, but we promised you more last week in our story on WordPress htaccess. After all, while keeping your software up-to-date and making sure you have backups of everything goes a long way, when you’re a target you need a great shield.
There are quite a few WordPress Security plug-ins available, and many are free—and yet, still great. Two in particular stand out; BulletProof Security and WordFence. We were using BulletProof, but last week we switched to WordFence. Here’s why:
WordFence interjects a noticeable lag before each visitor to your site can get in. This is worth keeping in mind; users like immediate feedback. It’s doing a lot of work during that lag, and if you believe the WordFence folks that work is adding a super-duper, “compare you to the world” layer of WordPress security—which sounds great but is likely overkill. But WordFence has two more things going for it:
- It’s incredibly easy to set up
- It includes very reliable and very fast caching software, taking away the need for you to add that as a separate item.
We love that second bullet point. Love. And there’s something reassuring about security being tied together with the idea of leaving files behind and knowing they’ll be automatically cleaned up from time to time. But the real issue is point #1.
At their cores, Both WordFence and BulletProof handle security mostly by tweaking your .htaccess file. And as its name suggests, that’s really what .htaccess is for; controlling access. All good. But BulletProof, which doesn’t do that “check everyone’s ID at the door” thing, is so paranoid about protecting .htaccess that if you don’t have a degree in security it’s a bear to get set up.
Did you pick up on all of that? WordFence does more stuff but also can make your site appear slower. BulletProof is harder to set up and use, but ultimately very simple.
Or maybe you’d like to just stick with that advice Matt Mullenweg offered up two years ago. Simple, right?