8 Best Free Security WordPress Plugins

Keeping your website secure is a 24/7 job. The right tools help keep watch – even when you can’t. They could be the difference between a hacked site and business as usual.

WordPress security plugins are one part of that equation. Along with quality hosting and users practicing secure habits, a plugin can thwart common attacks. They act as the last line of defense against hackers.

Adding an extra layer of protection is important, as WordPress is a preferred target due to its popularity. Legions of bots are scanning sites, looking for flaws to exploit. A vulnerability in WordPress core, a theme, or a plugin puts you at risk. Custom code that isn’t sanitized is also a major concern.

Thankfully, there is a variety of security plugins available. They cover different niches and use cases. We’ll introduce you to the eight best free options that help lock down your website.


Anti-Malware Security & Brute-Force Firewall Plugin

This plugin includes a firewall to prevent malware exploits and brute-force login attempts. However, its comprehensive malware scanner is the real star of the show. The scanner will look inside and outside your WordPress installation to find suspicious code.

Donate to the plugin and receive premium features like a WordPress core file integrity check. It’s worth installing if you suspect your site has been compromised.

Wordfence Security WordPress Plugin

Wordfence aims to be a complete security solution for WordPress. The plugin scans for malicious files, detects suspicious user activity, and blocks brute-force login attempts.

It also improves login security with two-factor authentication (2FA) and reCAPTCHA integration. The premium version offers a security audit log, a real-time IP blocklist, and a more robust firewall.

Jetpack Protect – Automated Malware & Security Scanning

Jetpack has long been a do-it-all plugin suite. Jetpack Protect is a separate plugin for those who only want its security features. It scans your site daily for WordPress, plugin, and theme vulnerabilities.

You’ll also receive brute-force attack protection from botnets and other malicious actors. Upgrade to premium and receive email alerts, one-click malware fixes, and priority support.

Solid Security – Password, TFA, & Brute Force Protection

The plugin formerly known as “iThemes Security” has plenty to offer in its free version. It protects against brute-force attacks at the local and network levels. Multiple types of 2FA can be added to user accounts, while strong password requirements keep users safer.

The plugin will detect file changes and scan your site for known vulnerabilities. The pro version adds trusted device recognition (to prevent session hijacking), passwordless login, and automated vulnerability patching.

Really Simple Security WordPress Plugin

Really Simple Security helps to fill common gaps in WordPress security. First, it ensures your site takes advantage of SSL via 301 redirects from non-HTTPS URLs. It also prevents code execution in your site’s uploads folder, disables the often-hacked XML-RPC feature, and enables 2FA.

You’ll also be notified of any known vulnerabilities. The pro version adds content security policy (CSP) generation, a firewall, and more security customizations.

Two-Factor WordPress Plugin

A single-purpose plugin, Two-Factor adds 2FA to your WordPress website. It supports various methods, including email, Time Based One-Time Passwords (TOTP), and FIDO Universal 2nd Factor (U2F).

TOTP support means you can use it with apps like Google Authenticator. Note that you’ll need to assign 2FA to users individually. This makes it more suited for sites with a small number of users.

Limit Login Attempts Reloaded WordPress Plugin

Brute force attacks are a problem for virtually every WordPress website. Even small sites can be swarmed by bots attempting to compromise your site. You can use this plugin to mitigate malicious login attempts.

It blocks offending IP addresses and covers all WordPress logins, including WooCommerce and XML-RPC. It’s also compatible with other security plugins. The pro version adds cloud-based IP blocking to the mix.

MelaPress Login Security WordPress Plugin

A safe website starts with securing user accounts. MelaPress Login Security helps by letting you create a custom login security policy. Options include setting a minimum password length, disabling recycled passwords, and forcing a password reset on first login.

You’ll also find brute-force login protection and the ability to limit logins to specific IP addresses. Upgrade to the pro version and gain trusted device recognition, disabling inactive users, and custom user session timeouts.

An Easy Way to Improve WordPress Security

Website security is complicated. It requires several measures to protect against attackers, many controlled by your web host. So, it’s up to us to take extra steps when possible. A WordPress security plugin is an easy way to do so.

The plugins on this list all have different strengths. Some are all-purpose, while others focus on a single aspect of security. Choose the ones that are right for your situation. But beware of combining multiple security plugins – they don’t always play nicely together.

Also, note that a plugin is only part of an overall security strategy. They can help, but won’t make up for an insecure hosting environment.

Now that you know some of the best free security plugins available, take a moment and determine how they fit into your strategy. Stay safe out there!

WordPress Security Plugin FAQs

  • What Are WordPress Security Plugins?
    They are plugins designed to protect your WordPress site from security threats like hacking, malware, and unauthorized access. They add extra layers of security to your site.
  • Who Should Use WordPress Security Plugins?
    Anyone with a WordPress site, from bloggers and small business owners to large organizations, should use security plugins. They’re essential for protecting your website and user data.
  • Why Are Security Plugins Important for WordPress Sites?
    They safeguard your site against various cyber threats. They help prevent data breaches, protect user information, and make your website safe and trustworthy.
  • How Do Security Plugins Improve a WordPress Site’s Safety?
    They offer features like firewalls, regular security scans, protection against brute force attacks, and alerts for any suspicious activity. Some also help with secure backups.
  • Can Security Plugins Affect the Performance of My WordPress Site?
    While some plugins might slightly affect site speed, most well-designed security plugins are optimized to minimize any impact on your website’s performance.
  • Should I Use Multiple Security Plugins on My Site?
    It’s usually not necessary to use multiple security plugins. One comprehensive, well-rated plugin is often enough to cover most security needs.

The post 8 Best Free Security WordPress Plugins appeared first on Speckyboy Design Magazine.

WordPress 5.8.3 Security Release

This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues (except where noted otherwise):

  • Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.
  • Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.
  • Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.
  • Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.

Should You Charge for Website Project Estimates?

Creating project estimates can be difficult. Because no two websites are the same, web designers need to understand a client’s specific needs. That often requires a lot of digging.

It includes asking a lot of probing questions about what the client is hoping to accomplish. From there, it’s time to research competitors and the technologies that will power the website.

And time is the keyword, as the estimation process will take up a lot of it. That may not be a huge deal if you end up booking the project. But if not, it can feel like a massive waste.

That’s why some web designers have transitioned to charging potential clients for project estimates. In some ways, it goes against the grain of the industry norm. But it may also make a lot of sense in certain situations.

Should you start charging for estimates? Here’s a look at the pros and cons of doing so.

Websites Are Increasingly Complex; So Are Estimates

Building a modern website requires a lot of moving parts. And we’re not talking about animation (although that’s a nice touch). No, we’re talking about the various pieces that comprise a website.

Consider content management systems (CMS), static site generators, themes, and plugins. And that’s only scratching the surface. A website may also need to interface with various third-party APIs and cloud services.

Figuring out the logistics of how this all fits together is a challenge. That’s particularly difficult if you haven’t worked with a specific technology before.

Once that’s all squared away, you’ll have to think about the actual design and content portions. Taken together, these are no small tasks.

Harder still is determining an accurate price for these various components. There’s nothing simple about this process.

How Charging for Project Estimates Gives Designers More Freedom

The more project estimates you create over time, the more likely it is that you’ll sour on the practice. You can put in a lot of work, only to have a prospective client say “Thanks, but no thanks.” The feeling of giving away your precious time can be demoralizing.

Charging a fee for this work accomplishes a few things:

1. More Enthusiasm, Less Guilt

Part of the challenge in writing proposals is that they are time-consuming. Thus, you may start to feel a sense of guilt when it takes you away from your paid work. There’s a certain pressure to get back to the other projects on your plate.

Being paid a fee eliminates (or greatly reduces) this pressure. You can now give the task proper attention without worrying so much about the other things you need to get done.

This also affords you the freedom to dig deeper into the project requirements than you otherwise might. Theoretically, you’ll be less likely to miss those little details that can impact the overall cost. That’s better for both you and your client.

2. It Filters Out Less-Desirable Clients

Have you ever felt compelled to provide an estimate for a project you aren’t interested in? That may be the biggest of all time-wasters.

The mere fact that you’re charging for your time will act as a repellant to some clients (more on this in a moment). Particularly those with very low budgets and those who don’t value your expertise.

Meanwhile, clients who don’t mind paying for top-notch service likely won’t blink an eye at your fee.

Determining a Fair Price for Estimates

It’s important to find a balance between being fairly compensated and helping potential clients see the value. Price your project estimates too high and the value proposition is a hard sell.

There are many ways to calculate a price. For example, you could go with a standard hourly rate and charge based on the actual time spent researching, meeting, and discussing the project. But the drawback there is uncertainty.

A flat fee might be more desirable, as all parties will be on the same page from the start. The challenge is in determining a price that will cover you in most scenarios.

Here’s a potential solution: Take a look back at some recent proposals and think about the time you put into them. Try to find the median time spent and charge based on that.

Let’s say you charge $50 per hour, and it generally takes you around two hours to create a project estimate. Using this formula, the flat fee would be $100.

If that’s not the best fit for your business, then don’t be afraid to get creative in how you structure things. Just remember that simple is often better.

Potential Pitfalls

Depending on your situation, there can be some downsides to charging for website estimates. The biggest might be that you risk missing out on projects.

Some clients will undoubtedly be turned off by paying for an estimate. As we mentioned, this can help you weed out the undesirables. But there could be times when a legitimately interesting project slips through your fingers.

Much also depends on your typical clientele. If you focus on smaller projects, then a significant portion of a client’s budget could be spent on an estimate. While you could apply some or all of your fees towards the actual project, it’s still a risk.

In addition, this practice may not be well-suited for those who are just starting out in web design. When your business is at its most vulnerable, limiting your possibilities too much isn’t advisable. In general, waiting until you have an established presence in the market is a better bet. That’s when you can afford to be a bit choosier.

So, while this may seem like a no-brainer, there are some important considerations. Implementing a policy like this can have unintended consequences.

Regardless of the Task, Your Time Is Valuable

The promise of “free estimates” is common throughout a lot of industries. And while that can certainly draw in potential clients, it can also be abused. A long, arduous process means time taken away from other important tasks.

For freelancers, this can be draining – both financially and mentally. You might be thrilled that people are interested in hiring you. On the other hand, you’re sacrificing time for paying customers to serve those who haven’t paid you a thing.

Charging a fee for project estimates is one way to recoup some of the value you bring to the table. It means not being bothered by cheapskates or those who aren’t serious about their project. And it compensates you for the time you’ve put in.

Only you can determine whether or not it’s the right fit for your business. But it’s worth consideration.

The post Should You Charge for Website Project Estimates? appeared first on Speckyboy Design Magazine.

Hello 2022!

Yesterday I received an email from a reader asking ‘Are you ok?’.

It’s been nearly 8 months since the last time I wrote here. In that last post I celebrated blogging on this website for 15 years with some consistency, so perhaps it’s a bit ironic for that to be immediately followed by complete silence.

The last big gap in blogging for me was in 2017, the year I joined Yelp. This experience was so depressing, every day I was done work I had no creative energy left for anything else.

2021 was a bit different though. 2 years back I started a software development agency, which grew from 2 to 5 people in the last year. The stakes have increased quite a bit, and it’s taken up a lot of my emotional reserves.

I’ve also made the mistake of not taking any vacation all year. There was just not much gas left in the tank. This is so stupid. Less time off doesn’t result in more productivity. I know this, but the last 2 years there’s been little travel or activities due to lockdowns and restrictions. Every day looks the same and it kind of just flew by.

Over the last holidays I’ve taken an actual break though, and have since started several new projects and am buzzing with new ideas. I’m still motivated to work on Curveball and Ketting (we use it every day for almost every customer!), and I’ve also started a series of live streams in which I build a Time Tracking application with Hypermedia on twitch.tv/evrt3.

If this sounds interesting, the first few episodes are up on my YouTube channel, but I’ll share more on this blog later.

I’m also preparing for a tech talk on January 19th for Toronto JS. It’s online and free!

So am I ok? I think I am? This year is off to a good start. I just have to make sure I don’t forget to take it easy.

Happy stupid new year! I hope it sucks less!

PHP Editable Text Field

Package:
PHP Editable Text Field
Summary:
Create page fields with values that users can edit
Groups:
AJAX, Data types, Databases, HTML
Author:
Matous Nemec
Description:
This package can create page fields with values that users can edit...

Read more at https://www.phpclasses.org/package/12346-PHP-Create-page-fields-with-values-that-users-can-edit.html#2022-01-05-17:25:59

The Month in WordPress – December 2021

December was a busy month for the WordPress community. In the latest episode of the WP Briefing podcast, WordPress Executive Director Josepha Haden Chomphosy shares a carol of thanks and shows her gratitude to all the people who make the WordPress project a success.

(…) I know that we have gotten so much done together in the last few years. And I am equally sure that we’re going to get so much done in the years to come. And so thank you all so much for your continued work with WordPress and the way that you just bring your best at all times.

Josepha Haden, Executive Director of the WordPress project

We said goodbye to 2021 with the annual State of the Word, along with the release of WordPress 5.9 Beta 4, among many other exciting updates. Read on to learn more about the latest community achievements.


WordPress 5.9: The first release candidate just landed

Are you interested in contributing to WordPress core? Join the #core channel, follow the Core Team blog, and check out the team handbook. Also, don’t miss the Core Team’s weekly developer chat on Wednesdays at 8 PM UTC.

Gutenberg releases: Versions 12.1 and 12.2 are here

The Core Team launched two new versions of Gutenberg last month. Both come with new features, code quality improvements, and bug fixes.

  • Gutenberg 12.1 marks the return of the template List View and includes several Navigation block enhancements, new global styles features, an improved developer experience for block themes, and more.
  • The Gutenberg 12.2 release focuses on user experience improvements and brings the block styles preview to the Widgets Editor, among other new features.

Want to get involved in developing Gutenberg? Follow the Core Team blog, contribute to Gutenberg on GitHub, and join the #core-editor channel in the Make WordPress Slack. Follow the #gutenberg-new tag for details on the latest updates.

Highlights from State of the Word 2021

  • State of the Word 2021, the annual keynote address delivered by WordPress co-founder Matt Mullenweg, was livestreamed from New York City on December 14, 2021. The event gathered WordPress enthusiasts at 29 watch parties around the world.
  • Matt shared his thoughts on the progress of the WordPress project and made announcements regarding its future in 2022. The presentation was followed by a Question and Answer session.

If you missed the event’s livestream, you can watch the State of the Word recording and the Q&A session on WordPress.tv.

Team updates: 2022 major release timings, new team rep announcements, and more

Are you looking for some 5.9 resources to share with your local community? Check out the WordPress 5.9 Talking Points for Meetup Organizers post.

Feedback/Testing requests: Contribute by testing or translating WordPress 5.9

  • Your feedback on WordPress 5.9 release candidates is still needed and appreciated! If you haven’t tried this version yet, you can find instructions on testing 5.9 features in this post.
  • Do you speak a language other than English? The Polyglots Team announced that WordPress 5.9 is also ready to be translated.
  • Version 18.9 of WordPress for Android is available for testing.

Share your feedback on WordPress 5.9.

Apply to speak or host a workshop at WordCamp Europe 2022

  • WordCamp US 2022 is currently looking for organizers.
  • The WordPress community celebrated its first in-person WordCamp after 21 months in Sevilla (Spain) on December 11-12, 2021. WordCamp Taiwan was held online the same weekend.
  • The Test Team organized the Hallway Hangout titled Let’s talk about WordPress 6.0 on December 21, 2021. The team also shared a wrap-up of the Site Editing Safari as part of the FSE Outreach Program.
  • The Training Team hosted several WordPress Social Learning Meetups last month, and there will be many more in January 2022.
  • Last year the WordPress Foundation made significant progress in its mission to educate the public about open source software. Learn more about it in this 2021 recap.

Don’t miss the following upcoming WordCamps: WordCamp Birmingham, Alabama 2022, WordCamp Genève 2022, WordCamp Vienna 2022, and WordCamp Europe 2022.

The Call For Sponsors and Call For Speakers for WordCamp Europe 2022 are open! Read this post to learn more about the Organizing Team’s plans for the first in-person WordCamp Europe in three years.


Have a story that we could include in the next ‘Month in WordPress’ post? Let us know by filling out this form.

The following folks contributed to December 2021’s Month in WordPress: @anjanavasan, @harishanker, @lmurillom, @meher, @nalininonstopnewsuk, @webcommsat

Class Action Lawsuit: Google is Paying Apple to Stay Out of Search Business

California Crane School, Inc. filed a class action antitrust case [3:21-cv-10001, C.C.S.I. v Google LLC] on 12/27/21 against Google and Apple and the Chief Executive Officers of both companies alleging violations of the Antitrust Laws of the United States.

The complaint charges that Google and Apple agreed that Apple would not compete in the internet search business against Google. The complaint claims that the means used to effectuate the non-compete agreement included:

  1. Google would share its search profits with Apple
  2. Apple would give preferential treatment to Google for all Apple devices
  3. Regular secret meetings between the executives of both companies
  4. Annual multi-billion-dollar payments by Google to Apple not to compete in the search business
  5. Suppression of the competition of smaller competitors and foreclosing competitors from the search market
  6. Acquiring actual and potential competitors.

The complaint alleges that advertising rates are higher than rates would be in a competitive system. The complaint seeks the disgorgement of the billion-dollar payments by Google to Apple. The complaint asks for an injunction prohibiting the non-compete agreement between Google and Apple; the profit-sharing agreement; the preferential treatment for Google on Apple devices; and the payment of billions of dollars by Google to Apple.

The complaint also calls for the breakup of Google into separate and independent companies and the breakup of Apple into separate and independent companies.

Attorneys representing the plaintiffs are Joseph M. Alioto and Tatiana V. Wallace of Alioto Law Firm, Lawrence G. Papale of Law Offices of Lawrence G. Papale, Robert J. Bonsignore of Bonsignore Trial Lawyers PLLC, Christopher A. Nedeau of Nedeau Law PC, Josephine Alioto of The Veen Firm, Jeffery K. Perkins of Law Office of Jeffery K. Perkins, Theresa Moore of Law Offices of Theresa D. Moore, Lingel H. Winters of Law Offices of Lingel H. Winters.

One of the issues that I see here is that because of this agreement between Google and Apple, smaller search engines, who are actually competitors of Google, cannot get a chance to be embedded into Apple’s products. If you’re a smaller search engine trying to get more market share, then getting your search engine into Apple’s products would help. But you’re unable to do that because of this agreement between Google and Apple.

PHP Framework Bootstrap 4 Template

Package:
PHP Framework Bootstrap 4 Template
Summary:
Show application pages using Bootstrap templates
Groups:
HTML, Libraries, PHP 5, Templates
Author:
Aleksey
Description:
This package can show application pages using Bootstrap templates...

Read more at https://www.phpclasses.org/package/12345-PHP-Show-application-pages-using-Bootstrap-templates.html#2022-01-04-23:13:06