
Best WordPress Security Plugin – Better WP Security Plugin

Price: FREE
Rating: 5
Reviewed on April 22, 2012
Last modified: February 4, 2014


UPDATE: Many users are reporting problems while using this plugin. The plugin is a little complex and makes changes to your WordPress installation at a deeper level. So, if you don’t know what a particular option in the plugin does, it would be a good idea to search about it first, or ask me or friends; otherwise leave it as it is. I will try to help as much as I can. Read the comments, you’ll find problems and solutions. Thank you!

“Is my WordPress site secure? Do I have the best WordPress security plugin?” Have you ever asked yourself these questions? I did, when one of my friend’s sites got hacked. Nothing like a hack, actually. But it was all messed up. The site was showing a homepage designed by the hackers. All other pages and posts were showing fine. Someone had messed with the .htaccess file and maybe with the theme files. A simple theme change was the simplest solution to get over the whole problem.

After all this, I went to my WordPress dashboard and had a look at my security plugins, to see if they were working fine and if my blog was secure from these types of attacks. There are tons of security plugins out there. Most of them do different work and serve different purposes. But what if you could get a single security plugin which can do most of your work?

I have got a very good WordPress security plugin, best for me, which can handle most of the work for me easily and automatically. The name of that WordPress security plugin is Better WP Security.

 


WordPress Security Plugin – Better WP Security

Better WP Security – The easiest, most effective way to secure WordPress. Improve the security of any WordPress site in seconds.

There are a lot of awesome features in this WordPress security plugin. It obscures vulnerabilities (the reason for most WordPress attacks), protects the site by blocking users who try to attack it, detects other vulnerabilities and bots, and a few more. So, instead of copying all those features and the description of this WordPress security plugin into this post, I would suggest you have a look at the plugin page and read all about it (you MUST READ about a plugin you are going to use). I will focus on what you should do after installing this WordPress security plugin so that you don’t mess up your site (there are a lot of easy ways to mess things up :) ).

How to secure your WordPress site with Better WP security plugin?

After installing the plugin, you’ll be taken to your WordPress dashboard (if not, go there yourself) and you will see a welcome message where the plugin asks you to make a backup of your database, which will be sent to the email address associated with your site. COOL!

Of course, create a backup, get it from your inbox and save it on your hard drive.

Next, you’ll be asked for permission to edit WordPress core files like wp-config.php. I would recommend you allow this. But make sure to read the message it shows when asking for this permission.

Finally, after this you’ll get an option for One-Click Protection from basic attacks. Click on the button which says “Secure my sites from basic WordPress attacks”.


Okay. Now we are safe from basic attacks. But it doesn’t mean our site is completely secured and cannot be hacked or messed up by the bad guys out there. After this we are taken to the plugin’s dashboard, which shows our WordPress site’s system status. It will show 19 things you need to work on.

No need to panic if you see items in RED or ORANGE, which mean your site is not secure on those items. There is a link, “Click here to fix”, which will take you to the respective item’s settings, where you can alter it and secure your site in just a few clicks (nothing complicated there).

The question is, should you do all 19 fixes suggested by this plugin? The answer is NO, especially if you are doing all that on your old site, not on a fresh one.

So, for newbies who are new to WordPress and a bit non-techie, here I’m sharing which of these 19 options you should fix and how.

On the system status page you will see that #3, 4, 6, 8, 11, 12, 15 are already in green. So, we don’t have to worry about them.

For #1, you can leave it because it is already set for the administrator’s password.

#2. You can go with the fix suggested by the plugin. When you click on the link “Click here to fix” you will be taken to the header tweak settings. Check all three options there.

#5. Now, you have to be a bit careful. If you have a new website and a fresh installation of WordPress then you can go with this fix, BUT if you are doing this on your old site then I would suggest you skip this one. It can mess with your site and the posts you have already published.

#6. Database backup: This one is already set to schedule backups regularly. You can edit the settings in the left bar of this plugin. There are two options: one is to get an email of every backup, and the other is to have the backup saved in a folder of yours, where you can get it via an FTP client.

#7. I recommend you do this fix. It will lock your dashboard when you don’t use it. For example, I’m sure you don’t visit your dashboard while you are asleep. So, you can enable Away mode with this option. You can select the time after which the site backend will be disabled and when it will be enabled again. Now you can sleep without any worry. Anyone visiting any dashboard link will be redirected to the blog homepage.

#9 and 10. Fix them. There is no problem in doing that.

Note: If you do the #9 fix then your login and register URLs will be changed to whatever you set them to.

Now, you can leave the rest. One important one is #16, but now we have our .htaccess file fully secured. So, we can skip this.

I’m suggesting you leave the rest because all the other options may cause conflicts with some plugins and themes.

Limit Logins

This is really helpful for staying safe from brute force attacks. A brute force attack is software trying to log in many times with all possible combinations. You can enable/edit this option from the left sidebar of this plugin. The plugin will block a host that enters a wrong password more times than the number you set. Set email notifications so that you will be notified every time a host is blocked.

I get 2-3 emails every day when a host is blocked. When a host is blocked more than 2-3 times, it may mean that the host is trying to get into my site. Then I just BAN that host/IP (again, in the left sidebar).
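The lockout-then-ban behaviour described above, as an added Python example (not the plugin's own code): failed logins from one host inside a time window trigger a temporary lockout with a notification, and repeated lockouts end in a ban. The thresholds, the log format and the sample addresses are assumptions made for the illustration.

```python
"""Temporary lockout that escalates to a ban (added example, assumed thresholds)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Policy(NamedTuple):
    max_attempts: int = 3                        # failed logins that trigger a lockout
    window: timedelta = timedelta(minutes=5)     # failures must fall inside this window
    lockout: timedelta = timedelta(minutes=15)   # length of a temporary lockout
    lockouts_before_ban: int = 3                 # lockouts after which the host is banned


class LoginGuard:
    def __init__(self, policy=Policy()):
        self.policy = policy
        self.failures = defaultdict(list)   # host -> timestamps of recent failures
        self.locked_until = {}              # host -> end of the temporary lockout
        self.lockouts = defaultdict(int)    # host -> lockouts so far
        self.banned = set()
        self.notifications = []             # stands in for the e-mail alerts

    def is_blocked(self, host, now):
        return host in self.banned or now < self.locked_until.get(host, datetime.min)

    def attempt(self, host, now, password_ok):
        """Process one login attempt and return its outcome as a string."""
        if self.is_blocked(host, now):
            return "rejected"                # blocked hosts never reach the password check
        if password_ok:
            self.failures.pop(host, None)    # a good login clears the failure history
            return "ok"
        p = self.policy
        recent = [t for t in self.failures[host] if now - t <= p.window] + [now]
        self.failures[host] = recent
        if len(recent) < p.max_attempts:
            return "failed"
        self.failures[host] = []             # threshold reached: start a fresh count
        self.lockouts[host] += 1
        if self.lockouts[host] >= p.lockouts_before_ban:
            self.banned.add(host)
            self.notifications.append(f"{now:%H:%M} {host} banned")
            return "banned"
        self.locked_until[host] = now + p.lockout
        self.notifications.append(f"{now:%H:%M} {host} locked out")
        return "locked"


# Constructed sample log, "<timestamp> <host> <FAIL|OK>", using documentation IP ranges.
SAMPLE_LOG = """\
2012-08-03T17:00:00 203.0.113.7 FAIL
2012-08-03T17:00:05 203.0.113.7 FAIL
2012-08-03T17:00:09 203.0.113.7 FAIL
2012-08-03T17:01:00 203.0.113.7 FAIL
2012-08-03T17:02:00 198.51.100.20 FAIL
2012-08-03T17:02:30 198.51.100.20 FAIL
2012-08-03T17:03:00 198.51.100.20 OK
2012-08-03T17:20:00 203.0.113.7 FAIL
2012-08-03T17:20:04 203.0.113.7 FAIL
2012-08-03T17:20:08 203.0.113.7 FAIL
2012-08-03T17:40:00 203.0.113.7 FAIL
2012-08-03T17:40:03 203.0.113.7 FAIL
2012-08-03T17:40:06 203.0.113.7 FAIL
2012-08-03T18:30:00 203.0.113.7 OK
"""


def replay(log_text, policy=Policy()):
    """Feed every log line through a fresh LoginGuard; return it with the outcomes."""
    guard, outcomes = LoginGuard(policy), []
    for line in log_text.splitlines():
        stamp, host, result = line.split()
        now = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
        outcomes.append(guard.attempt(host, now, result == "OK"))
    return guard, outcomes


if __name__ == "__main__":
    guard, outcomes = replay(SAMPLE_LOG)
    print(outcomes)
    print(*guard.notifications, sep="\n")
```

The host that mistyped twice and then logged in is never locked out, while the last line shows that a banned host is rejected even when it finally presents a correct password.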

You may get emails many times or get warnings in your dashboard, but just have a quick look. It will notify you every time about every change in your WordPress files.

Which WordPress security plugins do you use?

I would love to hear from you. Which plugins do you use, and why? It would be great if you could share with my readers here.

Abhishek Balani

I'm +Abhishek Balani, owner of this blog. Computer Engineer (very soon), part time Blogger, a little of gEEk, Technology Lover, Mad for Gadgets, Software Freak, Hardware Junkie, Non-Political, Internet Addict, Funny! My other blogs: GeekOddBlogger, TheDroidCafe, NerdsnGeeks .

107 Comments

  1. Funny thing – I tried this and another security plug-in blocked it. :)

    Seriously, this is a good plug-in, from what I can tell. I run a different combination of things, but this does all the right things, from the looks of it. Good post, Abhi.

    I mean – useful, helpful, educational, and proactively preventive post!

    • Oh really? You know, when I mentioned the hacked site to you, I had a discussion with DiTesco and he suggested that I remove all the plugins (Firewall, other security plugins) and install that one. And really, it’s GREAT.

      WoW! I’m glad you appreciated me that way. Honored. :D

      • Nice Abhi. Glad you found a “better” way to improve your site’s security. It won’t guarantee 100% defense, but making it difficult for someone to do something bad on your site is already a great step. Some will insist, and others will just move on to the next one, to find vulnerabilities.

        • Hello DiTesco,

          Good to see you here. Yeah, I can understand, it can’t assure 100% that the site will not be hacked. But yes, it will surely make it difficult for them.

          Thank you for your visit and comments.

      • It is certain that this plugin can only help the situation a bit, but no one should consider it done because every day there are always new techniques and tricks out there. You rock @Abhi for sharing this.

        • Hey Olawale,

          Yep, site is not secured 100% but it’s secure very much, I think. Better than before, at least.

          Thank you for the awesome comment, my friend.

      • Hi Abhi,

        After installing this plugin, my website goes offline and shows a 500 internal server error.
        Though I like this plugin, I am not able to use it due to this… please advise.

        • Hello Sudeep,

          Have you updated to WordPress’s latest version? It looks like the plugin is the properly working. I don’t understand what they are doing. For now, keep that plugin deactivated until they give an update.

  2. Abhi, unfortunately that friend of yours is me. LOL
    You already told me to install this plugin, and at last we fixed this mess that day.
    And yes, I would like to thank you for publishing this informative post :)
    And yes, there is one more plugin, i.e. “Disable Directory Listing”, as it prevents virtual directory listing services from listing the contents of directories or shows a page in place of a directory’s listing.

    • Hey Luv,

      If you’ll crawl through the options in this plugin, you’ll find that option about which you are talking. Have a look and let me know if I’m wrong. I guess, I did see something like that.

      Thank you for appreciation. :D

    • Hey Ifham,

      If you are not a non techie then I would suggest you to go through the details of the rest which I left. Better prevention better security.

  3. Hey Abhi

    I agree that limiting login attempts and IP blocking are a great idea. I also openly challenged people to hack my wallpaper site as a test, and indeed no one succeeded, but it’s really very hard to secure your system against attackers.

    • Hey Rizwan,

      Yep, both are good in their own way. You know, as I said in my article, I get 2-3 site lockout notifications every day. And if there is a site lockout with the same IP, I ban that user.

      Yes, it’s HARD. But you know, there are so many kids, little unskilled hackers who think they know hacking very well. But actually, whatever they do can be done by anyone. We all know there are tons of articles on Google to hack which is ABSOLUTELY WRONG, I think.

    • Thank you, Sajith! Good to see you around my blog.

      Did you see my strategy where I did share my strategy to get lots of comments on your guest post?

      See in the sidebar, image at the top.

    • Hey Mohd. Afnan,

      It’s good that you have installed this. But it doesn’t guarantee that your blog is completely secured from hackers. But it’s confirmed that after installing this plugin our blog is more secure, better than before, at least.

  4. Hello Abhi,
    Nice post regarding WordPress security. I am currently using two plugins on my site for WordPress security, 1) Secure WordPress and 2) BulletProof Security, and I am very happy with the outcome. It’s also very important to back up your WordPress data on a regular basis, and for that I am using Xcloner. I want to know which one you are using for backup purposes?

    Thank you and have a good day.

    • Hello Jeet,

      You know, this plugin does most of my work on its own. It automatically makes a backup of my database on a regular basis. It secures me from most of the vulnerabilities.

  5. I don’t know how to describe my feelings because at this time I am so happy and sad too. I am happy because I have just read an awesome article on WordPress security, but after reading your article I see a huge security collapse in your blog, and that is your admin username, i.e. “Abhi”, is displayed in all your articles. If any hacker sees this then he can try to unlock your password and get into your WordPress admin page.

    • Hey Zeeshan,

      I am glad you liked my article but “Abhi” is not my username. And even if any hacker will attempt to hack my site then after his 2-3 tries, his IP will be blocked for my site temporarily. And if that IP is again blocked temporarily few times then it will be permanently blocked.

  6. Hi, Abhi
    It is good to read all your content to protect our WordPress blog. But hackers are very smart; even then they can hack. I am telling you this because a person in my team is a certified hacker and network administrator, and when I told him about this article he laughed and told me all this.

    by the way, It is Awesome :)

    • Hello Avinash,

      Yes, I agree with you. And this security is NOT from certified hackers. It is from those unskilled hackers who try to MESS UP others’ sites with Google tutorials and whatever.

      A hacker is not one who can hack a site or change its homepage.

      A hacker is one who can decode a password without the help of any software OR make software himself to decode an encoded password.

      But I guess, our site is more secured from those who just want to play with others.

  7. Thanks for the writeup on my Better WP Security plugins.

    To address some comments, no, this plugin can’t guarantee you won’t get hacked. Nothing can promise you that. The bulk of attacks on WordPress these days aren’t targeted and are simply the result of a bot stumbling across an un-patched vulnerability, weak password, etc. This plugin is designed to take care of those types of issues. If you’re specifically targeted by someone who knows what they’re doing then all bets are off regardless of the countermeasures you have taken.

  8. I found this post very helpful Abhi. I had taken the option to rename my table prefixes before I read this. So far, I don’t see any issues with it on my 2+ year old blog. Hopefully, I dodged a bullet on this one.

    I’m thankful that I read your comments and DiTesco’s recommendation to delete other security plugins. I removed WordPress Firewall. Do you (or anyone else) recommend removing Login Lockdown too?

    • Hello Sherryl,

      I am glad you found this post helpful… I think, YES, you can remove login lockdown too. Because this plugin has that feature. :D

      Let me know if you need any help. Or would you mind giving me a hand? Have a look to the post linked below. :)

      • Hi Abhi,
        After I commented, I poked around the plugin little and saw that feature was included. Thanks for the reply. I’ll check out your entry. I’m a member of Blog Engage. Maybe it’s time I thought about entering one of their contests too.

        • You’re welcome. And if you are a member, too, then it’s good for me, I can expect your vote (Of course, only if you LIKE it). :D

          And then you might have heard about the last contest results. You have gotta look at the following link if you didn’t. :) Thanks for visiting my blog. I hope to see you around. :D

    • You’re welcome, Trung! Please share this plugin with your friends so that they can secure their blogs.

  9. Personally I use WP-Security Scan and harden the rest manually, but I have run into this plugin on a few clients’ blogs and it is very good. Unfortunately I had a client click to fix and completely lock up their site so they couldn’t hit anything: no images loading, no WordPress admin. I had to fix it all from cPanel manually and it was a pain.

    • Well, WE have to take care of this. We can mess up our site if we start playing with something we don’t know. For non-techies I have mentioned which fixes to apply and which not to. Even after these simple fixes I got some questions. :D But they were not a big deal.

  10. Hey Abhi, great post. I am using this plugin, which limits the number of logins to 3. Great plugin, you should check it out.

    • Hello Saad,

      Thank you for the recommendation. But if you look into this plugin, this plugin has a built-in option to limit login.

      Thank you for commenting.

  11. Thanks for the details on the settings for Better WP Security. I haven’t had any problems using the settings you recommend. This is a really great plugin.

    • Hello Braddock,

      Thank you for stopping by!

      Glad you found it useful. If you can return the favor, then please visit my contest entry and show some support by hitting all share buttons and commenting. It’d be great help.

      Thanks, anyway!

  12. Thanks for the plugin… Earlier I was using the BPS security plugin… but now I’m using this one, hope it works fine… :)

    • Hey Shivam,

      This plugin doesn’t guarantee 100% safety, but it works much better and it definitely secures our blog from many vulnerabilities.

      Thank you for your comments. Please have a look at my contest entry linked below. Your support would be appreciated.

    • Thank you, Sai!

      I appreciate your comments. If you can, then please have a look to my contest entry and show some support by hitting all share buttons and commenting. It would be really great.

  13. Hello Abhi, then, installing this plugin will be all about security or some other thing to add?

  14. I am getting an error on my site when using this plugin and got a message saying locked out

    A host, 70.25.46.222(you can check the host at http://ip-adress.com/ip_tracer/70.25.46.222) has been locked out of the WordPress site at http://mysite until Friday, August 3rd, 2012 at 5:14:58 pm UTC due to too many attempts to open a file that does not exist. You may login to the site to manually release the lock if necessary.

    Does this give that error message?

    • This is not an error. It’s just reporting. If you get lockout notifications from the same IP address again and again then it means someone is trying to hack your site from that IP address. Then you can go to this plugin and add that IP address to BAN hosts to ban that user from your site.

      Let me know if you get that. There’s nothing to worry.

  15. Is it true that plugins make sites slower?

    And what do you think of only using a plugin that blocks login attempts after 3 or so, and doing all the other tricks like backups etc. manually? Would it be the same?

    • Hey Ariel,

      Yes, a few plugins may make sites slower, especially those 404 plugins. But not necessarily all plugins; actually, most plugins don’t.

      Yes, you can use that plugin, to lock users out after few attempts but it will secure you only from those brute force attacks.

      There are many other things we need to take care of when it comes to security like .htaccess files (especially this one, I see a lot of cases when hackers play with this file if they are left open).

      Let me know if you need any more help.

  16. Abhi, in what way does this plugin protect .htaccess files?

    And the backups are sent by email; do you mean the site files are in the email? If so, I think I have read somewhere that, for example, in HostGator it is possible to make backups, is that correct? Then which one would be better?

    • To protect .htaccess files, maybe the plugin fixes the values for the files. I am not so sure, though.

      Yes, the backups are sent to your email address and, if you wish, instead of getting a regular backup email, you can get the backup file uploaded to your WordPress directory, which can be accessed later via FTP.

      Yes, hosting services provide this back up service, and it’s good. But they charge money for this.

      Contact me through my contact form if you still have any doubt.

  17. Wow! This is really useful guide on best WP security plugins. I didn’t know about Better WP security plugin, it seems to be a really good plugin. Well, I’m using Login Lockdown to limit login attempts, it is a useful plugin. Thanks Abhi for this excellent post :)

    • Hello Nizam,

      The login lockdown option is there in this plugin. And there are some more freaking awesome options within the plugin. You can try it.

      Thanks for the comments. I hope you shared.

    • Hello Enstine,

      I am glad you liked it. Don’t forget to share this with your friends. Isn’t it a very useful plugin? :)

  18. Thank you for sharing this post, Abhi. I needed the tips on enabling the plugin. It seemed like I was trying to learn a new language, but your how-to made setting this up easy. Thanks.

  19. Sounds like something that is worth a try. Especially I love item #7 where I can disable dashboard login when I go to sleep; sweet :)

    • Right, Jane! It’s worth a try. I was getting so many hacking attempt emails. Now they have all stopped, because hackers know my site is not THAT MUCH vulnerable so they skip it.

      And about disabling the dashboard, sometimes, when I am up late, my blog kicks me out of my dashboard after the time I have set up. LOL!

      Thanks for adding your comments, Jane.

      Take care while installing the plugin, I know you will but still. :)

  20. I think most people don’t think twice about their blog’s security until it’s too late. Thanks for sharing this plugin with us, I will be installing it soon.

    • Right, Ian!

      People think about security when it’s too late or when they have met some security issues already.

      I am glad I did it before someone hacked my account. :)

  21. HI Abhi, I was installing this plugin the other day, then i stopped and did not activate it when it asked which you mentioned in header tweaks. Abhi explain please, why you kept first two points in header tweaks?

    Waiting…

    • Hey Hassan,

      If you did read carefully, I mentioned in point #2 – “Check all three options there.”

      You have to check all three options in header tweaks. They are not necessary for our blog and they also make our blog vulnerable in front of others.

      Let me know if you need any help regarding this.

        • How many times will I have to confirm the same thing? I already did two times.

          YES, We have to check all three.

          Don’t worry. Just make a back up before starting the process. Okay?

          If you still find any problem, contact me through the contact form. I will be happy to help. :D

          After you are done with this plugin, please take a minute to visit the link below and write some comments. That’d be great.

          Thank you!

  22. Hey Abhi,

    Really nice plugin. I was searching for something that gives some nice security options, and it seems that this one gives all that we need.

    Do you know maybe some other plugins, or is this one really the best? :)

    Thanks for the info, and keep up the great work…

  23. Great review. This plugin really gives lots of options to configure your security. And personally I am using it to at least make my blog secure.

  24. Thanks Abhi, I am using this plugin for the first time. Before this I used BulletProof, but I think this one is better.
    And thanks to you for your help with setting up this plugin.

  25. I’m afraid it will trash my site. I tested this on my backup wordpress and it did some very bad things to the site.

    For now I’m using Pie Register – which at least adds reCAPTCHA for users wishing to register, and then I have to approve them.

    It’s a start at least (and thanks for showing it to me too!)

    • The pleasure is all mine, Kharim!

      I did sum up few useful plugins to use in 2013 in one of my previous posts. You might wanna check it out, too.

      Thanks for stopping by, my friend.

    • Hello Sudeep,

      I am trying to find a best plugin like this one for now. But please install login lockdown and wordpress firewall 2 for now for security. I will update the information on Fanpage as soon I get a good working plugin about security.

  26. Hi Abhi,
    At the WP repo, I found alternatives to your recommendations and I felt that I should share them.
    I installed Simple Login Lockdown, which is very similar to what you stated, but the plugin is an updated one.
    I also installed OSE Firewall, which is again updated and does lots of work. You can even show a security seal on your website.

  27. Abhi, I would also request you to review the OSE Firewall plugin. I know it’s not so deadly like we are used to, but surely a good alternative till the time we do not get a best one.

  28. Hey Abhi-

    How are you?

    Is there a way to rename the login, register and admin urls without any plugin?
    I have already googled it but can you please tell me a fool-proof way.

  29. Can you tell me what to do about this message I got when using this plugin?
    Your database contains 65 404 errors

    • Hello Tisa,

      I have never seen any error like this. Please try Google or plugin site for solution. I will surely get back if I find any solution.

  30. Wow finally! a security plugin worth looking into and since the wordpress attack this can be the perfect solution to fight hackers. Thanks for the awesome post.

  31. Abhi -I’m not a happy camper with this plug in. I followed all the instructions and got to #10. It took me to a page where I’m supposed to click some boxes and add IP addresses in the boxes. It then recommended this http://hackrepair.com/how-to-block-bots-from-seeing-your-website-bad-bots-and-drive-by-hacks-explained as a good site where you could get the IP addresses. So I copied those and put a few of them into the boxes to test. I got a 500 Error code and now cannot open or access my site from anywhere. It’s a nightmare!

    I DID do a backup.
    Do I make a dummy site and import the backup into that through PhP my Admin on my Cpanel? Or do I need to use the FTP client to access it and remove the entire Better WP plug in and then start over?

    I have checked and my database is OK – but I can’t get into the site.
    Help?!
    Thanks for a great article that I WISH I had read before trying to do this plug in on my own!!!!
    Vickie

    • I would suggest you to first login to your FTP and rename your .htaccess file to something else and create a blank file and name it .htaccess. See if you can login after that or revert back.

  32. Hi Abhi – thanks. But it didn’t work. Turns out I’m not the only one – http://wordpress.org/support/view/plugin-reviews/better-wp-security?filter=1
    Do you know – if I go in through FTP can I just delete this plug in? Or if I’m getting a 500 error code, is it holding my .htaccess file hostage?

    What a mess. As the above link states – if you aren’t comfortable doing a lot of coding in the back end of your WP site, don’t use this plug in. It’s not as intuitive as some users make it sound.

    • Hey Vickie,
      You must have noticed in #16: it changed the file permissions of wp-config and .htaccess. It does that to enhance security. It also modifies our .htaccess file.
      That is why I asked you to try with the .htaccess file.

      You should NEVER delete the plugin directly from cPanel. Doing that doesn’t completely uninstall the plugin, which may cause problems later in your DB. I have experienced that.

  33. Abhi and other readers – here’s what I did to fix it (Yeah!)
    1. I’m on a Cpanel, so I went in to plug ins in the root file and deleted Better WP Security.
    2. I found the .htaccess file and changed permissions from 644 to 677, then edited out everything from #Better WP Security all the way down to #Begin WP
    3. Saved file
    4. Changed permissions back to 644
    5. Refreshed page and voila! My site is back up.

    Thanks for the guidance and info on this program. I think there are different levels of “newbie” and some of us just shouldn’t be messing around in the section of Better WP that has you listing blocked sites and agents…
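Steps 2 to 4 of the fix above, as an added Python example (not part of the original comment and not the plugin's own tooling): it backs up the file, removes the plugin's block and writes the result back with mode 644, so the file is never made world-writable along the way. The marker strings and the sample file are assumptions modelled on the comment; compare them with your own .htaccess before running it.

```python
import os
import shutil
import tempfile

# Assumed marker text, modelled on the comment above; check your own file first.
PLUGIN_START = "# BEGIN Better WP Security"
WORDPRESS_START = "# BEGIN WordPress"


def strip_block(text, start=PLUGIN_START, stop=WORDPRESS_START):
    """Drop the lines from `start` up to (not including) `stop`.

    Raises ValueError when either marker is missing, so a file that does not
    look as expected is never truncated.
    """
    lines = text.splitlines(keepends=True)
    norm = [ln.strip().lower() for ln in lines]
    try:
        first = norm.index(start.lower())
        last = norm.index(stop.lower(), first + 1)
    except ValueError:
        raise ValueError("expected markers not found; file left untouched") from None
    return "".join(lines[:first] + lines[last:]), lines[first:last]


def repair_htaccess(path, start=PLUGIN_START, stop=WORDPRESS_START):
    """Back up `path`, remove the plugin block, and replace the file atomically."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    cleaned, removed = strip_block(original, start, stop)  # raises before any write
    backup = path + ".bak"
    shutil.copy2(path, backup)                             # keep the broken file for review
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(cleaned)
    os.chmod(tmp, 0o644)     # owner read/write, everyone else read-only
    os.replace(tmp, path)    # atomic swap on the same filesystem
    return backup, len(removed)


# Constructed sample file; the rules inside the plugin block are placeholders.
SAMPLE = """\
# BEGIN Better WP Security
Order allow,deny
Deny from 203.0.113.9
Allow from all
# END Better WP Security

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def demo():
    """Run the repair on a throwaway copy of SAMPLE and return the results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".htaccess")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        backup, removed = repair_htaccess(path)
        with open(path, encoding="utf-8") as fh:
            cleaned = fh.read()
        mode = oct(os.stat(path).st_mode & 0o777)
        return cleaned, removed, os.path.exists(backup), mode


if __name__ == "__main__":
    print(demo())
```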

    • I am glad you were able to solve the problem.
      You are right, this plugin is a little complicated if you don’t know this stuff. But there are lots of tutorials on the plugin.

      Thanks for putting the solution of your problem. :)

      Keep visiting OddBlogger. :D
