If there’s one aspect of your online business that you absolutely can’t afford to be sloppy about, it is website security.
I remember just a couple of days after our first major acquisition in my earlier startup, we found ourselves locked out of our own website. I can never forget that horrible, stomach-churning feeling and helplessness.
Anyways, that’s another story for another day.
The point is, irrespective of whether you own a personal blog, a small business website or a large e-commerce site, you’ve simply got to take your website’s safety seriously.
In this post, I start with explaining a few basic terms that are commonly used while discussing website security.
I then go on to list key features that every security plugin should include, while also checking alongside if SolidWP’s Solid Security plugin includes that feature.
Table of Contents
Scary Statistics
Sucuri recently published a mid-year security report for 2023, based on data gathered via its free website security checker tool.
Here are a few interesting data points (based on data collected by Sucuri from January 2023) that show you just how widespread hacking attacks are –
Number of websites scanned by Sucuri – 54,743,804
Number of websites found infected – 628,085
Number of websites that contained blocklisted resources – 851,164
According to Sucuri’s SiteCheck, the most common problem with the compromised websites was injected malware and redirects, closely followed by SEO Spam. Injected malware and redirects were responsible for nearly 61.84% of the total website infections detected by SiteCheck.
Worrying enough for you to make sure you’ve done enough to harden your website.
The Basics
If you would like to familiarize yourself with some of the terms used in this article read through this section.
Pros, jump to – “Choosing the right security plugin“
What is a cyber threat?
A cyber threat is any malicious activity carried out by individuals or groups that targets computer systems, networks, or users with the intent to compromise data, disrupt operations, or gain unauthorized access.
These threats range from common malware infections and ransomware attacks to more sophisticated hacking techniques like phishing, denial-of-service (DoS) attacks, and advanced persistent threats (APTs).
Cyber threats exploit vulnerabilities in software, weak security practices, or human error.
The consequences of cyber threats can be severe, including financial loss, data breaches, damage to your reputation, and even legal repercussions.
It’s important to stay alert, employ proper security measures, and keep your WordPress website protected against these ever-evolving cyber threats.
What is a Brute Force Attack?
A brute force attack is a method used by hackers to gain unauthorized access to a website by systematically trying every possible combination of usernames and passwords until the correct one is found.
This method relies on the assumption that weak or commonly used passwords can be easily guessed given enough attempts. Unfortunately, more often than not, that assumption is true.
How do Brute Force Attacks Work?
Brute force attacks utilize automated bots or tools that attempt to log into a website’s login page using various combinations of usernames and passwords. These powerful tools can try thousands, or even millions, of combinations per second.
Once the correct credentials are successfully guessed, the attacker can gain access to the website, take over your website, and even lock you out.
What are biometric passkeys?
Biometric passkeys, also known as biometric authentication or biometric identifiers, are a cutting-edge form of security that uses unique physical or behavioral characteristics to verify a person’s identity.
Instead of relying on traditional passwords or PINs, biometric passkeys use features like fingerprints, facial recognition, iris scans, or voiceprints to authenticate users.
These biometric traits are highly individual and difficult to replicate, making them a secure and convenient way to access devices, accounts, and systems.
Biometric passkeys also eliminate the need to remember complex passwords and provide a friction-less user experience.
What are malware injections?
Malware injections are a form of cyber attack where malicious software is injected into legitimate websites, allowing hackers to gain unauthorized access to sensitive information and cause severe damage.
These injections can occur through various means, such as vulnerable plugins, outdated software, or weak passwords.
Once the malware injection takes effect, it can redirect users to fake sites, steal login credentials, or install additional malware on the victim’s device.
Malware injections can be challenging to detect and pose significant risks to both website owners and their visitors. Which is why it is important to implement security measures such as regular updates and malware scans to protect your WordPress website against malware injections.
What is Turnstile by Cloudflare?
Turnstile is a security mechanism by Cloudflare that enables website owners to create gateways that protect their content and regulate access.
It’s a user-friendly solution that improves website security while also providing simple ways to connect with visitors.
For example, you can use Turnstile to implement several different gating strategies, like email gating, which requires users to provide their email addresses to access certain content.
Turnstile offers various customization options, so you can match the gateway to your brand’s aesthetic and objectives. It really is a powerful tool that can help you tailor your browsing experience to meet your needs. For those who are looking to protect their website without compromising on user experience, Turnstile by Cloudflare is highly recommended.
What is hCaptcha?
hCaptcha is a security tool that is designed to prevent bots and human abuse on websites. It serves as an alternative to traditional CAPTCHA systems and uses artificial intelligence technology to differentiate between humans and automated bots.
This allows website owners to protect their online forms and prevent spam and abuse while providing a more user-friendly experience for real humans.
hCaptcha offers a range of features, including easy integration with existing websites and plugins, comprehensive security measures, and support for accessibility standards such as Section 508 and WCAG 2.1 AA.
By deploying hCaptcha, website owners can improve security, ensure that online services are accessed by genuine users, and streamline user experience.
Sources:
hCaptcha – Stop bots and human abuse
Moving from reCAPTCHA to hCaptcha – The Cloudflare Blog
Why Solid Security
Solid Security (then iThemes Security) caught my attention while doing research for an article that I was writing about biometric passkeys. Back then, my focus was only on passwordless logins specifically. So while I was impressed with what iThemes had done, I didn’t quite take the time to explore what else the Solid Security plugin had to offer.
Which is why I am revisiting the plugin now and reviewing it in its entirety, to see if it really is one of the best security WordPress plugins out there.
Choosing the Right WordPress Security Plugin
Now, that you are familiar with the basics of website security, let’s talk about what you should look for while choosing the best WordPress security plugin for your website.
Read on for a list of basic features that any security plugin should include, to make your website reasonably safe from hackers.
Against each requirement, I’ve also made a note of whether Solid Security plugin handles that feature.
Firewall Protection:
A strong firewall is the first line of defense against malicious attacks. Look for a security plugin that offers a web application firewall (WAF) to monitor and filter traffic to your website. A WAF can detect and block suspicious activities, such as hacking attempts, DDoS attacks, and unauthorized access, preventing them from reaching your site.
Does SolidWP’s security plugin handle firewall protection?
Yes. The Solid Security plugin offers firewall protection using an in-built integration with Patchstack, that continuously checks for plugin vulnerabilities, instantly setups firewall rules to protect your website and also deploys patches to fix these vulnerabilities automatically.
Brute Force Attack Prevention:
Brute force attacks involve repeated attempts to guess login credentials and gain unauthorized access to your site. Your WordPress security plugin should include features like login attempt limiting, CAPTCHA integration, and IP blocking to protect against brute force attacks. These features help safeguard your website by preventing unauthorized access through repeated login attempts.
Does Solid Security plugin handle brute force protection?
Yes. Solid Security can offers efficient mechanisms to handle brute force protection can block malicious bots using powerful tools like Turnstile, reCAPTCHA, and hCaptcha.
Strong User Authentication:
To enhance the security of user accounts, look for a security plugin that offers multiple options for strong user authentication.
Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide additional verification beyond their usual login credentials. This helps protect against unauthorized access even if passwords are compromised.
And if your plugin allows passwordless login using biometric passkeys, that is the ultimate way to securely login into your website.
Does SolidWP support strong user authentication?
Yes. Solid Security supports two-factor authentication and biometric passkeys, making it’s user authentication process super-strong. If you prefer to stick to old school login methods using a user-created password, you can still force your users to create strong passwords.
Vulnerability Scanning and Patch Management:
Regularly scanning your website for vulnerabilities and promptly applying patches is critical for maintaining a secure WordPress site. Look for a security plugin that provides vulnerability scanning capabilities and offers automatic updates for vulnerable plugins or themes. This feature ensures that your site is protected against known vulnerabilities in your installed software.
Does Solid Security WordPress plugin offer vulnerability scanning?
Yes. Solid Security plugin integrates with Patchstack, that allows you to scan for vulnerabilities and also update your site automatically whenever a patch becomes available to handle a vulnerability.
Security Audit Logs:
Having access to comprehensive security audit logs can help you track and analyze security-related events on your website. Look for a security plugin that keeps a log of activities such as login attempts, file modification, and plugin updates. This enables you to identify any suspicious behavior and take action to address potential security concerns.
Does Solid Security create activity logs?
Yes. Solid Security creates activity logs for important actions on your website, so that you can refer to these logs later, to detect suspicious behavior – log ins, log outs, account creation and deletion, addition or removal of plugins, changes to posts or pages and switching themes.
User-Friendly Interface:
Last but not the least, consider the usability and user-friendliness of the security plugin. Look for a plugin that offers a clear and intuitive interface, allowing you to manage security settings and monitor your site’s security easily. A well-designed user interface can save you a lot of time and effort while maintaining a secure WordPress site.
Does Solid Security have a user-friendly interface?
Image Credit : https://solidwp.com/blog/ithemes-security-pro-feature-spotlight-wordpress-security-dashboard/
Yes. Solid Security has an easy-to-understand visual dashboard that shows you everything that you need to know about your website’s security in a single consolidated view.
Regular Backups:
While not directly a security feature, regular backups are crucial in case of a security breach or unexpected data loss. A good WordPress security plugin might provide automated backup functionality, allowing you to easily restore your site to a previous state if needed. Look for a plugin that offers both full site backups and incremental backups for efficient storage usage.
Does Solid Security WordPress plugin offer backups?
Like I said earlier, this is not really a security feature, so Solid Security itself doesn’t offer backups, but if you go in for SolidWP’s Suite of products, this plugin fits nicely along with Solid Backup, which can backup your website and restore it as well.
Getting Started with SolidWP
Based on the features listed on its website, SolidWP’s (previously iThemes) security WordPress plugin shows plenty of promise. It literally ticks everything you could ever want from a security plugin, so I decided to take it for a spin.
Here’s how to get started with Solid Security –
Activate your license
Enter your SolidWP account credentials to activate your license. Beginners might need help with this, since it is not all that intuitive.
Solid Backup integrates with PatchStack, but you need to purchase a license separately for PatchStack, for the two to work together.
Customized Wizard – What type of website?
This is actually neat, because the wizard is tailored based on what type of website you are using this on.
Preconfigured Settings – Whose website is it?
If you are setting up Solid Security for a client, then you might need to create different privileges for them, hence the question.
Password Policy
Setting up a strong password policy is absolutely necessary so that login credentials are not hacked easily. If you decide to enforce it, the password will be checked against a database by have i been pwned and rejected if it is listed there.
Strengthening your logins – using 2fa
Solid Security allows you to force users to use 2fa Two Factor Authentication to sign in, adding an extra layer of protection.
Global Settings
Login Security
One of the best features of Solid Security is its ability to login using biometric passkeys. In other words, it allows users to log in via mechanisms like fingerprints, face id etc., getting rid of passwords completely.
Firewall Settings
Site Check
User groups
Notifications / Alerts
In Conclusion
Solid Security definitely ticks all the boxes and I haven’t been able find any shortcomings so far.
The plugin has seen continuous improvements to keep up with the latest security methods, like biometric keys, integrating with Patchstack, Turnstile etc.
Coupled with the fact that it is developed by a strong knowledgeable team that also offers stellar customer support, I would say it is definitely one of the best security plugins you can use for your WordPress website.
Maintaining the security of your website is really important and selecting a reliable security plugin is the first step towards ensuring you are in safe hands.
Stay proactive, keep your plugins and themes updated, and regularly monitor your site’s security to stay one step ahead of potential threats.