You don’t want to lose your hard work and see your site go down. Website owners, especially those using popular CMS platforms like WordPress, face numerous threats ranging from relatively harmless (but undoubtedly annoying) spam, to serious hacking attempts that can take down your website and irreversibly delete your data.

Most of us tend not to worry about security until it’s too late, but it’s not something you ever want to overlook. The repercussions can be very serious.

WordPress is a great platform and they do an excellent job with security and releasing swift updates for any vulnerabilities, however due it its popularity and uniformity within the file and database structure, there are many ways that your site is left exposed.

There is no need for alarm however, as there are numerous free or premium plugins that you can easily install and set up on your WordPress website to stay protected. Using these plugins will go a very long way in ensuring that your website is protected against any threat.

We want to see Canadian businesses thrive so here is our list of five top recommendations for free plugins that will keep your website safe:

5. Sucuri

One of my favourite plugins when it comes to keep your website protected and secured is Sucuri. This plugin just needs to be activated and immediately your website will be protected from malicious users.

The way Sucuri works is that it constantly monitors your website files and notices if anything suspicious has been added or if any of your files have been modified. This plugin has saved me on numerous occasions and I highly recommend it as a tool for preventing hacking, and also for restoring your site after a hack.

The plugin works effectively right out of the box, but it has many advanced configurations that can be activated to protect your website further. Only tweak those settings if you are aware of what they do, otherwise you could make the security so robust that you limit your own access. While it won’t break anything on your website, it could cause issues with restrictions.

It has a premium version as well if you want to upgrade which is definitely recommended for larger sites or those facing constant attacks. However, the free version does an excellent job of protecting your website.

Sucuri Security

4. WordFence

Another great security plugin you can use on your website is WordFence. It’s the most popular security plugin with over 22 million downloads. WordFence is similar to Sucuri in that it protects you from hacking attempts and malware. It also uses an integrating caching method that they claim makes your website up to 50x faster.

Because of it’s popularity, it’s very well maintained and updated frequently. They also have extensive documentation to reference and a very active support forum.

Some of the features that come included with WordFence is a powerful firewall, live traffic view, and a full site scan. WordFence has live protection to ensure that you are always secured against any attacks.

WordFence also has a premium version that they offer. With the premium version you get additional features such as premium support, country blocking, scheduled scans, and several more. This is a very powerful security plugin and highly recommended for any WordPress website.

WordFence

3. Updraft Plus

One of the foremost tools that every website owner needs to utilize is to have regular backups of your entire website. This is absolutely critical because once your data is lost, you are generally out of luck.

Hosting providers do usually provide some form of limited back ups, but it’s definitely not something you should rely on. Instead, protect your website by installing a backup plugin.

There are numerous great options to choose from when it comes to a backup plugin, and my recommendation goes to Updraft Plus.

This is a free, easy to use plugin, that has several great features. You can set it up to create backups of your website automatically, and it will also backup your website before you make any updates to your themes or plugins that could override. your data.

Updraft Plus

2. Google Captcha

The best way to prevent spam coming through your website forms is to add a captcha that forces users to verify they aren’t robots. Captchas can come in many different forms, most of them annoying to fill out, but the best of these is undoubtedly the Google Captcha.

Chances are you’ve seen Google Captcha numerous times around the net, it merely asks you to check a box to verify you are human. It may seem simple on the surface, but there is actually an intricate algorithm behind it that detects ‘natural’ movements from the fabricated ones by analyzing various patterns such as your cursor movement prior to clicking the checkbox.

This plugin allows you to setup the captcha on your website with relative ease. It will also give you the option of adding it on your login screen to prevent those incessant login attempts from the bots.

A captcha is a great tool at limiting the number of spam entries you receive and login attempts. While it may not remove all of them completely, it is incredibly effective and will cut the spam down significantly.

Adding a captcha is mostly aimed at reduced spam, but also at limiting automated temps to log into your WordPress. All those entries clogging up your mailbox can get pretty annoying, and on top of that they use up your space bandwidth. Being able to curb that by simply activating this plugin is an obvious choice.

Google Captcha

1. WP Security Audit Log

This simple plugin allows you to keep track of all the activity happening on the back end of your site. You will be able to notice any suspicious activity and which user/IP address this came from though your WordPress dashboard. It’s really simple to use and there is essentially no setup involved beyond just activating the plugin.

I often have this plugin enabled in my arsenal as you always want to be in the loop at all the activity happening on your website. If there is sign of trouble, you can pinpoint exactly where it originated. Otherwise, you may be left out in the dark.

The other benefit of this is that you will have a log of all the activity that you can reference in the case that something may go wrong. It will inform you of any updates to WordPress, themes, or plugins which might have occurred, any blog posts that have been created or deleted, failed login attempts, and several other instances.

This plugin like many of the others on the list, also has a premium version available. This allows you to receive premium support from the authors of the plugin and offers several additional features. There are also many useful add-ons available add onto this plugin such as receiving email notification on any changes you specify. This way you can also stay on top of what’s happening on your website in the background and be immediately altered to any unwelcome activity.

WP Security Audit Log

Additional WordPress Security Best Practices (Beyond Plugins)

Now, while plugins are powerful tools for securing your WordPress website, relying solely on them isn’t enough. There are several manual steps you should also take to strengthen your site’s defenses. Implementing these measures alongside your security plugins will create a robust security setup.

1. Use Strong Passwords and Enable Two-Factor Authentication (2FA)

The easiest way for hackers to gain access to your site is through weak passwords. You should ensure that all users, especially for admin users, are using complex passwords that include a mix of upper- and lowercase letters, numbers, and special characters.

• Password Management Tools: Use password managers like LastPass or Bitwarden to create and store strong, unique passwords for every user account.
• Enable Two-Factor Authentication (2FA): Even if a hacker obtains your password, 2FA adds another layer of protection by requiring a second form of authentication, such as a text message or an app-generated code, before logging in.

2. Limit User Roles and Permissions

WordPress allows you to assign different user roles (Administrator, Editor, Author, etc.) with varying levels of access to your site. Always follow the principle of least privilege—only give users the minimum level of access necessary to perform their tasks.

• Avoid Using “Admin” Username: Never use “admin” as a username, as it’s often the default target for hackers during brute-force attacks. Create a unique username for the administrator account.
• Audit User Roles Regularly: Ensure that user roles are reviewed periodically. Remove or downgrade access for users who no longer need elevated privileges.

3. Regularly Update WordPress, Themes, and Plugins

Outdated software is one of the most common entry points for hackers. WordPress, as well as its themes and plugins, regularly release updates that include patches for known vulnerabilities.

• Core Updates: Always update your WordPress installation to the latest version as soon as possible. You can enable automatic updates for minor versions or security releases.
• Plugins and Themes: Don’t forget about plugins and themes, which can also contain vulnerabilities. Keeping these up to date is crucial for your website’s security. Consider removing any plugins or themes that are no longer supported or actively maintained by their developers.

4. Secure Your Hosting Environment

Your hosting environment plays a significant role in the security of your website. Even if you’ve secured WordPress itself, a compromised hosting environment can still lead to vulnerabilities.

• Choose a Reliable Host: Opt for a hosting provider that offers WordPress-specific security features like daily backups, firewalls, and DDoS protection.
• Use SSL Certificates: Ensure your site has an SSL certificate, which encrypts data transmitted between the server and the user. Most reputable hosts now offer free SSL certificates through Let’s Encrypt.
• File Permissions: Restrict file permissions on your WordPress files and directories. Typically, directories should have permissions set to 755, and files to 644, to prevent unauthorized access.

5. Regularly Backup Your Website

Even with the best security measures in place, there’s always the possibility that your site could be compromised. Having a solid backup strategy ensures that, in the event of a hack, you can quickly restore your site to a previous version with minimal data loss.

• Automated Backups: Schedule automated daily or weekly backups of your entire website, including the database and files. Ensure that backups are stored off-site or in a cloud storage solution like Google Drive, Dropbox, or Amazon S3.
• Backup Before Major Changes: Always perform a backup before making significant changes to your website, such as updates to WordPress core, themes, or plugins.

6. Limit Login Attempts

By default, WordPress allows unlimited login attempts, which can leave your site vulnerable to brute-force attacks. You can reduce this risk by limiting the number of times a user can attempt to log in before their account is temporarily locked.

• Configure Login Limits: Some plugins (like Limit Login Attempts Reloaded or Login Lockdown) let you control how many times a user can try to log in before getting blocked. This will discourage automated bots from trying multiple password combinations.

7. Monitor Your Site for Suspicious Activity

Even with all the above measures, it’s crucial to monitor your site for signs of suspicious activity or potential breaches.

• Activity Logs: Use plugins like WP Security Audit Log to track changes made to your site, including login attempts, file changes, and plugin or theme modifications.
• Malware Scans: Regularly scan your site for malware or unusual activity using tools like Sucuri or WordFence. These tools can help you quickly identify and neutralize threats.

Final Thoughts

When we work with our clients from Toronto, we always make sure that their websites are set up securely right from the onset. In fact, we have developed website maintenance packages that cover all the elements discussed in this article.

With WordPress being such a popular platform, there are thousands of plugins for various security functions to choose from. Chances are if you have a concern about something or are looking for a specific solution, there is a plugin that is perfect for your needs.

Your website being compromised has more far reaching detriments than you may realize such as google penalizing your website and ranking you lower in their search results. Also your traffic will take a huge hit if your site is inaccessible which could affect your revenue.

While there is no such a thing as being 100% secure, any steps you take will go a long way in keeping your website protected. Even the most secured websites can still be infiltrated, but it’s better to be protected against 95% of vulnerabilities than 5% in any circumstance.

If you are just starting out and have a relatively small business, you might think that you won’t be target, but that’s not a chance worth taking. At the very least, there are automated scripts and robots always probing the web for vulnerable insecure website.

Don’t take the security of your website lightly and become another victim, get yourself secure and enjoy the peace of mind.

Michael Kogan

Michael is a senior full-stack developer with 10 years of professional experience working on a wide range of projects and environments with a background in digital marketing and UI/UX design to structure websites with the end-user in mind.