D.K. Smith – WordPress Security Handbook: Facts & Fiction

Layer Nine: Security Plugins

Simple is better!  We believe giant multi-functional plugins are not the best approach to WordPress security.

• WP Security Scan, use it once to check install, then delete it.
• protect your admin with Limit Login Attempts
  • Simple Login Lockdown is also good
• WP Fortress - improved version of custom WordPress firewall we install on client sites.
• WP Intrusion - our perimeter security alarm that detects hacker probes and more.
  • get both plugins if you "attended" the meetup

For Annabelle... who should not have to deal with working, a baby, and spam too!  Try these...

• Akismet still works well and is worth paying for!
• add the Anti-spam plugin
• Anti-Spam Bee is an effective anti-spam plugin

IMHO, monitoring is not an effective method of securing WP... typically provides a false sense of being secure

• "OOOPS, your site has been hacked... we'll fix it"
  • MUCH BETTER to keep hackers out in the first place
• on-site monitors often generate lots of false positives
  • after a while site owners ignore all changes
• some things change... many site owners don't know if file changes are okay or bad
• okay to use monitoring if it's part of a comprehensive security plan