Wordpress / PHPSite Security

Security Issues and Security Plugins Recommendations

This document is a collection of security issues and security plugin recommendations for WordPress.

Security Issues

  • Absence of data encryption (traffic sent in the clear)
    • Make sure a valid TLS (SSL) certificate is installed, the WordPress Address and Site Address settings use https://, and all HTTP requests redirect to HTTPS, so that logins and form submissions are never sent in plaintext.
  • Form spam
    • Add a honeypot field (hidden from humans; reject any submission where it is filled in).
    • Add Google reCAPTCHA.
    • Add server-side validation for fields (required fields, email format, length limits). Browser-side validation alone can be bypassed by posting directly to the form handler.
    • Plugin recommendations: the three methods above prevent most spam. The following are additional recommendations.
      • Akismet: blocks spam comments and spam in contact form submissions.
      • Gravity Forms Email Blacklist: specific to the Gravity Forms email field. It blocks individual email addresses, email domains, or email top-level domains (e.g. *.com).
  • Vulnerable plugins and themes
    • Keep WordPress core, plugins and themes updated, and remove plugins that are no longer maintained.
    • Plugin recommendations
      • Defender Pro: malware scanning. It scans core and plugin files and lists unknown files, known vulnerabilities, and suspicious code.
  • Too many login attempts (brute force)
    • Plugin recommendations
      • Defender Pro
        • Login lockout: set how many failed login attempts within a given time period trigger a lockout.
        • Mask login URL: replace the default wp-admin or wp-login.php path with a custom slug.
        • Two-Factor Authentication.
        • IP block/allowlists: add IP addresses to the blocklist or allowlist to permanently block them or always allow them to access the website.
        • Force password reset: require users to change their password on next login after a security breach.
      • Secure Admin IP (lightweight plugin only for login and admin access)
        • Whitelist IP addresses: only IPs on the whitelist can reach the login and admin pages.
  • Plugin conflicts
    • Remove unused themes and plugins. An inactive plugin is still code on the server that can be reached directly or re-enabled, so deleting it removes that attack surface (for example, an unused WooCommerce install with a known vulnerability).
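As an added example (not code from the original notes or from any of the plugins listed above), here is a minimal must-use plugin that implements the honeypot and server-side validation methods in plain WordPress PHP, plus an address/domain/TLD blocklist in the style of Gravity Forms Email Blacklist. reCAPTCHA is left out. The `example_*` names, the `website_url` honeypot field, and the blocklist entries are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Contact Form Hardening
 * Description: Added example (not from the original notes or any listed plugin):
 *   honeypot field, server-side validation and an e-mail blocklist for a
 *   simple contact form. All names and blocklist entries are hypothetical.
 */

// Hypothetical blocklist. Entries are a full address, a domain, or "*.tld".
const EXAMPLE_BLOCKED_EMAIL_PATTERNS = array( 'spammer@example.org', 'spam-domain.example', '*.invalid' );

// Shortcode [example_contact_form] renders the form.
add_shortcode( 'example_contact_form', 'example_render_contact_form' );
function example_render_contact_form() {
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_contact">
        <?php wp_nonce_field( 'example_contact', 'example_contact_nonce' ); ?>
        <label>Email <input type="email" name="email" required></label>
        <label>Message <textarea name="message" required></textarea></label>
        <!-- Honeypot: moved off-screen, hidden from assistive tech, excluded from
             tab order. Humans never fill it; bots that populate every input do. -->
        <div style="position:absolute;left:-10000px" aria-hidden="true">
            <input type="text" name="website_url" tabindex="-1" autocomplete="off">
        </div>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
}

// admin-post.php routes the POST here for logged-out (nopriv) and logged-in users.
add_action( 'admin_post_nopriv_example_contact', 'example_handle_contact' );
add_action( 'admin_post_example_contact', 'example_handle_contact' );
function example_handle_contact() {
    // Nonce: ties the POST to a form this site rendered (CSRF protection, not anti-spam).
    $nonce = isset( $_POST['example_contact_nonce'] ) ? sanitize_key( $_POST['example_contact_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_contact' ) ) {
        wp_die( 'Invalid request.', 'Error', array( 'response' => 403 ) );
    }
    $thanks_url = add_query_arg( 'contact', 'sent', home_url( '/' ) );

    // Honeypot tripped: silently drop the message but answer exactly like a
    // success, so the bot gets no signal that it was detected.
    if ( ! empty( $_POST['website_url'] ) ) {
        wp_safe_redirect( $thanks_url );
        exit;
    }

    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    $errors  = example_validate_contact( $email, $message );
    if ( $errors ) {
        wp_die( esc_html( implode( ' ', $errors ) ), 'Invalid submission', array( 'response' => 400 ) );
    }

    wp_mail( get_option( 'admin_email' ), 'Contact form message', "From: $email\n\n$message" );
    wp_safe_redirect( $thanks_url );
    exit;
}

// Server-side validation. The browser's "required" / type="email" attributes are
// advisory only; a bot posts straight to admin-post.php and skips them.
function example_validate_contact( $email, $message ) {
    $errors = array();
    if ( ! is_email( $email ) ) {
        $errors[] = 'A valid email address is required.';
    } elseif ( example_email_is_blocked( $email, EXAMPLE_BLOCKED_EMAIL_PATTERNS ) ) {
        $errors[] = 'Messages from this email address are not accepted.';
    }
    $len = strlen( $message );
    if ( $len < 10 || $len > 5000 ) {
        $errors[] = 'The message must be between 10 and 5000 characters.';
    }
    // Spam is link-heavy; more than two URLs in a short contact message is a strong signal.
    if ( preg_match_all( '#https?://#i', $message ) > 2 ) {
        $errors[] = 'Too many links in the message.';
    }
    return $errors;
}

// Returns true if the address, its domain, or its TLD ("*.tld" entry) is blocklisted.
function example_email_is_blocked( $email, $patterns ) {
    $email  = strtolower( $email );
    $at     = strrpos( $email, '@' );
    $domain = false === $at ? '' : substr( $email, $at + 1 );
    $dot    = strrpos( $domain, '.' );
    $tld    = false === $dot ? '' : substr( $domain, $dot + 1 );
    foreach ( $patterns as $pattern ) {
        $pattern = strtolower( $pattern );
        if ( $pattern === $email || $pattern === $domain || ( '' !== $tld && $pattern === '*.' . $tld ) ) {
            return true;
        }
    }
    return false;
}
```

Drop the file into wp-content/mu-plugins/ and place `[example_contact_form]` on a page. The honeypot branch deliberately redirects to the same thank-you URL as a real submission, so a bot operator cannot tell a dropped message from a delivered one; the validation branch, by contrast, returns a 400 with the reason, because a human needs to know what to fix.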

Security Plugins Mentioned Above and Costs

  • Defender Pro : the main plugin we used; we recommend that clients install it on their websites.
  • Secure Admin IP : free
  • Gravity Forms Email Blacklist : free
  • Akismet : only needed for websites that still receive a lot of spam in comments and form submissions after the honeypot field and Google reCAPTCHA are set up.
    • Basic plan (personal use): $0 - $120/year
      • Spam protection
    • Pro plan (commercial use): $4.95/month first year, billed yearly
      • Spam protection
      • 10K API calls/mo
      • Product support
    • Business Plan (for large organizations): $24.95/month first year, billed yearly
      • Spam protection
      • 60K API calls/mo
      • Unlimited sites
      • Priority support
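The Secure Admin IP behaviour listed above (only allowlisted addresses reach the login and admin pages) is simple enough to show in full, together with the caveat that matters most when deploying it. The following must-use plugin is an added example, not the plugin's own code: it restricts wp-login.php and the admin area to a list of IPv4 addresses and CIDR ranges, and decides explicitly whether the X-Forwarded-For header may be trusted. The allowlist values, the `example_*` names and the `EXAMPLE_TRUST_PROXY_HEADER` switch are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Admin IP Allowlist
 * Description: Added example (not the Secure Admin IP plugin's code): restrict
 *   wp-login.php and /wp-admin/ to allowlisted IPv4 addresses / CIDR ranges.
 *   Assumes 64-bit PHP for the CIDR arithmetic. Values below are hypothetical.
 */

// Hypothetical allowlist (documentation ranges): an office network and one VPN exit address.
const EXAMPLE_ADMIN_ALLOWLIST = array( '203.0.113.0/24', '198.51.100.7' );

// Only set to true when a trusted reverse proxy or CDN sits in front of the site
// AND overwrites X-Forwarded-For. Otherwise that header is attacker-supplied and
// trusting it lets anyone claim an allowlisted address.
const EXAMPLE_TRUST_PROXY_HEADER = false;

// The address the check is made against.
function example_client_ip() {
    if ( EXAMPLE_TRUST_PROXY_HEADER && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        // The header is a comma-separated chain; the first entry is the client as seen by the first proxy.
        $chain = explode( ',', sanitize_text_field( wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) );
        return trim( $chain[0] );
    }
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// IPv4 address-in-range test. A bare address is treated as a /32.
function example_ip_in_cidr( $ip, $cidr ) {
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32';
    }
    list( $network, $bits ) = explode( '/', $cidr, 2 );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $network );
    $bits     = (int) $bits;
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false; // malformed input never matches (fail closed)
    }
    $mask = 0 === $bits ? 0 : ( ( -1 << ( 32 - $bits ) ) & 0xFFFFFFFF );
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function example_ip_allowed( $ip, $allowlist ) {
    foreach ( $allowlist as $entry ) {
        if ( example_ip_in_cidr( $ip, trim( $entry ) ) ) {
            return true;
        }
    }
    return false;
}

// Runs on wp-login.php (login_init) and inside wp-admin (admin_init).
function example_enforce_admin_allowlist() {
    // admin-ajax.php and admin-post.php also fire admin_init but serve the public
    // front end (themes, contact forms); leave them reachable.
    $page = isset( $GLOBALS['pagenow'] ) ? $GLOBALS['pagenow'] : '';
    if ( in_array( $page, array( 'admin-ajax.php', 'admin-post.php' ), true ) ) {
        return;
    }
    if ( ! example_ip_allowed( example_client_ip(), EXAMPLE_ADMIN_ALLOWLIST ) ) {
        wp_die( 'Access to this page is restricted.', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'login_init', 'example_enforce_admin_allowlist' );
add_action( 'admin_init', 'example_enforce_admin_allowlist' );
```

Two things to check before relying on this. First, if the site sits behind a CDN or load balancer, REMOTE_ADDR is the proxy's address and every visitor will be blocked until the proxy header is trusted; if it does not, trusting the header lets an attacker spoof an allowlisted address with a single request header. Second, this only guards wp-login.php and the admin screens; password guessing through xmlrpc.php or the REST API is unaffected, so login lockout and two-factor authentication are still needed. If you lock yourself out, delete the file from wp-content/mu-plugins/ over SFTP.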