Must Have Wordpress Plugins?

[Progger]

Hello,

Hours ago i have setup a fresh WP,and notice the first bruteforce attack

Please tell me some "must have" Plugins for Affiliates!

[universal4]

WP Cerber

Handles turning on or off RPC control if you choose and a LOT of brute force control right out of the box.

Handles redirecting the log in and much much more.

You can have it notify you every time a brute force attempt is made or turn that off, it logs the ip/subnets making the attempts.

I have tried many others, but I install this one first on all new WP Installs now.

Rick
Universal4

[Progger]

htaccess and IP-Range,serverside are maybe better than all this plugins.

But lets move on, best seo plugin? Yoast ?

[universal4]

Yes, could be in your situation that works best for you, but many users need a more simple way.

I am not sure how much monitoring you are doing on the logs, but you might wanna try WP Cerber to capture the brute force IP's for you, you could set it to not block, or allow the block and remove later and add the ip's manually yourself, not sure if it would save you time parsing the logs or not...just a thought...

We recently had the seo plug ins question asked...last week if I recall, the two most suggested were Yoast and All in One

Rick
Universal4

side note: I tend to take the worst offenders and add them to the server firewall, which stops them from hitting ANY site not just the ones blocked at site level

[Progger]

i don't wanna put more plugins on my WP than necessary,because this can ends in a hack or a slow page.

And,i have post my .htaccess on a another topic, maybe u can check it - it works for me,but feedback from are another person are always helpful.

[DaftDog]

For security Wordfence premium: https://www.wordfence.com/

[universal4]

I agree with progger on suggestions to use the least amount of plugins, I have found that wp cerber does not eat up a bunch of overhead and I have run some tests on stock installs of wordpress on an IP where I even left the hello world post to make it appear as a newbie page and even after the log filled with hundreds of block ip subnets after thousands of attack it did not seem to affect the performance at all...but this is always a concern and we should always be aware to monitor such things as the wrong plug-in or too many plug-ins can slow a site to a crawl.

Rick
Universal4

[allfreechips]

Modsecurity on apache filters a ton of traffic just from malformed headers alone, I also tracked clicks on casino reviews on some new sites and noted that most bots wil hit 10-15 reviews in seconds, by far not natural behavior so I then can place them in a deny or better yet redirect their ass into something less desirable. Cloudflair also filters a lot of unwanted traffic but I think Progger noted in the past about not liking them! The free service is great

[AussieDave]

IMO these "Brute Force Attack" or "Security" WP plugins are flawed. Blocking IP's is only good for individual people trying to hack your wp-login. These days, 99% of all un-authorised access attempts, probing etc., etc, is donr via bots, who are using botnets. Many many Million of IP's.

These WP plugins give people a false sense of security imho. The amount of dangerous bots they allow access for, is disturbing.

The trick to stop this garbage, is to identify varied signals common to these attacks etc. For example: Blocking outdated browsers; FireFox 40.0 seems to be a popular identifer used by bots for the last year or so. Also blocking access from hosting companies, servers etc, instead onlt allowing bona fide ISP's access is another good way to stop the crap gaining access.

I'm not going to post here my security methods. But feel free to PM me

[AussieDave]

or better yet redirect their ass into something less desirable.

Problem with that is, spambots or hackbots don't (usually) follow forwarding rules

[Progger]

move the wp-admin on a another link and use a second login over htaccess.... problem solved.
************************************************** *************************
The other problem...content scraping/grabbing. Here i maybe need a plugin.

[sweetbet]

iQ Block Country - Block visitors from visiting your website and backend website based on which country their IP address is from.

[petimi]

Jetpack's Security module is also very powerful against bruteforce attacks (works together well with Wordfence too if you want to be super careful).
Enable "Brute force attack protection" and you can also manage whitelisted IPs manually (whitelist yourself).

[guala]

apart from all the security plugins listed above I always download yoast, wp-optimize and wp smush

[Progger]

yoast is a past from my design and 7 other plugins...i have to use it.

[ApostaGanha]

reviewer
mailpoet
optinmonster
social warfare
Contact Form 7
OneSignal Push Notifications

[ApostaGanha]

w3 total cache

[Progger]

Thanks aposta,

I use some plugins already...compression is the next stage.
Plugin or serverside...i need to check it.

[ApostaGanha]

Autoptimize and CDN

[AussieDave]

Jetpack's Security module is also very powerful against bruteforce attacks (works together well with Wordfence too if you want to be super careful).
Enable "Brute force attack protection" and you can also manage whitelisted IPs manually (whitelist yourself).

I don't wish to cut you down, but these WP "security" plugins are only good for actually keeping human (unlawful) access at bay. Fact is though, that's a very, very small % of 'attacks' a WP site is hit with on a daily basis. Instead, a site is hit with literally millions of BotNet IP's. So blocking these attampted "login ins" will only stop a single IP.

So what happens is you get hit a million + times with one botnet then others do the same. All this achieves is a HUGE Database full of banned BotNet IP's, which doesn't stop the crap trying to login into your site, or even spammers, who now use BotNets too.

One simple process can acheive all this, and do away with extra plugins which do take up (sometimes) massive resourses, which slow down your site. Granted theough, you'd need to be php/.htaccess savvy. If your not I suppose you've got limited options.