Get the Most Out of Defender and Maximize WordPress Security
Anyone who owns, builds, manages, or hosts WordPress sites should be obsessed with security. It’s not that WordPress isn’t a safe platform to build websites with. It’s just that, being the most popular and widely used CMS in the world, WordPress is an easy target for hackers. This is why WordPress blogs can’t and shouldn’t stop talking about WordPress security.
The nice thing about security getting so much attention is that there are a plethora of solutions readily available to address it. For instance, there are security monitoring tools that take care of the first half of the battle against WordPress vulnerabilities. But that can’t be enough. You also need tools that enable you to defend against and mend security vulnerabilities and breaches as well.
This is why we have WordPress security plugins. Sure, there are other security tools and firewalls you should make use of outside of WordPress, but plugins help you put up a strong defense right from within your website. If you’re not familiar with the Defender plugin, then I’d urge you to give it a closer look.
There’s a lot going on with this plugin, in both the free and premium versions, so let’s dig in and see how you can make the most of it.
Defend Your WordPress Site with the Free Defender Plugin
For those of you wary about jumping into a new premium WordPress plugin (especially one that handles your WordPress security) without first trying it out, there’s good news. Defender is now available for free in the WordPress repository.
Let’s take a closer look at the features you really need to take advantage of with the free version of Defender and get the most out of it to maximize your security:
Fortify the WordPress Login
Although the Defender dashboard puts a greater emphasis on things like tidying up your database and adding extra security measures to things like PHP and the file editor, I suggest you start in the IP Lockouts section of the plugin.
Defender is right in prioritizing the scanning and active cleanup of WordPress within the dashboard. However, making sure the front door to your site (i.e. the login page) is locked up tight should be done first. The quicker you can fortify the login against brute force attacks with IP lockouts and blocklisting, the sooner you can start using this plugin to actively monitor and fix your site.
Start first with Advanced Tools. This section will enable you to turn on two-factor authentication for your WordPress users.
In addition to being able to enforce two-factor authentication based on user role, there are additional settings you should configure. With these options, you can make it easier for users to get the Google Authenticator tool to work for them. You can also use this to monitor your users and ensure that they’re abiding by password security best practices.
Now, moving over to the IP Lockouts section, you can use these login fortification methods:
- Login rules, restrictions, and lockouts
- Block bots with 404 error detection
- IP blocklisting (or allowlisting)
Also, don’t forget to use the Logs and Notifications settings here to ensure that you’re regularly informed when malicious break-in attempts are made on your login.
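As an added illustration (not Defender's own code), here is a minimal model of the lockout rules just listed: failed-login lockouts, 404-based bot detection, and allow/blocklists, replayed over constructed sample events. The thresholds, window lengths and lockout duration are assumed values, not the plugin's defaults.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    login_threshold: int = 5       # failed logins tolerated within login_window (assumed)
    login_window: int = 300        # seconds
    notfound_threshold: int = 20   # 404s tolerated within notfound_window (bot probing)
    notfound_window: int = 60      # seconds
    lockout_duration: int = 600    # seconds an IP stays locked out
    allowlist: frozenset = frozenset()   # never locked out
    blocklist: frozenset = frozenset()   # always locked out
    _events: dict = field(default_factory=lambda: defaultdict(deque))  # (ip, kind) -> times
    _locked_until: dict = field(default_factory=dict)
    def is_locked(self, ip, now):
        if ip in self.allowlist:
            return False
        return ip in self.blocklist or self._locked_until.get(ip, 0) > now
    def _hit(self, kind, ip, now, window_len, threshold):
        q = self._events[(ip, kind)]
        q.append(now)
        while q and now - q[0] > window_len:   # drop events outside the sliding window
            q.popleft()
        if len(q) >= threshold:
            self._locked_until[ip] = now + self.lockout_duration
            q.clear()
            return True
        return False
    def record(self, ip, event, now):
        """Feed one event ('login_fail', 'login_ok' or '404'); True if it triggers a lockout."""
        if ip in self.allowlist:
            return False
        if event == "login_fail":
            return self._hit("login_fail", ip, now, self.login_window, self.login_threshold)
        if event == "404":
            return self._hit("404", ip, now, self.notfound_window, self.notfound_threshold)
        if event == "login_ok":
            self._events[(ip, "login_fail")].clear()   # a successful login resets the count
        return False

# Constructed sample events: (seconds since start, client IP, event type).
SAMPLE_EVENTS = [(10 * i, "203.0.113.7", "login_fail") for i in range(5)] + [
    (45, "198.51.100.2", "login_fail"), (50, "198.51.100.2", "login_ok"),
] + [(60 + i, "192.0.2.9", "404") for i in range(20)]   # a bot probing missing paths

def run(events, policy=None):
    """Replay events; return the policy state and the (ip, time) lockouts it raised."""
    policy = policy or LockoutPolicy()
    return policy, [(ip, t) for t, ip, ev in events if policy.record(ip, ev, t)]
```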
Use the Recommended Security Tweaks
The WPMU DEV blog contains many resources that provide guidance on how you can better harden security in WordPress. That’s awesome since you know there’s always somewhere to go if you have a question or need quick assistance on a security matter. However, wouldn’t it be better if someone would just look at your WordPress site and tell you what to do?
That’s what Defender does with Security Tweaks. Not only that, but Defender also gives a full explanation of each item you’ve already secured on your site:
Defender will also tell you where serious issues exist as well as how to fix those issues:
This makes it so much easier to spot your WordPress site’s weaknesses and fix them on the spot. Simply hit the “Fix the Issue” button when you’re ready to take action or hit “Ignore” to skip it and move on to the next one.
Scan Your Files
Do you ever worry about what hackers are doing to your site behind the scenes? For instance, the white screen of death or some other obvious crack in the facade of your WordPress site would tip you off that someone has gained unauthorized access. But how are you supposed to know when that happens with your database? It’s not like you comb through your files or code on a regular basis, so how could you even spot something like that?
The Defender plugin will take care of this for you at the core level.
When you use the File Scanning tool, Defender scans your core files to see if anything has been changed against what it was expecting to find there. If any errant code is detected, Defender will notify you of the issue. In order to receive these notifications, be sure to update the Settings under File Scanning so they go to the right person and so you know exactly what you’re looking at (if you choose to customize the message).
Once you’ve seen the scan results, you have two options. You can fix the issue and restore the file back to safety with a single click. Or, if you recognize the file and want to keep it as is, simply ignore the warning.
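To show what a core-file check like this does, here is an added example (not Defender's own code) that snapshots a directory tree into a hash manifest and then reports files that were modified, removed, or added relative to that snapshot. A real check compares against the checksums published for your WordPress release; this example builds its own manifest from constructed files in a temporary directory, and the file names and contents are placeholders.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Record the hash of every file under root (the 'expected' state)."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_tree(root, manifest):
    """Compare the tree under root with the manifest and report every difference."""
    current = build_manifest(root)
    modified = sorted(f for f in manifest if f in current and current[f] != manifest[f])
    missing = sorted(f for f in manifest if f not in current)
    # files that are not part of the expected set, e.g. a dropped-in PHP file
    unexpected = sorted(f for f in current if f not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}

def demo():
    """Constructed scenario: snapshot a fake core tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
        (root / "wp-settings.php").write_text("<?php // core bootstrap\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        manifest = build_manifest(root)          # known-good state
        # simulate a core file being altered, one being deleted,
        # and an extra file appearing inside the core tree
        with open(root / "wp-settings.php", "a") as f:
            f.write("// injected line\n")
        (root / "index.php").unlink()
        (root / "wp-includes" / "cache-helper.php").write_text("<?php // not in core\n")
        return verify_tree(root, manifest)
```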
Defend Your WordPress Site with the Premium Defender Plugin
Now, if you already have a WPMU DEV membership or you’re interested in the upgraded Defender plugin, this section is for you.
The premium version of Defender looks identical to the free version when you first activate it in WordPress, so don’t be alarmed. It may be the same dashboard, but you’re about to unlock a whole set of premium security features for your WordPress site.
Here are the ones you need to take advantage of now:
Check Your Blocklist Status
No one wants to be on a blocklist, especially when it comes to a WordPress website.
If you’re unfamiliar with this, it basically just means that search engines blocked your site because it posed a security threat to users. That said, it’s not like Google is going to email you and say, “Hey, we decided to boot your site from search. Cool?” Nope, instead, you need a tool like this to let you know when it happens.
Once Defender has detected that your site has been blocklisted, you can start digging through all the security scans and logs to try to identify the source of the breach and kick it out of there ASAP.
Automate Security Scans
In the free version of this plugin, you saw that there’s a built-in security scanning and monitoring service included in Defender. That’s definitely awesome. However, what if you want to make it even easier to scan your site and be notified of the results? And what if you want to scan more than just the core for issues?
Well, that’s why you’ve upgraded to premium.
With the premium plugin, you can enable scanning for:
- The WordPress core
- Your WordPress plugins and themes
- Suspicious code found elsewhere on your site
Oh, and you can automate scanning as well, so you can rest assured that someone is watching out for your site’s security as frequently as it’s needed.
Receive Audit Logs
In addition to watching over the core and software installed in your WordPress installation, you can also activate audit logs within Defender.
Basically, Defender will watch over every move made on your WordPress site. Think of it like your very own surveillance system that tells you who did what to which file and when. This is obviously helpful when it comes to tracking down hackers’ actions on your site, but it might also come in handy if an employee or client “breaks” something and you need to figure out what happened.
Event Logs let you run more granular searches in the logs to pinpoint where things went awry. That saves you time troubleshooting when you otherwise have no idea where the problem started.
Create Custom and Automated Security Reports
Here’s another way in which the premium Defender plugin aims to make security easier for you.
Specifically, there are three security reports you can create, customize, and schedule within Defender:
- File scanning
- Audit logging
- IP Lockouts
Each of these has already been mentioned in this article, but what I didn’t mention was how easy the premium plugin makes it to customize and automate the sending of these security reports to yourself (and other admins).
The setup is as simple as this:
Simply choose the frequency and the time at which you want to receive the report, and you’ll find out what’s going on with everything from lockouts to general audited activity without having to log back into WordPress.
WordPress plugins aren’t meant to be installed and left to their own devices. If you really want to get the most bang for your buck with Defender (let alone any WordPress plugin), then you need to understand how it works. That way, you can configure it in a way that improves your workflow and maximizes results.