How to choose a website security plugin if you are a novice webmaster

Unfortunately, site owners often think about security only after an attack has already occurred. To avoid having to deal with the consequences of hacking, it is better to immediately install a plugin that will provide comprehensive protection for your site against common threats.

My name is Alexey Soldatov, I lead technical support at SpaceWeb. In this article I’ll tell you how to choose truly reliable ones from the wide variety of plugins. At the end – a selection of good free plugins for popular CMS.

What plugins can do to protect a website

Good plugins vary in small ways, but are similar in their core functionality. All of them should protect the site from the most common threats: the introduction of malicious code, suspicious traffic, spam and unauthorized changes to the source code.

The list below can be used as a universal checklist. When choosing a plugin, make sure it has most of these features.

Let's look at the main functions using the example of plugins for WordPress, Joomla! and OpenCart.

1. Find and remove malicious code and programs

Here are the four most common types of attacks on a website:

  • XSS: injection of malicious JavaScript code;

  • LFI: inclusion of a local file;

  • SQL injection: injection of malicious code into the requests that the site makes to its database;

  • injection of malware, for example backdoors.

Each of them is handled, for example, by the Defender Security plugin for WordPress. At the administrator's request, it scans the code of files on the server or the headers of requests to the site, and then uses signature analysis to find malicious code. After this, the administrator can select and delete suspicious files in two clicks.

Defender Security shows suspicious files and changes to them


Defender Security scans the site in proactive protection mode, that is, it detects threats as they appear. But not all plugins can do this. Most of them look for suspicious code or files on the server only at the request of the site administrator. Therefore, from time to time you need to go to the plugin admin area and run a scan manually to check if the site is infected.

If you use the Joomla! CMS, you can use, for example, the RSFirewall or Admin Tools Professional plugin for this purpose. For sites on OpenCart there is the “Report on changes to site files” module.

2. Block users who repeatedly unsuccessfully try to enter the site

One of the most common ways to hack a website is a brute force attack: the hacker's program tries different combinations until it guesses the username and password. To protect against this type of attack, you can use, for example, the above-mentioned Defender Security or All-In-One Security.

The plugin allows you to install a counter on any form of the site that limits the number of unsuccessful login attempts. If a user exceeds the limit, the plugin temporarily blocks their IP address. A bot will almost certainly not be able to get past such a block: there are too few attempts to find the correct username and password combination.

Some plugins allow the administrator to view information about visitors and their actions: username, IP address, login and logout date and time, including failed login attempts. Knowing this, the administrator can manually block or unblock users.
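A minimal model of the failed-attempt counter, temporary IP block and audit log described above, added here as an illustration (it is not code from Defender Security, All-In-One Security or any other plugin); the IP addresses, limits and timings in the scenario are constructed:

```python
from collections import defaultdict, deque

class LoginLimiter:
    """Per-IP failed-login counter with temporary blocking and an audit log."""
    def __init__(self, max_attempts=5, window=300, block_time=900):
        self.max_attempts = max_attempts
        self.window = window                # seconds over which failures are counted
        self.block_time = block_time        # seconds an IP stays blocked
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires
        self.audit = []                     # (time, ip, username, event)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip, 0)
        if until > now:
            return True
        if ip in self.blocked_until:        # block expired: forget it and the old failures
            del self.blocked_until[ip]
            self.failures[ip].clear()
        return False

    def attempt(self, ip, user, password_ok, now):
        """Record one login attempt and return 'blocked', 'ok' or 'failed'."""
        if self.is_blocked(ip, now):        # a correct password is rejected while blocked
            self.audit.append((now, ip, user, "blocked"))
            return "blocked"
        if password_ok:
            self.failures[ip].clear()
            self.audit.append((now, ip, user, "login"))
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        self.audit.append((now, ip, user, "failed"))
        if len(recent) >= self.max_attempts:
            self.blocked_until[ip] = now + self.block_time
            self.audit.append((now, ip, user, "ip_blocked"))
            return "blocked"
        return "failed"

def simulate_bruteforce():
    """Constructed scenario: a bot guessing from 203.0.113.9, a real editor from 198.51.100.4."""
    lim = LoginLimiter(max_attempts=5, window=300, block_time=900)
    out = [lim.attempt("203.0.113.9", "admin", False, t) for t in range(0, 50, 10)]
    out.append(lim.attempt("203.0.113.9", "admin", True, 60))    # right guess, still blocked
    out.append(lim.attempt("198.51.100.4", "editor", True, 61))  # other users are unaffected
    out.append(lim.attempt("203.0.113.9", "admin", True, 941))   # the 900 s block has expired
    return out
```

The `audit` list is the same kind of record the plugins show in their admin panel: who tried to log in, from where, when, and whether the attempt was blocked.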

In All-In-One Security, you can manually configure the number of login attempts, as well as the blocking time


To protect against brute force attacks on Joomla! sites, you can use, for example, the RSFirewall plugin or Securitycheck Pro, and on OpenCart the “Login blocking when opening OpenCart password” module.

3. Install a firewall

A firewall is a proactive protection against hacking and DDoS attacks. It identifies and blocks malicious traffic in real time based on specified rules.

For example, using the same Defender Security, you can block IP addresses from which malicious traffic comes. Developers collect a “black list” of addresses from which sites with Defender Security installed were attacked, and then write it in the form of rules for the plugin.

Another option is blocking by user-agent, the user's “digital fingerprint”. This is the name given to the combination of browser and operating system characteristics. The plugin determines which OS and browser the attacker used to log into the system and blocks them even after they change their IP. You can also set up blocking based on the region the unwanted traffic is coming from.

In Defender Security you can view logs: find out what traffic was blocked when


Website owners on Joomla! can install, for example, the multifunctional GP Firewall plugin for this purpose, and for OpenCart there is the OpenCart Defender module.

4. Set up protection against spam and bot registrations

To combat spam and bots, you can use plugins to configure two-factor authentication, comment filtering, and captcha.

To set up two-factor authentication (TFA) on your site for users who register or log into their profile, you need to configure the plugin's API integration with one of the popular TFA services. For example, for the same All-In-One Security these are Google Authenticator, Microsoft Authenticator and Authy. Standard two-factor authentication can be set up for all users for free, and the premium tier of the plugin provides even more features:

  • set up mandatory TFA for specific roles, for example site administrators and editors;

  • request TFA again after a certain time, for example twice a week;

  • create a list of trusted devices for which it is not necessary to request TFA at each login;

  • create emergency access codes in case the user loses the device.

Another plugin, Solid Security, allows you to create different user groups and configure the required security level for each of them. For example, you can set up mandatory two-factor authentication for buyers and online store administrators, but give administrators the option to change this setting in the plugin settings.

To add two-factor authentication to a website using the Wordfence Security plugin, set up integration with any application or authentication service based on TOTP, a time-based one-time password: for example, Google Authenticator, Authy, 1Password or FreeOTP. These services generate a unique secret key, shown as a QR code that the user scans with their phone. Codes are generated every 30–60 seconds, and access must be confirmed within that time.
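What the TOTP mechanism behind all these apps actually does, as an added example (not Wordfence's code or that of any authenticator app): the shared secret is base32-encoded, the code is an HMAC-SHA1 over the current 30-second period number, and the server accepts one period of clock skew either side. The issuer and account names are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def new_secret():
    """Random 160-bit secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, timestamp=None, step=30, digits=6):
    """TOTP (RFC 6238): the HOTP counter is the number of `step`-second periods since 1970."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret_b32, int(timestamp // step), digits)

def verify_totp(secret_b32, code, timestamp=None, step=30, drift=1, digits=6):
    """Accept the code for the current period and `drift` periods either side, which
    tolerates a little clock skew between phone and server; comparison is constant-time."""
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp // step)
    return any(hmac.compare_digest(hotp(secret_b32, counter + d, digits), code)
               for d in range(-drift, drift + 1))

def provisioning_uri(secret_b32, account, issuer):
    """otpauth:// URI; rendered as a QR code, this is what the user scans into the app."""
    return (f"otpauth://totp/{issuer}:{account}?secret={secret_b32}"
            f"&issuer={issuer}&period=30&digits=6")
```

The secret must be stored server-side as carefully as a password hash: anyone who reads it can generate valid codes.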


Security plugins can also filter spam. For example, All-In-One Security automatically blocks spammers by IP. At the same time, the administrator can block suspicious users manually.

The plugin can track an abnormally large number of comments on a site or mark addresses from which suspicious traffic is coming, but it cannot analyze the content of comments. To prevent users from breaking the rules, set up pre-moderation in the CMS: comments will then be published only after a moderator has read and approved them.

The third way to protect against spam and bots is captcha. To connect it to your website through one of the security plugins, you need to set up API integration with popular captcha services: the Defender Security plugin supports Google reCAPTCHA, and All-In-One Security supports Cloudflare Turnstile, Google reCAPTCHA, a honeypot or a simple mathematical captcha. You can also configure the plugin so that a moderator manually approves or rejects new user accounts.

If the security plugin does not have a captcha function, you can connect a separate captcha service, for example by installing the reCaptcha plugin or the SmartCaptcha service from Yandex. We have a detailed article with instructions on how to install a captcha for a WordPress site.

For sites on Joomla! the principle is the same; it is easier to use separate captcha and two-factor authentication services: reCAPTCHA or hCaptcha, and Google Authenticator. For sites on OpenCart there is the “Two-step authorization for Opencart” module.

5. Protect and restore important files

Such important data usually includes CMS core files, the site theme, hand-written code or CSS. Using the All-In-One Security plugin, you can restrict access rights to them: for example, leave editing rights only to the administrator and give users with other roles viewing rights.

The Wordfence Security plugin works differently. It compares site files, themes, and plugins to those in the WordPress.org repository, verifies their integrity, and notifies the site owner of any changes. If someone edits the files, they can be overwritten with the original version.
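The integrity check behind this kind of feature, as an added example rather than Wordfence's own code: hash every file once into a baseline manifest, store it outside the web root, and later diff a fresh manifest against it. Wordfence compares against WordPress.org's copies; this simplified version compares against a locally saved baseline, and the tiny site tree it builds is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every regular file under `root` (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def save_manifest(manifest, path):
    """Keep the baseline outside the web root so an intruder cannot quietly rewrite it."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))

def load_manifest(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed scenario: a tiny fake site tree is hashed, then one core file is
    edited and an unexpected file appears, which the next comparison reports."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.x';\n")
        save_manifest(build_manifest(site), Path(tmp) / "baseline.json")
        # later: a tampered core file and a file that was never in the baseline
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.x'; // edited\n")
        (site / "wp-includes" / "extra.php").write_text("<?php // not in the baseline\n")
        return compare_manifests(load_manifest(Path(tmp) / "baseline.json"), build_manifest(site))
```

Regenerate the baseline right after every legitimate update of the CMS, theme or plugins, otherwise the next scan reports the update itself as tampering.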

The BulletProof Security plugin for WordPress can do even more: automatically create database backups, send them by email, delete outdated copies and restore the site from a backup in case of damage. This is convenient if you don't want to back up your site manually on a regular basis.

Website owners on Joomla! can use for this purpose, for example, the Securitycheck Pro plugin. There is a module for sites on OpenCart “Backup Backup for OpenCart”.

Database backups in BulletProof Security can be created manually or automatically


6. Save information about suspicious events

Plugins for comprehensive site protection keep an audit log: they give administrators the ability to view all events on the site. Here's what you can learn with All-In-One Security:

  • activity by username, IP address, login and logout times;

  • a list of users who are in the system during the audit;

  • a list of all failed login attempts;

  • information about adding, deleting, updating, activating or deactivating other plugins without the knowledge of the administrator.

But not all plugins notify you of problems on the site. The premium version of All-In-One Security has this feature: the plugin sends an e-mail to the administrator within 24 hours of the threat appearing.

Defender Security, by contrast, only saves information in logs and displays alerts in the control panel. If changes appear on the site that you did not make, or it stops working completely, you will have to view the plugin log manually. It's better to do this once a week anyway: even if nothing suspicious is visible on the site, problems may appear “under the hood”.

Wordfence Security checks core files, themes and plugins for malware, backdoors, SEO spam, malicious redirects and code injections. It does this by comparing files, themes, and plugins with those in the WordPress.org repository, checking their integrity, and reporting any changes to the admin panel. Malware injection data is updated within 30 minutes, and in the premium version – in real time.


BulletProof Security plugin security log


Among plugins for Joomla!, Securitycheck Pro, for example, has a security log: the site owner can view it in the administration panel or export it in .csv format. On OpenCart this task is handled by the “Report on changes to site files” module.

How to choose plugins to protect your website on different CMSs

To choose a tool that is convenient and suitable for you, make sure that the plugin meets these three criteria:

  1. The features you need are in the free version. Most of the highly rated plugins are foreign, and Russian users may have problems paying for extended tariffs.

  2. The database of malicious files and code elements is regularly updated. New threats appear constantly, and it is important that the plugin is able to recognize them. It is better to choose plugins with a five-star rating in the WordPress plugin store: their developers usually maintain a list of known exploits, quickly create and release protections, and then add information about them to the plugin database. This way the plugin will be able to detect and counter threats that appeared recently.

  3. The plugin interface is clear and convenient. Developers often post videos in official stores demonstrating what it looks like to work with the plugin from the admin panel. Watch these videos in advance and evaluate how comfortable it will be for you to work with such a plugin.

Below is a selection of highly rated plugins for popular CMSs. And if our help is not enough for you, go to the documentation of a specific plugin – their functions are described in even more detail there.

5 Highly Rated Plugins on WordPress.org:

4 highly rated plugins on joomla.org:

How to protect your website on OpenCart

There are no comprehensive security plugins for this CMS. There are only individual solutions for a specific problem. To protect your site from most common threats, install several plugins at once. For convenience, use the list from the block “What plugins can do to protect a site.”

Examples of security modules in the OpenCart store

How to protect a website on 1C-Bitrix

The “Proactive Defense” module is already built into the “1C-Bitrix: Site Management” CMS. It has the necessary functions for site security, so there is no need to install additional plugins.

To understand which threats are most important to protect your site from, it is better to conduct a comprehensive security audit. You can do this using free or paid scanner programs such as Detectify or HX Scanner. Or you can order an audit from companies that specialize in this; they will be able to decipher the results for you and give specific recommendations. Next, you need to choose a plugin that has all or most of the features you need.

For greater site security, update not only plugins, but also CMS and site themes. Old versions may have vulnerabilities that have already been discovered and fixed in new ones.

How do you protect your site and do you do it at all? Share in the comments!
