Web security has probably never been more important than it is today. Whether we’re talking about protection for your site and data or that of your visitors, you could easily say that protecting that data is one of the pillars of a successful site. To emphasize the point, just think of the backlash data leaks have caused for compromised sites in the past.
WordPress as a platform has some rudimentary security functions built in, but those are nowhere near enough to survive unscathed on the web, especially if you consider that an averagely popular site comes under attack roughly 40 times a day. These attacks range from hackers directly targeting your site for sensitive data, to malware infecting your site, to other security breaches, accidental or intentional. Any type of successful attack results in loss of data, a drop in SEO rankings, a ruined brand image, etc., which can all spell doom very quickly if you’re not prepared.
The bad news is that these attacks can’t be prevented; however, they can be repelled. To accomplish this feat, you’ll need to resort to a security plugin – a specialized piece of software that’s designed to keep your site safe from anything that comes at you. It’s important to note that security plugins are much like an insurance policy – you don’t need them until things go wrong, but once they do, you’ll be glad to have them. The alternative isn’t an option – without proper security measures in place you’re just inviting trouble, and on the web, you’ll find it in a flash.
Because security plugins don’t function well together with other security plugins, you’ll be using just one, and since there are so many of them out there, it can be hard to single out the best from the rest. To make it easy on you, we’ve found one and will show, in detail, why Security Ninja could be the perfect option for you.
Security Ninja – a WordPress staple
Chances are, if you’ve been in the website management game, you’ve heard of Security Ninja before. After all, it’s been around for over 11 years and has over 10 thousand users. Those are some impressive numbers, and the great thing is that the plugin has gotten better and expanded with new features over time.
Security Ninja is a freemium plugin, probably the most common type out there, because it’s very practical. You have a free version that’s easily available for everyone and acts as a gateway. It offers some basic features, but essentially, its purpose is to get some info about the plugin first-hand. The PRO version is the one that you’ll want to go with if you’re at all serious about security. This is also the version we’ll be focusing on.
A quick tip – along with the free version, you can also try the great demo the devs have set up, which gives you an even better insight into all the features Security Ninja provides, so be sure to check it out for yourself.
The many modules of Security Ninja
Security Ninja goes about its features through modules. Each of these is responsible for a specific aspect of the overall security. There are seven modules in total, and when they add up, your site should be locked up tight. Let’s go over each of them so you get a better idea of what’s included.
Any good protection method starts with a firewall – it’s your first line of defense and has the main goal of stopping anything malicious from accessing your site/data. The firewall should always be top-notch because it represents the best kind of protection – if nothing gets through there’s no chance of any harm.
Security Ninja combines several protection methods to keep your site safe and while nothing is ever 100% foolproof, this firewall comes very close:
- Block 600+ million bad IPs from the internal database.
- Block IPs based on country.
- Block spam with an updating blacklist of 100000+.
- Block suspicious requests.
- Prevent brute-force attacks attempting to log in by limiting the number of tries.
- Redirect blocked visitors away from your pages.
- Rename the default WordPress admin URL.
- Use the Security Ninja blocklist network to connect all your protected websites.
Furthermore, to prevent hacking attempts, all incoming traffic is thoroughly scanned for potentially dangerous code, malicious requests are blocked, and uploading .exe files is blocked.
All the databases which are featured are updated automatically and constantly, so you’ll always be a step ahead of the attackers without having to do anything manually. The backend is designed to provide you with easy access to all features you can customize manually (like blocking countries) so even newcomers won’t have any issues.
While you’re always looking at firewalls to keep anything malicious out, as we’ve mentioned, nothing works 100% of the time. In those rare cases where something does get through, you’ll need a quality scanner to detect the issue, quarantine it, and remove it. The PHP malware scanner checks the code, and if anything seems off, it’s flagged.
It’s important to note that not everything that’s flagged is automatically malicious, sometimes the code just looks suspicious. The files are flagged automatically, but once they’re singled out, you’ll be prompted to check them out manually, and if you think something is odd, it’s advisable to do just that.
The malware scanner is completely optimized for working in WordPress with a large number of files, is completely integrated into the Security Ninja GUI, is compatible with all themes and plugins, and enables the following:
- One-click scan
- Scan all theme and plugins files (active and disabled)
- Scan the wp-content upload folder
- Scan the WordPress installation
- Scan the options DB table
- Whitelist flagged files that are safe (manually)
- Delete flagged files
WordPress, just like an operating system, has core files that are crucial for it to function. In the case of WordPress, the core files number over 1200, which is a lot of opportunities for potential trouble. You can locate these files in the wp-admin and wp-includes folders in the root of your website, along with any file starting with wp-, like wp-load.php, wp-config.php, etc.
The Core Scanner, just as the name suggests, scans these core files on your copy of WordPress and compares them to the secure master copy at WordPress.org. If there are any discrepancies, they’re highlighted. After identification, you’ll have the option to revert these files to their normal values.
The Core Scanner doesn’t only fix files that were corrupted from outside; you’ll also be able to restore files that were broken as a result of internal issues like accidental deletion, incompatibility, update problems, etc.
Now, it’s worth mentioning that every official and most unofficial sources suggest you never tinker with the core files. However, experienced users could find some benefit to their site by making some precise changes. That’s why you always have the option to just ignore a file that pops up in the scan. Just be sure you can always tell your own work apart from potential loopholes others can exploit.
Most users update WordPress as soon as they’re prompted to do so, or simply leave it on automatic – this won’t interfere with the scanner. It’s automatically updated to the latest version of WordPress so files that are changed through the official update will never be flagged.
Site security should be an automated process, as much as it possibly can. Manually doing such an important job only leaves room for mistakes. The scheduled scanner lets you set up a timetable for automated scans that will run in the background, making sure everything is in tip-top shape.
Setting up the process couldn’t be easier. All you have to do is decide on how often you want the scan to run (twice a day is recommended) and enter your email address to be notified of the results. The emails can be sent after every scan, or only if something was found – this depends solely on your needs.
We all know what a log is – it’s a record of all actions made, in this case, on a site. Naturally, the more you’re active on the backend, the more useful keeping a log is – as the number of actions grows, keeping track of them gets increasingly harder. Probably even more important than simply tracking your activities is the ability to keep track of anything suspicious. If anything goes wrong on your site and you can pinpoint the time when it went wrong, chances are, you’ll be able to go through the log for some crucial information.
The great thing about the Security Ninja event logger is that it tracks both backend and frontend actions, enabling you to look up what you’ve done, but also what others have done that could endanger the overall security of the site. You’ll be able to keep track of more than 50 events, all of which can be easily filtered, and you can even set up email notifications for specific events.
The first thing that comes to mind is most likely a reflex response – I’ve made sure my site doesn’t have vulnerabilities. As we’ve already mentioned – nothing is foolproof and you need to be aware of potential issues that can’t be avoided.
The Vulnerability Scanner is there to detect known problems that a plugin might have and that can be exploited. Public repositories for WordPress vulnerabilities are scanned (such as the National Vulnerability Database) and compared to the plugins you have active on your site. With the notification, you’ll get a clear report on the problem and a way to fix it.
For plugins that aren’t abandoned by their devs, a bug report will guide them to repair it in an update. Therefore, most of the time “the fix” for a vulnerability is simply keeping your plugin updated to the latest version.
It’s worth noting that the Vulnerability Scanner is a free module, available to both free and premium users, so everyone can reap the benefits.
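How such a match works, as an added example (not Security Ninja's code or data): installed plugin versions are compared against advisory ranges, and each hit comes with the fix, which is usually an update. The plugin slugs, versions, advisory ids and the `introduced_in`/`fixed_in` field names are constructed placeholders.

```python
import re
from itertools import zip_longest

def parse_version(text):
    """'1.10.2' -> (1, 10, 2); any non-digit characters act as separators."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def compare(a, b):
    """Return -1, 0 or 1, padding with zeros so that 2.0 equals 2.0.0."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def match_advisories(installed, advisories):
    """Return findings for installed plugins that fall inside an advisory's affected range."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["slug"])
        if version is None:
            continue  # plugin not installed
        if adv.get("introduced_in") and compare(version, adv["introduced_in"]) < 0:
            continue  # older than the first affected release
        fixed = adv.get("fixed_in")
        if fixed is not None and compare(version, fixed) >= 0:
            continue  # already on a patched release
        action = f"update to {fixed} or later" if fixed else "no fix published: deactivate or replace"
        findings.append({"slug": adv["slug"], "installed": version, "id": adv["id"], "action": action})
    return findings

# Constructed sample data: slugs, versions and advisory ids are placeholders.
INSTALLED = {"example-forms": "1.9.4", "example-gallery": "2.0",
             "example-cache": "0.8", "example-seo": "3.1.0"}
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "slug": "example-forms", "fixed_in": "1.10.0"},
    {"id": "ADV-PLACEHOLDER-2", "slug": "example-gallery", "fixed_in": "2.0.0"},
    {"id": "ADV-PLACEHOLDER-3", "slug": "example-cache", "fixed_in": None},
    {"id": "ADV-PLACEHOLDER-4", "slug": "example-seo", "introduced_in": "3.2", "fixed_in": "3.2.5"},
    {"id": "ADV-PLACEHOLDER-5", "slug": "not-installed", "fixed_in": "1.0"},
]

if __name__ == "__main__":
    for finding in match_advisories(INSTALLED, ADVISORIES):
        print(finding)
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 1.9.4 above 1.10.0 and miss the first finding.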
We’ve saved the best for last. The security tests are what set Security Ninja apart from similar plugins. These tests are a culmination of years of work and real-life issues that will give you an in-depth insight into the inner workings of your site for everything, across the board, not just regarding security.
Over 50 tests can be run, and the reports, while comprehensive, are very easily understood. They’re even color-coded so you can instantly detect the problematic ones. The tests include everything from checking whether your installation is up to date to checking your password strength. Each test, along with the result, comes with extra details and tips you can access, for both passed and failed tests.
Just like the Vulnerability Scanner, Security Testing is available to both free and premium users. However, while everyone can run the tests, premium users have added features when it comes to interaction with the results. Some failed tests can be instantly resolved using the auto-fixer which is a premium feature.
Security Ninja and MainWP
Many website managers who handle multiple sites have resorted to using the MainWP dashboard, which lets them keep track of all of them from a single location. The devs behind Security Ninja have stepped up their game and made a MainWP extension that gives you an overview of all your sites with Security Ninja activated on them. You’ll need to install the extension only on your master site, so you won’t even have to go through the hassle of individual installations.
Using the extension, you’ll save yourself a bunch of time, because you’ll get to check for vulnerabilities and run tests (just like the modules) for your sites without having to access the backend of each one, which can be tedious if you’re running several at once. Of course, if you’re alerted about serious issues, you’ll want to go check them out first-hand, but most of the time, when things are running smoothly, an overview check is just what you need.
Website security is not something you can just take lightly and hope everything turns out fine. While most processes can, and should, be automated, it still represents both a time and a financial investment that’s crucial for a successful site. Security Ninja is the perfect tool because it supports both a hands-on and a hands-off approach to the issue. After the plugin is set up, it requires minimal manual input; however, if you decide to micromanage the various aspects, a slew of customizable settings and options opens up.
With a free version available to anyone and a well-built demo, you can get a great insight into everything that’s on offer, and we’re certain you’ll quickly follow up with the pro version that unlocks all the features.