Having just installed a good security plugin on my WP site it is amazing to see how many requests are being made from potential hackers/spammers!
There is no website that is safe from hackers, we see news stories of major sites, even tech sites being hacked and passwords and personal data being stolen.
There are two security plugins I have tried in the recent past, the first was WordFence.
WordFence is easy to set up and it talks you through setting up things like the firewall and it learns over a few days how to best protect your site. You get notifications when there are issues and you run scans of your site to find issues.
WP Cerber Security Plugins
The second is WP Cerber. WP Cerber I found comes across as more complicated to set up however I found it to be more interactive and informative. When you get someone attempting to hack into your site, or trying brute force or spam comment, WP Cerber gives you their IP address, the URL of the file or page they were accessing or requesting to and gives you an easy option to blacklist the IP or a range in that network. Click on an IP once and you can see all the request or hack attempts they have made. Look at what they are targetting and then you can see this is a frequent IP used and so you can blacklist it in one click.
Ive noticed brute force atttempts on mostly wp-admin or wp-login pages on WordPress sites. Another file targetted frequently is xmlrpc.php. Now there are some people that say the best thing is to just delete or block access to this file but it is actually used by certain services/features/plugins so maybe not the best option. There are WordPress plugins that can modify access to xmlrpc.php but you need to be sure you know what they do and are compatible with your site.
WP Cerber also has a Site Integrity scanner it will scan all your files and let you know if there are any issues, but the problem I found is that you get alot of false positives for examples if a WordPress core php file has been modified even in the slightest but this maybe has been done by your theme or a plugin. Also several times it has shown some issue and then Ive opened the PHP file in an editor and not found that issue anywhere. So something not quite right in the way it works or how I use it.
Update – I switched another site from Wordfence to Wp Cerber. The reason is that each of these security plugins have different settings and if you really want the best security you need to tweak and also experiment a bit with these. For example if you are using WP Cerber with a cache plugin or a CDn you need to make sure the plugin is correctly tracking IPS’s you need to make sure it sees your own logged IP correctly if not then you change settings and also do some DNS updates on your domain. Another setting I found useful was that it allows you to change the actual login URL which are lot of time exploited by brute force hackers.
Have a look at these two security plugins yourself and see which one you are more comfortable using as they both have a good reputation it depends on how for example automated they are if you dont have much time.