I am in charge of maintaining websites for large corporations and global companies built with WordPress.
Especially right after I took over the global companies' sites, there were many DDoS attacks that put the servers under heavy load and made the sites unreachable, so I had to investigate the cause and take countermeasures.
Although I was not in charge of it, I also saw a friend's site whose code had been tampered with, with the WordPress installation itself destroyed.
I have therefore re-examined security and summarised the measures that I think should be taken at the very least.
Translated with DeepL.com (free version)
Three factors of security
The international standard ISO/IEC 27000 defines information security as 'the preservation of confidentiality, integrity and availability of information'.
Confidentiality means ensuring that only those who need the information can access it.
Integrity means ensuring the data is correct and protected against unauthorised change or tampering.
Availability means ensuring that services are accessible and usable when they are needed.
Protecting these three properties is what security means.
Cybersecurity framework
The National Institute of Standards and Technology (NIST) publishes the NIST Cybersecurity Framework (NIST CSF) as guidance for organising cybersecurity work. Version 2.0 arranges it into six functions.
Govern (GV) sets strategy and policy and supports the decisions below on which measures should be prioritised.
Proactive measures
Identify: identify assets and the risks to them
Protect: put safeguards in place against those risks
Detect: notice attacks and incidents as they occur
Reactive measures
Respond: act on what has been detected
Recover: restore the original (normal) state quickly
WordPress security plugins
Two plugins are the popular choices for WordPress.
Between them they cover almost all of the proactive (Identify, Protect, Detect) and reactive (Respond, Recover) measures:
・Wordfence Security
・Solid Security
Going by active installation counts on WordPress.org, Wordfence Security is the more widely installed of the two.
Common essential functions
Most WordPress sites get infected or broken into through vulnerable plugins, themes or WordPress core files.
Functions that a security plugin must have include:
・Malware scanning
・Firewalls
・IP blocking
・Brute force attack protection
・Two-factor authentication (2FA)
・Activity log reporting
・Backup functions
Comparison of Wordfence Security and Solid Security
There are no major functional differences between the two plugins, but the details are sorted out below.
Malware scan
Both have this feature.
Wordfence has a malware scanner, but the free version is only about 60% effective. Malware signatures are also delivered with a 30-day delay, so you need to upgrade to receive them in real time.
Solid Security scans plugins, themes, WordPress core, Google Safe Browsing status and passwords, and runs automatically once enabled in the settings. However, the scan time cannot be specified, so if you cannot control when the load falls it is hard to guarantee availability.
Malware removal
Solid Security does not have this feature.
Wordfence offers to remove or repair infected files, but only on a paid plan, which is rather annoying.
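What a scanner of this kind does underneath is a file-integrity check: hash every file, compare against a trusted baseline, and flag anything changed, added, or sitting where it should not (PHP under wp-content/uploads is a classic webshell drop). The block below is an added example (not the page's code and not either plugin's) that builds a constructed miniature WordPress tree, tampers with it, scans, and quarantines the hits instead of deleting them. The file names, the simulated backdoor text and the quarantine directory are assumptions for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_manifest(baseline, current):
    """Compare a trusted baseline with a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f]),
    }


def php_in_uploads(manifest):
    """wp-content/uploads should only hold media; executable PHP there is suspicious on its own."""
    return sorted(
        f for f in manifest
        if f.startswith("wp-content/uploads/") and f.lower().endswith(PHP_SUFFIXES)
    )


def quarantine(root, rel_path, quarantine_dir):
    """Move a flagged file out of the web root (rather than deleting it) so it can be examined."""
    dst = Path(quarantine_dir) / rel_path
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(Path(root) / rel_path), str(dst))
    return dst


def scan(root, baseline):
    """Integrity diff plus the uploads check; 'flagged' is the list of files to act on."""
    current = build_manifest(root)
    report = diff_manifest(baseline, current)
    report["php_in_uploads"] = php_in_uploads(current)
    report["flagged"] = sorted(set(report["modified"]) | set(report["added"]) | set(report["php_in_uploads"]))
    return report


def demo():
    """Constructed scenario: clean install -> baseline -> simulated compromise -> scan -> quarantine."""
    work = Path(tempfile.mkdtemp())
    root, qdir = work / "htdocs", work / "quarantine"   # assumed layout for the example
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '6.5';\n",
        "wp-content/uploads/2024/03/photo.jpg": b"\xff\xd8\xff fake jpeg bytes\n",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    baseline = build_manifest(root)  # take this from the known-clean install and keep a copy off-server

    # Simulated compromise (inert text): a backdoor appended to a core file, a webshell in uploads.
    with open(root / "wp-includes/version.php", "ab") as fh:
        fh.write(b"eval(base64_decode($_POST['x']));\n")
    (root / "wp-content/uploads/2024/03/shell.php").write_bytes(b"<?php system($_GET['c']);\n")

    report = scan(root, baseline)
    report["quarantined"] = [quarantine(root, f, qdir).name for f in report["flagged"]]
    report["after_cleanup"] = sorted(build_manifest(root))
    shutil.rmtree(work)
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats a practitioner would add: the baseline must come from a known-clean state and be stored where the web server user cannot write, otherwise an attacker with file access simply regenerates it; and a quarantined core file leaves a gap, so after quarantine the pristine copy should be restored from the official WordPress package for that version.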
Firewall
Wordfence has a good firewall with two modes, learning mode and protection mode. When Wordfence is installed, the firewall starts in learning mode, in which it observes normal website traffic and how visitors pass through it. Once switched to protection mode it can then block unwanted traffic and stop threats without blocking legitimate use.
Solid Security lets you write your own firewall rules. These block attackers on criteria you choose, with fine-grained control over the firewall settings, such as IP management and automated configuration.
Because it feels much like manipulating iptables, Linux users may find it familiar.
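To make the iptables comparison concrete, here is an added example (not code from the page or from Solid Security) of a small ordered rule set evaluated first-match-wins, with a monitor mode that mirrors the "learn before you enforce" idea described for Wordfence. The rules, the assumed office range 198.51.100.0/24 and the sample requests are constructed for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    src: Optional[str] = None     # source CIDR; None matches any address
    method: Optional[str] = None  # HTTP method; None matches any
    path: Optional[str] = None    # regex tested against the request path (query string removed)
    comment: str = ""             # the reason reported when the rule fires


# Constructed rule set; 198.51.100.0/24 is an assumed office range. Order matters.
RULES = [
    Rule("deny", src="203.0.113.7/32", comment="brute-force source from the log review"),
    Rule("deny", method="POST", path=r"^/xmlrpc\.php$", comment="XML-RPC is not used by this site"),
    Rule("deny", path=r"^/wp-content/uploads/.*\.php$", comment="no PHP is ever served from uploads"),
    Rule("allow", path=r"^/wp-admin/admin-ajax\.php$", comment="front-end themes need admin-ajax"),
    Rule("allow", src="198.51.100.0/24", comment="office range reaches everything"),
    Rule("deny", path=r"^/wp-admin(/|$)", comment="admin only from the office"),
    Rule("deny", path=r"^/wp-login\.php$", comment="login only from the office"),
]

# Constructed sample requests as (client ip, method, path).
SAMPLE_REQUESTS = [
    ("198.51.100.10", "GET", "/wp-admin/"),
    ("192.0.2.5", "GET", "/wp-admin/"),
    ("192.0.2.5", "POST", "/wp-admin/admin-ajax.php?action=heartbeat"),
    ("203.0.113.7", "GET", "/"),
    ("192.0.2.5", "GET", "/2024/03/hello-world/"),
    ("192.0.2.5", "POST", "/xmlrpc.php"),
    ("2001:db8::1", "GET", "/wp-login.php"),
]


def compile_rules(rules):
    """Parse CIDRs and regexes once, so a malformed rule fails at load time, not per request."""
    return [
        (r,
         ipaddress.ip_network(r.src, strict=False) if r.src else None,
         re.compile(r.path) if r.path else None)
        for r in rules
    ]


def evaluate(compiled, ip, method, path, default="allow"):
    """First matching rule wins (iptables-style chain traversal); returns (action, reason)."""
    addr = ipaddress.ip_address(ip)
    path = path.split("?", 1)[0]
    for rule, net, pat in compiled:
        if net is not None and addr not in net:  # an IPv6 client never matches an IPv4 CIDR
            continue
        if rule.method is not None and rule.method != method:
            continue
        if pat is not None and not pat.search(path):
            continue
        return rule.action, rule.comment
    return default, "default policy"


def monitor(compiled, requests):
    """Learning/monitor mode: count which rule would deny each request without enforcing,
    so false positives (a plugin that POSTs to wp-admin, say) show up before you switch on blocking."""
    hits = Counter()
    for ip, method, path in requests:
        action, reason = evaluate(compiled, ip, method, path)
        if action == "deny":
            hits[reason] += 1
    return hits


if __name__ == "__main__":
    compiled = compile_rules(RULES)
    for ip, method, path in SAMPLE_REQUESTS:
        print(ip, method, path, "->", evaluate(compiled, ip, method, path))
    print(monitor(compiled, SAMPLE_REQUESTS))
```

Keeping the specific denies ahead of the broad office allow is the same discipline as in an iptables chain: a rule that matches earlier shadows everything after it, and the monitor counts are how you find out what a new rule would have shadowed before it goes live.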
Summary
In conclusion, my personal recommendation is Solid Security.
The reasons are that its UI is easier to understand and less prone to human error than Wordfence's, and that it is a lighter-weight plugin.
Wordfence is often blamed for slowing sites down, but if you don't get a lot of traffic, or your server has the capacity to absorb it, I think it is a good choice too.
Plugin settings are part of security, of course, but sites are above all hit through vulnerabilities, so a regular monitoring routine and prompt updates matter more than any plugin.