Top plugins every WordPress site needs

Craig Johnson looks at the best WordPress plugins covering security, search engine optimization and performance.

We look at the best WordPress plugins for security, SEO and performance

So you've just finished setting up your brand spanking new WordPress site! Or maybe you have one that you've been using for quite some time now. Either way, there are three things at the top of my list I want to get handled: security, search engine optimization and performance.

If you're anything like me, you just picked the highest-rated, most-installed plugins and called it a day.

But then I said, no! No more! Today is not the day I call it a day: today I will seek out four or five plugins for each category and take meticulous notes to determine which truly are the best plugins for security, SEO and performance optimization. Here is the result of that endeavour.

Security

I selected five of the most highly rated plugins available for WordPress: some are really popular, some not so much but still very effective. Here is what I ended up with.

While evaluating the various plugins, some features stood out as common amongst all of them.

  • Login security: typical features here included limiting the number of failed login attempts, setting how long a user is locked out, and enforcing strong passwords.
  • File change detection scan and email notifications: notifies the admin when files in the WordPress directory change.
  • IP blacklist to lock out: allows you to create a list of IPs to lock out and prevent from accessing your website.
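To make the first of these concrete, here is the failed-login counter and lockout window written as a small must-use plugin. It is an added illustration, not code from any plugin reviewed in this article; the threshold of 5 attempts, the 15-minute window and all `example_` names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 *
 * Added illustration of the "failed login attempts + lockout time" feature;
 * not code from any plugin reviewed here. Save as
 * wp-content/mu-plugins/example-login-lockout.php and it is active at once.
 * The limits below are assumed values.
 */

define( 'EXAMPLE_LOCKOUT_MAX_ATTEMPTS', 5 );                 // assumed: lock after 5 failures
define( 'EXAMPLE_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );  // assumed: 15-minute lockout

/**
 * Transient key for the calling client. Keyed on REMOTE_ADDR; behind a
 * reverse proxy substitute the header your proxy is trusted to set.
 */
function example_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5( $ip );
}

/**
 * Count a failure. Each failure re-arms the expiry, so the window slides:
 * a client that keeps trying while locked out stays locked out.
 */
function example_lockout_record_failure( $username ) {
    $key      = example_lockout_key();
    $attempts = (int) get_transient( $key ) + 1;  // get_transient() is false when unset
    set_transient( $key, $attempts, EXAMPLE_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

/** A successful login clears the counter for that client. */
function example_lockout_clear( $user_login, $user ) {
    delete_transient( example_lockout_key() );
}
add_action( 'wp_login', 'example_lockout_clear', 10, 2 );

/**
 * Refuse a locked-out client. Priority 50 runs after core's own
 * username/password checks (priority 20), so the refusal stands even
 * when the submitted credentials are correct; an early-priority return
 * would simply be overwritten by core's WP_User result.
 */
function example_lockout_check( $user, $username, $password ) {
    $attempts = (int) get_transient( example_lockout_key() );
    if ( $attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_locked_out',
            sprintf(
                'Too many failed logins. Try again in %d minutes.',
                EXAMPLE_LOCKOUT_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_check', 50, 3 );
```

Transients live in the options table unless a persistent object cache is installed, so the counter survives across requests without any extra storage. The one design choice worth noting is the filter priority: a lockout check placed before core's password check is silently overridden when the password is right, which is exactly the case an attacker who has guessed the password needs you to catch.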

But the devil is in the details. So without further ado…

Wordfence Security

Features:

  • Runs on your server and shows you, in real time, all the traffic hitting your server right now, including the non-human crawlers, feed readers and hackers that analytics tools can't track. Breaks the attackers into categories.
  • Includes Falcon Engine, the fastest WordPress caching system available, according to Wordfence.
  • Advanced Blocking is a feature in Wordfence that lets you block whole networks and certain types of web browsers. You'll sometimes find a smart attacker changes their IP address frequently to make the attack harder to identify and block, but usually those attackers stick to a certain network or IP address range. Wordfence lets you block entire networks using Advanced Blocking to easily defeat such attacks.
  • Scans for malicious URLs in comments and posts.
  • Scans your core files, themes and plugins against its repository to identify inconsistencies that may be vulnerabilities.
  • Scans for malicious files and malicious code in your entire WordPress base directory.
  • Free Firewall.
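The "scans against its repository" and "file change detection" features above both come down to comparing the files on disk with a known-good set of hashes. The script below is an added example of that idea, not Wordfence's code: it snapshots every file under a WordPress root as SHA-256 hashes and later reports what was added, removed or modified. The difference from Wordfence is the reference point: Wordfence compares against the official copies in the WordPress.org repository, while this compares against a snapshot you took yourself, so take the baseline right after a clean install or update. The paths shown are assumptions.

```php
<?php
/**
 * integrity-check.php: added example of file change detection, not code
 * from Wordfence or any other plugin reviewed here. Run from the shell
 * (paths are assumptions; point it at your own WordPress root):
 *
 *   php integrity-check.php baseline /var/www/html /root/baseline.json
 *   php integrity-check.php compare  /var/www/html /root/baseline.json
 *
 * Keep the baseline file outside the web root so an intruder who can
 * write to the site cannot also rewrite the reference hashes.
 */

/** Map of relative path => sha256 for every regular file under $root. */
function build_baseline( $root ) {
    $root  = rtrim( realpath( $root ), '/' );
    $files = array();
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel           = substr( $file->getPathname(), strlen( $root ) + 1 );
        $files[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $files );
    return $files;
}

/** Diff two baselines; returns added / removed / modified relative paths. */
function compare_baselines( array $old, array $new ) {
    $result = array( 'added' => array(), 'removed' => array(), 'modified' => array() );
    foreach ( $new as $path => $hash ) {
        if ( ! isset( $old[ $path ] ) ) {
            $result['added'][] = $path;
        } elseif ( $old[ $path ] !== $hash ) {
            $result['modified'][] = $path;
        }
    }
    foreach ( $old as $path => $hash ) {
        if ( ! isset( $new[ $path ] ) ) {
            $result['removed'][] = $path;
        }
    }
    return $result;
}

if ( PHP_SAPI === 'cli' && isset( $argv[3] ) ) {
    list( , $mode, $root, $store ) = $argv;
    if ( 'baseline' === $mode ) {
        file_put_contents( $store, json_encode( build_baseline( $root ), JSON_PRETTY_PRINT ) );
        echo "Baseline written to $store\n";
    } elseif ( 'compare' === $mode ) {
        $old  = json_decode( file_get_contents( $store ), true );
        $diff = compare_baselines( $old, build_baseline( $root ) );
        foreach ( $diff as $kind => $paths ) {
            foreach ( $paths as $p ) {
                echo strtoupper( $kind ) . "\t$p\n";
            }
        }
        // Non-zero exit on any change: run from cron with MAILTO set and the
        // report becomes the e-mail notification the plugins advertise.
        exit( array_sum( array_map( 'count', $diff ) ) ? 1 : 0 );
    }
}
```

Directories that legitimately churn (the uploads folder, cache directories) will show up on every run; either exclude them when building the baseline or accept the noise. A new `.php` file appearing under `wp-content/uploads` is precisely the kind of change worth an alert, so excluding uploads wholesale trades away signal.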

Downfalls:

  • You have to manually enable all security features, and it doesn't explicitly identify the important ones to enable. Not very user-friendly.
  • No feature to back up your database.

iThemes Security

Features:

  • Scans for issues, categorizes them by priority and offers fixes. You have to enable these fixes manually, but this is minor in the grand scheme of things.
  • Dashboard Away Mode: you can literally disable your WordPress dashboard while it is not in use. Use with caution and understanding.
  • Disable XML-RPC: your site will not be susceptible to denial-of-service attacks via the trackback/pingback feature.
  • Directory Browsing: prevents users from seeing a list of files in a directory when no index file is present; also disables file-writing permissions. Helps protect your sensitive website files from being tampered with.
  • Capable of doing daily scheduled backups of your website's database.
  • Allows renaming of the directory where WordPress files are kept to throw off would-be hackers; the same is possible for the prefix of your database tables.
  • Strong passwords can be enforced for different levels of users.
  • Protects upload directory: checks whether the uploads directory of your site allows direct execution of PHP files.

Downfalls:

  • Firewall is a paid feature.

Sucuri Security - Auditing, Malware Scanner and Security Hardening

Features:

  • Free malware scan: offers recommendations that the user implements manually. Scans can be scheduled up to 3 times a day.
  • Protects upload directory: checks whether the uploads directory of your site allows direct execution of PHP files.
  • Restrict wp-content access: blocks direct access to any PHP file located under the content directory of the site. Similar in function to restricting access to sensitive WordPress files on your server.
  • Able to generate new security keys for passwords at any time. This makes hacking your website passwords significantly more challenging.
  • Detailed login information for all users: login activity, password, IP address.
  • Option to re-install non-premium plugins. Why would you want to do this? To get rid of infections that are affecting, or have affected, your website.
  • Ability to run various tasks provided by plugins at any time or on a schedule, such as cron jobs or a cache clean-up. Not quite a security feature but neat nonetheless.
  • Able to edit the .htaccess file (advanced users) directly from the dashboard and view error logs easily.
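Both iThemes and Sucuri list a check of whether the uploads directory will execute PHP. The check is simple to reproduce yourself, and the example below does so; it is added here and is not either plugin's code. It writes a uniquely named PHP file into the uploads directory, fetches it over HTTP and looks at whether the server executed it or returned the source. The `example_` function name is an assumption; `wp_upload_dir()`, `wp_remote_get()` and `wp_generate_password()` are standard WordPress functions.

```php
<?php
/**
 * Added example of the "protects upload directory" check, not code from
 * iThemes or Sucuri. Run inside WordPress, e.g. with WP-CLI:
 *
 *   wp eval-file uploads-probe.php
 *
 * Returns true when PHP placed under uploads is executed by the web
 * server (the dangerous case), false when it is served as plain text,
 * or a WP_Error if the probe could not be written or fetched.
 */
function example_uploads_execute_php() {
    $upload = wp_upload_dir();                              // 'basedir' and 'baseurl'
    $name   = 'probe-' . wp_generate_password( 16, false ) . '.php';
    $path   = trailingslashit( $upload['basedir'] ) . $name;
    $url    = trailingslashit( $upload['baseurl'] ) . $name;
    $token  = wp_generate_password( 16, false );            // alphanumeric only

    // The probe prints the token only if PHP runs it; otherwise the raw
    // source, '<?php' tag and all, comes back in the response body.
    $written = file_put_contents( $path, "<?php echo 'EXEC:$token'; ?>" );
    if ( false === $written ) {
        return new WP_Error( 'probe_write_failed', "Could not write $path" );
    }

    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    unlink( $path );                                        // always remove the probe

    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $body = wp_remote_retrieve_body( $response );
    return false !== strpos( $body, 'EXEC:' . $token );
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    $result = example_uploads_execute_php();
    if ( is_wp_error( $result ) ) {
        WP_CLI::error( $result->get_error_message() );
    }
    WP_CLI::line( $result
        ? 'WARNING: PHP files under uploads are executed'
        : 'OK: PHP files under uploads are served as text' );
}
```

If the result is `true`, the usual fix on Apache is a `.htaccess` in `wp-content/uploads` that denies requests for `*.php` (on 2.4, a `<FilesMatch "\.php$">` block containing `Require all denied`), or the equivalent `location` rule on nginx; run the probe again afterwards to confirm. If uploads are served through a CDN, `baseurl` may point at the CDN rather than your origin, in which case fetch the origin URL directly so the check exercises your web server and not the cache.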

Downfalls:

  • Firewall is a paid feature.
  • No option for database backups.

BulletProof Security

Features:

  • One-click setup wizard, which scans your website for issues and fixes them automatically.
  • .htaccess file security status: what's right and wrong with your website. Editor included for advanced users.
  • Full & partial DB backups, manual & scheduled DB backups, email zip backups, automatically delete old backups.
  • Tools to change & check your WordPress database table prefix.
  • Security log that tracks blocked hackers, spammers, scrapers, bots, etc. HTTP 400, 403 & 404 logging.
  • Protects the root folders from attacks using the Root Folder BulletProof Mode feature; same for the wp-admin folder. It isn't stated how exactly it protects your folder, but the assumption is that it blocks direct access to these files and folders.

Downfalls:

  • Firewall is a paid feature.
  • Features such as brute-force login protection and XML-RPC DDoS protection are not included with the plugin but instead offered as bonus code. The instructions to implement them are straightforward, but really, why am I doing this?

All In One WP Security & Firewall

Features:

  • Firewall included.
  • Dashboard gives a brief rundown of all the critical components that need fixing, users currently logged in and blocked IPs.
  • Automatic backups can be scheduled by weeks, days and hours.
  • Able to change the database table prefix to reduce the chances of intrusion.
  • Cute security points system (cosmetic). Also lists features in terms of how advanced the changes will be.
  • Scans important WordPress files and recommends changes in permissions. Restricts access to WP default files as well.
  • Includes CAPTCHA on the WP registration page.
  • Disable XML-RPC: your site will not be susceptible to denial-of-service attacks via the trackback/pingback feature.
  • Disable Trace and Track: an HTTP Trace attack (XST) can be used to return request headers and grab cookies and other information. This technique is usually used together with cross-site scripting (XSS). Disabling Trace and Track on your site helps prevent HTTP Trace attacks.
  • Proxy comment posting: this setting denies any request that posts a comment through a proxy server. By forbidding proxy comments you eliminate some spam and other proxy requests.
  • Advanced character string filter: an advanced character string filter to prevent malicious string attacks on your site, such as cross-site scripting (XSS).
  • Honeypot: this feature adds a special hidden 'honeypot' field to the WordPress login page. It is only visible to robots, not humans. Since robots usually fill in every input field on a login form, they will also submit a value for the hidden honeypot field. If that field contains a value when the form is submitted, a robot has most likely submitted it, and it is dealt with accordingly.
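Two of the items above, the login honeypot and "Disable XML-RPC", fit in one small must-use plugin, shown below as an added example rather than All In One WP Security's own code. The honeypot is a text input hidden from sighted users and screen readers; if it comes back non-empty the login is refused regardless of the credentials. The XML-RPC part carries a caveat worth knowing: WordPress's `xmlrpc_enabled` filter only gates methods that require a login, and `pingback.ping` does not, so the pingback denial-of-service vector is closed by removing the pingback methods through `xmlrpc_methods`. The field name and `example_` function names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Hardening
 *
 * Added illustration of the honeypot and XML-RPC items; not code from
 * All In One WP Security or any other plugin reviewed here. Save as
 * wp-content/mu-plugins/example-login-hardening.php.
 */

define( 'EXAMPLE_HONEYPOT_FIELD', 'example_website_url' );  // assumed field name

/** Print the trap field inside wp-login.php, hidden from humans. */
function example_honeypot_field() {
    $name = esc_attr( EXAMPLE_HONEYPOT_FIELD );
    // Off-screen rather than display:none, since some bots skip hidden inputs;
    // aria-hidden and tabindex=-1 keep keyboard and screen-reader users away.
    echo '<p style="position:absolute;left:-9999px" aria-hidden="true">'
       . '<label for="' . $name . '">Leave this field empty</label>'
       . '<input type="text" id="' . $name . '" name="' . $name
       . '" value="" tabindex="-1" autocomplete="off"></p>';
}
add_action( 'login_form', 'example_honeypot_field' );

/**
 * Reject the login if the trap was filled. Priority 50 runs after core's
 * password checks (priority 20), so a bot gets no session even when it
 * happens to hold valid credentials.
 */
function example_honeypot_check( $user, $username, $password ) {
    $is_post = isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === $_SERVER['REQUEST_METHOD'];
    if ( $is_post
         && isset( $_POST[ EXAMPLE_HONEYPOT_FIELD ] )
         && '' !== $_POST[ EXAMPLE_HONEYPOT_FIELD ] ) {
        return new WP_Error( 'example_honeypot', 'Login rejected.' );
    }
    return $user;
}
add_filter( 'authenticate', 'example_honeypot_check', 50, 3 );

/**
 * Disable the authenticated XML-RPC methods. This blocks credential
 * guessing through system.multicall but, on its own, not pingbacks,
 * because pingback.ping never calls login().
 */
add_filter( 'xmlrpc_enabled', '__return_false' );

/** Remove the pingback methods, which is what actually stops the pingback DoS. */
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );
```

To verify the XML-RPC half, request `xmlrpc.php` with a `system.listMethods` call after installing the file: the pingback methods should be absent from the response. If nothing on the site legitimately uses XML-RPC at all, denying `xmlrpc.php` at the web server is a simpler and cheaper control than either filter, since the request never reaches PHP.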

Downfalls:

  • Malware scan is a paid feature.
  • Does not provide you with a list of the vulnerabilities your website has and how to fix them. It is basically up to you to enable the features you want.

Next page: SEO plugins