WordPress Security: Some useful tools

Look to the right of the page and you’ll see the effect various personal issues have had on my free time. Couple that with needing to do a load of work on the house, and my capacity for looking after this website has become near zero. The problem is that administrative overhead didn’t go away – comments still needed to be moderated, and the number of failed login attempts was starting to become a worry. So one lunchtime at work I decided to look at some WordPress security tools. Ultimately I came up with two plugins and a useful website that are detailed below.

Two-factor Authentication: Needs work

The first thing I wanted to look at was getting some multi-factor authentication (2FA) on the site. Because there is no HTTPS support for CallamMcMillan.com (it’s not worth the cost of a certificate), 2FA would be an ideal mitigating control should the passwords ever be compromised. Looking through the list of plugins, most 2FA systems had only been installed a couple of hundred times, which did not inspire confidence. I therefore tried Clef, which had a decent install base. The plugin for WordPress seems to work fine, but the companion app for your phone is less intuitive and won’t do simple things like let you log into another site without first logging out – this means you can’t have multiple sessions open as I do.

My advice: If your use case is as simple as it comes, Clef may do the job for you, but it’s not perfect.

Wordfence: Useful but not cheap

After the failure of Clef to do what I needed, I went looking for a new 2FA product and came across Wordfence which bills itself as a sort of all-in-one WordPress security product. Wordfence also provides a way of dealing with all the failed logins, the vast majority of which come from outside the UK. Since I virtually never leave the country, and if I do, I have a VPN back to my house, this was an easy win. Except, that’s not the case, as while Wordfence is free to install, if you want 2FA or geo blocking, then you’ll have to pay. The pricing isn’t outrageous, but it’s not trivial either – about $50 per year if you do one site for one year at a time. Without a licence it still provides some nice logging and alerting features, which justifies its continued use on the site.

My advice: If you have a paying client, this is the perfect WordPress security package. Install and forget.

IP Geo Block: WordPress Security done right

Giving up on the idea of getting a working two factor solution, I instead went looking for some risk mitigation and found the IP Geo Block plugin. This is a simple plugin that lets me blacklist logins from certain countries. It’s free, and it works. All you have to do is install it and choose the countries to be whitelisted. In this case, the UK is whitelisted and the rest of the world is blocked (remember I have a VPN). In a stroke this cuts out 99% of the failed logins. If you’re running a site from a country such as China on the other hand, this is less likely to be of use for you since this is one of the main sources for failed logins. The plugin can also be used for comment blocking, but this functionality isn’t being used because of another tool at my disposal which is covered below.

My advice: For a basic level of WordPress security, this is hard to beat.

Splorp: Comment blocking

The site employs an open comment system – anybody can post without registration, but every post has to be moderated by me. That’s great, but a way is needed to ensure that the moderation queue remains small and manageable. If you’re drowning in spam comments, it can be hard to see the useful ones. This could be achieved by a plugin, but instead I am using the Splorp blacklist, which you copy into your Blacklist field, and it bins comments matching any of its terms. In the time I’ve been using it, no legitimate comments have been classed as spam, and only a couple of spam comments have been termed genuine. This counts as a win.

My advice: Not every solution has to be complicated. This one isn’t, and it works.
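A way to check a term list against comments you have already approved before pasting it into the Blacklist field, as an added example that is not code from this site, WordPress or the Splorp list. It models the matching WordPress describes for that field (one term per line, case-insensitive, matched inside words, checked against name, email, URL, content, IP and user agent); the dictionary keys, function names and sample data are constructed for illustration.

```python
import re

# Fields checked for each comment (per the WordPress settings-page description).
# The key names are hypothetical; adapt them to however you export comments.
FIELDS = ("author", "email", "url", "content", "ip", "user_agent")

def parse_terms(blocklist_text):
    """One term per line; surrounding whitespace and blank lines are ignored."""
    return [line.strip() for line in blocklist_text.splitlines() if line.strip()]

def first_match(comment, terms):
    """Return (term, field) for the first term found in any field, else None.

    Terms are literal, case-insensitive substrings, so a short term also
    matches inside longer, innocent words.
    """
    for term in terms:
        pattern = re.compile(re.escape(term), re.IGNORECASE)
        for field in FIELDS:
            if pattern.search(comment.get(field, "")):
                return term, field
    return None

def audit(terms, known_good):
    """List (index, term, field) for legitimate comments the list would bin."""
    hits = []
    for i, comment in enumerate(known_good):
        match = first_match(comment, terms)
        if match:
            hits.append((i, match[0], match[1]))
    return hits

# Constructed sample data, not taken from the Splorp list or from this site.
SAMPLE_LIST = "cheap-pills\n\npress\nspam-domain.example\n"
KNOWN_GOOD = [
    {"author": "Alice", "content": "Thanks, the VPN tip was useful."},
    {"author": "Bob", "content": "Does this work on WordPress multisite?"},
    {"author": "Carol", "url": "http://blog.example/", "content": "Nice post."},
]
SPAM = {"author": "x", "url": "http://SPAM-DOMAIN.example/buy", "content": "hi"}

if __name__ == "__main__":
    terms = parse_terms(SAMPLE_LIST)
    for hit in audit(terms, KNOWN_GOOD):
        print("would bin legitimate comment:", hit)
    print("spam verdict:", first_match(SPAM, terms))
```

Any term that `audit` reports against known-good comments is a candidate for removal or for replacement with a longer, more specific term.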

