[Update: Only a few months later, the plugin “Better WP Security” has recently been turned over to a new developer and completely rebuilt. It has also been renamed “iThemes Security” after the new developer. The new version of the plugin has not been tested by Mardesco, and may be dramatically different from the version tested in this review. We note a lot of users posting in the forums about errors caused by updating to the latest version. That new information casts doubt on this review’s conclusions. We apologize for any inconvenience.]
Better WP Security is a security plugin for WordPress. You can download it for free from the WordPress repository. Due to the nature of GPL-licensed, open-source software, the code for Better WP Security incorporates the best features of several other plugins, but has been optimized and combined into a single plugin along with some original functions by the plugin author, Bit51.
You can also install it from the plugin installation tab on your wp-admin.
First in a series
This is the first post in my new series of WordPress plugin reviews. For this exercise I began with a clean, stock installation of WordPress on my local testing server.
I’m going to test how each of the plugins display on a stock installation of the TwentyTwelve theme (version 1.3). Our concern here is plugins, so I’d rather not confuse the issue by potentially introducing theme incompatibility issues. I think we can all agree that all plugins should work with TentyTwelve. So let’s see what happens.
Installing Better WP Security
What’s the first thing you should do on a fresh installation of WordPress? Why, set up a security plugin, of course. I will start with Better WP Security.
I tested Better WP Security version 3.5.6 on WordPress version 3.7.1 running in debug mode on my test environment, with PHP display_errors on. The .zip file for version 3.5.6 is 1.06MB; and the folder weighs in at 3.33MB when uncompressed.
Plugin reputation
Better WP Security is one of the best-known security plugins. The plugin has been downloaded almost 1.2 million times, making it the most popular of the security plugins I will be reviewing. With an average user rating of 4.8 out of 5 stars, this plugin has a pretty stellar reputation.
I always check out the one-star reviews, to see what might cause the most problems. One user who gave the plugin just one star cited getting themselves locked out of their own website due to an incompatibility with the plugin W3TotalCache. Consider yourself warned. Others complain that the plugin developer doesn’t provide enough free support… personally, I don’t think that’s a valid criticism. If the plugin has hundreds of thousands of active users, the plugin developer cannot be reasonably expected to provide free support to every one of them. He’s already giving the software away for free. I do see some more reasonable complaints: people who say that this plugin caused their site to crash. It didn’t crash my test site; but every configuration is different, and sometimes certain plugins are incompatible with each other. And finally somebody states that the Ban feature is not functioning properly. That’s cause for concern. I was unable to test the Ban feature on my test site (see below) but I speculate that it would not be compatible with a cache plugin, because the cached page is served before the security plugin is activated.
First impressions
I activate the plugin and proceed to the “Security” menu which appears in the sidebar. The initial screen offers to create a backup and e-mail it to me. As it happens, my test environment does not have a mailserver, so I skip this step for now.
The next screen is the Better WP Security Dashboard tab. Like the previous screen, it has two buttons. One offers to let me either “Secure my site from basic attacks,” while the other is an option to set up a custom configuration.
I want to see what options are available before I go for broke, so I explore a bit first.
Behind the scenes
Changes to the database
When activated, the plugin creates two new database tables:
wp_bwps_lockouts and wp_bwps_log
All the information goes into wp_bwps_log. My log currently has just five rows in the database, but the columns are packed with so much data I can’t even fit it on my console.
It also creates new entries in the wp_options table. These records have the option_name keys bit51_bwps and bit51_bwps_data.
(If you were wondering, the option named blacklist_keys is the wordpress comment blacklist; not the Better WordPress Security blacklist.)
Options available
The “User” tab checks for known configuration vulnerabilities. My stock installation did not use the default username of “admin”; but it did create the administrative user in the database with a user ID of 1. Better WP Security offers me the option to “Change the Admin User ID.”
The next tab, “Away,” allows you to schedule a time when you won’t be logging in to your WordPress installation’s administrative area; and therefore, nobody should be logging in. In “Away mode,” all logins will be blocked until your scheduled return. Away mode looks like it could be a very powerful tool, with daily lockouts, which could help to prevent login attacks from people on the other side of the planet, who often launch their attacks in the middle of the night our time, which is the middle of the day for them. (However, note that many distributed botnet attacks are often automated, so they can take place at any time.)
I see from comments in the forums that this plugin may conflict with cache plugins. Not sure if that means this one prevents the other from working; or vice versa; or if the two together just cause the entire installation to explode (unlikely). So I perform some tests.
To check the effectiveness of the blacklist feature, first I enable a cache plugin, WP Super Cache. Then I go to the “Ban” tab, and ban myself (127.0.0.1).
Aw, shucks. They thought of that. “You cannot ban yourself. Please try again.” Well, it was worth a try.
My point with this is, if you are running a caching plugin, the static cached pages will be served to your visitors before your plugin is called. (See here for why I think this.) That’s why analytics programs use an AJAX call. The whole point of a server-side cache is that the page is not processed dynamically. If you want to log something unique about each page load, then either you can’t serve a statically cached page; or you have to log the activity through an AJAX call, there doesn’t seem to be a way around it.
Moving right along, the Ban tab allows you to ban users by IPV4 or by User Agent. It also has a blue button that says, “Add host and agent blacklist.” When enabled, this function adds a long list of banned user-agents to your site’s .htaccess file, and directs your server to show those visitors your website’s status 403 “Forbidden” message, rather than ever loading a requested page. (Note: you have to be connected to the Internet to use this function, as it downloads the list of banned user agents from HackRepair.com. However, this is just a one-time setup download.) Personally, I think banning known bad user agents is great. However, I also think the button is misleading, because this ban list does not ban any hosts, despite its label.
The “Dir” tab allows you to change the name of your content directory. This would probably break image paths on an existing site, but apparently you could change it on a new installation to prevent attackers from conveniently searching your directories for plugins and themes with known security vulnerabilities. However, it does not allow you to rename the wp-admin folder; that function is available through the “Hide” tab.
The “Backups” tab allows you to optionally schedule regular database backups. That way if your site ever becomes compromised, you can restore the data from a backup. This is not one of those WordPress XML files, either; this is a proper .sql file to completely restore your database from scratch. Of course, your typical WordPress user probably doesn’t know how to do this; but you could always send the file to your web host’s support department, or take the time and figure it out. This tab also allows you to store the backups locally (rather than sending them via e-mail) which is why I’m able to take a peek.
The “Prefix” tab tests whether your database installation is using the default WordPress table name prefix, and asks you to change it if you are.
The “Hide” tab makes common attacks much more difficult by obscuring the location of your login page, administrative area, and user registration link. (Not to be confused with the “hide” tab.)
The “Detect” tab bans users who generate too many 404s. Unless you’ve recently changed your site’s URL structure (and you haven’t yet implemented the redirects to get people to the right place) then a legitimate user should only rarely generate a single 404 error, if they follow a bad link. However, a bot or other attacker who is poking around your filesystem seeking security vulnerabilities on your website might generate dozens of 404 errors within a few minutes. The “Detect” tab allows you to instantly ban users who cross a certain threshold.
The “Detect” tab also allows you to enable “File change detection.” When enabled, this system effectively makes a list of all the files in your website’s directories, and notes the file size and hash value of each file. BWPS then scans your filesystem for changes once every 24 hours. If there is a change to the filesystem, you will see an alert, either presented at the top of the screen when you log in to your wp-admin, or e-mailed to you depending on your preferences. This is intended to let you know if an attacker has compromised your system, for example by inserting a back door into your core files. Please note that a system like this will result in a large number of false positives: for example, any time you upload a photo, or if you install a new plugin or theme; not to mention every time there is an update for the WordPress core or any of your themes or plugins.
The “Login” tab incorporates functionality similar to the “Limit Login Attempts” plugin. (The wonders of open source, right? One plugin can incorporate another.) I used to use the “Limit Login Attempts” plugin, before it turned out to have a vulnerability that failed to block attacks over XML-RPC; and before distributed botnets rendered IP-based lockouts effectively pointless.
The SSL tab allows you to enforce SSL, if your site has it enabled. (Note: if you haven’t paid for an expensive security certificate on your server, then enabling this option will break your site.)
The Tweaks tab recommends a long list of security fixes, and allows you to selectively implement them from the interface as you like.
The Logs tab shows all logged events. This includes 404 errors; failed login attempts; lockouts; and a list of all changed files.
Finally, let’s see what happens if we click that blue button on the BWPS dashboard, the one that offers single-click protection against most known attacks.
It says, “Your website is now protected from most attacks.” It then lists a total of 21 potential vulnerabilities, and shows me that I’m green for just 5 of them. Hmmm…
The public-facing result
Better WP Security does not change the generated source code for a typical WordPress page. Neither a typical visitor not an attacker would be able to immediately tell that this plugin was installed and active.
Uninstalling
Deactivation does not remove the database tables. In fact deactivating the plugin does not seem to make major changes to the system. However, for reasons I can’t explain, deactivation did cause an error in WP Super Cache.
Upon deletion, the plugin completely cleans up after itself. The log and lockout tables are deleted from the database. The plugin options are deleted from the wp_options table in the database. It even removes the deny rules it had added to my .htaccess file. This is admirable, because I’ve worked with a lot of plugins that are not nearly so thoughtful.
Assessment
Better WP Security will strengthen your website’s defense against attacks. If you are not yet using a security plugin on your website, or if you are only using one of the old login protection security plugins that relies on IP logging for lockout-based security measures, then I would recommend implementing Better WP Security to protect your website from malicious activity.
How does this plugin compare to other WordPress security plugins? I don’t know yet. I’ll review several of them individually, and then I’ll write up an overall comparison, in which I’ll select the one I like best.