- Aug 21, 2014
- by Brad Litwin
When searching through all of the potential plugins to install on your WordPress site, you may notice that many of the popular ones have to do with security. It may be tempting to let a plugin handle all of your site's security needs, but security plugins forget one important fact about the web: if your site is too slow to navigate, people won't visit it.
Most security plugins add lots and lots of rules to your .htaccess file, which the web server has to parse on every request (even for static .html files), because Apache re-reads .htaccess files on each request instead of loading them once at startup. The longer .htaccess gets, the slower the site gets. I've seen as many as 900 rules in a single .htaccess file from WordPress security plugins; needless to say, this site was one of the slowest that I have ever seen. There are better ways to secure a WordPress site. When security plugins are not writing hundreds of .htaccess rules, many of them burn large amounts of CPU checking every visitor against long lists of bots and IP addresses of potential attackers. They also write to log files constantly, which eats into your server's disk I/O. If it has "Security" in the name, chances are that it will slow down your site.
How do you secure your site without security plugins?
The simplest and most effective way to secure your site is to use a strong admin username and password. Most of the time, the username for the site admin is, drumroll please... "admin". Using the same admin username as everybody else makes it easy for botnets to break into your site, since all they need to do is guess your password (which is probably "pass" or "password"... just kidding, right?) and they're in. If your site still has an "admin" account, create a new administrator with a different username, log in as that user, and delete "admin", reassigning its posts to the new account. A strong password is long, random and not reused anywhere else; let a password manager generate and remember it.
Moving your login page is the next easiest way to keep bots away from your login form, since most of them only ever try the default /wp-login.php. You can use the "Rename wp-login.php" plugin to change the URL of your login page; once it is installed, you set the new slug in wp-admin (Settings > Permalinks > Login url), and you can name it anything you want. So if you really want, your login page can be http://example.com/BotsCanNeverFindMyLoginPage/. Keep in mind that this only hides the page from bots that scan the default path; it is no substitute for a strong password, and anyone who learns the new URL is right back to guessing credentials.
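The bot behaviour described above shows up plainly in the web server's access log: a handful of IP addresses POSTing to /wp-login.php over and over, and, once the login page has been renamed, the same bots hitting the old path and getting 404s. The script below is an added example (not code from the original post or from any plugin) that pulls both signals out of Apache combined-format log lines. The log lines, IP addresses and the renamed login slug are constructed for illustration, and the five-attempt threshold is an assumed cutoff you would tune to your own traffic.

```python
"""Spot brute-force login attempts against wp-login.php in Apache access logs.

Added example for this post, not code from the original article or from any
plugin. The log lines in SAMPLE_LOG are constructed for illustration: the IPs
come from the RFC 5737 documentation ranges and the renamed login slug is made up.
"""
import re
from collections import Counter

# One Apache "combined" log line looks like:
# 203.0.113.5 - - [21/Aug/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3187 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

DEFAULT_LOGIN = "/wp-login.php"   # the path every WordPress bot tries first


def _line(ip, method, path, status):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [21/Aug/2014:10:00:01 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # a bot hammering the default login form with seven credential submissions
    [_line("203.0.113.5", "POST", DEFAULT_LOGIN, 200) for _ in range(7)]
    # a real user: loads the form once, submits once, gets redirected to wp-admin
    + [_line("198.51.100.23", "GET", DEFAULT_LOGIN, 200),
       _line("198.51.100.23", "POST", DEFAULT_LOGIN, 302)]
    # a bot still knocking on the old path after the login URL was renamed
    + [_line("192.0.2.77", "POST", DEFAULT_LOGIN, 404),
       _line("192.0.2.77", "POST", DEFAULT_LOGIN, 404)]
    # the admin using the renamed login page (slug is an assumption)
    + [_line("198.51.100.23", "GET", "/BotsCanNeverFindMyLoginPage/", 200),
       "this line is corrupt and must be skipped, not crash the parser"]
)


def parse_line(line):
    """Return (ip, method, path, status) or None for a line that does not parse.
    Query strings are dropped so /wp-login.php?action=lostpassword still matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def login_posts_by_ip(lines, login_path=DEFAULT_LOGIN):
    """Count credential submissions (POSTs) to the login path per client IP.
    GETs are only page loads, so they are ignored."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, _status = parsed
        if method == "POST" and path == login_path:
            counts[ip] += 1
    return counts


def suspicious_ips(lines, threshold=5, login_path=DEFAULT_LOGIN):
    """IPs with at least `threshold` login POSTs (threshold is an assumed cutoff:
    a human rarely needs five tries, a bot never stops at five)."""
    counts = login_posts_by_ip(lines, login_path)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def dead_path_hits(lines, path=DEFAULT_LOGIN):
    """Requests to `path` that got a 404. After renaming the login page this is
    the bot traffic that now hits nothing, which is exactly what you want to see."""
    return sum(
        1 for p in map(parse_line, lines)
        if p is not None and p[2] == path and p[3] == 404
    )


if __name__ == "__main__":
    print("login POSTs per IP:", dict(login_posts_by_ip(SAMPLE_LOG)))
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
    print("404s on old login path:", dead_path_hits(SAMPLE_LOG))
```

Run it against a real log with `login_posts_by_ip(open("/var/log/apache2/access.log"))` to see who is actually knocking; the IPs it flags are candidates for a firewall block, which costs nothing per request, unlike a plugin that re-checks every visitor in PHP.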
Stay away from plugins and themes that allow arbitrary file uploads. Some themes allow PHP files to be uploaded and then executed, which hands an attacker the ability to run their own code on your server. In general, be careful when choosing plugins and themes. Also, visit our Knowledge Base to learn more about how to secure your WordPress site, and check out how to optimize your WordPress site with A2 Optimized. And if you really need to use a security plugin, check out our helpful Knowledge Base articles on configuring WordPress security plugins.
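The two server-side points in this post, the per-request cost of .htaccess and the danger of uploaded PHP being executed, can both be handled in the Apache virtual host instead of in a plugin. The fragment below is an added example, not configuration from the original post or from any plugin: it moves the WordPress rewrite rules into the vhost and turns off .htaccess lookups with `AllowOverride None`, so Apache parses the rules once at startup rather than on every request, and it refuses to serve anything PHP-like from the uploads directory, so an uploaded shell is just a dead file. It assumes Apache 2.4, mod_rewrite, a site at example.com installed under /var/www/example.com, and that you can edit the vhost (on shared hosting you usually cannot, and the .htaccess approach is all you have).

```apache
# Added example, not from the original post. Assumes Apache 2.4 with
# mod_rewrite, and a WordPress install under /var/www/example.com.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    <Directory /var/www/example.com>
        # Disable .htaccess entirely: Apache stops checking for the file on
        # every request, and any rules a plugin writes there are ignored.
        AllowOverride None
        Require all granted

        # The standard WordPress permalink rules, which normally live in
        # .htaccess, parsed once here instead of per request.
        RewriteEngine On
        RewriteBase /
        RewriteRule ^index\.php$ - [L]
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
    </Directory>

    # Uploads are data, never code. Deny anything with a PHP-style extension
    # anywhere in the name, so shell.php and shell.php.jpg both get a 403
    # (the latter matters when PHP is wired up with AddHandler, which looks
    # at every extension in a file name, not just the last one).
    <Directory /var/www/example.com/wp-content/uploads>
        <FilesMatch "\.ph(p[0-9]?|tml|ar)(\.|$)">
            Require all denied
        </FilesMatch>
    </Directory>
</VirtualHost>
```

After editing, run `apachectl configtest` and reload Apache, then confirm the rewrite rules still work by loading a pretty-permalink post and confirm the uploads rule works by requesting a harmless test file such as /wp-content/uploads/test.php and expecting a 403. Remember that with `AllowOverride None` a plugin that silently writes to .htaccess no longer has any effect, which is the point, but also means any rule you did want from it has to be copied into the vhost by hand.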