Recommended security plugin for ClassicPress

Web242 · December 9, 2019, 11:44pm

Hi,
For WordPress sites we use WordFence. Obviously that is not going to work well with ClassicPress.

What is the recommended security plugin to install for ClassicPress and help keep sites secured?

Cheers
Avrom

ozfiddler · December 9, 2019, 11:50pm

I use Shield Security – Smart Bot Blocking & Intrusion Prevention – WordPress plugin | WordPress.org on all my sites

Paul has made a commitment to support CP and it does a great job. It recognises all the CP files in the scans.

Avrom, you might want to check out this thread where I am keeping track of the more important plugin options. "Must Have" Plugins List

Web242 · December 9, 2019, 11:52pm

Awesome, thanx!

1stepforward · December 10, 2019, 9:44am

I’m moving my sites over to Shield too and so far so good.

joyously · December 10, 2019, 2:29pm

Have you tried NinjaFirewall?

1stepforward · December 10, 2019, 5:15pm

I haven’t personally @joyously.

As it’s a WAF, I like the theory behind the way it works - i.e. traffic hits NinjaFirewall before it hits WordPress / ClassicPress, so on that basis it does sound interesting.

Is this something you use? How have you found it?

And have they said anything about supporting CP?

joyously · December 10, 2019, 6:10pm

I put it on one client WP 4.9 site, but they haven’t really populated the site yet, so I don’t know much about it.

Simone · December 10, 2019, 6:16pm

Not a plugin, but apache mod_security is a big help for security.

1stepforward · December 10, 2019, 6:43pm

I was just looking at NinjaFirewall in more detail and spotted this post on the Plugin Vulnerabilities site. That makes me a bit wary of it.

(Incidentally, I see that ClassicPress has its own subscription on the PV site now https://www.pluginvulnerabilities.com/product/plugin-vulnerabilities-subscription-for-classicpress/)

Agree, along with things like fail2ban and CSF/LFD. Server security is topmost priority for me but I still always add a security plugin in WP/CP.

Simone · December 10, 2019, 7:04pm

Mod_security, fail2ban, ImunifyAw for plesk, scheduled checks with clamav and maldet is my common setup.
Also proper file permisson/ownership (seems obvious but I saw a lot of chmod -R 777 done in the root folder of WP).

Web242 · December 10, 2019, 7:26pm

Hi Simone,
Thank you! What I am specifically asking about is security plugins for ClassicPress. Since the community use these plugins, they know which ones they like and recommend.

Cheers
Avrom

timkaye · December 10, 2019, 7:55pm

I use WPBruiser. I have one site that’s been under attack from a botnet in Romania for three weeks now, and WPB has managed it without causing any issues for genuine users.

anon95694377 · December 12, 2019, 11:52am

@timkaye I wasn’t familiar with WPBruiser and took a look at the repo page. Looks like it’s potentially a good firewall and spam preventer, but what do you use for malware scanning?

timkaye · December 12, 2019, 3:52pm

Apart from preventing spam registrations, logins and comments, the best approach to security for WordPress/ClassicPress is done from outside of WP/CP. So I never use a plugin for that. It comes too late and simply isn’t powerful enough. If you have a good host, then they should be managing all that for you.

Web242 · January 2, 2020, 1:54am

Hi,
I gave up on Shield Security Pro. Paul is a great guy, and its a great plugin, but for me unusable. Far too complex, too many options, and messed up access on the back-end.

What would be a second choice security plugin from the CP community?

anon71687268 · January 2, 2020, 2:21am

Given the nature of “security”, no matter which plugin you use, it’s going to have tons of options and settings. The only security plugin that is supporting ClassicPress at this time is Shield, so, it’s really the best option. And, at only $12/year for pro, it’s also a pretty great deal. I’m not affiliated, but, am a user.

ozfiddler · January 2, 2020, 3:05am

I’m using Shield too on all my sites but I agree with you, Avrom. The interface is hard work. Every time I set up a new site I have to puzzle over it.

I do wonder how many of the options I really need, and if I could just make do with brute-force protection and disabling various unnecessary features in functions.php.

(and I also agree, Paul is a great guy).

anon71687268 · January 2, 2020, 3:16am

The thing about a lot of these features is, you only need them, once you need them. I’m wondering if we might ask what ended up breaking on your site @Web242? Perhaps one of us can help, as well. I spent 3 hours configuring every last option in the plugin just yesterday.

@ozfiddler, what about exporting/importing the options from site to site? That’s built in.

ozfiddler · January 2, 2020, 3:25am

Not to the free version.

It worked out too expensive for all the sites I manage to go pro for all of them

viktor · January 2, 2020, 3:59am

I’ve been bugging Paul about better bulk pricing for a while now. They suppose to change pricing model “soon” and re-brand to ShieldSecurity.io - at least that’s what was announced this summer.