Security is (or should be) one of the major priorities for any website owner; there is no such thing as being too secure. Today I’m going to review a particularly interesting plugin that deals with security. It is made by WPMU and it’s called Defender Pro. This plugin offers tons of intuitive, easy-to-use tools and really useful features, and it’s part of the pack that WPMU offers as a subscription-based model.
After that point, everything becomes so much easier. Once the WPMU Dev Dashboard is installed, adding any plugin is as easy as clicking on it in the list and away you go.
Defender can be installed from the list of plugins that is offered through the subscription model. Before installing, you can take a look at the features it has to offer.
Besides doing basic security like analysing your site and offering tweaks, Defender Pro also gives advanced features like two-factor authentication (2FA), an IP lockout tool and Google blacklist monitoring, among others. The plugin isn’t just looking inwardly at what changes you can make to your site in order to make it more secure; it is also looking outward at real-world threats and helping you manage them. This is a very well packaged plugin.
Performance Before and After
Before digging into the features, let’s take a look at the site performance, without caching and without Defender Pro enabled.
And now, this is the performance after Defender Pro is enabled. You can see that the plugin does not add any extra requests to the site and the performance is exactly the same as if the plugin were not present. As this isn’t a speed-enhancing plugin, we’re not looking for improved results; we just don’t want worse ones. Good job so far.
Now, for the welcome screen. Defender Pro lets you enable everything by way of a quick setup, or you can just skip this welcome screen and do it all yourself. For experienced people, I recommend the latter.
The main features of the plugin are divided into: Automatic File Scans, Audit Logging, IP Lockout and the Blacklist Monitor. You will see there are even more features to be enabled that are not part of this quick setup.
Once the plugin is enabled and ready, you are greeted with the following Dashboard.
WPMU knows how to do Dashboards, that’s for sure. It’s clean and clear where everything is, so even if this is your first time viewing a security plugin’s UI, you’ll likely be able to work your way around. The plugin will notify you of any irregularities by displaying yellow and red warnings. The file scanning detected 26 suspicious files on my website and also recommended several security tweaks. The files happened to be old installs left behind by other plugins and were removed with ease. The recommendations were also helpful and easy to execute, as the plugin allows you to run them without having to resort to any third-party methods, such as FTP. The file scanner can detect vulnerabilities on your site and can also guard the WordPress Core files against being altered.
Defender Pro recommended that I disable the File Editor inside WordPress, regenerate my security keys and also block certain dangerous folders by applying rules. Since Apache is the only one able to execute rules without altering its own configuration, the NGINX rules related to my service had to be copy-pasted to the server. That’s not a limitation of the plugin; it’s just how things are done in NGINX. The plugin makes it easy to do so by displaying the code that needs to be added to the NGINX configuration, very nice.
Once all the security features were implemented the plugin showed a green checklist. Winning.
The Blacklist Monitor feature shows the current status of your site against the Google blacklist. This feature will check your site every 6 hours and report by e-mail if something’s wrong.
Under the Advanced Tools menu, you will find some of the most interesting features of this plugin yet.
Two Factor Authentication
The plugin adds Two-Factor Authentication and the Mask Login Area to your site.
Two-Factor Authentication can be enabled by using the Google Authenticator app on your phone. This essentially means that anyone trying to use your login details would also need your phone in front of them. It’s a great way to ensure only you can log in as you, and the same for each user on your site.
You can also customize the e-mail sent to the user and activate a fail-safe in case the user loses their phone by giving the option for a one-time password.
Mask Login Area
The second option under the Advanced Tools is the Mask Login Area. This useful feature allows you to rename the direct link used to log in to your dashboard by replacing /wp-login and /wp-admin with whatever word you desire. While security through obscurity is a hotly debated topic in WordPress and wider software communities, I was just happy to know that Defender gave me the option.
Better still, you can even enable the option to redirect any traffic attempting to log in to your site by redirecting all the /wp-admin and /wp-login traffic to any URL you like. Cool huh?
In my case, the login URL will need a tiny tweak to my NGINX configuration to skip the cache, just like the /wp-admin, otherwise it won’t work. This is not necessary under Apache.
The IP Lockout Feature
This is one of the most interesting and useful features of Defender Pro so I’m going to take a closer look at it. It even has its own Dashboard.
The first part of the feature is the most important, since the Login Protection will limit the login attempts on your site with a threshold that is defined by attempts and time-frame. The duration of the lockout sets the number of seconds the offending IP has to wait until it is allowed to try the login again.
The 404 detection will allow you to configure lockouts for any visitor that makes excessive 404 attempts. This may or may not be useful, as there are probably genuine users trying to access links on your site that are no longer available.
The IP Banning tool controls how you handle the IP addresses that were previously on a lockout. It includes Whitelist and Blacklist options, as is to be expected. It’s a good idea to go ahead and whitelist your own IP address.
The notification settings allow you to control how you are going to receive the notifications by e-mail. You can add extra recipients here and also control how many emails you receive.
Finally, this is a typical example of how you are going to receive those e-mails whenever problems arise on your site. You can always control and tweak the process to your liking, which is a big plus of the plugin.
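The three settings described above (attempt threshold, time-frame, lockout duration) together with the whitelist and blacklist, modelled as an added example; this is not Defender Pro's code, and the class, thresholds and event list are constructed for the illustration. The same class can back 404 detection with a higher threshold, so that genuine visitors following dead links are not locked out.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

class Lockout:
    """Lock an IP after `threshold` failures inside `window_s` seconds."""

    def __init__(self, threshold, window_s, lockout_s, allowlist=(), blocklist=()):
        self.threshold, self.window_s, self.lockout_s = threshold, window_s, lockout_s
        self.allow = [ip_network(n) for n in allowlist]
        self.block = [ip_network(n) for n in blocklist]
        self.events = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time the lockout expires

    @staticmethod
    def _listed(ip, nets):
        return any(ip_address(ip) in net for net in nets)

    def is_blocked(self, ip, now):
        if self._listed(ip, self.allow):   # allowlist wins over everything else
            return False
        if self._listed(ip, self.block):   # permanent ban
            return True
        return now < self.locked_until.get(ip, 0)

    def record_failure(self, ip, now):
        """Count one failed login (or 404); return True if the IP is now locked."""
        if self._listed(ip, self.allow):
            return False
        if self.is_blocked(ip, now):
            return True
        recent = self.events[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:   # outside the time-frame
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[ip] = now + self.lockout_s
            recent.clear()
            return True
        return False

# Constructed sample of failed logins: (seconds, ip), documentation-range addresses.
SAMPLE = [(0, "203.0.113.7"), (5, "203.0.113.7"), (9, "203.0.113.7"),
          (0, "203.0.113.8"), (50, "203.0.113.8"), (100, "203.0.113.8"),
          (1, "198.51.100.5"), (2, "198.51.100.5"), (3, "198.51.100.5")]

def replay(events, policy):
    """Return the set of IPs that were locked out while replaying the events."""
    return {ip for t, ip in sorted(events) if policy.record_failure(ip, t)}

if __name__ == "__main__":
    print(replay(SAMPLE, Lockout(3, 60, 120, allowlist=["198.51.100.0/24"])))
```

In the sample, the burst from 203.0.113.7 trips the threshold, the slow attempts from 203.0.113.8 never have three failures inside one window, and the allowlisted range is never counted.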
Having an active file scanner, an IP Lockout feature with Login Protection and, on top of that, a Google Blacklist monitor, a mask for the login area and Two-Factor Authentication all in one plugin, with the added bonus of active Audit Logging, makes for a superb and very complete package. Remember when comparing prices with other options, you’re not paying for Defender, you’re paying for all that WPMU has to offer and that’s a lot. Without a doubt, this is one of the best security plugins that I have come across and one that I totally recommend if security is a priority on your blog or website. Once again, WPMU has proven to be superb at what they do, providing useful plugins full of options that are easy to navigate and use. Whatever your skill set, this plugin is a solid keeper that feels stable, well coded and bursting with features.