All-In-One Security Plugin

The plugin’s name isn’t lying; it covers every piece of security. I will list all of the overall topics in this paragraph, but I can’t cover them all. Other than that, I will mention that premium is an option, but it really only enhances already included features rather than adding anything new. In addition, the security points breakdown is a little confusing because the labels are written like imperative sentences, which makes them sound like problems you still need to fix, when the percentages on the wheel are actually what is contributing to your security points. Anyway, here’s that list of features:

  • User Security
  • Database Security
  • File Security
  • Firewall
  • Brute Force Prevention
  • Spam Prevention
  • Scanner
  • Tools
  • Two Factor Authentication

Tools is one I want to mention because it contains some very interesting features. There’s a password strength tool that automatically calculates how long it would take for your password to be cracked by an off-the-shelf PC. However, I think it only accounts for length and characters used because I input “password1234” and it read it as very secure. WHOIS lookup allows you to search for the owners of IPs or domains in case you see any that could be malicious. There’s already a website for this tool, but at least it’s more convenient. Custom .htaccess rules gives you a front end for modifying that file, which is useful for firewall configuration. Finally, you can lock out all users besides admins if you need to do any updates or security responses.
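An added example (not the plugin's code) of why an estimate built only on length and character classes would rate "password1234" highly, next to a check that recognises a common word followed by digits. The guess rate, the word list and all function names are assumptions constructed for illustration.

```javascript
// Added illustration; every constant below is a constructed assumption.
const GUESSES_PER_SECOND = 1e9;          // assumed guessing rate for one PC
const SECONDS_PER_YEAR = 31557600;
// Constructed sample; a real check would use a large breached-password list.
const COMMON_WORDS = ["password", "qwerty", "letmein", "admin", "welcome", "dragon"];
const CASE_VARIANTS = 3;                 // lower, Capitalized, UPPER

// Size of the character pool implied by the classes present in the password.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII symbols and space
  return size;
}

// Length-and-charset-only estimate: treats every character as random.
function naiveGuesses(pw) {
  return Math.pow(charsetSize(pw), pw.length);
}

// Pattern-aware estimate: "common word + trailing digits" is tried long
// before an exhaustive search, so it costs only a small number of guesses.
function patternGuesses(pw) {
  const m = /^([a-zA-Z]+)(\d*)$/.exec(pw);
  if (m && COMMON_WORDS.includes(m[1].toLowerCase())) {
    return COMMON_WORDS.length * CASE_VARIANTS * Math.pow(10, m[2].length);
  }
  return naiveGuesses(pw);               // no known pattern: fall back
}

// Compare both estimates; "weak" means the realistic one is under an hour.
function rate(pw) {
  const awareSeconds = patternGuesses(pw) / GUESSES_PER_SECOND;
  return {
    naiveYears: naiveGuesses(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR,
    awareSeconds: awareSeconds,
    weak: awareSeconds < 3600,
  };
}

console.log(rate("password1234"));       // long by length alone, weak by pattern
console.log(rate("k7#Vq9!xLp2$"));       // constructed random-looking password
```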

Database security is interesting because it’s such a simple concept but something I never would have thought of doing. All this section does is put an automatically (or manually) generated prefix on your database tables. What I don’t know is how involved it gets with existing or future table references. Does the prefix just exist as a separate security feature that doesn’t need to be explicitly typed in the name? If it does need to be typed, will the plugin automatically update current and future references, only update current references, only update future references, or not update anything? If the last one’s the case, you’d need to remember the prefix or have it on hand.

Brute force prevention provides simple steps to secure common attack points. Changing the slug of the login page is all you need to make it more difficult for people to find your login page, and it theoretically doesn’t matter what you change it to since anyone who needs to log in would be sent the link anyways. To expand more on this, you can use the browser’s cookies to prevent spam login attempts. To prevent bots, you can add a CAPTCHA to the login. Finally, the most secure option is whitelisting IPs for login, which is what we used to do for a site at my company. An extra feature is the ability to lock out IPs returning 404s.
