Reginald Chan

Tag: blogging

  • Better WP Security vs Wordfence Security: The Battle For WordPress Best Security Plugin

    Better WP Security vs Wordfence Security: The Battle For WordPress Best Security Plugin

    We could have probably heard that website security is vital especially when hackers are all around nowadays. I am not going to leave any security loopholes in my WordPress site and I am sure you are either. When it comes to WordPress security plugin, there could have hundreds of plugins you can choose from but when you talk about the best, there could be two which comes to my mind.

    Introducing Better WP Security and Wordfence Security.

    Here are some information on both the plugins.

    What is the best WordPress security plugin?
    WordPress is the most popular blogging platform but security threats are very real

    What is Better WP Security Plugin?

    Created by: Bit51

    What Better WP Security does:

    • Remove the meta “Generator” tag

    • Change the urls for WordPress dashboard including login, admin, and more

    • Completely turn off the ability to login for a given time period (away mode)

    • Remove theme, plugin, and core update notifications from users who do not have permission to update them

    • Remove Windows Live Write header information

    • Remove RSD header information

    • Rename “admin” account

    • Change the ID on the user with ID 1

    • Change the WordPress database table prefix

    • Change wp-content path

    • Removes login error messages

    • Display a random version number to non administrative users anywhere version is used

    • Scan your site to instantly tell where vulnerabilities are and fix them in seconds

    • Ban troublesome bots and other hosts

    • Ban troublesome user agents

    • Prevent brute force attacks by banning hosts and users with too many invalid login attempts

    • Strengthen server security

    • Enforce strong passwords for all accounts of a configurable minimum role

    • Force SSL for admin pages (on supporting servers)

    • Force SSL for any page or post (on supporting servers)

    • Turn off file editing from within WordPress admin area

    • Detect and block numerous attacks to your filesystem and database

    What is Wordfence Security plugin?

    Created by: Mark Maunder

    What Wordfence Security does:

    • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.

    • Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.

    • Includes advanced IP and Domain WHOIS to report malicious IP’s or networks and block entire networks using the firewall.

    • See how files have changed. Optionally repair changed files that are security threats.

    • Scans for signatures of over 44,000 known malware variants that are known security threats.

    • Scans for many known backdoors including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.

    • Continuously scans for malware and phishing URL’s including all URL’s on the Google Safe Browsing List in all your comments, posts and files that are security threats.

    • Scans for heuristics of backdoors, trojans, suspicious code and other security issues.

    • Checks the strength of all user and admin passwords to enhance login security.

    • Monitor your DNS security for unauthorized DNS changes.

    • Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.

    • Choose whether you want to block or throttle users and robots who break your security rules.

    • Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.

    • See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.

    • A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you.

    • Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.

    • Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.

    • Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.

    • WordPress Multi-Site (or WordPress MU in the older parlance) compatible.

    • Premium users can also block countries and schedule scans for specific times and a higher frequency. 

    I know the list is rather long but it is relatively easy to say that both are trying their best to compete with one another. I tested both Better WP Security and Wordfence Security for a week each on various websites and I was surprised at my decision…really. Let me tell you why. 

    Security effectiveness

    Better WP Security – 9.5/10, Wordfence Security – 9.5/10

    When it comes to security, I can tell you that both plugins look very seriously into the matter. Both actually impressed me more than what I actually expected them to perform. If you are going to install either one of these, rest assured your security effectiveness will be top of the chart. And that, I am definitely sure. 

    User-friendly UI

    Better WP Security – 9/10, Wordfence Security – 9.5/10

    I have very split decision in this. I love Better WP Security’s direct layout but I prefer the Wordfence Security interface. Basically in Better WP Security, you will be able to see all the issues in different colours (red as dangerous, green as safe etc). With a simple click, it will redirect you immediately to the setting for you to do any adjustment required. Compared to Wordfence Security, the layout is more ‘WordPress-like’ (imagine using W3TC).

    Both plugins layout are extremely versatile and easy to navigate through. At the same time, both the plugins developers are doing a great job by trying to provide a compact view on the plugin dashboard itself. Here’s are what both dashboards look like:

    Better WP Security offers more security features compared to the rest of the WordPress security plugins.
    Better WP Security Dashboard

     

    Wordfence security provide easy to use navigation for both experience and beginers website developers.
    Wordfence Security Dashboard 

    Plugin usability

    Better WP Security – 7/10, Wordfence Security – 9/10

    When it comes to security plugin usability, this is where it makes all the difference. Better WP Security plugin is great but what makes it short from getting a higher score from me is because it requires a higher curve of WordPress understanding for a person to actually utilize it properly. In other words, you are open to all options to configure your WordPress but you are prone to create an accidental mistake if you have no idea what you are doing.

    Compared to Wordfence Security, most options are pretty direct and even a beginner could use the plugin to the maximum of its capabilities. This definitely gives a better rating to Wordfence Security compared to the latter. 

    How important is website loading speed for you?

    Better WP Security – 10/10, Wordfence Security – 8/10

    To be very honest, I been trying to search for this answer but failed miserably. Whenever I use Wordfence Security, I noticed that my site is loading less than one second slower compared to the time I used Better WP Security. after checking with various programs and tools, it really seems like Wordfence Security’s firewall feature is creating a small ‘lag’ which affects the page loading speed. Maybe this could be me but I am not experiencing that when I am using Better WP Security. 

    My honest conclusion between Better WP Security and Wordfence

    If I would to choose and could only choose one as my best WordPress security plugin, then my money is going to Better WP Security. I know! I love Wordfence Security plugin and it is very close to flawless.

    However, having the small page load ‘penalty’ really turns me off. Regardless what WordPress security plugin you choose, I am sure both of these plugins will not let you down.

    How about you? Do you have any favorite security plugins you would like to share? Or, maybe you have your opinion on both the plugins? Feel free to fill the form below and tell us what you think.

    If you like this article, could you please share this for me using the red Google+ button below?

  • Serve Static Content From Cookieless Subdomain for CloudFlare (Updated 2018)

    Serve Static Content From Cookieless Subdomain for CloudFlare (Updated 2018)

    Interesting read: Money Brighter is one of the best LLC in Texas! If you are thinking of speeding up your website, Google might be telling you the answer is to create a cookieless subdomain or domain. Well, that’s easy for you to say. How to serve static content from a cookieless domain? More importantly, what is a cookieless subdomain?

    Instead, you can consider a cookieless subdomain is a term to describe data transferring from one point to another (in this case, data movement from subdomain to domain) has no cookies attached. Indirectly, this boost the loading speed of your domain.

    This is what Google explain in its own words:

    ​Why is serving static content over cookieless domain important?

    ​Static content, such as images, JS and CSS files, don’t need to be accompanied by cookies, as there is no user interaction with these resources. You can decrease request latency by serving static content from a domain that doesn’t serve cookies. This technique is especially useful for pages referencing large volumes of rarely cached static content, such as frequently changing image thumbnails, or infrequently accessed image archives. We recommend this technique for any page that serves more than 5 static resources. (For pages that serve fewer resources than this, it’s not worth the cost of setting up an extra domain.)

    ​​What does this means to you?

    All static contents or data that are transferred with the accompanied by cookies. Though cookies are not needed for any transaction and do not serve any advantage, they will automatically be available for all data transfer. The only way to avoid such is when static contents are obtained from a cookieless site.

    ​Static content + ​cookieless domain?

    ​Serving static content or resources from a cookieless domain reduces the total size of requests made for a page. It is also important to note that there is no point setting up static subdomain for this matter if you are using a powerful web host or having very less page.

    ​Now that we had gone through the relationship between cookieless subdomain and serving static content, let’s explore the right way to serve the following static resources from a domain that doesn’t set cookies.

    ​How to create a cookieless subdomain using CNAME?

    ​When it comes to creating a cookieless subdomain, using a CNAME could be the easiest way of all​ (at least for me). This step is extremely easy to follow and ​after configurations, you can start serving static resources from a domain that doesn’t set cookies.

    • ​Go to your cPanel (most shared web hosting offers this)
    • ​Create a subdomain (any name would do, e.g. static.domain.com)

    ​This subdomain will serve as a CDN subdomain which is the key criteria to enable the process of serving static content from cookieless domain.

    Selecting the right installation path for the subdomain

    In order to create a proper cookieless subdomain, you have to ensure that when you are creating your subdomain, make sure it is pointing to your root directory instead of creating a secondary one. For example, my root directory is /public_html and thus, it should be pointed or directed to /public_html and not the default, /public_html/static.

    How to create a subdomain?
    This is what you see when you are pointing to subdomain to the right path 

    Editing the DNS Zone

    Once you have done pointing the subdomain, head over to your DNS Zone Editor. At times, these might be labeled as Simple or Advanced DNS Zone Editor for several types of cPanel but they are all alike.

    How do you create a subdomain for serving static content?
    Pointing subdomain to the right domain 

    You would need to either create or modify the Name to your subdomain name and CNAME as your main domain. Of course, for the Type, you would need to select CNAME. You may start this by hitting the create button and if there is already a record, you just need to modify the settings to the above.

    Still not sure? Let me explain to you, in other words. When you create the CNAME record you want to enter your static domain/subdomain as the label, name or an alias and your A record domain as the content or value. (The CNAME term, which stands for Canonical Name, actually refers to the domain you are mapping to, not the alias.  The common practice of referring to the alias as the CNAME is in fact backwards.) 

    Making sure the subdomain is cookieless

    I could not emphasize how important this is but you must not skip this step no matter what. In WordPress, there are two common cookie-setters which are WordPress and Google Analytics. All you need is to do little changes in the configurations and you would be well on your way to a cookieless subdomain.

    For WordPress, head over to your wp-config by login into your cPanel. Open it up and add this line to the file. If you are wondering where exactly you may place this file, you can place it at the bottom most of the script.

    define(‘COOKIE_DOMAIN’, ‘www.yourdomain.com’);

    This is definitely a no-brainer but just to make sure, do remember to change your domain to your own domain name. After that, save the file and you are good to go!

    For Google Analytics, all you need to do is to search for the specific code you had earlier placed in on your site and replace the code with the below one. For a quick tip, most Google Analytics code is kept close to the <body>.

    _gaq.push( [‘_setAccount’, ‘UA-xxxxxxx-1’], [‘_setDomainName’, ‘www.yourdomain.com’], [‘_trackPageview’] );

    Again, change your domain as seen above to your own domain URL and save the file.

    Important note: If you are using cloudflare or any type of Content Network Delivery (CDN), please get your hosting and CDN provider to verify on the CNAME. For example, using Cloudflare will give you an error when you are following the above guide in changing the CNAME. Basically, the hosting or CDN provider will give you a new A figure to place in. 

    You are all done!

    Now, treat yourself to a bottle of beer for the hard work and congratulations. You had managed to create a cookieless subdomain from scratch. This is one of the cheapest (and fastest) way to create a cookieless subdomain when it comes to serving static content to improve your website speed.