Security is (or should be) one of the major priorities for any website owner, there is no such thing as being too secure. Today I’m going to review a particularly interesting plugin that deals with security, it is made by WPMU and its called Defender Pro. This plugin offers tons of intuitive, easy-to-use tools and really useful features and it’s part of the pack that WPMU offers as a subscription based model.
Defender Price
After that point, everything becomes so much easier. Once the WPMU Dev Dashboard is installed, adding any plugin is as easy as clicking on it in the list and away you go.
Defender Features
Defender can be installed from the list of plugins that is offered through the subscription model. Before installing, you can take a look at the features it has to offer.
Besides doing basic security like analysing your site and offering tweaks, Defender Pro also gives advanced features like 2 factor authentication (2fa), an IP lockout tool and Google blacklist monitoring among others: The plugin isn’t just looking inwardly at what changes you can make to your site in order to make it more secure, it is also looking outward at real world threats and helping you manage them. This is very well packaged plugin.
Performance Before and After
Before digging into the features, let’s take a look at the site performance, without caching and without Defender Pro enabled.
Before
After
And now, this is the performance after Defender Pro is enabled. You can see that the plugin does not add any extra request to the site and the performance is exactly the same as if the plugin was not present. As this isn’t a speed enhancing plugin, we’re not looking for improved results, we just don’t want worse ones. Good job so far.
Configuration
Now, for the welcome screen. Defender Pro let’s you enable everything by way of a quick setup, or you can just skip this welcome screen and do it all yourself. For experienced people, I recommend the latter.
The main features of the plugin are divided into: Automatic File Scans, Audit Logging, IP Lockout and the Blacklist Monitor. You will see there are even more features to be enabled that are not part of this quick setup.
The Dashboard
Once the plugin is enabled and ready, you are greeted with the following Dashboard.
WPMU knows how to do Dashboards, that’s for sure. It’s clean and clear where everything is so even if this is your first time viewing a security plugin’s UI, you’ll likely be able to work your way around. The plugin will notify of any irregularities by displaying yellow and red warnings. The file scanning detected 26 suspicious files on my website and also recommended several security tweaks. The files happened to be old installs left behind by other plugins and were removed with ease. The recommendations were also helpful and easy to execute as the plugin allows you to run them without having to resort to any third party methods, such as FTP etc. The file scanner can detect vulnerabilities on your site and can also control the WordPress Core files from getting altered.
Security Tweaks
Defender Pro recommended that I disable the File Editor inside WordPress, regenerate my security keys and also block certain dangerous folders by applying rules. Since Apache is the only one able to execute rules without altering it’s own configuration the NGINX rules related to my service had to be copy-pasted to the server, that’s not a limitation of the plugin, its just how things are done in NGINX. The plugin makes it easy to do so by displaying the code that needs to be uploaded to the NGINX configuration, very nice.
Once all the security features were implemented the plugin showed a green checklist. Winning.
More Features
The Blacklist Monitor feature shows the current status of your site against Google blacklist. This feature will check your site each 6 hours and report by e-mail if something’s wrong.
Advanced Tools
Under the Advanced Tools menu, you will find some of the most interesting features of this plugin yet.
Two Factor Authentication
The plugin adds the Two-Factor Authentication to your site and the Mask Login Area.
The 2 Factor Authentication can be enabled by using the Google Authenticator App on your phone. This essentially means that anyone trying to use your login details would also need your phone in front of them. It’s a great way to ensure only you can log in as you, and the same for each user on your site.
You can also customize the e-mail sent to the user and activate a fail safe in case the user loses their phone by giving the option for a one time password.
Mask Login Area
The second option under the Advanced Tools is the Mask Login Area. This useful feature allows you to rename the direct link to login to your dashboard. By replacing the /wp-login and /wp-admin with whatever word you desire. While security through obscurity is a hotly debated topic in WordPress and wider software communities, I was just happy to know that Defender gave me the option.
better still, you can even enable the option to redirect any traffic attempting to login to your site by redirecting all the /wp-admin and /wp-login traffic to any URL you like. Cool huh?
In my case, the URL login will need a tiny tweak to my NGINX configuration to skip the cache, just like the /wp-admin, otherwise it won’t work. This is not necessary under Apache.
The IP Lockout Feature
This is one of the most interesting and useful features of Defender Pro so I’m going to take a closer look at it. It even has it’s own Dashboard.
The first part of the feature is the most important since the Login Protection will limit the login attempts on your site with a threshold that is defined by attempts and time-frame. The duration of the lockout allows you to limit the amount of seconds that you give the said IP until it is allowed to try the login again.
The 404 detection will allow you to configure lockouts to any visit that make use of excessive 404 attempts. This may or may not be useful as there are probably genuine users trying to access links on your site that are no longer available.
The IP Banning tool controls how you handle the IP addresses that were previously on a lockout, it includes Whitelist and Blacklist options, as it is to be expected. Its a good idea to go ahead and whitelist your own IP address.
The notifications allows you to control how are you going to receive the notifications to your e-mail. You can add extra recipients here and also control how many emails you receive.
Finally, this is a typical example of how are you going to receive those e-mails whenever problems arise on your site. You can always control and tweak the process to your liking, which is a big plus of the plugin.
Wrapping up
Having an active file scanner, an IP Lockout feature with Login Protection and on top of that a Google Blacklist monitor, a mask for the login area and Two Factor Authentication all in one plugin, with the added bonus of active Audit Logging makes for a superb and very complete package. Remember when comparing prices with other options, you’re not paying for Defender, you’re paying for all that WPMU has to offer and that’s a lot. Without a doubt, this is one of the best security plugins that I have come across and one that I totally recommend if security is a priority on your blog or website. Once again, WPMU has proven to be superb at what they do, providing useful plugins full of options that are easy to navigate and use. Whatever your skill set, this plugin is a solid keeper that feels stable, well coded and bursting with features.
Is Aspen or Divi Space affiliated with WPMUdev in anyway? Or you guys just endorse them as the best choice for security with Defender?
I’ve heard some negative comments about the code quality within Divi groups in the past. Thanks
hello, no we are not affiliated with them and you will also notice there are no affiliate links in the post as they do not have an affiliate program. We are users and fans of their products and from that we choose to support them on our blog and spread the good word about them 🙂 We have not had any experience with bad code in their plugins and every product no matter how good will have a few negative things said about it, although we have not heard what you are referring to.
Considering they did away with their own theme creator system and started endorsing Divi sometime back, I would imagine ensuring they work well with Divi would be a high priority for them. They’ve mothballed/opened several of their plugins that weren’t up to snuff and seem to be streamlining constantly, so I would only expect those issues to become fewer and further between. I have used them in the past, and I found Hummingbird, Defender, and Smush (?) alone to be worth the cost of admission, and then there are the other plugins they provide.
Hi there, looks like a great plugin. I’m already using All In One WP Security & Firewall which is free, what would be the upgrade or difference between WPMU’s Defender and the one I’m already using. The user interface seems a lot nicer but other than that what would make me pay for this premium version?
Take a look at what all you get with the subscription, in addition to Defender, you get Hummingbird Pro, which I found to be quite effective when I was a subscriber, and the free version is pretty good too. Smush (?) their image optimizer works well too, and the Hub, their answer to MainWP or ManageWP is pretty solid. Add on to that, the rest of their plugins, and you get a pretty solid pack of tools for the WP professional. The fact that it can be installed on as many sites as you want, is icing on the cake. Only reason I have canceled my subscription is that I couldn’t swing the $50/mo while I’m working on rebuilding my services, site and client base.