Comments can be disabled in different ways in WordPress, the settings and how to use WordPress plugins will be discussed in both ways.

How to disable WordPress comments in Settings of WordPress security

This way you can disable WordPress comments in general,

either individually or on specific pages without the need for any plugins.

To disable WordPress comments in general, just go to the WordPress Settings section of the WordPress counter and then the dialogs. You can disable WordPress comments by unchecking the “Allow comments for new posts” section.

If you don’t want to disable comments in WordPress in general and just want to remove this feature for specific pages, you can click on the Edit button in the Posts section.

You will now see information from the published post

that you can uncheck the “Accept comments” check box and then click the Update button.

Disable Comments in WordPress by Disable Comments plugin

With the Disable Comments plugin you can easily paste WordPress comments into any section you need

and do not need to be edited in groups or individually.

Simply click Disable Comments after installing the plugin from the Settings section. On this page, you can disable WordPress comments in groups or categories.

Checking Everywhere will leave comments in all WordPress sections completely disabled.

You can optionally disable comments in WordPress by selecting the On certain post types option

and locking it in any part of WordPress you do not wish to.

Suggested tutorials This session is about WordPress SEO training

 and enhancing WordPress security so we recommend you read on for more useful information.

First thing you need to do is install and activate the Idle User Logout plugin. Upon activation, simply go to Settings » Idle User Logout to configure the plugin.

Start by entering the Idle time. The default value is 20 seconds, but you can set it to a lower or higher value. Next, you need to choose whether to count idle time in WordPress admin area as well. Make sure you uncheck this box for better security.

Click on the save changes button to store your changes.

Now you need to click on the behavior tab on the plugins settings page. On this page, you can fine tune the plugin behavior. You can set different logout rules for different user roles.

You can also select what to do when a user is idle for the given time. You can log out the user and send them back to login page, redirect them to a custom page, show them a popup, etc.

Don’t forget to click on the save changes button to store your changes.

That’s all. We hope this article helped you learn how to automatically log out idle users in WordPress. You may also want to take a look at this tutorial on how to force strong passwords on users in WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

How WordPress Handles User Sessions?

Before we move on, lets talk a bit about how WordPress handles user sessions. Like many other web applications, WordPress uses cookies to identify a logged in user. These cookies do not contain your password, just your username and a special key as a proof that you knew the password.

Now if you access your site from a public location and by habit checked “Remember Me” button, then anyone from that computer can login to your site because WordPress allows the same username to be logged in from two different locations.

This is a bit troublesome for security, but it can also be bad for business if you run a membership site selling premium content.

Users can simply share their password with their friends and use the same login information to consume your paid content.

Now wouldn’t it be nice if you could prevent users from staying logged into the same account from multiple places?

Recently when a user asked us this question, we looked around and found a plugin that prevents concurrent logins.

Prevent Concurrent Logins and Password Sharing in WordPress

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

First thing you need to do is install and activate the Prevent Concurrent Logins plugin. It works out of the box and there are no settings for you to configure.

You can test the plugin in action by signing in to your WordPress site from two different browsers on your computer or using the private / incognito mode.

When you try to login to your site with the same username and password on the second browser, you will be able to successfully login. However, the plugin will terminate the old session, and clicking on any link in the previous browser window will take you to the login page.

That’s all. We hope this article helped you learn how to stop users from sharing passwords in WordPress by blocking concurrent logins. You may also want to check out our guide on how to monitor user activity in WordPress with Simple History.

Also just a friendly reminder: Passwords can be hacked. If you wan to avoid this, then you need to use strong passwords on your WordPress site. You may also want to force strong passwords for all users on your WordPress site.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Google+.

What is McAfee SECURE?

McAfee SECURE is a new certification program by McAfee that lets your visitors know that your website is safe.

This is a great solution for small business owners. The free plan will show the trustmark to 500 visitors per month. For $9 per month you can upgrade to the pro plan which allows you to show trust mark to unlimited users.

Social Proof like security seals are proven to boost engagement and increase sales. The video below explains what this security seal does in 50 seconds:

Subscribe to WPBeginner

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

How to Install McAfee SECURE in WordPress

First thing you need to do is install and activate the McAfee SECURE plugin on your website. Upon activation, you need to visit Settings » McAfee SECURE to configure the plugin.

Simply provide your email address and your website’s domain name and then click on the get started button.

This will take you to McAfee Secure website, where you need to provide your personal and business information like name, company name, phone number, etc.

McAfee will now run some tests on your site, and you will land on a confirmation page. This page will show all tests passed under the security heading. You will also be reminded to confirm your email address. Simply check your inbox for an email from McAfee and then click on the confirmation link inside it.

Since you already have the plugin installed on your WordPress site, the McAfee SECURE trust badge will be automatically installed on your site. You can simply visit your website to see it in action.

To further strengthen your security, you can add an SSL and HTTPS in WordPress. We also recommend using Sucuri, to regularly monitor your website for malicious code and activity.

We hope this article helped you add McAfee Secure badge to your WordPress site. You may also want to take a look at our list of 40 useful tools to manage and grow your WordPress blog.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

Why you need to Limit Login Attempts in WordPress?

By default, WordPress allows users to enter passwords as many times as they want. Hackers may try to exploit this by using scripts that enter different combinations until your website cracks.

To prevent this, you can limit the number of failed login attempts per user.

For example, you can say after 5 failed attempts, lock the user out temporarily.

If someone has more than 5 failed attempts, then your site block their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, and even longer.

How to Limit Login Attempts in WordPress?

First thing you need to do is install and activate the Login LockDown plugin. Upon activation, you need to visit Settings » Login LockDown page to configure the plugin settings.

First you need to define how many login attempts can be made. After that choose how long a user will be unable to retry if they exceed the failed attempts.

You can also define the lockout period for IP range blocks. The default value is 60 minutes, you can adjust that if you need.

The plugin will allow users to keep trying different invalid usernames. Click on yes under lockout invalid usernames option to stop this.

By default, WordPress lets users know that whether they entered an invalid username or invalid password on failed logins. You can hide this by clicking yes under mask login errors option.

Don’t forget to click on the update settings button to store your changes.

Pro Tip

The first layer of protection to your WordPress sites is your passwords. You should always use strong passwords on your WordPress site. We understand that strong passwords are difficult to remember. But see our beginner’s guide which shows the best way to manage passwords for WordPress users.

If you run a multi-author WordPress site, then see how you can force strong passwords on users in WordPress.

No website is 100% safe because hackers always find new ways to get around the system. That’s why it’s crucial that you keep complete backups of your WordPress site at all times. We recommend BackupBuddy plugin. Here’s a list of the best WordPress backup plugins.

If your website is a business, then we strongly recommend that you add a firewall which takes care of the brute-force attacks and so much more. We use Sucuri which guarantees our safety and if anything happens to our site, then their team is responsible to fix it at no-additional charge.

We hope you found this article useful, and you have successfully added login attempts limit to your WordPress site. You may also want to see our list of 13 vital tips and tools to protect your WordPress admin area.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Why Add Security Questions to Login & Registration Forms in WordPress?

There are many ways to protect WordPress admin area from unauthorized access. However, if you run a multi-user or WordPress membership site, then it becomes difficult to choose between security and user experience.

Adding a security question to your WordPress site’s login screen acts like an additional password. Your users can choose a question from a list of random questions and then add an answer to that question.

This makes it difficult for hackers to enter a website using compromised password or email address.

Having said that, let’s see how you can easily add security questions to your WordPress site.

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

Adding Security Questions to Improve WordPress Login Security

First thing you need to do is install and activate the WP Security Question plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.

You will see a list of security questions already setup. You can add your own security questions by clicking on the “Add more” button at the bottom. Alternatively you can also edit or remove the existing questions.

At the bottom of the settings pages, you will find the options to enable security questions on login, registration, and lost password pages.

Don’t forget to click on the save settings button to store your changes.

That’s all. From now on all users on your site will be asked to select and answer their security question on the login page.

Your WordPress site’s registered users can visit their Profile page to select a security question and add their answer to it.

Users who do not set a security question will still be able to login by just using their username/email and password.

If you enabled security questions on registration page, then new users will be able to select a security question during registration.

Enabling security question on forgot password page will ask users to answer their security question to get the password reset email.

If a user’s email address is compromised, then this would stop someone from gaining access by resetting password.

At WPBeginner, we use Sucuri to protect our website from malicious attacks and login attempts. Sucuri is a web security company that offers website monitoring and firewall services.

See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

We hope this article helped you learn how to add security questions to your WordPress login screen. You may also want to see our guide on how and why you should limit login attempts in WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

What is Wordfence? How it Protects Your WordPress Site?

Wordfence is a WordPress security plugin that helps you protect your website against security threats like hacking, malware, DDOS and brute force attacks.

It comes with a website application firewall, which filters all traffic to your website and blocks suspicious requests.

It has a malware scanner that scans all your WordPress core files, themes, plugins, and upload folders for changes and suspicious code. This helps you clean a hacked WordPress site.

The basic Wordfence plugin is free, but it also comes with a premium version that gives you access to more advanced features such as country blocking, firewall rules updated in real time, scheduled scanning, etc.

Having said that, let’s see how to install and easily setup Wordfence for maximum security.

How to Install and Setup Wordfence in WordPress

First thing you need to do is install and activate the Wordfence Security plugin. For more details, see our step by step guide on how to install a WordPress plugin.

Upon activation, the plugin will add a new menu item labeled Wordfence to your WordPress admin bar. Clicking on it will take you to the plugin’s settings dashboard.

This page shows an overview of the plugin’s security settings on your website. You will also see security notifications and stats like recent IP blocking, failed login attempts, total attacks blocked, etc.

Wordfence settings are divided into different sections. The default settings will work for most websites, but you still need to review and change them if needed.

Let’s start by running a scan first.

Scanning Your WordPress Site Using Wordfence

Head over to Wordfence » Scan page and then click on ‘Start a Wordfence Scan’ button.

Wordfence will now start scanning your WordPress files.

The scan will look for changes in file sizes in the official WordPress core and plugin files.

It will also look inside the files to check for suspicious code, backdoors, malicious URLs, and known patterns of infections.

Typically these scans need a lot of server resources to run. Wordfence does an excellent job of running the scans as efficiently as possible. The time it takes to complete a scan will depend on how much data you have, and the server resources available.

You will be able to see the progress of the scan in the yellow boxes on the scan page. Most of this information will be technical. However, you don’t need to worry about the technical stuff.

Once the scan is finished, Wordfence will show you the results.

It will notify you if it found any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.

Free Wordfence plugin automatically runs full scans on your WordPress site once every 24 hours. Premium version of the plugin allows you to set up your own scan schedules.

Setting up Wordfence Firewall

Wordfence comes with a website application firewall. This is a PHP based application level firewall.

The Wordfence firewall offers two levels of protection. The basic level which is enabled by default allows the Wordfence firewall to run as a WordPress plugin.

This means, that the firewall will load with rest of your WordPress plugins. This can protect you from several threats, but it will miss out on threats that are designed to trigger before WordPress themes and plugins are loaded.

The second level of protection is called extended protection. It allows Wordfence to run before WordPress core, plugins, and themes. This offers a much better protection against more advanced security threats.

Here is how you would set up the extended protection.

Visit Wordfence » Firewall page and click on the Optimize Firewall button.

Wordfence will now run some tests in the background to detect your server configuration. If you know that your server configuration is different from what Wordfence has selected, then you can select a different one.

Click on the continue button.

Next, Wordfence will ask you to download your current .htaccess file as a backup. Click on the ‘Download .htaccess’ button and after downloading the backup file click on the continue button.

Wordfence will now update your .htaccess file which will allow it to run before WordPress. You will be redirected to the firewall page where you will now see your protection level as ‘Extended protection’.

You will also notice a ‘Learning Mode’ button. When you first install Wordfence, it attempts to learn how you and your users interact with the website to make sure that it doesn’t block legitimate visitors. After a week it will automatically switch to ‘Enabled and Protecting’ mode.

Monitoring and Blocking Suspicious Activity Using Wordfence

Wordfence shows a very useful log of all requests made to your website. You can view it by visiting Wordfence » Live Traffic page.

Here you can see the list of IPs requesting different pages on your website.

You can block individual IPs and even full networks on this page.

You can also block suspicious IPs manually by visiting the Wordfence » Blocking page.

Advanced Settings and Tools in Wordfence

Wordfence is a powerful plugin with lots of useful options. You can visit Wordfence » Options page to review them.

Here you can selectively turn features on and off. You can also enable or disable email notifications, scans, and other advanced settings.

On Wordfence » Tools page, you can run password audit to ensure that all users on your website are using strong passwords. You can run whois-lookup for suspicious IP addresses and view diagnostics information to help debug issues with the plugin or your WordPress site.

Premium version users can also setup two-factor login to strengthen login security on their websites.

Wordfence vs Sucuri – Which One is Better?

Now some of you will probably be thinking how Wordfence stacks against Sucuri?

Sucuri is another popular website security suite that comes with a website application firewall, malware scanner and removal.

At WPBeginner, we use Sucuri. Check out our Sucuri review to see how it helped us block more than 450,000 WordPress attacks in 3 months.

Both Wordfence and Sucuri are great choices to improve your WordPress security. However, we believe that Sucuri has some features that give it a slight edge over Wordfence.

One of them is website application firewall. Wordfence WAF is an application level firewall, which means it is initiated on your server.

On the other hand, Sucuri website firewall is a DNS level firewall. This means all traffic to your website goes to their cloud proxy before reaching your website. This helps Sucuri block DDOS attacks more efficiently and also reduces server load on your website.

We hope this article helped you learn how to install and properly setup Wordfence on your website. For more security tips, you should also check out our ultimate WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

What is a WordPress Firewall Plugin?

A WordPress firewall plugin (also known as web application firewall or WAF), acts as a shield between your website and all incoming traffic. These web application firewalls monitor your website traffic and blocks many common security threats before they reach your WordPress site.

Aside from significantly improving your WordPress security, often these web application firewalls also speed up your website and boost performance.

There are two common types of WordPress firewall plugins available.

DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.

Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as DNS level firewall in reducing the server load.

We recommend using a DNS level firewall because they are exceptionally good at identifying genuine website traffic vs bad requests.

They do that by tracking thousands of websites, comparing trends, looking for botnets, known bad IPs, and blocking traffic to pages that your users would normally never request.

Not to mention, DNS level website firewalls significantly reduce the load on your WordPress hosting server which makes sure that your website does not go down.

Having said that, let’s take a look at the best WordPress firewall plugins that you can use to protect your website.

۱٫ Sucuri

Sucuri is the leading website security company for WordPress. They offer DNS level firewall, intrusion and brute force prevention, as well as malware and blacklist removal services.

All your website traffic goes through their cloudproxy servers where each request is scanned. Legitimate traffic is allowed to pass through, and all malicious requests are blocked.

Sucuri also improves your website’s performance by reducing server load through caching optimization, website acceleration, and Anycast CDN (all included). It protects your website against SQL Injections, XSS, RCE, RFU and all known-attacks.

Setting up their WAF is quite easy. You will need to add a DNS A record to your domain and point them to Sucuri’s cloudproxy instead of your website.

At WPBeginner, we use Sucuri to improve our WordPress security. See how how Sucuri helped us block 450,000 WordPress attacks in 3months.

Pricing: Starting from $199.99/year billed annually.

Grade: A+

۲٫ Cloudflare

Cloudflare is best known for their free CDN service which includes basic DDoS protection as well. However, their free plan doesn’t include website application firewall. For WAF you will need to signup for their Pro plan.

Cloudflare is also a DNS level firewall which means your traffic goes through their network. This improves performance of your website and reduces downtime in case of unusually high traffic.

The Pro plan only includes DDoS protection against layer 3 attacks. For protection against advanced DDoS layer 5 and 7 attacks, you will need at least their business plan.

Cloudflare has its pros, which include CDN, caching, and a larger network of servers. The downside is that they do not offer application level security scans, malware protection, blacklist removal, security notifications and alerts. They also do not monitor your WordPress site for file changes and other common WordPress security threats.

For more details see our comparison of Sucuri vs Cloudflare.

Pricing: Starting from $20/month for Pro plan and $200/month for Business.

Grade: A

۳٫ SiteLock

SiteLock is another well-known website security company offering website application firewall, DDoS protection, malware scan and removal services.

SiteLock’s WAF is a DNS level firewall with a CDN service included in all plans to improve performance of your website. They offer daily malware scans, file change monitoring, security alerts, and malware removal.

All plans include basic DDoS protection while advanced DDoS protection is available as an add-on. They also allow customers to display SiteLock trust seal on their websites.

They have also partnered with many hosting companies to offer their basic plan as an addon. If you start your WordPress blog with Bluehost then you will be shown SiteLock as an addon that you can add to your hosting package.

However, it is unclear what’s included in that addon, and how it is different than the plans offered on SiteLock’s official website.

Pricing: Accelerate Plan costs $299 / year and Prevent plan costs $499 / year.

Grade: B+

۴٫ Wordfence Security

Wordfence is a popular WordPress security plugin with a built-in website application firewall. It monitors your WordPress site for malware, file changes, SQL injections, and more. It also protects your website against DDoS and brute force attacks.

Wordfence is an application level firewall which means that firewall is triggered on your server and bad traffic is blocked after it reaches your server but before loading your website.

This is not the most efficient way to block attacks. Large number of bad requests will still increase load on your server. Because it’s an application level firewall, WordPress does not come with a content delivery network (CDN).

Wordfence comes with on-demand security scans as well as scheduled scans. It also allows you to manually monitor traffic and block suspicious looking IPs directly from your WordPress admin area.

To learn more about Wordfence, see our guide on how to install and setup Wordfence security in WordPress.

To get their sophisticated application level firewall, you really need the Premium version.

Pricing Basic plugin is Free. Premium version pricing starts from $99/year for a single site license.

Grade: B

۵٫ BulletProof Security

BulletProof security is another popular WordPress security plugin. It comes with a built-in application level firewall, login security, database backup, maintenance mode, and several security tweaks to protect your website.

BulletProof security does not offer a very good user experience and many beginners may have difficulty understanding what to do. It does come with a setup wizard that automatically updates your WordPress .htaccess files and enables firewall protection.

It does not have a file scanner to check for malicious code on your website. The paid version of the plugin offers extra features to monitor for intrusion and malicious files in your WordPress uploads folder.

Pricing: Free basic plugin. Pro version costs $59.95 for unlimited sites and lifetime support.

Grade: C

Conclusion

After careful comparison of all these popular WordPress firewall plugins, we believe that Sucuri is undoubtedly the best firewall protection you can get for your WordPress site.

It is the best DNS level firewall with the most comprehensive security features to give you complete peace of mind. On top of that, the performance boost that you get from their CDN is very impressive.

We hope this article helped you find the best WordPress firewall plugin for your website. You may also want to see our ultimate step by step WordPress security guide for beginners.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.