Despite my efforts to secure my websites outside of WordPress, I do run some plugins to enhance security. I use Wordfence set to :
- Lock out after how many login failures = 3
- Lock out after how many forgot password attempts = 3
- Count failures over what time period = 5 or 10 mins.
- Amount of time a user is locked out = 60 days.
I also use these plugins:
- Anti-Malware and Brute-Force Security by ELI,
- CloudFlare (Content delivery cache and helps because it stores ‘local’ copies in each country),
- Exploit Scanner,
- Injection Guard (This is new and should stop soaksoak)
- Quttera Web Malware Scanner,
- Sunny (Connecting CloudFlare and WordPress)
- UpdraftPlus – Backup/Restore (store a copy on dropbox as well to be safe).
These have kept me safe on 55 sites over the last year (except for the Revslider ones attacked in the recent Soaksoak attacks).