Alex Grant

Bloggers Guide to WordPress Security

Roughly 30,000 websites are hacked every day. Could your website become one of them? In a perfect world, using a popular content management system like WordPress would end many security woes -- but unfortunately, that's not the case. By default WordPress isn't very well secured; it's built to easily publish content, not necessarily to protect it. If you want to protect your content as a blogger, you're going to need to take some extra steps.

But becoming a blogger shouldn't mean that you have to be some sort of technical savant, particularly if you've just started a blog. You're a content producer, not a hacker. Because of that, we've compiled a complete, all-in-one guide to "hardening" and protecting your WordPress blog. And it's a little long -- but most of the steps that you're going to have to take are only going to have to be taken once.

By the end of this guide, you'll know absolutely everything there is to know about WordPress safety and security, from better password habits to modifying the default WordPress configuration files. Whether you're setting up a one man show or creating an immense magazine of content, you'll be able to rest assured that your data, your site, and even your users are protected.

But first... let's talk about the risks.

Why Do I Have to Secure My WordPress Account?

It's a blog -- not a bank account! Why would anyone try to hack your site? It's easy to assume that your one blog isn't going to become the target of a serious attack but, in truth, there are more reasons for a cybercriminal to target you than you might think. WordPress blogs are frequently hacked for the following reasons:

  • To collect your personal information -- or the information of your users. Identity theft is a big reason why a cybercriminal might go after a well-trafficked blog. You don't even need to collect a lot of information to make this viable: the criminals may only be seeking to collect email addresses. They can sell active email addresses to advertising companies or use them as their own spamming lists.
  • To post "black hat SEO" web pages. If your website is currently a highly ranked website (or even a moderately ranked one), a cybercriminal may want to take over your website domain so that they can post their own content on it. This is very similar to domain hijacking and it's designed to leverage the popularity of an existing website in order to sell goods and services, spread malicious programs, or point to affiliate advertising.
  • To steal your website and hold it for ransom. Yes, this happens. And it's usually not obvious. No one jumps out at you from a digital alley and says "$30 or the website gets it!" Instead, they throw a splash page on your website that says that it's been hacked, and then direct you to services that you can purchase that will restore your website... all under the guise of "helping" you from the evil cyber criminals. This works because many people don't back up their websites, so they can't restore their content themselves.
  • To embed malware and malvertising. Some people just want to watch the world burn. A cybercriminal can pull off a rather subtle attack by simply embedding malware and malvertising into your website. Your website will still be up -- so you may not notice that it is currently distributing malicious programs to your users (likely including yourself). Eventually, however, search engines are going to notice and your website is going to be blacklisted.
  • To simply take your website down. DDoS attacks are one of the easiest ways that a cyber-attacker can take a website down. This can happen for a variety of reasons: the attacker may be a competitor, the attacker may disagree with your positions, or the attacker may be trying to use it to gain access to your website by exposing other vulnerabilities.

Apart from this, your website can also be targeted as part of a larger attack. Criminal attackers may simply be scanning for vulnerable WordPress installations -- because they already know about the vulnerabilities that exist in WordPress. They may attempt the same exploits on every website they find, hoping to turn up something useful.

So how do you avoid becoming a target? It all begins with the setup.


Chapter One: Setting Up and Configuring Your WordPress Installation

WordPress is in the business of making it easy for you to post your thoughts and experiences. It isn't necessarily in the business of securing them. The default configuration of your WordPress installation makes it very easy for you to use, but it also makes it easier for others to access. Before you even begin fiddling with your first post, you need to change some settings.

Change Your Administrative Username

By default, WordPress sets your username to "admin." This is a problem: in order to log in, someone only needs to guess your password. But you can defeat this by having a username that is different and that is not visible to the public.

In WordPress, you can't directly change usernames; instead, you have to create a new username and delete the old one before you begin. That makes it a little more complicated, but this is as good a time as any to become familiar with the administrative settings dashboard.

How to Change Your Administrative Username

On the administrative dashboard, click on “Users.” You’ll retrieve a list of current users, which should be only a single user named “admin.”

Next to the Users heading, click on the "Add New" button.

Fill in your user information as directed and select the role of "Administrator." Click on "Add New User."

Hover on the old "admin" user name. Click on "Delete."

Confirm deletion.

Click on your new administrator name.

Scroll down to change the nickname and select to "display name publicly as" this nickname.

Add Two-Factor Authentication

Two-factor authentication adds an additional layer of security upon a traditional username and password combination. Think of two-step authentication as a lock in which you have to turn two separate keys. One of these keys is your login credentials -- your username and password. The other key can be either of the two following options:

  • "Something you are." A fingerprint scan, eye scan, or other biometric service can be used to verify that a user is who they say they are. This is frequently used to lock phones, doors, and other physical devices.
  • "Something you have." A smartphone or similar device can be used to verify a user's identity. Frequently this means sending the user an SMS message with a PIN. The user then has to enter that PIN alongside their login credentials.

Two-factor authentication can only be set up natively on WordPress.com. Otherwise it requires the use of plug-ins such as MiniOrange 2FA, Google Authenticator and Sucuri.

Installing Two-Factor Authentication With Google Authenticator

Go to Add Plug-Ins and select “Add New.”

Search for “MiniOrange Google.”

Click “Install” and then “Activate.”

MiniOrange will send you an email to verify your email.

Then, you can set up your account.

Select the 2FA tab to choose a type of two-factor authentication. The simplest and most secure method is Google Authenticator. MiniOrange also offers premium options, including SMS codes, as well as a less secure email-based option.

Click on the alert to configure security questions, which will ensure that you do not get locked out of your account.

(Optional) You can also set up which user roles are required to use two-factor authentication.

WARNING! Using WordPress's optional Jetpack, it's possible to connect your own WordPress website to your WordPress.com login. From then on, you can log into all of your WordPress sites through your WordPress.com credentials. This is not advised. If one of your sites is compromised, all of your sites will be compromised.

Install a CAPTCHA Solution

Everyone knows CAPTCHA. CAPTCHA prevents bots from performing actions on your site, such as trying to log in or trying to submit a form. A bot can be very persistent: not only can they eventually break through your security, but they could overly tax your website, resulting in denied traffic and slow connections.

Though some CAPTCHA systems can seem a bit "annoying" -- such as the ones that are difficult to read -- they can be essential for high volume blogs. The CAPTCHA WordPress Plugin lets you add CAPTCHA controls to login forms, registration forms, comments forms, contact forms, and more. Further, you can control the type of CAPTCHA code that's displayed, so that it has limited impact on your legitimate users.

Installing a CAPTCHA Solution

Go to Add-Plugins and Select "Add New."

Search for "Captcha by BestWebSoft."

Click on "Install."

Review Captcha Settings. Enable Captcha for login forms, registration forms, forgot password forms, and comment forms.

Save changes.

From now on, when you log in, you'll be greeted with a CAPTCHA code.

Get Spam Protection for Your Comments

At first glance, spam protection seems more like a usability issue than a security issue. "Spam" comments generally come from bots who are seeking to boost the website rankings of other websites. Bots will generate "word salad" comments that have nothing to do with your posts but ultimately link to the site that they are promoting.

Where it becomes a security issue is two-fold: spam comments can bog your blog down with excess traffic and they can contain potentially malicious links. WordPress does not have built-in spam protection, but it is provided for free through the Akismet WordPress plug-in. There are also some other options, such as the official WordPress security plug-in, and all-in-one systems like Sucuri.

Installing the Akismet WordPress Plug-In

Go to Add Plug-Ins and select "New."

Search for “Akismet.”

Install and activate the Akismet plug-in.

Click on "Set Up Your Akismet Account."

Click on any of the options.

Get an Akismet API Key for free.

Go to the Akismet Settings and enter in the Akismet API Key. Spam protection will begin instantly.

Remove Your WordPress Version Number

WordPress telegraphs the version number that you have installed for the world to see. While this might be interesting information, it can also be harmful. A malicious user could see that you're using a version of WordPress that still has a certain vulnerability -- and they can then target you. The easy solution? Just remove the number.

This takes a bit of editing, so remember to back up your website first. Once your website has been backed up:

Go to "Appearance" and then "Editor."

Go to the right and click on "Theme Functions" (also labeled "functions.php").

Note that some more advanced themes may have a custom functions file. Consult your theme documentation for more details.

Type the following line:

add_filter( 'the_generator', '__return_empty_string' );

This is WordPress code that hooks the_generator, the filter WordPress runs whenever it is about to output its version string, and replaces that output with an empty string so the version is never displayed. The second argument must name a real function; __return_empty_string is a helper that WordPress ships for exactly this purpose.

Click on "Update File."

This will strip out your version number from your WordPress header and from your WordPress RSS feeds at the same time. Now you just have a few more adjustments to do.
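As an added example (not the page's own snippet), a more complete version of this step: it removes the generator tag from the page head and from feeds, and also strips the WordPress version from the ?ver= query string that WordPress appends to its own scripts and styles, which leaks the same number. The hook and function names are real WordPress APIs; the bgws_ prefix and the file location are assumptions.

```php
<?php
/**
 * Hide the WordPress version number. Added example, not the page's original snippet.
 * Place in the active theme's functions.php (drop the opening <?php tag if the file
 * already has one) or, to survive theme updates, in wp-content/mu-plugins/hide-version.php.
 */

// 1. Remove the <meta name="generator"> tag that wp_head() prints.
remove_action( 'wp_head', 'wp_generator' );

// 2. Blank the generator string everywhere else WordPress uses it (RSS/Atom feeds, exports).
add_filter( 'the_generator', '__return_empty_string' );

// 3. WordPress appends ?ver=<core version> to its own enqueued scripts and styles.
//    Strip it only when it equals the core version, so plug-in and theme cache-busting
//    versions keep working.
function bgws_strip_core_version( $src ) {
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so the version is removed after other plug-ins have added their own args.
add_filter( 'style_loader_src',  'bgws_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'bgws_strip_core_version', 9999 );
```

After saving, view the page source and the /feed/ output: neither should contain a "generator" line or a ver= equal to your WordPress version.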

Disable the WordPress API

WordPress offers a REST API for developers who want to integrate their own programs into WordPress. However, there are some issues with the REST API -- most notably that the REST API can actually bypass WordPress's authentication system, including two-factor authentication. Unless you are using it for a custom-built application, it's a solid practice to simply disable the WordPress API entirely. This can be done through a plug-in, such as Disable REST API.

All you need to do is "Install Now" and then "Activate."

Disable XML-RPC

XML-RPC is a WordPress feature that enables remote access and remote posting. This can be a security issue, as it creates another way that a malicious user could potentially access your site. If you're interested in publishing posts remotely, you may need to leave XML-RPC enabled (it is enabled by default). If you are not publishing posts remotely, there's no reason to leave an additional vulnerability open.

The easiest way to disable XML-RPC is to install the Disable XML-RPC plug-in. There are other ways, but they require editing code.

Again, all you need to do is click on “Install Now” and then “Activate.”
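The two plug-ins above work through a handful of WordPress hooks. The following must-use plug-in, added here as an example and not taken from either plug-in, applies the same controls in one file. It restricts the REST API to logged-in users rather than switching it off outright, because the block editor and the admin screens themselves call the REST API; the bgws_ prefix and the file path are assumptions.

```php
<?php
/**
 * Restrict the REST API to authenticated users and turn off XML-RPC.
 * Added example; save as wp-content/mu-plugins/lock-remote-apis.php (path is an assumption).
 */

// REST API: reject anonymous requests. Logged-in users (cookie + nonce, or an
// application password) still pass, so the block editor keeps working.
// Default priority (10) runs before WordPress's own cookie check at priority 100,
// which is the order the REST API handbook's "require authentication" recipe relies on.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // A previous check already decided (true = authenticated, WP_Error = refused): keep it.
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to use the REST API.' ),
            array( 'status' => rest_authorization_required_code() ) // 401, or 403 if a cookie was sent
        );
    }
    return $result;
} );

// XML-RPC: disable the authenticated methods (remote posting, etc.).
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled only covers methods that require a login. pingback.ping needs none,
// so remove it explicitly.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

To confirm the change, open /wp-json/wp/v2/posts in a browser where you are not logged in: it should return a JSON error rather than your posts.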


Chapter Two: Passwords and Password Hygiene

So far many of the changes that we have made have been designed to counter security issues in the WordPress platform itself. But the platform only represents half of the risk. An equal amount of risk comes from the user -- and, unfortunately, that's you. There are many ways you could potentially (and accidentally) create your own security vulnerabilities. One of the major ways lies in passwords.

As of the most recent versions, WordPress Core actually requires "strong" passwords by default. That means that WordPress won't let you set a password that its own algorithm deems too weak -- and that's a good thing. But there are still some things you should know about how passwords protect you, and how you can protect them.

Crafting a Strong and Memorable Password

What makes a password good? A good password is both complex and easy to memorize. WordPress will make sure that your password is complex, but the passwords that it automatically generates are most definitely not easy to memorize -- in fact, they're generally impossible to remember. That can lead to people foregoing the automatically generated passwords altogether and attempting to make their own.

Complexity is important because the more complicated your password is, the less likely it is to be guessed by an intruder. But memorization is also important; if you can't remember your password, you're more likely to save it in an app, write it down in your notepad, or simply reset it the first time you forget what it is.

Most people do not choose good passwords. To understand what makes a good password, let's use an example:

  • "shells" - This is an obviously bad password. It's a single dictionary word. It can easily be guessed, especially if there's some reason for choosing the word shells. And you might think "what person is going to guess 'shells'?" But people are rarely used for this process. Instead, automated scripts are used to go through an entire dictionary's worth of words until they eventually find the right one.
  • "sh311s" - This is often considered to be a good password, but it really isn't. It's not long enough, and the complexity is simply confusing -- you'll find yourself wondering whether you used an 'e' or a '3'. To a computer, "shells" and "sh311s" are functionally identical.
  • "#[email protected]*zHQWoa*" - This is the type of password that's usually provided through auto generation. In practice, it can be useless; it's only helpful if saved in a password manager, which opens the door to other security issues entirely.
  • "She_sells_sea_shells." - This is actually the best password on this list (well, assuming it wasn't part of a very popular nursery rhyme). It is long, complex, and easy to remember.

Complexity doesn't mean that your p4ssw0rD has to look complex to you; this is a common misunderstanding. Instead, complexity goes up exponentially by length -- and longer pass "phrases" are generally easier to remember and impossible to easily guess.
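To put numbers on the claim that length matters more than symbol substitution, here is an added example (not from the page) that estimates the search space, in bits, for the passwords discussed above. The character-based figure is what a brute-force guesser faces; the word-based figure is the honest estimate for a passphrase, which is only as strong as the number of words and the size of the list they came from. The list and dictionary sizes are assumptions.

```php
<?php
/**
 * Rough search-space estimates for the sample passwords above. Added example.
 * "Bits" = log2 of the number of candidates a guesser must try in the worst case.
 */

// Character-based estimate: (charset size) ^ (length), as a brute-force guesser sees it.
function bgws_char_bits( $password ) {
    if ( '' === $password ) {
        return 0.0;
    }
    $charset = 0;
    if ( preg_match( '/[a-z]/', $password ) )        { $charset += 26; }
    if ( preg_match( '/[A-Z]/', $password ) )        { $charset += 26; }
    if ( preg_match( '/[0-9]/', $password ) )        { $charset += 10; }
    if ( preg_match( '/[^a-zA-Z0-9]/', $password ) ) { $charset += 33; } // printable ASCII symbols
    return strlen( $password ) * log( $charset, 2 );
}

// Dictionary estimate: a guesser tries a word list, not every string. Leetspeak
// substitutions ("sh311s") only multiply the list by a handful of mangling rules,
// which is why the page says "shells" and "sh311s" are functionally identical.
function bgws_dictionary_bits( $dictionary_size = 170000, $mangling_rules = 1 ) {
    return log( $dictionary_size * $mangling_rules, 2 );
}

// Word-based estimate for a passphrase: (words) * log2(list size). 7776 is the size of
// a standard diceware list (assumed). A line from a well-known rhyme is weaker still,
// because the guesser can try whole phrases.
function bgws_word_bits( $passphrase, $list_size = 7776 ) {
    $words = preg_split( '/[^a-zA-Z]+/', $passphrase, -1, PREG_SPLIT_NO_EMPTY );
    return count( $words ) * log( $list_size, 2 );
}

foreach ( array( 'shells', 'sh311s', 'She_sells_sea_shells.' ) as $pw ) {
    printf( "%-22s brute force:   %6.1f bits\n", $pw, bgws_char_bits( $pw ) );
}
printf( "%-22s dictionary:    %6.1f bits\n", 'shells', bgws_dictionary_bits() );
printf( "%-22s dict + rules:  %6.1f bits\n", 'sh311s', bgws_dictionary_bits( 170000, 16 ) );
printf( "%-22s as 4 words:    %6.1f bits\n", 'She_sells_sea_shells.', bgws_word_bits( 'She_sells_sea_shells.' ) );
```

Run it with php from the command line; the passphrase comes out far ahead of the two short passwords even under the conservative word-based count.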

Practicing Good Password Hygiene

Every morning you probably brush your teeth, floss, and wash your face -- though maybe not in that order. But just as you need to practice good physical hygiene, you also need to practice something called good password hygiene. In IT, good password hygiene means maintaining your passwords properly... and making sure they aren't unnecessarily exposed to risk. Password hygiene is called hygiene because it requires the development of good habits.

  • Always memorize your passwords. In the prior section, we discussed why making passwords memorable is important. Even if you have to use some sort of mnemonic device, passwords should always be committed directly to your memory.
  • Never save your passwords in plain text. If your passwords are saved somewhere on your computer, such as in a notepad file on your desktop, anyone who can open that file will be able to log into your WordPress account. This also goes for post-it notes on physical desktops.
  • Don't give out your passwords to others. Though you may trust someone, that doesn't necessarily mean that their password hygiene is up to snuff. When you give out a password, you run the risk that someone else might lose that password.

Remember: passwords are the first line of defense you have when securing your WordPress account. Though they aren't the only security you should rely upon, a well-crafted and well maintained password can do much of the heavy lifting in terms of your system security.

Making Sure Your Password Can't Be Reset

...At least, not without your knowledge. One substantial security risk involving passwords is the ability to reset a password. Other kinds of accounts can be particularly bad about this; a malicious user might be able to reset your password simply by knowing a little about you, such as your birth date. WordPress requires that you have access to your administrative email account to reset your password. And that also means that your security is only as good as your email security.

WARNING! Anyone who has access to your email account can easily find a way to access your WordPress account -- and can lock you out of both. Just as it's important not to share your WordPress login information, it's also important not to let anyone use your email account.

Locking Out Multiple Sign On Attempts

WordPress does not have built-in functionality for locking out multiple sign-in attempts. And that means that a persistent individual can sit there virtually all day just trying different username and password combinations. A login limiting plug-in will limit a user to a certain number of tries during a certain amount of time -- such as three tries every hour. It can also permanently lock down a system (until properly unlocked) if a certain number of incorrect attempts are made. This can be achieved through the installation of a single-purpose plug-in such as WP Limit Login or a more comprehensive security solution such as Sucuri.

Installing WP Limit Login Attempts

Install and activate WP Limit Login Attempts, and then modify your settings:

  • Number of login attempts: the number of failed attempts allowed before the lockdown begins.
  • Lockdown time in minutes: the amount of minutes the user will be locked out for.
  • Number of attempts for captcha: when a captcha will engage to prevent bot attempts.
  • Enable captcha: whether you want to add a captcha at all.

YOU SHOULD KNOW: At any time, you can go to your plug-ins in the administrative dashboard and select “deactivate.” If your blog appears to be acting strangely or loading slowly, you may want to deactivate plug-ins one by one to determine which plug-in might be the culprit. Incorrect settings could lead to performance issues later on.
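To show what a login limiter actually does behind the settings above, here is an added example (not the WP Limit Login plug-in's code) that implements the "three tries every hour" rule with WordPress transients in a must-use plug-in. It counts failures per client address and refuses further attempts, even with the right password, until the window expires; the bgws_ prefix and the file path are assumptions.

```php
<?php
/**
 * Minimal login attempt limiting using WordPress transients. Added example.
 * Save as wp-content/mu-plugins/limit-login.php (path is an assumption).
 */

const BGWS_MAX_ATTEMPTS   = 3;     // failed attempts allowed ...
const BGWS_WINDOW_SECONDS = 3600;  // ... within this window (the page's "three tries every hour")

// Counter key per client address. Behind a proxy or CDN such as Cloudflare, REMOTE_ADDR is
// the proxy's address, so the real client IP must come from the header the proxy sets;
// that mapping is hosting-specific and left as an assumption here.
function bgws_attempt_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'bgws_login_fail_' . md5( $ip );
}

// Count every failed login. wp_login_failed fires for each rejected username/password pair,
// including attempts we reject below, so the window restarts while attempts continue.
add_action( 'wp_login_failed', function () {
    $key   = bgws_attempt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, BGWS_WINDOW_SECONDS );
} );

// Refuse the attempt once the limit is reached. Priority 30 runs after WordPress's own
// username/password check at 20, so a correct password is refused too during the lockdown.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === $username ) { // the login form being displayed, not a submission
        return $user;
    }
    $count = (int) get_transient( bgws_attempt_key() );
    if ( $count >= BGWS_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( __( 'Too many failed logins. Try again in %d minutes.' ), BGWS_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( bgws_attempt_key() );
} );
```

If you lock yourself out while testing, deactivate the file by renaming it over FTP, exactly as the note above describes for plug-ins.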


Chapter Three: Adding an Internal Monitoring System

Up to now, you may have noticed that securing WordPress involves a lot of small changes, management, and maintenance. You can bolster the overall security of WordPress through the use of an internal security monitoring system, which will actually make many of these changes on your behalf. Wordfence and Sucuri are two of the most popular management systems; though WordPress offers an official security plug-in, its uses are fairly limited.

Monitoring Security with Sucuri

Offering "complete website security," Sucuri is able to both clean previously hacked websites and protect websites from attacks.

Sucuri is the leading commercial option for all-in-one WordPress security. For SMBs and professionals, Sucuri is likely one of the better options -- it comes with a wealth of robust features that both protect your website while also reducing the amount of time you need to spend on setup and administration. Some of the most prominent features of Sucuri include:

  • Site Cleaning. If you've already been hacked, Sucuri can restore your website and clean up any malicious infections. These features include the ability to reset the password of any user, reset existing plug-ins, and trace back potentially malicious activity.
  • Site Reputation. If your site has already been blacklisted by Google or disabled by its host, Sucuri can detect this and help you become reestablished.
  • Site Protection. If you want to protect yourself from being hacked, Sucuri offers DDoS and brute force protection, in addition to protection against many current security exploits and vulnerabilities.
  • SSL Certificates. Sucuri provides SSL certificates for their customers under their professional plans. SSL certificates make it possible to encrypt and protect your blog's transmitted data.
  • Advanced Website Protection. Sucuri scans, detects, and mitigates attacks against websites through their Website Application Firewall, including DDoS attacks and brute force password attacks.
  • Scanning and Monitoring. Sucuri actively scans websites for signs that they may have been attacked, such as through malware or malvertising.
  • Site Hardening. Sucuri additionally makes many changes to improve WordPress's overall security, such as: updating WordPress and PHP, removing the visible WordPress version, protecting the uploads directory, restricting access to internal directories, updating and using security keys, and checking for information leakage.

Sucuri is a comprehensive security plug-in that can be installed for free. To install Sucuri, download the “Sucuri WP Plugin.”

Click on “Sucuri” in your new administrative panel. Sucuri will first ensure that WordPress has not been modified in any way.

It will also make sure that the site is clean and it is not blacklisted.

Before going further, you will need to generate an API key. This will enable firewall protection. Simply provide your domain and email address to get started.

Once the API key is generated, you’re free to go through the Sucuri WP plug-in settings, which are comprehensive.

  • Scanner. This system looks for changes that have been made to your WordPress installation. If you are experiencing issues with WordPress, you can consult with the scanner to find out more.
  • Hardening. This feature goes over many of the changes that we have made and more, allowing you to automatically do things such as: verify your PHP version, delete the default administrative account, and block PHP files in the wp-includes directory.
  • Post-Hack. Secret security keys can be used to improve upon your security and authentication, and any user passwords can be reset, in addition to any installed plug-ins.
  • Alerts. Here you’ll be able to control where security alerts go – generally to your administrative email account.
  • API Service Communication. Your API key and its details are stored here – there shouldn’t be any changes that you need to make.
  • Website Info. This contains all of the credentials and other information related to your website.

Monitoring Security with Wordfence

Wordfence is the leading "freemium" plug-in for all-in-one WordPress security, with a large inventory of free features in addition to paid options.

Accessible and affordable, Wordfence presently has millions of users across the globe. Wordfence provides firewall, malware scanning, and login security services, all designed to build on top of WordPress Core. Even the free version of the plug-in is relatively feature complete. Some notable features include:

  • Web Application Firewall. The Wordfence Web Application Firewall detects attacks such as SQL injections, malicious file uploads, and DDoS attempts.
  • Website Scanning. Wordfence can provide hardening for your website by detecting problems in its public configuration, backups, posts, comments, and passwords.

There are also some premium features available:

  • Protection against spam. Wordfence can check comments against lists of known spammers, in order to better detect and remove spam. This feature takes the place of plug-ins such as Akismet.
  • Protection against blacklisting. Wordfence can additionally check whether your website is being used to send spam to other sites. This is a common tactic for getting a website blacklisted; if Google sees your website being used in this fashion, it may remove you from search engine results.
  • Rate limiting. Wordfence can limit high volume traffic to a certain rate, so that users such as bots can still access the site, but without interfering with its responsiveness. This can be especially useful to limit crawlers -- bots that look through websites to index them for search engines.

Wordfence can adversely impact the performance of high traffic sites -- but caching and better performance optimization can also be used to address this. In recent iterations, Wordfence has addressed and reduced its usage of overhead.

Monitoring Security with WordPress Security

WordPress officially provides some advanced security features through its WordPress Security plug-in -- but the features provided are fairly rudimentary and shouldn't be relied upon to secure an entire site.

You can obtain some basic security features through the use of Jetpack Personal or Jetpack Business, both of which include the official WordPress Security Plug-In. WordPress Security includes spam filtering, technical support, daily off-site backups, and one-click restoration. But it is not designed to monitor and protect against advanced threats. WordPress security is mostly designed to quickly deploy backups of your system in the event that something goes wrong. It can be very useful in the event that your website is hacked or that an employee makes a mistake that damages your site, but it is mostly responsive rather than preventative.


Chapter Four: Securing Your Web Hosting Account

Unless you are hosted directly on WordPress.com, your WordPress site is going to run on top of a hosting account. And that means that your hosting services are going to have to be just as secure as your WordPress installation. By gaining access to your web hosting account, an attacker can do anything they want -- including deleting your website entirely.

Finding the Right Hosting Service

First things first -- you usually want to work with a hosting service that is either experienced with WordPress or specifically targeted towards WordPress bloggers. Not only will their server environments be well-suited to the needs of WordPress, but they will also be able to provide better security tailored around the system.

There are thousands upon thousands of hosting services available, and though they may seem to be identical, some of them are far safer than others. When looking for a web host, you should consider the following:

  • Are they popular? Major web hosting services such as HostGator, DreamHost, and GoDaddy all have to have top-of-the-line security solutions because of the sheer number of clients that they serve. That doesn't necessarily mean they are the best hosts (many of them have fairly limited resources), but they are more likely to be secure than other low cost services.
  • Is the account shared? Shared hosting packages may have additional security vulnerabilities, as multiple clients are in the same server environment. Most bloggers will not want to spend the money for a dedicated server, but they can still invest in a VPS (virtual private server) to reduce their risk.
  • Do they have built-in security features? A reputable hosting service will discuss the security features they offer, such as complimentary SSL certificates, automated backups, and firewalls.

As with many things, you don't want to go with the most affordable hosting service. Look for a good blend of features and reputation; there are many very cost-effective options that aren't necessarily bottom tier.

Adding External Monitoring Systems

Monitoring systems, firewalls, and scanners can all be used to protect your website from intrusion attempts. Popular options include Cloudflare and Sucuri, and some web hosts also provide their own utilities. These solutions are designed to detect, identify, and mitigate threats. They can recognize potentially suspicious traffic and deny it -- while still keeping a website up and active.

External monitoring systems are particularly useful against DDoS attacks. A monitoring system will be able to identify a DDoS attack and will be able to deny all illegitimate requests while still allowing ordinary traffic to flow through. External monitoring systems can also be used to detect and reject potentially unsecured connections.

What's a DDoS? In a distributed denial of service attack, a cyber-attacker uses multiple devices to continually create connections to a target. Eventually the target -- in this case your WordPress site -- becomes so inundated with requests that it can no longer respond, even to legitimate ones. This is one of the easiest and fastest ways to take a website down.

Cloudflare is a particularly useful tool for WordPress bloggers. Not only does it protect against DDoS attempts and detect potentially malicious traffic, but it operates primarily as a Content Delivery Network. A CDN speeds up a website by caching its data; users will be able to access the website much faster and there will be less load distributed to the server. Cloudflare is also completely free and can manage multiple sites at once, additionally providing analytic data through which you can measure your website's traffic and performance.

Setup an SSL Certificate and Configure WordPress

SSL certificates can get a little technical -- all you really need to know is that using an SSL certificate means that the data travelling between your visitors and your site is encrypted in transit. And that means that anyone who intercepts that data won't be able to read it. Many websites you use probably use an SSL certificate. You can usually tell because there will be a "locked" icon by the URL and the URL will start with "https://" rather than "http://."

Not all hosting accounts will come with an SSL certificate. You may need to purchase one through your web host as an add-on -- or you may need to use a security plug-in that comes with one, such as Sucuri. Your web hosting service will be able to install the SSL certificate on your account but, either way, you'll need to configure WordPress to use SSL.

How to Add SSL and HTTPS to WordPress

Click on your "General" settings in your administrative dashboard.

Change your WordPress and Site Address URLs to "https" rather than "http".

If you have already added content to your WordPress site, you may also need to include a redirect. For this, you will need to browse to the main directory of your web host. This is usually called "htdocs," but may also be your website's name. Here you will want to modify a file called ".htaccess" to include the following text:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.[blog].com/$1 [R,L]

In the above example, [blog] will be the domain of your blog. This will redirect any requests to "http" to "https" automatically.

Update Your File Permissions

File permissions tell your web server who is allowed to view and access each of your website's files. By default, WordPress is often installed with "777" permissions for its directories. Through FTP, you can select these directories, right click, and change these permissions to either "750" or "755." With these settings the web server can still read and serve the files, but modifying or deleting them requires the owner's permissions.

Your wp-config.php file should be set to "600," and the files within your WordPress directories should be set to "640" or "644." These permissions will still let you do anything you need to do; it will simply reduce the chances that someone else could alter or delete your files.

Turn Off PHP Error Reporting

By default, many servers will send out an error message if PHP code fails -- and WordPress is written in PHP. These errors are designed to help developers when they are debugging, but because they can expose parts of your website's code, they can also be a substantial security risk. To address this, you need to turn off PHP error reporting. In the event that PHP does encounter an error, it will simply serve a blank page.

This requires a modification of your wp-config.php file, which can be found via FTP (or a file browser) in the base directory of your WordPress installation. At the top of wp-config.php, directly below the first line (the opening <?php tag), you should put:

error_reporting(0);            // report no PHP errors at any level
@ini_set('display_errors', 0); // and never print them into the page

Of course, this also means that you aren't going to know what specifically failed in the event that your website does fail -- and, in that situation, you might need to temporarily toggle errors back on.


Chapter Five: Protecting Against Your Users

Bloggers often run in packs. If you're running a blog that has multiple contributors, then your greatest threat might not be from the outside -- it may actually be your own users. Users tend to make mistakes; in fact, when businesses are hacked, it's almost always internal. 52% of cyber attacks occur due to system failures or human error.

The Importance of Restricting Permissions

In security, there are things that are called "best practices." These are the things that we do in an ideal world to create the lowest risk environment. One of the most important security best practices is to restrict user permissions to only what they truly need to complete their day-to-day tasks. When you do not restrict permissions appropriately, you run the risk that:

  • A single user could cause substantial damage -- either intentionally or accidentally. There is no reason for a contributor to be able to delete another contributor's posts, but they might start to do so if they think those posts were inappropriately filed under "their account."
  • A single user login breach could become more dangerous. If a malicious user gets into a contributor's account, they are fairly limited in the amount of damage they can do. If a malicious user gets into an administrator's account, there's far more potential for damage. The fewer users there are with administrative powers, the better.

It's also a good practice not to assign temporary permissions -- i.e., not to make a user an administrator for a temporary amount of time to make some adjustments. Though this is commonly done to make a job simpler, it can easily be forgotten later on.

Setting Password Restrictions

Thanks to Chapter Two, you now know how to set a good password. But that doesn't necessarily mean that your users do. When left to their own devices, users could set very simple passwords that will easily be cracked -- and that compromises your entire system. To avoid this, you can set up restrictions regarding the passwords that your users can set.

The most important factor you want to look at is length, but you also want a decent variety of characters in addition to alphanumeric ones. You may want to request at least one number (0-9) and at least one special character (_;,/`~*). Keep in mind that very restrictive password combinations actually tend to work against you rather than for you, as users will be more likely to create passwords that are difficult to remember. Difficult-to-remember passwords will need to be either written down or reset.

By default, WordPress core ensures that users have "strong" passwords and tests passwords for their complexity. If you have a current version of WordPress, you may not need to worry about this. But if you need to add this functionality, you can use a plug-in such as Force Strong Passwords.

Managing User Sign-Ups

New users should always be restricted to a "contributor" status, and for the best security, they should have to be manually approved. Letting users create their own accounts can be dangerous otherwise!

Log Out Idle Users

Users sometimes forget that they've logged into their account. When they do this, they expose the blog to tremendous risk -- anyone who is on the same computer and wants to tamper with your website can. To deal with this, you can install a plug-in that will automatically log users out after they've been idle for a certain amount of time.

The most popular way to do this is through the Idle User Logout plug-in. This plug-in lets you select which roles are subject to the idle timeout and how long a user can stay idle before being logged out. Users won't lose their data; they'll simply need to log in again before they can continue making adjustments.


Chapter Six: Protecting Against Third-Party Utilities and Services

There are two third-party threats that you need to be most aware of: third-party plug-ins and third-party advertising networks. Both of these can add content and programming to your website that could either damage your site or harm your users.

Validating Third-Party Plug-Ins

Plug-ins for WordPress are generally guaranteed to be malware free; otherwise they would not be included within the WordPress repository. However, that is not the major concern -- the major concern is that these plug-ins may not be as secure as they should be. Anyone can write and publish a plug-in, including an inexperienced developer who could potentially create a plug-in with security vulnerabilities. If part of your website is vulnerable, all of your website is vulnerable.

Before installing a third-party plug-in, you should ask yourself the following questions:

  • How many reviews does it have and how highly is it rated? You should avoid plug-ins that appear to have been barely used or that have just been published for the first time; they could have security issues that have not yet been discovered.
  • How polished is the plug-in and its documentation? The more documentation a plug-in has, the better -- that means the developer is being conscientious and mindful of its design. Likewise, a plug-in that is visually polished will likely have been produced by someone who is detail-oriented.
  • How many other plug-ins has the developer released? The more experienced the developer is with WordPress, the more likely they are to produce solid, secured plug-ins for the platform. If they haven't released any other plug-ins, they may not be aware of WordPress's unique security environment.

Avoiding Malicious Third-Party Services

The most common type of malicious third-party service has to do with "malvertising." Malvertising refers to advertisements that actually contain malicious code. Many bloggers fund their blogs through the use of third-party ads. Malvertising targets the users rather than the owner of the blog, but it can also get a blog blacklisted if the malicious code is detected on the site. There are a few ways to avoid these risks:

  • Only use popular services. Google Adsense and Bing Ads are two of the most popular networks, but that doesn't mean they don't ever contain malicious code -- it just means they are less risky.
  • Invest in a monitoring solution. As noted, even popular third-party networks can be infested, especially if the malicious attacker is using a previously unknown vulnerability. A monitoring solution will identify malicious code when it is run on your site, rather than trusting the service to detect it.
  • React quickly to potential threats. If you do suspect that malicious code is being run on your site, it's important to address it immediately -- even if that means taking down your advertising while you figure the situation out. Otherwise you can lose traffic and damage your website's reputation.

Identifying Potentially Harmful Plug-Ins or Themes

The Internet is a vast and wide place, and sometimes when looking for plug-ins or themes you can be directed to individual websites or repositories that promise some of the most popular WordPress tools. But whenever you are promised something for free, it's likely that there's a catch. In the case of plug-ins or themes, the catch is often a virus.

When purchasing a premium plug-in or theme, it is important to go through the WordPress.org repository or a trusted corporate site. There are many websites that promise premium plug-ins or themes for free. These assets have been stolen -- and even if they don't include malicious code, it still won't be legal to use them.

Only Installing the Plug-Ins You Need

Though plug-ins can add some fantastic functionality, they may not always be strictly necessary for the operation of your blog. Think critically about each plug-in that you install; each one isn't just a security risk, but also adds overhead to your website and ultimately slows it down.


Chapter Seven: Computers, Connections, and the Internet of Things

Consider an encrypted, password-protected hard drive, and a thief who wants the data that is held within it. It would take days or weeks for the thief to hack into the hard drive -- and the thief only has a few minutes of time. What does the thief do?

The thief picks up the hard drive and walks away with it.

Protecting Your Blog Against Physical Intrusion

Today we have smartphones, tablets, and laptops, all connected to the Internet and connected to your blog. Losing any one of those items could mean compromising your blog, unless you make sure that you've taken the appropriate steps to protect yourself. These are:

  • Always make sure that your devices are secured. All of your devices should be protected by either a PIN or a password -- and, where applicable, you should use two-factor authentication such as a fingerprint reader or an ocular scanner. Your devices should automatically lock after a certain amount of time, so that they will password-protect themselves when they are idle.
  • Don't use public computers to access your blog. You never know what could be on a public computer and you can never be too cautious. If login information is stored on that computer, someone could use that computer to log in as you. Likewise, you shouldn't log into your email account either -- because it could contain information that could be used to access your blog.
  • Never access your blog through public WiFi. A public WiFi connection can be run by anyone... including people who are trying to look at your data or insert malicious code into your data transfers. SSL largely helps with this by encrypting your website's traffic, but there can still be potential vulnerabilities related to a public WiFi connection.

Chapter Eight: Constructing Your Disaster Preparedness Plan

It's the blogger's worst nightmare: what happens when your site goes down? Do you know where your backups are? How quickly can you deploy them? And how current are they? In order to avoid downtime, you have to be able to answer these questions quickly and reliably.

What is a Disaster Preparedness Plan?

A disaster preparedness plan outlines the steps that you need to take to get your website up and running again after it has been taken down. And your website could go down for any reason: your blog could be hacked, your hosting provider could go out of business, or you could even make a mistake leading to data loss.

At its most fundamental, a disaster preparedness plan usually involves backup solutions and how to re-deploy your blog's data. But a disaster preparedness plan might also include failover services, such as the ability to redirect your traffic somewhere else while you are down, or the ability to notify your readers that there may be problems.

In general, it's a good idea to:

  1. Have a temporary page in place that will tell your readers that your website is down and that it is expected to be back up by a certain time.
  2. Know where to find your current backups and how to restore them as quickly as possible.
  3. Be able to start and restart services that your website depends upon, such as your web server or your database.

The Four Best Practices for Website Backups

  1. Backups should be automatic. Don't rely upon manual backups; there will come a time when you'll forget. Schedule your backups to run during the lowest traffic hours of your website (as they do consume some system resources), and make sure that they are running as scheduled. Don't forget to check on them frequently; they could fail if they run out of storage space.
  2. Backups should be incremental. You should always have monthly, weekly, and daily backups to fall back on. You never know when an intrusion could occur -- or when data could be lost. It's very possible that you might find yourself having to go back several days or even several weeks to completely restore your site.
  3. Backups should be redundant. Never store your backups only in one place. Cloud backup solutions are especially useful because they are naturally redundant... but what happens if you lose access to the service provider? Ideally, you should have backups both through your web host and through a secondary service.
  4. Backups should be elsewhere. Your backups shouldn't only be stored on your host; that's a recipe for disaster if your hosting account itself is hacked. Likewise, you don't want your backups to only be on a local or external drive -- what happens if that drive crashes?
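As an added example that is not part of the original guide, the shell script below implements the first two practices for the WordPress file tree: it produces timestamped archives with a checksum so a copy stored elsewhere can be verified, and prunes old generations down to a fixed number. The database dump and the off-host copy are assumed to be separate steps, and the WordPress directory it backs up is a constructed demo.

```shell
#!/bin/sh
# Added example, not from the original guide. Backs up a WordPress file
# tree into timestamped, checksummed archives and keeps a fixed number of
# generations. The database dump (mysqldump) and the copy to a second
# location (rsync/scp to another provider) are assumed to be separate
# steps and are not shown. WP_ROOT and BACKUP_DIR are constructed demo
# paths, not a live installation.

# checksum_cmd FILE -> "<sha256>  FILE" using whichever tool is installed
checksum_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# backup_wp_files WP_ROOT BACKUP_DIR [LABEL]
# Writes BACKUP_DIR/wp-files-<timestamp>[-LABEL].tar.gz and a .sha256
# file next to it; prints the archive path. The timestamp in the name
# sorts chronologically, which prune_backups relies on.
backup_wp_files() {
    src=$1; dest=$2; label=${3:-}
    [ -d "$src" ] || { echo "missing WordPress directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    name="wp-files-$(date +%Y%m%d-%H%M%S)${label:+-$label}.tar.gz"
    # -C keeps paths relative (wordpress/wp-config.php, ...) so the
    # archive can be restored under any parent directory.
    tar -czf "$dest/$name" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    ( cd "$dest" && checksum_cmd "$name" > "$name.sha256" ) || return 1
    echo "$dest/$name"
}

# verify_backup ARCHIVE
# Recomputes the checksum and checks the archive is readable; a backup
# that fails this check must not be trusted for a restore.
verify_backup() {
    archive=$1
    dir=$(dirname "$archive"); name=$(basename "$archive")
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    expected=$(cut -d' ' -f1 "$archive.sha256")
    actual=$(cd "$dir" && checksum_cmd "$name" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || return 1
    tar -tzf "$archive" >/dev/null 2>&1
}

# count_backups BACKUP_DIR -> number of archives present
count_backups() {
    ls -1 "$1"/wp-files-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# prune_backups BACKUP_DIR KEEP
# Deletes all but the KEEP newest archives (and their checksum files).
prune_backups() {
    dest=$1; keep=$2
    ls -1 "$dest"/wp-files-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
    while IFS= read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# --- constructed demo: three backup runs, then keep the newest two ------
WP_ROOT=$(mktemp -d)/wordpress
BACKUP_DIR=$(mktemp -d)
mkdir -p "$WP_ROOT/wp-content/uploads"
printf '<?php // constructed placeholder, no real credentials\n' > "$WP_ROOT/wp-config.php"
printf 'demo upload\n' > "$WP_ROOT/wp-content/uploads/demo.txt"

FIRST=$(backup_wp_files "$WP_ROOT" "$BACKUP_DIR" a)
SECOND=$(backup_wp_files "$WP_ROOT" "$BACKUP_DIR" b)
THIRD=$(backup_wp_files "$WP_ROOT" "$BACKUP_DIR" c)
prune_backups "$BACKUP_DIR" 2
echo "archives kept: $(count_backups "$BACKUP_DIR")"
verify_backup "$THIRD" && echo "newest backup verified: $THIRD"
```

Scheduling backup_wp_files from cron and copying the archive plus its .sha256 file to a second provider covers the remaining two practices.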

Options for Backing Up Your WordPress Site

  • Your web hosting service. Most web hosting services offer their own backup system, which should be used as a secondary backup option. But don't assume that your web host automatically does it. Notably, VPS systems (virtual private servers) usually leave it to you to install a backup solution manually.
  • A cloud-based backup solution. There are subscription-based backup solutions that are located on the cloud, which can take backups automatically from your system. WordPress offers cloud-based backups through its WordPress Security plug-in.
  • As a feature in comprehensive security plug-ins. Security plug-ins often include the ability to manage your backups, as this is a part of managing security and mitigating potential risks. Sucuri has a particularly comprehensive backup and restoration system.

An ideal backup solution will backup your website both on your website host and on a cloud solution. This gives you multiple options to recover your data and allows for almost immediate re-deployment of your site should data be lost or corrupted.


Chapter Nine: Managing and Monitoring Your WordPress Site

Your job isn't over once you've configured your website and installed your tools. Your WordPress site will also need to be managed, monitored, and maintained over time. If you want to keep your website secure, you'll need to update it regularly and defend against new and technologically-advanced threats.

Keeping Your WordPress Site Current

You may have noticed that WordPress updates itself quite frequently. These updates concern more than just functionality and improved workflow -- they also address new and emerging security threats. Updating your WordPress site frequently is critical to maintaining a healthy security ecosystem.

Some security plug-ins, such as Sucuri, will routinely check to make sure that you are running the current version of WordPress. And though hiding your WordPress version can protect you from some threats, other more persistent cyber criminals may not be fooled.

Abandoning Out-of-Date Plug-Ins

WordPress tracks which plug-ins have been frequently updated and which plug-ins have not been tested with current versions. Plug-ins that are not kept current should be replaced with plug-ins that are, even if the newer plug-ins might not offer the same functionality.

Older plug-ins will have the same issues as older WordPress installations; they could contain vulnerabilities that have been identified. Once a vulnerability has been identified in an older system, all a cyber-criminal has to do is look for a blog that's still using that old system.

Keeping Your Site Clean

Websites evolve. Over time you'll add and remove content, install and uninstall plug-ins, and change themes. Keeping your site clean is a matter of deleting anything that you aren't using right now: inactive plug-ins, old themes, and other unnecessary content.

Not only are these inactive items taking up space and other resources, but they could actually still represent a security risk even if they have already been deactivated. Plug-ins, in particular, need to be completely deleted in order to remove their risk. Otherwise they will still be on your server and their scripts can still be used.


Testing Your Site’s Vulnerabilities

Security Ninja is a powerful WordPress plugin that lets you run numerous security tests probing the defenses and vulnerable areas of your site. The plugin is entirely automated – push the button to run the tests. Its free version includes more than 50 tests on brute-force attacks, file permissions, version hiding, 0-day exploits, database configuration, WP core version, plugin updates, PHP and MySQL version, and more. Security Ninja free does not make any changes to your site – it just shows where you need to improve.

Its paid version adds seven modules that check and fix the vulnerabilities. Core Scanner checks your WordPress core files and restores the ones that have been modified illegitimately. Malware Scanner checks your themes, plugins, and files for malicious content, while Events Logger tracks what you and your users do on your site. Database Optimizer cleans the garbage out of your disk space. Auto Fixer automates backups and code edits, while Cloud Firewall blocks malicious IPs.


Conclusion

Though it may seem that securing WordPress is difficult, it's really just a matter of being thorough and vigilant. "Hardening" WordPress does require that you go through certain configuration steps -- and that you install security-related plug-ins. But once you have properly secured your WordPress installation, it should mostly be able to take care of itself. Moving forward, your blog will be able to protect itself... and you'll know what to do if it ever cannot.

Security plug-ins such as Sucuri and Wordfence can take a substantial amount of burden off of you as the blog owner. Both Wordfence and Sucuri will make many of the above-mentioned configuration changes on their own -- and will be able to monitor and manage your website 24/7. By automating parts of your WordPress security, you'll both be able to improve upon its accuracy and reduce the amount of time you need to spend on site administration.

There are countless threats out there -- and there are many reasons why a malicious attacker might target a WordPress site. With cyber criminals rapidly becoming more persistent and threatening, it becomes necessary for bloggers to be proactive about their security solutions. A proactive blogger will be able to protect their blog's data against even some of the most advanced threats.

Through this eBook you will have hopefully learned all of the information that you needed to learn about hardening WordPress -- but the world of security is also always changing. If you want to make sure that your site is secured into the future as well, you will need to remain current on modern security threats and solutions. The job of a blogger is never over as far as website maintenance and security is concerned.

But by properly securing your website, you'll be able to build traffic faster, develop a solid reputation, and sidestep many of the costly issues associated with having a website taken down or otherwise compromised. Securing your website is one of the first steps towards developing a solid blog that will be able to steadily grow in popularity. A secured blog will have minimal downtime and will be able to serve its user base both better and more consistently.

That's it. Now happy blogging!

7 Best VPNs for iPhone in 2019

VPNs are now commonplace for accessing the internet safely. In Indonesia 41 percent of internet users use VPNs; it’s 39 percent in Thailand, and 36 percent in each of Saudi Arabia, the UAE, Brazil, and Turkey. Of China’s 649 million internet users, 29 percent use VPNs — that’s approximately 190 million people. Across the globe, VPN use is growing.

Also growing - smartphone use. More people connect to the internet via smartphones than any other device. Governments, criminals and all the people you’d rather stay away from know this, so the hot target now is the smartphone.

If you’ve followed the news — even remotely — you’d remember the case of unlocking a terrorist’s iPhone. Well, 46 percent of iPhone users backed Apple’s refusal to unlock that iPhone, against 35 percent who wanted it unlocked. Crazy huh?

Poll results show “a consistent desire on the part of Americans to keep their phone, Internet communications and other data private.” Specifically, people don’t want to grant the government this access. In fact, 55 percent of respondents feel the government would take advantage and spy on them if they could unlock iPhones.

In March 2017, the US Senate signed into law a bill authorizing ISPs to sell your data to advertisers without your consent. That, in my opinion, looks like a validation for people’s fears. In case you’re still thinking encryption is some dark practice, how would you love to know that the United Nations actually encourages it?

Whether you sided with Apple on the iPhone saga or not, consent before selling off your private data should be the standard, right?

On the other hand, there’s real danger out there with data breaches. Even the banks are betting billions of dollars on it. Bank of America says it has an unlimited budget for it. So what’s “it”?

Cybersecurity.

It’s the only item that commands an unlimited budget from the banks. J.P. Morgan raised its cybersecurity spending by 100 percent in 2016, going from $250 million in the previous year to $500 million.

Lucky for you, you don't need an “unlimited” budget to stay safe online. You do, however, need the BEST security. With a good VPN (and some common sense) you’ll be safe, especially if you have an iPhone.


1. ExpressVPN

ExpressVPN tops this list. The service is easily the most feature-rich of all the services we examined. You can even install and use it on three devices at the same time. Their 30-day Money-back Guarantee (no questions asked) covers all plans, giving you the opportunity to test drive everything they have for a full month without commitment.

They have a reputation for speed and would be great for video and audio streaming. Although personally identifiable data aren’t logged, ExpressVPN logs non-identity data like the dates (but not times) you connected to their VPN service, your choice of VPN location, and the total amount of data transferred each day. The service says that non-identity logs help them make decisions on when to buy new servers, how to improve speed and stability, and helps them give their users better customer service. These logs have no time stamps and no personally identifiable information like IPs — in essence, you should be safe.

ExpressVPN uses 256-bit encryption — the industry’s best encryption standard for non-corporate users — to protect your connection. They also encrypt your streaming using AES-256-CBC. They even support P2P.

The service maintains a detailed support center. They have setup guides, robust troubleshooting articles, and a thorough FAQs page. You may contact support using the “Live Chat” feature on their website. Alternatively, you may reach their support via email or the website’s contact form.


Note: ExpressVPN is now offering a reader exclusive: save 49% on my top recommended VPN.

Pros:

  • Fast performance (good for video/audio streaming)
  • 256-bit Advanced Encryption Standard (AES)
  • Over 1000 servers in 94 countries
  • Unmetered bandwidth
  • P2P and BitTorrent friendly
  • Intuitive user interface
  • Disconnect protection
  • Never logs identity-based data
  • Five-star customer service and 24/7 live chat

Cons:

  • Expensive ($8.32 to $12.95 monthly)
  • No free version (only paid version with 30-day money-back guarantee)

2. NordVPN

If you want a rather security-rich VPN for your iPhone, then you’d like NordVPN. This service has unique features like double VPN encryption, VPN into Tor, and an automatic kill switch. You can pre-set the kill switch to shut down any application in the event of internet speed degradation, to avoid data and DNS leaks.

Having a zero-log policy makes NordVPN particularly suited for iPhone encryption. Although not as fast as ExpressVPN, you can conveniently install and use it on six devices simultaneously. They have excellent customer care, albeit communication options are limited to email, social media (Facebook and Twitter), and ticketing. They are P2P-friendly.

Users can access up to 3,000 free proxies. You may request a dedicated IP at a special price. Their SmartPlay feature makes it easy to access streaming services.

Pros:

  • Exceptionally strong security
  • Maintains a Zero-log policy
  • 1004 servers in 59 countries
  • Flexible payment options including Bitcoin
  • Six simultaneous connections
  • Custom software for iOS
  • Shared IPs (both static and dynamic)
  • Unlimited bandwidth
  • Supports P2P and BitTorrent
  • Fully featured with free proxy lists, encrypted chats, SmartPlay, and more.

Cons:

  • Double VPN encryption may slow you down
  • No Live Chat option for customer service (options are limited to email, social media, and ticketing)

3. Private Internet Access

Private Internet Access (PIA) works excellently on iPhones and gives a seven-day trial with a Money-back Guarantee. It has competitive pricing, at $3.33 to $6.95 monthly (depending on the plan you choose). This service is headquartered in the US and in Iceland; neither country has mandatory policies on storing user data. PIA has a zero-log policy, although it doesn’t support the IKEv2 security protocol as of now.

This service protects against MITM (man in the middle) attacks, protecting you from ARP (Address Resolution Protocol) spoofing. This protection is effective for preventing hackers from accessing your IoT devices. So if you need a VPN that’s compatible with your iPhone and smart home, then you may want to consider PIA.

Their iOS software works well on the iPhone, albeit, you’ll have to manually set it to OpenVPN to enjoy the speed — in default mode, PIA performs poorly on speed tests.

Don’t know how to set up a third-party OpenVPN? No worries. Read on.

It’s good to note that Private Internet Access has detailed step-by-step guides with illustrations on their website to guide you.

Furthermore, the Android version has more advanced features than the iPhone version. For example, when using Private Internet Access on your iPhone you can’t assign the VPN connection to specific apps as you can on the Android version.

Apart from PayPal, Private Internet Access has other payment options like Bitcoin, OKPay, CashU, Amazon, Google Wallet, and Ripple. In addition to all these, the service takes gift cards from 90 retailers like Bloomingdales and Starbucks — this adds an extra layer of security as you can buy the cards with cash and then use them to make payments.

Because of policy conflicts that would have required it to log user data in Russia, Private Internet Access has removed its servers from that country. It has a kill switch, and also a tool called MACE for ad-blocking and tracker-blocking.

Pros:

  • Maintains a zero-log policy
  • Connect 5 devices to one account
  • Unmetered bandwidth
  • 3250+ servers in 25 countries
  • Easy to use, instant setup
  • Ad-blocking
  • Multiple payment options including Bitcoin
  • P2P and BitTorrent friendly

Cons:

  • US-based VPN service
  • It has a rigid interface and Netflix doesn’t play well on it

4. IPVanish

IPVanish has superior features that are best for advanced VPN users. Beginner VPN users may have simpler needs and wouldn’t find uses for features like BitTorrenting and automatic IP address cycling. For heavy downloaders, IPVanish is ideal as it doesn’t restrict BitTorrenting to just a few servers. NordVPN allows, but restricts, BitTorrenting to only some servers — IPVanish gives complete freedom and flexibility with BitTorrenting.

They have servers across the world, including China and India: Central, South and North America, Europe, Africa, the Middle East, and across Asia. In keeping with their zero-log policy, IPVanish suspended operations in Russia when it came into conflict with the local law there.

Their website offers robust, specific instructions on device configurations. So you shouldn’t have a hard time with your iPhone configurations. You can connect five devices concurrently on one account.

They have quality speed, albeit not as fast as ExpressVPN or the others, but you won’t be miserable. Apart from PayPal, they also accept payments via Bitcoin, GiroPay, Boleto and iDeal.

IPVanish’s interface could use some improvements, it doesn’t block ads, and the service is expensive.

Pros:

  • Seven-day Money-back Guarantee
  • 40,000+ shared IPs
  • Unmetered bandwidth
  • Maintains a zero-log policy
  • 256-bit Advanced Encryption Standard (AES)
  • Unlimited server switching
  • Allows BitTorrenting
  • Connect 5 devices simultaneously
  • Multiple payment options including Bitcoin

Cons:

  • Poorly designed and unpleasant interface
  • Expensive ($6.49 to $10.00)
  • No ad-blocking

5. PureVPN

PureVPN is a Hong Kong based VPN service that’s been in business since 2006. In Hong Kong, data retention isn’t mandatory, so PureVPN wouldn’t be storing users’ data. The service accepts payment across multiple platforms including all major credit cards, cryptocurrencies (including Bitcoin), Alipay, CashU, and many others, as well as Starbucks, Walmart, and other gift cards.

PureVPN gives a Seven-day Money-back Guarantee on all their pricing plans. However, they don’t refund payments made via certain channels (as indicated on their website).

For new VPN users, PureVPN is set to automatically choose the security protocol it thinks is best. Advanced users can choose from all available protocols, including PPTP, L2TP, SSTP, OpenVPN, and IKEv2. PureVPN also has a custom protocol called Stealth. Each of these protocols has security and speed ratings attached. PureVPN offers advanced security protection including 256-bit AES, DDoS protection, and a NAT firewall.

Pros:

  • 750+ servers in 141 countries
  • 88,000+ IPs
  • Advanced security protection
  • Split tunneling
  • No limits on bandwidth
  • Intuitive user interface
  • P2P and BitTorrent friendly
  • Multi-payment options including Bitcoin
  • 24/7 customer service including Live Chat

Cons:

  • Poor experience with Netflix
  • No ad-blocking
  • Lacks quick-start option

6. TunnelBear

TunnelBear is based in Canada. The service connects automatically on the iPhone and stays connected 24/7. In “Vigilant mode,” a form of disconnect protection, TunnelBear blocks all unsecured inbound and outbound data in the event of a connection disruption, until the connection is re-established.

This service maintains servers in just over 20 countries, and you can run 5 devices on one account. The free version gives 500 MB of data a month and grants access to all servers except the one in Australia. To increase your data limit to 1GB for a month, you may Tweet about the company; to keep earning the extra bandwidth, Tweet about them monthly.

With a series of advanced blocking tools and measures for ads and trackers, TunnelBear seems to have one of the most advanced online track-blocking and ad-blocking VPN technology. This may be well suited for researchers who need to ensure they aren’t being tracked online.

TunnelBear says that their ‘blocker protects you from online tracking that other “adblockers” ignore.’ They block email tracking, fingerprinting, ultrasonic tracking, and exploits that use Adobe Flash. The service protects from DNS leaks.

Pros:

  • Intuitive interface
  • Impressive download speeds
  • Five simultaneous device connections
  • 256-bit AES
  • No logging
  • Disconnect protection
  • Unlimited bandwidth
  • Ad and tracking blocker

Cons:

  • No P2P or BitTorrent
  • Few Locations supported
  • Can’t select protocol
  • No specialized servers

7. CyberGhost

CyberGhost maintains 601 servers in 30 countries. In Romania, where CyberGhost is based, the EU's data retention directive was ruled unconstitutional, so the service is under no legal obligation to log your data and browsing behavior, and says it does not.

Setup is easy and the service includes tracking blockers, along with the 256-bit AES that is the industry standard for strong encryption. CyberGhost generates a fresh username and password for users to log in with, which should raise the security of each user's account.

Pros:

  • Free version available
  • Zero-log policy
  • 256-bit AES
  • Unlimited bandwidth and data
  • Anti-fingerprinting system
  • Accepts Bitcoin for payment

Cons:

  • No server locations in Asia or Latin America
  • iPhone customer support is for paid plans only
  • Bad experience with Netflix
  • Poor video streaming
  • Displays ads on the free version

FAQs

Now you have a list of the seven best VPNs for your iPhone. But you may still have questions: how to choose a VPN; why you would use one at all on an "already secure" iPhone; which service to use if you love Netflix; and what to do if your chosen VPN service doesn't offer the OpenVPN protocol (which happens to be the most secure of the common options). No worries, I've addressed these concerns here. Read on.

Why use a VPN for my iPhone?

Yes, valid question.

The iPhone was known for strong security when it launched, but it has since faced an ever-growing number of privacy and cybersecurity issues. The glory days of the invulnerable iPhone have passed; even the FBI reportedly got into the terrorist's iPhone that Apple had refused to unlock.

In droves, iPhone users have turned to VPNs for protection. A VPN encrypts all inbound and outbound traffic between the device and the VPN server, which shields it from government or ISP eavesdropping and from cyber criminals on the same network. Keep in mind that the VPN provider itself can see that traffic, so you are moving trust from your ISP to the provider, not eliminating it.

In addition, iPhone users benefit from VPNs to unblock websites, bypass geo-restrictions, improve their online gaming experience, prevent privacy invasion, stream restricted videos and content, use location-based internet services within the countries where their VPN service has servers, and lots more.

What should I know before using VPNs for my iPhone?

You can use VPNs on your iPhone, and all network traffic should then go through the VPN tunnel. However, a VPN only protects data in transit; it does not stop apps from phoning home. Mobile apps from individual publishers usually send a lot of personal data back to those publishers, which can include your Global Positioning System (GPS) location, your International Mobile Equipment Identity (IMEI) number, your iTunes ID, your contact list, and lots more.

To get real privacy from a VPN on your iPhone, turn off or avoid apps from individual publishers. In fact, the most private option is to access online services through their web interfaces in a browser, with the VPN active.

How do I setup a VPN on my iPhone?

To set up a VPN on your iPhone, do these:

  1. Decide which of the listed VPNs here fits your needs.
  2. Visit the website of that VPN service and subscribe there. A year's subscription is usually better for cost savings (it could save you 50 to 70 percent).
  3. After you've subscribed, log in with your password. From your user account, download the VPN software, following the instructions to select the iOS or iPhone version, depending on the VPN service.
  4. Once installed, run the app and choose your preferred security protocol. OpenVPN is usually the best choice, then IKEv2, then L2TP/IPsec. Avoid PPTP: it has known security vulnerabilities.
  5. From the list of VPN servers, choose the one in the country or city you'd like as an exit location, and then tap Connect.
  6. The app's status indicator turns green once the connection is made, and iOS shows a VPN badge in the status bar. Now, surf the web to your freedom!

My VPN doesn’t have an OpenVPN protocol, what are my options?

If your VPN service's app doesn't have OpenVPN built in, you can use the OpenVPN Connect app from the App Store together with the provider's configuration files. Here's how:

  1. In the App Store, get the OpenVPN Connect app.
  2. Install it on your iPhone.
  3. Go to the VPN service's website and download the OpenVPN configuration files (.ovpn files). You should find them in the download area.
  4. Unzip the downloaded files and transfer them to the phone. Many .ovpn profiles embed your client certificate and private key, so treat them as credentials: AirDrop, iCloud Drive or file sharing through iTunes/Finder is preferable to emailing them to yourself.
  5. On the iPhone, open the transferred files (or the email, if you sent them that way) and save them.
  6. Open the OpenVPN Connect app, tap "Import" and select the file you saved to your iPhone.
  7. Once imported, choose the server you want to connect to and enter your username and password.
  8. Once the app connects, the OpenVPN protocol is active and you can browse using your new IP address.
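Before importing a provider's .ovpn profile (step 3 above) it is worth reading it, because the profile decides the cipher, the HMAC and whether the server's certificate is actually checked. The following inspector is an added example, not code from the page or from any VPN provider; the two profiles at the bottom are constructed, with placeholder hostnames and key blocks, and the directive names are OpenVPN's own. It reports the remote endpoints, flags embedded key material (the reason not to mail a profile around in the clear), and warns about weak or missing security directives, including 64-bit-block ciphers such as Blowfish that some providers still advertise as "256-bit encryption".

```python
"""Inspect an OpenVPN client profile (.ovpn) before importing it.
Added example, not from the page or any VPN provider; sample profiles are constructed.
"""
import re

# 64-bit-block ciphers (Blowfish, DES, 3DES, CAST5) are weak whatever the key
# length; "none" disables encryption entirely.
WEAK_CIPHERS = {"bf-cbc", "des-cbc", "des-ede3-cbc", "cast5-cbc", "none"}
INLINE_SECRETS = ("key", "secret", "tls-auth", "tls-crypt", "tls-crypt-v2")
STRONG_AUTH = {"sha256", "sha384", "sha512"}


def parse_profile(text):
    """Split a profile into plain directives and <tag>...</tag> inline blocks."""
    directives, inline, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = re.fullmatch(r"<(/?)([\w-]+)>", line)
        if tag:                           # "<key>" opens a block, "</key>" closes it
            current = None if tag.group(1) else tag.group(2)
            if current:
                inline.setdefault(current, [])
            continue
        if current:
            inline[current].append(line)
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives, inline


def inspect_profile(text):
    """Return remotes, data-channel ciphers, HMAC and a list of findings."""
    opts, inline = parse_profile(text)
    findings = []
    remotes = [tuple(args) for args in opts.get("remote", [])]
    for tag in INLINE_SECRETS:
        if tag in inline:
            findings.append(f"embeds <{tag}>: the file is a credential, never send it in the clear")
    if "data-ciphers" in opts:            # OpenVPN 2.5+ negotiation list, colon separated
        ciphers = opts["data-ciphers"][0][0].lower().split(":")
    elif "cipher" in opts:
        ciphers = [opts["cipher"][0][0].lower()]
    else:
        ciphers = []
        findings.append("no cipher set: OpenVPN 2.3 and older fall back to BF-CBC")
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"weak cipher {c}: 64-bit block size or no encryption")
    auth = opts.get("auth", [["sha1"]])[0][0].lower()   # OpenVPN's default HMAC is SHA1
    aead = bool(ciphers) and all(c.endswith("-gcm") for c in ciphers)
    if not aead and auth not in STRONG_AUTH:   # AEAD ciphers authenticate packets themselves
        findings.append(f"auth {auth}: use SHA-256 or stronger")
    if "remote-cert-tls" not in opts:
        findings.append("no 'remote-cert-tls server': any certificate from the same CA, "
                        "another client's included, would be accepted as the server")
    if not {"tls-auth", "tls-crypt", "tls-crypt-v2"} & (set(opts) | set(inline)):
        findings.append("no tls-auth/tls-crypt: control channel has no pre-shared HMAC key")
    if "block-outside-dns" not in opts:
        findings.append("no 'block-outside-dns': on Windows, DNS queries may leak to the ISP resolver")
    return {"remotes": remotes, "ciphers": ciphers, "auth": auth, "findings": findings}


# Constructed sample: weak cipher, SHA1 HMAC, no server-certificate check.
WEAK_PROFILE = """\
remote vpn.example.net 1194
remote vpn.example.net 443 tcp
cipher BF-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
constructed placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN PRIVATE KEY-----
constructed placeholder, not a real key
-----END PRIVATE KEY-----
</key>
"""

# The same profile with the directives a hardened client profile should carry.
HARDENED_PROFILE = (
    WEAK_PROFILE.replace("cipher BF-CBC", "cipher AES-256-GCM")
    .replace("auth SHA1", "auth SHA256")
    + "remote-cert-tls server\nblock-outside-dns\n<tls-crypt>\nplaceholder\n</tls-crypt>\n"
)

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        report = inspect_profile(profile)
        print(f"[{label}] remotes={report['remotes']} ciphers={report['ciphers']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a real profile by reading the file into `inspect_profile`. Anything other than the "embeds" notes on a provider's profile is worth a support ticket before you trust the tunnel; the embedded-key notes are a reminder to move the file over a channel you trust rather than email.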

I love watching Netflix on my iPhone, what’s the best VPN for this?

Almost all top VPNs for iPhones do not work well with Netflix. Most don't work at all, and some have openly given up trying: Netflix blocks known VPN IP ranges directly. However, Canada's TunnelBear maintains a good reputation for streaming Netflix without trouble. So if Netflix is part of your motivation for getting a VPN service, I'd recommend giving TunnelBear a try.

Final Thoughts

Choosing the best VPNs for your iPhone just got easier. Depending on your most pressing needs, concerns or the nature of your work, you can easily choose from this list of the best.

All seven VPNs on this list reportedly maintain a zero-log policy, which limits what a provider can hand over or lose; remember, though, that it is a promise you cannot verify from the outside, and the provider now sees the traffic your ISP used to see. With that caveat, geo-restrictions should be lifted, eavesdropping by your ISP or on public Wi-Fi should no longer worry you, and you should enjoy freedom from repressive governments and government policies. In short, your iPhone's VPN should bring you peace of mind.

I invite you to tell us, in the comments section below, what the best VPN for your iPhone is, and why. If you enjoyed this article, please share it with a friend you care about.

7 Fastest VPNs of 2019


In 2017, U.S. lawmakers repealed the FCC's broadband privacy rules, and the practical effect is that you no longer control your data: your clicks, searches and purchases can be collected and sold by your Internet service provider (ISP) without your consent. ISPs that once hesitated to broker personal information are now trading the burdens of privacy protection for profit. In response, many consumers are turning to VPNs, virtual private networks, to protect their privacy while preserving access to the Web.

What a VPN is... and what it isn’t

First of all, you still have to keep your regular ISP. Using a VPN will not replace your ISP's dollars-per-month bill, but a good VPN acts as a cloaking device: all your ISP sees is an encrypted connection to the VPN server, not the Internet destinations you reach through it.

Second, most reputable VPNs charge a subscription fee for a reason. You use their service, often referred to as a tunnel to the Internet, and the provider now sees the traffic your ISP used to see. You are paying it to carry that traffic without logging or selling it.

Next, your VPN essentially becomes your encrypted proxy. Wherever your VPN server is, that is where the Internet considers you to be, and anyone tracking your activity by IP address will trace it back to the VPN, not to you.

Finally, because the tunnel is encrypted, you can file-share and download to your heart's content, even from public Wi-Fi hotspots, without the hotspot or your ISP seeing what you transfer, as long as your VPN supports peer-to-peer (P2P) file-sharing.

The trade-off to all of this, of course, is that all that encryption and additional layers of security can slow Internet access. That’s why it pays to know exactly which VPNs are most likely to keep you not only safe and secure but also up to speed. Here are our top picks, some need-to-know specs and a few nods to what makes them special.

Choosing a VPN

Political, societal and technological shifts only increase the importance of security, anonymity, data usage, P2P file-sharing and torrenting capabilities, and bandwidth and speed. Subscription prices vary from the free—and often slow, insecure and risky—to the pricey. However, quality VPN providers tend to differ by only a few dollars. When looking for your plan, be sure to consider the following:

  • Security: AES-256 encryption over a modern protocol such as OpenVPN or IKEv2, not PPTP.
  • Compatibility with hardware and software.
  • Server and IP address availability and location.
  • Country of registration and data retention laws.
  • Bandwidth or data restrictions, including throttling.
  • Servers specified for P2P file-sharing, torrenting or other designations.
  • NAT firewall, which drops unsolicited inbound connections to your VPN address.
  • Proxies like SOCKS5.
  • Kill switches.
  • Split tunneling and capabilities for manual configurations.
  • Customer service and support.
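The kill switch in the checklist above, like the disconnect protection described earlier for TunnelBear's Vigilant mode, comes down to a firewall policy: nothing may leave the machine except through the tunnel interface or to the VPN server itself. The model below is an added example, not any provider's code. It builds that policy as an iptables OUTPUT chain and then walks constructed packets through it the way the kernel would, so you can see what is and is not allowed out while the tunnel is down. The interface names, the server address (203.0.113.10, a documentation address) and the LAN range are assumptions.

```python
"""Build and check the firewall rules behind a VPN "kill switch".

Added example, not any VPN vendor's code. Interface names, the server
address and the LAN range are assumptions; the packets at the bottom are
constructed for the example.
"""
import ipaddress


def kill_switch_rules(tun_if, phys_if, server_ip, port, proto, lan=None):
    """OUTPUT-chain rules, first match wins; anything unmatched hits the DROP policy."""
    rules = [
        {"out": "lo", "target": "ACCEPT"},                     # local services
        {"out": tun_if, "target": "ACCEPT"},                   # anything inside the tunnel
        # The one hole in the physical interface: the VPN handshake itself.
        # Use an IP, not a hostname: once the policy is DROP, DNS is blocked too.
        {"out": phys_if, "proto": proto, "dst": f"{server_ip}/32", "dport": port, "target": "ACCEPT"},
    ]
    if lan:                                                    # printers, NAS, router admin
        rules.append({"out": phys_if, "dst": lan, "target": "ACCEPT"})
    return rules


def to_iptables(rule):
    """Render one rule as an iptables command line."""
    cmd = ["iptables", "-A", "OUTPUT", "-o", rule["out"]]
    if "proto" in rule:
        cmd += ["-p", rule["proto"]]
    if "dst" in rule:
        cmd += ["-d", rule["dst"]]
    if "dport" in rule:
        cmd += ["--dport", str(rule["dport"])]
    return " ".join(cmd + ["-j", rule["target"]])


def render(rules, tun_if):
    """Full script: flush, append rules, then set the DROP policy last so a
    half-applied script cannot lock you out. IPv6 gets the same treatment,
    otherwise an IPv6-capable link leaks around an IPv4-only kill switch."""
    lines = ["iptables -F OUTPUT"] + [to_iptables(r) for r in rules]
    lines += ["iptables -P OUTPUT DROP",
              "ip6tables -F OUTPUT",
              "ip6tables -A OUTPUT -o lo -j ACCEPT",
              f"ip6tables -A OUTPUT -o {tun_if} -j ACCEPT",
              "ip6tables -P OUTPUT DROP"]
    return lines


def matches(rule, pkt):
    """Does an outbound packet (out, proto, dst, dport) match one rule?"""
    if rule["out"] != pkt["out"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    return True


def verdict(rules, pkt, policy="DROP"):
    """Walk the chain like the kernel does: the first matching rule decides."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["target"]
    return policy


RULES = kill_switch_rules("tun0", "eth0", "203.0.113.10", 1194, "udp", lan="192.168.1.0/24")

# Constructed packets: what a host should and should not be able to send
# while the tunnel is down.
SAMPLE_PACKETS = {
    "vpn handshake":  {"out": "eth0", "proto": "udp", "dst": "203.0.113.10", "dport": 1194},
    "dns to isp":     {"out": "eth0", "proto": "udp", "dst": "198.51.100.53", "dport": 53},
    "web via tunnel": {"out": "tun0", "proto": "tcp", "dst": "198.51.100.80", "dport": 443},
    "web via isp":    {"out": "eth0", "proto": "tcp", "dst": "198.51.100.80", "dport": 443},
    "lan file share": {"out": "eth0", "proto": "tcp", "dst": "192.168.1.20", "dport": 445},
}

if __name__ == "__main__":
    print("\n".join(render(RULES, "tun0")))
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:16} -> {verdict(RULES, pkt)}")
```

The rendered commands need root on a Linux desktop or router, and the `dns to isp` packet is the one to watch: with the policy in place a DNS lookup cannot slip out to the ISP resolver while the tunnel is down, which is exactly the leak a kill switch exists to stop. On iOS there is no user-accessible packet filter, so you depend on the app's own implementation (or on always-on VPN for supervised devices); the model above is for the desktop and router setups covered later on this page.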

Considering speed with VPNs

When it comes to speed, remember that a VPN simply puts a different license plate on your carload of data in the flow of traffic. The best VPNs won’t slow you down by much. However, you may sometimes have to weigh security against speed, and any VPN still relies on the underlying download and upload speeds that your ISP allows.


1. ExpressVPN

ExpressVPN is a great first pick in a test of VPN speed because we can start with its built-in VPN Speed Test. This menu tool sorts the servers and assigns each a speed index based on two factors:

  • Latency: the milliseconds a packet takes to travel between your device and a VPN server.
  • Download speed, in kilobits per second (Kbps).

Based in the British Virgin Islands, Express supplies more than 1,000 servers in 145 VPN server locations in 94 countries. Just run your speed test and star your favorites.

This VPN is known for its balance of HD streaming capabilities, P2P file-sharing, and security measures. It supports all devices, from mobiles and desktops to routers, and any connection: wired, Wi-Fi or cellular. It allows three simultaneous connections, making it the most limited of our top picks (however, one of those can be a router, which covers every device behind it). As for its other features, you can count on:

  • Compatibility with Windows, Mac, iOS, Android, Linux, and routers.
  • Protocols OpenVPN TCP/UDP, SSTP, L2TP/IPsec and PPTP.
  • AES-256-bit encryption ingoing and outgoing.
  • Unlimited bandwidth, speed, and server switches.
  • DNS Leak Test tool and Express support to eliminate any leaks.
  • Network Lock, ExpressVPN’s kill switch for Windows and Mac.
  • Shared IP addresses.
  • Split tunneling and inverse split tunneling to protect specified connections.
  • Supports VoIP.
  • P2P and torrent-friendly.
  • No activity logs, with traffic mixing. The terms of service state that connection dates, the server used and the amount of data transferred are recorded, strictly for analytics.
  • A full menu of payment options including credit card, Bitcoin, PayPal and more.
  • Intuitive website with plenty of informative screenshots and help.
  • Round-the-clock customer support via live chat or email.

2. NordVPN

Like most on our list, Nord uses AES-256-bit encryption for all traffic, both incoming and outgoing. In addition, its Double VPN option chains two servers: traffic is encrypted on your device and sent to the first VPN server, which forwards it through a second server before it reaches the Internet, so no single server sees both your real address and your destination (both servers are still run by the same provider). Incoming traffic simply reverses the path.

Just five years old and based in Panama, NordVPN has about 1,000 servers in 59 countries. It is one of the most generous of our picks, allowing an impressive six simultaneous connections. However, connections to the same server must each use a different protocol. With OpenVPN TCP, OpenVPN UDP, L2TP and PPTP you have four options, so if you want all six devices connected at once, you will have to spread them across two or more servers. Nord does support routers, which count as one connection, as well as all other mobile and desktop devices. As for the features rundown, NordVPN offers:

  • Compatibility with Windows, Mac, Android and iOS, with custom software available.
  • Protocols OpenVPN TCP/UDP, L2TP and PPTP; limited IKEv2/IPsec. IPv6 support anticipated for 2017.
  • AES-256-bit double-layer encryption ingoing and outgoing.
  • Unlimited bandwidth and speed.
  • Automatic kill switch for Windows, Mac and iOS.
  • Identified double VPN, Onion over VPN, anti-DDoS, dedicated IP, standard VPN and P2P servers.
  • Ultra Fast TV and P2P-optimized servers; allows torrenting.
  • Supports VoIP.
  • Supports SOCKS5 and HTTPS proxy servers.
  • Smart Play secure proxies to circumvent geoblocking and allow content streaming.
  • Option for add-on dedicated IP server and static IP address in U.S., U.K., Germany or Netherlands.
  • Zero logging. 
  • Full menu of payment options including credit cards, Bitcoin, PayPal and more on Paymentwall.
  • Well-maintained website with helpful FAQs page and supplements.
  • 24/7 customer support via live chat, email, Nord’s ticket system, Facebook or Twitter.

3. IPVanish

IPVanish is based in Florida's Orange County. It is known for its speed and for being torrenting- and P2P-friendly, making it a favorite with gamers. The company boasts more than 750 servers in at least 60 countries, with more than 40,000 IPs in total and at least 10 unique, often more, shareable IP addresses per server.

IPVanish allows five simultaneous connections on multiple devices, including routers, over four protocols (OpenVPN TCP, OpenVPN UDP, L2TP and PPTP) as well as IPsec and IKEv2 for iOS. IPVanish includes SOCKS5 in all its plans, which means you have the option of passing traffic, torrent downloads for example, through a high-speed offshore proxy that hides your IP address from peers. Note that SOCKS5 itself does not encrypt anything; only the VPN tunnel does. In addition, the service includes:

  • Compatibility with Windows, Mac, iOS, Android, Linux Ubuntu and Chromebook.
  • Protocols OpenVPN TCP/UDP, L2TP and PPTP; IPSec and IKEv2 for iOS and IPv4.
  • AES-256-bit encryption ingoing and outgoing.
  • Unlimited bandwidth and server switching.
  • SOCKS5 proxy.
  • IP address cycling.
  • Support of VoIP.
  • Unlimited P2P supporting BitTorrent.
  • NAT firewall.
  • Kill switch for Mac OS X and Windows.
  • No traffic logs.
  • Extensive payment options including credit card, Bitcoin, PayPal and many others.
  • Extensive website. Technical information, however, can be hard to find.
  • Support available through email. When we checked, there was a wait of about 36 hours.

4. PureVPN

Celebrating “10 years of security,” PureVPN claims more than a million users and promises them “complete freedom” and “world-class” security on both a personal and business scale. The company is based in Hong Kong, which has no mandatory data retention laws—why many individuals choose a VPN in the first place.

Meanwhile, PureVPN is a connectivity maven. Its network covers 141 countries with 180 locations and more than 750 servers. It allows five simultaneous connections for more than 20 different devices. Its virtual router feature allows you to turn any Windows laptop or desktop into a virtual router for up to 10 devices. On top of that, PureVPN writes its own code for all the major platforms and uses no third parties for actual data transfer. PureVPN covers all the major desirables like:

  • Compatibility with Windows, Mac, iOS, Android and Linux.
  • Selection of protocols—OpenVPN TCP/UDP, PPTP, L2TP, IKEv2/IPsec and Stealth.
  • IPv6 leak protection for Windows and Mac.
  • AES-256-bit encryption ingoing and outgoing.
  • Unlimited bandwidth, data transfer and server switching.
  • Split tunneling for Windows and Android.
  • File-sharing limited to designated servers.
  • Kill switch for Windows and Mac.
  • Optional add-on dedicated IP and static IP address.
  • Zero logs. 
  • Extensive payment options—credit cards, PayPal, Alipay, assorted Bitcoin businesses, Paymentwall and Cashu.
  • Very user-friendly, intuitive website with search option.
  • 24/7 live chat pop-up for support.

5. VPNArea

Based in Bulgaria, VPNArea opened shop in 2012, with its headquarters servers and email hosted in Switzerland. The company is committed to maintaining a speedy customer-to-server ratio, citing a server for every 250 customers. It’s now up to more than 200 servers in 68 countries and more than 10,000 IP addresses.

Another generous VPN provider, VPNArea allows you six simultaneous connections for your favorite devices, including routers, through OpenVPN TCP/UDP, PPTP or L2TP. It also offers its own Chameleon app for Windows. Like a number of other providers—but not all—VPNArea’s service includes a kill switch system; if your VPN service drops for some reason, your IP address will remain protected. VPNArea’s service also provides:

  • Compatibility with Windows, Mac, Android, iOS and Linux.
  • Protocols OpenVPN TCP/UDP, PPTP or L2TP.
  • IPv6 and WebRTC leak protection.
  • Chameleon OpenVPN software for Windows.
  • AES-256-bit encryption ingoing and outgoing.
  • Unlimited bandwidth and server switching.
  • Shared IPs, with adjustable auto random IP changer.
  • Speed test with ping and download as well as users online server load monitor.
  • Kill switch system.
  • P2P permitted on specified servers.
  • Account sharing.
  • Custom business accounts available.
  • Optional add-on private VPN server with dedicated IP address $15 a year.
  • No logs. 
  • Payment options limited to Visa, MasterCard, PayPal, Payza and Bitcoin.
  • 24/7 support available through live chat, email and Skype.

6. Buffered

Buffered VPN is the youngster in our seven. Registered in Budapest, Hungary, in 2013, it has servers in 37 countries and promises that if you don’t see the one that you need, they just might be able to get one for you. This VPN is passionate about preserving freedom of speech and access to information no matter where you are. Buffered not only says that it’s torrent-friendly but also is noted for being so.

Buffered allows users five simultaneous connections and homes in on the need for secure speed without the limitations of throttling. It provides many of the services you would expect with a few limitations:

  • Compatibility with Windows, Mac, Linux, iOS, Android as well as DD-WRT and Tomato routers.
  • Exclusively OpenVPN TCP/UDP protocols.
  • Supports IPv4.
  • 256-bit Blowfish encryption. Note that Blowfish uses 64-bit blocks regardless of key length, which leaves long sessions open to birthday attacks such as SWEET32; the OpenVPN project has deprecated BF-CBC in favor of AES.
  • Friendly to P2P file-sharing, torrenting, gaming and streaming.
  • Unlimited bandwidth, speed and server switching
  • Optional add-on dedicated server with static IP address.
  • Supports VoIP and Skype.
  • NAT Firewall.
  • Dynamic IP addresses.
  • Will establish servers upon request.
  • Does not allow split tunneling. No kill switch.
  • No logs policy. 
  • Salesy website. All the technical information—everything you really want to know—is in the website’s FAQs section and tutorials.
  • Payment menu includes the major credit cards, Maestro, JCB and PayPal.
  • 24/7 support via live chat with Knowledge Center.

7. VyprVPN

VyprVPN is a Golden Frog creation incorporated in Switzerland, which, as the Golden Frog site explains, has established safe harbors with the EU, the U.S. and other countries. These folks take their security seriously. Their own in-house engineers write their code. They own and manage all their own hardware and software and keep their operation in-house, with no third parties. They have more than 700 servers and 200,000 IP addresses spanning the globe, so the whole path from your device to the VPN exit stays on infrastructure they control.

If you want a free 1 GB trial of the VPN, you can sign up for VyprVPN Free. Just choose your app on the website; it works for desktops as well as iOS and Android. You get two simultaneous connections and access to the Cyphr encrypted messaging app. It's a one-time deal, but you can easily upgrade to a subscription.

A lot of confusion exists over the feature of split tunneling, and Vypr is no exception. At its simplest, the feature lets users include or exclude certain devices or programs, placing some under VPN protection while letting others reach the Internet directly through the ISP. Not all VPNs even offer it. VyprVPN's implementation allows split tunneling by app. In addition, a subscription comes with:

  • Compatibility with Windows, Mac, iOS, Android, Linux, TVs, OpenELEC smart devices, routers and more.
  • Protocols OpenVPN TCP/UDP, L2TP/IPsec, PPTP and Chameleon.
  • 256-bit encryption.
  • Unlimited bandwidth, speed and server switching.
  • Golden Frog-optimized code for modern broadband connections.
  • NAT Firewall.
  • SOCKS5 proxy supported.
  • Dynamic server switching.
  • Kill switch in Windows and Mac.
  • Split tunneling for apps but not servers or devices.
  • Desktop and mobile apps, including Blackphone and Anonabox.
  • Chameleon proprietary metadata scrambler for Windows, Mac, Android and routers.
  • Zero-knowledge VyprDNS service preserves privacy and geolocational access, defeats censorship and geoblocking.
  • User-friendly, highly informative website with everything in the right place—just where you’d put it.
  • No logs. 
  • End-to-end code, ownership and management.

6 Best Free VPNs to Use in 2019


Virtual Private Networks (VPNs) are among the most accessible privacy tools: they protect the confidentiality of your communication, hide your real IP address from the sites you visit, and let you reach your business network remotely. A VPN is a network technology that provides an encrypted tunnel for your data across private and public networks. Note that a VPN gives you privacy from your ISP and the sites you visit, not anonymity: the VPN provider knows who you are and can see your traffic.

How does a VPN work?

A VPN hides your true IP address by routing your Internet connection through a server run by the VPN service. All data passing between your device and the VPN server is encrypted. Thus, a VPN will:

  • Hide your internet activity from snooping parties on the path to the VPN server, such as your ISP or government
  • Help you to evade censorship
  • Enable you to "geo-spoof" your location and access geo-restricted content
  • Protect your data from hackers while on public Wi-Fi hotspots

Free VPN services – are they safe?

It's natural that we love free stuff. However, any free service has a hidden monetizing angle, and free VPN services are no different. Since running a VPN has costs, some free VPNs might sell your information to third parties, inject advertising or tracking scripts into the pages you visit, use insecure protocols, or provide lower speeds and unstable connections.

But not all free VPN services are risky to use. A few are operated by reputable companies. Though they can’t match the service offered by paid VPNs, using a free VPN service is better than using none -- however, you should remember to take the following into consideration:

  • Find out how the VPN makes its money. Running a VPN has associated costs. They could be selling your data to third parties.
  • Ask yourself why you need the VPN service. If you’re looking to unblock websites, then, a free VPN service is okay, but if you’re concerned about your security and privacy, you’d better upgrade to their paid service or subscribe to a high quality paid VPN service.

How to set up a free VPN

  1. Go to the website of your desired VPN and click through.
  2. Sign up and download the VPN client for your particular platform.
  3. Install the VPN on your device.
  4. Run the app and select your preferred protocol.
  5. Choose the server location you would like to connect through.
  6. Done! You just spoofed your location.

1. Tunnelbear

TunnelBear is a Canadian based multiplatform VPN provider that offers an excellent service with a sense of humor. It is easy to set up and works on Windows, macOS, Android, and iOS.

TunnelBear’s free plan “little” provides you with 500 Megabytes of free data every month. The plan is a competitive edge as many other VPNs offer instead a 30-day money back guarantee or a limited trial period. Before we forget, tweeting about TunnelBear will earn you an extra GB.

To access their premium services, you need to upgrade to their “Giant” plan for $9.99/month or their ‘Grizzly’ plan for as little as $ 4.99/month paid yearly.

Security-wise, TunnelBear does well: the OpenVPN protocol, strong AES-256-bit encryption for confidentiality, and SHA-256 for data authentication.

The VPN service has servers spread across 20 different countries, including the UK, the US, Canada, Sweden, France, Brazil, Singapore, and Japan. The Australian server is reserved for paid users.

Other great features are the VigilantBear (Kill Switch) that stops any unencrypted data from leaking should the VPN connection drop and the GhostBear (Stealth mode) that is invaluable for bypassing firewalls.

On the downside, TunnelBear’s base in Canada is something to worry about as Canada has strict data retention laws.

Pros:

  • Great design
  • Fun and easy to use
  • Suitable for beginners
  • Strong encryption
  • Allows five simultaneous connection

Cons:

  • Limited usage
  • No peer-to-peer (P2P)

2. CyberGhost

CyberGhost is a great anonymizing tool that's based in Romania. The VPN's popular free service is available on Windows, Mac, and Android. CyberGhost also supports Raspberry Pi, Linux, and Chrome OS, but those require manual configuration. It's easy to set up and has a user-friendly client.

CyberGhost is fast, reliable and offers protection against privacy invasion. The VPN can help you to browse the internet anonymously, and also spoof your location to unblock restricted websites. They have a strict no-logs policy, and their base in Romania, a country with strong privacy protection laws, plays well for your privacy.

With CyberGhost, you get access to over 830 servers across 29 countries. The VPN uses the OpenVPN protocol with strong 256-bit encryption for your data and 2048-bit RSA keys for authentication. They also allow peer-to-peer file sharing.

You can easily upgrade to their premium plan for only $5.83/month billed annually. The plan is five times faster than the free service and gives you more than 600 servers in 30 countries. They also have a Premium Plus service for $9.16/month that allows simultaneous use on up to five devices.

On the downside, the free plan has limited locations and in-app advertisements. We are still wondering why their most popular premium plan allows for only one connection.

Another disturbing issue is the acquisition of CyberGhost by the Israel-based Crossrider. Israel is known to practice extreme surveillance.

Pros:

  • Free Service
  • High speeds
  • Unlimited Bandwidth
  • Zero logging policy
  • Uses perfect forward secrecy
  • Accepts Bitcoin
  • Automatic Kill Switch, DNS, & IP leak protection
  • Transparent

Cons:

  • Premium plan only available on one device
  • Limited locations
  • In-app advertisements

3. ExpressVPN

Express VPN is a leading premium VPN service with a proven track record of providing high-quality service. Though not a free service, they offer a 30-day money back guarantee, which means that if you're not satisfied with their service, you can get your money back.

Express VPN features an elaborate, well-designed website and a user-friendly dedicated VPN client with impressive features. The VPN has blazing fast speeds and is available on Windows, Mac, iOS, Android, Routers, Linux, and gaming consoles. Their plans begin at $8.32 per month and all come with a 30-day money back guarantee.


Express VPN's unlimited bandwidth and ultra-fast speeds let you stream your favorite TV shows and movies in high definition without the annoying buffering. The VPN gives you the option to choose from 145 VPN locations in 94 countries, which is perfect for unblocking geo-restricted content. Express VPN works with Netflix and is among the few VPNs that can bypass the Great Firewall of China.

Express VPN protects your data using AES-256 encryption. It provides OpenVPN (UDP and TCP), SSTP, L2TP/IPsec, and PPTP protocols. The app can choose the VPN protocol automatically for you, or you can do it manually. Express VPN runs its own private encrypted DNS on every server, which makes your connections faster and keeps DNS lookups inside the tunnel.

Express VPN never logs your traffic data, accepts Bitcoin, and lets you reach its hidden .onion site over Tor. Above all, Express VPN has highly acclaimed five-star customer support.

Pros:

  • Easy to use
  • Strong encryption
  • Works on all devices
  • Unlimited Bandwidth
  • Many server locations
  • Five-star customer support

Cons:

  • Not strictly free

4. hide.me

Hide.me is an impressive VPN with good performance and strong privacy protection. The VPN is a subsidiary of the Malaysian-based Eventure Limited. It's easy to install, configure and use. They have an active community that can prove valuable in solving any problems you encounter. Support is also fast and efficient.

The free plan offers 2GB of data, which seems generous compared to the 500MB of TunnelBear or SurfEasy. You are not required to add a credit card or even sign up to access the free plan. It comes with limited protocol support and one simultaneous connection.

You can get more than 30 locations with unlimited bandwidth by upgrading to their Plus service at $4.99/month or the Premium plan at $9.99/month for unlimited data transfer, five simultaneous connections, and port forwarding.

It is a no-log VPN, so even if asked to disclose your online activities, they would have nothing to give. It works with BitTorrent clients, and you get the best results if you enable port forwarding and configure your BitTorrent client to use their SOCKS proxy over the VPN connection.

On the downside, free users' bandwidth is throttled from time to time to give priority to paying customers, what they call "best effort" bandwidth.

Pros:

  • Well-designed client
  • Strong encryption
  • Excellent download speeds
  • No logging policy
  • Active community

Cons:

  • Pricey Premium plan
  • Limiting Bandwidth for free users
  • Limited to 2GB/month

5. SurfEasy

SurfEasy is a free Canadian based VPN service that’s associated with the Opera software company. The VPN will help you to browse anonymously, access blocked streaming services, and bypass firewalls. The free plan (starter) offers 500MB of data transfer, but you can get more data by recommending them to your family and friends. They also allow up to five devices on their free plan and locations in 16 countries.

SurfEasy supports Windows, Mac, OSX, Android, iPhone, iPad, Amazon, Opera, and Chrome. They provide you with more than 1000 servers in 28 different countries. SurfEasy has a built-in ad tracker blocker that prevents annoying advertisers from following you online.

The VPN protects torrenting on their Ultra plan by hiding your information without compromising your download speeds. The premium plans “Total” and “Ultra” include a seven-day money-back guarantee.

They have a zero-logging policy and categorically state that they don’t store your originating IP address when you connect to their service, or the applications, websites or services you access while connected. However, the following statement in their privacy policy got us a little worried.

“We may collect and disclose personal information, including your usage data, to governmental authorities or agencies, including law enforcement agencies, at their request or pursuant to a court order, subpoena or other legal process, if there is a good faith belief that such collection or disclosure is required by law.”

The statement could also mean that law enforcement agencies need not obtain a court order to get hold of your data...

They also offer relatively few locations, which might result in congestion and slow speeds.

Pros:

  • Good speeds
  • Compatible with all the operating systems
  • Strong encryption
  • Low prices
  • OpenVPN protocol default on Windows, Mac, and Android

Cons:

  • Not compatible with Linux
  • No refund

6. Hotspot Shield

Hotspot Shield is a VPN service developed by AnchorFree. The VPN provides carefree web browsing, online security, and privacy. Hotspot Shield is an entry-level VPN service that offers an unlimited free VPN service for everyone.

However, free users are bombarded with adverts and content restrictions. You can get rid of the annoying ads by upgrading to their Elite plan. The plan has a unique lifetime offer of $109.99, a one-year plan for $5.99/month, six months at $8.99/month and a one-month plan for $12.99/month.

Hotspot Shield will provide you with servers in more than 80 countries around the world. However, the USA is the default location, so you will need an Elite account to switch to other servers.

Hotspot Shield uses the OpenVPN protocol with AES-256 encryption for data protection, SHA1 authentication and RSA-2048.

AnchorFree, the owner of Hotspot Shield, is based in California, USA, which raises some concerns: the USA is a member of the Five Eyes intelligence alliance, has strict data retention laws and is home to the NSA.

Pros:

  • Completely unlimited free version (trial)
  • Easy-to-use software
  • Good speeds
  • Allows BitTorrent & P2P
  • Malware detection

Cons:

  • US based
  • Poor support

7 Best VPNs for Linux of 2019

It’s no secret that using a Virtual Private Network can greatly enhance your Internet security and protect your anonymity while online. A good VPN will hide your IP, encrypt incoming and outgoing data, and delete all logs of your activity. With all of the VPN products out there, it can be hard to choose the right one – fortunately, I’ve done a lot of testing and can help you narrow down your options.

To start, you need to make sure the VPN you are looking at is compatible with the operating systems and devices you plan to use it on. For Linux users, a lot of the big names are ruled out right off the bat – but there is still a veritable buffet of quality VPNs to pick from. This is great news, since Linux is the most secure desktop operating system, and use of a VPN can elevate your privacy to even higher levels.

Here, I have picked seven of my favorite VPNs for use with Linux on your desktop or laptop. While not every feature of these VPNs is supported on Linux – and I’ll make note of what’s missing – they will all work without any hassle, and have customer support to help you navigate anything more complicated.

Not only have I tested each of these out to make sure they install easily and run smoothly on Linux, but I've also broken down the different features of each VPN to help you pick the one that best fits your needs. Some are better for international use (by virtue of thousands of servers worldwide), others have blazing fast connections, and others have top-tier privacy policies that put any doubts to rest.

Finding a Linux VPN Is Easy

With so many options, finding a Linux-compatible VPN is easy. With so many quality products, the hard part is narrowing it down to just one. Still, a good place to start is to make sure you are looking at reputable VPNs that have Linux support. I have tested all of the VPNs on this list, and think that each one has its place – it just comes down to what kind of features you want, your budget, and your specific needs. With the wide variety of options, the right Linux-compatible VPN is out there just waiting for you to find it.
1. ExpressVPN

It shouldn’t be surprising that ExpressVPN makes this list – it is one of the longest-standing and most reputable VPNs out there. On Linux, it has DNS leak protection and SmartDNS, which will help unblock region-restricted content. Express also has servers in 87 countries, which is great if you like to travel a lot while still keeping your VPN consistently fast and connected.

That being said, ExpressVPN is not as fast as some of the newer services out there, although it should work just fine for normal Internet activity. Aside from that, everything else about ExpressVPN is well above average. Customer support is helpful and responsive, the Linux client is basic but serviceable, and no usage logs are kept. Security is also state of the art, and uses AES-256 encryption.

ExpressVPN is a little bit pricey – $8.32/month for a year of service – but leaves you wanting for nothing. Everything that has helped Express stay at the top of the VPN food chain for so long works just as well on Linux, so this one is easy to recommend.

Pros:

  • Servers in 87 countries
  • Custom Linux client
  • Great customer service and 30-day money back guarantee

Cons:

  • One of the most expensive VPNs – $8.32/month for the cheapest plan
  • Performance and speed are only average

2. Private Internet Access

In the same way that ExpressVPN has been the leader among flashy and costly VPNs, Private Internet Access has dominated the niche of stripped-down and affordable services. The company recently updated its Linux client to work just like its Windows OS version, so you now have access to a VPN service with over 3,000 servers worldwide for as little as $3.33 per month (if purchased annually).

Private Internet Access – as its name implies – has one of the best policies for maintaining anonymity. The company keeps absolutely no usage logs nor connection logs, which is as private as you can get. Three different security protocols are also available, as is simultaneous connection on up to five devices.

Private Internet Access doesn’t have the sleekest interface or the fastest performance, but does provide the full suite of VPN options at a very low cost.

Pros:

  • One of the cheapest VPNs
  • 3,000 servers around the world
  • No usage OR connection logs – great privacy

Cons:

  • Customer service is below average
  • Doesn’t perform well on speed tests

3. AirVPN

AirVPN is best in class when it comes to added features and options. While this can make it difficult to navigate and configure, its Linux GUI does a serviceable job of making it easy to use. If the ability to tunnel OpenVPN over SSH or SSL, a firewall-based kill switch, and port selection mean anything to you, you are in AirVPN’s target market.

All of these features, plus the company’s no-log policy, make the company an industry leader when it comes to both privacy and security. It will require some work to really take advantage of everything that AirVPN has to offer, but the payoff may be worth it if you are that serious about privacy.

AirVPN also allows for up to 3 simultaneous connections, and comes with a 3-day money-back guarantee if it proves too overwhelming to use. While certainly not the easiest to install or navigate, AirVPN is a high-quality product, and comes with a friendly price tag of $5.19/month for 12 months.

Pros:

  • No usage logs or connection logs
  • Choice of VPN tunneling protocol and port forwarding for maximum security
  • Linux GUI just as good as clients for other operating systems

Cons:

  • Not for the faint of heart – a complex VPN to install and configure
  • Not as many servers worldwide – only in 16 countries

4. IPVanish

Despite only being around for a couple of years, IPVanish is already a well-liked VPN with servers in over 60 countries. It’s supported on numerous platforms, including Linux, with useful tutorials for setting up either an OpenVPN or PPTP connection. IPVanish also has some neat features, like built-in IP cycling for added security, as well as a kill switch and DNS leak protection.

IPVanish also has great speed and performs well on most speed tests. The company maintains a no-log policy as well, but be wary of its server locations – almost all of them are in countries with privacy-unfriendly regulations that put you at the mercy of government agencies.

While IPVanish does not have a dedicated Linux UI, all options can be accessed via your Network Manager. While the website is packed full of guides and a lot of other helpful information, customer service can be on the slow side. IPVanish is a good product, but really shines if you already feel confident in using a VPN to the fullest.

Pros:

  • Servers in over 60 countries
  • High performance results
  • IP cycling and advanced security options

Cons:

  • Customer service below average
  • No dedicated Linux UI

5. VPN Unlimited

VPN Unlimited has been around for a while, and has continued to improve its service across all platforms, including Windows, MacOS, iOS, Windows Phone, Android and Linux. VPN Unlimited currently comes with the OpenVPN protocol, anti-malware, a stop-tracking feature, and ad blocking.

VPN Unlimited also has dedicated servers for torrenting, and is above average for accessing content that is usually blocked if you’re connected to a VPN. Servers are located in over 50 countries, and the service has consistently performed well on all of my speed tests.

The company’s privacy policy is middle of the road – they do keep logs on session times and data usage. And while the website provides a lot of instructional material, a big knock is that live chat customer support is not available. Still, at only $3.33/month for 12 months, VPN Unlimited has earned its spot as a high performance, secure VPN – and in the smaller Linux market, performs amongst the best.

Pros:

  • Affordable – $3.33/month for 12 months, and $149.99 for a lifetime subscription
  • Great performance on speed tests
  • Dedicated Linux app, plus compatibility with almost any device

Cons:

  • Fewer configuration options – only the OpenVPN protocol
  • Keeps some connection logs

6. Buffered

Buffered is a newer VPN that is quickly building a reputation for being a secure VPN that is easy to set up on a Linux OS. Servers are currently located in 16 countries – and are a bit on the slow side – but the company is continually adding more. Right now, only the OpenVPN protocol is available, so it might not work on some mobile devices.

Buffered is great for streaming, and on sites like BBC iPlayer and Netflix you can bypass the usual proxy restrictions by simply connecting to the appropriate server. Buffered is so popular for streaming that there’s actually a page on the website dedicated to Netflix use, to help you troubleshoot the common issues VPNs usually have. Add in Buffered’s compatibility with Smart TVs, and you have the best Linux-friendly VPN for streaming content.

While more expensive than the majority of other VPNs, Buffered fills this niche as a fast VPN that is great for streaming.

Pros:

  • Great performance for streaming and torrenting
  • Designed to gain access to Netflix and other streaming sites
  • One of the best Linux clients

Cons:

  • Keeps connection logs
  • Servers in only 16 countries – performance may suffer in far-flung locations
  • Pricey – $7.25/month for 1 year

7. Mullvad

Mullvad is a Swedish VPN that has a heavy focus on privacy and security. In addition to the company’s no log policy, features like DNS leak protection, a firewall-based kill switch, and port forwarding are definitely appealing. What makes Mullvad truly stand out, despite all of the configuration options, is a great Linux UI that puts you comfortably in control of its more nuanced features.

The company’s dedication to privacy knows almost no bounds. In addition to accepting Bitcoin, you can also mail in payments anonymously. This might sound ridiculous, but if you are going to be paying for privacy, the cost of a postage stamp is actually a pretty good investment. With AES-256 encryption and IPv6 routing, this is one of the most secure VPNs from a technology standpoint.

That being said, it would be wise to take advantage of their 3-day trial. Performance on speed tests is mediocre, and with a limited server selection (mostly in Europe and North America), your Internet speed may become uncomfortably slow. If you are happy with the results, though, this is a great VPN product with Linux support.

Pros:

  • No user logs, based in Sweden, and anonymous payment – the most privacy available
  • Dedicated Linux UI and support make it a breeze to configure
  • Packed with security features and extra protection

Cons:

  • Limited server selection means it might not be the best choice in every region
  • Disappointing performance