6 WordPress Plugins that Protect Your Blog from Hackers


Ever since my own WordPress sites were hacked last year, I’ve researched various ways to protect WordPress blogs. I’m by no means an expert on the matter, but after much research and experimentation, here are my top WordPress plugin recommendations (all of which I have installed and use):

1: Secure WordPress

This plugin has some simple yet powerful functions that are easy to use and just run in the background for you. The plugin does the following:

  1. removes error-information on login-page
  2. adds index.php plugin-directory (virtual)
  3. removes the wp-version, except in admin-area
  4. removes Really Simple Discovery
  5. removes Windows Live Writer
  6. remove core update information for non-admins
  7. remove plugin-update information for non-admins
  8. remove theme-update information for non-admins (only WP 2.8 and higher)
  9. hide wp-version in backend-dashboard for non-admins
  10. Add string for use WP Scanner
  11. Block bad queries
  12. Validate your site with a free malware and vulnerabilities scan with SiteSecurityMonitor.com

[info from the author site]

Visit the download site here.

2: WP Security Scan

This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions:

  1. passwords
  2. file permissions
  3. database security
  4. version hiding
  5. WordPress admin protection/security

Visit the download site here.

3: WordPress Exploit Scanner

This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

Download the latest version here.

4: WordPress Firewall Plugin

This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks. There exist a few powerful generic modules that do this; but they’re not always installed on web servers, and difficult to configure.

It intelligently whitelists and blacklists pathological-looking phrases based on which field they appear within in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. Its features include:

  1. Detect, intercept, and log suspicious-looking parameters — and prevent them compromising WordPress.
  2. Also protect most WordPress plugins from the same attacks.
  3. Optionally configure as the first plugin to load for maximum security.
  4. Respond with an innocuous-looking 404, or a home page redirect.
  5. Optionally send an email to you with a useful dump of information upon blocking a potential attack.
  6. Turn on or off directory traversal attack detection.
  7. Turn on or off SQL injection attack detection.
  8. Turn on or off WordPress-specific SQL injection attack detection.
  9. Turn on or off blocking executable file uploads.
  10. Turn on or off remote arbitrary code injection detection.
  11. Add whitelisted IPs.
  12. Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.

[info from the author site]

Download the latest version here.

5. Block Bad Queries (BBQ)

This script checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. These sorts of nefarious requests were implicated in the September 2009 WordPress attacks.

[from the Author site]

Download the latest version here.

6. Login Lockdown

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

[from the WordPress site]

Download the latest version here.
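The description above is a sliding-window rate limiter keyed by source range, and the details that matter (does a success reset the count, is the lock checked before or after the password, what counts as "the same IP range") are easy to get wrong. The Python below is an added example modelling that logic with the plugin's defaults (3 failures in 5 minutes, 1 hour lockout); it is not the plugin's own code. The range width (/24 for IPv4, /64 for IPv6), the explicit `now` parameter and the sample addresses from the documentation ranges are assumptions for the example.

```python
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class LoginLockdown:
    """Count failed logins per source range inside a sliding window and lock the range.

    Defaults mirror the plugin's description: 3 failures within 5 minutes lock the
    range for 1 hour. The range width (/24 for IPv4, /64 for IPv6) is an assumption;
    the page only says "IP range". Pass `now` explicitly for deterministic behaviour.
    """

    def __init__(self, max_failures=3, window=300, lockout=3600, v4_prefix=24, v6_prefix=64):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> unix time the lockout expires

    def range_key(self, ip):
        addr = ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ip_network(f"{addr}/{prefix}", strict=False))

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        key = self.range_key(ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                    # lockout has expired; forget it
            del self.locked_until[key]
            return False
        return True

    def record_failure(self, ip, now=None):
        """Log one failed attempt; return True if it pushes the range over the threshold."""
        now = time.time() if now is None else now
        key = self.range_key(ip)
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop attempts outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def release(self, ip):
        """Manual release from the admin panel: clear the lock on this address's range."""
        self.locked_until.pop(self.range_key(ip), None)

    def attempt(self, ip, password_ok, now=None):
        """Gate a login: 'locked', 'ok' or 'failed'.

        The lock is checked before the password so a locked-out attacker learns nothing
        about whether a guess was right.
        """
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            return "ok"
        return "locked" if self.record_failure(ip, now) else "failed"


def demo():
    """Constructed scenario (not real log data): three quick failures from one host, then
    a correct password from another host in the same /24, from an unrelated range, and
    from the first host once the hour is up."""
    ld = LoginLockdown()
    t0 = 1_700_000_000
    return [
        ld.attempt("198.51.100.7", False, now=t0),
        ld.attempt("198.51.100.7", False, now=t0 + 60),
        ld.attempt("198.51.100.7", False, now=t0 + 120),        # third failure inside 5 min
        ld.attempt("198.51.100.200", True, now=t0 + 180),       # same /24, right password
        ld.attempt("192.0.2.5", True, now=t0 + 180),            # different range
        ld.attempt("198.51.100.7", True, now=t0 + 120 + 3600),  # lockout expired
    ]


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing. Locking by range rather than by single address is what the plugin describes, and it means a legitimate user on the same /24 as the attacker (the fourth attempt in the scenario) is locked out too, which is why the manual release exists. And the window is sliding, so three failures spread over more than five minutes never lock anything; an attacker who paces guesses at one every two minutes stays under this threshold, so the lockout slows brute force rather than stopping it, and strong passwords remain the real defence.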

Bonus: WordPress Database Backup

I don’t think any plugin can make your blog 100% hacker-proof; however, if all else fails, make sure you continually and automatically back up your databases:

WordPress database backup creates backups of your core WordPress tables as well as other tables of your choice in the same database.

Download the latest version here.


I know of other plugins such as AskApache Password Protect, but this is for the more advanced WordPress user in my opinion. I set it up and it continually locked me out of my own admin panels, for example!

Have you tried any of the plugins above? If you know any more great security plugins out there which are worth a try, please let me know in the comments section below…

This post is Copyright Andrew Kelsall, author of the Andrew Kelsall Graphic Design Blog.
