6 WordPress Plugins that Protect Your Blog from Hackers
Ever since my own WordPress sites were hacked last year, I’ve researched various ways to protect WordPress blogs. I’m by no means an expert on the matter, but after much research and experimentation, here are my top WordPress plugin recommendations (ones I have installed and use):
1: Secure WordPress
This plugin has some simple yet powerful functions that are easy to use and will just run in the background for you. The plugin does the following:
- removes error-information on login-page
- adds index.php plugin-directory (virtual)
- removes the wp-version, except in admin-area
- removes Really Simple Discovery
- removes Windows Live Writer
- removes core update information for non-admins
- removes plugin-update information for non-admins
- removes theme-update information for non-admins (only WP 2.8 and higher)
- hides wp-version in backend-dashboard for non-admins
- Add string for use WP Scanner
- Block bad queries
- Validate your site with a free malware and vulnerabilities scan with SiteSecurityMonitor.com
[info from the author site]
Visit the download site here.
2: WP Security Scan
This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions:
- passwords
- file permissions
- database security
- version hiding
- WordPress admin protection/security
Visit the download site here.
3: WordPress Exploit Scanner
This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
Download the latest version here.
4: WordPress Firewall Plugin
This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop most obvious attacks. There exist a few powerful generic modules that do this; but they’re not always installed on web servers, and difficult to configure.
It intelligently whitelists and blacklists pathological-looking phrases based on which field they appear within a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. Its features include:
- Detect, intercept, and log suspicious-looking parameters — and prevent them compromising WordPress.
- Also protect most WordPress plugins from the same attacks.
- Optionally configure as the first plugin to load for maximum security.
- Respond with an innocuous-looking 404, or a home page redirect.
- Optionally send an email to you with a useful dump of information upon blocking a potential attack.
- Turn on or off directory traversal attack detection.
- Turn on or off SQL injection attack detection.
- Turn on or off WordPress-specific SQL injection attack detection.
- Turn on or off blocking executable file uploads.
- Turn on or off remote arbitrary code injection detection.
- Add whitelisted IPs.
- Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.
[info from the author site]
Download the latest version here.
5: Block Bad Queries (BBQ)
This script checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. These sorts of nefarious requests were implicated in the September 2009 WordPress attacks.
[from the Author site]
Download the latest version here.
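To make the BBQ heuristics concrete, here is an added example (my own illustration, not the plugin’s code) that applies the two checks quoted above, a request URI longer than 255 characters or containing “eval(” or “base64”, to a few constructed web-server log lines. The percent-decoding before token matching is this example’s own choice, since the description does not say whether BBQ decodes the URI first; the IP addresses and requests are made up for the demo.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Heuristics as described for Block Bad Queries: a request string longer
# than 255 characters, or "eval(" / "base64" anywhere in the request URI.
MAX_URI_LENGTH = 255
BAD_TOKENS = ("eval(", "base64")

# Apache/nginx combined-format request line (sample lines are constructed).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_uri(uri: str) -> Optional[str]:
    """Return why a request URI would be blocked, or None if it passes.

    Length is measured on the raw URI (what the server actually saw).
    Token matching runs on a percent-decoded, lower-cased copy so that
    "%65val(" or "EVAL(" do not slip past; that decode step is an
    assumption of this example, not something the page attributes to BBQ.
    """
    if len(uri) > MAX_URI_LENGTH:
        return "uri-too-long"
    lowered = unquote(uri).lower()
    for token in BAD_TOKENS:
        if token in lowered:
            return f"bad-token:{token}"
    return None


def scan_log(lines):
    """Return (ip, uri, reason) for every log line the heuristics would block."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        reason = classify_uri(m.group("uri"))
        if reason:
            hits.append((m.group("ip"), m.group("uri"), reason))
    return hits


# Constructed sample log lines (not real traffic); only the first is benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2009:10:00:01 +0000] "GET /index.php?p=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Oct/2009:10:00:02 +0000] '
    '"GET /?cmd=eval(base64_decode(%27aGVsbG8%3D%27)) HTTP/1.1" 200 77',
    '203.0.113.9 - - [12/Oct/2009:10:00:03 +0000] '
    '"GET /wp-content/uploads/x.php?src=%65val(1) HTTP/1.1" 404 0',
    '198.51.100.2 - - [12/Oct/2009:10:00:04 +0000] '
    '"GET /?q=' + "A" * 300 + ' HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, uri, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} blocked ({reason}): {uri[:60]}")
```

Run it against your own access log to see how often these patterns actually show up; a benign request containing the word “base64” in a query string (a data URI, for instance) will be caught too, which is the trade-off such a blunt filter makes.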
6: Login Lockdown
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
[from the WordPress site]
Download the latest version here.
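The lockout logic described above is simple enough to sketch in a few lines. The following is an added example written for this post, not Login LockDown’s own code: it keeps a sliding window of failures per IP range, applies the quoted defaults (3 failures within 5 minutes, 1 hour lockout) and offers the manual release the plugin mentions. Treating “IP range” as the address’s /24 is an assumption of this example; the page does not say what block size the plugin uses. The login events are constructed for the demo.

```python
from collections import defaultdict, deque
from ipaddress import ip_network

# Defaults quoted for Login LockDown: 3 failures within 5 minutes from the
# same IP range lock that range out for 1 hour.
MAX_FAILURES = 3
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60
# Assumption of this example: an "IP range" is the /24 the address sits in.
RANGE_PREFIX = 24


class LoginLockdown:
    def __init__(self):
        self._failures = defaultdict(deque)  # range -> timestamps of recent failures
        self._locked_until = {}              # range -> time the lock expires

    @staticmethod
    def range_of(ip: str) -> str:
        return str(ip_network(f"{ip}/{RANGE_PREFIX}", strict=False))

    def is_locked(self, ip: str, now: float) -> bool:
        rng = self.range_of(ip)
        until = self._locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[rng]  # lock has expired
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed login; return True if it triggers a lockout."""
        rng = self.range_of(ip)
        window = self._failures[rng]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()  # drop failures older than the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[rng] = now + LOCKOUT_SECONDS
            window.clear()
            return True
        return False

    def release(self, ip: str) -> None:
        """Administrator override: clear the lock on this address's range."""
        rng = self.range_of(ip)
        self._locked_until.pop(rng, None)
        self._failures.pop(rng, None)

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: ok, failed, lockout or locked."""
        if self.is_locked(ip, now):
            return "locked"  # refused regardless of the password
        if password_ok:
            self._failures.pop(self.range_of(ip), None)
            return "ok"
        return "lockout" if self.record_failure(ip, now) else "failed"


# Constructed login events: (seconds since start, client ip, password correct?)
EVENTS = [
    (0,    "203.0.113.10", False),
    (60,   "203.0.113.11", False),  # same /24 as the first attempt
    (120,  "203.0.113.12", False),  # third failure within 5 min -> lockout
    (130,  "203.0.113.10", True),   # right password, but the range is locked
    (400,  "198.51.100.7", False),  # different range, unaffected
    (3800, "203.0.113.10", True),   # more than 1 hour later: lock expired
]


def replay(events):
    ld = LoginLockdown()
    return [ld.attempt(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    for (t, ip, _), outcome in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:5d} {ip:14s} {outcome}")
```

Note the fourth event: a correct password from a locked range is still refused, which is exactly why an administrator on a shared connection can lock themselves out and why the manual release exists.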
Bonus: WordPress Database Backup
I don’t think any plugin can make your blog 100% hacker-proof, however, if all else fails make sure you continually and automatically backup your databases:
WordPress database backup creates backups of your core WordPress tables as well as other tables of your choice in the same database.
Download the latest version here.
I know of other plugins such as AskApache Password Protect, but this is for the more advanced WordPress user in my opinion. I set it up and it continually locked me out of my own admin panels, for example!
Have you tried any of the plugins above? If you know any more great security plugins out there which are worth a try, please let me know in the comments section below…
Any thoughts or experience on site performance once you have all these installed?
Andrew → Well, I suppose it can’t be a good thing having too many plugins, but I think the trade-off is worth it. I think I recall my blog being a little slower than normal once I installed them, so I deleted a couple of others that weren’t absolutely essential to counteract the new installations.
Things have been a little quiet on your own blog lately. Are you keeping yourself busy down-under??
Helpful and comprehensive list there Andrew and I’ll be sure to check these out, guess you can never have enough protection, so to speak.
I think I need to switch off a few plugins and look at the speed side of my site as a person’s just commented on Twitter that it’s a little slow…
Interesting post, Andrew, I’m going to check out Security Scan. I didn’t know you had a spot of bother in the summer. Sorry to hear about that.
Gareth → Yeah, I visited your site a few days ago, and I had to switch tabs and come back. This happened twice. Do you have the W3 Total Cache plugin installed? This should help speed things up a bit 🙂
Rob → Basically, some nutter installed a load of code into my WordPress database, although apparently, the exploit wasn’t because of weak passwords, but because my web server was compromised and many blogs were affected. However, I learned to be more security-aware since!!
Cheers for the recommendation Andrew, appreciate that, I’m on the case right now!…
“Things have been a little quiet on your own blog lately. Are you keeping yourself busy down-under?”
You’re not kidding, I haven’t done a post in over 2 months 🙁
We’re renovating our house at the moment, between that and a bit too much work I just haven’t been able to find the time.
I have 6 or 7 half finished posts I’m hoping to complete over the next two weeks, as we should be finishing the house work by then. That’s the plan anyways.
P.S. I’m never painting a house again…
Andrew → I don’t envy you; painting isn’t my bag either! I took “a break” last year when I built a brick wall near my garden and blockpaved my driveway. Never again.
I hope you get back into the blogging-groove soon enough 🙂
Thanks for the heads up on the security plugins — will go check them out now. I have been using Paranoid911 on some client sites and I also scan the code for eval and base64 stuff — even the JavaScript.
I’m sure the above plugins cover this, but the htaccess part of your site is a very important security strong point.
Cheers,
Lee
Lee → I’ve never heard of Paranoid911, but there’s another “all-in-one” plugin soon to be released which should do away with having 6 plugins installed. Can’t remember what it’s called, though. It’s in beta at the moment.
I’ve been using htaccess hacks, too. It’s a great solution.
Thanks for commenting 🙂
These are really helpful plugins! Thanks for the vital list.