WordPress has been one of the favorite targets of spammers and hackers because of its popularity and huge user base. A lot of those users are not updating regularly too and that is the main reason many WordPress blogs become perfect target for vulnerabilities and exploits. Fortunately, there are WordPress Security Plugins created to prevent vulnerabilities introduced by sloppy or unsecured plugins.
Below is a list of popular and best WordPress Security Plugins in 2011.
I’ve used Akismet since time immemorial and I could say this is a necessity in every WordPress blog that you use. It also works with commenting system like Disqus and IntenseDebate so that you can filter unwanted comments more easily.
Notice how the spam count in my blog dropped to half by May 2011 and by October 2011 almost reduced to no spam at all? Read along and I’ll show you how.
If you have worked on several blogs for a while now, you know that a lot of sploggers are out there. WangGuard not only protect you from sploggers but also cleans your database from them. Right now it is free for everyone but it will be a paid service for businesses soon. It will remain free for individuals. It also works with Akismet.
Stop Spammer Registrations Plugin
The Stop Spammer Registrations Plugin checks against StopForumSpam.com, Project Honeypot and BotScout to prevent spammers from registering in your blog or making any comments. It also works with Akismet just fine.
WP Security Scan
Some WordPress security plugins were created only for specific purpose but this plugin secures your WordPress blog for the top-most security issues like password strength, file permissions, database security, version obscurity, admin access protection and WordPress META tag removal.
You have an option within WP Security Scan to register at Websitedefender.com and scan for vulnerabilities. What I like about this is it shows you actionable alerts. For example, it tells you what vulnerability your WordPress install is susceptible to.
This plugin could be overwhelming at first glance because you have so many options to choose from but it’s really easy to use. BulletProof Security protects your website from XSS, CSRF, Base64 and SQL Injection hacking attempts. It uses .htaccess to protect your WordPress installation and with a single click you can enable or disable protection even without FTP access.
You need strong password policy if you allow registrations;can define the types of characters that can be used in passwords, minimum password length, and the expiry date of the password. It also prevents users from using 3100 common passwords. It monitors login attempts as well and blocks them after too many failed attempts. Then, you can unblock the IP manually any time. You also have an option to log out idle users if they become idle.
Limit Login Attempts
If you are not allowing registration then this plugin is better suited for you. Limit Login Attempts simply limit the rate of login attempts. It prevents brute-force attack just like Login Lock but it does something more important – it also works with reverse proxy.
WordPress HTTPS (SSL)
WordPress admin panel is the heart of WordPress so you have to prevent unauthorized access to wp-admin area at all cost. WordPress HTTPS (SSL) lets you use SSL in admin area as well as on any page such as forms or membership area.
WordPress has a complete guide about Administration over SSL just in case you want to do this manually.
Don’t Forget These If You Are Suspicious
Just in case you are extra paranoid, here are more plugins that you can use to secure your WordPress installation.
If you have been lazy lately in updating your WordPress blog, you may want to use this WordPress security plugin. Exploit Scanner searches the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.
Timthumb Vulnerability Scanner
If you have been reading about WordPress Security, the popular image re-sizing plugin TimThumb is one of the most favorite target of Blackhole toolkit. If you don’t update TimThumb, there is a big chance that your blog will be infected. Timthumb Vulnerability Scanner scans your wp-content directory for vulnerable instances of timthumb.php, and optionally upgrades them to a safe version.
TAC (Theme Authenticity Checker)
You can also introduce vulnerability in WordPress by using malignant themes. This is one reason why you should consider buying premium themes directly from theme studios instead of hunting themes in the wild. Those who beg to differ might fall prey to sneaky tactics employed theme distributors.
Theme Authenticity Checker scans all of your theme files for potentially malicious or unwanted code.
One More Thing…
Installing CloudFlare not only gives you access to free CDN but it also gives you another layer of security against a number of online threats. These includes comment spam, sql injection, and DOS attacks. It acts as a reverse proxy, filtering out attacks using the knowledge of a diverse community of websites.
Remember the Akismet statistics screenshot above? Before I used CloudFlare I am getting about 1500 spams each month. The first month I used CloudFlare on May 2011, spams in my blog dropped to 550 and by October 2011 I only got less than 20 spams even though my page view increased consistently since May this year.
This is a testament that the more you use CloudFlare, the more it learns about the attacks and the more intelligent it becomes in protecting your blog.
Security threats are ever evolving. Therefore, as WordPress administrators and bloggers, we are responsible in patching up the vulnerabilities that are being discovered each day. WordPress is tightly secured by itself but just like any software there will be people out there that will try to steal your password or brute-force their way in.
Eternal vigilance is the price of security so be aware of security advisories related to core WordPress components and plugins.
I’m sure there are many more tricks to secure your WordPress installs using other WordPress security plugins so feel free to comment below and share your inputs.