10 Plugins To Harden WordPress

Those in the WordPress world understand that security is a key concern for any online application, and WordPress is no exception. After all, the majority of updates released by the WordPress team involve hardening – or securing – the WordPress platform against the continuous, ingenious attacks and the vulnerabilities that are discovered.

No site is ever completely safe from being hacked. As in the real world, if someone really wants to break in, they can; it’s just a matter of making yourself a much harder target so that it’s not worthwhile.

You should check out the following ten plugins to harden WordPress to defend your blog.

  1. Login Lockdown: when someone attempts to access restricted areas of your blog by logging in, Login Lockdown records the attempt and its associated IP address. If multiple failed login attempts are detected that come from a group of similar addresses, Login Lockdown will deny further attempts from those addresses. This is an important tool that can protect your blog from dreaded brute force password attacks.
  2. WordPress File Monitor: check the files that run WordPress for anything that has been changed, deleted, or added. When an event has been detected, the plugin sends an email alert to a user-defined address. This plugin can be vital to bloggers defending themselves against SQL injection.
  3. Bot Block: harden your WordPress installation by preventing multiple registrations from the same IP address. It also compares new registrations with blacklisted IP addresses to make sure no known troublemakers are signing up. This is an effective tool in the fight against automated WordPress user registrations.
    Even better, if there is no reason for you to allow user registrations, prevent this by going to Settings > General and under Membership unchecking the box that says “Anyone can register”.
  4. Admin Renamer Extended: everyone knows what the default administrative user name for WordPress is. That gives hackers half the information they need to access your site. This plugin will change your administrator user names, including the default admin and any other admin logins that have been created. It checks that user names are valid, that they have not been left unfilled, and that they are not already present in the system. Keep attackers off guard by making them have to guess your admin usernames.
  5. HTTPS for WordPress: a plugin that forces users to log in over secure connections. By sending authentication information over SSL, login information is encrypted between a user’s browser and the Web host. This eliminates the risk of interception associated with unsecured logins. This is an essential tool that will help prevent login credentials for your site from being compromised. However, it can be difficult to configure and is not always compatible with your web server or the latest version of WordPress, so be careful!
  6. WordPress Security Scan: finds vulnerable areas of your blog and recommends specific actions to take to harden it. Because there is so much involved in security, this is a great tool to help make sure you don’t miss anything.
  7. AskApache Password Protect: protects important folders like wp-admin, wp-includes, and wp-content, guarding against automated and manual attacks against your WordPress blog.
  8. WordPress Exploit Scanner: this plugin will look through all the code in your posts, comments, and plugins looking for something suspicious. Often attacks on WordPress enter through these three paths, so take the time to guard against exploits by installing this plugin. Don’t worry about the plugin making any mistakes either because it relies on the blogger to take any necessary action.
  9. The WP-Scanner: scans for weaknesses within your WordPress installation, checks that you have changed your table prefixes (you did, didn’t you?), and covers a variety of other important steps that need to be taken to harden your blog.
  10. Stealth Login: create unique URLs that are used when logging in and out of your blog. This plugin can also be used to keep registered users from logging in using the wp-login.php file. By making it difficult for attackers to find your login page, you have just made your blog more secure.
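
To show what the file monitoring in item 2 amounts to, here is an added example (not code from the WordPress File Monitor plugin or from this post) that records a hash baseline of a WordPress directory and reports files that were added, changed or deleted. It assumes sha256sum from GNU coreutils; the function names and the sample directory are made up for the demo.

```sh
#!/bin/sh
# Added example: baseline-and-compare monitoring of a WordPress directory.
# Assumes sha256sum (GNU coreutils); function names are hypothetical.

# wp_snapshot DIR: print "<sha256>  <relative path>" for every file under DIR.
wp_snapshot() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# wp_diff BASELINE CURRENT: report files added, changed or deleted between
# two snapshot files. The hash is columns 1-64 and the path starts at
# column 67, so paths containing spaces are handled.
wp_diff() {
    awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "CHANGED " path }
        END { for (p in base) if (!(p in seen)) print "DELETED " p }
    ' "$1" "$2" | sort
}

# Constructed demo: a throwaway directory stands in for a WordPress install.
wp_monitor_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/site/wp-includes"
    echo '<?php // settings' > "$tmp/site/wp-config.php"
    echo '<?php // core'     > "$tmp/site/wp-includes/load.php"
    echo 'readme'            > "$tmp/site/readme.html"
    wp_snapshot "$tmp/site" > "$tmp/baseline"      # taken while the site is known good

    echo '<?php // core, modified' > "$tmp/site/wp-includes/load.php"
    echo '<?php // new file'       > "$tmp/site/wp-includes/extra.php"
    rm "$tmp/site/readme.html"
    wp_snapshot "$tmp/site" > "$tmp/current"

    wp_diff "$tmp/baseline" "$tmp/current"
    rm -rf "$tmp"
}

wp_monitor_demo
```

Keep the baseline file outside the web root, so that someone who can write to the site cannot also rewrite the baseline.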

Finally, you may want to check that your wp-config.php file has file permissions of 644 and not higher – this has been the cause of the latest “security scare”.
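
One way to run that check from a shell, as an added example that is not part of the original post: it treats "higher than 644" as "grants any permission bit that 644 does not", because comparing the numbers directly misleads (640 is tighter than 644, while 664 adds group write). It assumes GNU stat (`stat -c '%a'`); the function names are hypothetical.

```sh
#!/bin/sh
# Added example: flag a wp-config.php that is more permissive than 644.
# Assumes GNU stat; function names are hypothetical.

# mode_exceeds MODE LIMIT: succeed if octal MODE sets any permission bit
# that octal LIMIT does not (the leading 0 makes the shell read octal).
mode_exceeds() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

# check_wp_config FILE: print a verdict; return 1 if FILE is looser than 644,
# 2 if its mode cannot be read.
check_wp_config() {
    mode=$(stat -c '%a' "$1") || return 2
    if mode_exceeds "$mode" 644; then
        echo "FAIL $1 is $mode, looser than 644 (fix: chmod 644 \"$1\")"
        return 1
    fi
    echo "OK   $1 is $mode"
}

# Constructed demo: a temporary file stands in for wp-config.php.
demo_file=$(mktemp)
for m in 600 640 644 664 666 755; do
    chmod "$m" "$demo_file"
    check_wp_config "$demo_file" || true
done
rm -f "$demo_file"
```

On a real install, point `check_wp_config` at the wp-config.php in your WordPress directory.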

This was a guest post by Tom Walker who is the lead editor of the CreativeCloud blog, which he runs on behalf of a leading supplier of franking machine ink based in the UK. Old school print ads, book art and modern print design are among the topics he most enjoys writing about.

  • http://lovingmarketing.com Terry

    Thanks for this information – my blog has been “hacked” before – luckily it was an easy fix at the time. Getting into a forbidden space seems to intrigue too many out there. Taking the precautions you outline will prevent headaches for many.

  • http://blogtechguy.com/ Joel Williams

    Very true Terry, it's always good to be prepared!

  • http://www.webuildyourblog.com/ Andrew Rondeau

    Thanks for sharing, Tom. I do like the sound of the WordPress File Monitor.

    Andrew

  • DonMurph

    Thanks for the information. My blog was recently hacked and had to be removed; I was desperately looking for a solution to keep it from happening again. The information that you have provided will help.

  • http://blogtechguy.com/ Joel Williams

    I hope the information does help. It's not perfect of course but will help your site be a more difficult, and not worthwhile, target hopefully.

  • http://www.laptopbatteriesinc.com/Replacement-hp-laptop-battery_c5 famous laptop batteries

    Good article! I like it

  • Eyal Estrin

    Check out my step-by-step guide for hardening WordPress 2.9.2
    http://eyalestrin.blogspot.com/2010/05/hardenin...

  • http://blogtechguy.com/ Joel Williams

    Thanks, good stuff but very complicated for the average user of WordPress.

  • http://www.goarticles.com/cgi-bin/showa.cgi?C=3011331 Tej Kohli

    Hey! Those are really interesting plugins… I will add those today

  • http://tej-kohli-guide.livejournal.com Tej Kohli

    Hey! Those are really interesting plugins… I will add those today
