WordPress has become an extremely popular web publishing platform and, as such, an extremely attractive target for idiots. While I will not be getting into the motivations behind their attacks, I want to share with you 3 plugins that you might want to consider implementing on your blog to help ensure its safety.

Important Note: These plugins by themselves will not secure your blog; if you are serious about your protection, I recommend following my “Triple “P” Of Total WordPress Security” guide or accessing the Free Video Tutorials at Lock Your Blog.

The 3 WordPress security plugins I will discuss in this post can be a great addition to your overall efforts; just pick and choose what works best for you and your particular situation.

Exploit Scanner

Consider this plugin your security adviser. It scans your blog files as well as the database entries for your blog posts, pages and comments, evaluates them for any unusual or suspicious code, and then presents you with a list of results.

It does a great job, but you need some technical knowledge to understand the results presented to you. In my case it gave me:

  • Level Severe (64 matches)
  • Level Warning (49 matches)
  • Level Note (297 matches)


All of those are false positives or, to be exact, known and fully legitimate uses of code by plugins. I guess my actions to secure my blog so far have helped me stay protected, but if you choose to use this plugin, be advised not to start hacking and whacking unless you understand the results presented to you.

WordPress Firewall 2 Plugin

I’m going to use the official description from the plugin repository, as it describes its functionality clearly and to the point:

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.

This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

An excellent piece of functionality to add to your blog.
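The field-aware heuristic the description above refers to, as an added illustration rather than the plugin's own code: the same phrase is tolerated in a known comment body but flagged in a numeric or unknown parameter. The field names, patterns and sample requests below are constructed assumptions, not the plugin's real rule set.

```python
import re

# Constructed, illustrative "blacklist" patterns (not the plugin's real rules):
# phrases that have no business in an ID or an unknown query parameter.
SUSPICIOUS = [
    re.compile(r"<\s*script", re.I),             # inline markup
    re.compile(r"\bunion\b.+\bselect\b", re.I),  # SQL-looking phrase
    re.compile(r"\.\./"),                        # directory traversal
]
# Fields whose values are expected to be plain integers (post IDs, paging).
NUMERIC_FIELDS = {"p", "page_id", "cat", "paged"}
# Known free-text body fields: the "whitelist" half. Markup or SQL words
# are legitimate here (a commenter quoting code), so they are not flagged.
FREE_TEXT_FIELDS = {"comment", "post_content", "content"}


def inspect_request(params):
    """Return a list of (field, reason) findings for one request's parameters."""
    findings = []
    for field, value in params.items():
        if field in NUMERIC_FIELDS:
            if not value.isdigit():
                findings.append((field, "non-numeric value in numeric field"))
            continue
        if field in FREE_TEXT_FIELDS:
            continue  # known body field: tolerated regardless of content
        for pattern in SUSPICIOUS:  # unknown field: apply the phrase heuristics
            if pattern.search(value):
                findings.append((field, f"matched {pattern.pattern!r}"))
                break
    return findings


def should_block(params):
    """A request is blocked if any finding was raised for it."""
    return bool(inspect_request(params))


if __name__ == "__main__":
    # Constructed sample requests, as a web server would see the query/form fields.
    samples = {
        "normal post view": {"p": "42"},
        "comment quoting markup": {"comment": "wrap it in <script> tags", "p": "42"},
        "tampered post id": {"p": "42 OR 1=1"},
        "unknown param with markup": {"foo": "<script>x</script>"},
    }
    for name, params in samples.items():
        verdict = "BLOCK" if should_block(params) else "allow"
        print(f"{name}: {verdict} {inspect_request(params)}")
```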


Bulletproof Security WordPress Plugin

This plugin works by adding .htaccess protection to your blog and therefore relies on the standard Apache web server. Since I have migrated all my production sites to nginx and use Apache only on my testing hosts, I haven’t personally tested the plugin, but it could be a life saver for many. Here is just a short description of what it does; read the rest on the official page:

Protects your website from ALL XSS & SQL Injection hacking attempts. Base64_encode code injection blocked. BPS protects wp-config.php, php.ini and php5.ini files with .htaccess protection. One-click .htaccess security file activation. One-click website under maintenance mode activation (HTTP 503). Hide your WordPress version – WP Generator META tag removed, Check and ensure WP DB errors are off, Check WordPress file and folder permissions, Extensive system info (PHP, MySQL, OS, Memory Usage, IP, Max file size info, etc.). Security Status checking.

The plugin has very extensive options and information on your blog’s overall security and comes with solid explanations of what you need to know, so I highly recommend you check it out!

Conclusion

None of the plugins listed above can guarantee your complete security, and they don’t replace updating and upgrading your blog, plugins and themes in a timely manner. Any application or CMS as popular as WordPress has become is bound to have security holes, but a resilient community always comes forward and closes them quickly; you just need to act just as quickly and do your upgrades!

It is also important to know that NO MEASURE you take can protect you against poor security practices by your host. I have just recently read a blog post by a freelancer, Vladimir Kolesnikov (he is the gentleman who gave the heads up on the security issue that led to the WordPress 3.0.2 security upgrade), in which he details some problems with the Dreamhost configuration and how they could be exploited. The post is in Russian, but for Unix-savvy users with a bit of machine translation it presents a very clear picture of the problem (I’ll be willing to translate it if he gives me permission, hint… hint).

However! If you are on one of the hosts that has an issue similar to the one described by Vladimir, you can still be notified in a timely manner of your site being compromised if you followed our Lock Your Blog guide.

Stay Safe, Keep Your Blog Secure and Share Your Thoughts!