Best Security Plugins for WordPress

Securing your WordPress blog or site might not be high on your agenda as you feverishly strive to build your site’s content and focus on its design. However, if you don’t want to run the risk of all your efforts going down the drain a few weeks or months down the line, I suggest you spend some time considering the security aspect of your site.

By its nature, WordPress is a secure system with well-crafted code. Despite this, no software is perfect, and security holes are found even in WordPress every so often. When such vulnerabilities are discovered, an update is immediately released. Hopefully you can see this as one of the primary reasons why you should always keep your WordPress site updated to the latest version.

Have you got that covered already? Excellent! You’re already one step ahead of many bloggers in the security of your site; however, there are a few more steps you can take to secure it.

Unless you are extremely confident in the WordPress internals and are a security connoisseur, I suggest taking advantage of the following WordPress security plugins, which will take you a long way in securing your blog.

We will take a look at WordPress security plugins sorted by their area of specialisation:

  • All-Rounder Security Plugins
  • Backups
  • Login area access
  • Firewall
  • Anti Virus
  • Themes
  • Comment spam
  • User permissions

All-Rounder Security Plugins

We can start our security plugin review by mentioning some great plugins that give you an overview of the security status of your WordPress blog and also fix some possible weak spots.

Plugin: Better WP Security

This is a really excellent plugin that not only accurately detects security issues with your blog, but also offers you the ability to fix the issues one by one. It combines many security features and techniques in one plugin. Its interface is clean and uses the WordPress styling. Better WP Security is my favourite all-rounder security tool, and it is a great idea to run it before launching a new WordPress site in order to detect any possible weaknesses that need patching up. I advise taking a backup before applying any fixes, though; that way, if any fix goes awry, you can quickly restore your site as it was before.

Download Better WP Security

Plugin: Ultimate Security Checker

Rather than fixing the security issues itself, Ultimate Security Checker runs a test, lists the issues it finds, and then explains the cause of each issue and how to fix it in a separate tab. For this reason it is a great learning tool if you want to actually understand the issues and know how to fix them yourself. It has a clean interface.

Download Ultimate Security Checker Plugin

Backups

Part of any security strategy is backing up your database and website files. It’s all well and good to secure your blog as much as possible; however, you can never be perfectly secure, and if something happens you will want a handy backup to turn to, so you can restore your blog to an earlier (hopefully very recent) state.

Plugin: BackWPUp

BackWPUp is a truly excellent plugin that can back up both your files and database, then send them to multiple locations such as Amazon S3, FTP, Dropbox etc. You can select exactly which folders and tables you want to back up, and also schedule automatic backups. A truly handy plugin that is amazingly free.

Download BackWPUp

Plugin: WP-DBManager

This is a lighter plugin in the sense that it only takes care of backing up your database. The nice thing about this plugin is that it also incorporates database optimisation and repair functionality, making it an excellent plugin to have even if you will only use it for its database management features.

Download WP-DBManager

Login Area Access

The easiest way into your WordPress site is the way you use yourself to enter the admin section. You already know that you should use secure passwords; let’s see what else can be done to make this aspect of your site more secure. Before I examine any plugins, I’d like to point out that one security method that has been tried in the past is obfuscating the admin URL. This makes it harder for hackers to gain access by changing the location of the admin login page. Unfortunately there is currently no plugin that pulls this off: older plugins have either been abandoned or tend to break the site’s functionality, so it is best to avoid them for the time being. Other plugins were used to enable administrators to log in to their site using SSL, but again most of these plugins are a bit shaky, and it is best to use the WordPress built-in functionality for administration over SSL. Right, on to a plugin which does work:

Plugin: Limit Login Attempts

A pretty standard trick in a hacker’s book is to try to log into your blog using thousands of password combinations until one does the job, otherwise known as brute-forcing. By default WordPress allows unlimited login attempts, either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. The ‘Limit Login Attempts’ plugin makes this task impossible by locking out users after a pre-set number of attempts.

Download Limit Login Attempts plugin
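To show what a lockout of this kind looks like under the hood, here is a small plugin of my own for this article, not the Limit Login Attempts code: it counts failed logins per client address in a WordPress transient and refuses further attempts once the threshold is reached. The `ex_` prefix, the thresholds and the transient key scheme are my choices.

```php
<?php
/*
 * Illustrative per-client login lockout using WordPress transients.
 * Added example, not the Limit Login Attempts plugin's code. Assumed names: the
 * "ex_" prefix, the thresholds and the transient key scheme. Save as
 * wp-content/plugins/ex-login-lockout/ex-login-lockout.php and activate.
 *
 * Plugin Name: Example Login Lockout
 */

const EX_MAX_ATTEMPTS    = 5;        // failures allowed before the client is locked out
const EX_LOCKOUT_SECONDS = 20 * 60;  // lifetime of the counter, and so of the lockout

// One counter per client address. REMOTE_ADDR is the TCP peer; behind a reverse
// proxy you must derive the real client from the proxy's forwarded header and
// only trust that header from the proxy itself, which this example leaves out.
function ex_lockout_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'ex_login_fail_' . md5($ip);
}

function ex_failed_attempts(): int {
    return (int) get_transient(ex_lockout_key());
}

// Core fires wp_login_failed for every unsuccessful wp_signon(), which covers the
// login form and XML-RPC logins alike. Each failure re-arms the expiry timer.
add_action('wp_login_failed', function ($username) {
    set_transient(ex_lockout_key(), ex_failed_attempts() + 1, EX_LOCKOUT_SECONDS);
});

// Refuse logins from a locked-out client. Priority 100 runs after the core
// password check (priority 20), so a correct password cannot override the lockout.
add_filter('authenticate', function ($user, $username, $password) {
    if (ex_failed_attempts() >= EX_MAX_ATTEMPTS) {
        // Generic message: it must not reveal whether the username exists.
        return new WP_Error('ex_locked_out', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 100, 3);

// A successful login clears the client's counter.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ex_lockout_key());
}, 10, 2);
```

Two design points worth noting: the lockout check runs late in the `authenticate` filter chain, because an early filter returning an error is overridden when a later core filter finds the password correct; and because a refused attempt itself fires `wp_login_failed`, every further try while locked out extends the lockout.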

Firewall

A firewall is normally implemented at server level, however not all servers are well maintained. Especially if you are using shared hosting, it does no harm to insert another layer of protection for your WordPress blog. A firewall plugin for your site can do just that.

Plugin: Firewall 2

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this, but they’re not always installed on web servers and are usually difficult to configure.

This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. It can be set to issue email alerts whenever an attack is detected, helping you monitor and discover the most common attacks on your blog.

Download Firewall 2

Anti Virus

Did you think that only your laptop or desktop needed an anti-virus solution? Think twice: viruses, worms and malware exist for WordPress and could easily attack your WordPress installation.

Plugin: AntiVirus

An anti-virus plugin installed within WordPress can scan your system for any malicious code. This is exactly what this plugin does, monitoring for malicious injections and warning you of any possible attacks. You can either run a scan manually or schedule a daily scan, with results being mailed directly to an email address of your choice.

Download AntiVirus plugin

Themes

There are a bazillion WordPress themes, and it’s a bad idea to assume that all of them are well coded and ideal for usage on your blog. Badly coded themes abound, but most worrisome are those which have malicious code inserted, providing hidden backlinks to the creator or even backdoors to your site. Luckily, there are plugins which can help you decide whether a theme is safe or not. One of them is the AntiVirus plugin which we mentioned earlier, and the other is TAC (Theme Authenticity Checker).

Plugin: Theme Authenticity Checker

This nifty plugin adds an extra item named ‘TAC’ under the ‘Appearance’ menu in the WordPress admin section. Clicking this item will trigger a check of the source files of every theme you have installed on your site. If any malicious code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code.

Download TAC plugin
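As an added example for this article (not TAC’s code), here is a read-only scanner that does the same job in miniature: it reads every theme file line by line, matches a few indicators of injected code, and reports the file, line number and a snippet. The `ex_` prefix and the indicator list are my assumptions; the sample footer at the bottom is constructed, and its base64 blob is harmless.

```php
<?php
/*
 * Illustrative theme-source scan in the spirit of TAC: each .php file is read
 * line by line and matched against a few indicators of injected code, and every
 * hit is reported with file, line number and snippet, as TAC does. Added example,
 * not the plugin's code; the "ex_" prefix and the indicator list are assumptions.
 * Read-only: it never edits a theme file. Runs stand-alone: php ex-theme-scan.php
 */

// Constructs that legitimate theme code almost never needs. A hit is a lead to
// review by hand, not proof of compromise. The scan is line-based, so code
// split across lines or built up from string fragments will slip past it.
const EX_THEME_INDICATORS = [
    'obfuscated payload'  => '~\b(?:eval|assert|create_function)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(~i',
    'encoded string blob' => '~base64_decode\s*\(\s*[\'"][A-Za-z0-9+/=]{40,}~',
    'remote code fetch'   => '~\b(?:file_get_contents|curl_init|fopen)\s*\(\s*[\'"]https?://~i',
    'hidden link'         => '~<a\b[^>]*style\s*=\s*["\'][^"\']*(?:display\s*:\s*none|visibility\s*:\s*hidden)~i',
    'shell execution'     => '~\b(?:shell_exec|passthru|system|exec|proc_open|popen)\s*\(~',
];

/** Scan one file's contents; returns [line number, indicator, snippet] per hit. */
function ex_scan_theme_source(string $contents): array {
    $hits = [];
    foreach (explode("\n", $contents) as $i => $line) {
        foreach (EX_THEME_INDICATORS as $label => $regex) {
            if (preg_match($regex, $line)) {
                $hits[] = [$i + 1, $label, trim(substr($line, 0, 100))];
            }
        }
    }
    return $hits;
}

/** Scan every .php file under a themes directory, e.g. WP_CONTENT_DIR . '/themes'. */
function ex_scan_theme_dir(string $dir): array {
    $report = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $hits = ex_scan_theme_source((string) file_get_contents($file->getPathname()));
        if ($hits !== []) {
            $report[$file->getPathname()] = $hits;
        }
    }
    return $report;
}

// Stand-alone demo on a constructed footer.php. The base64 blob is harmless
// (it decodes to "echo 'hello';"); it is the eval(base64_decode(...)) shape that
// is reported, not the content. Expect two hits: line 3 and line 4.
$sample = <<<'PHP'
<?php wp_footer(); ?>
<div class="credits">Powered by WordPress</div>
<a href="http://example.invalid/" style="display:none">unrelated link</a>
<?php eval(base64_decode('ZWNobyAnaGVsbG8nOw==')); ?>
PHP;
foreach (ex_scan_theme_source($sample) as [$line, $label, $snippet]) {
    printf("footer.php:%d  %s: %s\n", $line, $label, $snippet);
}
```

Inside WordPress you would call `ex_scan_theme_dir(WP_CONTENT_DIR . '/themes')` from WP-CLI or a scheduled event and mail the report, much as the AntiVirus plugin does with its daily scan. The two sample hits (a hidden link and an `eval(base64_decode(...))` call) are the two shapes the Themes section warns about: hidden backlinks and backdoors.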

Comment Spam

Comment forms are another typical entry point for hackers and spammers. By inserting malicious code into forms hackers will try to cause your site to malfunction and thus gain entry or at least glean valuable information about your server setup, giving them working material for trying another exploit. Spammers on the other hand can populate your site with unsightly spam comments. Weeding out spam comments by hand is nobody’s favourite job, so we’ll enlist two plugins to help us out.

Plugin: Akismet

Akismet is probably the world’s most popular spam filter, and is free for personal use. It works by connecting to Akismet’s servers and analysing a comment’s content for patterns that reveal a spam comment. It is a very reliable plugin and a definite must on all WordPress sites which accept comments. Akismet is installed by default on a new WordPress blog.

Download Akismet

Plugin: Bad Behaviour

Bad Behaviour is an open source solution for eliminating link spam, and is available natively for multiple platforms including WordPress. Providing plug-and-play functionality (just install and activate), it complements Akismet and acts as a gatekeeper by preventing spammers from even gaining access to your site. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers. It not only analyses the comment content to identify whether it is spam (as Akismet does), but goes one step further and analyses the delivery method, which can often unmask a spam comment.

Download Bad Behaviour

User Permissions

Some of the most common security threats come from within, and therefore if you have a multi-user blog, you would do well to take precautions and fine-tune each user’s permissions. The principle to keep in your head is that each user should start with no permissions, and you then grant access only to the functions they need to do their work. A user who is only contributing articles to your blog does not need access to the ‘Settings’ section of the admin, for example.

Plugin: Role Scoper

Role Scoper gives WordPress CMS-style control over roles and user access to functionality. This plugin lets you create custom user profiles that only have access to the exact functions you choose. This way non-administrative users cannot dabble with things they shouldn’t be seeing. Very useful plugin.

Download Role Scoper

Plugin: Audit Trail

Audit Trail helps you keep track of specific events that happen on your blog. Each action is recorded in Audit Trail’s logs with the username, time of event, IP address, the action taken, and the results of the action.

Download Audit Trail
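To make concrete what such a record contains, here is an added example of my own (not Audit Trail’s code): a handful of hooks that each write one line with the username, UTC time, client IP, action and result. The `ex_` prefix, the set of hooks and the choice of PHP’s error log as the sink are my assumptions.

```php
<?php
/*
 * Illustrative audit log in the spirit of Audit Trail: the hooks below produce one
 * line per event with the username, UTC time, client IP, action and result. Added
 * example, not the plugin's code; the "ex_" prefix, the set of hooks and the choice
 * of PHP's error log as the sink are assumptions. Use as a small plugin file.
 *
 * Plugin Name: Example Audit Log
 */

// Writes to the PHP error log (set error_log in php.ini to a file outside the web
// root). Never log passwords or nonces; the submitted username on a failed login
// is the only user-supplied value recorded here, and it is sanitised first.
function ex_audit(string $action, string $result, ?string $who = null): void {
    if ($who === null) {
        $current = wp_get_current_user();
        $who     = $current->exists() ? $current->user_login : '-';
    }
    error_log(sprintf('wp-audit time=%s user=%s ip=%s action=%s result=%s',
        current_time('mysql', true),        // UTC timestamp
        $who,
        $_SERVER['REMOTE_ADDR'] ?? '-',     // behind a reverse proxy this is the proxy, not the client
        $action,
        $result));
}

add_action('wp_login', function ($user_login, $user) {
    ex_audit('login', 'success', $user_login);
}, 10, 2);

add_action('wp_login_failed', function ($username) {
    ex_audit('login', 'failed', sanitize_user((string) $username));
});

// By the time wp_logout fires the current user is already cleared, so use the id it passes.
add_action('wp_logout', function ($user_id = 0) {
    $u = get_userdata((int) $user_id);
    ex_audit('logout', 'ok', $u ? $u->user_login : '-');
});

add_action('activated_plugin', function ($plugin) {
    ex_audit("activate_plugin:$plugin", 'ok');
});

add_action('deactivated_plugin', function ($plugin) {
    ex_audit("deactivate_plugin:$plugin", 'ok');
});

add_action('set_user_role', function ($user_id, $role, $old_roles) {
    ex_audit("set_user_role:user_id=$user_id", implode(',', $old_roles) . '->' . $role);
}, 10, 3);

add_action('delete_user', function ($user_id) {
    ex_audit("delete_user:user_id=$user_id", 'requested');
});

// Settings an administrator rarely changes; their values are deliberately not logged.
add_action('updated_option', function ($option) {
    $watched = ['siteurl', 'home', 'admin_email', 'users_can_register', 'default_role'];
    if (in_array($option, $watched, true)) {
        ex_audit("update_option:$option", 'changed');
    }
});
```

Role changes and option changes are the events that matter most for the User Permissions section above: a contributor who suddenly becomes an administrator, or a changed `admin_email`, shows up as a single line that is easy to alert on.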

I hope that the above plugins can give you a kick-start in protecting your WordPress blog or website. If you know of any other WordPress security plugins that we’ve missed, we want to hear from you!

Comments (26)

    • User Locker looks like it may present the opportunity for abuse. Limit Login Attempts locks out by IP Address, but User Locker locks out by WordPress username.

      Do you see the potential problem here?

      All one with nefarious intent has to do is find out someone’s username (something that is generally not difficult to do in WordPress), and then try to login as that person 3 times – and then that user is locked out of his own site.

      • Thanks for your time to explain Chip.

        It does actually bring up a possible improvement to default WP settings options.
        i.e. force users to choose a ‘display user name’ different to their login user name?

        • That wouldn’t help, either, really – because WordPress does everything based on slugs, which for users is the username.

          Setting aside the “admin” username use case (let’s hope everyone is now taking advantage of the non-default admin username, eh?), it is fairly trivial to determine someone’s username, unless the Theme goes to great, explicit lengths to obscure it: author archives, author feed, author posts, author comments, etc.

      • When User Locker locks an account, the user can unlock it by resetting his/her password. Of course this may lead to a DoS attack if someone repeatedly enters invalid passwords, but it is good enough against one-time attackers.

  1. Thanks for the props to my Better WP Security plugin. Thanks even more for pointing out the need to make a backup before installing. The biggest limit I’ve seen supporting the plugin is due to memory and CPU issues on the host (there’s nothing like having your host cut off your script halfway through renaming the database).

    There’s more to come with the plugin; watch for some new features in the coming months!

  2. Hi Chris

    Regarding use of the TAC plugin – you said:

    “Clicking this item will trigger a check of the source files of every theme you have installed on your site.”

    Does this include a check on EVERY theme in EVERY site in a MULTI-site installation please?

    A great post BTW.

    Gail

    • Hi Gail, thanks for your comments, I haven’t tested this in a Multisite environment, maybe it’s best to ask this directly to the developers of TAC at the WordPress forums.

    • Yes, it checks every installed theme. On a multisite network the themes are still all stored within the single instance of “/wp-content/themes/*” so while we can assume there will be a lot more themes (and thus theme files) for it to scan, it does effectively scan all the installed themes.

  3. My site was blocked by Google, caused by an attacker injecting files into my footer. After I removed the script in footer.php and reinstalled WP, I also installed the Web Security Tool plugin, but this plugin put a link in my footer. I’ll try your suggestion to use the Better WP Security plugin. Thanks, D

  4. Thanks for the article. I’ve just been looking at security plug-ins and finally opted for Bulletproof Security WP Plug-in…..seems it’s being supported and updated and good reviews/ ratings….I got the free version which is pretty robust but there is a Pro version too….didn’t look into that at this stage

  5. Even with Antivirus, Akismet, Defensio, and Cloudflare CDN Pro protection, I still get tons of spam every day. I’ve upgraded to WP 3.1 and downloaded this plugin. Unfortunately, when I went to the settings to see if there was anything I needed to adjust, I got this error:

    Fatal error: Cannot redeclare _iscurlinstalled() in /home/nofaenet/public_html/wp-content/plugins/ban-hammer/ban-hammer_options.php on line 9

    Fatal errors always make me a bit nervous. Has anyone else come across this issue? Does this look like it could be conflicting with my many other security plugins? Or maybe it’s not compatible with WP 3.1? I’ll deactivate this plugin until I can figure out how to solve this.

    • If you’re still using WP 3.1 no level of security plugins is really going to help you. There are open security holes within WP itself that aren’t addressed until the current version. You should ALWAYS upgrade to the current version of WP as soon as you’ve ensured theme and plugin compatibility – and if some themes or plugins are incompatible you should make every effort to either upgrade to the latest version or even fix them yourself. If that’s not possible, remove the offending themes and plugins and upgrade WP core anyway!

      The version of WP you’re using has more than a dozen known security issues, including remote file uploads, weak authentication checks and more. Installing a security plugin on that to ‘fix’ its native problems is roughly equivalent to trying to build a submarine out of cheese graters.

  6. Hi! Your website is very awesome & awesome weblog.Really so outstanding content,things you explaining are awesome, Keep writing a blog, have a awesome day! You have explain more about best protection for house of office. Let me know If you have any problem regarding any kind of Security System at your house. If you need more protected in house with enhance technology safty system Get in touch with me as soon as possible. We will give best an idea about protection in The united states for how can possible to sure in house some time.

    Checkout more information for best safty device for Advance security in America at http://www.securitysystemreviews.com/

  7. I just thought I’d add to this by suggesting the WordPress Simple Firewall plugin… it’s a mix between
    – WordPress Firewall 2
    – Limit Login Attempts
    – And G.A.S.P.

    This plugin, one that we’ve created, even protects against intrusion within itself – that is, you must authenticate a second time in order to use the actual plugin. In this way it is more difficult to circumvent its settings.

    It has 4000+ downloads and has all 5* reviews :)

    Worth checking out: http://wordpress.org/plugins/wp-simple-firewall/

    Thanks!
    Paul.
