Securing your WordPress blog or site might not be high on your agenda while you feverishly build your site’s content and focus on its design. However, if you don’t want to run the risk of all your efforts going down the drain a few weeks or months down the line, I suggest you spend some time considering the security of your site.
By its nature, WordPress is a secure system with well-crafted code. Despite this, no software is perfect, and security holes are found even in WordPress every so often. When such a vulnerability is discovered, an update is released immediately. That is one of the primary reasons why you should always keep your WordPress site updated to the latest version.
Have you got that covered already? Excellent! You’re already one step ahead of many bloggers in securing your site. However, there are a few more steps you can take.
Unless you are extremely confident in the WordPress internals and are a security connoisseur, I suggest taking advantage of the following WordPress security plugins, which will take you a long way in securing your blog.
We will take a look at WordPress security plugins sorted by their area of specialisation:
- All-Rounder Security Plugins
- Login area access
- Anti Virus
- Comment spam
- User permissions
All-Rounder Security Plugins
We can start our security plugin review by mentioning some great plugins that give you an overview of the security status of your WordPress blog and also fix some possible weak spots.
Plugin: Better WP Security
This is a really excellent plugin that not only accurately detects security issues with your blog, but also offers you the ability to fix the issues one by one. It combines many security features and techniques in one plugin. Its interface is clean and uses the WordPress styling. Better WP Security is my favourite all-rounder security tool, and it is a great idea to run it before launching a new WordPress site in order to detect any weaknesses that need patching up. I advise taking a backup before applying any fixes, though; that way, if a fix goes awry, you can quickly restore your site to the state it was in before.
Plugin: Ultimate Security Checker
Rather than fixing the security issues itself, Ultimate Security Checker runs a test, lists the issues it finds, and then explains the cause of each issue and how to fix it in a separate tab. For this reason it is a great learning tool if you want to actually understand the issues and know how to fix them yourself. It has a clean interface.
Part of any security strategy is backing up your database and website files. It’s all very well to secure your blog as much as possible, but you can never be perfectly secure, and if something does happen you will want a handy backup to restore your blog to an earlier (hopefully very recent) state.
Plugin: BackWPUp
BackWPUp is a truly excellent plugin that can back up both your files and database, then send them to multiple locations such as Amazon S3, FTP, Dropbox etc. You can select exactly which folders and tables you want to back up, and also schedule automatic backups. A truly handy plugin that is amazingly free.
This is a lighter plugin in the sense that it only takes care of backing up your database. The nice thing about this plugin is that it also incorporates database optimisation and repair functionality, making it an excellent plugin to have even if you will only use it for its database management features.
Login Area Access
The easiest way into your WordPress site is the way you use yourself to enter the admin section. You already know that you should use secure passwords; let’s see what else can be done to make this aspect of your site more secure. Before I examine any plugins, I’d like to point out that one security method that has been tried in the past is obfuscating the admin URL. This makes it harder for hackers to gain access by changing the location of the admin login page. Unfortunately there is currently no plugin that pulls this off: older plugins have either been abandoned or tend to break the site’s functionality, so it is best to avoid them for the time being. Other plugins were used to let administrators log in to their site over SSL, but again most of these plugins are a bit shaky, and it is best to use the WordPress built-in functionality for administration over SSL. Right, on to a plugin which does work:
Plugin: Limit Login Attempts
A pretty standard trick in a hacker’s book is to try to log into your blog using thousands of password combinations until one does the job, otherwise known as brute-forcing. By default WordPress allows unlimited login attempts, either through the login page or by sending specially crafted cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. The ‘Limit Login Attempts’ plugin makes this task impossible by locking out users after a pre-set number of attempts.
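The lockout described above, as an added illustrative snippet (not the Limit Login Attempts plugin’s own code) built on WordPress’ `wp_login_failed`, `auth_cookie_bad_hash` and `authenticate` hooks; the threshold, the window and the `ell_` function names are assumptions.

```php
<?php
// Illustrative login limiter, meant to live in a small plugin file. Not the Limit Login Attempts plugin.

// Hypothetical policy: after 5 failures the client is refused for 15 minutes.
define( 'ELL_MAX_ATTEMPTS', 5 );
define( 'ELL_WINDOW', 15 * MINUTE_IN_SECONDS );

// The counter is keyed on the client address. REMOTE_ADDR is only meaningful when
// no reverse proxy or CDN sits in front of the site; behind one, have the proxy
// pass the real client address and read that header here instead.
function ell_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ell_fail_' . md5( $ip );
}

// Increment the counter; every failure also renews the expiry, so a client that
// keeps hammering the login stays locked out.
function ell_record_failure() {
    $key = ell_key();
    set_transient( $key, (int) get_transient( $key ) + 1, ELL_WINDOW );
}
// Failed form (and XML-RPC) logins, including rejections by ell_check_lockout().
add_action( 'wp_login_failed', 'ell_record_failure' );
// Forged or stale auth cookies, the second path the text mentions.
add_action( 'auth_cookie_bad_hash', 'ell_record_failure' );

// Refuse locked-out clients. Priority 30 runs after WordPress' own username/
// password check (priority 20), so this filter has the last word and even a
// correct password submitted during a lockout is refused.
function ell_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( ell_key() ) >= ELL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'ell_check_lockout', 30, 3 );
```

Transients live in the options table (or the object cache), so the counter is shared across all PHP workers of the site rather than being per-process.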
A firewall is normally implemented at server level, however not all servers are well maintained. Especially if you are using shared hosting, it does no harm to insert another layer of protection for your WordPress blog. A firewall plugin for your site can do just that.
Plugin: Firewall 2
This WordPress plugin inspects web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful, generic server modules that do this, but they are not always installed on web servers and are usually difficult to configure.
This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night. It can be set to issue email alerts whenever an attack is detected, helping you monitor and discover the most common attacks on your blog.
Anti Virus
Did you think that only your laptop or desktop needed an anti-virus solution? Think twice: viruses, worms and malware exist for WordPress and could easily attack your WordPress installation.
Plugin: AntiVirus
An anti-virus plugin installed within WordPress can scan your system for malicious code. This is exactly what the AntiVirus plugin does: it monitors for malicious injections and warns you of any possible attacks. You can either run a scan manually or schedule a daily scan, with results being mailed directly to an email address of your choice.
There are a bazillion WordPress themes, and it’s a bad idea to assume that all of them are well coded and ideal for usage on your blog. Badly coded themes abound, but most worrisome are those which have malicious code inserted, providing hidden backlinks to the creator or even backdoors to your site. Luckily, there are plugins which can help you decide whether a theme is safe or not. One of them is the AntiVirus plugin which we mentioned earlier, and the other is TAC (Theme Authenticity Checker).
Plugin: Theme Authenticity Checker
This nifty plugin adds an extra item named ‘TAC’ under the ‘Appearance’ menu in the WordPress admin section. Clicking this item will trigger a check of the source files of every theme you have installed on your site. If any malicious code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code.
Comment Spam
Comment forms are another typical entry point for hackers and spammers. By inserting malicious code into forms, hackers will try to cause your site to malfunction and thus gain entry, or at least glean valuable information about your server setup, giving them working material for trying another exploit. Spammers, on the other hand, can populate your site with unsightly spam comments. Weeding out spam comments by hand is nobody’s favourite job, so we’ll enlist two plugins to help us out.
Plugin: Akismet
Akismet is probably the world’s most popular spam filter, and is free for personal use. It works by connecting to Akismet’s servers and comparing a comment’s content against patterns that reveal a spam comment. It is a very reliable plugin and a definite must on all WordPress sites which accept comments. Akismet is installed by default on a new WordPress blog.
Plugin: Bad Behaviour
Bad Behaviour is an open source solution for eliminating link spam, and is available natively for multiple platforms including WordPress. Providing plug-and-play functionality (just install and activate), it complements Akismet and acts as a gatekeeper by preventing spammers from even gaining access to your site. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial-of-service conditions caused by spammers. It not only analyses the comment content to identify whether it is spam (as Akismet does), but goes one step further and analyses the delivery method, which can often unmask a spam comment.
User Permissions
Some of the most common security threats come from within, so if you have a multi-user blog you would do well to take precautions and fine-tune each user’s permissions. The principle to keep in mind is that each user should start with no permissions, and you then grant access only to the functions he needs to work with. A user who only contributes articles to your blog, for example, does not need access to the ‘Settings’ section of the admin.
Plugin: Role Scoper
Role Scoper gives WordPress CMS-style control over roles and user access to functionality. This plugin lets you create custom user profiles that have access only to the exact functions you want them to have. This way non-administrative users cannot dabble with things they shouldn’t be seeing. A very useful plugin.
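The start-with-nothing principle from the User Permissions introduction, applied with WordPress’ own role API, as an added illustrative snippet (not Role Scoper’s code); the `article_writer` role, the list of sensitive capabilities and the `elp_` names are assumptions.

```php
<?php
// Illustrative least-privilege role plus a capability audit, meant for a small plugin file.

// Create a deliberately minimal role on activation only (roles persist in the
// database, so do not call add_role() on every request).
function elp_register_writer_role() {
    add_role( 'article_writer', 'Article Writer', array(
        'read'         => true, // dashboard and own profile
        'edit_posts'   => true, // create and edit own drafts
        'upload_files' => true, // attach images to those drafts
        // No publish_posts, edit_others_posts or manage_options: an editor reviews and publishes.
    ) );
}
register_activation_hook( __FILE__, 'elp_register_writer_role' );

// Capabilities that should normally be held by administrators only (assumed list).
function elp_sensitive_caps() {
    return array( 'manage_options', 'edit_files', 'install_plugins', 'edit_plugins',
                  'edit_themes', 'promote_users', 'unfiltered_html', 'unfiltered_upload' );
}

// Returns array( role_slug => sensitive caps it holds ) for every role except administrator.
// On a default single-site install this flags the editor role for unfiltered_html.
function elp_audit_roles() {
    $findings = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( 'administrator' === $slug ) { continue; }
        $held = array_filter( elp_sensitive_caps(), function ( $cap ) use ( $role ) {
            return ! empty( $role['capabilities'][ $cap ] );
        } );
        if ( $held ) {
            $findings[ $slug ] = array_values( $held );
        }
    }
    return $findings;
}

// Surface the findings to administrators as a dashboard notice.
function elp_show_audit_notice() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    foreach ( elp_audit_roles() as $slug => $caps ) {
        printf( '<div class="notice notice-warning"><p>Role %s holds: %s</p></div>',
                esc_html( $slug ), esc_html( implode( ', ', $caps ) ) );
    }
}
add_action( 'admin_notices', 'elp_show_audit_notice' );
```

Re-run the audit after installing any plugin that registers roles or capabilities, since those changes are also stored in the database and are easy to overlook.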
Plugin: Audit Trail
Audit Trail helps you keep track of specific events that happen on your blog. Each action is recorded in Audit Trail’s logs with the username, time of event, IP address, the action taken, and the results of the action.
I hope that the above plugins can give you a kick-start in protecting your WordPress blog or website. If you know of any other WordPress security plugins that we’ve missed out, we want to hear from you!