ghacks Technology News

5 WordPress Plugins To Increase Your Blog’s Security

WordPress, like any other popular script or online service, is heavily targeted by malicious users who try to gain access to it and then use the hijacked blogs or services for malicious activities. This includes spamming ads to the blog’s visitors or placing links to their sites on the blog’s pages.

WordPress administrators can improve the security of their blog with several standard practices like selecting a secure password, changing the admin username or disabling features in the blog (like preventing registration or remote publishing).

But there are also WordPress plugins that can increase the blog’s security tremendously. The following list contains five WordPress plugins that improve a blog’s security.

1. Login Lockdown

Login Lockdown increases protection against so-called brute force attacks. The plugin will log every login attempt and block attempts from IP addresses that. The number of login retries, the retry time interval and the length of the lockout can be configured in the plugin’s options.

The list of blocked IP addresses can also provide the webmaster with information about ongoing attacks.

2. WP Security Scan

WP Security Scan scans several key elements of the blog. The plugin checks the WordPress version, table prefix, if the WordPress version is hidden, if DB errors are turned off, if the ID Meta tag has been removed, if a user admin exists and if a .htaccess file has been placed in wp-admin for extra security.

It can furthermore scan the file permissions of the core WordPress folders (showing the suggested and the actual permissions), change the WordPress table suffix to protect the blog from zero day attacks and provide access to a password strength checker. The plugin does not need to be active all the time.

3. Antivirus for WordPress

Antivirus for WordPress scans the active theme folder for malicious injections. It protects the blog against certain forms of exploits and spam injections. It runs in the background and can be configured to notify the admin if a scan finds an anomaly in the theme files.


4. WordPress File Monitor

The plugin monitors the files of a WordPress blog and notifies the webmaster if any of them have been changed. It can check the file modification date or compare hashes to find modified files.

Folders can be excluded from the scan, which is important for cache folders, for instance, whose files change regularly.
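The hash comparison and folder exclusion described above, as an added Python example (not the plugin's code). The function names, the sample tree and the excluded `wp-content/cache` path are assumptions constructed for illustration; the demo also shows a content change that a modification-date check misses when the file's timestamp is unchanged.

```python
import hashlib
import os
import tempfile

def snapshot(root, exclude=()):
    """Map each relative file path under root to (sha256 hex, mtime in ns)."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded folders (e.g. caches) so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in exclude]
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.normpath(os.path.join(rel_dir, name))
            result[rel] = (digest, os.stat(path).st_mtime_ns)
    return result

def compare(baseline, current, use_hash=True):
    """Return sorted lists of added, removed and modified relative paths."""
    idx = 0 if use_hash else 1  # compare digests, or modification dates only
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p][idx] != current[p][idx])
    return added, removed, modified

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
        os.makedirs(os.path.join(root, "wp-content", "cache"))
        theme = os.path.join(root, "wp-content", "themes", "demo", "footer.php")
        cache = os.path.join(root, "wp-content", "cache", "page.html")
        for path, body in ((theme, "<?php // footer ?>"), (cache, "v1")):
            with open(path, "w") as fh:
                fh.write(body)
        exclude = {os.path.join("wp-content", "cache")}
        base = snapshot(root, exclude)
        # Change the theme file's content but leave its timestamps as they were.
        st = os.stat(theme)
        with open(theme, "a") as fh:
            fh.write("<a href='http://spam.example/'>x</a>")
        os.utime(theme, ns=(st.st_atime_ns, st.st_mtime_ns))
        with open(cache, "w") as fh:
            fh.write("v2")  # normal cache churn, excluded from the scan
        now = snapshot(root, exclude)
        return compare(base, now, use_hash=True), compare(base, now, use_hash=False)
```

`demo()` returns the hash-based result first and the date-based result second: only the hash comparison reports the changed theme file, and the excluded cache file appears in neither.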

5. Secure WordPress

The plugin performs a series of one-time operations on the WordPress blog, specifically:

1. removes error-information on login-page
2. adds index.php plugin-directory (virtual)
3. removes the wp-version, except in admin-area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. remove core update information for non-admins
7. remove plugin-update information for non-admins
8. remove theme-update information for non-admins (only WP 2.8 and higher)
9. hide wp-version in backend-dashboard for non-admins
10. Add string for use WP Scanner
11. Block bad queries

Secure WordPress can be downloaded from the official WordPress Plugin repository.




About the Author: Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand. You can follow Martin on Facebook or Twitter.

Saturday May 8, 2010


Responses so far:

  1. dcpatton says:

    Martin,

    Good article. Interestingly Login LockDown seems to not be updated to the latest version of WordPress. I also think it might be of value to suggest admins use SSL (https) for all their admin activity. Unfortunately a lot of hosting services don’t support it.

    What are your thoughts on plugins like Admin SSL?

  2. allaboutedu says:

    Can you suggest a plugin where I can block an IP on the basis of the number of clicks or time spent on the site? So if an IP comes to the site and does x number of clicks in a given time frame, then it will be blocked automatically.
