Although there are many security elements you can implement to tighten security on your WordPress blog, there are also many great WordPress Security Plugins available.
WordPress Security plugins can help find web server vulnerabilities, scan for malware, block IPs, make backups, track system events, control comment spam, etc.
These security plugins are easy to download and install without the need for technical knowledge.
Keep in mind, I'm not suggesting that you install a bunch of security plugins and your WordPress site is safe from malicious hackers. There is no “set it and forget it.” These can only help enhance security and must be maintained.
I, myself, sometimes add over 100 security elements when securing an individual site. My average is over 60 security elements per website, which may include up to 16 security plugins (if needed).
I'd love to get your input on which WordPress Security Plugins you find useful.
What are your favorite WordPress Security Plugins and why?
Please share with us by leaving your comment below.
I look forward to your feedback.
Securely yours,
Regina Smola
WordPress Security Specialist
Follow on Twitter @WPSecurityLock
andy says
There are only a few WP security plug-ins that I set up on every site, these include:
Login Lockdown (Stop those crackers), Secure WordPress (remove common information), BBQ (no long exploit strings). This is all, other than routing all traffic to my site through the CloudFlare content delivery network.
Regina Smola says
Hi Andy,
Very nice! I love Login Lockdown too. I use it on every site.
BBQ – another nice one. Have you checked out WordPress Firewall 2?
Secure WordPress is another great one.
I did try CloudFlare but there was an issue with routing when it was at its early stages. I’ll have to revisit that.
Thanks for sharing!
John Hoff says
Hi Regina,
I’m still a fan of the SEO Egghead’s original WordPress Firewall plugin. I asked them a while back if they knew about WF2 and they said yes and in fact that “new” plugin author never even contacted them about basically copying their plugin.
It is to my understanding, however, that it is a legit thing to do to “fork” someone else’s plugin, but surely they could have had the decency to contact SEO Egghead. After all, they did put SEO Egghead’s name down as one of the authors. I know if I spent months of hard work and possibly a ton of money into a plugin’s creation only to find that someone later on skimmed something new off of what all I had done… I’d be pretty upset. But again, I guess it’s legit so what are you going to do?
To me that’s kind of a crummy thing to do, so I’ve been sticking with the original plugin.
Regina Smola says
Hi John,
Thanks for your comment. You have a good point. As far as being legit, I would have to question an attorney and find out. And ask Jonathan Bailey at http://www.plagiarismtoday.com.
We work way too hard to have others copy us. Let’s just hope they’re kind enough to ask permission to use things.
Have a great day!
~ Regina
John Hoff says
I think it’s legit because of the GPL. But then again (and like you referenced), I’m no attorney.
Regina Smola says
I hear ya John. But… it’s still unethical.
P.S. You and I need to do a JV together soon.
John Hoff says
I totally agree. Let me get this one project I’m doing out of the way and I’ll get in touch with you. Sound good?
Regina Smola says
Sounds fantastic!
Roy Randolph says
One security plugin I will not live without is AntiVirus For WordPress, after reading Matt Keegan’s blog earlier this year (2010), this one specifically http://www.matthewkeegan.com/2010/03/13/antivirus-for-wordpress-detects-mischief/
I have been using this plugin on all my WP sites, as well as all of our clients’ sites.
Nothing found thus far, but it isn’t “if” something will be found, but “when”.
Regina Smola says
Thanks for your info Roy. I use AntiVirus myself. I always have to remember to do a manual scan if I change something in my theme so I don’t get the “alert.”
I also like Exploit Scanner so I can check the rest of the installation. I just wish it was automatic.
Plus, I have “Sucuri” running 24/7.
I guess I have a lot of scanning going on 🙂
Eric says
I forget which plugins I’ve got, but there’s a 6 line homebrew script I’ve got running that sends me emails if the md5 hash on any of the files I have it watching changes.
Works well, except I tend to freak out 5 minutes after updating cause I get a “Hack Warning – File Changed” email >_<
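A baseline-and-compare file integrity check in the spirit of the homebrew watcher Eric describes, added here as an example (it is not Eric's script or any plugin's code). It assumes GNU coreutils md5sum; the watch list and baseline paths are whatever you pass in, and the recipient address is a placeholder.

```shell
#!/bin/sh
# Added example, not Eric's script or any plugin's code: a baseline-and-compare
# file integrity check. Assumes GNU coreutils md5sum. Recipient is a placeholder.

# Record trusted md5 sums for every path listed (one per line) in $1 into $2.
# Re-run this right after a legitimate core/plugin/theme update so the next
# check does not raise a false "File Changed" alarm.
make_baseline() {
    : > "$2"
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        md5sum -- "$f" >> "$2"
    done < "$1"
}

# Compare the current md5 of each watched path ($1) against the baseline ($2).
# Prints one line per changed, new or missing file; returns 1 if any differ.
check_integrity() {
    watch=$1
    base=$2
    changed=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        old=$(awk -v p="$f" '$2 == p { print $1 }' "$base")
        if [ -f "$f" ]; then
            new=$(md5sum -- "$f" | awk '{ print $1 }')
        else
            new="MISSING"
        fi
        if [ "$old" != "$new" ]; then
            printf '%s\n' "$f"
            changed=1
        fi
    done < "$watch"
    return $changed
}

# Cron entry point: e-mail the list of changed files when the check fails,
# falling back to stdout when no `mail` command is installed.
notify_if_changed() {
    diffs=$(check_integrity "$1" "$2") && return 0
    if command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$diffs" | mail -s "Hack Warning - File Changed" admin@example.com
    else
        printf 'Hack Warning - File Changed:\n%s\n' "$diffs"
    fi
    return 1
}
```

Run `make_baseline` once from a known-clean state (and again after each update you made yourself), then schedule `notify_if_changed watchlist baseline` from cron.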
Regina Smola says
Hi Eric. Thanks for your comment.
I can understand the “Panic” when you get a warning. You can imagine how many I get on a daily basis watching so many people’s sites for them. Whew!
Interesting that you have a homebrew script. Did you write it yourself?
Matt says
I just recently discovered http://wordpress.org/extend/plugins/bulletproof-security/ and like it a lot because it automatically creates an .htaccess file with security rules to my site.
However, http://wordpress.org/extend/plugins/login-lockdown/ is another great one.
Is it possible to use too many WordPress security plugins?
Regina Smola says
Hi Matt,
I was just checking out BulletProof Security. Very nice features. I’m going to try it and see how it works out. Thanks for the suggestion.
Good question. We always want to try and limit the amount of plugins we use on our sites. This will reduce backup size, conflicts, extra database options and duplicating the same settings from other plugins. I hope that helps.
Matt says
Regina,
It seems that Bullet Proof Security functions in the same way as WP Security Scan but does even more (in the fact that it creates an .htaccess file to protect your blog).
So therefore I’m going to uninstall it as I don’t want too much overkill.
Keep me apprised of your thoughts on the plugin please.
Matt
Regina Smola says
Thanks Matt.
BTW, I am going to write a review post on it soon, but you have to check out Defensio. Comment anti-spam on steroids! You can have 5 sites free before you pay. I’ve been testing it for the last month and it rocks!
Regina Smola says
Matt,
Just finished testing BulletProof on my test site. I have to say “WOW” to the plugin. It is a time saver (especially for the .htaccess) and does many of the things I do manually. I can’t wait to see what else they have in store for the Pro version.
You’re right, I don’t have to have WP Security Scan, ServerBuddy, or WP-ServerInfo anymore. It replaces 3 plugins for me.
One I’m keeping for sure is WP FireWall 2. It just found a malicious script on one of my comment authors URLs.
Matt says
Regina,
Glad to hear you like the plugin. I’m going to remove WP Security Scan. That being said, I’ve been working at securing my site over the last few days and realized I possibly had some loopholes. I ran the Exploit Scanner and it detected 187 issues including a base64 malicious code error. Not sure what to do. May need your assistance.
That being said, do you use Bad Behavior or is it unnecessary with these other plugins?
Matt
Regina Smola says
Matt,
Ouch, 187 issues. Base64 can be false positives.
Yes, I use Bad Behavior integrated with http://projecthoneypot.org (script manually installed, I don’t use the extra plugin for that).
Yes, securing websites takes time. I’m glad you’re being proactive. I’d be glad to help. I just sent you an email. 🙂
Matt says
Regina,
I thought I’d mention that you can read some of the developers comments here:
http://wordpress.org/support/topic/plugin-bulletproof-security-unsolicited-positive-review-for-bullet-proof-security-plugin?replies=6#post-1819048
Ed put over 300 hours into this plugin as it was designed for a client’s site and then he decided to use it to contribute to the community.
I’m not a WP Security Expert, but I’d say this thing locks up your blog like Fort Knox.
Regina Smola says
I will read his post for sure and check out the plugin thoroughly and give you my thoughts.
Matt says
Regina,
Would it be beneficial for a WordPress plugin to have the kind of functionality that this Joomla extension has?
http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/12254?qh=YToxOntpOjA7czo3OiJqc2VjdXJlIjt9
Matt
Regina Smola says
Matt,
I checked out the Joomla extension. From what I can tell, it gives you an access key for the admin section before it will load. It would be great to have something like this built into WP, but I don’t know of anything available.
For WordPress, you can restrict access to your wp-login.php by IP address (.htaccess), or move your installation to a different folder to make it a little more difficult to find, rename your wp-admin folder (.htaccess) — but has some drawbacks, or password protect your wp-admin folder (cPanel — easy or AskApache Password Protect Plugin — can be tricky).
I have mine restricted via IP addresses. Anyone that attempts to access my wp-login.php or wp-admin gets a 404 error.
Matt says
Regina,
Thanks again for your feedback.
I think that the functionality of the Joomla extension built into a WordPress plugin would be beneficial to people like me who do not have a static IP address. My ISP issues dynamic IPs to all residential customers and static IPs to business clients. Static IPs are a lot more $$$ which I do not have to invest in my business.
That being said, perhaps it could be incorporated into the Bullet Proof Security Pro plugin.
What other features would you add to this plugin?
Having the ability to change the .htaccess file from within the WP Dashboard is one I know Ed has in mind as well as the ability to upload/download files, however I was curious as to what features/additions you would implement?
Matt
Matt says
P.S.
I’m going to do the next best thing and use SSL to encrypt my wp login page.
Matt
Regina Smola says
Excellent idea Matt!
Regina Smola says
I will have to think about it more when I have a chance to really examine the plugin. However, one thing I noticed is that it doesn’t protect the .htaccess files themselves or .svn for those who use it.
# protect .htaccess, .svn
<FilesMatch "^\.(htaccess|svn)">
order allow,deny
deny from all
</FilesMatch>
I’d also like to see the ability to blacklist some IPs from the plugin as well.
Matt says
Regina,
There is a WordPress plugin that does do that, it is Stealth Login, however the developer has all but abandoned it as it hasn’t been updated in over two years. That being said, I am having my own plugin that will hide my wp-admin login screen from the general public designed as we speak. I’ll let you know when it is done. 🙂
Regina Smola says
Hi Matt,
Awesome!!! Yes, please let me know when it’s ready so I can review and promote it.
~ Regina
Carole Bonds says
I like Login Lockdown, WP Security Scan, Secure WordPress, TAC and Ultimate Security Checker.
Regina Smola says
Hi Carole,
Thanks for listing your favorite WordPress security plugins! I have not tried Ultimate Security Checker or TAC yet. What does TAC stand for?
~ Regina Smola
Sameer Manas says
Hi Regina,
I run a WordPress blog too. I use Bulletproof Security, CloudFlare and Codeguard (for DB backups). I assume my blog is now BombProof ^^
However there is one thing that bothers me. “Daily Backups”
I tried using WpBackUp but it just broke my installation once. Is there any plugin or a web based backup system that generates WXR and SQL files for backup and stores them in cloud storage like Box.net, Symform, Dropbox?
If you have any suggestions on daily backups, please let me know.
Regina Smola says
Hi Sameer,
Thanks for your comment and great question. In regards to your blog being “BombProof,” there is no way that can be done. For every WordPress site, I do 110 security checks/procedures. That’s not to say that WordPress isn’t safe, it’s all the extra stuff we add to it like our hosting, plugins, themes, etc. that make it more vulnerable. Just one plugin won’t do it, but it certainly helps.
Backups: I would suggest you look into getting the BackupBuddy plugin, it does a great job, they offer excellent support, and I use it on all my sites. I store my backups on several secured offsite locations with it.