Security should always be a top priority.
Hackers are now everywhere, and it pays to be cautious as well as protected and prepared.
I keep reading in forums about people whose sites have been hacked, so don't wait until your site is hacked: start protecting it right now.
Here are some of the best WordPress security plugins and tips to help you secure your own personal space, your site. You would not want anyone destroying it, right?
1. Secure WordPress
This is a very useful plugin because it does a lot for your WordPress blog. It removes error information from the login page, hides your WordPress version in the dashboard and much more.
Download Link: http://wordpress.org/extend/plugins/secure-wordpress/
2. WP Security Scan
This plugin scans your entire WordPress installation and suggests improvements for security weaknesses such as passwords, database security, file permissions and admin security.
Download Link: http://wordpress.org/extend/plugins/wp-security-scan/
3. Login Lockdown
It takes note of the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. Currently the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
Download Link: http://www.bad-neighborhood.com/login-lockdown.html
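To make the rule above concrete, here is an added example (not the Login Lockdown plugin's own code) that models the default policy (3 failures within 5 minutes locks the range for 1 hour) and replays it over constructed log lines; it assumes an "IP range" means the /24 block of the client address.

```python
# Added example, not the Login Lockdown plugin's code: the lockout rule described
# above, replayed over constructed log lines. "IP range" is taken to be the /24 block.
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ip_range(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

class LoginLockdown:
    def __init__(self, max_attempts=3, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1)):
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = defaultdict(deque)  # range -> recent failure timestamps
        self.locked_until = {}              # range -> end of lockout
    def is_locked(self, ip, now):
        until = self.locked_until.get(ip_range(ip))
        if until is not None and now >= until:
            del self.locked_until[ip_range(ip)]  # lockout has expired
            return False
        return until is not None
    def record_failure(self, ip, now):
        """Note a failed login; return True if it pushes the range into lockout."""
        q = self.failures[ip_range(ip)]
        q.append(now)
        while now - q[0] > self.window:  # keep only failures inside the window
            q.popleft()
        if len(q) < self.max_attempts:
            return False
        self.locked_until[ip_range(ip)] = now + self.lockout
        q.clear()
        return True

# Constructed log ("date time result ip user"): the third failure is another host in
# the same /24, which a per-range rule still counts; the last comes after the lockout ends.
LOG = """\
2010-01-15 10:00:01 FAILED 203.0.113.5 admin
2010-01-15 10:00:09 FAILED 203.0.113.5 admin
2010-01-15 10:01:30 FAILED 203.0.113.77 admin
2010-01-15 10:02:00 FAILED 203.0.113.5 admin
2010-01-15 10:02:05 FAILED 198.51.100.9 editor
2010-01-15 11:30:00 FAILED 203.0.113.5 admin"""

def replay(log=LOG):
    """Return ([(range, lock time)], number of attempts rejected while locked)."""
    ld, locked, rejected = LoginLockdown(), [], 0
    for line in log.splitlines():
        date, time, result, ip, _user = line.split()
        now = datetime.fromisoformat(f"{date} {time}")
        if ld.is_locked(ip, now):
            rejected += 1
        elif result == "FAILED" and ld.record_failure(ip, now):
            locked.append((ip_range(ip), now.isoformat(sep=" ")))
    return locked, rejected
```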
4. AskApache Password Protect
As the name suggests, this plugin password-protects your WordPress blog. It protects everything from your wp-admin directory to wp-content, plugins and much more, and you can edit its settings right from your WordPress admin panel.
Download Link: http://wordpress.org/extend/plugins/askapache-password-protect/
5. WP-DBManager
This is one of the most widely used plugins for optimizing, repairing, backing up and restoring the database, deleting old backups, dropping or emptying tables and running selected queries. WP-DBManager also supports automatic scheduling of database backups and optimization.
Download Link: http://wordpress.org/extend/plugins/wp-dbmanager/
6. WP-SpamFree
An extremely powerful anti-spam plugin for WordPress that eliminates comment spam, including trackback and pingback spam. It works invisibly, without CAPTCHAs or other inconvenience to site visitors. The plugin includes a spam-free contact form feature as well. Finally, you can enjoy a spam-free WordPress blog!
I recently installed this plugin and I hardly get any spam nowadays.
Download Link: http://www.hybrid6.com/webgeek/plugins/wp-spamfree
7. Angsuman’s WordPress Guard Plugin
Angsuman’s WordPress Guard Plugin is a WordPress security plugin that protects the vulnerable areas of your blog from outside access with an additional layer of security.
Download Link: http://taragana.com/products/free-wordpress-plugins/wordpress-guard-plugin/
8. Passwords
Make sure you create a password that is made up of lowercase letters, UPPERCASE letters and symbols. If you have kept the password that was generated for you when you installed WordPress, CHANGE IT NOW. There have been many cases where hackers have gained access to sites via the passwords generated by the hosting company.
9. Administrator Username
Change your administrator username from "admin" to something else. Most hackers know that for 99% of blogs the username is "admin". Make it harder for them and change it.
10. WordPress Versions
Keep your WordPress version up to date, especially when WordPress issues a minor upgrade within a version. For instance, if you are on version 2.8.4, always upgrade to WordPress 2.8.5 and 2.8.6.
When WordPress 2.9 came out recently, I didn't upgrade, as it was a major upgrade, i.e. 2.8 to 2.9. I always wait until WordPress issues the minor upgrade to the major version, i.e. 2.9.1. There could be security and other problems within the major version. I am now on version 2.9.1.
Remember to backup your blog before upgrading.
11. Plugin Versions
Keep your plugins up to date. Plugins are often updated for security reasons. But before you upgrade, ensure the latest version is compatible with the version of WordPress you are using.
It is very important to keep your blog secure. Thirty minutes' work now can save you many hours of frustration recovering from a hacked blog.
What experiences have you had with these plugins, and are there other security tips you'd recommend? Share your views in the comments below.
I never thought about hackers getting into my blogs until I saw your site. I also wasn't aware that most people used "admin" for a username. I am going to go back in and secure my blogs a little more effectively now.
Thanks for dropping by. I would certainly make your site as secure as possible. It’s certainly worth the effort.
Hackers take great joy in bypassing passwords, I’ve done it myself.
– Your job is to make passwords unpredictable.
It is wrong to tell people that passwords can be broken without explaining the proper way to choose one that will be more difficult to break.
– Given enough time every password can be broken.
You should choose a password that is seven or more characters long. Don’t use a word that is found in a dictionary – a program can be written to check every word in a dictionary.
Once you use a password that you consider good, don't use a sequence of that password (Tolkien1, Tolkien2, Tolkien3).
Try making up an acronym – JDwfLTismf (“Jack Daniels whiskey from Lynchburg, Tennessee is my favorite”). Unless you know me well enough to know that I like Jack there would be no reason to consider that phrase. If you did know my like for Jack there is still no reason to consider this as a possible password.
Try and misspell a word using one or more special characters in the center of the word, like Disné#Land.
Since many passwords are case sensitive, use upper and lower case.
When it comes time to change passwords, I take the local newspaper and choose a word. The word for today is Doonesbury, which I modify to be D00n3sb_r. Or take the word lightbulb and spell it 1igh+b_1B. It is actually very simple, once you get the hang of it.
Take the word “automated” and on a US keyboard type one character to the right “siyp,syrf” and doing this means that you can use your family name if you want to.
For sites that do not have any money-related information I use one password. I take an unnatural word combination, like an adverb and a noun (an adverb, broadly defined, is a word which modifies any word other than a noun), and combine them to make a word that does not exist in the dictionary. SlowlyTruck is a combined word that does not appear when searched on the internet. Slightly change the spelling and you really have a wonderful password – how about Sl0w1yTruck.
I only use one password for sites like blogs. For sites that have money related things I use the ideas referenced above, but since I have a good memory I really screw the text up. I have also taken a text file and just typed a dozen or so characters, and whatever came out was a password.
Change your password at work every two months and personal passwords as often as you feel necessary.
Change your password now. Don’t wait for the prompt.
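As an added example (not from the post or from the commenter), here is a checker for the rules given in the comment above (seven or more characters, mixed case, no dictionary word, no numbered sequence of an earlier password) together with the "one key to the right" transform; `WORDLIST` is a constructed stand-in for a full dictionary and `base_of` is a helper name chosen here.

```python
# Added example (not from the post or the comment): a checker for the rules in the
# comment above, plus the "one key to the right" transform. WORDLIST is a constructed
# stand-in for a full dictionary.
import re

WORDLIST = {"tolkien", "doonesbury", "lightbulb", "automated", "truck", "password"}
KEY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

def base_of(pw):
    """Strip a trailing number so Tolkien1, Tolkien2, Tolkien3 share one base."""
    return re.sub(r"\d+$", "", pw).lower()

def check_password(pw, previous=(), wordlist=WORDLIST):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("does not mix upper and lower case")
    if base_of(pw) in wordlist:
        problems.append("is a dictionary word")
    if any(base_of(pw) == base_of(old) for old in previous):
        problems.append("is a numbered sequence of an earlier password")
    return problems

def shift_right(word):
    """Type each character one key to the right on a US keyboard."""
    out = []
    for ch in word.lower():
        for row in KEY_ROWS:
            i = row.find(ch)
            if 0 <= i < len(row) - 1:
                out.append(row[i + 1])
                break
        else:
            out.append(ch)  # not on a key row, or at a row's end: keep as-is
    return "".join(out)
```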
Thanks for taking the time out to write such great advice and sharing your tips/ideas. I’m sure many of us will benefit.
I've faced this type of problem on one of my e-commerce sites. Every month I was facing hacking problems. But this is the first time I am hearing that hackers are hacking blogs.
Anyway, thanks for the alert. I will try to protect my blog.
You are welcome, Chris. It’s certainly worth adding some security.
I’ve often wondered if writing these posts was a good idea. What better target for a smart-ass hacker? 😉
Thanks man, good plugins. 🙂
Dennis Edell's last blog: Blog Move Is Immanent! I'm Looking For Launch Partners…
That thought went through my head as well, Dennis, as I was pressing the ‘publish’ button. If you don’t hear from me for a few days, you know why – I’ve been hacked!
Andrew – thanks, this is a very useful guide and one I will make use of. Other things I have read about security go into technical stuff that's beyond me. What I do for passwords is have a file on a flash drive that I keep passwords on (the file itself has a bland name and none of the passwords are identified as such, of course) – all totally random characters. I copy and paste them as required. This stops any hacker reading your keystrokes. I think it was Kevin Riley who recommended this. It can be a pain having to plug in the flash drive, but it "feels" more secure!
David Rogers's last blog: Build Self Confidence Fast
We all have different ways and what works for some do not work for others. You’ve found a method that works for you!
I hope the plugins help.
The first plugin on your list, "Secure WordPress", makes a fair number of back-end security upgrades to your WordPress blog, particularly if you're granting access to multiple users. Even if the Secure WordPress plugin is a bit more than a single-user WordPress blogger might want, I'd recommend creating a blank "index.php" in the plugin directory, which the plugin would do for you. Having this file in the plugin directory keeps people from being able to determine which plugins you're running on your blog.
will@laser hair removal's last blog: Speculating about Tiger Woods's Groomed Chest: Chest Hair Removal for Men
Thanks for sharing that sound advice.
Gosh, my blog is very vulnerable. I need to install these plugins on my WordPress. Thanks for sharing this. 🙂
Walter's last blog: Criticism: the unwanted mentor
I really recommend it. A few minutes effort now can make all the difference. Of course, we can never be 100% secure.
Thanks for sharing these security-related WordPress plugins. I have installed a few of them right away.
gedet basumatary's last blog: Search IFSC code of Any Bank in India Easily
You are welcome. I hope they help.
I'm totally new to the plugins that you listed here, Andrew; I am going to check them out one by one.
For the username, try to use a login username that is different from the name displayed in the post, i.e. "By Andrew Rondeau". I used to use the same username for both, but I changed it a few months ago.
WordPress keeps upgrading the WordPress version to prevent any spam or virus that may harm our blogs; no doubt they really did a great job on that! I've yet to upgrade mine to the latest 2.9.1, going to upgrade soon.
Good advice about the username – thanks for pointing that out.
Re: upgrade. Check your plugins still work and backup beforehand.
All the best,
You know, years ago, this post would have really sounded like a ridiculous Sci-Fi movie premise. Blogging and making money online has gained so much momentum that now Blog and website security is a serious issue. I’m glad you posted this because honestly, I had no clue where to even begin. Now I know there are some more measures I should take. Thanks.
Kiesha @ The Affiliate Marketer's Help Desk's last blog: 10 tips to getting more retweets
You are welcome – I hope they make a difference.
Well, now I'm nervous. I will go in and have a look at which of these plugins to install. Excellent list, Andrew!
Cheryl from thatgirlisfunny's last blog: Female UFC Fight Fans Are Hot! Actually, You Do Want to Date These Girls
Thanks, Cheryl. Be safe!
I think the basic stuff is the most important. Keep your installation up to date and specifically, watch out for security updates. Keep a password only you know (and not your host) and make it strong enough. Keep your computer clean of keyloggers.
Anne Moss's last blog: Does Skype Owe You Money? They're Willing to Pay
I agree the basic stuff is important but it is no longer secure enough. I’ve a few blogging friends who have been hacked recently and they only had the basic stuff in place. For a few minutes extra effort I would take more precautions.
Well, security should always be at the top of everyone's list and must never be taken lightly. My blog was hacked some time ago and it was no joke; I lost a lot of information and I was not happy at all.
Totally agree, George.
It’s not nice when you are hacked!
Bit like backing up. A few years ago, I lost all the family photos and some work when my hard disk got corrupted. Now I backup at least once a week.
I'm using wp-dbmanager and it shows an error message, and then I upgraded to 2.9.1 and hope the message is still there.
You still getting the error message? What is it?
Thanks for your submission to the Seventy Sixth edition of the Blog Carnival: Blogging. Your post has been accepted and it's live:
I kinda prefer Limit Log-in Attempts to Login Lockdown as the former sends out an email informing of any attempt to illegally access your dashboard 😉
I use Wp Spam Free too and it’s the best thing that could happen to any blogger in terms of spam control.
Why would I want to see hundreds of emails telling me the person couldn’t get access?
That's an interesting angle I haven't looked at before. Hundreds of emails alerting me to the situation will only get me in serious panic mode 😉
Good article, and just to add to this list, another plugin which I have found really useful (if you allow people to register on your site) is the Stop Spammer Registrations Plugin – http://wordpress.org/extend/plugins/stop-spammer-registrations-plugin/
Basically, any time someone tries to register on your site, the email is checked against the StopForumSpam database. If a match is found, they are denied registration.
great share – thanks.
Hackers love to break into innocent and new blogs and put their backlinks in them. Getting your WordPress site hacked can cause drastic drops in rankings. Every method possible to protect and secure your blog should be used to prevent it.