Hardening WordPress Security: 25 Essential Plugins + Tips
If you are running a WordPress-powered website, its security should be your primary concern. In
most cases, WordPress blogs are compromised because their core files and/or plugin are outdated;
outdated files are traceable and it’s an open invitation to hackers.
(Image Source: Fotolia)
How to keep you blog away from the bad guys for good? For starters, make sure you are always updated with the latest version of WordPress. But there’s more. In today’s post, I’ll like to share with you some useful plugins as well as some tips to harden your WordPress security.
Full list after jump!
Plugins For Better Security
WP DB Backup
WP DB Backup is an easy to use plugin which lets you backup your core WordPress database tables just by a few clicks. Besides it is so easy, it has also been one of the most used plugin to secure your WP-powered website.
WP Security Scan
With this plugin, scanning your WordPress-powered site will be a simple task. It finds the vulnerabilities in your site and offer useful tips on removing them.
Ask Apache Password Protect
This plugin doesn’t control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in security features to add multiple layers of security to your blog.
The Stealth Login plugin will help you to create custom URL addresses for login, registering and logout of WordPress.
Login Lockdown will help you to lock attempts for a period of time on logging in to your admin panel after a number of attempts.
This is another great plugin which allows you to manage your WP database. It could be used as an alternative to the WordPress Backup Manager.
Admin SSL Secure Plugin
Another plugin for keeping your admin panel secure. It acts on the SSL encryption and is really useful against hackers or people trying to get unallowed access to your panel. It is the rival for the Chap Secure Login Plugin.
If you want to avoid brute-force hacking your site, then the User Locker plugin is right for you. It works on the same system as Login Lockdown, however, it’s a 5-stars rated WP plugin which has a great fame among its users.
Limit Login Attempts
Limit Login Attempts blocks the internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
Login Encrypt is a security plugin. It uses a complex combination of DES and RSA to encrypt and secure the login process to the admin panel.
One Time Password
This unique plugin will help you to set a one-time password for your login, in order to prevent logging of unwanted users from internet cafes or such.
Antivirus is a quite popular security plugin which will help you to keep your blog secured against bots, viruses and malwares.
Bad Behavior is the plugin which helps you fight with those annoying spammers. The plugin will not only help you prevent spam messages on your blog, but also will try to limit access to your blog, so they won’t be able even to read it.
Search the files and database of your WordPress install for signs that may indicate that the files or the database has fallen victim to malicious hackers. Even if it’s another scan plugin, it’s worth a try.
User Spam Remover
The plugin’s name tells its functions, a popular plugin which will help you prevent and remove the unwanted spam messages.
Block Bad Queries
This plugin attempts to block away all malicious queries attempted on your server and WordPress blog. It works in background, checking for excessively long request strings (i.e., greater than 255 chars), as well as the presence of either "eval(" or "base64" in the request URI.
8 Essential Tips
Changing default "wp_" Prefixes
Your website might be at stake if you are using the predictable wp_ prefixes in your database. The following tutorial teaches you how to get them changed via phpMyAdmin in 5 simple steps.
You can also get this done with WP Security Scan plugin.
Hide login error messages
Error login messages may expose and give hackers an idea if they’ve gotten username correct/incorrect, vice versa. It is wise to hide it from unauthorized login.
To hide login error messages, simply put the following code in functions.php
add_filter('login_errors',create_function('$a', "return null;"));
Keep wp-admin Directory Protected
Keeping "wp-admin" folder protected adds an extra layer of protection. Whoever attempts to access files or directory after "wp-admin" will be prompt to login.
Protecting your "wp-admin" folder with login and password can be done in several ways:
- WordPress plugin – Using the WordPress AskApache Password Protect plugin.
- cPanel – If your hosting supports cPanel admin login, you can set protection easily on any folder via cPanel’s Password Protect Directories graphical user interface. Find out more from this tutorial.
- .htaccess + htpasswd – Creating a password-protected folder can also be done easily by setting the folders you want to protect inside .htaccess and users allowed to access inside .htpasswd. The following tutorial shows you how to do it in 7 steps.
Keeping backup copies of your entire WordPress blog is as important as keeping the site safe from hackers. If the latter fail, at least you still have the clean backup files to revert.
Prevent directory browsing
Another big security loophole is having your directories (and all its files) exposed and accessible to public. Here’s a simple test to check if your WordPress directories are well protected:
- Enter the following URL in browser, without the quotes. "http://www.domain.com/wp-includes/"
If it shows blank or redirect you back to home page, you are safe. However, if you see screen similar to the image below, you are not.
To prevent access to all directories, place this code inside your .htaccess file.
# Prevent folder browsing Options All -Indexes
Keep WordPress core files & Plugins updated
One of the safest ways to keep your WordPress site safe is to make sure your files are always updated to the latest release. Here are couple of ways (practices) you can do:
- Login to Dashboard often – A yellow notification will appear at the top of the Dashboard if update is available. Login often and keep yourself updated to the latest copy of WordPress core files.
- Deactivate and remove unused plugins – Unused plugin will eventually get outdated and may pose a security risk. If you are not using it, delete it.
- Subscribe to WordPress Releases RSS.
Pick a Strong Password
Is your password safe? A strong and safe password is more than just something memorable with numbers (e.g., john123). For starters, it should consist of more than 12 characters with the combination of numbers and alphabets in lower and uppercases.
Here are some applications that allow you to generate strong password:
Alternatively you can also check how strong (and safe) your current password is with howsecureismypassword.net.
Remove admin user
A typical installation of WordPress comes with a default user named "admin". If that’s the username to your WordPress site, you are already making hacker’s life 50% easier. Using user "admin" should be avoided at all times.
A safer approach to logging into your admin securely is to create a new administrator and have "admin" removed. And here’s how you do it:
- Login to WordPress admin panel
- Go to Users -> Add New
- Add a new user with Administrator role, make sure you use a strong password.
- Log out of WordPress, re-login with your new admin user.
- Go to Users
- Remove "admin" user
- If "admin" have posts, remember to attribute all posts and links back to the new user.
More Useful Resources:
- Hardening WordPress (WordPress)
- FAQ on WordPress security (WordPress)
- What to do if your site is hacked (WordPress)
- Understand .htaccess and .htpasswd (Apache)
- Protecting the wp-admin directory (nicolaskuttler.com)
- Cleaning hacked WordPress installation (Blogsblogsblogs.com)
Author: Daniel Smeek
Daniel is a web designer and developer who has a huge interest in photography (he takes his camera almost everywhere!). When he's not designing or taking photos, he writes articles for awesome web design blogs.