Tuesday, 5 April 2011

Important Plugins For WordPress Security

WordPress security is important! Keeping a WordPress blog safe from hackers takes ongoing attention, yet many people either don't care or don't take the necessary steps to make it safe.
Bloggers need to pay attention to their blog's security and not leave any doors open for hackers. If a hacker is absolutely determined to get into your blog, they will probably succeed, but the many security plugins available for WordPress let you protect it quite well.
Today I am writing about 15 very important handpicked plugins that can help you raise the security level of your WordPress blog.

1. WP Security Scan

This highly popular plugin shows the two most overlooked vulnerabilities in WordPress: the admin username and the table prefix. Both are fixable, and the plugin shows you how to fix them. It also removes the WP ID meta tag from the WordPress core, which could otherwise help a hacker, and turns off WordPress database error messages. It includes a scanner that lists the files and directories on your server and checks that they all have the correct permission rules (chmod).

2. AskApache Password Protect

AskApache Password Protect adds serious password protection to your WordPress blog. It protects not only your wp-admin directory but also wp-includes, wp-content, plugins and so on. In simple words, this plugin builds a big wall around your WordPress installation using username and password protection.

3. Stealth Login

This plugin lets you create custom URLs for logging in, logging out, administration and registration on your WordPress blog. For example, you can use a URL like “http://www.myblog.com/lol” to log into your administration panel. It won't secure your blog completely, but if someone does manage to crack or find your password, it makes it harder for them to find the login page.
IMPORTANT NOTE: What if you freely allow people to register and submit guest posts? The answer I received was that you give them the special URL you created, if you trust them enough. For the most part, guest authors should not be allowed into the admin panel at all unless they are authors of your site. If someone has written multiple posts for your blog, they can be trusted, so you can give them the special login URL you created. Most top blogs take guest posts via email, and guest authors are only allowed into the admin panel once they become regular authors.

4. WordPress Exploit Scanner

Sometimes a virus gets uploaded automatically, either from the server side or from your PC (for example while using FTP programs), which makes your blog unsafe to visit. It has happened to me many times on my affiliate blogs, and the result was that Google showed a malware warning page to whoever visited them.
See the example screenshot of how Google shows such a warning page. In this case it didn't actually harm my WordPress installation; my PC had some junk file that was causing this fake page to appear.
You can solve it fairly easily, because most of the time iframe viruses insert their code into many files of your WordPress blog. WordPress Exploit Scanner searches the files and database of your website for signs of suspicious activity. It will not stop someone from hacking into your site, but it may help you find any uploaded or compromised files left behind by the hacker. Use your head, and take a backup of your database before doing anything.

5. Login LockDown


Login LockDown tracks the IP address and timestamp of every failed WordPress login attempt. If more than a certain number say 3 attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range for specified time. This helps to prevent brute force password discovery.

6. Secure WordPress

If you use the plugin above, i.e. Login LockDown, then I think you should also install the Secure WordPress plugin, because it removes the error information on the login page (Login LockDown generates an error when the username or password entered is incorrect).
This matters because if a hacker gets only one of the two wrong, the error message helps him identify which one and correct it. Beyond this, the plugin has many other features:
  1. Adds an index.html file to plugin-directory
  2. Removes the wp-version, except in admin-area
  3. Removes Really Simple Discovery
  4. Removes Windows Live Writer
  5. Removes core update, plugin-update and theme-update information for non-admins
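As an added example that is not code from either plugin, the PHP below implements the two behaviours just described: Login LockDown's sliding-window count of failed attempts per IP range, and Secure WordPress's replacement of the informative login error with a generic one, plus removal of the version, RSD and Windows Live Writer tags from the page head. The class is plain PHP and runs without WordPress (the constructed attempts at the end show it); the wiring uses the real `wp_login_failed`, `authenticate` and `login_errors` hooks and the stock `wp_head` actions. The thresholds, the "/24 range" rule and the in-memory store are assumptions made for this example; a real plugin would persist the counters in the database, since each WordPress request is a fresh PHP process.

```php
<?php
// Added example (not the Login LockDown or Secure WordPress plugin code).
// Thresholds, the /24 "range" rule and the in-memory store are assumptions.

final class FailedLoginTracker
{
    private int $maxAttempts;
    private int $windowSeconds;
    private int $lockoutSeconds;
    /** @var array<string, int[]> range => timestamps of recent failures */
    private array $failures = [];
    /** @var array<string, int> range => unix time at which the lockout ends */
    private array $lockedUntil = [];

    public function __construct(int $maxAttempts = 3, int $windowSeconds = 300, int $lockoutSeconds = 3600)
    {
        $this->maxAttempts    = $maxAttempts;
        $this->windowSeconds  = $windowSeconds;
        $this->lockoutSeconds = $lockoutSeconds;
    }

    /** Collapse an IPv4 address to its /24 so rotating the last octet does not
     *  reset the counter; IPv6 and anything unparseable are kept as-is. */
    public static function rangeOf(string $ip): string
    {
        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            return implode('.', array_slice(explode('.', $ip), 0, 3)) . '.0/24';
        }
        return $ip;
    }

    /** Record one failure at time $now; returns true when it triggers a lockout. */
    public function recordFailure(string $ip, int $now): bool
    {
        $range  = self::rangeOf($ip);
        $cutoff = $now - $this->windowSeconds;
        // Keep only failures inside the sliding window, then add this one.
        $recent = array_filter($this->failures[$range] ?? [], fn($ts) => $ts > $cutoff);
        $recent[] = $now;
        $this->failures[$range] = array_values($recent);
        if (count($recent) >= $this->maxAttempts) {
            $this->lockedUntil[$range] = $now + $this->lockoutSeconds;
            $this->failures[$range] = [];   // counter restarts after the lockout
            return true;
        }
        return false;
    }

    public function isLocked(string $ip, int $now): bool
    {
        return ($this->lockedUntil[self::rangeOf($ip)] ?? 0) > $now;
    }
}

if (function_exists('add_action')) {          // only inside WordPress
    $tracker = new FailedLoginTracker();      // real plugin: persist this, e.g. in an option

    // Refuse the login while the caller's range is locked out (runs after WP's own checks at 20).
    add_filter('authenticate', function ($user) use ($tracker) {
        if ($tracker->isLocked($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time())) {
            return new WP_Error('locked_out', 'Too many failed logins. Try again later.');
        }
        return $user;
    }, 30, 1);

    // Count every failed attempt.
    add_action('wp_login_failed', function () use ($tracker) {
        $tracker->recordFailure($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0', time());
    });

    // Secure WordPress behaviour: one generic message, so the form never reveals
    // whether the username or the password was the wrong half.
    add_filter('login_errors', fn() => 'Login failed.');

    // Secure WordPress behaviour: stop advertising the version, RSD and Windows Live Writer endpoints.
    remove_action('wp_head', 'wp_generator');
    remove_action('wp_head', 'rsd_link');
    remove_action('wp_head', 'wlwmanifest_link');
}

// Stand-alone demo with constructed attempts (no WordPress needed).
$t    = new FailedLoginTracker(3, 300, 3600);
$base = 1700000000;
$t->recordFailure('203.0.113.7', $base);            // 1st failure from 203.0.113.0/24
$t->recordFailure('203.0.113.8', $base + 60);       // 2nd, different host, same /24
$locked = $t->recordFailure('203.0.113.9', $base + 120);   // 3rd within 5 minutes: lockout
assert($locked && $t->isLocked('203.0.113.50', $base + 130));
assert(!$t->isLocked('203.0.113.50', $base + 130 + 3600));  // expired after an hour
```

Run it with `php lockdown_example.php`; the asserts at the bottom pass silently. The counter keys on the /24 rather than the exact address so that a scan spread across neighbouring hosts still trips the threshold, at the cost of occasionally locking out an innocent neighbour on shared hosting, which is why the lockout is time-limited rather than permanent.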

7. Admin SSL

This plug-in works with both private and shared SSL connections and forces an SSL connection on every page where a password can or must be entered, such as when logging into your WordPress dashboard, i.e. it uses “https://” instead of “http://”. It is very helpful for protecting the admin area, posts and all the pages of your WordPress installation, and for securing the login page.
NOTE: This plug-in works only from WordPress 2.2 to 2.7.1.

8. AntiVirus

This plugin is very easy to use; it lets you run a manual scan with immediate results on infected files. You can also enable an option to scan your WordPress template daily and send a notification email when something infected is found. It is just like the antivirus software you use on your computer.

9. WordPress Firewall

This WordPress plugin inspects web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks. It whitelists and blacklists pathological-looking phrases based on which field they appear in within a page request (unknown or numeric parameters versus known post bodies, comment bodies, etc.).
Its purpose is not to replace prompt and responsible upgrading, but to mitigate 0-day attacks and let bloggers sleep better at night. It can also email you a useful dump of information whenever it blocks a potential attack, and much more.

10. One Time Passwords

You may have heard of the VeriSign One Time Password for bank cards. Similarly, this plugin lets you log into your WordPress blog with passwords that are valid for one session only. One-time passwords prevent theft of your main WordPress password in less trustworthy environments, such as internet cafés, where anyone, even a novice, could capture your password with a keylogger program.

11. Semisecure Login Reimagined

Semisecure Login Reimagined increases the security of the login process by using an RSA public key to encrypt the password on the client side when a user logs in. The server then decrypts the encrypted password with the private key. JavaScript is required for the encryption to work.
It is most useful where SSL is not available but the blog administrator wants some additional security measures in place without sacrificing convenience.

12. WP DBManager

You should always have a backup ready for bad times, because no one can say when the evil will strike. WP DBManager lets you optimize, repair, back up and restore the database, delete database backups, drop or empty tables and run selected queries. It also supports scheduled automatic backups that are mailed to your email address, and database optimization can be scheduled automatically as well.

13. SABRE

SABRE stands for Simple Anti Bot Registration Engine. It's a set of countermeasures against spam registrations on your blog. Your visitors are allowed to register freely, and now you are plagued by fake users created automatically by spammers? SABRE is the solution to stop these robotized visitors for good.

14. Invisible Defender

This plugin protects the registration, login and comment forms from spambots by adding two extra fields hidden with CSS. Almost every spambot fills in all the fields according to its script, but real humans cannot see the hidden fields, so if every field gets filled in, the submission is treated as a spambot. Because the two extra fields are hidden with a CSS rule, most users will never see them. Only users of text-based browsers (and very old ones that do not support CSS) will see them, but don't worry: the plugin shows them a special message.
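The honeypot technique described above, written as an added example rather than Invisible Defender's own code. Two CSS-hidden fields are rendered with a short message for text-browser users; a submission that fills in either field is rejected. The field names, the message wording and the rejection text are assumptions; the WordPress hooks used for wiring (`comment_form_after_fields`, `comment_form_logged_in_after`, `preprocess_comment`, `register_form`, `registration_errors`) are real. The two functions themselves run without WordPress, as the constructed submissions at the end show.

```php
<?php
// Added example (not the Invisible Defender plugin's code). Field names and
// message texts are assumptions chosen for the example.

const HONEYPOT_FIELDS = ['id_website_url', 'id_contact_phone'];

/** HTML for the two trap fields. A display:none wrapper hides them from anyone
 *  rendering CSS; the label is the "special message" for text-based browsers. */
function honeypot_fields_html(): string
{
    $html = '<div style="display:none" aria-hidden="true">';
    foreach (HONEYPOT_FIELDS as $name) {
        $html .= sprintf(
            '<label>Leave this field empty: <input type="text" name="%s" value="" tabindex="-1" autocomplete="off"></label>',
            htmlspecialchars($name, ENT_QUOTES)
        );
    }
    return $html . '</div>';
}

/** True when any trap field arrived non-empty: no human sees these fields,
 *  so a value there means a script filled in every input it found. */
function honeypot_is_bot(array $post): bool
{
    foreach (HONEYPOT_FIELDS as $name) {
        if (isset($post[$name]) && trim((string) $post[$name]) !== '') {
            return true;
        }
    }
    return false;
}

if (function_exists('add_action')) {          // only inside WordPress
    // Comment form: render the traps after the normal fields, for guests and logged-in users.
    add_action('comment_form_after_fields', fn() => print honeypot_fields_html());
    add_action('comment_form_logged_in_after', fn() => print honeypot_fields_html());
    // Reject the comment before it is stored.
    add_filter('preprocess_comment', function (array $commentdata) {
        if (honeypot_is_bot($_POST)) {
            wp_die(
                'Your submission looks automated. If you use a text-only browser, leave the extra fields empty and try again.',
                'Comment rejected',
                ['response' => 403]
            );
        }
        return $commentdata;
    });

    // Registration form: same traps, surfaced as a registration error.
    add_action('register_form', fn() => print honeypot_fields_html());
    add_filter('registration_errors', function (WP_Error $errors) {
        if (honeypot_is_bot($_POST)) {
            $errors->add('honeypot', 'Registration rejected: a hidden field was filled in.');
        }
        return $errors;
    });
}

// Constructed submissions (no WordPress needed): a human leaves the traps empty,
// a form-filling bot does not.
assert(!honeypot_is_bot(['comment' => 'nice post', 'id_website_url' => '', 'id_contact_phone' => '']));
assert(honeypot_is_bot(['comment' => 'buy now', 'id_website_url' => 'http://spam.example', 'id_contact_phone' => '']));
assert(!honeypot_is_bot(['comment' => 'posted via API, traps absent']));
```

A submission with the trap fields missing altogether is deliberately not treated as a bot here, so comments arriving through XML-RPC or other clients that never render the form are not rejected; a stricter deployment could flag that case too.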

15. WordPress File Monitor

This simple plugin regularly monitors your WordPress installation for added, deleted or changed files. When a change is detected, an email alert is sent to a specified address. It also lets you exclude directories from the scan (for instance if you use a caching system like WP Super Cache that stores its files within the monitored area).
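An added example of the change detection such a file monitor performs, not the WordPress File Monitor plugin's own code: hash every file under the installation, keep the manifest, and on the next run report added, deleted and changed paths while skipping an excluded cache directory. The demo directory layout is constructed; the scheduling and mail wiring at the end uses real WordPress functions (`wp_next_scheduled`, `wp_schedule_event`, `get_option`, `update_option`, `wp_mail`) with hook and option names that are assumptions.

```php
<?php
// Added example (not the WordPress File Monitor plugin's code).

/** Map of relative path => sha256 for every file under $root, pruning $excludeDirs. */
function build_manifest(string $root, array $excludeDirs = []): array
{
    $root     = rtrim(realpath($root), DIRECTORY_SEPARATOR);
    $relative = fn(SplFileInfo $f) => substr($f->getPathname(), strlen($root) + 1);

    // Returning false for a directory stops the iterator descending into it,
    // so a busy cache directory never shows up as "changed".
    $filter = function (SplFileInfo $file) use ($relative, $excludeDirs): bool {
        $rel = $relative($file);
        foreach ($excludeDirs as $ex) {
            if ($rel === $ex || strpos($rel, $ex . DIRECTORY_SEPARATOR) === 0) {
                return false;
            }
        }
        return true;
    };

    $files = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
            $filter
        )
    );

    $manifest = [];
    foreach ($files as $file) {
        if ($file->isFile()) {
            $manifest[$relative($file)] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

/** Compare two manifests; each list is in path order. */
function diff_manifests(array $old, array $new): array
{
    $changed = [];
    foreach (array_intersect_key($new, $old) as $path => $hash) {
        if ($old[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($new, $old)),
        'deleted' => array_keys(array_diff_key($old, $new)),
        'changed' => $changed,
    ];
}

if (function_exists('add_action')) {          // only inside WordPress; names below are assumptions
    if (!wp_next_scheduled('example_file_monitor_check')) {
        wp_schedule_event(time(), 'daily', 'example_file_monitor_check');
    }
    add_action('example_file_monitor_check', function () {
        $current  = build_manifest(ABSPATH, ['wp-content/cache']);
        $previous = get_option('example_file_monitor_manifest', []);
        $report   = diff_manifests($previous, $current);
        // Mail only when a baseline exists and at least one list is non-empty.
        if ($previous !== [] && array_filter($report)) {
            wp_mail(get_option('admin_email'), 'File changes detected', print_r($report, true));
        }
        update_option('example_file_monitor_manifest', $current);
    });
}

// Stand-alone demo on a constructed directory (no WordPress needed).
$dir = sys_get_temp_dir() . '/fm_demo_' . getmypid();
mkdir("$dir/wp-content/cache", 0700, true);
file_put_contents("$dir/wp-config.php", "<?php // original\n");
file_put_contents("$dir/wp-content/cache/page.html", "cached");
$before = build_manifest($dir, ['wp-content/cache']);

file_put_contents("$dir/wp-config.php", "<?php // tampered\n");         // changed
file_put_contents("$dir/wp-content/unexpected.php", "<?php // new\n");   // added
file_put_contents("$dir/wp-content/cache/page.html", "cache churn");    // excluded: ignored

$report = diff_manifests($before, build_manifest($dir, ['wp-content/cache']));
assert($report === ['added' => ['wp-content/unexpected.php'], 'deleted' => [], 'changed' => ['wp-config.php']]);
```

The manifest is keyed by relative path so it survives the installation being moved, and SHA-256 rather than modification time is compared because an attacker who can write a file can also reset its timestamp. The first scheduled run only records the baseline; alerts start from the second run.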

WordPress plugins can play a crucial role in the hacking of a WordPress blog. Some people download plugins from sources where the downloaded plugin may contain malicious commands, placed inside the plugin's PHP file, that are meant to take control of your blog.
The screenshot below shows one secret website that I used in my early days and that I don't think should be disclosed here. In the screenshot you can see many listed plugins named after popular plugins that will damage your WordPress blog.
So keep these two things in mind before downloading and using any plugin:
1. I think you should always try your best to download plugins from the WordPress Plugin Directory.
2. Often the plugin author does not find the time, or see the point, to list the plugin in the WordPress directory. In that case make sure you download from the original source, but first read the comments people have left about the plugin to see whether or not it causes any problems. Also make completely sure that the site really belongs to the original plugin author, because sometimes hackers write a review of a plugin on a fake blog and place their own download link, which contains their malicious plugin! So always keep these things in mind.