Is it secret? Is it safe?
With WordPress, security is all about hiding the obvious.
WordPress has become one of the most popular open source platforms for both blogs and websites. It’s really no wonder, as it has a simple, easy-to-use admin area with a plethora of dynamic templates and customizable skins, which makes it ideal for both web designers and novice bloggers. When Google’s Guru of Search, Matt Cutts, said that WordPress was set up to deliver 87% of what the search engine was looking for with respect to organic rankings right out of the box... well, let’s just say people listened.
More and more people flocked to WordPress as their chosen web development tool. The unfortunate downside to any popular open source platform like WordPress is that hackers, spammers and other internet ass-bandits are on a continuous mission to seek out and exploit its weaknesses for their own malevolent purposes. Many WordPress website owners aren’t even aware that their site is at risk. Just to clarify: if you have a WordPress blog or website, it’s at risk! My company is frequently asked, “how can I protect my site against spam injection attacks and hack attempts?” Thankfully, there are some really good and really easy plug-ins that can help you secure your WordPress site.
The default WordPress installation leaves quite a few loopholes and points of exposure for hackers and spammers to attack. Leaving the default “wp-” table prefix, database names, admin login, and .htaccess location in place creates the primary points of weakness, because an attacker can guess every one of them without looking.
The following five very quick and easy plug-ins will help lock down your WordPress site and protect your “back end” so to speak.
1. BulletProof Security ~ WordPress Plug-in
By Edward Alexander
I Love BulletProof Security! This plug-in makes a complicated process of renaming and protecting critical root files and folders super easy.
BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection hacking attempts with one-click .htaccess security protection. Its features include:
- .htaccess protection for wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html
- One-click website maintenance mode (HTTP 503)
- Additional website security checks: DB errors off, file and folder permissions check…
- System info: PHP, MySQL, OS, server, memory usage, IP, SAPI, DNS, max upload…
- Built-in .htaccess file editing, uploading and downloading
BulletProof Security works through .htaccess files, so it is specific to Apache servers on Linux. It is designed as a fast, simple, one-click way to add .htaccess protection to your WordPress site: you activate the .htaccess security mode and the under-maintenance mode from within the WordPress Dashboard, with no FTP required. Under the hood the plugin creates, copies, renames, moves or writes to the BulletProof Security .htaccess master files it ships with, protecting both your root website folder and your wp-admin folder with .htaccess security, as well as providing the additional checks listed above.
2. Login LockDown ~ WordPress Plug-in
By Michael VanDeMar
Login LockDown is an easy way to block repeated hack attempts by limiting the number of login attempts from a given IP range within a certain time period. Used in conjunction with BulletProof Security, it is very effective.
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
3. WordPress Database Backup ~ WordPress Plug-in
By Austin Matzko
This is a great plug-in to use as a security protocol, not necessarily as a preventative measure, but more as a security precaution: in case something did happen to your WordPress site, like a spam injection, you would at least have a backup of your database tables to restore from. Losing all your pages and posts isn’t fun. WP-DB-Backup lets you easily back up your core WordPress database tables. You may also back up other tables in the same database.
4. WP Security Scan ~ WordPress Plug-in
Always watch your back end! WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:
- File permissions
- Database security
- Version hiding
- WordPress admin protection/security
- Removes WP Generator META tag from core code
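To make the two most mechanical items on that list concrete, here is a small Python scanner that does the same kind of checking. It is an added example, not WP Security Scan's own code: its thresholds (flag anything world-writable; flag wp-config.php if users outside the owner's group can read it) are my assumptions about sensible defaults, and the directory tree with deliberately bad modes and the HTML page carrying a generator tag are both constructed inside the script so it runs offline.

```python
import os
import re
import stat
import tempfile

# Matches <meta name="generator" content="WordPress x.y" ...> in either quote style
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress[^"\']*["\']',
    re.IGNORECASE,
)


def find_generator_tag(html):
    """Return the generator tag if the page still advertises its WordPress version, else None."""
    match = GENERATOR_RE.search(html)
    return match.group(0) if match else None


def scan_permissions(root):
    """Walk a WordPress tree and report risky modes.

    Thresholds are my assumptions, in the spirit of the plugin's permission check:
    anything world-writable is flagged, and wp-config.php (which holds the database
    credentials) is flagged if users outside the owner's group can read it.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(mode)))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "wp-config.php readable by others", oct(mode)))
    return sorted(findings)


def demo():
    """Build a throwaway tree with deliberately bad modes and scan it, then check a constructed page."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        os.chmod(uploads, 0o777)                        # bad: anyone can drop files here
        for name, mode in (("wp-config.php", 0o644),    # bad: world-readable secrets
                           ("index.php", 0o644)):       # fine for ordinary PHP files
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder\n")
            os.chmod(path, mode)
        perms = scan_permissions(root)
    # Constructed page; the version number is made up for the example
    html = '<html><head><meta name="generator" content="WordPress 3.1" /></head></html>'
    return perms, find_generator_tag(html)


if __name__ == "__main__":
    perms, tag = demo()
    for finding in perms:
        print(*finding)
    print("generator tag:", tag)
```

Point scan_permissions at a real document root and you get the same kind of report the plugin shows, and find_generator_tag run over your own homepage tells you whether the version-hiding step has actually taken effect.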
5. WordPress Firewall 2 ~ WordPress Plug-in
By Matthew Pavkov
Completing your defensive line-up is this updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features!
This WordPress plugin investigates web requests with simple, WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this, but they’re not always installed on web servers and are usually difficult to configure.
This plugin intelligently whitelists and blacklists pathological-looking phrases based on which field they appear in within a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.
So, there you have it, 5 great plug-ins that you can have set up in under 20 minutes that will help protect your WordPress website and your back end.