Before you read on, here is a checklist of the things that improve WordPress security:
- Encrypt your login
- Stop brute force attack
- Use a strong password
- Protect your wp-admin folder
- Remove WordPress version info and WordPress error messages
- Hide your plugins folder
- Change your login name away from the default admin
- Upgrade to the latest version of WordPress and plugins
- Do a regular security scan
- Backup your WordPress database
- Define user privileges
There are many WordPress plugins that help you secure your blog. I will share some tips, tricks and resources that will help you secure and lock down your WordPress site and fortify it against unwarranted attacks.
Scan for security holes
The way to find out whether your site is at risk is to use a plugin that scans your WordPress installation for weaknesses.
- WP Security Scan is a very easy-to-use plugin that sorts out some of the basic security issues with WordPress: it can rename your database table prefix away from the default wp_ (a cheap obfuscation that only defeats canned SQL injection payloads, not a determined attacker) and it alerts you to flaws in your installation's security, among other features.
- InspectorWordpress prevents possible attacks on your WordPress blog by monitoring each request to it; based on conditions you define in the options panel, it interrupts the attacker's action and logs it.
- SecurePress Website Security Analyzer: SecurePress is a "live" patent-pending security system for WordPress.
With SecurePress, WordPress owners have an alternative to piecemeal security patches and plugins. The free SecurePress widget installs enough to get you started: it lets you see and record the attacks against your site, and the reports and statistics in its dashboard help you understand their level and magnitude. Once you are familiar with the dashboard, you can upgrade to the paid SecurePress Pro version, which adds the blocking capabilities.
- TTC WordPress Tripwire Tool: a simple but genuinely useful security plugin. It lists every file on your WordPress site that changed in the last 1 to 99 days; you choose how far back in time to look. Unexpected changes to core, theme or plugin files are one of the clearest signs of a compromise, so compare its output against the updates you actually installed.
- TAC (Theme Authenticity Checker): this security plugin scans all of your theme files for potentially malicious or unwanted code. TAC searches the source files of every installed theme for signs of malicious code; if it finds some, it displays the path to the theme file, the line number and a small snippet of the suspect code. Very useful if your site has been hit by a hidden iframe injection (a Trojan infection). Being signature based, it only finds patterns it knows about, so a clean result is not proof of a clean theme.
- Safer Cookies: normally, when you log in to your blog, WordPress creates a session cookie that is used to authenticate you. If someone were to steal that cookie they could use it to get full access to your blog without knowing your password. This plugin ties the cookie to your IP address, so it will not be usable from a different computer. Two caveats: users whose address changes mid-session (mobile connections, some proxies) get logged out, and an attacker behind the same NAT address as the victim is not stopped. Serving the admin area over HTTPS is the real fix for cookie theft in transit.
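To show what the tripwire and theme-checker plugins above do under the hood, here is an added example (written for this article, not the code of TTC Tripwire or TAC): it takes a hash baseline of a directory, diffs a later snapshot against it, lists files with recent modification times, and scans PHP/JS/HTML files for a few constructed signatures of injected code. The signature list, the throwaway "theme" directory and the injected backdoor in demo() are all assumptions made up for the demonstration.

```python
"""Baseline-and-diff file integrity check plus a small malicious-code scan.

Constructed example for this article; it is not any WordPress plugin's code.
"""
import hashlib
import re
import tempfile
import time
from pathlib import Path

# Signatures of the kind a theme checker flags. Constructed list, not TAC's.
SUSPICIOUS = [
    ("obfuscated eval", re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)),
    ("hidden iframe", re.compile(
        rb"<iframe[^>]*(display\s*:\s*none|visibility\s*:\s*hidden|width\s*=\s*[\"']?0)", re.I)),
    ("remote include", re.compile(rb"(include|require)(_once)?\s*\(?\s*[\"']https?://", re.I)),
]


def hash_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its hash and mtime."""
    snap = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = {"sha256": hash_file(p), "mtime": p.stat().st_mtime}
    return snap


def diff_snapshots(baseline, current):
    """Added, removed and content-modified paths between two snapshots (hash based)."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def changed_within_days(current, days, now=None):
    """Tripwire-style view: files whose mtime falls inside the last `days` days.
    An attacker can forge mtime trivially, so treat this as a hint; the hash diff is authoritative."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(k for k, v in current.items() if v["mtime"] >= cutoff)


def scan_bytes(data):
    """Return (line_number, label, snippet) for every signature match in a file's bytes."""
    hits = []
    for lineno, line in enumerate(data.splitlines(), start=1):
        for label, pat in SUSPICIOUS:
            m = pat.search(line)
            if m:
                snippet = line[max(0, m.start() - 20):m.end() + 20].decode("latin-1")
                hits.append((lineno, label, snippet))
    return hits


def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Scan files with a scannable suffix; map relative path -> hits, for files with hits only."""
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = scan_bytes(p.read_bytes())
            if hits:
                report[p.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Build a throwaway 'theme', baseline it, simulate a compromise, re-check. Constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "theme").mkdir()
        (root / "theme" / "functions.php").write_bytes(b"<?php\nadd_action('init', 'theme_setup');\n")
        (root / "theme" / "style.css").write_bytes(b"/* Theme: Demo */\n")
        baseline = snapshot(root)
        # Simulated compromise: backdoor appended to functions.php, plus a dropped file.
        with (root / "theme" / "functions.php").open("ab") as f:
            f.write(b"\n/* injected */ eval(base64_decode('cGhwaW5mbygpOw=='));\n")
        (root / "theme" / "cache.php").write_bytes(
            b"<?php echo '<iframe src=\"http://example.invalid/\" style=\"display:none\"></iframe>';\n")
        current = snapshot(root)
        return {"diff": diff_snapshots(baseline, current),
                "recent": changed_within_days(current, 1),
                "hits": scan_tree(root)}


if __name__ == "__main__":
    print(demo())
```

In practice you would store the baseline snapshot (as JSON) outside the web root, regenerate it right after each legitimate upgrade, and run the diff from cron; a modified core file that you did not update yourself deserves an immediate look.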
Back up your MySQL database regularly
Backing up the database is always advisable. In the event of a crash, whether caused by your own mistake or by hackers, you can restore your WordPress blog from the backup file. For some of you, backing up a database may sound like a troublesome technical chore, but you can do it easily. "Make backups, and make them often."
- WP-DBManager allows you to optimize, repair, back up and restore the database, delete old backups, drop or empty tables and run selected queries. It supports automatic scheduling of database backups and optimization. Whatever tool you use, copy the backups somewhere other than the web server itself and test a restore now and then; a backup you have never restored is not yet a backup.
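For those who would rather script the backup than install a plugin, here is an added example (written for this article, not WP-DBManager's code): it reads the database credentials out of wp-config.php, builds a mysqldump command that keeps the password out of the process list, gzips the dump and prunes all but the newest N files. The sample wp-config.php lines, the file names and the retention count are assumptions; run_backup() needs a real mysqldump on the machine.

```python
"""Database backup helper: read the credentials from wp-config.php, run
mysqldump without exposing the password, gzip the dump and keep the newest N.

Constructed example for this article, not WP-DBManager's code. The paths,
retention count and the sample wp-config.php below are assumptions.
"""
import gzip
import os
import re
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]+)['"]""")

# Constructed sample of the relevant wp-config.php lines.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_blog' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 's3cr3t' );
define( 'DB_HOST', 'localhost:3306' );
$table_prefix = 'xyz_';
"""


def parse_wp_config(text):
    """Return the DB_* defines plus the table prefix from wp-config.php source."""
    cfg = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    cfg["table_prefix"] = m.group(1) if m else "wp_"
    return cfg


def dump_command(cfg, option_file):
    """mysqldump argv. The password is read from a mode-0600 option file instead of
    being passed on the command line, where `ps` would show it to every local user."""
    host, _, extra = cfg["DB_HOST"].partition(":")   # WordPress accepts host, host:port or host:/path/to.sock
    cmd = ["mysqldump", f"--defaults-extra-file={option_file}",
           "--single-transaction", "--routines", "--triggers", "--host", host or "localhost"]
    if extra.startswith("/"):
        cmd += ["--socket", extra]
    elif extra:
        cmd += ["--port", extra]
    cmd += ["--user", cfg["DB_USER"], cfg["DB_NAME"]]
    return cmd


def backup_name(cfg, when=None):
    """Timestamped file name; the UTC timestamp sorts lexically, which pruning relies on."""
    when = when or datetime.now(timezone.utc)
    return f"{cfg['DB_NAME']}-{when:%Y%m%dT%H%M%SZ}.sql.gz"


def select_to_prune(names, keep):
    """Return the dump file names that fall outside the newest `keep` dumps."""
    dumps = sorted(n for n in names if n.endswith(".sql.gz"))
    if keep <= 0:
        return dumps
    return dumps[:-keep] if keep < len(dumps) else []


def run_backup(wp_config_path, backup_dir, keep=14):
    """Dump the database into backup_dir, prune old dumps and return the new file path."""
    cfg = parse_wp_config(Path(wp_config_path).read_text())
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    out = backup_dir / backup_name(cfg)
    escaped = cfg["DB_PASSWORD"].replace("\\", "\\\\").replace('"', '\\"')
    with tempfile.NamedTemporaryFile("w", delete=False) as opt:
        os.fchmod(opt.fileno(), 0o600)              # only this user may read the password
        opt.write(f'[client]\npassword="{escaped}"\n')
        option_file = opt.name
    try:
        with gzip.open(out, "wb") as gz, subprocess.Popen(
                dump_command(cfg, option_file), stdout=subprocess.PIPE) as dump:
            for chunk in iter(lambda: dump.stdout.read(1 << 16), b""):
                gz.write(chunk)
        if dump.returncode != 0:
            out.unlink(missing_ok=True)             # never keep a truncated dump
            raise RuntimeError(f"mysqldump exited with status {dump.returncode}")
    finally:
        os.unlink(option_file)
    for old in select_to_prune(os.listdir(backup_dir), keep):
        (backup_dir / old).unlink()
    return out
```

Point backup_dir at a location outside the web root (and ideally rsync it off the host), otherwise the dump, which contains every password hash and private post, becomes the easiest file on the server to download.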
Limit login attempts to thwart brute force attacks
Make smart choices that lower the number of entry points available to a malicious person. WordPress passwords can be cracked by brute-force guessing. To prevent that, install a login lockdown plugin. Such a plugin records the IP address and timestamp of every failed WordPress login attempt; once a certain number of failed attempts is detected, it disables the login function for all requests from that address range.
- The Login LockDown plugin locks users out if they enter their password wrong too many times. You choose how many attempts are allowed and how long the lockout lasts on a neat options page. Obviously, if your password is the name of your blog or something like "secret", brute force will find it quickly. The first thing to do is to use a very strong password, mixing lowercase and uppercase letters, numbers and special characters. You can also rely on the password generator included in WP Security Scan.
- Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
- User Locker locks a user account after a given number of incorrect login attempts; it can be unlocked only by requesting a new password (using the Lost Password option) or by asking an admin for help (who can unlock it too). This makes brute force and dictionary attacks nearly impossible. Be aware that locking accounts rather than addresses means an attacker can deliberately lock your real users out, so keep the unlock path painless.
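The three plugins above differ mainly in what they key the lockout on. The following added example (written for this article; it is not the code of Login LockDown, Limit Login Attempts or User Locker) implements both flavours side by side, a sliding-window lockout per source IP and a looser one per username, and replays a constructed failed-login log through them. The thresholds, the log format and the addresses are assumptions.

```python
"""Sliding-window login lockout keyed on source IP and on username.

Constructed example for this article; not the code of any of the plugins
named in the text. Thresholds and the sample log are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LockoutPolicy:
    """Count failures per key inside a sliding window; lock the key once the
    threshold is hit and release it automatically after `lockout_seconds`."""

    def __init__(self, max_failures, window_seconds, lockout_seconds):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> datetime at which the lock expires

    def locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:                     # lock expired: forget it and the old failures
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def fail(self, key, now):
        q = self.failures[key]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            q.clear()

    def success(self, key):
        self.failures.pop(key, None)


class LoginGuard:
    """Two policies in parallel. The per-user policy is deliberately looser:
    anyone can trigger it against somebody else's account, so a tight one
    would hand attackers a denial of service against your real users."""

    def __init__(self):
        self.by_ip = LockoutPolicy(max_failures=5, window_seconds=300, lockout_seconds=3600)
        self.by_user = LockoutPolicy(max_failures=10, window_seconds=600, lockout_seconds=900)

    def attempt(self, now, ip, username, password_ok):
        # A locked source is refused even with the right password; otherwise the
        # attacker could keep guessing and simply ignore the lock.
        if self.by_ip.locked(ip, now):
            return "deny:ip-locked"
        if self.by_user.locked(username, now):
            return "deny:user-locked"
        if password_ok:
            self.by_ip.success(ip)
            self.by_user.success(username)
            return "allow"
        self.by_ip.fail(ip, now)
        self.by_user.fail(username, now)
        return "deny:bad-password"


# Constructed log, one attempt per line: "<ISO timestamp> <client IP> <username> <OK|FAIL>".
# OK means the password was right; the guard decides whether the login is still allowed.
SAMPLE_LOG = """
2024-05-01T10:00:00 203.0.113.7 admin FAIL
2024-05-01T10:00:01 203.0.113.7 admin FAIL
2024-05-01T10:00:02 203.0.113.7 admin FAIL
2024-05-01T10:00:03 203.0.113.7 admin FAIL
2024-05-01T10:00:04 203.0.113.7 admin FAIL
2024-05-01T10:00:05 203.0.113.7 admin FAIL
2024-05-01T10:00:10 203.0.113.7 admin OK
2024-05-01T10:20:00 198.51.100.1 editor FAIL
2024-05-01T10:20:01 198.51.100.2 editor FAIL
2024-05-01T10:20:02 198.51.100.3 editor FAIL
2024-05-01T10:20:03 198.51.100.4 editor FAIL
2024-05-01T10:20:04 198.51.100.5 editor FAIL
2024-05-01T10:20:05 198.51.100.6 editor FAIL
2024-05-01T10:20:06 198.51.100.7 editor FAIL
2024-05-01T10:20:07 198.51.100.8 editor FAIL
2024-05-01T10:20:08 198.51.100.9 editor FAIL
2024-05-01T10:20:09 198.51.100.10 editor FAIL
2024-05-01T10:20:10 192.0.2.5 editor OK
2024-05-01T11:00:05 203.0.113.7 admin OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def replay(log_text=SAMPLE_LOG):
    """Run every attempt through a fresh guard and return the decisions in order."""
    guard = LoginGuard()
    return [guard.attempt(*parse_line(line)) for line in log_text.strip().splitlines() if line.strip()]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LOG.strip().splitlines(), replay()):
        print(f"{line}  ->  {decision}")
```

The replay shows both sides of the trade-off: the single address hammering admin is shut out after five failures and stays shut out even when it finally presents the right password, while the distributed attack on editor never trips the per-IP rule and instead locks the account, which also denies the genuine login from 192.0.2.5 a second later.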
Add a second layer of security to your dashboard
You can greatly enhance the security of your blog by adding more access control in front of your /wp-admin/ folder. This forces an attacker or bot to attack the second layer of protection instead of your real admin files. Most of the time, WordPress attacks are carried out autonomously by malicious software bots.
- AskApache Password Protect adds serious password protection to your WordPress blog. Not only does it protect your wp-admin directory but also wp-includes, wp-content, the plugins directory and so on. Think of it as a brick wall in front of your PHP scripts: a request that fails the web server's authentication never reaches them, which shuts out the endless stream of automated web robots that guess passwords and serve exploits. Forget spam; these millions of zombie bots are too outrageous to ignore. They try known (and often strangely outdated) exploits for known vulnerabilities against blogs and other Internet software, and sooner or later some poor blogger misses an upgrade and becomes the victim of this video-game-like attack.
- Restricted Site Access limits access to your site to visitors who are logged in or who come from a set of specific IP addresses. Restricted visitors can be sent to the login page, redirected elsewhere or shown a message. A great solution for extranets, publicly hosted intranets or parallel development sites.
- HTTP Authentication lets WordPress reuse an existing means of authenticating people. This includes Apache's basic HTTP authentication module and many others.
Define user privileges for a multi-author blog
This gives you, the blog owner, the ability to control what users can and cannot do on the blog.
- If there is more than one author on your blog, you can install the Capability Manager plugin to define the capabilities of each user group. Capability Manager provides a simple way to manage role capabilities. Using it, you can change the capabilities of any role, add new roles, copy existing roles into new ones and add new capabilities to existing roles. You can also delegate capability management to other users; in that case some restrictions apply, as those users can only set or unset capabilities they themselves have.
- WP Sentry allows WordPress authors to grant access to individual private posts to users and groups of users.
- With User Access Manager you can manage access to your posts, pages and files. You create a user group, put registered users into it and set up the rights for that group; from then on the post or page is only readable and writable by the specified group. This plugin is useful if you need a member area or a private section on your blog, or if you want other people to write on your blog but not everywhere.
Keep your WordPress and plugins updated
The WordPress developers do not keep maintaining security patches for older WordPress versions. Once a new version has been released or a vulnerability has been fixed, the information required to exploit it is almost certainly in the public domain, which leaves any old version open to attack by a simple script kiddie.
- Upgrading your plugins is nearly as important as upgrading WordPress itself because, just like WordPress, plugins are susceptible to having their code exploited for malicious purposes. Upgrading WordPress plugins is dead simple out of the box, but what if you could somehow make it even simpler? That is where One Click Plugin Updater comes in handy.
- Update Notifier: if you do not check the admin panel of your WordPress install very often (maybe because you prefer remote publishing), or you want to make sure that your clients' WordPress installations stay updated, this is the plugin for you. You do not have to log in to your admin panel regularly, subscribe to an RSS feed or do anything apart from installing this plugin; you will be notified when an update to WordPress is released.
- WordPress/Plugin Upgrade Time Out plugin lets you change the file download timeout value used when upgrading WordPress and plugins, so you no longer have to change it again after every WordPress upgrade.
Install WordPress security suite plugins
A WordPress security suite is a collection of various administration, SEO, maintenance, backup and security related tools.
- Secure WordPress: a little help to secure your WordPress installation. It removes error information from the login page, adds an index.html to the plugin directory (so the plugin list cannot be browsed) and removes the WordPress version from everywhere except the admin area.
- GD Press Tools: this tool integrates into the various WordPress admin panels, can perform maintenance operations, change some aspects of WordPress and show detailed server settings and information. The plugin can also track post and page views for popularity lists. Some of the features do not work with every version of WordPress.
- WordPress Firewall inspects web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful generic modules that do this, but they are not always installed on web servers and are difficult to configure. WordPress Firewall whitelists and blacklists pathological-looking phrases based on the field they appear in within a page request (unknown or numeric parameters versus known post bodies, comment bodies and so on). Its purpose is not to replace prompt and responsible upgrading but to mitigate 0-day attacks and let bloggers sleep better at night.
- AntiVirus for WordPress is a smart and effective solution for protecting your blog against exploits and spam injections.
Protect registration, login, cookies and comment forms
- Invisible Defender: the idea behind this plugin is simple. Spambots either fill every form field they find (generic spambots) or fill only the WordPress-specific fields (bots that recognise WordPress or target it exclusively). It is therefore sufficient to add two extra text fields to the form, one empty and one with a predefined value, and check their values after the form is submitted. The first (empty) field will be filled in by generic spambots, and the second will not be filled in by bots that target WordPress only. With these two simple checks nearly all spambots can be detected, and WordPress can return a "403 Forbidden" error to them.
- Absolute Privacy turns your WordPress blog into a fully private site where you control who has access. It is perfect for family blogs, private communities and personal websites.
- No Disposable Email: this plugin prevents people from registering with disposable email addresses like the ones provided by Mailinator. It protects your most important asset, your registered user base, from contamination by fake accounts. Its working principle is similar to a spam blacklist.
- WP-Dephorm protects your users from the prying eyes of Phorm. It does this by setting the cookie that opts out of Phorm's information mining, so your visitors will not have their browsing stored and used in marketing campaigns while viewing your site. The idea is based on a system devised by Dephormation.
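The two-field trick that Invisible Defender describes is short enough to show in full. Here is an added example (written for this article, not the plugin's code) that renders the two honeypot fields, binds the prefilled value to the visitor's session with an HMAC so it cannot simply be copied from one page load and replayed, and classifies a few constructed submissions. The field names, the secret key and the session identifiers are assumptions.

```python
"""Two-field form honeypot with a per-session token.

Constructed example for this article, not Invisible Defender's code. The field
names, the secret and the session ids are assumptions.
"""
import hashlib
import hmac

# Assumed server-side secret; in WordPress you would derive it from the salts in wp-config.php.
SECRET_KEY = b"replace-me-with-a-random-32-byte-key"

# Field 1 is rendered empty and hidden with CSS; a human never fills it in.
# Field 2 is rendered already filled with a token bound to the visitor's session;
# a bot that posts only the well-known WordPress field names never sends it.
EMPTY_FIELD = "hp_website"
TOKEN_FIELD = "hp_token"


def token_for(session_id):
    """Value to pre-fill in TOKEN_FIELD when rendering the form for this session."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_hidden_fields(session_id):
    """HTML to inject into the comment or registration form. The fields are hidden with a
    CSS class rather than type=hidden, because some bots skip type=hidden inputs entirely
    and would then look exactly like a human."""
    return (f'<p class="hp-hidden"><input type="text" name="{EMPTY_FIELD}" value="" autocomplete="off">'
            f'<input type="text" name="{TOKEN_FIELD}" value="{token_for(session_id)}"></p>')


def classify(session_id, fields):
    """'ok' for a plausible human submission; otherwise the reason to answer 403 Forbidden."""
    if fields.get(EMPTY_FIELD, "").strip():
        return "403:filled-honeypot"          # generic bot filled every field it found
    token = fields.get(TOKEN_FIELD)
    if token is None:
        return "403:missing-token"            # WP-targeting bot posted only the known field names
    if not hmac.compare_digest(token, token_for(session_id)):
        return "403:bad-token"                # token copied from another session, or fabricated
    return "ok"


# Constructed submissions from four kinds of client, all arriving on session "sess-42".
SAMPLES = {
    "human": {"author": "Alice", "email": "alice@example.com", "comment": "Nice post",
              EMPTY_FIELD: "", TOKEN_FIELD: token_for("sess-42")},
    "generic_bot": {"author": "buy", "email": "x@x", "comment": "http://spam",
                    EMPTY_FIELD: "http://spam", TOKEN_FIELD: "http://spam"},
    "wp_bot": {"author": "buy", "email": "x@x", "comment": "http://spam", "url": "http://spam"},
    "replay_bot": {"author": "buy", "comment": "x", EMPTY_FIELD: "", TOKEN_FIELD: token_for("sess-1")},
}


def classify_samples():
    return {name: classify("sess-42", fields) for name, fields in SAMPLES.items()}


if __name__ == "__main__":
    print(render_hidden_fields("sess-42"))
    print(classify_samples())
```

Label the hidden fields for screen readers ("leave this empty"), since CSS hiding is invisible to sighted users only, and expect the occasional false positive from browser autofill on the empty field.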
Encrypt your login information or force an HTTPS connection
You can log in to the WordPress admin panel over an encrypted SSL connection. First check whether your web host gives you access to an SSL certificate; if not, certificates are cheap enough (many hosts now provide them for free) to be worth spending a few bucks on.
- Admin SSL and Force SSL secure the login page, the admin area, posts, pages, whatever you want, using a private or shared SSL certificate. They are useful for those who wish to enforce a higher level of security for the delivery of WordPress content to the browser. WordPress itself can also force the login and admin pages onto HTTPS through the FORCE_SSL_ADMIN setting in wp-config.php once a certificate is in place.
- Chap Secure Login: whenever you log in to your website, this plugin transmits your password in encrypted form. The encryption is done with the CHAP protocol, which is particularly useful when you cannot use SSL or another secure protocol. With ChapSecureLogin active, the only information transmitted in the clear is the username; the password is hidden with a random number (nonce) generated by the session and transformed with the MD5 algorithm. Note what this does and does not protect: a passive sniffer does not see the password, but it does see the session cookie WordPress sets after login, and it can still test password guesses offline against the captured nonce and response, so this is a stopgap, not a substitute for HTTPS.
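To make the CHAP trade-offs concrete, here is an added example of the challenge-response exchange from both sides (written for this article; it is not the plugin's code and does not claim to match its wire format). MD5 is kept only because the description above uses it; a new design would use HMAC-SHA256. The user name, the password and the candidate guesses in demo() are constructed.

```python
"""Challenge-response login of the kind the CHAP plugin describes: the
password never crosses the wire, only MD5(nonce + password).

Constructed example for this article, not the plugin's code.
"""
import hashlib
import hmac
import secrets


class ChapServer:
    """Holds the passwords (or a password-equivalent the response can be derived from:
    that is the price of CHAP, which cannot work against a salted, slow password hash)
    and one outstanding single-use nonce per user."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)
        self.pending = {}          # username -> nonce that has not been consumed yet

    def challenge(self, username):
        # Issued even for unknown users, so the exchange does not reveal which names exist.
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        nonce = self.pending.pop(username, None)   # single use: a replayed response finds no nonce
        password = self.passwords.get(username)
        if nonce is None or password is None:
            return False
        expected = chap_response(nonce, password)
        return hmac.compare_digest(expected.encode(), str(response).encode())


def chap_response(nonce, password):
    """Client side: what is sent in place of the password."""
    return hashlib.md5((nonce + password).encode()).hexdigest()


def login(server, username, password):
    """The full exchange from the client's point of view: fetch a nonce, answer it."""
    nonce = server.challenge(username)
    return server.verify(username, chap_response(nonce, password))


def demo():
    """Constructed scenarios: honest login, wrong password, unknown user, replay, offline guessing."""
    server = ChapServer({"admin": "correct horse battery staple"})
    results = {}
    results["right_password"] = login(server, "admin", "correct horse battery staple")
    results["wrong_password"] = login(server, "admin", "password123")
    results["unknown_user"] = login(server, "nobody", "anything")
    # A passive sniffer captures a valid (nonce, response) pair and replays the response.
    nonce = server.challenge("admin")
    captured = chap_response(nonce, "correct horse battery staple")
    server.verify("admin", captured)                       # the legitimate login consumes the nonce
    results["replayed_response"] = server.verify("admin", captured)
    # Offline guessing: the same sniffer tests candidate passwords against the captured pair,
    # so the scheme only buys time against a weak password; it does not hide a guessable one.
    candidates = ["123456", "password", "correct horse battery staple"]
    results["offline_guess_found"] = any(chap_response(nonce, g) == captured for g in candidates)
    return results


if __name__ == "__main__":
    print(demo())
```

The replay check is the part most home-grown implementations get wrong: if the nonce survives a successful verification, the captured response is as good as the password.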