Useful Plugins

My 5 Essential WordPress Security Plugins; Why And How I Use Them

No matter how hard anyone tries I think WordPress will never be 100% secure, simply because of its popularity and the way it is used. Therefore we, as users, need to put some extra security steps in place. Here are my five favourite plugins, all of which anyone can install and understand.


WPS Hide Login (WPServeur). An essential first level of security, enforced upon me really after my blog had suffered 18 hours of brute force hacking attempts. This one ‘confuses’ hackers. It’s security through obscurity, which some people argue isn’t a good idea. However, to me, if it adds another layer of security it must help.

Download and activate the plugin and then go to Settings. At the bottom of the General settings page is a new box: “Login url”. Change the name in that box to something that you can remember but isn’t obvious. Hackers use bots to look for admin pages, so keep the name obscure and don’t pick anything guessable like “login” or “admin”.

Now, if anyone tries to reach wp-login.php or /wp-admin/ directly they see your 404 page instead. Some logins will still get through, because the plugin only intercepts requests for the normal login and admin URLs (other authentication paths such as xmlrpc.php are not hidden by it), but it should reduce the plague of a brute force attack.

Should you forget your new login URL, then either use FTP to delete or rename the plugin’s folder, or look in your database: the name is stored in the wp_options table as the whl_page option.

Limit Login Attempts (Johan Eenfeldt). One of my favourites and one I am never without. Hackers will attempt to take control of your blog by brute force, trying obvious passwords in bulk using bots. However, these attempts will frequently come from the same IP address.

So this marvellous little plugin simply sits there and watches for failed login attempts. If there are 4 failed attempts within 12 hours (the defaults; you can change them) then that IP address is prevented from logging in for 20 minutes. Another set of failed attempts produces another lockout, and after 4 lockouts it’s a full 24 hour lockout.

OK, hackers can switch IP address. But suppose you have a secure password that will take a million guesses to find (let’s face it, 1,000,000 passwords can be tried in a few hours at just 100 per second). If you are blocking each IP address after 16 failed attempts (4 retries times 4 lockouts before the 24 hour ban) then to try 1,000,000 passwords they need access to more than 60,000 IP addresses (1,000,000 / 16 = 62,500).

The plugin can be set to email you when users are blocked, so if you are on the end of a really bad attack you can do as I have been known to do and move the wp-admin folder until the hacker goes elsewhere.
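To make the mechanism concrete, here is a small must-use plugin of my own that applies the same rules. It is an added illustration, not the Limit Login Attempts code; the exl_ prefix, the transient names and the error message are my own choices. Dropped into wp-content/mu-plugins/, it counts failures per IP address in WordPress transients, locks the address out for 20 minutes after 4 failures and for 24 hours from the 4th lockout, and refuses a locked address inside WordPress’s own password check so that the hash is never compared while the lockout lasts.

```php
<?php
/**
 * Plugin Name: Example IP lockout (added illustration, not Limit Login Attempts)
 * Description: 4 failures within 12 hours lock an IP out for 20 minutes; the 4th lockout lasts 24 hours.
 */

define('EXL_MAX_RETRIES',  4);
define('EXL_RETRY_WINDOW', 12 * HOUR_IN_SECONDS);
define('EXL_LOCKOUT',      20 * MINUTE_IN_SECONDS);
define('EXL_MAX_LOCKOUTS', 4);
define('EXL_LONG_LOCKOUT', DAY_IN_SECONDS);

function exl_client_ip() {
    // REMOTE_ADDR is the only address the server actually knows. Trusting
    // X-Forwarded-For without a proxy allow-list lets an attacker choose their own key.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function exl_key($name, $ip) {
    return 'exl_' . $name . '_' . md5($ip);   // transient names have a length limit, so hash the IP
}

// Seconds left on the lockout for this IP, 0 if it is not locked out.
function exl_lockout_remaining($ip) {
    return max(0, (int) get_transient(exl_key('until', $ip)) - time());
}

// Count the failure and start (or lengthen) a lockout when the threshold is hit.
function exl_record_failure($ip, $username) {
    if (exl_lockout_remaining($ip) > 0) {
        return;   // attempts made while locked out are refused below, not counted again
    }
    $retries = (int) get_transient(exl_key('retries', $ip)) + 1;
    if ($retries < EXL_MAX_RETRIES) {
        set_transient(exl_key('retries', $ip), $retries, EXL_RETRY_WINDOW);
        return;
    }
    delete_transient(exl_key('retries', $ip));
    $lockouts = (int) get_transient(exl_key('lockouts', $ip)) + 1;
    set_transient(exl_key('lockouts', $ip), $lockouts, DAY_IN_SECONDS);

    $duration = ($lockouts >= EXL_MAX_LOCKOUTS) ? EXL_LONG_LOCKOUT : EXL_LOCKOUT;
    set_transient(exl_key('until', $ip), time() + $duration, $duration);

    // error_log() writes to the PHP error log; swap in wp_mail() if you want the email alert.
    error_log(sprintf('exl: lockout #%d for %s for %d s after failed login as "%s"',
        $lockouts, $ip, $duration, $username));
}

add_action('wp_login_failed', function ($username) {
    exl_record_failure(exl_client_ip(), $username);
});

// This filter runs inside WordPress's password check, after the user is looked up
// but before the hash is compared, so a locked-out address learns nothing.
add_filter('wp_authenticate_user', function ($user, $password) {
    $remaining = exl_lockout_remaining(exl_client_ip());
    if ($remaining > 0) {
        return new WP_Error('exl_locked',
            sprintf('Too many failed logins. Try again in %d minutes.', ceil($remaining / 60)));
    }
    return $user;
}, 10, 2);
```

Two things to notice: a refused attempt during a lockout still fires wp_login_failed, so the handler checks the lockout first rather than counting it again, and the key is REMOTE_ADDR rather than any forwarded header, because behind a CDN or reverse proxy you must configure which proxy addresses to trust before a forwarded header can safely be used as the lockout key.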

Plainview Activity Monitor (Edward Plainview). This one is new to my list, but already I’m a fan. But you need to be careful about how you use it if you use it the way I do.

You can set this to record all failed logon attempts (Activity Monitor, Logged Hooks, tick wp_login_failed, select Activate then Apply). However, this could be dangerous and hand hackers information they need, so do read on!

With the above set, every failed logon attempt is recorded in detail: IP address, attempted userid and attempted password. That’s great, but if you fail to logon as Peter using Password and as Pete using Password1, then anyone discovering that record could well guess that Peter and Password1 are the real combination.

So it is vital that after any failed logon attempts of your own you delete them as soon as you do log on: Activity Monitor from the side bar, select your failed logons, change Bulk Actions to Delete and then Apply.

But now you can see when hackers are about and the userids and passwords they are trying. If they are trying random combinations then you are fine. However, if they start to try whatever you have set up as your admin userid then you have a warning that it’s been discovered and can change it.
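If you want the warning without the risk of keeping tried passwords in the database, the same wp_login_failed hook can be used directly. The following must-use plugin is an added illustration of mine, not Plainview Activity Monitor’s code: it records the time, IP address and attempted userid (never the password) to a file outside the web root, and emails the site admin when the name being guessed belongs to a real account. The log path, the exl_ names and the one-email-per-hour limit are my assumptions.

```php
<?php
/**
 * Plugin Name: Example failed-login log (added illustration, not Plainview Activity Monitor)
 * Description: records each failed login without the password that was tried,
 * and emails the site admin when someone guesses against a real account name.
 */

// One line per failure, in a file outside the web root (the path is an assumption).
define('EXL_LOG_FILE', dirname(ABSPATH) . '/wp-login-failures.log');

// True when $username is an existing login name or account email.
function exl_is_real_account($username) {
    return (bool) get_user_by('login', $username) || (bool) get_user_by('email', $username);
}

function exl_log_failure($username, $ip) {
    // Strip anything that could forge extra log lines or terminal escapes.
    $safe_user = preg_replace('/[^\x20-\x7e]/', '?', $username);
    $real      = exl_is_real_account($username);

    // Deliberately no password field: the record must be harmless if it leaks.
    $line = sprintf("%s ip=%s user=\"%s\" real_account=%s\n",
        gmdate('Y-m-d\TH:i:s\Z'), $ip, $safe_user, $real ? 'yes' : 'no');
    file_put_contents(EXL_LOG_FILE, $line, FILE_APPEND | LOCK_EX);

    // The warning sign from the text: a guess aimed at a name that really exists.
    // One email per account per hour, so a flood of guesses does not become a flood of mail.
    $alert_key = 'exl_alert_' . md5($username);
    if ($real && false === get_transient($alert_key)) {
        set_transient($alert_key, 1, HOUR_IN_SECONDS);
        wp_mail(get_option('admin_email'),
            'Failed login against a real account on ' . get_bloginfo('name'),
            sprintf("Someone tried to log in as \"%s\" from %s at %s.\n",
                $safe_user, $ip, gmdate('c')));
    }
    return $real;
}

add_action('wp_login_failed', function ($username) {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    exl_log_failure($username, $ip);
});
```

With this in place a line such as `2024-01-01T10:00:00Z ip=203.0.113.9 user="admin" real_account=no` is just noise, while `real_account=yes` against your actual login name is the signal the text describes, and there is nothing in the file worth deleting after your own typos.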

Changing a userid is difficult in WordPress, but not impossible (more information). Go to Users and create a new user with Administrator permissions, giving it a secure userid and using the same nickname as you have previously used. Sign off and back on again as this new id. Then delete the old userid, or downgrade it to Subscriber. One caveat: WordPress also gives each user a “nicename” slug derived from the login name, and that slug appears in author archive URLs, so the old name only really disappears if the old account goes too.

Be careful if deleting your old userid that you don’t delete its posts. When WordPress asks what to do with the content, either leave the posts orphaned or, better, attribute them to the new userid.
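The same steps as a one-off WP-CLI script, added here as my own illustration (not code from the page or the “more information” link; the old and new login names are placeholders). It creates the new administrator, moves the old account’s posts across when the old account is deleted, and handles the one snag the admin screen hides from you: email addresses must be unique, so the new account starts with a placeholder address and takes over the real one only after the old account is gone.

```php
<?php
/**
 * Replace an administrator's login name: new admin, posts moved across, old account deleted.
 * Added illustration. Run once from the site root with WP-CLI:  wp eval-file replace-admin.php
 */
require_once ABSPATH . 'wp-admin/includes/user.php';   // wp_delete_user() lives here

function exl_replace_admin($old_login, $new_login) {
    $old = get_user_by('login', $old_login);
    if (!$old || !in_array('administrator', $old->roles, true)) {
        return new WP_Error('exl_no_admin', "$old_login is not an administrator");
    }
    if ($new_login === $old_login || username_exists($new_login)) {
        return new WP_Error('exl_taken', "$new_login cannot be used");
    }

    $password = wp_generate_password(24);   // shown once in the result; store it in a password manager
    $new_id = wp_insert_user(array(
        'user_login'   => $new_login,
        'user_pass'    => $password,
        // Emails must be unique, so start with a placeholder and inherit the real one below.
        'user_email'   => 'placeholder+' . $new_login . '@example.invalid',
        'role'         => 'administrator',
        'nickname'     => $old->nickname,        // same public name as before
        'display_name' => $old->display_name,
    ));
    if (is_wp_error($new_id)) {
        return $new_id;
    }

    $owned = get_posts(array('author' => $old->ID, 'post_type' => 'any',
                             'post_status' => 'any', 'numberposts' => -1, 'fields' => 'ids'));

    // The second argument reassigns every post to the new user instead of deleting it,
    // which is exactly the "don't delete its posts" trap from the text.
    wp_delete_user($old->ID, $new_id);
    wp_update_user(array('ID' => $new_id, 'user_email' => $old->user_email));

    return array('new_id' => $new_id, 'password' => $password, 'posts_moved' => count($owned));
}

// Placeholder names: the real old login and a new, non-obvious one.
$result = exl_replace_admin('admin', 'hb-owl-4482');
if (is_wp_error($result)) {
    WP_CLI::error($result->get_error_message());
}
WP_CLI::success(sprintf('New admin ID %d (password: %s), %d posts moved',
    $result['new_id'], $result['password'], $result['posts_moved']));
```

Log in with the new account before you run anything like this against a live site, and take a database backup first: wp_delete_user is not undoable.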

If somehow the hackers start to attempt passwords that look as if they are getting close, take that as a huge hint that your password is not strong enough and change it immediately. If it was a reasonably secure password and they are still guessing it, also ask yourself why. Have you been compromised in some way: a virus, spyware or whatever?

WordPress Database Backup (Austin Matzko). A lesson here for me in watching for similarly named plugins, as I initially set this blog up with a different plugin, thinking I was getting this one, and it wasn’t quite as good.

If all goes wrong on your blog then you need backups. No matter how well you protect the site, if someone still gets in and litters it with junk posts or deletes posts, your backup is where you will fall back to.

However, some backup plugins store the backup on the server. This is great, unless the server itself is hacked. Then what might happen to the backups? I prefer to have the backups emailed to me. For this purpose I create a standalone email address that receives the various backups. Every few weeks I log on, check that the backups are arriving and delete the oldest copies. Remember that a database dump contains every account’s password hash, every commenter’s email address and any unpublished drafts, so give that mailbox a strong, unique password and treat it as carefully as the site itself.

By using a separate email address you don’t clutter your own email with backup files. You do need to remember to log on regularly, but if they were being sent to your own email you’d still need to check they are arriving.

You can set this plugin up to do backups as often as you like, from hourly to twice a month. Extra tables in the database can be included and you can trigger a backup manually whenever you want.

The files are quite small and email friendly. Hopefully you’ll never need them, but they are always worth having.

WP Captcha Free (iDope). Looking through similar lists, other blogs prefer to go into highly technical plugins that move wp-content and so on. However, I believe that part of protecting your site is protecting the comments.

Akismet is great, but it lets too many spam comments through for my liking. I know that when I’ve only used Akismet I’ve seen a stream of junk arriving in my comments folder. Yes, it’s supposed to learn. But you still have to get rid of all of those junk comments.

I think that junk comments are very dangerous to a blog. If just a few get through to a post then it spoils the whole site. You get a reputation for not caring. Sometimes it can also be difficult to tell whether a simple comment is just a simple, well meaning compliment or a lazy link building attempt.

That’s where WP Captcha Free excels. There’s no captcha for the commenter to solve and they probably won’t even realise there’s protection going on in the background. Instead it checks each submission automatically to tell real visitors from spammers.

It can differentiate between people who have arrived on your site and read the post before commenting and automated spam robots that are just trying to fill your comments with junk. Best of all, you don’t see these junk comments!
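One way such a background check can work, as an added illustration of my own (this is not WP Captcha Free’s code and I am not describing its exact method): the comment form carries a signed timestamp, and a comment is only accepted if the signature is genuine and the form was loaded a plausible number of seconds earlier. A bot that posts without fetching the page, or the instant it fetches it, fails; a reader who has actually read the post passes without noticing anything. The exl_ names and the 5 second / 2 hour window are my choices.

```php
<?php
/**
 * Plugin Name: Example timed comment token (added illustration, not WP Captcha Free)
 * Description: a signed timestamp in the comment form must come back genuine and a few seconds old.
 */

define('EXL_MIN_AGE', 5);                    // nobody reads a post and replies faster than this
define('EXL_MAX_AGE', 2 * HOUR_IN_SECONDS);  // token expiry; must exceed any page-cache lifetime

// "<issued>:<hmac>", keyed with the site's own salts so it cannot be forged off-site.
function exl_comment_token($issued) {
    return $issued . ':' . hash_hmac('sha256', (string) $issued, wp_salt('nonce'));
}

// True only if the token is authentic and was issued between MIN_AGE and MAX_AGE seconds ago.
function exl_comment_token_ok($token, $now) {
    if (!is_string($token) || substr_count($token, ':') !== 1) {
        return false;
    }
    list($issued) = explode(':', $token, 2);
    if (!ctype_digit($issued) || !hash_equals(exl_comment_token($issued), $token)) {
        return false;
    }
    $age = $now - (int) $issued;
    return $age >= EXL_MIN_AGE && $age <= EXL_MAX_AGE;
}

// Invisible to the commenter: a hidden field inside the standard comment form.
add_action('comment_form', function () {
    printf('<input type="hidden" name="exl_t" value="%s">', esc_attr(exl_comment_token(time())));
});

add_filter('preprocess_comment', function ($comment) {
    // Only anonymous visitor comments are checked; logged-in users, pingbacks and trackbacks pass.
    $ordinary = in_array($comment['comment_type'], array('', 'comment'), true);
    if (is_user_logged_in() || !$ordinary) {
        return $comment;
    }
    $token = isset($_POST['exl_t']) ? wp_unslash($_POST['exl_t']) : '';
    if (!exl_comment_token_ok($token, time())) {
        // Same generic answer for a missing, forged, too-fresh or expired token.
        wp_die('Your comment could not be accepted. Please reload the post and try again.', 403);
    }
    return $comment;
});
```

Two caveats. A full-page cache hands the same token to every visitor until the cached copy expires, so the maximum age must be longer than the cache lifetime (or the comment form excluded from caching). And a patient bot that fetches the page, waits five seconds and then posts will pass, so this is a filter for bulk junk, not a replacement for a content check such as Akismet.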

Well, that’s my 5 essential WordPress security plugins. I’m sure other people have their favourites, so why not let me know, or share this post so that more people can be protected? There are also other Security Best Practice tips that you should remember when using WordPress, so don’t forget them.


Installing Google Analytics To A WordPress Blog

After stumbling across what seemed to be a very easy way to set up Google AdSense in WordPress I was hoping for equal success with Analytics. However, that’s a touch more complicated.

First, Sign Up To Analytics

This really is surprisingly hard. Signing up isn’t too bad, but I always think the feature to add a new “property”, as it is known, is well hidden. On a very old version of Analytics it was easy. Then the new version came out and Google hid the function. It doesn’t seem quite so bad these days: you go to your list of properties and somewhere in the drop down box there it is.

Provide your website name and its URL and generate the tracking link. Maybe Google was having a bad day, but this crashed a couple of times. Finally, though, I had hold of the UA number.

Add to Your WordPress Installation

You could, if you wanted, simply add the tracking code that Google provides to the theme’s footer. Been there and done it in the past. I also learnt that when the theme gets an update, or you decide to change themes, it’s easily forgotten that you need to drop the tracking code back in. The first you know of it is when you check the website stats and you’ve had no visitors all week. In a cloud of panic you realise your mistake.

It is far easier to use a plugin that stores the details, creates the tracking code and does everything for you. After trying out a few different plugins the one I went for is simply called “Google Analytics”, by Kevin Sylvestre.

Find, install and activate that plugin and then copy your UA id from when you created the property over on the Google Analytics site. Within your WordPress Settings menu there is now a Google Analytics link. Simply click on this link and paste the UA id into the relevant box (Web Property ID).

Job Done

Now, when you want to see if you are getting any hits you can wander over to the Google Analytics website and take a look there. Easy!
