No matter how hard anyone tries I think WordPress will never be 100% secure, simply because of its popularity and the way it is used. Therefore, we as users need to put some extra security steps in place. Here are my favourite tips that anyone can install and understand.
WPS Hide Login (WPServeur). An essential first level of security, enforced upon me really after my blog had suffered 18 hours of brute force hacking attempts. This one ‘confuses’ hackers. It’s safety through obscurity, which some people argue isn’t a good idea. However, to me if it adds another layer of security it must help.
Download and activate this plugin and then click Settings. At the bottom of the settings page is a new box: “Login url”. Change the name in that box to something that you can remember but isn’t obvious. Hackers will use bots to try to find admin systems, so keep the name obscure.
Now, if anyone tries to access your login or admin pages they see your 404 page instead. Certain logins will still get through, but it should reduce the plague of a brute force attack.
Should you forget your new admin URL, either use FTP to delete or rename the plugin, or look in your database, where the new name is stored among the options.
Limit Login Attempts (Johan Eenfeldt). First on the list as it is one of my favourites and one I am never without. Hackers will attempt to take control of your blog by brute force – attempting obvious passwords in bulk using robots. However, these attempts will frequently come from the same IP address.
So this marvellous little plugin simply sits there and watches for failed login attempts. If there are 4 failed attempts in 12 hours (defaults, you can change them) then the IP address is prevented from logging in for 20 minutes. Another set of failed attempts will produce another lockout, and after four lockouts it’s a full 24-hour lockout.
OK, hackers can switch IP address. But suppose you have a secure password that’s going to take a million guesses to work out (let’s face it, 1,000,000 passwords can normally be tried in a few hours at just 100 per second). If you are blocking IP addresses after 16 failed attempts, then to try 1,000,000 passwords they need access to more than 60,000 IP addresses.
The plugin can be set to inform you when users are blocked so if you are on the end of a really bad attack then you can do as I have been known to do and move the wp-admin folder until the hacker goes elsewhere.
You can set this to record all failed logon attempts (Activity Monitor, Logged Hooks, tick wp_login_failed, select Activate then Apply). However, this could be dangerous and give hackers information that they need so do read on!
With the above set, all failed logon attempts are recorded in detail: IP address, attempted userid and attempted password. That’s great, but if you fail to logon as Peter using Password and Pete using Password1, then anyone discovering this could well guess that Peter and Password1 are the desired combination.
So it is vital that after any failed logon attempts of your own you delete them as soon as you logon – Activity Monitor from the side bar, select your failed logons, change Bulk Actions to Delete and then Apply.
But now you can see when hackers are about and the userid / passwords they are trying. If they are trying random combinations then you are fine. However, if they start to try whatever you have set up as your Admin userid then you have a warning that it’s been discovered and can change it.
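To make the two mechanisms above concrete, here is an added example (not the plugin’s own code and not from the original post) that replays constructed failed-login records through a model of the Limit Login Attempts lockout policy with the defaults quoted earlier, and flags any attempt that uses the real admin userid, the warning sign just described. The record format, the IP addresses and the userid “peter” are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Limit Login Attempts defaults as quoted in the post (all configurable in the plugin).
ALLOWED_FAILURES = 4                    # failures before an IP is locked out
FAILURE_WINDOW = timedelta(hours=12)    # failures older than this are forgotten
SHORT_LOCKOUT = timedelta(minutes=20)
LOCKOUTS_BEFORE_LONG = 4                # the fourth lockout becomes the long one
LONG_LOCKOUT = timedelta(hours=24)

def make_bursts(ip, user, start, bursts, gap):
    """Constructed attacker traffic: bursts of four failures a second apart, `gap` apart."""
    lines = []
    for b in range(bursts):
        for i in range(ALLOWED_FAILURES):
            t = start + b * gap + timedelta(seconds=i)
            lines.append(f"{t.isoformat()} {ip} {user}")
    return "\n".join(lines)

# Constructed Activity Monitor style records: "time ip userid" (attempted passwords deliberately not kept).
SAMPLE_LOG = (make_bursts("203.0.113.7", "admin", datetime(2024, 3, 1, 2, 0), 5, timedelta(minutes=25))
              + "\n2024-03-01T03:10:00 198.51.100.5 peter"
              + "\n2024-03-01T03:10:30 198.51.100.5 peter")

def parse_log(text):
    """Yield (timestamp, ip, userid) tuples from the space-separated records."""
    for line in text.splitlines():
        ts, ip, user = line.split()
        yield datetime.fromisoformat(ts), ip, user

def replay(records, real_admin):
    """Replay failed logins through the lockout policy; return per-IP stats and admin-id alerts."""
    failures = defaultdict(list)        # ip -> timestamps of failures not yet punished
    locked_until, lockouts, refused, alerts = {}, defaultdict(int), defaultdict(int), []
    for ts, ip, user in sorted(records):
        if user == real_admin:          # the warning sign the post describes: your id is known
            alerts.append((ts, ip))
        if ts < locked_until.get(ip, ts):
            refused[ip] += 1            # locked out: the attempt is refused, not counted
            continue
        recent = [t for t in failures[ip] if ts - t <= FAILURE_WINDOW] + [ts]
        if len(recent) >= ALLOWED_FAILURES:
            lockouts[ip] += 1
            span = LONG_LOCKOUT if lockouts[ip] >= LOCKOUTS_BEFORE_LONG else SHORT_LOCKOUT
            locked_until[ip] = ts + span
            recent = []                 # the lockout wipes the slate for this IP
        failures[ip] = recent
    return {"lockouts": dict(lockouts), "refused": dict(refused),
            "locked_until": locked_until, "alerts": alerts}
```

Calling `replay(parse_log(SAMPLE_LOG), real_admin="peter")` shows the first IP collecting three 20-minute lockouts, then a 24-hour one, with its fifth burst refused outright, while the second IP never trips the lockout but raises two alerts because it is trying the real userid.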
Changing a UserId is difficult in WordPress, but not impossible (more information). Go to Users and create a new user with Administrator permissions, giving it a secure userid and using the same nickname as you have previously used. Sign off and back on again as this new id. Then delete the old user id, or downgrade it to Subscriber.
Be careful if deleting your old userid that you don’t delete its posts. Either leave them orphaned or move them to the new userid.
If somehow the hackers are starting to attempt to break into the site with passwords that look like they are getting close then you must take that as a huge hint that your password is not strong enough and immediately change it. If it was a reasonably secure password and they are guessing it also ask yourself why. Have you been compromised in some way – virus, spyware or whatever?
WordPress Database Backup (Austin Matzko) – a lesson here for me in watching for similarly named plugins as I initially set this blog up with a different plugin, thinking I was getting this one and it wasn’t quite as good.
If all goes wrong on your blog then you need backups. No matter how well you protect the site, if someone still gets in and litters it with junk posts or deletes posts then your backup is where you will fall back to.
However, some backups store the backup on the server. This is great, unless the server itself is hacked. Then what might happen to the backups? I prefer to have the backups emailed to me. For this purpose I create a standalone email address that receives the various backups. Every few weeks I will logon and check that the backups are arriving and delete the oldest copies.
By using a separate email address you don’t clutter your own email with backup files. You do need to remember to logon regularly, but if they were being sent to your own email you’d still need to check they are arriving.
You can set this plugin up to do backups as often as you like – from hourly to twice a month. Extra tables on the database can be included and you can trigger a backup whenever you want to manually.
The files are quite small and email friendly. Hopefully you’ll never need them, but they are always worth having.
WP Captcha Free (iDope). Looking through similar lists other blogs prefer to go into highly technical plugins that move wp-content and so on. However, I believe that part of the protection of your site is protecting the comments.
Akismet is great, but it lets too many spam comments through for my liking. I know when I’ve only used Akismet I’ve seen a stream of junk arriving in my comments folder. Yes, it’s supposed to learn. But you still have to get rid of all of these junk comments.
I think that junk comments are very dangerous to a blog. If just a few get through to a post then it spoils the whole site. Your reputation for not caring is gone. Sometimes it can also be difficult to see if a simple comment is just a simple, but well meaning, compliment or a lazy link build attempt.
That’s where WP Captcha Free excels. There’s no captcha for the comment leaver to use and they probably won’t even realise there’s protection going on in the background. Instead it uses algorithms to protect your site from spammers.
It can differentiate between people who have arrived on your site and read the post before commenting and automated spam robots that are just trying to fill your comments with junk. Best of all, you don’t see these junk comments!
Well, that’s my 5 essential WordPress security plugins. I’m sure other people have their favourites, so why not let me know or share this post so that more people can be protected? There are also other Security Best Practice tips that you should remember when using WordPress, so don’t forget them.