After putting all of the time, and perhaps money, into your WordPress website or blog, it is now time to secure and protect it from outside enemies and general bad guys: hackers, spammers and all-round tossers.
Without a doubt, for a self-hosted blog, WordPress is the best CMS you can get. It ships with a decent set of security features, but being popular and open source also means that attackers have the full source code to scrutinise for bugs they can use against any WordPress site. The same openness is what lets you and the community audit and patch it.
On the good side, one of the best things about WordPress is its plugin system, which lets anyone install existing plugins or write their own to extend its functionality, including improving security.
Here I have listed some WordPress security tips and plugins that you can use to secure your WordPress blog.
1. Don't let the search form reflect the request path
- WPdesigner advises us NOT to use this as the form action in search.php (the same applies to searchform.php):
<?php echo $_SERVER['PHP_SELF']; ?>
PHP_SELF is built from the request URI, including anything a client appends after search.php, and it is echoed into the page unescaped. Anyone can therefore craft a link to your blog that injects markup or script into the search form (reflected cross-site scripting), and the visitor who follows it runs that script in the context of your site. Point the form at an address you control instead:
<?php bloginfo ('home'); ?>
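To see what actually goes wrong, here is an added example (not from the original post or from WPdesigner) that renders the search form three ways: the unsafe way above, with HTML escaping, and with a fixed home URL. The attacker request path is constructed; in a real theme the third variant would use esc_url( home_url( '/' ) ), which is passed in here as a plain parameter so the script runs outside WordPress.

```php
<?php
// Added example (not from the original post): why echoing $_SERVER['PHP_SELF']
// into the form action is a reflected cross-site scripting bug, and the two
// ways to fix it. The attacker request path below is constructed.

function search_form_unsafe(string $php_self): string
{
    // The snippet the post warns against: the request path lands in the
    // action attribute exactly as the client sent it.
    return '<form method="get" action="' . $php_self . '">'
         . '<input type="text" name="s" /></form>';
}

function search_form_escaped(string $php_self): string
{
    // If you must reflect the path, HTML-escape it. ENT_QUOTES matters:
    // without it a double quote can still close the attribute.
    $safe = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="' . $safe . '">'
         . '<input type="text" name="s" /></form>';
}

function search_form_home(string $home_url): string
{
    // What the post recommends: point the form at a URL you control rather
    // than at whatever path was requested. Inside a theme this would be
    // esc_url( home_url( '/' ) ); here the URL is a parameter so the demo
    // runs outside WordPress.
    $safe = htmlspecialchars(rtrim($home_url, '/') . '/', ENT_QUOTES, 'UTF-8');
    return '<form method="get" action="' . $safe . '">'
         . '<input type="text" name="s" /></form>';
}

// Constructed attacker request. Under Apache with mod_php, PHP_SELF is the
// script path plus any trailing PATH_INFO, so a link to
//   /search.php/"><script>alert(document.cookie)</script><a href="
// puts that whole string into $_SERVER['PHP_SELF'] unchanged.
$attacker_path = '/search.php/"><script>alert(document.cookie)</script><a href="';

echo "unsafe:  ", search_form_unsafe($attacker_path), "\n";   // the script element becomes live markup
echo "escaped: ", search_form_escaped($attacker_path), "\n";  // quotes and angle brackets become entities
echo "home:    ", search_form_home('https://example.com'), "\n";
```

Run it with php from the command line and compare the three lines: only the first contains a real script element. Escaping is the general rule for anything that comes from the request; using a fixed URL is simply the cleanest way to avoid reflecting it at all.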
2. Directories should not be left open for public browsing
There is a real downside to letting people see which plugins you have and which versions they are: if a known exploit exists for one of them, an attacker can simply pick it off the list. Create an empty wp-content/plugins/index.html file, or better, add this line to the .htaccess file in your root so that no directory on the site can be listed:
Options All -Indexes
Bear in mind that this hides the listing, not the plugins: anyone can still request /wp-content/plugins/some-plugin/readme.txt directly and learn the version if the plugin is installed, so keeping plugins updated (tip 4) is what actually closes the hole.
3. Drop the version string in your Meta Tags
Many WordPress themes print a "generator" meta tag announcing the exact WordPress version your blog runs. As Matt Cutts pointed out, that hands anyone scanning for targets the one fact they need: whether you are on a release with known holes. It only hurts if you are behind on updates, but there is no reason to advertise it. Another solution is a plugin that reports a different version string.
This tag in the header.php file displays your current version of WordPress:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
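Editing header.php is fragile because a theme update can put the tag back. The following is an added example (not from the original post) of doing the same from your theme's functions.php or a file under wp-content/mu-plugins/ using WordPress's own hooks; it also covers the two other places the version leaks that the tag alone does not. The hook and function names are WordPress core APIs; the helper function name is an assumption.

```php
<?php
// Added example, not from the original post. Put this in your theme's
// functions.php or in a file under wp-content/mu-plugins/. It stops
// WordPress printing its version in the three places it normally does.

// 1. The <meta name="generator"> tag is printed by core's wp_generator()
//    through the wp_head hook. Removing the action covers every theme that
//    calls wp_head(), and survives theme updates.
remove_action('wp_head', 'wp_generator');

// 2. RSS and Atom feeds carry a <generator> element with the same version.
add_filter('the_generator', '__return_empty_string');

// 3. Core scripts and styles are enqueued as
//    /wp-includes/...?ver=<WordPress version>, which leaks the version again.
//    Strip only that default value; plugins that set their own ver keep it
//    for cache busting.
function strip_core_version_arg($src)
{
    if (is_string($src) && strpos($src, 'ver=' . rawurlencode(get_bloginfo('version'))) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'strip_core_version_arg');
add_filter('style_loader_src', 'strip_core_version_arg');
```

This is hygiene, not protection: readme.html in the site root and the contents of unversioned core files still let a determined scanner work out the version. It cuts the drive-by noise; staying updated is the fix.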
4. Stay Updated
Keep your plugins, widgets, theme and WordPress itself updated; most real-world compromises use a vulnerability that already had a fix available. Subscribing to the plugin, widget and theme authors' RSS feeds makes keeping up with releases much easier.
5. Take regular backups of your site and Database
You always have to take regular backups of your file directories as well as the database. The WordPress Database Backup plugin creates backups of your core WordPress tables as well as other tables of your choice in the same database. Store the backups somewhere other than the web server itself (an attacker who gets control of the server can delete them along with everything else) and test that you can actually restore from them before you need to.
6. Use SSH/Shell Access instead of FTP
FTP sends your username, password and every file in clear text, so anyone on the network path (a shared Wi-Fi, a compromised router, a sniffer on your host's LAN) can capture your login. With it they can change your files and add spam to your site without you ever knowing. Use SSH instead: SFTP and SCP run over it, so authentication and the file transfer are both encrypted. If your host offers only FTP, at least use FTPS (FTP over TLS).
7. Protect your wp-config.php file
wp-config.php holds your database username and password. Normally PHP executes it and the browser never sees its contents, but if the PHP handler is misconfigured or breaks during an upgrade or migration, the web server will happily serve the file as plain text. Keep it safe by adding the following to the .htaccess file at the top level of your WordPress install:
<FilesMatch "^wp-config\.php$">
    Require all denied
</FilesMatch>
On Apache 2.2, replace the Require line with "Order allow,deny" and "Deny from all" on two separate lines. WordPress also lets you move wp-config.php one directory above the document root: if the file is missing from the install directory it looks there automatically, which keeps it out of the web server's reach entirely. Either way, this makes it much harder for your database credentials to fall into the wrong hands when something goes wrong with the server.
8. Block WP- folders from the Search Engines
There is no need to have all of your WordPress files indexed by Google, so it is best to block them in your robots.txt file. Remember that robots.txt only steers well-behaved crawlers: it does not stop anyone from requesting those paths, and attackers read it as a map of what you would rather keep hidden, so it belongs alongside the directory-listing and access controls above, not instead of them. Add the following line to your list
9. Block access to WP-Admin folder using .htaccess
There is an article written by Reuben that explains how to protect your WordPress admin folder by allowing access only from a defined set of IP addresses; every other visitor gets a Forbidden error. If you only access your blog from one or two places routinely, it is worth implementing. Note that you create a new .htaccess file inside your wp-admin folder; you do not replace the one at the root of your blog. Two caveats: wp-admin/admin-ajax.php is used by many themes and plugins for ordinary, logged-out visitors, so blocking the whole folder can break front-end features unless you exempt that file; and the rule does nothing for wp-login.php, which lives outside wp-admin.
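The same restriction can be done in PHP, which helps if you are on nginx or cannot use .htaccess. Below is an added example, not Reuben's code or any plugin's, written as a must-use plugin (wp-content/mu-plugins/admin-allowlist.php is an assumed file name) with a small CIDR matcher so you can allow whole ranges and IPv6. The allowed ranges are placeholders. It hooks admin_init, which WordPress fires after unauthenticated visitors have already been sent to the login page, so it gates the admin area for logged-in users; the .htaccess form blocks earlier, before any PHP runs.

```php
<?php
/*
 * Added example (not from the original post or from Reuben's article): an IP
 * allowlist for wp-admin as a must-use plugin, so it also works on nginx.
 * The ranges below are placeholders (RFC 5737/3849 documentation space).
 */

const ADMIN_ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.7/32', '2001:db8::/32'];

function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, null);
    $ip_bin  = inet_pton($ip);
    $net_bin = inet_pton($net);
    if ($ip_bin === false || $net_bin === false || strlen($ip_bin) !== strlen($net_bin)) {
        return false; // invalid address, or IPv4 tested against an IPv6 range
    }
    $max_bits = strlen($ip_bin) * 8;
    $bits = $bits === null ? $max_bits : (int) $bits;
    if ($bits < 0 || $bits > $max_bits) {
        return false;
    }
    // Compare whole bytes first, then the remaining bits of the partial byte.
    $full_bytes = intdiv($bits, 8);
    if (substr($ip_bin, 0, $full_bytes) !== substr($net_bin, 0, $full_bytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ip_bin[$full_bytes]) & $mask) === (ord($net_bin[$full_bytes]) & $mask);
}

function ip_allowed(string $ip, array $cidrs): bool
{
    foreach ($cidrs as $cidr) {
        if (ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

function enforce_admin_allowlist(): void
{
    // admin-ajax.php lives under wp-admin but serves logged-out visitors
    // (front-end AJAX), so exempt it or themes and plugins will break.
    if (wp_doing_ajax()) {
        return;
    }
    // Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a
    // trusted proxy in front of the site sets it, and in that case your
    // wp-config.php should already be rewriting REMOTE_ADDR from that header.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!ip_allowed($ip, ADMIN_ALLOWED_CIDRS)) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}

if (function_exists('add_action')) {
    add_action('admin_init', 'enforce_admin_allowlist');
} else {
    // Run from the command line (php admin-allowlist.php) to sanity-check
    // the matcher against a few constructed addresses before deploying it.
    foreach (['203.0.113.45', '198.51.100.7', '198.51.100.8', '2001:db8::1', '192.0.2.1'] as $ip) {
        printf("%-16s %s\n", $ip, ip_allowed($ip, ADMIN_ALLOWED_CIDRS) ? 'allowed' : 'blocked');
    }
}
```

If your connection comes from a dynamic address, allow the provider's range rather than a single host, and keep SSH or FTP access to the server so a changed address does not lock you out of your own dashboard.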
10. Don’t Use Default Passwords
Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! You can follow the instructions given in the article “Hack Proof Password” posted by us earlier to improve the strength of your password.
11. Change database table prefix
The default prefix used by WordPress is “wp_”. You can easily change it to something harder to guess using WP Security Scan (more on this plugin below), which matters mainly against canned SQL injection payloads that assume the default names. Keep in mind that this is obscurity only: an injection that can read information_schema learns the prefix immediately, and a vulnerability that goes through WordPress's own $wpdb already knows it.
12. Don’t use (or better yet, remove) the default “admin” username
Older versions of WordPress created an Administrator-level user called admin during installation (since WordPress 3.0 the installer lets you choose the name). Do not use that username: an attacker running a brute-force attack then already knows half of what they need. Even if you downgrade its role, it is better to remove the user altogether, reassigning its posts to a new administrator account. Renaming helps less than it once did, because WordPress reveals usernames elsewhere (author archive URLs and the REST API users endpoint), so combine it with a strong password and some form of login rate limiting.
You can use the Change Username plugin to change the username of the admin account.
13. Secure WordPress
Secure WordPress hardens an installation by removing miscellaneous items left after installation that could help an attacker. It removes the error information from the login page (which otherwise tells an attacker whether it was the username or the password that was wrong) and removes or changes the WordPress version data while leaving it unchanged in the admin area. Non-administrators have no need to see update information, so it also removes the plugin, theme and core update notices for them. Finally, Secure WordPress adds a blank index.html to the plugin directory, so anyone trying to view the contents of that directory gets a blank page instead of the listing.
14. Force SSL
Having a secure SSL connection to communicate with your users is beneficial. To enable it, your site must be SSL-enabled first, which means getting a certificate for your domain (a free one from Let's Encrypt is fine today). Installing this plugin forces your users' browsers to connect to your site over SSL, so everything transmitted to and from the site is encrypted and protected from eavesdropping and tampering in transit. It does not protect against a compromised server or a weak password. Current WordPress also has the admin side of this built in: setting FORCE_SSL_ADMIN to true in wp-config.php requires HTTPS for the login page and the admin area.
15. Chap Secure Login
If you do not have a secure connection like SSL to protect your password, you can use this plugin to avoid sending it in clear text. It uses the CHAP challenge-response scheme, so the password itself never travels over the wire; only your username is transmitted in the clear. Be clear about what this does and does not buy you: a password leak hands an attacker full control of your blog, and CHAP prevents that particular leak, but the session cookie WordPress sets after login still travels unencrypted over HTTP and can be captured and replayed. Treat it as a stop-gap until you can use SSL.
16. HTTP Authentication
The HTTP Authentication plugin lets WordPress use an existing means of authenticating users, including Apache’s basic HTTP authentication module and many others. Basic authentication sends the password base64-encoded rather than encrypted, so use it only over an SSL connection.
17. Anonymous WordPress Plugin
All WordPress versions 2.3 and above check for plugin updates automatically. During this check WordPress sends some information, such as your blog’s URL, its version number and the list of installed and active plugins, to WordPress.org. That information could be of use to an attacker if it ever leaked, so if it worries you, installing the Anonymous WordPress plugin is an option. It strips your blog’s URL and version number and empties the active plugins list. The plugin is compatible with WordPress 2.3 and above.
18. Login Encrypt
19. Admin SSL
This plugin works with both private and shared SSL certificates and forces an SSL connection on every page where a password can or has to be entered. It is very helpful for protecting the admin area, the post editor and the login page of your WordPress installation. It works on WordPress 2.2 to 2.7.
20. AskApache Password Protect
It blocks bots and puts a password-protected wall in front of your WordPress directories such as wp-includes and wp-content, enforced by the web server rather than by WordPress. A request that exploits a hole in a plugin or in WordPress itself still has to get past that wall first, which is why the author describes it as placing your blog behind a security wall; it is an extra layer, not a fix for the underlying vulnerability.
21. TAC (Theme Authenticity Checker)
TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.
22. Invisible Defender
This plugin protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS. This approach gave me 100% anti-spam protection on one of my sites.
23. Semisecure Login Reimagined
24. Stealth Login
This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that is easier to remember than wp-login.php; for example you could set your login URL to http://www.myblog.com/login. This is obscurity rather than access control: after installing it, check that the original wp-login.php (and xmlrpc.php, which also accepts credentials) really is blocked, otherwise bots will simply keep hammering those. At best it cuts the log noise from automated login attempts.
25. WordPress File Monitor
Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
26. WordPress Firewall Plugin
This WordPress plugin inspects web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks. A few powerful generic modules exist that do this, but they are not always installed on web servers and are difficult to configure.
It whitelists and blacklists pathological-looking phrases based on which field they appear in within a page request (unknown or numeric parameters versus known post bodies, comment bodies and so on). Like any heuristic filter it will produce some false positives, so review what it blocks before relying on it.
27. WordPress Guard Plugin
Angsuman’s WordPress Guard Plugin is a must-have WordPress security plugin that protects the vulnerable areas of your blog from outside access with an additional layer of security.
28. wp-dephorm
wp-dephorm protects your users from the prying eyes of Phorm. This is achieved by setting a cookie to opt out of Phorm's information mining, so your blog's visitors will not have their browsing stored and used in marketing campaigns while viewing your site.
29. WP Security Scan
Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
-WordPress admin protection/security
-removes WP Generator META tag from core code
30. AntiVirus for WordPress
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections.
31. WordPress Exploit Scanner
This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
It does not remove anything. That is left to the user to do.
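What TAC (item 21) and Exploit Scanner both do at heart is search source files for known-bad signatures and report where they are. The following is an added example in PHP that is not either plugin's code: a small scanner with a handful of signatures (eval of obfuscated blobs, the preg_replace /e modifier, remote includes, request-driven code execution, CSS-hidden links) that reports file, line and snippet and, as with Exploit Scanner, removes nothing. The pattern list and the sample file contents are constructed for the demo.

```php
<?php
// Added example, not the code of TAC or WordPress Exploit Scanner: a scanner
// for the kinds of signature those plugins look for in theme and plugin
// files. It reports file, line number and a snippet, and removes nothing.
// The pattern list and the sample file contents below are constructed.

const SUSPICIOUS_PATTERNS = [
    // eval() of an obfuscated blob is the classic injected backdoor
    'eval_of_decoded'    => '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/i',
    // preg_replace with the /e modifier executes the replacement as PHP
    'preg_e_modifier'    => '/\bpreg_replace\s*\(\s*([\'"]).*?[^A-Za-z0-9\s\\\\][A-Za-z]*e[A-Za-z]*\1\s*,/i',
    // very long base64 runs usually mean packed code or hidden content
    'long_base64'        => '/[A-Za-z0-9+\/]{200,}={0,2}/',
    // include/require of a remote URL
    'remote_include'     => '/\b(include|require)(_once)?\s*\(?\s*[\'"]https?:\/\//i',
    // links hidden with CSS: the "static links" TAC reports (paid spam links)
    'hidden_link'        => '/<a\b[^>]*style\s*=\s*["\'][^"\']*(display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>/i',
    // code execution fed straight from request data
    'exec_from_request'  => '/\b(assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
];

/** Scan one file's contents; returns one hit per matching line and rule. */
function scan_source(string $path, string $contents): array
{
    $hits = [];
    foreach (explode("\n", $contents) as $i => $line) {
        foreach (SUSPICIOUS_PATTERNS as $rule => $regex) {
            if (preg_match($regex, $line) === 1) {
                $hits[] = [
                    'file'    => $path,
                    'line'    => $i + 1,
                    'rule'    => $rule,
                    'snippet' => substr(trim($line), 0, 80),
                ];
            }
        }
    }
    return $hits;
}

/** Walk a directory (e.g. wp-content/themes) and scan PHP, JS, CSS and HTML files. */
function scan_tree(string $root): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (preg_match('/\.(php|js|css|html?)$/i', $file->getFilename())) {
            $hits = array_merge($hits, scan_source($file->getPathname(), file_get_contents($file->getPathname())));
        }
    }
    return $hits;
}

// Constructed stand-ins for theme files: one clean, one carrying an injected
// eval() backdoor and a hidden spam link of the sort found in "free" themes.
$samples = [
    'themes/foo/functions.php' => "<?php\nadd_action('wp_head', 'foo_head');\n",
    'themes/foo/footer.php'    => "<?php wp_footer(); ?>\n"
        . "<?php echo eval(base64_decode('ZWNobyAiaGkiOw==')); ?>\n"
        . "<a href=\"http://example.invalid/pills\" style=\"display:none\">cheap pills</a>\n",
];
foreach ($samples as $path => $contents) {
    foreach (scan_source($path, $contents) as $hit) {
        printf("%s:%d [%s] %s\n", $hit['file'], $hit['line'], $hit['rule'], $hit['snippet']);
    }
}
// A real run: scan_tree('/var/www/html/wp-content/themes') (assumed path).
```

Expect false positives from the long_base64 rule on minified JavaScript and embedded images; the output is a list for a human to review, not something to act on automatically, which is exactly why the plugins above leave removal to you.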
32. Paranoid911
Paranoid911 checks your WordPress installation for changes and sends you an email when changes occur.
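WordPress File Monitor (item 25) and Paranoid911 both work the same way: record what every file looks like, then compare later. The following is an added example in PHP, not the code of either plugin, of that baseline-and-compare check using SHA-256 hashes. The paths are assumptions, and the demo at the end builds a small throwaway tree in the temp directory so it runs on its own.

```php
<?php
// Added example (not the code of WordPress File Monitor or Paranoid911): the
// baseline-and-compare check both plugins perform. The first run records a
// SHA-256 hash of every file under the root; later runs report added,
// deleted and changed files. Run it from cron, not from inside WordPress,
// and keep the baseline outside the web root so an intruder who can write
// to wp-content cannot also rewrite the baseline. Paths are assumptions.

function hash_tree(string $root, array $skip_prefixes = ['wp-content/cache/', 'wp-content/uploads/']): array
{
    $root = rtrim($root, '/');
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        $rel = substr($file->getPathname(), strlen($root) + 1);
        foreach ($skip_prefixes as $prefix) {
            if (strpos($rel, $prefix) === 0) {
                continue 2; // directories that change legitimately all the time
            }
        }
        if ($file->isFile()) {
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare two path => hash maps. */
function diff_hashes(array $baseline, array $current): array
{
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'deleted' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

/** Create the baseline on first run; otherwise return the differences. */
function check_integrity(string $root, string $baseline_file): array
{
    $current = hash_tree($root);
    if (!is_file($baseline_file)) {
        file_put_contents($baseline_file, json_encode($current, JSON_PRETTY_PRINT));
        return ['added' => [], 'deleted' => [], 'changed' => [], 'baseline_created' => true];
    }
    $baseline = json_decode(file_get_contents($baseline_file), true) ?: [];
    return diff_hashes($baseline, $current);
}

// Demo on a constructed tree in a temp directory. In production the call is
// check_integrity('/var/www/html', '/var/lib/wp-integrity/baseline.json')
// and a non-empty result goes out by e-mail.
$root = sys_get_temp_dir() . '/wp-integrity-demo';
$baseline = $root . '.baseline.json';
@mkdir("$root/wp-content/plugins", 0700, true);
@unlink($baseline);
@unlink("$root/wp-content/plugins/z.php");
file_put_contents("$root/index.php", "<?php // fine\n");
file_put_contents("$root/wp-content/plugins/a.php", "<?php // plugin\n");
check_integrity($root, $baseline);                                       // records the baseline

file_put_contents("$root/index.php", "<?php eval(\$_POST['x']);\n");     // simulated backdoor
file_put_contents("$root/wp-content/plugins/z.php", "<?php\n");         // dropped file
unlink("$root/wp-content/plugins/a.php");                                // removed plugin
print_r(check_integrity($root, $baseline));
```

Re-create the baseline deliberately after each legitimate update, and keep the uploads directory out of the scan unless you are prepared for an alert on every image you post; an attacker's PHP file dropped into uploads is still caught by the scanner in the previous example.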
33. Defensio Anti-Spam
Defensio is an advanced spam filtering web service that learns and adapts to your behaviors and those of your readers. Defensio aims to be an all-in-one anti-spam solution. Therefore, using it along with other anti-spam plugins WILL cause problems. PLEASE deactivate Akismet and other similar plugins before activating Defensio.
34. Simple Trackback Validation
Simple Trackback Validation Plugin performs a simple but very effective test on all incoming trackbacks in order to stop trackback spam.
35. NoSpamNX
NoSpamNX is the successor of Yawasp (Yet Another WordPress antispam plugin) and protects against automated comment spam (spambots). While Yawasp changed the names of the form fields in the comment template, NoSpamNX works without such modifications but is equally effective. Because it needs no changes to the form fields, it stays compatible with other WordPress plugins and with browsers.
When the comment form is rendered, NoSpamNX automatically adds extra fields (hidden from the "normal" user) to your comment template. When a comment is saved, these fields are checked. For additional protection, the order and the values of these fields change periodically, so that no spambot can adapt to a specific blog.
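Invisible Defender (item 22) and NoSpamNX both rely on the same honeypot idea, so here is one added example in PHP that is not either plugin's code: two CSS-hidden fields whose names are derived from a secret and the date, so they rotate as NoSpamNX describes, plus the check on submission. The secret and the sample submissions are constructed; in WordPress the markup would be printed from the comment_form_after_fields action and the check run from the preprocess_comment filter.

```php
<?php
// Added example, not the code of Invisible Defender or NoSpamNX: a comment
// form honeypot of the kind both plugins describe. Two extra fields are
// hidden with CSS; people never see them and leave them empty, while bots
// that fill every field they find reveal themselves. Field names are derived
// from a secret and the date, so they rotate and cannot be hard-coded by a
// bot. The secret and the sample submissions below are constructed.

const HONEYPOT_SECRET = 'replace-with-a-long-random-secret'; // assumption: comes from config

function honeypot_field_names(string $secret, ?string $day = null): array
{
    $day = $day ?? gmdate('Y-m-d');
    $h = hash_hmac('sha256', $day, $secret);
    return ['hp_' . substr($h, 0, 8), 'hp_' . substr($h, 8, 8)];
}

/** Markup to append to the comment form (comment_form_after_fields in WordPress). */
function honeypot_markup(string $secret): string
{
    [$a, $b] = honeypot_field_names($secret);
    // Hidden with CSS rather than type="hidden": many bots skip hidden inputs
    // but fill anything that looks like a text box.
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
        . '<input type="text" name="' . $a . '" value="" tabindex="-1" autocomplete="off" />'
        . '<input type="text" name="' . $b . '" value="" tabindex="-1" autocomplete="off" />'
        . '</div>';
}

/** Decide on a POSTed comment (preprocess_comment in WordPress). */
function honeypot_submission_is_spam(array $post, string $secret): bool
{
    // Accept today's and yesterday's names, so a form loaded just before
    // midnight still validates.
    foreach ([gmdate('Y-m-d'), gmdate('Y-m-d', time() - 86400)] as $day) {
        $names = honeypot_field_names($secret, $day);
        $present = array_intersect_key($post, array_flip($names));
        if (count($present) === 2) {
            foreach ($present as $value) {
                if (trim((string) $value) !== '') {
                    return true; // a human cannot see these, so any content is a bot
                }
            }
            return false;
        }
    }
    // Neither day's fields came back: the form we rendered was not used, i.e.
    // something POSTed straight to wp-comments-post.php.
    return true;
}

// Constructed submissions:
[$a, $b] = honeypot_field_names(HONEYPOT_SECRET);
$human  = ['author' => 'Ann', 'comment' => 'Nice post', $a => '', $b => ''];
$bot    = ['author' => 'x', 'comment' => 'buy now', $a => 'http://spam.invalid', $b => 'spam'];
$direct = ['author' => 'x', 'comment' => 'posted without ever loading the form'];
foreach (['human' => $human, 'bot' => $bot, 'direct' => $direct] as $label => $submission) {
    printf("%-6s %s\n", $label, honeypot_submission_is_spam($submission, HONEYPOT_SECRET) ? 'spam' : 'ok');
}
```

Two things a practitioner should watch: browser autofill can occasionally populate hidden text fields, so the autocomplete="off" attribute matters and a fallback (sending such comments to moderation rather than discarding them) is kinder than a hard reject; and this stops only automated spam, which is why the plugins above are usually combined with a content filter such as Akismet.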
36. SI CAPTCHA Anti-Spam
SI CAPTCHA adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, or both. In order to post comments, users will have to type in the phrase shown on the image. This prevents spam from automated bots. It works great with Akismet.
37. AntiSpam Bee
AntispamBee protects blogs from digital rubbish. It is made up of sophisticated techniques and analyzes comments including pings. Also, for reasons of data privacy, the use of AntispamBee is a safe solution, as it is anonymous and registration-free.
38. Akismet
Akismet is quite possibly the most important and useful plugin you will ever install. It has been developed by the actual team behind WordPress; if that is not enough of a seal of approval and a guarantee, I don’t know what is.
In a nutshell, Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.
39. reCAPTCHA
The reCAPTCHA plugin is one you have probably seen around on sites such as Facebook, Twitter and StumbleUpon. It isn’t just your average CAPTCHA (an image containing some letters designed so that only humans can read them): it uses words from old books, so every time you solve a reCAPTCHA you are helping to digitise a book. At this point you are probably thinking: if I am telling it what the words say, can I enter anything, and how does that stop spammers? The answer is simple. There are two words, one of which the CAPTCHA already knows and checks you against; the second it doesn’t know, and your answer helps digitise it.
40. WordPress EZ Backup
WordPress EZ Backup is an administrator's plugin that offers an easy and feature-rich way to create backup archives of your entire site (not just the WordPress installation but any part of your site or webspace), along with backups of any MySQL database you choose, and more.
41. WordPress Database Backup
WordPress database backup creates backups of your core WordPress tables as well as other tables of your choice in the same database.
Allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries. Supports automatic scheduling of backing up and optimizing of database.
42. BackUpWordPress
BackUpWordPress is a backup and recovery suite for your WordPress website. This plugin lets you back up the database as well as the files and comes with a rich set of options.