Now listen up WordPress blog owners. According to a recent USA Today report, hackers are hammering websites with up to 450,000 SQL Injection attacks a day. A day! They do it to infect sites, which in turn infect their visitors to turn their computers into attack bots or virus drones. It’s getting nasty out there.
WordPress is the number one blog software around and therefore the number one target for these and other types of attack. No-one is immune: regular Ferret readers will remember we got zapped last summer, and very sordid and painful it was too. So here, in the cause of better security for all, is our list of 16 Essential WordPress Plugins To Protect Your Blog From Hackers. Please pass this info around to fellow WP bloggers, so we can fight this nastiness together!
First things first – go read this article on WordPress.org about hardening your WP installation. Don’t put it off, do it today. Then you’ll have a better idea about the issues you need to deal with. Of course the number one form of protection you can have is to keep your WordPress installation (and the plugins and theme running on it) updated to the most recent version. We learned this the hard way last year! Once you’ve done that you can use some of these cool plugins to provide added protection. Good luck, and remember peeps, it’s a war out there.
- Maximum Security for WordPress. Strangely we’re going to begin by recommending a product which isn’t actually out yet. It is in private beta, but from the looks of the feature list, once it launches this will be the WordPress security plugin to beat. Bookmark or sign up for the alerts.
- WordPress Guard Plugin. Yet another cool free plugin from Angsuman. This one adds an extra layer of password protection to your wp-admin directory, panel and login.
- AntiVirus for WordPress. Scans your WordPress files for malware code and warns you by email if it finds anything suspicious. (See also http://tinyurl.com/aby7he – German version)
- WordPress Firewall. Detects, intercepts and blocks suspicious looking attempts to upload code to your WordPress installation or server. Comprehensive cover.
- Login Lockdown. Logs all failed attempts to log in to your blog. Too many tries result in the offending IP being blocked for a customisable amount of time (default 1 hour).
- Secure WP. Masks your blog’s directories and removes version and plugin information to make it hard for hackers to identify what’s installed. Bear in mind this is concealment, not a fix: it slows casual fingerprinting but is no substitute for keeping the install updated.
- AskApache Password Protect. Brutally efficient password protection for all areas of your blog installation. Be careful, potent plugin.
- WordPress Security Plugin. Blocks rogue script attempts and blacklists IPs. More hands-on than some of the other plugins, but worth keeping in mind.
- WP Prefix Table Changer. Secures your database a little by changing the table prefix (e.g. wp_) to something less guessable. Note that this only obscures the names: an injection that lets an attacker list the database’s tables will find them anyway.
- BlogSecurify. Plugin allows you to remotely check your blog for security vulnerabilities on demand. A little fiddly.
- WordPress Exploit Scanner. Scan your WordPress install for signs of suspicious activity. Searches through both files and the database. Be wary of the server load if you have a heavy-traffic blog.
- WP Security Scan. Scanner plugin looks for vulnerabilities in your install and recommends action to cure the possible dangers.
- WP-Scanner. Measures your WordPress security level with a remote scan. May not work with some themes.
- Secure Form Mailer. Implement a secure contact form on your WordPress blog, with a CAPTCHA and protection against malicious input such as e-mail header injection (where an attacker puts line breaks into a form field to add their own headers or recipients to the message).
- SABRE. Anti-Bot registration plugin. Includes CAPTCHAs and a maths test. Ultimately the safest form of registration for your blog is to switch it off completely, but if you must have user registration, then do it securely.
- Block Long Query. Tiny plugin that rejects requests with abnormally long query strings, a crude way of stopping some XSS and injection payloads. A little obscure, but could still be a useful tool.
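To show what the “protection against e-mail header injection” promised by Secure Form Mailer actually means, here is an added example, written for this page and not code from that plugin or from WordPress, of a contact-form mailer in its vulnerable and hardened forms. It is in Python rather than PHP so the logic stands on its own; the field names, addresses and the malicious submission are constructed for illustration.

```python
"""Added example (not from the original post or from the Secure Form Mailer
plugin): e-mail header injection in a contact form, and the check that stops it.

A form mailer that pastes user input straight into message headers lets an
attacker submit a subject such as "Hello\\r\\nBcc: victim@example.org" and add
headers of their own, turning the form into a spam relay. The fix: refuse
CR/LF and other control characters in anything that lands in a header, and
never let user input choose the envelope recipients. Field names, addresses
and the sample submission below are constructed for illustration.
"""
import re
from email.message import EmailMessage

# Any ASCII control character in a header value (\r and \n above all) is a
# header-injection attempt, or at best malformed input: reject it.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# A single plain addr-spec for the reply address: no spaces, brackets or
# commas, which is how extra recipients get smuggled into address headers.
_SIMPLE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    """Raised when a form field would inject an extra mail header."""


def header_safe(value: str, field: str) -> str:
    """Return the value for use in a header, or raise if it contains control chars."""
    if _CONTROL_CHARS.search(value):
        raise HeaderInjection(f"control character in {field!r}")
    return value.strip()


def build_mail_unsafe(form: dict, to_addr: str) -> str:
    """The vulnerable 'before': form fields are concatenated into raw headers."""
    return (
        f"From: {form['email']}\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: {form['subject']}\r\n"
        f"\r\n{form['message']}"
    )


def build_mail_safe(form: dict, to_addr: str, from_addr: str) -> EmailMessage:
    """The hardened version: validated headers, fixed sender and recipient."""
    sender = header_safe(form["email"], "email")
    if not _SIMPLE_ADDR.match(sender):
        raise HeaderInjection("reply address is not a single plain address")
    msg = EmailMessage()
    msg["From"] = from_addr        # a site-owned address, never the visitor's
    msg["To"] = to_addr            # fixed recipient; user input never picks it
    msg["Reply-To"] = sender
    msg["Subject"] = header_safe(form["subject"], "subject")
    msg.set_content(form["message"])  # the body may contain newlines; headers may not
    return msg


def count_headers(raw: str, name: str) -> int:
    """Count occurrences of a header name in a raw message (demo helper)."""
    head = raw.split("\r\n\r\n", 1)[0]
    prefix = name.lower() + ":"
    return sum(1 for line in head.split("\r\n") if line.lower().startswith(prefix))


# Constructed malicious submission: the subject carries a CRLF and a Bcc header.
EVIL_FORM = {
    "email": "attacker@example.com",
    "subject": "Hello\r\nBcc: victim1@example.org, victim2@example.org",
    "message": "buy now",
}


def demo(form: dict = EVIL_FORM) -> dict:
    """Feed the same submission to both builders and report what happened."""
    raw = build_mail_unsafe(form, "owner@example.com")
    result = {"unsafe_bcc_headers": count_headers(raw, "Bcc")}
    try:
        build_mail_safe(form, "owner@example.com", "forms@example.com")
        result["safe_rejected"] = False
    except HeaderInjection:
        result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The two things that matter are that every value destined for a header is checked for control characters before it gets there, and that the visitor never controls who the mail is addressed to: the recipient is fixed, the sender is the site’s own address, and the visitor’s address only ever appears in Reply-To. Stripping the offending characters instead of rejecting the submission is also acceptable, but rejecting is simpler to get right.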
Our top 3 tips:
- Keep your WordPress install updated to the latest version.
- Disable user registrations.
- Mask your blog directories and protect your wp-admin folder.
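Tip three is about gating access to wp-admin, and Login Lockdown (above) is the plugin in the list that does this at the login form itself. As an added example, not code from the original post or from Login Lockdown, this Python model shows the lockout logic such a plugin implements: failures are counted per client IP inside a sliding window, and once they reach the threshold that IP is refused for a fixed period. The one-hour lockout matches the default quoted above; the three-failures-in-five-minutes threshold, the IP addresses and the attempt log are constructed for illustration.

```python
"""Added example (not code from the original post or from the Login Lockdown
plugin): the per-IP lockout logic such a plugin implements. Failed logins are
recorded per client IP; once the failures inside a sliding window reach the
threshold, every further attempt from that IP is refused for the lockout
period (one hour, the plugin default quoted in the post). The threshold,
window, IP addresses and sample attempt log are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLockdown:
    max_failures: int = 3          # failed attempts allowed ...
    window_seconds: int = 300      # ... within this many seconds ...
    lockout_seconds: int = 3600    # ... before the IP is blocked for this long
    _failures: dict = field(default_factory=lambda: defaultdict(deque))
    _locked_until: dict = field(default_factory=dict)

    def is_locked(self, ip: str, now: float) -> bool:
        """True while the IP is inside its lockout period; clears expired locks."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]       # lockout over: start counting afresh
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggers a lockout."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()                      # drop failures older than the window
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A correct login wipes the IP's failure history."""
        self._failures.pop(ip, None)

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Gate one login attempt. Returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"                  # refused even if the password is right
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip, now)
        return "failed"


# Constructed attempt log: (seconds since start, client IP, password correct?)
SAMPLE_ATTEMPTS = [
    (0,    "203.0.113.5", False),
    (10,   "203.0.113.5", False),
    (20,   "203.0.113.5", False),   # third failure inside the window: locked
    (30,   "203.0.113.5", True),    # correct password, still refused
    (40,   "198.51.100.7", False),  # another client is unaffected
    (50,   "198.51.100.7", True),
    (3700, "203.0.113.5", True),    # the one-hour lockout has expired
]


def replay(attempts=SAMPLE_ATTEMPTS) -> list:
    """Run the sample log through a fresh LoginLockdown and return the verdicts."""
    guard = LoginLockdown()
    return [guard.attempt(ip, ok, t) for t, ip, ok in attempts]


if __name__ == "__main__":
    for (t, ip, ok), verdict in zip(SAMPLE_ATTEMPTS, replay()):
        print(f"t={t:5d} {ip:14s} password_ok={ok!s:5s} -> {verdict}")
```

Two caveats that come with this design. A locked IP is refused even when the password is right, so an attacker who fails three times from behind the same NAT or proxy as you can lock you out of your own blog; keep a way back in (SFTP access to disable the plugin, or a whitelist for your own address). And counting per IP does nothing against the bot networks mentioned at the top of this post, which can spread their guesses across thousands of addresses, so a lockdown plugin buys you time but never replaces a strong admin password and an up-to-date install.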