Since I recently had my old server hacked, this subject is near and dear to my heart. I got a real crash course in WordPress security due to this experience and hope that I can pass some advice on so others don’t suffer my fate. Approximately 15% of the websites on the web are run on the WordPress platform (about 61.9 MILLION sites). Because of its popularity, one of the negatives about using WordPress is that it is a target for hackers. No site is bulletproof. Gmail, Yahoo, and even Amazon have been hacked. I was told by someone that even the Pentagon gets hacked on a regular basis.
The good news about this, albeit a bit morbid, is that many hacking efforts tend to be automated (through bots and scripts) since they want to affect as many sites as possible. This relegates the hackers to a carpet-bombing approach by attempting to attack the most common vulnerabilities apparent in a fresh WordPress installation. Tweaking some of these basics will give you a huge advantage, statistically speaking. So, in lay-speak, you don’t have to outrun the bear, you just have to outrun the folks around you. Here are some tips for eliminating the most common risks that most folks are completely unaware of and rarely fix. This installment of this multi-part series will focus on what is considered by many to be the easiest aspect of security – plugins.
Plugins are defined by WordPress.org as:
Plugins can extend WordPress to do almost anything you can imagine. In the directory you can find, download, rate, and comment on all the best plugins the WordPress community has to offer.
Another way to look at this is that plugins are bundled code which you can add to your site as modules that are maintained by the developer and not you. This is a good thing. At the time of this post, there are officially 16,609 plugins registered and approved by the official WordPress.org site. There are MANY premium (not free) plugins out there in addition to these. I am going to focus on the free ones here as most of the folks reading this probably want to a) make use of this right now and b) may not be comfortable enough with the platform to commit any financial resources to it. In time, you will find the premium plugins for WordPress that are worth it for you – and that’s fine.
Hackers can get into your site in a number of ways and do some pretty nasty stuff. Their mischief ranges from hijacking your visitors’ clicks to erasing your site. You want to keep your risks to a minimum, and this list of plugins will significantly help with that. I recommend using all of these:
- Akismet – This plugin comes loaded when you install WordPress and helps to protect your blog from comment and trackback spam. This isn’t something a hacker would use to bring your site down, but it’s just good policy to use it. Akismet is also useful to help secure contact forms, which are a common method for hackers to enter and mess with your site.
- Fast Secure Contact Form – Like I just mentioned, hackers can get into your site and send spam messages through your forms if you don’t protect them. If the theme you are using has a contact form built in, STOP USING IT. These are generally the most susceptible. Use Fast Secure Contact Forms at the very least. There are others but this is free and it works great. It’s pretty simple too.
- Bad Behavior – Denies automated spambots access to your site. Works automatically and has very few settings.
- Chap Secure Login – Will hide your password during login in an insecure environment (a public computer or when you are sharing someone else’s Wi-Fi connection). Adds encryption to the password when sending it to your servers.
- Exploit Scanner – Scans your WordPress site for possible exploits. This plugin is a bit more complicated, as it will find EVERY kind of exploit by definition. So if you have a good plugin, it could pick up some false positives; but it’s good to err on the side of safety. You will need someone who knows what they are doing to make sure the things this plugin picks up are taken care of properly.
- Login LockDown – Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. A nice feature of this plugin is that it guards against brute force attacks on your site. If someone tries to log into your site with an incorrect password too many times, they are locked out.
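To make the per-IP-range lockout idea concrete, here is an added Python example (not the plugin’s own code) that counts failed logins per /24 inside a sliding window and locks the whole range once a threshold is reached. The event list, thresholds and addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample of failed-login events: (seconds since start, client IP).
# Made-up values for the demo, not data from a real server.
FAILED_LOGINS = [
    (0, "203.0.113.10"),
    (5, "203.0.113.11"),
    (9, "203.0.113.12"),    # third failure from the same /24 within the window: lockout
    (14, "203.0.113.13"),   # rejected outright: the range is locked
    (20, "198.51.100.7"),   # unrelated range, first failure only
    (400, "203.0.113.14"),  # lockout has expired; counted as a fresh first failure
]

class LoginLockdown:
    """Lock out an IP range after too many failed logins in a time window.

    Failures are counted per range (default /24) rather than per address, so
    rotating through neighbouring addresses still trips the limit.
    """

    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=300, prefix=24):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.prefix = prefix
        self.failures = defaultdict(deque)   # range -> timestamps of recent failures
        self.locked_until = {}               # range -> time at which the lockout ends

    def _range(self, ip):
        return ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip, now):
        return self.locked_until.get(self._range(ip), -1) > now

    def record_failure(self, ip, now):
        """Record a failed login; return True if this failure triggers a lockout."""
        rng = self._range(ip)
        recent = self.failures[rng]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            recent.clear()
            return True
        return False

def replay(events, tracker):
    """Feed events through the tracker; return the ranges that got locked out."""
    locked = []
    for ts, ip in events:
        if tracker.is_locked(ip, ts):
            continue   # a real login handler would reject the attempt here
        if tracker.record_failure(ip, ts):
            locked.append(str(tracker._range(ip)))
    return locked
```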
- Sucuri Security – Basic security checks for securing your WordPress installation. This is one of the best, in my opinion.
- TAC (Theme Authenticity Checker) – Scans all of your theme files for potentially malicious or unwanted code. Themes are something that many security plugins ignore. This was particularly helpful for me.
- Sucuri Security – Excellent. Helps you secure your WordPress installation and suggests corrective actions for: Passwords, File permissions, Database security, Version hiding, and WordPress admin protection/security. This plugin is one of the most useful and easy ways to secure your site.
- WordPress File Monitor Plus – Comprehensively monitors your website for added/changed/deleted files. This plugin can become cumbersome, as it will alert you to ANY changes made to ANY files on your servers. This includes updating themes and plugins, so be aware of that. However, if somebody else has modified any of your files, you will be happy you have this.
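The added/changed/deleted detection described above boils down to comparing a stored baseline of file hashes with a fresh scan. This added Python example (not the plugin’s code) does exactly that over a constructed miniature site tree, including the legitimate-edit case the post warns about, which shows up as “changed” just like a tampered file would.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            state[rel] = h.hexdigest()
    return state

def diff_snapshots(baseline, current):
    """Classify every path as added, changed or deleted relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in set(baseline) & set(current)
                          if baseline[p] != current[p]),
    }

def demo():
    """Build a constructed mini site tree, take a baseline, alter it, and report."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        files = {
            os.path.join(root, "index.php"): "<?php require 'wp-blog-header.php';",
            os.path.join(theme, "functions.php"): "<?php // theme code",
            os.path.join(theme, "style.css"): "/* demo */",
        }
        for path, body in files.items():
            with open(path, "w") as fh:
                fh.write(body)
        baseline = snapshot(root)   # what the monitor would store after a clean install
        # Simulated changes: theme file edited, stray file dropped in, stylesheet removed
        with open(os.path.join(theme, "functions.php"), "a") as fh:
            fh.write("\n// appended line")
        with open(os.path.join(root, "wp-content", "extra.php"), "w") as fh:
            fh.write("<?php // file that was not there at baseline")
        os.remove(os.path.join(theme, "style.css"))
        return diff_snapshots(baseline, snapshot(root))
```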
I have tested all of these on several different themes and frameworks and I have not been able to detect any conflicts, so you can go ahead and install them all with confidence. This list is by no means all-inclusive, nor is this post a completely comprehensive solution to securing your WordPress site; however, it is a great start, and I did say this was a multi-part post. Look for more on this subject soon.
OK, so that’s my 10. Did I miss any that you think are great?