Top 10 Latest Powerful WordPress Security Plugins and Tips & Tricks

After putting all of the time, and perhaps money, into your WordPress website or blog, it's now time to secure and protect it from outside enemies and general bad guys: hackers, spammers and all round tossers.

If your WP development knowledge is limited, your best option is to download and install plugins. They are easy to install and manage and will give you all the power and security you could ever hope for. Of course, no plugin is powerful enough to protect you from everything; we can only minimize the possible intrusions.

Below, we have twenty plugins that will help you protect your WordPress installation.

1) WP Security Scan

Link: http://wordpress.org/extend/plugins/wp-security-scan/
Description: Scans your WordPress installation for security vulnerabilities and suggests corrective actions.

  • passwords
  • file permissions
  • database security
  • version hiding
  • WordPress admin protection/security
  • removes WP Generator META tag from core code

2) Secure WordPress

Link: http://wordpress.org/extend/plugins/secure-wordpress/
Description: A little help to secure your WordPress installation: removes error information on the login page; adds index.html to the plugin directory; removes the wp-version, except in the admin area.

  • removes error-information on login-page
  • adds index.php plugin-directory (virtual)
  • removes the wp-version, except in admin-area
  • removes Really Simple Discovery
  • removes Windows Live Writer
  • remove core update information for non-admins
  • remove plugin-update information for non-admins
  • remove theme-update information for non-admins (only WP 2.8 and higher)
  • hide wp-version in backend-dashboard for non-admins
  • Add string for use WP Scanner
  • Block bad queries

This plugin requires the world's #1 web server, Apache, and web host support for .htaccess files.

3) Chap Secure Login
Link: http://wordpress.org/extend/plugins/chap-secure-login/
Description: Whenever you log in to your website, this plugin lets you transmit your password in encrypted form. The encryption is done by the CHAP protocol; this is particularly useful when you can’t use SSL or other kinds of secure protocols. With the ChapSecureLogin plugin active, the only information transmitted unencrypted is the username; the password is hidden with a random number (nonce) generated by the session and suitably transformed by the MD5 algorithm. On the first login there will be an error, but don’t worry, it is only a technical error. On the next login, if the values are correct, there will be no errors, but take note that the password will be sent unencrypted.
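
A sketch of the nonce-and-MD5 exchange this description outlines, added here as an example and not taken from the plugin. The exact formula (MD5 of the stored MD5 password hash concatenated with the nonce), the class and the function names are assumptions.

```python
import hashlib
import hmac
import secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def client_response(password: str, nonce: str) -> str:
    """What the browser sends instead of the password (assumed formula)."""
    return md5_hex(md5_hex(password) + nonce)

class Server:
    def __init__(self, stored_hashes: dict):
        # username -> MD5(password). In this construction the stored hash is
        # all a client needs to answer a challenge; only the wire is protected.
        self.stored = stored_hashes
        self.pending = {}  # session id -> nonce issued for that session

    def challenge(self, session_id: str) -> str:
        """Issue a fresh random nonce bound to the session."""
        nonce = secrets.token_hex(16)
        self.pending[session_id] = nonce
        return nonce

    def verify(self, session_id: str, username: str, response: str) -> bool:
        # pop() makes the nonce single-use, so a captured response cannot be replayed.
        nonce = self.pending.pop(session_id, None)
        stored = self.stored.get(username)
        if nonce is None or stored is None:
            return False
        expected = md5_hex(stored + nonce)
        return hmac.compare_digest(expected, response)

def demo() -> list:
    """Constructed exchange: valid login, replay of the same response, wrong password."""
    server = Server({"admin": md5_hex("correct horse")})
    nonce = server.challenge("sess-1")
    captured = client_response("correct horse", nonce)
    first = server.verify("sess-1", "admin", captured)
    server.challenge("sess-2")
    replay = server.verify("sess-2", "admin", captured)
    nonce3 = server.challenge("sess-3")
    wrong = server.verify("sess-3", "admin", client_response("guess", nonce3))
    return [first, replay, wrong]
```

The username and the session cookie still travel in the clear, so this covers only the password field.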

4) Invisible Defender
Link: http://wordpress.org/extend/plugins/invisible-defender/
Description: This plugin protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS. This approach gave me 100% anti-spam protection on one of my sites.

The idea behind this plugin is simple: spambots either fill every form field they find (generic spambots) or fill WordPress-specific fields only (spambots which recognise WP or target WP only). Therefore it is sufficient to add two extra text fields to the form (one empty and one with a predefined value) and check their values after the form is submitted. The first field (the empty one) will be filled by generic spambots, and the second one will not be filled by spambots targeting WP only. With these two simple checks probably all spambots can be easily detected, so WP can return the error “403 Forbidden” for them.

These two extra fields are hidden with a CSS rule, so they will not be visible to most users. Only users with text-based browsers (and very old ones which do not support CSS) will see them, but don’t be afraid – the plugin has a special message for them.

Not surprisingly, some spammers found Invisible Defender too and updated their spamming software to detect and bypass this plugin. Therefore I started adding new protection methods. The first one is a blacklist for heavy spammers; more will be added soon.

Invisible Defender also shows the number of blocked spammers in the Dashboard, so you can see that it really works.
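
The two-field check described above, as an added example that is not the plugin's own code. The field names, the preset value and the sample submissions are hypothetical, since the page does not give the plugin's.

```python
from html import escape

# Hypothetical names and value; constructed for this example.
TRAP_EMPTY = "homepage_url"    # rendered empty, must never come back filled
TRAP_PRESET = "form_check"     # rendered with a value, must come back unchanged
PRESET_VALUE = "keep-me-7c1e"

def render_traps() -> str:
    """HTML for the two trap fields, hidden by CSS, with a note for non-CSS browsers."""
    return (
        '<div style="display:none">'
        "Please leave the next two fields exactly as they are."
        f'<input type="text" name="{escape(TRAP_EMPTY)}" value="">'
        f'<input type="text" name="{escape(TRAP_PRESET)}" value="{escape(PRESET_VALUE)}">'
        "</div>"
    )

def check_submission(form: dict) -> tuple:
    """Return (HTTP status, reason) for a submitted login, registration or comment form."""
    # Check 1: a generic bot fills every field it finds, including the empty trap.
    if form.get(TRAP_EMPTY, "").strip():
        return 403, "empty trap field was filled"
    # Check 2: a bot that posts only the stock WordPress fields never sends the
    # preset field, or sends it altered, because it did not submit the real form.
    if form.get(TRAP_PRESET) != PRESET_VALUE:
        return 403, "preset trap field missing or changed"
    return 200, "ok"

# Constructed sample submissions.
HUMAN = {"author": "Ann", "comment": "Nice post",
         TRAP_EMPTY: "", TRAP_PRESET: PRESET_VALUE}
GENERIC_BOT = {"author": "x", "comment": "spam",
               TRAP_EMPTY: "http://spam.example", TRAP_PRESET: "http://spam.example"}
WP_ONLY_BOT = {"author": "x", "comment": "spam"}
```

A bot that parses the form and echoes both fields back untouched passes both checks, which is the bypass the description goes on to mention.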

5) AskApache Password Protect
Link: http://wordpress.org/extend/plugins/askapache-password-protect/
Description: This plugin doesn’t control WordPress or mess with your database; instead it utilizes fast, tried-and-true built-in security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog resulting in a hacked site.

You can set up Password Protection for your blog using HTTP Basic Authentication, or you can choose to use the more secure HTTP Digest Authentication.

The power of this plugin is that it creates a virtual wall around your blog allowing it to stop attacks before they even reach your blog to deliver a malicious payload. In addition this plugin also has the capability to block spam with a resounding slap, saving CPU, Memory, and Database resources. Choose a username and password to protect your entire /wp-admin/ folder and login page. Forbid common exploits and attack patterns with Mod_Security, Mod_Rewrite, Mod_Alias and Apache’s tried-and-true Core Security features. This plugin requires the world’s #1 web server, Apache, and web host support for .htaccess files.

Has a user-contributed attack signature system modeled after the Snort Intrusion Detection and Prevention system, Nessus Vulnerability Scanner, and the Web Application Firewall ModSecurity.

6) Admin SSL
Link: http://wordpress.org/extend/plugins/admin-ssl-secure-admin/
Description:

  • Forces SSL on all pages where passwords can be entered.
  • Works with both Private and Shared SSL.
  • Can be installed on WordPress MU to force SSL across all blogs (only works if you have a Private SSL certificate installed) from WPMU 1.3 upwards.
  • Custom additional URLS (e.g. wp-admin/) can be secured through the config page.
  • You can choose where you want the Admin SSL config page to appear!
  • Works on WordPress 2.2 – 2.7; it will not work on previous versions.

7) HTTP Authentication
Link: http://wordpress.org/extend/plugins/http-authentication/
Description: The HTTP Authentication plugin allows you to use existing means of authenticating people to WordPress. This includes Apache’s basic HTTP authentication module and many others.

8) Login LockDown
Link: http://wordpress.org/extend/plugins/login-lockdown/
Description: Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.
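
The lockout rule with the defaults quoted above (3 failures within 5 minutes, 1 hour lock), as an added example that is not the plugin's code. Treating an "IP range" as a /24 for IPv4 and a /64 for IPv6 is an assumption, as are the class and method names; timestamps are passed in as seconds so the logic can be exercised without waiting.

```python
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES = 3         # failed attempts that trigger a lock
WINDOW = 5 * 60          # seconds in which those attempts must fall
LOCKOUT = 60 * 60        # seconds the range stays locked
PREFIX_V4, PREFIX_V6 = 24, 64   # assumed meaning of "IP range"

def ip_range(ip: str) -> str:
    """Map an address to the network block that shares its fate."""
    addr = ipaddress.ip_address(ip)
    prefix = PREFIX_V4 if addr.version == 4 else PREFIX_V6
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)   # range -> timestamps of recent failures
        self.locked_until = {}               # range -> time the lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        return self.locked_until.get(ip_range(ip), 0) > now

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed login; return True if the range is now locked."""
        key = ip_range(ip)
        recent = self.failures[key]
        recent.append(now)
        # Drop failures that have aged out of the 5 minute window.
        while recent and recent[0] <= now - WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT
            recent.clear()
        return self.is_locked(ip, now)

    def release(self, ip: str) -> None:
        """Manual release by an administrator."""
        key = ip_range(ip)
        self.locked_until.pop(key, None)
        self.failures.pop(key, None)
```

Because the counter is keyed by range, failures from different addresses in one block add up, and one lock covers every address in that block.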

9) Akismet
Link: http://wordpress.org/extend/plugins/akismet/
Description: Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.

Want to show off how much spam Akismet has caught for you? Just put in your template.

10) TAC – Theme Authenticity Checker
Link: http://wordpress.org/extend/plugins/tac/
Description: TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.

Then what do you do? Just because the code is there doesn’t mean it’s not supposed to be or even qualifies as a threat, but most theme authors don’t include code outside of the WordPress scope and have no reason to obfuscate the code they make freely available to the web. We recommend contacting the theme author with the code that the script finds, as well as where you downloaded the theme. The real value of this plugin is that you can quickly determine where code cleanup is needed in order to safely enjoy your theme.

I hope the above list will help you to protect your blog 100%. Please provide your thoughts and comments in the comment section.

Thanks,
Arpit Shah

  • http://keephide.us Celesta Satre

    It stands for Virtual Private Network and you need Software to do it and truthfully you don’t need it. This is for high profile Corporate Networks that are anal about security.

  • http://www.freethemesforwp.net/ top wp themes

    After reading this article I am sure I can improve my wordpress blog a lot. This will help me.
