After putting in all of the time, and perhaps money, into your WordPress website or blog, its now time to secure and protect it from outside enemies and general bad guys: hackers, spammers and all round tossers.
If your WP development knowledge is limited, your best option is to download and install plugins. They are easy to install and manage and will give you all the power and security you could ever hope for. Of course, no plugin is powerful enough to protect you from everything, we can only minimize the possible intrusions.
Below, we have twenty plugins that will help you protect your WordPress installation.
This plugin protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS.
The idea behind Invisible Defender is simple: SPAMBOTs either fill every form field they find (generic spambots) or fill WordPress-specific fields only (spambots which will recognise WP or are targeting WP only). Therefore it is sufficient to add two extra text fields to form (one empty and one with predefined value), and check their value after the form is submitted. The first field (the empty one) will be filled by generic spambots, and the second will not be filled by spambots targeting WP only. With these two simple checks, all spambots can be easily detected, so WP can return error "403 Forbidden" for them.
Requires WP 2.7 or higher, compatible up to WP 2.8.4.
The powerful Maximum Security plugin for WordPress is packed with strong protection that makes your site extremely secure. It guards against intrusion; tracks a plethora of events; blocks malicious content that could harm your readers and your search engine ranking; and includes a strong Web application firewall along with a full blown intrusion prevention system.
WP Security Scan Homepage & Download »
The regularly updated WP Security Scan scans your WordPress installation for security vulnerabilities and suggests corrective actions.
It checks for vulnerable passwords, file permissions, database security, it hides the WP version, WordPress admin protection/security and it removes the WP Generator META tag from the core code. Powerful plugin.
Requires WP 2.3 or higher and is compatible up to WP 2.8.
AskApache Password Protect Homepage & Download »
This plugin doesn't control WordPress or mess with your database, instead it utilizes fast, tried-and-true built-in Security features to add multiple layers of security to your blog. This plugin is specifically designed and regularly updated specifically to stop automated and unskilled attackers attempts to exploit vulnerabilities on your blog resulting in a hacked site.
The power of this plugin is that it creates a virtual wall around your blog allowing it to stop attacks before they even reach your blog to deliver a malicious payload. In addition this plugin also has the capability to block spam with a resounding slap, saving CPU, Memory, and Database resources.
Requires WP 2.6 or higher and is compatible up to WP 2.9-rare.
Admin SSL secures your login page, admin area, posts, pages – anything you want – using Private or Shared SSL. The plugin forces SSL on all pages where passwords can be entered and it can also work with both Private and Shared SSL.
A great feature of this plugin is that it can be installed on WordPress MU to force SSL across all of the blogs (only works if you have a Private SSL certificate installed).
When installing this plugin, please, make sure you set your Shared SSL URL correctly, or you will render your blog admin pages inaccessible.
Requires WP2.2 or higher and is compatible up to WP 2.7.1.
Secure WordPress Homepage & Download »
As the title says, Secure WordPress, helps to secure your WordPress installation by removing error information on login pages, adds index.html to the plugin directory; removes the WP-version, except in the admin area.
Requires WP 2.6 or higher and is compatible up to WP 2.9-rare.
ChapSecureLogin Homepage & Download »
Whenever you try to login into your website, you can use this plugin to process your password encrypted. The encryption process is created by the Chap protocol; this is particularly useful when you can't useSSL or any other kinds of secure protocols. By activating the ChapSecureLogin plugin, the only information transmitted unencrypted is the username, the password is hidden by using a random number generated by the session – and transformed by the MD5 algorithm.
In the first login there will be an error, but don't worry this is only a technical error. In the secong login's operation, if the values are correct, there will not be any errors, and you will achieve a smooth login.
Requires WP 2.5 or higher and is compatible up to WP 2.7.1.
TAC – Theme Authenticity Checker Homepage & Download »
TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If any bad code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3 TAC also searches for and displays static links.
The real value of this plugin is that you can quickly determine where code cleanup is required.
Requires WP 2.2 or higher and is compatible up to WP 2.8.
The HTTP Authentication plugin allows you to use existing means of authenticating users for WordPress. This includes Apache's basic HTTP authentication module and many others.
Requires WP 2.5.1 or higher and is compatible up to WP 2.8.4.
Login LockDown WordPress Security Homepage & Download »
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP address, then the login function is disabled for all requests from that range.
This helps to prevent brute force password discovery. Currently, the plugin defaults to a one hour lock out for any IP address block after three failed login attempts within a 5 minute period. Admisitrators can release locked out IP ranges manually from the panel.
Requires WP 2.5 or higher and is compatible up to WP 2.8.4.
This plugin allows you to create custom URLs for logging in and logging out of the WP administration area. Instead of displaying your login url on the homepage, you can create a url of your choice that can be easier to remember than wp-login.php, for example you could set your login url to http://www.myblog.com/login for an easy way to login to your website.
You can also enable "Stealth Mode" which will prevent users from being able to access 'wp-login.php' directly. You can then set your login url to something more cryptic. This won't secure your website entirely, but if someone does manage to crack your password, it can make it difficult for them to find the actual login page.
Requires WP 2.3 or higher and is compatible up to WP 2.7.1.
AntiVirus for WordPress Homepage & Download »
AntiVirus for WordPress is a smart and effective solution to protect your blog against exploits and spam injections. Some of its features include: monitors possible platform vulnerabilities, virus injections, malicious links, etc. It can also send you email notifications and whitelisting.
Requires WP 2.6 or higherand is compatible up to WP 2.8.4.
NoSpamNX is the successor of Yawasp (Yet Another WordPress antispam plugin) and is a plugin to protect against automated comment spam (spambots). While Yawasp changed the names of the form fields in the comment template, NoSpamNX works without these modifications, but is equally effective. By eliminating the need for modifications within the form field maximum compatibility with other WordPress plugins or browsers is ensured.
When calling the comment form NoSpamNX adds extra fields (hidden before the “normal” user) automatically to your comment template. When a comment is saved, these fields are checked. For additional protection, the order and the values of these fields change periodically, so that no spambot can adapt to a specific blog adapt.
Requires WP 2.7 or higher and is compatible up to WP 2.8.4.
Akismet Homepage & Download »
Akismet is quite possibly the most important and useful plugin you will ever install. It has been developed by the actual team behind WordPress, if that is not enough of a seal of of approval and a guarantee, I don't know what is.
In a nutshell, Akismet checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog's "Comments" admin screen.
Requires WP2.0 or higher and is compatible up to WP 2.8.4.
SI CAPTCHA for WordPress Homepage & Download »
SI CAPTCHA adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, or both. In order to post comments, users will have to type in the phrase shown on the image. This prevents spam from automated bots. It works great with Akismet.
Requires WP 2.6 or higher and is compatible up to WP 2.8.4.
AntispamBee for WordPress Homepage & Download »
AntispamBee protects blogs from digital rubbish. It is made up of sophisticated techniques and analyzes comments including pings. Also, for reasons of data privacy, the use of AntispamBee is a safe solution, as it is anonymous and registration-free.
Requires WP 2.1 or higher and is compatible up to WP 2.8.4.
BackUpWordPress is a Backup & Recovery Suite for your WordPress website. This Plugin allows you to backup database tables as well as files and comes with a rich set of options.
You can choose from either EasyMode or AdvancedMode, depending on your level of WP knowledge.
Requires WP 2.1 or higher and is compatible up to WP 2.3.1.
WordPress Database Backup Homepage & Download »
WordPress Database Backup creates backups of your core WordPress tables as well as other tables of your choice in the same database. Once the database is backed up you have the option of either emailing the backup to yourself, saving it your hard drive or saving it on the server.
This plugin is not as feature rich as BackUpWordPress (above), but if you want a quick backup, this is for you.
WordPress EZ Backup Plugin Homepage & Download »
WordPress EZ Backup is an easy to use plugin that allows you to quickly create Backup Archives of your entire Site (not just WP Installations, any part of your site or webspace) and allows backup archives of any MySQL Database you choose.
Requires WP 2.8.2 or higher and is compatible up to: 2.8.4.
This is a simple plugin, not necessarily for security, but certainly for privacy, that allows for access-restricted posting, allowing bloggers to discuss sensitive subjects without Google or the world finding the post.
After plugin activation, an administration panel is added to your "Users" and "Plugins" tabs, allowing you to create user groups and manage WP Sentry's other options. The creation of user groups is completely optional, although it does make things a little easier.
Requires WP 2.5.0 or higher and is compatible up to WP 2.8.4.
This article focuses on defending the administration area of WordPress, meaning all those pages in the wp-admin folder (or http://www.yourblog.com/wp-admin/) that are displayed after a user is verified. It should be explicitly understood that only a simple query stands in the way of an evil hacker and the powerful admin area of your whole blog. The latter is only as strong as the passwords that are generated.
To help make an attack more difficult, this article outlines ten steps to follow to protect your WordPress installation. These solutions do not guarantee 100% security, but you can create an effective wall on a hacker’s way to the administration area.
10 Steps To Protect The Admin Area In WordPress »
WordPress being open source means that the chances of malicious attacks being successful are higher because the project’s source code can be easily obtained and studied for vulnerabilities.
However, the good news is that there are steps that you can take to give your WordPress sites an extra layer of security.
This article highlights several tips and hacks that you can use to secure and lock down your WordPress site and to fortify it from attacks.
12 Essential Security Tips and Hacks for WordPress »
In this article there are 10 security tips that are very easy to implement, but very important, tips and hacks on your WordPress blog.
WordPress Security Tips and Hacks »
Spam is a nuisance, and as bloggers, we have all experienced a flood of spam every now and then. Not only is it a pain, but it can slow down your blog and use up your resources. In this post you’ll look at ten ways to combat spam.
Top 10 ways to stop spam in WordPress »