Lots of bloggers and website administrators fail to recognize the importance of securing their blog. What will you do if the website from which you were earning thousands of dollars per month gets hacked or infected by a hidden iFrame injection (Trojan), or someone cracks your password and tries to blackmail you? Google takes it very seriously if your site is spreading malware (which you may not know about beforehand) and posts an advisory against such sites in its search results. If visitors see the message “This site may harm your computer” when they try to access your website or blog, they may not visit it at all. This can have a cascading effect on search engine rankings, resulting in low traffic and lost income. Advertisers may lose interest in your website.
Use the following link to see what Google thinks about your website (enter your blog's domain instead of mywebsite.com).
Below is a list of 21 WordPress plugins that help make your site or blog more secure.
This security plugin scans all of your theme files for potentially malicious or unwanted code. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. This is very useful if your site has been hit by a hidden iFrame injection attack (Trojan infection).
Attackers use the wp-login.php file to get into your blog and inject malicious content. This plugin lets you create custom URLs for logging in, logging out, administration and registration on your WordPress blog. For example, you can set your login URL to http://www.myblog.com/login. Enable “Stealth Mode” to prevent users from accessing ‘wp-login.php’ directly; you can then set your login URL to something more cryptic. This won’t secure your website perfectly, but if someone does manage to crack your password, it makes it harder for them to find where to actually log in.
This WordPress security plugin adds multiple layers of security to your blog. It protects your blog from automated attackers by putting a virtual wall around it, stopping attacks before they even reach your blog to deliver malicious content. A password can also be set on the blog using HTTP Basic Authentication, or you can choose the more secure HTTP Digest Authentication. The plugin saves a lot of CPU, memory and database resources by blocking spam.
This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. You can set a password, set file permissions and add security to your database. You can change the prefix of the database tables, which usually start with ‘wp_’, to any prefix of your choice, which makes your database more secure. In WordPress themes, under the <head> section, you will notice the WordPress version you are using; this helps an attacker identify which exploit to use against your site. WP Security Scan also removes the WP generator META tag from the core code. There are many other features available to make your blog more secure and keep the hackers away.
This WordPress plugin identifies and stops attacks. It detects suspicious-looking parameters and responds with an innocuous-looking 404 or a home page redirect. You can configure the plugin to email you the details whenever it blocks a potential attack.
With WordPress Firewall you can:
- Turn on or off directory traversal attack detection.
- Turn on or off SQL injection attack detection.
- Turn on or off WordPress-specific SQL injection attack detection.
- Turn on or off blocking executable file uploads.
- Turn on or off remote arbitrary code injection detection.
- Add whitelisted IPs.
- Add additional whitelisted pages and/or fields within such pages that are allowed through the checks above when desirable.
WordPress passwords can be cracked by brute-force password guessing. Whenever anybody tries to log in to your WordPress account, Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery.
By default, if 3 login attempts fail within 5 minutes, the login screen will not be available for the next 1 hour. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
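The lockout rule described above as a small Python model; this is an added example, not the Login LockDown plugin's own code. Treating an “IP range” as a /24 block and passing the clock in as `now` (seconds) are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Added example, not the Login LockDown plugin's code. Defaults follow the post:
# 3 failures within 5 minutes lock the source range for 1 hour. The /24 grouping
# and the injectable clock (`now`, in seconds) are assumptions of this example.


class LoginLockdown:
    def __init__(self, max_failures=3, window_sec=300, lockout_sec=3600, prefix=24):
        self.max_failures = max_failures
        self.window_sec = window_sec
        self.lockout_sec = lockout_sec
        self.prefix = prefix
        self.failures = defaultdict(list)  # range -> timestamps of failed logins
        self.locked_until = {}             # range -> time the lockout expires

    def _range(self, ip):
        # Collapse the address to its network block so the whole range is locked.
        return str(ipaddress.ip_network(f"{ip}/{self.prefix}", strict=False))

    def is_locked(self, ip, now):
        """True while the range containing ip is still locked out."""
        rng = self._range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:                   # lockout expired: clear it
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed login; return True if this failure triggered a lockout."""
        rng = self._range(ip)
        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[rng] if now - t < self.window_sec]
        recent.append(now)
        self.failures[rng] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout_sec
            self.failures[rng] = []        # start counting afresh after the lockout
            return True
        return False

    def release(self, ip):
        """Administrator manually releases the locked-out range (Options panel)."""
        self.locked_until.pop(self._range(ip), None)
```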
When you log in to your blog, WordPress creates a session cookie that is used for authentication. If someone were to steal the cookie, they would be able to use it to get full access to your blog without having to know your password. This plugin prevents that from happening: it makes the cookie specific to your IP address, so it won’t be usable from a different computer.
Safer Cookies ties the WP session cookie to your IP address so that it cannot be used to access your blog from another computer. It is advisable to use this plugin if you have a static IP. If you have a dynamic IP address you will get logged out frequently.
This plugin secures your WordPress login page, admin area, posts and pages, and encrypts cookie content using Private or Shared SSL. Admin SSL works with both Private and Shared SSL.
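One way a cookie can be tied to the client's IP, as an added example that is not the Safer Cookies plugin's code: the IP is included in the HMAC, so the same cookie presented from another address fails verification. `SECRET` is a placeholder and the clock is passed in as `now`.

```python
import hashlib
import hmac

# Added example, not the Safer Cookies plugin's code: a session cookie whose MAC
# covers the client IP, so a copy replayed from another address is rejected.
# SECRET is a placeholder; `now` is an injectable clock in seconds (assumptions).

SECRET = b"placeholder-replace-with-a-long-random-server-secret"


def _sign(user, expires, client_ip):
    # The IP is part of the signed message, which is what ties the cookie to it.
    msg = f"{user}|{expires}|{client_ip}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user, client_ip, now, ttl=3600):
    """Build 'user|expires|mac' for the address the login came from."""
    expires = int(now) + ttl
    return f"{user}|{expires}|{_sign(user, expires, client_ip)}"


def verify_cookie(cookie, client_ip, now):
    """Return the user name if the cookie is valid for this IP, else None."""
    try:
        user, expires, mac = cookie.split("|")
        expires = int(expires)
    except ValueError:                     # malformed cookie
        return None
    if now >= expires:                     # expired
        return None
    # Recompute with the *current* client IP: a different address (or a
    # tampered field) yields a different MAC. compare_digest is constant-time.
    if not hmac.compare_digest(mac, _sign(user, expires, client_ip)):
        return None
    return user
```

A legitimate user whose address changes mid-session fails the same check, which is the dynamic-IP logout the post warns about.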
With Admin SSL you can:
- Force SSL on all pages where passwords can be entered.
- Install on WordPress MU to force SSL across all blogs (only works if you have a Private SSL certificate installed) from WPMU 1.3 upwards.
- Secure custom additional URLs (e.g. wp-admin/) through the config page.
- Choose where you want the Admin SSL config page to appear.
This plugin acts as a detective for your blog and monitors the files under your WordPress installation for changes. Whenever a file changes you will be notified via email. This is very useful for identifying whether your site has been hit by an iFrame virus, which generally adds malicious code to the PHP files. The plugin monitors the file system for added, deleted and changed files and can detect changes based on either file hash or timestamp. It can be configured to exclude directories from the scan (for instance if you use a caching system that stores its files within the monitored zone).
This is one of the more robust WordPress security plugins: it does not send your password in the clear during login over an insecure channel (without SSL). Whenever you log in to your website, the plugin transmits your password in encrypted form. The password is hidden with a random number generated for the session and then transformed with the MD5 algorithm.
WordPress blogs are commonly attacked by automated spambots that fill the comment area with junk. This plugin adds extra fields to your comment form that are invisible to human users. If a spambot fills in these fields blindly (which 99.9% of all spambots do), the comment will not be saved. You can then block these spambots, mark them as spam or put them in the moderation queue. The IP addresses of these spambots can be blocked for 1 hour, 24 hours or indefinitely.
wp-dephorm protects your users from the prying eyes of Phorm. It does this by setting a cookie that opts out of Phorm's information mining, so your blog's visitors will not have their information stored and used in marketing campaigns while viewing your site. The idea is based on a system devised by Dephormation.
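Hash-based change detection of the kind the file-monitoring plugin performs, with an excluded cache directory; this is an added example, not the plugin's code, and `demo()` runs it on a constructed sample tree in a temporary directory.

```python
import hashlib, os, tempfile

# Added example, not the plugin's code: snapshot() maps relative path -> SHA-256
# (skipping excluded dirs such as a cache folder), compare() reports added,
# deleted and changed files, and demo() runs both on a constructed sample tree.

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, exclude=()):
    """Return {relative_path: sha256} for every file under root."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded directories so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in exclude]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            result[rel] = _sha256(os.path.join(dirpath, name))
    return result

def compare(baseline, current):
    """Return (added, deleted, changed) sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, deleted, changed

def _write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Constructed sample: baseline, then modify, add, and touch an excluded file."""
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "wp-content", "cache")
    os.makedirs(cache)
    _write(os.path.join(root, "index.php"), "<?php // original\n")
    _write(os.path.join(cache, "page.tmp"), "cached\n")
    exclude = ("wp-content/cache",)
    before = snapshot(root, exclude)
    _write(os.path.join(root, "index.php"), "/* appended (simulated) */\n", "a")
    _write(os.path.join(root, "new.php"), "<?php\n")
    _write(os.path.join(cache, "other.tmp"), "x\n")   # excluded dir: not reported
    return compare(before, snapshot(root, exclude))
```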
Taking a backup of the database is always advisable. WordPress Database Backup creates backups of your core WordPress tables as well as any other tables of your choice in the same database.
This is one of the most widely used plugins for optimizing, repairing, backing up and restoring the database, deleting backups, dropping or emptying tables and running selected queries. WP-DBManager also supports automatic scheduling of database backups and optimization.
This plugin is similar to NoSpamNX and protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS. The first field (an empty one) will be filled by generic spambots, and the second one will not be filled by spambots targeting WP specifically. With these two simple checks probably all spambots can be detected, so WP can return a “403 Forbidden” error for them.
If you are receiving spam comments every day, this plugin will help you block the spam comments that insert junk characters. WP Hashcash is an antispam plugin that eradicates comment spam on WordPress blogs. It also prevents most trackback/pingback spam, keeping your site user friendly.
This is not a very useful security plugin indeed, as it only provides a list of all files changed on your WordPress site in the last 1-99 days. You choose how many days back in time you wish to go and it lists all files changed in that time frame.
Prevent possible attacks on your WordPress blog by monitoring each request to it; based on the conditions you define in the options pane, the plugin interrupts the attacker’s action and logs it.
WP-Adminprotection secures the backend of your WordPress blog. The WP backend is protected by an IP blocker: you can add as many IPs as you want, and only those are allowed to log in. All others have no access to the WP backend. It is advisable to use this plugin if you have a static IP.
To use this plugin you must have a web server with a proper SSL certificate. Force SSL redirects requests for pages made via http to https, so no one will be able to access the content over an insecure http connection. Nobody can just remove the “s” from “https” and get the content outside of a secure SSL connection.