Top 21 WordPress Security Plugins for Hacker-Proof Blog


Many bloggers and website administrators fail to recognize the importance of securing their blog. What will you do if a website that earns you thousands of dollars per month gets hacked, is infected by a hidden iFrame injection (Trojan), or someone cracks the password and tries to blackmail you? Google takes it very seriously if your site is spreading malware (which you may not know about beforehand) and attaches an advisory to such sites in its search results. If visitors see the message “This site may harm your computer” when they try to access your website or blog, they may not visit it at all. This can have a cascading effect on search engine rankings, resulting in lower traffic and revenue, and advertisers may lose interest in your website.


Use the following link to see what Google thinks about your website (input your blog name instead of


Below is the list of 21 WordPress plugins that help make your site or blog more secure.


TAC (Theme Authenticity Checker)

This security plugin scans all of your theme files for potentially malicious or unwanted code. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. This is very useful if your site has been hacked with a hidden iFrame injection (Trojan infection).
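To show what a scanner of this kind actually does, here is an added example (not TAC's own code): it walks a theme's PHP files, matches each line against a short list of indicators that are typical of injected code (an eval of a decoded string, a hidden iframe, a remote include, a variable function called on request data), and reports file, line number and a snippet, just as the plugin does. The pattern list, the path `themes/demo/footer.php` and the sample file contents are constructed for the demo; `scan_theme_dir()` is the entry point for a real theme directory.

```php
<?php
// Added example (not TAC's own code): a minimal theme-file scanner in the
// spirit of TAC. It walks a theme directory, looks for a few well-known
// indicators of injected code, and reports file, line number and a snippet.
// Pattern list and the sample theme file below are constructed for this demo.

// Indicators commonly seen in injected theme code. Each is a regex; matches are
// findings for a human to review, not proof of compromise.
const SUSPECT_PATTERNS = [
    'eval of decoded string'   => '/\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(/i',
    'hidden iframe'            => '/<iframe[^>]*(visibility\s*:\s*hidden|display\s*:\s*none|width\s*=\s*["\']?0)/i',
    'remote code include'      => '/\b(include|require)(_once)?\s*\(?\s*["\']https?:\/\//i',
    'obfuscated function call' => '/\$[a-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
];

/**
 * Scan one file's contents, returning a list of findings:
 * ['file' => path, 'pattern' => name, 'line' => n, 'snippet' => trimmed line].
 */
function scan_theme_source(string $path, string $contents): array {
    $findings = [];
    foreach (explode("\n", $contents) as $i => $line) {
        foreach (SUSPECT_PATTERNS as $name => $regex) {
            if (preg_match($regex, $line)) {
                $findings[] = [
                    'file'    => $path,
                    'pattern' => $name,
                    'line'    => $i + 1,
                    // Keep the snippet short so a report stays readable.
                    'snippet' => substr(trim($line), 0, 80),
                ];
            }
        }
    }
    return $findings;
}

/** Walk a theme directory and scan every .php file in it. */
function scan_theme_dir(string $dir): array {
    $findings = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $findings = array_merge($findings,
                scan_theme_source($file->getPathname(), file_get_contents($file->getPathname())));
        }
    }
    return $findings;
}

// Constructed sample: a footer.php with an injected block after the legitimate code.
// The base64 string decodes to the harmless "if(1){}".
$sample = <<<'PHP'
<?php wp_footer(); ?>
</body>
</html>
<?php eval(base64_decode('aWYoMSl7fQ==')); ?>
<iframe src="http://example.invalid/" style="visibility:hidden" width="1" height="1"></iframe>
PHP;

foreach (scan_theme_source('themes/demo/footer.php', $sample) as $f) {
    printf("%s:%d [%s] %s\n", $f['file'], $f['line'], $f['pattern'], $f['snippet']);
}
```

Run it with the PHP CLI and it reports lines 4 and 5 of the sample. Pattern matching of this kind finds the common, lazily obfuscated injections; a scanner that reports nothing is not proof that a theme is clean, which is why pairing it with a file-change monitor (see below in the list) is worthwhile.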


Stealth Login

Attackers use the wp-login.php file to access your blog and inject malicious content. This plugin allows you to create custom URLs for logging in, logging out, administration and registration on your WordPress blog. For example you can set your login URL to to log in to your website. Enable “Stealth Mode” to prevent users from being able to access ‘wp-login.php’ directly. You can then set your login URL to something more cryptic. This won’t secure your website perfectly, but if someone does manage to crack your password, it makes it harder for them to find where to actually log in.


Ask Apache Password Protect

This WordPress security plugin adds multiple layers of security to your blog. It protects your blog from automated attackers by creating a virtual wall around it, stopping attacks before they even reach your blog to deliver malicious content. A password can also be set on the blog using HTTP Basic Authentication, or you can choose the more secure HTTP Digest Authentication. The plugin also saves a lot of CPU, memory and database resources by blocking spam.


WP Security Scan

This plugin scans your WordPress installation for security vulnerabilities and suggests corrective actions. You can set passwords, set file permissions and add security to your database. You can change the prefix of the database tables, which is usually ‘wp_’, to any prefix of your choice, which makes your database harder to target. In the <head> section of WordPress themes you will notice the WordPress version you are using, which helps a hacker identify which exploit to use against your site. WP Security Scan also removes the WP Generator META tag that core outputs. There are many other features available to make your blog more secure and keep hackers away.


WordPress Firewall

This WordPress plugin identifies and stops attacks. It detects suspicious-looking parameters and responds with an innocuous-looking 404 or a home page redirect. You can configure the plugin to send you an email with details whenever a potential attack is blocked.

With WordPress Firewall you can-

  • Turn on or off directory traversal attack detection.
  • Turn on or off SQL injection attack detection.
  • Turn on or off WordPress-specific SQL injection attack detection.
  • Turn on or off blocking executable file uploads.
  • Turn on or off remote arbitrary code injection detection.
  • Add whitelisted IPs.
  • Add additional whitelisted pages and/or fields within such pages so that the checks above let them through when desirable.
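The following is an added example (not the WordPress Firewall plugin's code) of the request screening the list above describes: every request parameter is URL-decoded and matched against rules for directory traversal, SQL injection, WordPress-table SQL injection, executable uploads and remote code inclusion; a hit is logged and answered with a plain 404, unless the client IP is whitelisted or the page and field are exempt. The rules, the whitelisted address, the exempt field on `wp-admin/post.php` and the sample requests are all constructed for the demo.

```php
<?php
// Added example (not the WordPress Firewall plugin's code): request screening
// in the style the plugin describes. Each request parameter is matched against
// a few detection rules; a hit is logged and answered with a plain 404 unless
// the client IP is whitelisted or the page/field is exempt. Rules, whitelist
// and the sample requests are constructed for this demo.

const FW_RULES = [
    'directory traversal' => '/(\.\.\/|\.\.\\\\|%2e%2e%2f)/i',
    'sql injection'       => '/(\bunion\b.+\bselect\b|\bselect\b.+\bfrom\b|\bdrop\b\s+\btable\b|--\s|\/\*.*\*\/)/i',
    'wp sql injection'    => '/\bwp_(users|usermeta|options|posts)\b/i',
    'executable upload'   => '/\.(php|phtml|php[3-7]|pl|cgi|exe)$/i',
    'remote code include' => '/https?:\/\/[^\s]+\.(php|txt)\b/i',
];

const FW_WHITELIST_IPS = ['203.0.113.10'];                     // constructed admin IP
const FW_EXEMPT_FIELDS = ['wp-admin/post.php' => ['content']]; // the post editor legitimately carries anything

/**
 * Screen one request. Returns null when clean, otherwise a finding with
 * rule name, field and value, for logging and for the 404 decision.
 */
function fw_screen(array $req): ?array {
    if (in_array($req['ip'], FW_WHITELIST_IPS, true)) {
        return null;
    }
    $exempt = FW_EXEMPT_FIELDS[$req['path']] ?? [];
    // Uploaded file names are checked against the upload rule only.
    foreach ($req['files'] ?? [] as $name) {
        if (preg_match(FW_RULES['executable upload'], $name)) {
            return ['rule' => 'executable upload', 'field' => 'file', 'value' => $name];
        }
    }
    foreach ($req['params'] as $field => $value) {
        if (in_array($field, $exempt, true)) continue;
        $decoded = rawurldecode((string) $value);   // decode once so %2e%2e%2f and ../ are seen alike
        foreach (FW_RULES as $rule => $regex) {
            if ($rule === 'executable upload') continue;
            if (preg_match($regex, $decoded)) {
                return ['rule' => $rule, 'field' => $field, 'value' => $decoded];
            }
        }
    }
    return null;
}

/** Log the finding and answer with an innocuous 404; the rule name never reaches the client. */
function fw_respond(array $req, ?array $finding): string {
    if ($finding === null) return '200 OK';
    error_log(sprintf('firewall block ip=%s path=%s rule=%s field=%s value=%s',
        $req['ip'], $req['path'], $finding['rule'], $finding['field'], $finding['value']));
    return '404 Not Found';
}

// Constructed sample requests.
$requests = [
    ['ip' => '198.51.100.7', 'path' => 'index.php', 'params' => ['p' => '1 UNION SELECT user_pass FROM wp_users']],
    ['ip' => '198.51.100.7', 'path' => 'index.php', 'params' => ['file' => '..%2F..%2Fsecret.txt']],
    ['ip' => '198.51.100.7', 'path' => 'wp-admin/post.php', 'params' => ['content' => 'a -- b'], 'files' => ['shell.php']],
    ['ip' => '203.0.113.10', 'path' => 'index.php', 'params' => ['s' => 'select from the menu']], // would be a false positive; whitelisted
    ['ip' => '198.51.100.9', 'path' => 'index.php', 'params' => ['s' => 'wordpress firewall']],
];
foreach ($requests as $r) {
    echo fw_respond($r, fw_screen($r)), "\n";
}
```

The fourth request is included on purpose: an ordinary search for "select from the menu" trips the SQL rule, which is exactly why the plugin offers whitelisted IPs and exempt fields. Keep the block log and review it, because a rule set like this produces false positives on legitimate traffic as readily as it catches probes.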

WordPress Login Lockdown

WordPress passwords can be cracked by brute-force password guessing. Whenever anybody tries to log in to your WordPress account, Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery.


If 3 login attempts fail within 5 minutes, the login screen will not be available for the next 1 hour. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
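Here is an added example (not the Login LockDown plugin's code) of the lockout logic with exactly the thresholds above: failures are counted per /24 IP range, 3 failures within 5 minutes lock the range for 1 hour, and an administrator can release a range by hand. The store is a plain array so the logic runs stand-alone; the WordPress wiring at the end, using the core `wp_login_failed` action, the `authenticate` filter and transients, is an assumption about how one would attach it. The attacker addresses and the clock values are constructed.

```php
<?php
// Added example (not the Login LockDown plugin's code): failed-login tracking
// with the thresholds described above (3 failures within 5 minutes from one
// IP range locks that range out for 1 hour). The storage is a plain array so
// the logic runs stand-alone; the WordPress hook wiring at the bottom is an
// assumption about how one would attach it and only runs inside WordPress.

const LOCKDOWN_MAX_FAILURES = 3;
const LOCKDOWN_WINDOW       = 300;   // seconds: 5 minutes
const LOCKDOWN_DURATION     = 3600;  // seconds: 1 hour

/** Reduce an IPv4 address to its /24 range, e.g. 198.51.100.7 -> 198.51.100.0/24. */
function lockdown_range(string $ip): string {
    $parts = explode('.', $ip);
    if (count($parts) !== 4) return $ip;   // non-IPv4: treat the address itself as the range
    $parts[3] = '0';
    return implode('.', $parts) . '/24';
}

/** Record a failure; returns true if the range has just become locked. */
function lockdown_record_failure(array &$store, string $ip, int $now): bool {
    $range  = lockdown_range($ip);
    $recent = array_filter($store['failures'][$range] ?? [], fn($t) => $t > $now - LOCKDOWN_WINDOW);
    $recent[] = $now;
    $store['failures'][$range] = array_values($recent);
    if (count($recent) >= LOCKDOWN_MAX_FAILURES) {
        $store['locked'][$range]   = $now + LOCKDOWN_DURATION;
        $store['failures'][$range] = [];
        return true;
    }
    return false;
}

/** True while the range is locked; an expired lock is cleaned up on the way. */
function lockdown_is_locked(array &$store, string $ip, int $now): bool {
    $range = lockdown_range($ip);
    if (isset($store['locked'][$range]) && $store['locked'][$range] > $now) return true;
    unset($store['locked'][$range]);
    return false;
}

/** Administrator action: release a range manually. */
function lockdown_release(array &$store, string $ip): void {
    $range = lockdown_range($ip);
    unset($store['locked'][$range], $store['failures'][$range]);
}

// Stand-alone walk-through with a constructed attacker range and clock.
$store = ['failures' => [], 'locked' => []];
$t0 = 1700000000;
lockdown_record_failure($store, '198.51.100.7', $t0);
lockdown_record_failure($store, '198.51.100.7', $t0 + 60);
var_dump(lockdown_is_locked($store, '198.51.100.8', $t0 + 61));        // false: only 2 failures so far
var_dump(lockdown_record_failure($store, '198.51.100.8', $t0 + 120));  // true: 3rd failure in the window, same /24
var_dump(lockdown_is_locked($store, '198.51.100.7', $t0 + 3000));      // true: still within the hour
var_dump(lockdown_is_locked($store, '198.51.100.7', $t0 + 120 + LOCKDOWN_DURATION + 1)); // false: expired

// WordPress wiring (assumed; core hooks, transients for persistence).
if (function_exists('add_action')) {
    $load = fn() => get_transient('lockdown_store') ?: ['failures' => [], 'locked' => []];
    add_action('wp_login_failed', function () use ($load) {
        $store = $load();
        lockdown_record_failure($store, $_SERVER['REMOTE_ADDR'], time());
        set_transient('lockdown_store', $store, LOCKDOWN_DURATION);
    });
    // Priority 30: after core's own username/password check (priority 20), so the
    // WP_Error is not overwritten by a later successful authentication.
    add_filter('authenticate', function ($user) use ($load) {
        $store = $load();
        return lockdown_is_locked($store, $_SERVER['REMOTE_ADDR'], time())
            ? new WP_Error('locked_out', 'Too many failed logins from your network. Try again later.')
            : $user;
    }, 30, 3);
}
```

Two practical caveats: locking a whole /24 range also locks out everyone sharing that network with the attacker (office NAT, mobile carrier), so keep the manual release handy; and when the site sits behind a proxy, `REMOTE_ADDR` is the proxy's address and the check must use the address the trusted proxy forwards instead.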


Safer Cookies

When you log in to your blog, WordPress creates a session cookie that is used for authentication. If someone were to steal the cookie, they would be able to use it to get full access to your blog without having to know your password. This plugin prevents that: it makes the cookie specific to your IP address, so it won’t be usable from a different computer.


Safer Cookies ties the WP session cookie to your IP address so that it cannot be used to access your blog from another computer. It is advisable to use this plugin if you have a static IP. If you have a dynamic IP address you will get logged out frequently.
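To make the idea concrete, here is an added example (not the Safer Cookies plugin's code, and a simplification rather than a copy of WordPress's real auth-cookie format): the cookie carries the user name and expiry, and its HMAC also covers the client's IP address, so a copied cookie fails validation when presented from another address. The key, user and addresses are constructed for the demo.

```php
<?php
// Added example (not the Safer Cookies plugin's code, and a simplification of
// WordPress's real auth cookie): an authentication cookie whose signature
// covers the client IP, so a copied cookie fails validation from another
// address. Key, user and addresses are constructed for the demo.

const COOKIE_KEY = 'constructed-demo-secret-change-me';

/** Build "user|expires|hmac" where the HMAC also covers the client IP. */
function cookie_issue(string $user, int $expires, string $client_ip): string {
    $payload = $user . '|' . $expires;
    $mac = hash_hmac('sha256', $payload . '|' . $client_ip, COOKIE_KEY);
    return $payload . '|' . $mac;
}

/** Return the user name if the cookie is intact, unexpired and presented from the same IP, else null. */
function cookie_validate(string $cookie, string $client_ip, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) return null;
    [$user, $expires, $mac] = $parts;
    if (!ctype_digit($expires) || (int) $expires < $now) return null;
    $expected = hash_hmac('sha256', $user . '|' . $expires . '|' . $client_ip, COOKIE_KEY);
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hash_equals($expected, $mac) ? $user : null;
}

$now = 1700000000;
$cookie = cookie_issue('admin', $now + 3600, '203.0.113.10');
var_dump(cookie_validate($cookie, '203.0.113.10', $now));        // string(5) "admin": same address
var_dump(cookie_validate($cookie, '198.51.100.7', $now));        // NULL: stolen cookie replayed from elsewhere
var_dump(cookie_validate($cookie, '203.0.113.10', $now + 7200)); // NULL: expired
```

The second `var_dump` is the whole point of the plugin, and the third line of the author's warning follows from the same check: as soon as your address changes (dynamic IP, switching from Wi-Fi to mobile), the MAC no longer matches and you are logged out. Users behind a large NAT share one address, so the binding does not protect them from each other.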


Admin SSL

This plugin secures your WordPress login page, admin area, posts and pages, and encrypts cookie content using Private or Shared SSL. Admin SSL works with both Private and Shared SSL.

With Admin SSL you can-

  • Force SSL on all pages where passwords can be entered.
  • Install on WordPress MU to force SSL across all blogs (only works if you have a Private SSL certificate installed) from WPMU 1.3 upwards.
  • Secure additional custom URLs (e.g. wp-admin/) through the config page.
  • Choose where you want the Admin SSL config page to appear.

Semisecure Login

Semisecure Login increases the security of the login process by hashing the password with MD5 on the client side when a user logs in. JavaScript is required for this to work. Whenever a user attempts to log in via the WordPress login page with JavaScript enabled, the password is MD5-hashed together with a nonce, and the original (plaintext) password is not sent. The server compares the received value with the expected value. If JavaScript is not enabled, the password is sent in clear text just like normal. This is inherently insecure over plaintext channels, but it is the default behavior of WordPress.


WordPress File Monitor

This plugin acts as a detective for your blog and monitors the files under your WordPress installation for changes. Whenever a file changes you will be notified via email. This is very useful for identifying whether your site has been hacked with an iFrame virus, which generally adds malicious code to PHP files. The plugin monitors the file system for added, deleted and changed files and can detect changes based on either file hash or timestamp. It can be configured to exclude directories from the scan (for instance if you use a caching system that stores its files within the monitored zone).


Chap Secure Login

This is one of the more robust WordPress security plugins for not exposing your password during login over an insecure channel (without SSL). Whenever you log in to your website, this plugin transmits a hashed form of your password rather than the plaintext: the password is combined with a random number generated for the session and transformed with the MD5 algorithm.
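Semisecure Login (above) and Chap Secure Login describe the same nonce-and-MD5 exchange, so here is one added example (not either plugin's code) showing both sides of it. The exact formula the plugins use is not given on the page; this demo assumes the server stores `md5(password)`, as very old WordPress releases did, and that the client sends `md5(nonce . md5(password))`. The user, password and nonce handling are constructed.

```php
<?php
// Added example (not Semisecure Login's or Chap Secure Login's code): the
// nonce-and-MD5 exchange both plugins describe, shown from both sides. The
// exact formula the plugins use is not on the page; this demo assumes the
// server stores md5(password), as very old WordPress releases did, and the
// client sends md5(nonce . md5(password)). User, password and nonce are constructed.

/** Server side, step 1: issue a fresh random nonce and remember it for this login attempt. */
function server_issue_nonce(array &$session): string {
    $session['nonce'] = bin2hex(random_bytes(16));
    return $session['nonce'];
}

/** Client side (JavaScript in the browser in the real plugins): hash instead of sending the password. */
function client_response(string $nonce, string $password): string {
    return md5($nonce . md5($password));
}

/** Server side, step 2: recompute from the stored hash and compare; the nonce is single-use. */
function server_verify(array &$session, array $user_db, string $user, string $response): bool {
    if (!isset($session['nonce'], $user_db[$user])) return false;
    $expected = md5($session['nonce'] . $user_db[$user]);
    unset($session['nonce']);   // a replayed response must not verify twice
    return hash_equals($expected, $response);
}

// Constructed stand-in for the user table: stores md5(password), never the password.
$user_db = ['alice' => md5('correct horse battery')];
$session = [];

$nonce = server_issue_nonce($session);
$resp  = client_response($nonce, 'correct horse battery');
var_dump(server_verify($session, $user_db, 'alice', $resp));   // true
var_dump(server_verify($session, $user_db, 'alice', $resp));   // false: nonce already consumed, replay rejected

$nonce = server_issue_nonce($session);
var_dump(server_verify($session, $user_db, 'alice', client_response($nonce, 'wrong')));   // false
```

What the exchange buys you is limited, and the example makes the limits visible: a passive observer of one login does not learn the password, and the single-use nonce stops a straight replay, but the stored `md5(password)` is itself enough to answer the challenge, and an attacker who can modify the unencrypted login page can simply remove the JavaScript and collect the plaintext fallback the author mentions. Both problems are what SSL on the login page (the Admin SSL and Force SSL entries below) is for.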



NoSpamNX

WordPress blogs are commonly attacked by automated spambots that fill the comment area with junk. This plugin adds extra form fields to your comment form that are invisible to users. If a spambot fills these fields blindly (which 99.9% of spambots do), the comment will not be saved. You can then block these spambots, mark them as spam or put them in the moderation queue. The IP address of such spambots can be blocked for 1 hour, 24 hours or indefinitely.



wp-dephorm

wp-dephorm protects your users from the prying eyes of Phorm. This is achieved by setting a cookie that opts out of Phorm’s information mining. Your blog’s visitors will not have their information stored and used in marketing campaigns while viewing your site. The idea is based on a system devised by Dephormation.


WordPress Database Backup

Taking a backup of the database is always advisable. WordPress Database Backup creates backups of your core WordPress tables as well as other tables of your choice in the same database.



WP-DBManager

This is one of the most widely used plugins for optimizing, repairing, backing up and restoring the database, deleting backups, dropping or emptying tables and running selected queries. WP-DBManager also supports automatic scheduling of database backups and optimization.


Invisible Defender

This plugin is similar to NoSpamNX and protects the registration, login and comment forms from spambots by adding two extra fields hidden by CSS. The first field (which must stay empty) will be filled in by generic spambots, and the second one will not be filled in by spambots that target WordPress only. With these two simple checks probably all spambots can be detected, so WordPress can return a “403 Forbidden” error for them.
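NoSpamNX and Invisible Defender both rely on the two hidden-field checks just described, so here is one added example (not either plugin's code) that implements them: field one must come back empty (a generic bot fills every input it sees), field two must come back with the value the rendered form carried (a bot that posts only WordPress's standard comment fields without reading the form omits it). The field names, the token and the sample submissions are constructed; the WordPress wiring at the end, on the `comment_form` and `pre_comment_on_post` hooks, is an assumption about how one would attach it.

```php
<?php
// Added example (not NoSpamNX's or Invisible Defender's code): the two-field
// honeypot both plugins describe. Field 1 must stay empty (generic bots fill
// every field); field 2 must carry the expected value, which a browser submits
// from the rendered form and a WordPress-specific bot that ignores the markup
// does not. Field names and the sample submissions are constructed.

const HP_EMPTY_FIELD = 'website_url_confirm';   // decoy: looks like a real field to a bot
const HP_TOKEN_FIELD = 'form_token';
const HP_TOKEN_VALUE = 'c0nstructed-token';     // in practice derive a per-site value, e.g. with wp_hash()

/** Returns the reason a submission looks automated, or null for a human. */
function honeypot_reason(array $post): ?string {
    if (($post[HP_EMPTY_FIELD] ?? '') !== '') {
        return 'decoy field was filled in';
    }
    if (($post[HP_TOKEN_FIELD] ?? '') !== HP_TOKEN_VALUE) {
        return 'expected token missing or wrong';
    }
    return null;
}

/** Markup added to the form; the wrapper is hidden by CSS, so users never see or touch it. */
function honeypot_fields(): string {
    return sprintf(
        '<p style="display:none"><input type="text" name="%s" value="" autocomplete="off">'
        . '<input type="hidden" name="%s" value="%s"></p>',
        HP_EMPTY_FIELD, HP_TOKEN_FIELD, HP_TOKEN_VALUE
    );
}

// Constructed submissions.
$submissions = [
    'human'           => ['comment' => 'Nice post', HP_EMPTY_FIELD => '', HP_TOKEN_FIELD => HP_TOKEN_VALUE],
    'generic bot'     => ['comment' => 'buy now', HP_EMPTY_FIELD => 'http://example.invalid', HP_TOKEN_FIELD => HP_TOKEN_VALUE],
    'wp-targeted bot' => ['comment' => 'buy now', 'author' => 'x'],   // posts only the fields WordPress expects
];
foreach ($submissions as $who => $post) {
    printf("%-16s %s\n", $who, honeypot_reason($post) ?? 'accepted');
}

// WordPress wiring (assumed): render the fields inside the comment form and
// reject bots with a 403 before the comment is saved.
if (function_exists('add_action')) {
    add_action('comment_form', function () { echo honeypot_fields(); });
    add_action('pre_comment_on_post', function () {
        if (honeypot_reason($_POST) !== null) {
            wp_die('Forbidden', 'Forbidden', 403);
        }
    });
}
```

One accessibility point worth keeping in mind: hide the decoy with CSS (as the plugins do), not with `type="hidden"`, so a bot sees a fillable text input, and give it a label only screen-reader users would see if your theme renders the wrapper at all; otherwise browser autofill or an assistive tool can fill the decoy and a real visitor gets the 403.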



WP Hashcash

If you receive spam comments every day, this plugin will help you block spam comments containing junk characters. WP Hashcash is an anti-spam plugin that eradicates comment spam on WordPress blogs. It also prevents most trackback/pingback spam, keeping your site user friendly.


TTC WordPress Tripwire Tool

This is not a very useful security plugin on its own, as it only provides a list of all files changed on your WordPress site in the last 1 to 99 days. You choose how many days back in time you wish to go and it lists all files changed in that time frame.
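WordPress File Monitor (above) and the Tripwire Tool answer the same question in two ways, hash comparison against a baseline versus a timestamp listing, so here is one added example (not either plugin's code) doing both: a snapshot records the SHA-256 hash and modification time of every file under the install, a later snapshot is diffed against it to report added, deleted and changed files, and a "changed in the last N days" listing uses the timestamps the way the tripwire tool does. The excluded cache directory and the demo tree written to a temporary directory are constructed.

```php
<?php
// Added example (not WordPress File Monitor's or the TTC Tripwire Tool's code):
// a baseline-and-compare integrity check. A baseline records the hash and
// mtime of every file under the install; a later scan reports added, deleted
// and changed files (by hash), and a "changed in the last N days" listing uses
// the mtime the way the tripwire tool does. Exclusions and the demo tree are constructed.

const MONITOR_EXCLUDE = ['wp-content/cache'];   // e.g. a caching plugin's output

/** Walk $root and return [relative path => ['hash' => sha256, 'mtime' => unix time]]. */
function monitor_snapshot(string $root): array {
    $snap = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) continue;
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/\\');
        $rel = str_replace('\\', '/', $rel);
        foreach (MONITOR_EXCLUDE as $ex) {
            if (strpos($rel, $ex . '/') === 0) continue 2;   // skip excluded subtree
        }
        $snap[$rel] = ['hash' => hash_file('sha256', $file->getPathname()), 'mtime' => $file->getMTime()];
    }
    ksort($snap);
    return $snap;
}

/** Compare two snapshots: added, deleted, and changed (hash differs) paths. */
function monitor_diff(array $baseline, array $current): array {
    $added   = array_keys(array_diff_key($current, $baseline));
    $deleted = array_keys(array_diff_key($baseline, $current));
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $path => $info) {
        if ($info['hash'] !== $baseline[$path]['hash']) $changed[] = $path;
    }
    return ['added' => $added, 'deleted' => $deleted, 'changed' => $changed];
}

/** Tripwire-style listing: files whose mtime falls within the last $days days. */
function monitor_recent(array $snap, int $days, int $now): array {
    $cutoff = $now - $days * 86400;
    return array_keys(array_filter($snap, fn($info) => $info['mtime'] >= $cutoff));
}

// Constructed demo tree in a temporary directory.
$root = sys_get_temp_dir() . '/wpmon_' . bin2hex(random_bytes(4));
$tree = [
    'index.php'                         => "<?php // front controller\n",
    'wp-content/themes/demo/footer.php' => "<?php wp_footer();\n",
    'wp-content/cache/page.html'        => "cached\n",
];
foreach ($tree as $rel => $body) {
    @mkdir(dirname("$root/$rel"), 0700, true);
    file_put_contents("$root/$rel", $body);
}
$baseline = monitor_snapshot($root);   // in real use, store this outside the web root

// Simulate an injection, a dropped file and a deletion, then rescan.
file_put_contents("$root/wp-content/themes/demo/footer.php", "<?php wp_footer(); /* injected */\n");
file_put_contents("$root/wp-content/uploads.php", "<?php // unexpected new file\n");
unlink("$root/index.php");
$diff = monitor_diff($baseline, monitor_snapshot($root));
print_r($diff);   // added: wp-content/uploads.php; deleted: index.php; changed: wp-content/themes/demo/footer.php
print_r(monitor_recent(monitor_snapshot($root), 1, time()));   // everything written just now; cache dir excluded
```

The difference between the two methods is the one the File Monitor author hints at: a modification time is trivially reset with `touch`, so a timestamp listing can miss a carefully planted file, while a hash mismatch cannot be hidden without also replacing the baseline. Keep the baseline (and the notification mail) somewhere an attacker on the web server cannot edit.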



This plugin prevents possible attacks on your WordPress blog by monitoring each request to it and, based on conditions you define in the options pane, interrupting the attacker’s action and logging it.



WP-Adminprotection

WP-Adminprotection secures the backend of your WordPress blog with an IP blocker. You can add as many IPs as you want; each of them is allowed to log in, and the rest have no access to the WP backend. It is advisable to use this plugin if you have a static IP.
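An added example (not WP-Adminprotection's code) of the backend allowlist, with the one check a practitioner would insist on: only `REMOTE_ADDR` is consulted, because a client can put anything into `X-Forwarded-For`. The allowed addresses are constructed, and the WordPress wiring at the end, on `admin_init` and `login_init`, is an assumption about how one would attach it.

```php
<?php
// Added example (not WP-Adminprotection's code): an IP allowlist for the
// WordPress backend. The check itself is a plain function; the hook wiring
// at the end is an assumption about how one would attach it. Addresses are constructed.

const ADMIN_ALLOWED_IPS = ['203.0.113.10', '203.0.113.11'];

/**
 * Decide whether a backend request may proceed. Only REMOTE_ADDR is trusted:
 * X-Forwarded-For is client-controlled unless a trusted proxy rewrites it, so it
 * is ignored here on purpose. Sites behind such a proxy must resolve the real
 * client address from the proxy's header first and pass that in.
 */
function admin_ip_allowed(string $remote_addr, array $allowed = ADMIN_ALLOWED_IPS): bool {
    $ip = filter_var($remote_addr, FILTER_VALIDATE_IP);
    return $ip !== false && in_array($ip, $allowed, true);
}

var_dump(admin_ip_allowed('203.0.113.10'));                 // true
var_dump(admin_ip_allowed('198.51.100.7'));                 // false
var_dump(admin_ip_allowed('203.0.113.10, 198.51.100.1'));   // false: a forwarded-for style list is not one valid IP

// WordPress wiring (assumed): block wp-admin and wp-login.php for everyone else,
// but leave admin-ajax.php alone because front-end features rely on it.
if (function_exists('add_action')) {
    $guard = function () {
        if (defined('DOING_AJAX') && DOING_AJAX) return;
        if (!admin_ip_allowed($_SERVER['REMOTE_ADDR'] ?? '')) {
            wp_die('Forbidden', 'Forbidden', 403);
        }
    };
    add_action('admin_init', $guard);
    add_action('login_init', $guard);
}
```

As the author notes, this only works well from a static address; with a dynamic one you lock yourself out, so keep a way to edit the list over SFTP rather than through the dashboard.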


Force SSL

To use this plugin you must have a web server with a proper SSL certificate. Force SSL redirects requests for pages from http to https, so nobody will be able to access the content over an insecure http connection. Nobody can simply remove the “s” from “https” and get the content outside of a secure SSL connection.
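Admin SSL (above) and Force SSL both come down to one decision, "is this request already on https, and if not, where do I send it", so here is one added example (not either plugin's code) of that decision and the redirect. The decision is a pure function so it can be exercised with constructed requests; the `FORCE_SSL_ADMIN` constant is WordPress core's own switch for the login page and admin area, and the `init` hook wiring and use of `home_url()` for the target host are assumptions about the integration.

```php
<?php
// Added example (not Admin SSL's or Force SSL's code): redirecting plain-http
// requests to https, plus the core constant that covers the login/admin case.
// The redirect decision is a pure function so it can be tested; the hook
// wiring and the constant are assumptions about the WordPress integration.

/**
 * Return the https URL to redirect to, or null if the request is already secure.
 * Behind a TLS-terminating proxy, HTTPS is detected from X-Forwarded-Proto, but
 * only when the proxy is trusted; otherwise any client could claim to be secure
 * and skip the redirect.
 */
function ssl_redirect_target(array $server, string $canonical_host, bool $trust_proxy_header = false): ?string {
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    if ($trust_proxy_header && ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        $https = true;
    }
    if ($https) return null;
    // Build the target from the configured host, not the Host header, so a crafted
    // Host header cannot turn this into an open redirect.
    return 'https://' . $canonical_host . ($server['REQUEST_URI'] ?? '/');
}

// Constructed requests against a constructed host name.
$host = 'blog.example';
var_dump(ssl_redirect_target(['HTTPS' => 'on', 'REQUEST_URI' => '/wp-login.php'], $host));            // NULL: already secure
var_dump(ssl_redirect_target(['HTTPS' => '', 'REQUEST_URI' => '/?p=1'], $host));                      // "https://blog.example/?p=1"
var_dump(ssl_redirect_target(['HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/'], $host));       // redirect: header not trusted
var_dump(ssl_redirect_target(['HTTP_X_FORWARDED_PROTO' => 'https', 'REQUEST_URI' => '/'], $host, true)); // NULL: trusted proxy

// WordPress wiring (assumed). In wp-config.php, core's own switch for the
// login page and admin area:
//     define('FORCE_SSL_ADMIN', true);
// and, for every other page, a permanent redirect before any output is sent:
if (function_exists('add_action')) {
    add_action('init', function () {
        $target = ssl_redirect_target($_SERVER, parse_url(home_url(), PHP_URL_HOST));
        if ($target !== null) {
            wp_redirect($target, 301);
            exit;
        }
    });
}
```

The redirect only helps on the second request; the first, plain-http request (and the cookie the browser attaches to it) has already crossed the wire. Sending a `Strict-Transport-Security` header on the https responses tells browsers to stop trying http at all, which is what finally closes the "remove the s" case the author describes.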


