How to Secure WordPress Part 2 – The Plugins
In Part 1 of this series we took a look at how you can better secure your WordPress files during, and after, the installation of the software. But once you have the files hardened against different threats, it is time to start looking at some of the different plug-ins available that can help you further protect and secure your WordPress site.
WordPress Firewall 2
Having worked with a company that deals with web application firewalls, I can tell you from firsthand experience that these are among the best security tools you can use to protect against vulnerabilities in web applications, such as SQL injection, cross-site scripting and PHP injection.
Ideally, this should be the first plug-in you activate on your WordPress site because not only will it protect WordPress against directory traversal attacks, SQL injections, remote code injection and executable file uploads, but it will also help stop any of these attacks from being launched against most other plug-ins.
AskApache Password Protect
Many attacks nowadays are automated using robots that exploit known security holes in web applications like WordPress. The robots are programmed to seek out vulnerable websites and launch their specific attack, continuously scouring the Internet for new targets. When they come across a 403 Forbidden status they move on to the next available target because they know their exploit will not work there. To achieve this, a .htpasswd file with a username and password needs to be created to protect your wp-admin, wp-includes, wp-content, plugins, etc. from these bots.
The AskApache Password Protect plug-in creates this file for you and encrypts the password. It also offers you the flexibility of managing security modules right from the WordPress Admin Panel.
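What the plug-in generates can also be built by hand, which makes it easier to see what is being protected. The script below is an added example and not the AskApache plug-in's own code; it assumes Apache 2.4 with mod_auth_basic and an `openssl` binary to produce the APR1-MD5 hash that Apache accepts. Paths and credentials are constructed for the demonstration, and the .htpasswd location is an assumption: keep it outside the document root.

```shell
#!/bin/sh
# Added example (not the AskApache plug-in's code): create the .htpasswd file and
# the .htaccess that protects wp-admin with HTTP Basic authentication.
# Assumes Apache 2.4 (mod_auth_basic) and `openssl` for the APR1-MD5 hash.

# create_htpasswd FILE USER PASSWORD: add or replace USER's entry in FILE.
create_htpasswd() {
    apr_hash=$(printf '%s\n' "$3" | openssl passwd -apr1 -stdin)
    if [ -f "$1" ]; then
        grep -v "^$2:" "$1" > "$1.tmp" || true   # grep exits 1 when nothing is left
        mv "$1.tmp" "$1"
    fi
    printf '%s:%s\n' "$2" "$apr_hash" >> "$1"
    chmod 640 "$1"                               # web server group may read, nobody else
}

# verify_htpasswd FILE USER PASSWORD: exit 0 if PASSWORD matches USER's entry.
# Re-hashes with the stored salt (field 3 of $apr1$salt$digest) and compares,
# which is the check Apache performs on every request to the protected path.
verify_htpasswd() {
    stored=$(grep "^$2:" "$1" | cut -d: -f2)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    fresh=$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$fresh" = "$stored" ]
}

# write_htaccess WP_ADMIN_DIR HTPASSWD_PATH: require a login for everything in
# wp-admin except admin-ajax.php, which themes and plug-ins call for anonymous
# visitors (the usual thing that breaks when wp-admin is password-protected).
write_htaccess() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress administration"
AuthUserFile $2
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Stand-alone demo with constructed credentials in a scratch directory.
demo=$(mktemp -d)
create_htpasswd "$demo/wp.htpasswd" admin 'correct horse battery staple'
write_htaccess "$demo" "$demo/wp.htpasswd"
if verify_htpasswd "$demo/wp.htpasswd" admin 'correct horse battery staple'; then
    echo "password check: ok"
fi
rm -rf "$demo"
```

In production the `AuthUserFile` path points at a file the web server can read but that is not served (for example under /etc/apache2/), and the `.htaccess` goes into the real wp-admin directory; the `<Files admin-ajax.php>` exception is what keeps front-end AJAX features working for logged-out visitors.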
WP Security Scan
A security audit can easily cost over $40,000: professionals run automated scans against your website looking for vulnerabilities and then test each piece of exploitable code that is found by hand. Most web developers don’t have an extra forty grand lying around to spend on a security audit.
Luckily, the WP Security Scan plug-in can help them find possible vulnerabilities that exist in:
- File permissions
- Database security
- WordPress admin
This plug-in also removes the WP Generator META tag and hides the version of your WordPress software¹.
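The file-permission part of such a scan is simple enough to reproduce by hand, which also shows what "bad" looks like. The script below is an added example, not WP Security Scan's own code; it assumes the common WordPress baseline (directories 755, files 644, wp-config.php 640) and builds a constructed sample tree with three deliberate problems to audit and then fix.

```shell
#!/bin/sh
# Added example (not WP Security Scan's code): audit a WordPress tree against a
# file-permission baseline, then apply the baseline. Assumes GNU find.

# audit_wp_perms ROOT: print one finding per line. Three checks:
#   - anything writable by "other" can be modified by any local account
#   - wp-config.php readable by "other" exposes the database credentials
#   - a PHP file with an execute bit is never needed and suggests tampering
audit_wp_perms() {
    find "$1" \( -type f -o -type d \) -perm /o+w | sed 's/^/world-writable: /'
    find "$1" -type f -name wp-config.php -perm /o+r | sed 's/^/wp-config.php readable by other: /'
    find "$1" -type f -name '*.php' -perm /a+x | sed 's/^/executable PHP file: /'
}

# count_findings ROOT: number of findings (0 means the tree passes).
count_findings() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# fix_wp_perms ROOT: apply the baseline. Run as the owner of the files.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# make_sample_tree DIR: a constructed WordPress-like tree with three deliberate
# problems and one clean file, used only to exercise the audit.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-admin"
    chmod 755 "$1" "$1/wp-content" "$1/wp-admin"
    chmod 777 "$1/wp-content/uploads"                          # problem: world-writable
    printf '<?php // constructed sample\n' > "$1/wp-config.php"
    chmod 644 "$1/wp-config.php"                               # problem: readable by other
    printf '<?php // constructed sample\n' > "$1/wp-admin/admin.php"
    chmod 755 "$1/wp-admin/admin.php"                          # problem: executable PHP
    printf '<?php // constructed sample\n' > "$1/index.php"
    chmod 644 "$1/index.php"                                   # clean
}

# Stand-alone demo on the constructed tree (removed afterwards).
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "before: $(count_findings "$demo") finding(s)"
audit_wp_perms "$demo"
fix_wp_perms "$demo"
echo "after:  $(count_findings "$demo") finding(s)"
rm -rf "$demo"
```

Pointed at a real installation, `audit_wp_perms /var/www/wordpress` lists the offending paths; `fix_wp_perms` is deliberately blunt (it resets every file and directory), so review the findings first if the host uses a different ownership model.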
BackUp WordPress
This post isn’t just about keeping the bad guys out but also about protecting what you have. That’s why I included this plug-in.
BackUp WordPress will back up everything on your WordPress site, protecting all of your files and the database, using either a zip file or mysqldump. By default the backup runs once a day and keeps the last 10 days of files in the wp-content/backups directory. You also have the option to instruct the plug-in to send the backup files to you via email for more secure storage.
While this plug-in is extremely simple to configure and use, it also has plenty of options for more advanced users as well.
One thing to note – regularly test your backups by restoring your files on a test server or dummy WordPress installation. There is nothing worse than having to restore data only to find out that the backups were not configured properly.
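The restore test can be scripted so it runs every time a backup is taken rather than only when something has already gone wrong. The script below is an added example, not the BackUp WordPress plug-in's code: it archives a directory, records a checksum beside the archive, and then restores into a scratch directory and compares tree-for-tree. It uses tar.gz rather than zip purely because tar is more likely to be installed, assumes `sha256sum` (falling back to `openssl`), and the `dump_db` helper assumes `mysqldump` reads its credentials from ~/.my.cnf.

```shell
#!/bin/sh
# Added example (not the BackUp WordPress plug-in's code): file backup with a
# recorded checksum, plus the restore test the post recommends.
# Assumes tar, gzip and sha256sum (or openssl as a fallback).

# digest FILE: hex SHA-256 of FILE.
digest() {
    if command -v sha256sum > /dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# backup_files SRC_DIR ARCHIVE: archive SRC_DIR and record its checksum beside
# it, so silent corruption of the stored copy can be detected later.
backup_files() {
    tar -czf "$2" -C "$(dirname "$1")" "$(basename "$1")"
    digest "$2" > "$2.sha256"
    chmod 600 "$2" "$2.sha256"   # backups contain wp-config.php and the database
}

# verify_backup ARCHIVE SRC_DIR: the "restore on a test server" step, done
# locally. Returns 0 only if the archive is intact and restores to a tree
# identical to SRC_DIR; corruption or any difference returns 1.
verify_backup() {
    [ "$(digest "$1")" = "$(cat "$1.sha256")" ] || { echo "checksum mismatch: $1"; return 1; }
    scratch=$(mktemp -d)
    if tar -xzf "$1" -C "$scratch" 2>/dev/null \
       && diff -r "$2" "$scratch/$(basename "$2")" > /dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    echo "restore differs from source: $1"
    return 1
}

# dump_db DBNAME OUT: the database half. Credentials come from ~/.my.cnf rather
# than the command line, so they never appear in the process list.
dump_db() {
    mysqldump --single-transaction --quick "$1" > "$2" && chmod 600 "$2"
}

# Stand-alone demo on a constructed site directory (removed afterwards).
demo=$(mktemp -d)
mkdir -p "$demo/site/wp-content/uploads"
printf '<?php // constructed sample\n' > "$demo/site/wp-config.php"
printf 'constructed upload\n' > "$demo/site/wp-content/uploads/a.txt"
backup_files "$demo/site" "$demo/site.tar.gz"
if verify_backup "$demo/site.tar.gz" "$demo/site"; then
    echo "backup verified"
fi
rm -rf "$demo"
```

The checksum beside the archive catches disk or transfer corruption, not deliberate tampering: anyone who can rewrite the archive in wp-content/backups can rewrite the .sha256 file too, which is one more reason to keep a copy of each backup somewhere the web server cannot write.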
Secure WordPress
From the makers of the WP Security Scan plug-in comes the last of our essential security add-ons for any site running WordPress.
Secure WordPress removes all of the extra information and services that can give a human attacker too much useful information about your site and the software you are running. Some of the things that this plug-in disables are:
- The error-information provided at the login page
- The WordPress version¹ on the frontend and in the dashboard for non-admins
- Really Simple Discovery
- Windows Live Writer capabilities
- Any reference to the version on URLs from scripts and stylesheets in the frontend
- Plug-in and theme update information to non-admins
There are many other plug-ins that can be used in addition to, or in place of, the ones mentioned here. Just remember that with any plug-in, make sure you trust the developer. You could be installing something that promises to be the panacea of blog protection only to later find out it was nothing more than malware designed to open your site to attack.
¹ Removing the current version of WordPress from your site is a security tactic that is the cause of some really interesting debate. The theory behind it is that it makes it harder for a human attacker to know what vulnerabilities exist on your site. In theory this makes sense, but security through obscurity should not be the only line of defense.
Additionally, you should be running the most recent version of WordPress on your blog to ensure that vital security patches are in place so it should be rather easy for an attacker to guess what version you are running.