WordPress Security IV

Welcome to the exciting 4th installment of my ever expanding 3 part WordPress Security Tutorial. In this lesson you will be relieved to find that we are not going to discuss simplistic notions about why complex passwords are a good idea, or esoteric server file architecture and access permissions, neither of which has that much to do with WordPress itself. No, this lesson is going to be great: just the really cool WordPress security plugins you probably were expecting in the first post. One caveat though: if you didn’t read those posts and your passwords are not secure, or your computer still has that nasty little keylogger reporting everything you type to a botnet, then none of these excellent WordPress security plugins will do any good.

OK, the sad truth is that no matter what you do to ensure your site never gets hacked or corrupted, sooner or later it will be. So the very first thing you have to do is prepare for the inevitable by having a backup plan. If you read the first article in this series, you should recall that I recommended you choose a good quality host with “REGULAR BACKUPS”, so that should anything go askew you can recover both your site files and your data. Unfortunately, some of you may not have that option, e.g. you’re managing a site where you don’t have control over the hosting provider (not a great situation, but hey, it happens). For you, there is a plugin solution for WordPress backups. These may cost more and be less elegant in some ways than a server based one, but they work.

BackUp Plugins

VaultPress – Best of the Bunch. Costs $$$

Pros : It sends you alerts, scans your site (including files that arrived over FTP rather than through WordPress), and offers “concierge” service.
Cons : It costs money…

BlogVault

Pros : It’s cheaper than VaultPress.
Cons : It costs money, and it’s not as good as VaultPress.

BackWPup – Best of the Free Solutions

Pros : It doesn’t cost money, and it backs up your site to multiple external locations (AWS, Google Drive, etc.).
Cons : It doesn’t scan your site or have “concierge” service.

Backup

Pros : Popular, Simplest Name, & It doesn’t cost money…
Cons : It backs up to Google Drive and locally, but not much else.

WP-DB-Backup – Don’t Bother

Pros : There really aren’t any.
Cons : It does what it says, but it only backs up the database. Seriously, if you’re not backing up your files as well as your database, what is the point? Your themes, plugins, uploads and wp-config.php live in the filesystem, and a database dump alone will not get a site back. I can understand occasionally optimizing the database, but anything that purports to be a backup solution and doesn’t store a copy of both the site files and the database in an external location (a backup that lives on the same server disappears with the server) ain’t worth the time it takes to install.

In conclusion, there are many different backup solutions out there, but my initial recommendation still stands: any professional hosting company worth its salt will include daily, weekly, and monthly backups of both your site files and your database. Whichever route you take, restore a backup to a test copy of the site at least once; a backup you have never restored is a hope, not a plan.
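To make concrete what “files and database, stored somewhere else” means, here is an added example of a minimal backup script. It is not the code of any plugin mentioned above. It reads the DB_* constants from wp-config.php, runs mysqldump with the password passed through the environment rather than the command line, tars the whole install (skipping the regenerable cache directory, a choice made for this example), and writes a SHA-256 manifest so the off-site copy can be verified. The sample wp-config.php fragment is constructed for the demo; copying the three resulting files off the server (scp, rclone, S3, whatever you use) is the step the script deliberately leaves to you.

```python
# Added example: file + database backup for a WordPress install (not a plugin from the article).
import hashlib
import os
import re
import subprocess
import tarfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed wp-config.php fragment used for the demo; a real site's file is longer.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_example' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'DB_HOST', 'localhost:3306' );
$table_prefix = 'wp_';
"""

_DEFINE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Read the DB_* constants so the dump uses exactly the credentials WordPress uses."""
    creds = dict(_DEFINE.findall(text))
    missing = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"} - creds.keys()
    if missing:
        raise ValueError("wp-config.php is missing " + ", ".join(sorted(missing)))
    return creds


def mysqldump_command(creds, out_file):
    """argv for mysqldump. --single-transaction takes a consistent InnoDB snapshot without
    locking tables, so the site stays up while the dump runs. The password is deliberately
    NOT in argv (it would show up in `ps`); run_backup passes it via MYSQL_PWD instead."""
    host, _, extra = creds["DB_HOST"].partition(":")   # WordPress allows host:port or host:/socket
    cmd = ["mysqldump", "--single-transaction", "--quick", "--add-drop-table", "-h", host]
    if extra.startswith("/"):
        cmd += ["--socket", extra]
    elif extra:
        cmd += ["-P", extra]
    cmd += ["-u", creds["DB_USER"], "--result-file=" + str(out_file), creds["DB_NAME"]]
    return cmd


def archive_site(wp_root, archive_path, skip_dirs=("wp-content/cache",)):
    """Tar the whole install (core, themes, plugins, uploads), skipping regenerable cache dirs.
    Returns the archived file paths relative to wp_root so a caller can sanity-check the result."""
    wp_root = Path(wp_root)
    members = []

    def keep(info):
        rel = info.name.split("/", 1)[1] if "/" in info.name else ""
        if any(rel == s or rel.startswith(s + "/") for s in skip_dirs):
            return None                      # excluded, and tarfile does not descend into it
        if info.isfile():
            members.append(rel)
        return info

    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(wp_root, arcname=wp_root.name, filter=keep)
    return sorted(members)


def sha256_file(path):
    """Checksum so the off-site copy can be verified before you ever need to restore it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def run_backup(wp_root, dest_dir):
    """Dump the database, archive the files, write a checksum manifest next to them."""
    wp_root, dest_dir = Path(wp_root), Path(dest_dir)
    if wp_root.resolve() in dest_dir.resolve().parents:
        raise ValueError("keep the backup directory outside the WordPress root")
    dest_dir.mkdir(parents=True, exist_ok=True)
    creds = parse_wp_config((wp_root / "wp-config.php").read_text())
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dump = dest_dir / f"db-{stamp}.sql"
    archive = dest_dir / f"files-{stamp}.tar.gz"
    subprocess.run(mysqldump_command(creds, dump), check=True,
                   env={**os.environ, "MYSQL_PWD": creds["DB_PASSWORD"]})
    archive_site(wp_root, archive)
    manifest = dest_dir / f"SHA256SUMS-{stamp}"
    manifest.write_text("".join(f"{sha256_file(p)}  {p.name}\n" for p in (dump, archive)))
    return dump, archive, manifest   # now copy all three somewhere that is not this server


if __name__ == "__main__":
    import sys
    print(*run_backup(sys.argv[1], sys.argv[2]), sep="\n")
```

Run it as `python backup.py /var/www/html /var/backups/wp` from cron, then ship the directory off the box. The `--single-transaction` flag only gives a consistent snapshot for InnoDB tables; if you still have MyISAM tables, expect the dump to lock them briefly.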

Spam Plugins

Akismet – Recommended, and it comes with WordPress
WordPress ships with it right out of the box. It recognizes the great majority (but not all) of spam comments and files them in your site’s spam folder before you ever see them. You do have to sign up for an API key, though, and that can cost anything from $0 to $50 a month depending on the plan.

Bad Behavior – Takes a more preemptive approach to spam blocking than Akismet
Not only does it reject spam bots, it also blocks many e-mail address harvesters, brute force attempts, and automated website cracking attacks. Where Akismet judges the content of a comment after it is posted, Bad Behavior analyzes the HTTP headers, IP address, and metadata of each request to decide whether it is malicious before the request reaches WordPress at all. This approach isn’t perfect either, but it works a surprising amount of the time, since spammers tend not to be cognizant of good coding practices: their scripts often omit or garble headers that every real browser sends.

In addition to the above plugins there are numerous other plugins for screening comments and posts. If you are still getting a significant amount of automated comment spam, there are a plethora of CAPTCHA plugin options, of which I recommend you consider reCAPTCHA.

Login Lockers

Login Lockout & User Locker are both simple solutions that temporarily block an IP address (or account) after a number of failed login attempts, which is what takes the steam out of a brute force attack on wp-login.php. I use User Locker on this site, FYI.
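As an added example (not the code of either plugin), here is the lockout logic such a plugin implements, driven by Apache access-log lines instead of WordPress’s PHP hooks so it can run offline. The useful detail it relies on is that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful one redirects with 302. The threshold, window and lockout values, and the sample log lines, are constructed for the demo.

```python
# Added example (not the code of either plugin): sliding-window login lockout, replayed from
# Apache combined-format access-log lines (constructed for the demo).
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line):
    """-> (ip, timestamp, method, path-without-query, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


class LoginLocker:
    """`threshold` failed logins from one IP inside `window` seconds locks that IP out for
    `lockout` seconds. A successful login clears the IP's failure count."""

    def __init__(self, threshold=5, window=300, lockout=900):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires

    def observe(self, ip, ts, method, path, status):
        """Feed one request; returns True if it should be refused."""
        until = self.locked_until.get(ip)
        if until is not None:
            if ts < until:
                return True
            del self.locked_until[ip]        # lockout expired, start counting afresh
        is_login = method == "POST" and path.endswith("/wp-login.php")
        if is_login and status == 200:       # failed attempt: the form was re-rendered
            q = self.failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > self.window:
                q.popleft()                  # drop failures that fell out of the window
            if len(q) >= self.threshold:
                self.locked_until[ip] = ts + timedelta(seconds=self.lockout)
                q.clear()
                return True
        elif is_login and status == 302:     # successful login
            self.failures.pop(ip, None)
        return False


def scan(lines, **locker_kwargs):
    """Replay log lines; returns ({ip: lockout expiry}, [(ip, iso-time) of each refused request])."""
    locker = LoginLocker(**locker_kwargs)
    refused = []
    for line in lines:
        rec = parse_line(line)
        if rec and locker.observe(*rec):
            refused.append((rec[0], rec[1].isoformat()))
    return dict(locker.locked_until), refused


# Constructed sample log: one IP hammering the login form, one user who mistypes once then gets in.
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Mar/2014:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"'
    for s in (1, 3, 5, 7, 9, 11)
] + [
    '198.51.100.2 - - [12/Mar/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3825 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Mar/2014:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Mar/2014:10:01:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    locked, refused = scan(SAMPLE_LOG)
    for ip, until in locked.items():
        print(f"{ip} locked out until {until.isoformat()}")
    print(f"{len(refused)} requests refused")
```

Two caveats a plugin has to handle that this sketch does not: behind a reverse proxy or CDN the client IP is in X-Forwarded-For, not the connection address, and xmlrpc.php is a second login surface that should be counted as well.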

Security Plugins

OK, here are the 800 lb gorillas of plugin security. These are the top WordPress plugins to help secure your website.

Better WP Security – A Great General Security Solution for WordPress. Recommended
Better WP Security combines various WordPress security techniques into a single plugin in order to close as many security holes as possible without having to worry about conflicting features or the possibility of missing something on your site.

Here is the feature list direct from the plugin directory on wordpress.org, and it is pretty extensive. One thing to keep in mind while reading it: the first dozen or so items are obscurity measures. Hiding the version, renaming admin, moving the login URL and changing the table prefix don’t fix any vulnerability, but they do cut down the noise from automated scanners. The brute force banning, strong password enforcement, forced SSL and the file editing lockout are the items that actually remove attack surface.

  • Remove the meta “Generator” tag
  • Change the urls for WordPress dashboard including login, admin, and more
  • Completely turn off the ability to login for a given time period (away mode)
  • Remove theme, plugin, and core update notifications from users who do not have permission to update them
  • Remove Windows Live Write header information
  • Remove RSD header information
  • Rename “admin” account
  • Change the ID on the user with ID 1
  • Change the WordPress database table prefix
  • Change wp-content path
  • Removes login error messages
  • Display a random version number to non administrative users anywhere version is used
  • Scan your site to instantly tell where vulnerabilities are and fix them in seconds
  • Ban troublesome bots and other hosts
  • Ban troublesome user agents
  • Prevent brute force attacks by banning hosts and users with too many invalid login attempts
  • Strengthen server security
  • Enforce strong passwords for all accounts of a configurable minimum role
  • Force SSL for admin pages (on supporting servers)
  • Force SSL for any page or post (on supporting servers)
  • Turn off file editing from within WordPress admin area
  • Detect and block numerous attacks to your filesystem and database


BulletProof Security – An effective way to secure your site through .htaccess protection.
BulletProof Security is built around .htaccess rules: it protects both your root website folder and your wp-admin folder, and adds extra protection for wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html, files that a visitor should never be able to request directly (the first carries your database password, the last gives away your WordPress version).


Wordfence – Scans, repairs and monitors your site’s content, traffic and, most importantly, the WordPress core, theme and plugin files.
This plugin is unique among security plugins in that it checks the integrity of your WordPress core, theme and plugin files against the copies stored in the WordPress repository, rather than simply keeping a snapshot of your files as they were when the plugin was installed. That distinction matters: a snapshot-based check can only tell you that something changed after you installed it, so if you were already infected when you installed the plugin, it will never alert you. Comparing against the repository catches a modified core file no matter when it was modified.


Conclusion

Since this is the last article in my series on WordPress security (for now), I would like to emphasize that being secure does not mean you have to take precautions against every single possible threat out there. While it’s nice to have renamed every database table and obscured your login and admin folders, you don’t have to, really. As long as you’ve made sure to update your software regularly, use secure passwords, have an independent hosting plan with backups, and run antivirus/malware software on the computer that accesses your site, you are doing pretty well. If you want to be more secure then by all means consider some of the software I recommend, but DON’T GO OVERBOARD! Some of these options will cause you more trouble than they are worth, especially the ones that fool around with .htaccess and the database table prefix. So be conservative in how cautious you are. And remember, if it all goes sideways, you’ve always got a backup. Or at least you should, if you learned anything from these articles.

Note that while this is the last article in this series, I will continue to publish related articles on the subject, e.g. website monitoring and scanning, optimization, etc. If you’ve found these articles useful or have a suggestion, please feel free to contact me.