Our Lists Of WordPress Security Plugins
Since we believe security for WordPress comes in a few flavors, we also put the plugins into a couple of sections.
Must Have Plugins: these are plugins that should be mandatory on all WordPress installations. This can be either specific (e.g. use this plugin) or general (e.g. use this type of plugin). In either case, you should have some basic security measures in place.
Optional But Recommended: these plugins are very useful for understanding your blog's security. They often include security scanners, file checkers, and other utilities that come in useful but may not be required in day-to-day operation.
Strictly Optional: these are plugins that we often use on a limited or per-project basis. Not all blogs or users will benefit from these plugins, but you may find them as useful as we have.
Must Have Blogging Security Plugins:
WordFence Security: http://wordpress.org/plugins/wordfence/
This has become one of our go-to security plugins. WordFence is a top-notch security plugin which offers these features: Firewall, Core File Scan, Two Factor Authentication, Blocking, Login Restriction, DNS Monitoring and Live Traffic views, just to name a few.
This plugin is great for blocking and throttling bad bots and crawlers so they cannot cause too much trouble on your website. User access and admin restrictions include such useful features as blocking “admin” from being registered if you're not using it (and you really should not be using admin as a username).
This has replaced OSE Firewall as our preferred Firewall application as of the recent OSE updates, see these posts:
- Potential Plugin Issues With OSE Firewall
- Updated Versions Of OSE Firewall
- OSE Firewall Updates – 2.2.1 – 2.2.5
Better Wp Security: http://wordpress.org/plugins/better-wp-security/
Better WP Security puts forth the claim of being the #1 WordPress Security Plugin and we are inclined to agree, at least in part. With 12 different pages of security sections this is one of the better security plugins we have used (we have not yet tested them all). This plugin covers areas that we feel definitely help against “script-based hacks”, such as changing content folders, hiding login pages, and limiting backend access. Better WP Security is pretty straightforward and user-friendly, making it one of our top choices.
This has become our favorite Captcha option. It is usable on all forms and easily implemented. This plugin relies on simple math questions, which humans find much easier to read than distorted images.
Bad Behavior: http://wordpress.org/plugins/bad-behavior/
At first glance you might not think that this is a security plugin because it deals with spam. However, in many cases this plugin can actually stop those spammy sites from ever reaching your blog in the first place. Any plugin that can help eliminate threats before they get to your site and become larger problems is an almost automatic choice in our book.
Backup WordPress: http://wordpress.org/plugins/backupwordpress/
While not technically a security plugin, having a viable backup solution is a requirement for dealing with your site security. Proper backups allow you to restore the site in the event something goes wrong. We find this plugin is easily installed, has workable settings out of the box, and is easily run manually when doing major changes such as system upgrades like the recent WordPress 3.7 release.
Aryo Activity Log: http://wordpress.org/plugins/aryo-activity-log/
This should be a must-have tool for any administrator who likes to know what is going on in their blogs. The Aryo Activity Log tracks changes being made to your blog by:
- Tracking User activity / Login / Log Out / Registrations
- Tracking Plugin Activations / changes
- Tracking Theme Changes
- Tracking Content / Widgets / Media and more
We use this plugin to keep track of admin as well as user activity. This means when something goes wrong, like a security breach, we can look back into the log and see when and who was on the system. If admins break something and cause a site outage, then we know what changes were made.
Optional Highly Recommended Plugins
BulletProof Security: http://wordpress.org/plugins/bulletproof-security/
BulletProof Security is an enigma of a plugin. Its primary purpose is to be a security plugin; however, it goes about it in a manner that to us leaves it slightly lacking in some areas. For instance, compared to Better WP Security above it does not offer similar functions.
You might wonder why it is not in the Must Have category, and the answer lies in how it handles security: through .htaccess.
We like this plugin; however, many of the options available within it are either handled by other plugins, such as login protection, or can be done directly with .htaccess edits. This means that advanced users who are comfortable editing .htaccess may not need the overhead of the actual plugin.
The features we look for in this plugin are mainly the .htaccess rules for blocking, securing the admin area, and securing the .htaccess files themselves.
We also find that this plugin can be confusing to new users, which means people are less likely to use and configure it properly. We do use this plugin from time to time depending on the site being managed.
Important side note: this plugin is compatible with Better WP Security and can be used in conjunction with it. It does take a little effort to make sure it is installed properly, as several of the “server tweaks” from Better WP Security overlap the .htaccess rules here.
Apocalypse Meow: http://wordpress.org/plugins/apocalypse-meow/
A great little security plugin that handles brute force login attacks. This is optional depending on the other plugins you have installed, such as WordFence. One item that makes this plugin nice is the Login Jail, which tracks and shows all login attempts made to your blog, both failed and successful ones.
Look See Security Scanner: http://wordpress.org/plugins/look-see-security-scanner/
Look-see Security Scanner is a relatively quick and painless way to locate the sorts of file irregularities that turn up when a site is hacked. This plugin checks various areas of the blog for problems, such as “extra files in the admin area” or “hidden PHP files”. It also tracks files that have changed since your last scan, making it a lot easier to know if files on your system have changed without your knowledge.
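As an added illustration of the kind of check described above (this is our own example, not Look-see's code): hash every file on one scan, compare against that baseline on the next, and flag PHP files in places WordPress never puts them. The site trees below are constructed in memory so the example runs offline.

```python
import hashlib
import os

# Constructed sample site trees ({relative path: file bytes}) so this runs
# offline; a real scan would walk the WordPress document root instead.
BASELINE_TREE = {
    "wp-admin/admin.php": b"<?php // admin entry point",
    "wp-includes/version.php": b"<?php $wp_version = '3.7';",
    "wp-content/uploads/2013/10/photo.jpg": b"\xff\xd8\xff\xe0",
}
CURRENT_TREE = dict(BASELINE_TREE)
# A core file silently modified, an extra file in wp-admin, and a hidden
# PHP file dropped into the uploads directory (all constructed).
CURRENT_TREE["wp-includes/version.php"] = b"<?php $wp_version = '3.7'; // edited"
CURRENT_TREE["wp-admin/extra.php"] = b"<?php // not part of core"
CURRENT_TREE["wp-content/uploads/2013/10/.cache.php"] = b"<?php // hidden"


def build_manifest(tree):
    """Baseline: relative path -> SHA-256 of the file contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def compare_manifests(baseline, current):
    """Files added, removed, or changed since the baseline manifest was taken."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def suspicious_php(paths):
    """PHP files where WordPress never places them: under uploads, or dot-prefixed."""
    hits = []
    for path in paths:
        name = os.path.basename(path)
        if name.lower().endswith(".php") and (
            path.startswith("wp-content/uploads/") or name.startswith(".")
        ):
            hits.append(path)
    return sorted(hits)


def scan(baseline, tree):
    """Run one scan against a stored baseline and return the findings."""
    current = build_manifest(tree)
    report = compare_manifests(baseline, current)
    report["admin_extras"] = [p for p in report["added"] if p.startswith("wp-admin/")]
    report["suspicious_php"] = suspicious_php(current)
    return report
```

Save the baseline manifest (for example as JSON) after a clean install or upgrade, then call `scan(saved_baseline, tree_read_from_disk)` on each later run.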
Theme Check: http://wordpress.org/plugins/theme-check/
Even though this plugin is not updated for the 2.6-3.7 versions, we still recommend it as a useful tool to see just how many errors may be present in a theme. Some themes, such as the default 2012 and 2013 themes that come with WordPress, will rarely show any issues with this checker tool. Many, many other themes will be missing a lot of “best practices”, and this plugin will help you find them.
Ultimate Security Checker: http://wordpress.org/plugins/ultimate-security-checker/
Even from the start there are always going to be “basic” security measures that you can implement in order to make your blog more secure than the majority of blogs out there. This one plugin helps considerably to recognize and fix those basic issues. Installing and running this plugin gives you a numerical “grade” that gets higher the more problems you fix.
Even though this plugin does not list compatibility up to 3.7, we feel this might be an oversight, as the author has made updates as recently as a few months ago. The only issue we encountered with this plugin was the “core file check”, and a number of the plugins above perform the same check.
For a plugin that actually comes with WordPress (1 of only 2), you might be surprised how many people don’t ever turn this plugin on. Let’s review, shall we:
COMMENT SPAM BAD
Akismet is good. Enable and get an Akismet key. It is such a simple plugin that you will likely never know it is there. But trust me, if you have a blog that becomes busy this one plugin will make your life a hundred times better.
Additional Plugins that we recommend:
Old Core Files: http://wordpress.org/plugins/old-core-files/
If you are using an older version of WordPress, well, upgrade. But if for some reason you cannot do that, then make sure you at least check your core files once in a while. This plugin checks your core files and compares them to the WordPress repository to find files you no longer need. Really though, upgrade if at all possible.
W3 Total Cache: http://wordpress.org/plugins/w3-total-cache/
Caching plugins can prove to be quite useful, and sometimes quite problematic for beginners. W3 Total Cache has been around for some time as far as caching plugins go, but many feel that it has become the “old horse” and should be put out to pasture.
But this plugin works. It works well and it is still trusted by many other people, including many WordPress-specific hosting companies. This plugin does take a little getting used to, and it may do more harm than good, usually in shared host environments. If you're using higher-end servers or VPS solutions, consider this plugin for caching your site, as it offers greater flexibility and control over your system.
WP Content Copy Protection: http://wordpress.org/plugins/wp-content-copy-protection/
When many people think of security they worry about someone attacking and hacking into their sites. They often completely forget about “content theft”. This single plugin can go a long way toward avoiding content theft issues by disabling the browser's ability to copy and paste from the site itself (it does not prevent copying the link). Additionally, this plugin disables mouse copy, keyboard shortcuts, and image hotlinking.
For more plugins that we recommend check out the Plugin Of The Week section.
This has not been an exhaustive list by any means, but these are some of our favorite go-to security utilities. We also recommend testing any plugins that you are going to install on a separate test site before using them on a live production site. We understand this can be a lot of extra work, but the effort is well rewarded when you save hours fixing a blog that didn’t upgrade properly or when cleaning out extra plugins.
The security of your blogs is important. Your blog security affects your content, your time involved with upkeep and in many cases your potential livelihood. Take your blog security seriously and learn how different plugins will affect your overall security. The more you understand what can and will happen the better prepared you will be to keep your head when it does.