Recently, I woke up one day to find a number of my clients’ websites shut down by the infamous Google “Reported Attack Page” warning. While I successfully fended off the attack, I discovered a number of really great WordPress plugins for improving your site’s security that I would like to share. Like most people, I had not treated security as a top concern. Most people just go “Eh, it’s gonna happen to someone else” or “I’m a small operation, no one will hack me”, but unfortunately, it is usually the smaller sites that get picked on, since they lack the resources for a full security operation. In this article, I will show you the top 5 absolutely essential security plugins for WordPress, where to find them, what they do, and why they’re important.
Security plugins are essential for all sites, no matter how big or how small. While not sufficient on their own to completely protect a site, they are a necessary front line that is free and easy to set up. They are an absolute necessity for any business site, membership site, or site that takes credit card payments. They are also highly recommended for any site owner who does not want to find their pages replaced with vulgar, racist, or pornographic material every so often. If you do not know how to install a plugin, check out the article How to Install a WordPress Plugin.
List of the Best WordPress Security Plugins
Here are E3’s top recommended security plugins. You should install all of these on your WordPress site immediately.
Without doubt, “Secure WordPress” by Website Defender is a must-have for every site. It automatically takes care of a number of hardening tweaks to your WordPress installation, including:
- Removes error information from the login page
- Adds a virtual index.php to the plugin directory
- Removes the WordPress version, except in the admin area
- Removes the Really Simple Discovery link
- Removes the Windows Live Writer link
- Removes core update information for non-admins
- Removes plugin update information for non-admins
- Removes theme update information for non-admins (WP 2.8 and higher only)
- Hides the WordPress version in the backend dashboard for non-admins
- Removes the version parameter from script and stylesheet URLs (frontend only)
- Blocks bad queries that could be harmful to your WordPress website
Secure WordPress is absolutely free and requires no initial configuration. It does allow custom settings, but for the newbie these are not required. Just install and relax.
This plugin searches the files on your website, as well as the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual file names. It does not remove anything; cleanup is left to the user. While not as simple as the “plug and go” Secure WordPress, this plugin lets you run scans of your site and identify any suspicious file names that a hacker may have planted on your site.
The plugin does return a number of false positives, so if you see a file name that looks like something you installed yourself and/or comes from a trusted provider, you can go ahead and ignore it. This is because it is simply impractical to identify and whitelist every reputable plugin or theme you might have installed. If you see a file name that is shady, go in and delete those files either by FTP or from the admin panel (if possible). All in all, this is an extremely valuable plugin, and it provides peace of mind when you know there is no malware hidden somewhere on your site.
Automatically blocks the most obvious and typical hacker attempts. It runs completely by itself, with no need to initiate scans or configure settings. This plugin intelligently whitelists and blacklists pathological-looking phrases. It will also identify and send you the hacker’s IP address so you can take steps toward blocking their access to your site or notifying law enforcement agencies.
WordPress by default allows unlimited login attempts to your administrator dashboard. Hackers have written password-generating programs that test billions of combinations of letters, numbers, and symbols to try to crack the password for your WordPress site. By installing this plugin, you are automatically protected from such attacks, because the plugin limits the number of times someone can log in unsuccessfully.
This plugin automatically notifies you by email of any changes to the files that make up your WordPress site. While sometimes these changes will have been made by you, other times you’ll receive an alert for a change you did not make. The program identifies which files were changed and where they are located in your directory tree. It lets you know immediately when someone has made an unauthorized change or addition to your site and allows you to go in and delete the infected code.
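To show the mechanism described above, here is an added example of a per-address failed-login limiter with a sliding window and a lockout period. It is not the plugin’s own code (and is written in Python rather than the PHP a WordPress plugin would use); the `LoginLimiter` class, the `attempt_login` helper, the thresholds, and the demo account, password and IP addresses are all my own constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Constructed credential store for the demo. A real store uses a random
# per-user salt; the fixed salt here only keeps the example short.
_SALT = b"demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"admin": _hash("correct horse battery staple")}  # constructed demo account
_DUMMY_HASH = _hash("unused")  # compared against for unknown users so timing is uniform


class LoginLimiter:
    """Count failed logins per client address; lock the address out once
    max_failures occur within `window` seconds. Times are plain numbers
    (seconds) passed in by the caller so the behaviour is deterministic."""

    def __init__(self, max_failures=5, window=600, lockout=1800):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout expires

    def locked_for(self, ip, now):
        """Seconds of lockout remaining for ip, or 0 if it is not locked."""
        return max(0, self._locked_until.get(ip, 0) - now)

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, ip, now):
        """Record one failed attempt; return True if it triggers a lockout."""
        self._prune(ip, now)
        q = self._failures[ip]
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)
        self._locked_until.pop(ip, None)


def attempt_login(limiter, ip, username, password, now):
    """Return 'locked', 'ok' or 'fail'. Locked addresses are refused before the
    password is even checked, which is what stops a guessing program."""
    if limiter.locked_for(ip, now) > 0:
        return "locked"
    candidate = _hash(password)
    stored = USERS.get(username, _DUMMY_HASH)
    if username in USERS and hmac.compare_digest(stored, candidate):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip, now)
    return "fail"


if __name__ == "__main__":
    lim = LoginLimiter(max_failures=3, window=60, lockout=300)
    for t in range(4):  # three wrong guesses, then the lockout kicks in
        print(t, attempt_login(lim, "203.0.113.5", "admin", "guess", t))
```

The window matters as much as the count: failures older than `window` seconds are dropped, so an administrator who mistypes once a day never trips the lock, while a program firing guesses back to back does within seconds. The limiter keys on the client address, so an attacker using many addresses still needs a per-account cap in addition to this.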
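As an added illustration of how a file-change monitor like the one just described works (this is my own example, not the plugin’s code), the script below takes a SHA-256 baseline of every file under a site root, stores it as JSON, and later reports which files were added, removed or modified. The miniature site tree, its file contents and the `demo()` tamper sequence are constructed for the example; the function names and the excluded `cache` directory are my assumptions.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, exclude_dirs=()) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d not in exclude_dirs)
        for name in filenames:
            full = Path(dirpath) / name
            result[full.relative_to(root).as_posix()] = hash_file(full)
    return result


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots into added, removed and modified file lists."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def save_baseline(snap: dict, path: Path) -> None:
    path.write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


# Constructed stand-in for a WordPress tree; contents are placeholders, not real core files.
DEMO_FILES = {
    "wp-config.php": "<?php // constructed placeholder config\n",
    "wp-includes/functions.php": "<?php function demo_helper() { return 1; }\n",
    "wp-content/plugins/hello.php": "<?php // constructed demo plugin\n",
    "wp-content/cache/page.html": "<html>cached</html>\n",
}


def build_demo_site(root: Path) -> None:
    for rel, content in DEMO_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict:
    """Take a baseline, simulate one change of each kind, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        build_demo_site(site)
        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(snapshot(site, exclude_dirs=("cache",)), baseline_path)

        # Simulated changes: a core file altered, an unexpected file dropped into
        # uploads, a plugin deleted, and a change inside the excluded cache dir.
        with open(site / "wp-includes/functions.php", "a") as f:
            f.write("// appended line for the demo\n")
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/uploads/unexpected.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content/plugins/hello.php").unlink()
        (site / "wp-content/cache/page.html").write_text("<html>changed cache</html>\n")

        return compare(load_baseline(baseline_path), snapshot(site, exclude_dirs=("cache",)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file outside the web root (and ideally off the server), otherwise whoever altered the site can alter the baseline to match. Re-take the baseline deliberately after each update you perform yourself, so that the only alerts left are the ones you did not cause.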