To be clear: I am not a blog/website security expert. Far from it.
Oh, you’re not, either? Perfect. Let’s share what we know and make each other smarter. Deal?
I’ll go first. Here’s a list of five WordPress plugins that I always install on new blogs to help secure the blog and keep the bad guys away. Have a look through my list and then let me (and other readers) know in the comments what other/different plugins and tactics you recommend.
Matt’s List of WordPress Security Plugins
1.) Block Bad Queries (BBQ)
This plugin “checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either ‘eval(’ or ‘base64’ in the request URI.” It also protects “against CONCAT and UNION+SELECT requests.” (I have no idea what any of that means, by the way.)
2.) Login Lockdown
This plugin “records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.” (By the way, this plugin is written by Michael VanDeMar, whose WordPress security services I can personally recommend.)
3.) Secure WordPress
This plugin takes care of about a dozen little things at once — tweaks that can help keep your WordPress install secure. One of those tweaks does the same job as Block Bad Queries (#1 above). The plugin also does things like add an index.php file to your plugins directory so that snoops can’t easily see what plugins you’re running.
4.) WordPress File Monitor
This plugin monitors your WordPress installation and sends you an alert when it detects that any files have been added, deleted, or changed. This is good because hackers may break into your install and upload new files or start modifying existing files for their own purposes. If that happens, you’ll get an email. That also means you’ll get an email when you do things like use the WordPress file uploader — so, for example, when I publish this post and upload an image to go with it, a couple minutes later I’m gonna get an email notifying me that images were added to my install. If you publish a lot of blog posts, that might get annoying. But I think it’s a small price to pay for some peace of mind.
5.) WordPress Security Scan
This plugin scans your WordPress install looking for a variety of things like whether or not the WordPress version is hidden, if you have an .htaccess file in your wp-admin directory, and so forth. I think some of it might duplicate what Secure WordPress (#3 above) does, but I’m not positive. (This is another one where I don’t understand all the details!)
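Here are the checks quoted for Block Bad Queries (#1 above), written out as a small request filter. This is an added illustration, not the plugin's own code; the function name, the regular expressions and the sample URIs are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

MAX_URI_LENGTH = 255  # limit quoted in the plugin description

# Strings named in the quoted description. The exact regexes are assumptions
# made for this example, not the plugin's real rules.
SUSPICIOUS = {
    "eval(": re.compile(r"eval\s*\(", re.I),
    "base64": re.compile(r"base64", re.I),
    "CONCAT": re.compile(r"concat\s*\(", re.I),
    "UNION+SELECT": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}

def check_request_uri(uri):
    """Return the reasons a request URI would be blocked (empty list = allowed)."""
    reasons = []
    if len(uri) > MAX_URI_LENGTH:
        reasons.append("longer than 255 characters")
    # Decode %xx escapes and '+' first, so an encoded form of the same
    # string is matched as well.
    decoded = unquote_plus(uri)
    for name, pattern in SUSPICIOUS.items():
        if pattern.search(decoded):
            reasons.append(name)
    return reasons

# Constructed sample request URIs (not taken from real traffic).
SAMPLES = [
    "/2011/05/wordpress-security-plugins/",  # ordinary post URL
    "/?s=" + "a" * 300,                      # overlong query string
    "/?c=%65val(1)",                         # 'eval(' with the 'e' percent-encoded
    "/?id=1+UNION+SELECT+1,2",               # SQL keywords in a parameter
    "/blog/what-is-base64-encoding/",        # harmless slug that still matches
]

if __name__ == "__main__":
    for uri in SAMPLES:
        verdict = check_request_uri(uri)
        shown = uri if len(uri) <= 50 else uri[:47] + "..."
        print(f"{shown:52} {'BLOCK ' + ', '.join(verdict) if verdict else 'allow'}")
```

Note the last sample: a harmless post slug that contains "base64" trips the same rule as a hostile request, which is the trade-off with simple pattern blocking.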
One More Smart & Secure Thing To Do
Backup Your Database — In addition to those plugins (and hopefully more that readers will suggest in the comments), you absolutely must back up your WordPress database regularly. I use a plugin called WordPress Database Backup which is as easy as pie to set up. I have the plugin create a backup of my database every night and send it to a dedicated Gmail account that I don’t use for anything else but database backup storage.
Okay, now it’s your turn: Tell me what’s wrong with the plugins I’m using or add others that I should be using. The floor is open!