5 WordPress Plugins To Help Keep Your Blog Secure

Filed in Blogging, Featured by Matt McGee on January 14, 2011 8 Comments

wordpress-logoTo be clear: I am not a blog/website security expert. Far from it.

Oh, you’re not, either? Perfect. Let’s share what we know and make each other smarter. Deal?

I’ll go first. Here’s a list of five WordPress plugins that I always install on new blogs to help secure the blog and keep the bad guys away. Have a look through my list and then let me (and other readers) know in the comments what other/different plugins and tactics you recommend.

Matt’s List of WordPress Security Plugins

1. Block Bad Queries (BBQ)

WordPress repository | Plugin home page

This plugin “checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either ‘eval(‘ or ‘base64’ in the request URI.” It also protects “against CONCAT and UNION+SELECT requests.” (I have no idea what any of that means, by the way.)

2.) Login Lockdown

WordPress repository | Plugin home page

This plugin “records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.” (By the way, this plugin is written by Michael VanDeMar, whose WordPress security services I can personally recommend.)

3.) Secure WordPress

WordPress repository | Plugin home page

This plugin takes care of about a dozen little things at once — tweaks that can help keep your WordPress install secure. One of those involves the same function that Block Bad Queries (#1 above) does. It does things like add an index.php file to your plugins directory so that snoops can’t easily see what plugins you’re running.

4.) WordPress File Monitor

WordPress repository | Plugin home page

This plugin monitors your WordPress installation and sends you an alert when it detects that any files have been added, deleted, or changed. This is good because hackers may break into your install and upload new files or start modifying existing files for their own purposes. If that happens, you’ll get an email. That also means you’ll get an email when you do things like use the WordPress file uploader — so, for example, when I publish this post and upload an image to go with it, a couple minutes later I’m gonna get an email notifying me that images were added to my install. If you publish a lot of blog posts, that might get annoying. But I think it’s a small price to pay for some peace of mind.

5.) WordPress Security Scan

WordPress repository | Plugin home page

This plugin scans your WordPress install looking for a variety of things like whether or not the WordPress version is hidden, if you have an .htaccess file in your wp-admin directory, and so forth. I think some of it might duplicate what Secure WordPress (#3 above) does, but not positive. (This is another one where I don’t understand all the details!)

One More Smart & Secure Thing To Do

Backup Your Database — In addition to those plugins (and hopefully more that readers will suggest in the comments), you absolutely must backup your WordPress database regularly. I use a plugin called WordPress Database Backup which is as easy as pie to setup. I have the plugin create a backup of my database every night and send it to a dedicated Gmail account that I don’t use for anything else but database backup storage.

Okay, now it’s your turn: Tell me what’s wrong with the plugins I’m using or add others that I should be using. The floor is open!

Comments (8)

Trackback URL | Comments RSS Feed

  1. Kris says:

    I’m going to use this once I get my new WP-based website up and running (Monday, I hope). Bad bots be gone!
    Also a simple thing is to put WP in a directory with a funny name.

  2. Stever says:

    Matt, one little security thing I like to do is hide the WP version number from displaying in your meta data in html source code.

    Add this line of code to your functions.php file in your theme folder;

    remove_action(‘wp_head’, ‘wp_generator’);

    Hiding your version number, especially if using an older version, makes any hacker have to guess which exploits to try. Most auto hacker bots are likely looking for version numbers to try their attacks on WP sites they already know how to exploit.

  3. @Matt – Thanks for the recommendation. 🙂

    @Stever – a couple of points. First of all, there are several other places someone can get your WordPress version, such as the readme.html most people don’t delete:


    Secondly, you personally are just asking to get hacked running a version that old. The bots don’t bother looking for the version, they merely test and see if the exploits work. If they do (which on older WordPress versions, they will) then the bot just does the hacking. Hiding the version doesn’t really help.

  4. As a WP guy, these are decent plugins and do well to secure parts of your site.

  5. Stever says:

    @Michael VanDeMar


  6. Mark says:

    Hey, when we talk about wordpress security, the first thing that comes to mind is Akismet. I think this a basic secure plugin of any WordPress site. Another hit by Automattic, the time savings is well worth installing. While it may throw some good comments into spam (and you should periodically check for false positives), all in all still does a fine job.

  7. Secure WordPress and WordPress Security Scan is really very useful plugins. However these plugins take more CPU uses.

  8. William Rose says:

    Thanks for this informative security post. I have many wordpress blogs and see all sorts of strange queries and traffic in my logs that concerns me slightly. I’ll be checking these things out.

Leave a Reply

Your email address will not be published. Required fields are marked *