In Part 1 we covered the basic WordPress hardening that needs no plugin, only edits to a few files. Part 2 looks at how to make your blog more secure with some of the more advanced security plugins. Thousands of plugins claim to do this; I will discuss only the ones I consider good and effective.
Securing WordPress using plugins
Listed below are ways to improve the security of your blog with plugins (all plugins work on WordPress 2.7 and 2.8):
- Comment security: plugins that protect your blog's comment section:
- Akismet: the most basic comment-spam plugin. Akismet needs an API key, which you get from WordPress.com. Every submitted comment is sent to the Akismet service, which classifies it against spam patterns learned across many blogs and holds spam instead of showing it. Note that comment content and the commenter's IP leave your server for this to work.
Alternative: Defensio works the same way as Akismet; deactivate Akismet before using it.
SpamTask works like the two above but needs no API key; register to see its statistics.
- reCAPTCHA Form Plugin: based on reCAPTCHA, a hardened and effective variant of the simple CAPTCHA.
Block-Spam-By-Math: math-based CAPTCHA.
trymath: math-based CAPTCHA rendered as ASCII art.
VidoopCAPTCHA: image-based CAPTCHA.
Geo Captcha: shows a CAPTCHA only to visitors from specific countries.
WP Clickcha: click-based CAPTCHA instead of typing.
Search for CAPTCHA-based plugins and you will find the one best suited to your purpose.
- NOSpamNX: adds a hidden (honeypot) field to the comment form. Humans never see it and leave it empty; simple spambots fill every field they find and are rejected. Bots that only post to the standard field names, or that render the page and honour CSS, get past it, so treat it as a cheap first filter rather than a complete one. For WordPress 2.7.1 and below use Yawasp (Yet Another WordPress Anti Spam Plugin).
- Antispam Bee: swaps the real comment field for a decoy, so bots that post to the standard comment field are caught.
- WP Captcha-Free: validates each submission against a hash computed from the submission time and other request parameters and passed along via AJAX; a bot posting straight to wp-comments-post.php without a fresh, valid hash is rejected.
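Two of the mechanisms above, the honeypot field (NOSpamNX, Invisible Defender) and the timed hash (WP Captcha-Free), are small enough to show in code. The plugin below is an added example written for this article; it is not the code of any of those plugins. It assumes the default WordPress 2.x comments template, which fires the comment_form action inside the form, and the field names, time limits and message strings are arbitrary choices.

```php
<?php
/*
Plugin Name: Comment Honeypot + Timed Token (added example)
Description: Illustrates the honeypot and timed-hash checks; not the code of NOSpamNX,
             Invisible Defender or WP Captcha-Free. Drop into wp-content/plugins/ and activate.
*/

// Field names and time limits are arbitrary choices for this example.
define( 'CHT_HONEYPOT_FIELD', 'website_url_confirm' ); // decoy: hidden by CSS, humans leave it empty
define( 'CHT_TOKEN_FIELD',    'cht_token' );           // "<issued>:<hmac>" proving we served the form
define( 'CHT_MIN_AGE',        5 );                     // posted <5 s after the form was served: a bot
define( 'CHT_MAX_AGE',        3600 );                  // token older than an hour: expired

// Constant-time comparison; hash_equals() only exists on PHP 5.6+.
if ( ! function_exists( 'hash_equals' ) ) {
    function hash_equals( $known, $user ) {
        if ( strlen( $known ) !== strlen( $user ) ) {
            return false;
        }
        $diff = 0;
        for ( $i = 0; $i < strlen( $known ); $i++ ) {
            $diff |= ord( $known[ $i ] ) ^ ord( $user[ $i ] );
        }
        return $diff === 0;
    }
}

// Token = "<issued_at>:<HMAC-SHA256(post_id|issued_at, site salt)>".
// wp_salt() ties the MAC to this installation's secret keys in wp-config.php.
function cht_make_token( $post_id, $now = null ) {
    $now = ( $now === null ) ? time() : (int) $now;
    return $now . ':' . hash_hmac( 'sha256', $post_id . '|' . $now, wp_salt() );
}

// Returns '' when the token is valid for $post_id, otherwise a short reason.
function cht_check_token( $token, $post_id, $now = null ) {
    $now = ( $now === null ) ? time() : (int) $now;
    if ( ! is_string( $token ) || strpos( $token, ':' ) === false ) {
        return 'missing token';
    }
    list( $issued, $mac ) = explode( ':', $token, 2 );
    $issued   = (int) $issued;
    $expected = hash_hmac( 'sha256', $post_id . '|' . $issued, wp_salt() );
    if ( ! hash_equals( $expected, $mac ) ) {
        return 'bad token';          // forged, or minted for another post or site
    }
    $age = $now - $issued;
    if ( $age < CHT_MIN_AGE ) {
        return 'submitted too quickly';
    }
    if ( $age > CHT_MAX_AGE ) {
        return 'token expired';
    }
    return '';
}

// Emit both fields inside the form. In the default WordPress 2.x comments.php the
// 'comment_form' action fires inside <form>, with the post ID as argument.
function cht_print_fields( $post_id ) {
    echo '<p style="display:none"><label>Leave this empty '
       . '<input type="text" name="' . CHT_HONEYPOT_FIELD . '" value="" /></label></p>';
    echo '<input type="hidden" name="' . CHT_TOKEN_FIELD . '" value="'
       . htmlspecialchars( cht_make_token( (int) $post_id ) ) . '" />';
}
add_action( 'comment_form', 'cht_print_fields' );

// Runs before WordPress stores any non-pingback comment, so a bot that POSTs
// straight to wp-comments-post.php without loading the form is caught as well.
function cht_validate( $commentdata ) {
    if ( ! empty( $commentdata['comment_type'] ) ) {
        return $commentdata;         // pingback/trackback: no form involved, leave to other filters
    }
    if ( ! empty( $_POST[ CHT_HONEYPOT_FIELD ] ) ) {
        wp_die( 'Comment rejected.' );   // honeypot filled: a form-filling bot
    }
    $token = isset( $_POST[ CHT_TOKEN_FIELD ] ) ? $_POST[ CHT_TOKEN_FIELD ] : '';
    $err   = cht_check_token( $token, (int) $commentdata['comment_post_ID'] );
    if ( $err !== '' ) {
        wp_die( 'Comment rejected: ' . htmlspecialchars( $err ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'cht_validate' );
```

Two limits to keep in mind. The token is bound to the post and the site, not to the visitor, so a bot that fetches the page first and posts within the window still gets through; the honeypot and the minimum age are what stop the cheap form-fillers, and Akismet or a behaviour blocker still has to handle the rest. And if the page is served from a cache, the token's issue time is the cache time: the minimum-age check becomes meaningless and long-cached pages will reject genuine commenters with "token expired", so exclude comment forms from caching or raise CHT_MAX_AGE.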
- IP/Behaviour Blocking Based Plugins:
- Bad Behavior: blocks requests before your blog serves them, based on request pattern, behaviour and IP address. It works alongside the anti-spam plugins above and saves bandwidth, since blocked bots never receive a page.
- AVH First Defense Against Spam: keeps spammers out by checking visitor IPs against a public spammer database and your own blacklist, and by blocking direct requests to wp-comments-post.php (this can also be done without a plugin).
- WordPress Firewall: blocks requests that carry known attack strings in the blog's URL parameters, including SQL-injection style input, and can block file uploads. Pattern matching of this kind can be evaded by encoding and can produce false positives on legitimate posts, so read its filter documentation and treat it as defence in depth, not as a fix for vulnerable code.
- Login/Registration Based Protection:
- Invisible Defender: protects the registration, login and comment forms with two hidden fields that spambots fill in and a human never does (the same honeypot idea as NOSpamNX).
- Limit Login Attempts: limits the number of retries after failed logins, tracked per IP or per cookie; it can log attempts and notify the administrator. Two caveats: an IP lockout also locks out everyone sharing that address (office NAT, proxies), and if the blog sits behind a reverse proxy the plugin must be configured to read the forwarded client address, or every attempt will appear to come from the proxy.
- Admin SSL: forces SSL on login, admin, posts, pages and everywhere else, with both private and shared SSL certificates. A separate download is provided for WordPress 2.8. (WordPress 2.6 and later can also force this without a plugin via the FORCE_SSL_ADMIN constant in wp-config.php.)
- Stealth Login: lets you change the login URL and blocks direct access to wp-login.php. This is obscurity, not authentication: it hides the form from dumb scanners but does nothing against someone who finds the new URL, so pair it with rate limiting.
- Restrict Login by IP: restricts WordPress login to a list of IP addresses and returns an error to everybody else.
- Invalidate Logged Out Cookies: invalidates the authentication cookie data on logout, so a stolen cookie cannot be replayed afterwards. The protection only applies when the user actually logs out; an abandoned session stays valid until the cookie expires.
- Chap Login: uses a CHAP-style challenge-response on the login page: the browser hashes the password together with a server-issued challenge, so the plaintext password is not sent over the wire. This is hashing, not encryption; it defends the password against passive sniffing on plain HTTP but does not protect the session cookie that follows, so it is not a substitute for SSL.
- Simple LDAP Authentication: lets WordPress authenticate users against an LDAP server.
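The lockout and IP-restriction plugins above combine two simple rules: count failures per source address and refuse logins once a threshold is hit, and optionally refuse any address not on a list. The plugin below is an added example written for this article, not the code of Limit Login Attempts or Restrict Login by IP. It needs WordPress 2.8 for the authenticate filter and the transient API; the thresholds, the example addresses and the log format are assumptions.

```php
<?php
/*
Plugin Name: Login Throttle + IP Allowlist (added example)
Description: Per-IP lockout after repeated failures plus an optional login allowlist.
             Not the code of Limit Login Attempts or Restrict Login by IP.
             Needs WordPress 2.8 for the 'authenticate' filter and transients.
*/

define( 'LT_MAX_FAILURES',    5 );   // lock after 5 failures in the window (assumption)
define( 'LT_LOCKOUT_SECONDS', 900 ); // window and lockout length: 15 minutes (assumption)

// Optional allowlist for logging in. Empty array means no restriction.
// 192.0.2.0/24 is a documentation range; substitute your own addresses.
$lt_allowed_ips = array( '192.0.2.10', '192.0.2.11' );

// Behind a reverse proxy REMOTE_ADDR is the proxy, so every visitor shares one
// counter and the allowlist sees only the proxy. Read X-Forwarded-For instead ONLY if
// the proxy is yours and overwrites that header; clients can forge it otherwise.
function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
    return 'lt_fail_' . md5( $ip );    // transient names must stay short; hash the IP
}

function lt_failures( $ip ) {
    $n = get_transient( lt_key( $ip ) );
    return ( $n === false ) ? 0 : (int) $n;
}

function lt_is_locked( $ip ) {
    return lt_failures( $ip ) >= LT_MAX_FAILURES;
}

// WordPress fires 'wp_login_failed' with the attempted username on every failure,
// including attempts made while locked, so the lockout extends while attacks continue.
function lt_record_failure( $username ) {
    $ip = lt_client_ip();
    $n  = lt_failures( $ip ) + 1;
    set_transient( lt_key( $ip ), $n, LT_LOCKOUT_SECONDS );
    if ( $n === LT_MAX_FAILURES ) {
        error_log( sprintf( 'login lockout for %s after %d failures (last username "%s")',
                            $ip, $n, $username ) );
    }
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// A successful login clears the counter for that address.
function lt_clear_failures( $user_login ) {
    delete_transient( lt_key( lt_client_ip() ) );
}
add_action( 'wp_login', 'lt_clear_failures' );

// Final say on authentication. Priority 30 runs after WordPress's own
// username/password check (priority 20), which ignores any error passed into it, so a
// denial must be returned after it to stick. The password is still verified, but the
// caller only ever sees the lockout message, never "incorrect password".
function lt_gate( $user, $username, $password ) {
    global $lt_allowed_ips;
    $ip = lt_client_ip();
    if ( ! empty( $lt_allowed_ips ) && ! in_array( $ip, $lt_allowed_ips, true ) ) {
        return new WP_Error( 'lt_ip_denied', 'Login is not permitted from your address.' );
    }
    if ( lt_is_locked( $ip ) ) {
        return new WP_Error( 'lt_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_gate', 30, 3 );
```

Counting per IP is deliberately simple. It is enough against a single scanner hammering wp-login.php, but a distributed attack that spreads attempts across many addresses never trips it, and a shared office address is locked for everyone after five mistakes; a per-username counter alongside the per-IP one covers the first case, at the cost of letting an attacker lock a known username on purpose.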
- WordPress Monitoring Based Protection:
- WordPress File Monitor: watches the WordPress installation for added, deleted or changed files and notifies the administrator on any change. Take the baseline from a known-good install, and remember that an attacker with write access to the web root can also tamper with the plugin and its stored hashes.
- TAC (Theme Authenticity Checker): scans all installed themes for malicious or unwanted code, including injected static links.
- WordPress Security Scan: scans the installation for known weaknesses and suggests corrective actions. It also removes the WordPress version information and generator tag and applies protections to the admin area and the database.
- Audit Trail: keeps track of what happens inside your blog. It records many kinds of action and keeps a log; it can also store the full content of posts and pages so you can restore any earlier version.
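The file-monitor idea is simple enough to run from cron as a standalone script, which also avoids the weakness noted above: a script and baseline kept outside the web root cannot be edited by the same attacker who modified the site. The script below is an added example written for this article, not the code of WordPress File Monitor. The skip list, the paths in the usage comment and the output format are assumptions.

```php
<?php
// Standalone file-integrity check for a WordPress tree. Added example; not the
// code of WordPress File Monitor. Usage (paths are examples):
//   php wp-integrity.php baseline /var/www/blog /root/wp-baseline.json
//   php wp-integrity.php check    /var/www/blog /root/wp-baseline.json
// Keep the script and the baseline OUTSIDE the web root; a baseline the attacker
// can rewrite proves nothing.

// Directories whose contents change legitimately and would only produce noise
// (assumption: adjust to your install). wp-content/uploads is NOT skipped, because a
// dropped .php file in uploads is exactly what you want to hear about.
$SKIP = array( 'wp-content/cache', 'wp-content/upgrade' );

function wpfm_should_skip( $rel, $skip ) {
    foreach ( $skip as $prefix ) {
        if ( $rel === $prefix || strpos( $rel, $prefix . '/' ) === 0 ) {
            return true;
        }
    }
    return false;
}

// Returns array( relative_path => sha256 ) for every regular file under $root.
function wpfm_snapshot( $root, $skip ) {
    $root = realpath( $root );
    if ( $root === false ) {
        fwrite( STDERR, "no such directory\n" );
        exit( 2 );
    }
    $root  = rtrim( $root, '/' );
    $files = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;                       // directories, and the . / .. entries on older PHP
        }
        $rel = substr( $path, strlen( $root ) + 1 );
        if ( wpfm_should_skip( $rel, $skip ) ) {
            continue;
        }
        $files[ $rel ] = hash_file( 'sha256', $path );
    }
    ksort( $files );
    return $files;
}

// Compare two snapshots; returns array( 'added' => [...], 'removed' => [...], 'changed' => [...] ).
function wpfm_diff( $baseline, $current ) {
    $diff = array( 'added' => array(), 'removed' => array(), 'changed' => array() );
    foreach ( $current as $rel => $hash ) {
        if ( ! isset( $baseline[ $rel ] ) ) {
            $diff['added'][] = $rel;
        } elseif ( $baseline[ $rel ] !== $hash ) {
            $diff['changed'][] = $rel;
        }
    }
    foreach ( $baseline as $rel => $hash ) {
        if ( ! isset( $current[ $rel ] ) ) {
            $diff['removed'][] = $rel;
        }
    }
    return $diff;
}

// ---- CLI entry point ----
if ( PHP_SAPI === 'cli' && isset( $argv ) && count( $argv ) === 4 ) {
    list( , $mode, $root, $baselineFile ) = $argv;
    if ( $mode === 'baseline' ) {
        file_put_contents( $baselineFile, json_encode( wpfm_snapshot( $root, $SKIP ) ) );
        echo "baseline written\n";
    } elseif ( $mode === 'check' ) {
        $baseline = json_decode( file_get_contents( $baselineFile ), true );
        $diff     = wpfm_diff( $baseline, wpfm_snapshot( $root, $SKIP ) );
        foreach ( $diff as $kind => $paths ) {
            foreach ( $paths as $rel ) {
                echo "$kind\t$rel\n";
            }
        }
        // Non-zero exit so cron's mail or your monitoring notices the change.
        exit( ( $diff['added'] || $diff['removed'] || $diff['changed'] ) ? 1 : 0 );
    }
}
```

Run `baseline` once right after a clean install or upgrade, then `check` from cron. Every legitimate core, plugin or theme update will show up as a batch of changed files, so re-baseline immediately after you apply one; a change that appears when you did not update anything is the signal you are looking for.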
- General Security Based:
- Antivirus for WordPress: protects the blog against exploits and spam injections.
- TTC WordPress Security Tool: blocks cross-site-scripting payloads, bad IP addresses, bots and bad user agents.
- Secure WordPress: implements many of the tweaks from Part 1: it removes error information from the login page, strips the RSD, WLW and version (generator) tags from the header, hides core, plugin and theme update notices from non-administrators, and adds an empty index.html to the plugins directory so its contents cannot be listed.