Just finished compiling several articles and WP plugins that will make you
aware of your sites vulnerability.
There are three free plugins at the end of the article that we recommend.
Top 10 Latest Powerful WordPress Security Plugins and
Tips & Tricks
into your WordPress website or blog, its now time to secure and protect
it from outside enemies and general bad guys: hackers, spammers and all
round tossers.
If
your WP development knowledge is limited, your best option is to
download and install plugins. They are easy to install and
manage and will give you all the power and security you could ever hope
for. Of course, no plugin is powerful enough to protect you from
everything, we can only minimize the possible intrusions. Below, we have
twenty plugins that will help you protect your WordPress installation.
1)
WP Security Scan
Link:
http://wordpress.org/extend/plugins/wp-security-scan/
Description: Scans your WordPress
installation for security vulnerabilities and suggests corrective
actions.
- passwords
- file permissions
- database security
- version hiding
- WordPress admin protection/security
- removes WP Generator META tag from core code
2) Secure
WordPress
Link:
http://wordpress.org/extend/plugins/secure-wordpress/
Description: Little help to
secure your WordPress installation: Remove Error information on login
page; adds index.html to plugin directory; removes the wp-version,
except in admin area.
- removes error-information on login-page
- adds index.php plugin-directory (virtual)
- removes the wp-version, except in admin-area
- removes Really Simple Discovery
- removes Windows Live Writer
- remove core update information for non-admins
- remove plugin-update information for
non-admins - remove theme-update informationfor non-admins
(only WP 2.8 and higher) - hide wp-version in backend-dashboard for
non-admins - Add string for use WP Scanner
- Block bad queries
This plugin requires the worlds #1 web server,
Apache, and
web
host support for .htaccess files.
3) Chap
Secure Login
Link:
http://wordpress.org/extend/plugins/chap-secure-login/
Description: Whenever you try to
login into your website, you can use this plugin to trasmit your
password encrypted. The encryption process is done by the Chap protocol;
this is particularly useful when you can’t use ssl or other kinds of
secure protocols. By activating the ChapSecureLogin plugin, the only
information transmitted unencrypted is the username; password is hided
with a random number (nonce) generated by the session – and opportunely
transformed by the MD5 algorithm. In the first login there will be an
error, but don’t worry is only a tecnical error. Indeed in the next
login’s operation, if the values are correct, there will not be errors,
but you give mind because the password will sended in unencrypted way.
4) Invisible
Defender
Link:
http://wordpress.org/extend/plugins/invisible-defender/
Description: This plugin protects
registration, login and comment forms from spambots by adding two extra
fields hidden by CSS. This approach gave me 100% anti-spam protection on
one of my sites. The idea behind this plugin is simple: SPAMBOTs either
fill every form field they find (generic spambots) or fill
WordPress-specific fields only (spambots which will recognise WP or are
targeting WP only). Therefore it is sufficient to add two extra text
fields to form (one empty and one with predefined value), and check
theirs values after form is submitted. 1st field (empty one) will be
filled by generic spambots, and 2nd one will not be filled by spambots
targeting WP only. With these two simple checks probably all spambots
can be easily detected, so WP can return error “403 Forbidden” for them.
These two extra fields are hidden with CSS rule, so they will not be
visible for most users. Only users with text-based browsers (and very
old ones which not support CSS) will see them, but don’t be afraid –
plugin has special message for them. Not surprisingly, some spammers
found Invisible Defender too and updated their spamming software to
detect and bypass this plugin. Therefore I started adding new protection
methods. First one is blacklist for heavy spammers; more will be added
soon. Invisible Defender also shows number of blocked spammers in
Dashboard, so you can see that it really works.
5) AskApache
Password Protect
Link:
http://wordpress.org/extend/plugins/askapache-password-protect/
Description: This plugin doesn’t
control WordPress or mess with your database, instead it utilizes fast,
tried-and-true built-in Security features to add multiple layers of
security to your blog. This plugin is specifically designed and
regularly updated specifically to stop automated and unskilled attackers
attempts to exploit vulnerabilities on your blog resulting in a hacked
site. You can set up Password Protection for your blog using HTTP Basic
Authentication, or you can choose to use the more secure HTTP Digest
Authentication. The power of this plugin is that it creates a virtual
wall around your blog allowing it to stop attacks before they even reach
your blog to deliver a malicious payload. In addition this plugin also
has the capability to block spam with a resounding slap, saving CPU,
Memory, and Database resources. Choose a username and password to
protect your entire /wp-admin/ folder and login page. Forbid common
exploits and attack patterns with Mod_Security, Mod_Rewrite, Mod_Alias
and Apache’s tried-and-true Core Security features. This plugin requires
the worlds #1 web server, Apache, and web host support for .htaccess
files. Has a user-contributed attack signature system modeled after the
Snort Intrusion Detection and Prevention system, Nessus Vulnerability
Scanner, and the Web Application Firewall ModSecurity.
6) Admin SSL
Link:
http://wordpress.org/extend/plugins/admin-ssl-secure-admin/
Description:
- Forces SSL on all pages where passwords can
be entered. - Works with both Private and Shared SSL.
- Can be installed on WordPress MU to force SSL
across all blogs (only works if you have a Private SSL certificate
installed) from WPMU 1.3 upwards. - Custom additional URLS (e.g. wp-admin/) can
be secured through the config page. - You can choose where you want the Admin SSL
config page to appear! - Works on WordPress 2.2 – 2.7; it will not
work on previous versions.
7) HTTP
Authentication
Link:
http://wordpress.org/extend/plugins/http-authentication/
Description: The HTTP
Authentication plugin allows you to use existing means of authenticating
people to WordPress. This includes Apache’s basic HTTP authentication
module and many others.
8 ) Login
LockDown
Link:
http://wordpress.org/extend/plugins/login-lockdown/
Description: Login LockDown
records the IP address and timestamp of every failed login attempt. If
more than a certain number of attempts are detected within a short
period of time from the same IP range, then the login function is
disabled for all requests from that range. This helps to prevent brute
force password discovery. Currently the plugin defaults to a 1 hour lock
out of an IP block after 3 failed login attempts within 5 minutes. This
can be modified via the Options panel. Admisitrators can release locked
out IP ranges manually from the panel.
9) Akismet
Link:
http://wordpress.org/extend/plugins/akismet/
Description: Akismet checks your
comments against the Akismet web service to see if they look like spam
or not and lets you review the spam it catches under your blog’s
“Comments” admin screen. Want to show off how much spam Akismet has
caught for you? Just put in your template.
10) TAC –
Theme Authenticity Checker
Link:
http://wordpress.org/extend/plugins/tac/
Description: TAC stands for Theme
Authenticity Checker. Currently, TAC searches the source files of every
installed theme for signs of malicious code. If such code is found, TAC
displays the path to the theme file, the line number, and a small
snippet of the suspect code. As of v1.3 TAC also searches for and
displays static links. Then what do you do? Just because the code is
there doesn’t mean it’s not supposed to be or even qualifies as a
threat, but most theme authors don’t include code outside of the
WordPress scope and have no reason to obfuscate the code they make
freely available to the web. We recommend contacting the theme author
with the code that the script finds, as well as where you downloaded the
theme. The real value of this plugin is that you can quickly determine
where code cleanup is needed in order to safely enjoy your theme. I hope
above list will help you to protect your blog 100%. Please provide your
thoughts and comments in comment section.
WordPress Security Best Practices & Plugins
Technology | January 13th, 2012
of plugins and themes.
Timthumb.php was a file that was included in many wordpress themes
and plugins. Many developers use timthumb.php
to resize images to fit their website. Since the vulnerability on
TimThumb was released last year, it is estimated that a
couple of million wordpress sites got compromised. This
vulnerability would allow the arbitrary upload of files to a site. One
of my websites was compromised so I moved security to the top of my list
of priorities when making a site.
Best PracticesUpdate WordPress and any plugins asap – not
updating is the biggest vulnerability
Change the admin default login name
Change the login path (plugin)
Include a custom database prefix on install
Always do your updates
Use as few plugins as possible
Make sure your plugins are safe (only download from known sources – like
www.wordpress.org)
Don’t just disable plugins. Remove them.
Use strong passwords
Remove/replace wordpress version.
Hold comments for moderation in discussion settings or
User must have an approved login before making any comments
Use an anti-spam tool (Akismet,
Captcha)
If others have access make sure they use strong passwords
Do not use the same password
Change passwords periodically
Backup site regularly (I use Backupbuddy for auto backups)
Site Malware and Blacklist Scan
Sucuri Scanner – online scanner.
They also sell a 9.99
plugin scanner.
Top WordPress Security
Plugins
Bulletproof Security (locks .htaccess
files)
WordPress Website Security Protection: BulletProof
Security protects your WordPress website from XSS, RFI, CRLF, CSRF,
Base64, Code Injection and SQL Injection hacking attempts. One-click
.htaccess WordPress security protection. Protects wp-config.php,
bb-config.php, php.ini, php5.ini, install.php and readme.html with
.htaccess security protection. One-click Website Maintenance Mode (HTTP
503). Additional website security checks: DB errors off, file and folder
permissions check… System Info: PHP, MySQL, OS, Memory Usage, IP, Max
file sizes… Built-in .htaccess file editing, uploading and downloading.
WordPress Firewall 2 (locks .php files, tracks ip addresses of
attach)
This plugin intelligently whitelists and
blacklists pathological-looking phrases, based on which field they
appear within, in a page request (unknown/numeric parameters vs. known
post bodies, comment bodies, etc.). Its purpose is not to replace prompt
and responsible upgrading, but rather to mitigate 0-day attacks and let
bloggers sleep better at night.
Ultimate Security Checker (best scanner – seeks out malicious code)
Our plugin identifies security problems with your
WordPress Installation. It scans your blog for hundreds of known
threats, then gives you a security “grade” based on how well you have
protected yourself. You can fix the problems yourself, or you can use
our
help to do it for you automatically.
Login LockDown records the IP address and
timestamp of every failed login attempt. If more than a certain number
of attempts are detected within a short period of time from the same IP
range, then the login function is disabled for all requests from that
range. This helps to prevent brute force password discovery. Currently
the plugin defaults to a 1 hour lock out of an IP block after 3 failed
login attempts within 5 minutes. This can be modified via the Options
panel. Admisitrators can release locked out IP ranges manually from the
panel.
WP Email Guard protects your email addresses
included on any post or page from being crawled by spammers. It converts
every email written within your post body into a JavaScript code, so the
emails is readable and can be clicked by humans only.
Monitors your WordPress installation for
added/deleted/changed files. When a change is detected an email alert
can be sent to a specified address.
This plugin will add a client side generated
checkbox to your comment form asking users to confirm that they are not
a spammer. It is a lot less trouble to click a box than it is to enter a
captcha and because the box is genereated via client side javascript
that bots cannot see, it should stop 99% of all automated spam bots.
Live a Secure Life
1Password – secure password storage software
Password for Mac can create strong, unique
passwords for you, remember them, and restore them, all directly in your
web browser. You can also securely store Secure Notes, Software
Licenses, Credit Cards, Attachments, and much much more.
Run Malware/Virus scans often on your system
Hardening WordPress – WordPress document on securing a
site.
very least, if you run WordPress blogs, I would recommend you
download and install these F.REE plugins:
– http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Timthumb Vulnerability Scanner
Scans your wp-content
directory for vulnerable instances of timthumb.php, and
optionally upgrades them to a safe version.
peterebutler
The recent Timthumb.php vulnerability
(discussed
here) has left scores of unsuspecting bloggers hacked. It’s
the perfect combination of not so easy to fix for the
technically disinclined, and easy to find and exploit for the
malicious – resulting in a disastrous number of compromised
sites.
The Timthumb Vulnerability Scanner plugin
will scan your entire wp-content directory for instances of any
outdated and insecure version of the timthumb script, and give
you the option to automatically upgrade them with a single
click. Doing so will protect you from hackers looking to exploit
this particular vulnerability.
After new, lesser vulnerabilities were
found, it became apparent that the plugin needs to be dynamic –
able to keep you up to date with the latest version of timthumb,
without requiring a plugin upgrade. The plugin now checks for
the latest available version of timthumb routinely (each time
you visit the scanner page, but no more than once a day), and
can download and install the latest version, rather than the one
included with the plugin. Scans are run daily (unless you
disable them via the options link on the scanner page) via
wp-cron to keep up with any new plugins or themes you’ve
installed.
More info at
CodeGarage.
Special thanks to
Jacob Gillespie
for help with the bulk upgrade feature.
BulletProof Security
WordPress Website Security
Protection. Website security protection against: XSS, RFI, CRLF,
CSRF, Base64, Code Injection and SQL Injection hacking…
Author:
AITpro
WordPress Website Security Protection:
BulletProof Security protects your WordPress website against XSS, RFI, CRLF,
CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click
.htaccess WordPress security protection. Protects wp-config.php,
bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess
security protection. One-click Website Maintenance Mode (HTTP 503).
Additional website security checks: DB errors off, file and folder
permissions check… System Info: PHP, MySQL, OS, Server, Memory Usage, IP,
SAPI, DNS, Max Upload… Built-in .htaccess file editing, uploading and
downloading.
The BulletProof Security WordPress Security plugin is
designed to be a fast, simple and one click security plugin to add .htaccess
website security protection for your WordPress website. Activate .htaccess
website security and .htaccess website under maintenance modes from within
your WordPress Dashboard – no FTP required. The BulletProof Security
WordPress plugin is a one click security solution that creates, copies,
renames, moves or writes to the provided BulletProof Security .htaccess
master files. BulletProof Security protects both your Root website folder
and wp-admin folder with .htaccess website security protection, as well as
providing additional website security protection.
BulletProof Security allows you to add .htaccess
website security protection from within the WordPress Dashboard so that you
do not have to access your website via FTP or your Web Host Control Panel in
order to add website security protection for your WordPress site.
BulletProof Security Modes: Root .htaccess security protection, wp-admin
.htaccess security protection, Deny All .htaccess self protection, WordPress
default .htaccess mode and .htaccess Maintenance Mode (503 Website Under
Maintenance). In BulletProof Security Mode your WordPress website is
protected from XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL
Injection hacking attempts.
BPS Maintenance Mode allows you to create your custom
website under maintenance page within BulletProof Security and activate
Maintenance Mode to put your website in maintenance mode. Maintenance Mode
allows website developers or website owners to access and work on a website
while a 503 Website Under Maintenance page is displayed to all other
visitors to the website. Allow access to your WordPress Dashboard for only
yourself or add additional IP addresses to allow mulitple IP addresses
access to your WP Dashboard while in maintenance mode.
WordPress is already very secure, but every website,
no matter what type of platform it is built on should be using a secure
.htaccess file as a standard website security measure. BulletProof Security
provides the additional website security measures and protection that every
website should have.
- One-click .htaccess website security protection
from within the WP Dashboard - Secure .htaccess protection blocks XSS, RFI,
CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts - Permanent online .htaccess file backup and
restore - Built-in File Editing, File Downloading and File
Uploading - WordPress readme.html and /wp-admin/install.php
protected with .htaccess security protection - wp-config.php and bb-config.php files protected
with .htaccess security protection - php.ini and php5.ini files protected with
.htaccess security protection - WordPress database errors turned off –
Verification and function insurance - WordPress version is not displayed / not shown –
WordPress version is removed - WP Generator Meta Tag filtered – not displayed /
not shown - The Administrator username ?admin? check – check
WP DB for admin username - System Information Page: PHP, MySQL, OS, Server,
Memory Usage, IP, SAPI, DNS, Max Upload… - Security Status Page – Displays website security
status information - File and Folder Permission Checking – CGI / DSO
SAPI check and display - Help & FAQ page – links to BPS Guide and other
detailed Help & Info pages - Extensive Read Me! jQuery Dialog Help Windows
throughout the BulletProof Security plugin pages - Backup and Restore existing .htaccess files
- Backup and Restore customized / modified
.htaccess files - Add to, Edit, Modify the provided BulletProof
Security .htaccess Master files - Create your own .htaccess Master files or code
and use BulletProof Security as an .htaccess file manager - Website Developer Maintenance Mode (503 website
open to Developer / Site Owner ONLY) - Log in / out of your website while in Maintenance
Mode - Customizable 503 Website Under Maintenance page
- HUD Success / Error message display
Sucuri Sitecheck Malware Scanner
Get free Sucuri SiteCheck scan
results directly in your WordPress dashboard. The best way to know if
your site is infected with malware or blacklist b
This plugin enables full malware and blacklisting scan
capabilities from Sucuri SiteCheck right in your WordPress dashboard. It
will check for malware, spam, blacklisting and other security issues like
htaccess redirections, hidden eval code, etc. The best thing about it is
it’s completely free.
You can also scan your site at
http://sitecheck.sucuri.net.
Sucuri Malware Scanner – http://wordpress.org/extend/plugins/sucuri-scanner/
** Disclaimer ** – I am NOT a
Wordpress (or server) security expert.
Thanks for reading,
Roger
Is Your WordPress Blog
Secure?
