I have been a longtime WordPress user. I love the platform and how easy it makes maintaining a blog. Not only is a great blogging platform, but its great for many other types of websites. I have helped friends who are musicians, who own businesses and who need a simple resume site setup and get running on WordPress.
A couple years ago, I discovered a plugin called Sucuri WordPress Security plug-in. It is a free plugin that scans your site for malware and alerts you to changes in the core files that run WordPress. It can alert you to changes in these files which point to a possible hack that has been made on your site. One great feature of this plugin is that it can alert you to brute force login attempts. I thought that was a great feature and I turned it on.
A week later, my eyes were opened to how many brute force attempts were being made on my site and to others who I suggested add the plugin. It was downright scary. In this case, ignorance was bliss, because once I knew about the attempts, I wanted to do something about it.
So, here’s a quick list of security related plugins that I suggest you run on your WordPress sites.
- Akismet – Comment Spam is the probably the most prevalent problem with WordPress that most users will face. Many hackers have devised way to automatically submit hundreds or thousands of comments with links to malicous sites and content to hook and trick users into compromising their system. If you run a WordPress site, I think its your duty to try and prevent this type of comment spam and proliferation of malicious site links across your site. Akismet is a must have. It is made by Automattic, the same company who is responsible for WordPress. This service was formerly free for personal sites, but now works on a donation based system to give you a site key which you can use to active the plugin.
- Sucuri WordPress Security – The mother of all WordPress security plugins, Sucuri has several functions. It scans your site for changes to the core files that make WordPress run. These alerts will show when plugin files or core WordPress files change contents, whether you’ve updated the plugin or a hacker has made a malicous change. Sucuri Security provides a scanner to look for best practices and automatically remediate any problems it finds – like writable directories or showing the WordPress version in the underlying code of your site. It also has a Post-Hack remediation toolkit to help you get back to a healthy state after an attack. Another great feature of this free plugin is the ability to send email notifications when files are uploaded, posts are posted or updated and when pages are posted or updated. This keeps informed when changes occur on the site so you know when someone malicious made a change ‘for’ you.
- JetPack – made by Automattic, the same company that makes WordPress, JetPack is a collection of add-ons to WordPress to increase functionality. One of the add-ons is called Protect. Added earlier in 2015, Protect will help to stop brute force attempts by blocking an IP that has too many failed login attempts in an amount of time. It also leverages a cloud service to block known offending IP’s from accessing your site. There are plenty of other great enhancement in JetPack, all the more reason to run it.
- WP-DBManager – While not specifically security software, WP-DBManager is a great tool to help you create automatic database backups of your WordPress site. As much as it may be possible to cleanup after an attack, capturing a good and clean backup of your database is sometimes critical to fixing the problems created by an attacker.
For the people who want to go a step further, you can consider placing your WordPress site behind a web application firewall. Sucuri, the same company who makes the plugin, offers this service for $9.99 per month and it blocks brute force login attempts, blocks all access to wp-admin except for a specific whitelist of IP addresses, and provide reports and analytics of the types of attacked attempted and blocked by the service. The WAF service also caches your site to make it faster for your audience.