
WordPress is an easy to use, quick to learn, and secure content management system. However, just like any popular software, it is also targeted by hackers looking for security vulnerabilities. Most such vulnerabilities get patched quickly by the WordPress community, and if a threat is of a more serious nature, the WordPress team can also release a security update. Still, the most commonly reported WordPress hacks can easily be stopped by strengthening your WordPress security settings.

WordPress Codex has an excellent article on how to strengthen WordPress Security by following best practices. Some of them are:

  • Strong passwords: use passwords that mix letters, numbers and symbols. Use strong passwords not just for your WordPress admin section but also for FTP, your web hosting control panel, and the database.
  • Check file permissions. Make sure that files on your website are not publicly writable.
  • Clean up plugins and themes you are not using. This will save you a lot of time if your website is ever affected by malicious scripts injected into it.
  • Security through obscurity not only makes your websites more secure but also slows down unwanted spam.
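
The "check file permissions" item above is the one most easily automated. The script below is an added example (it is not from the article or the Codex); it lists every world-writable file or directory under a WordPress root, restores the usual baseline (directories 755, files 644, wp-config.php 640), and builds a small constructed demo tree with hypothetical paths so the audit can be run without touching a real site.

```shell
#!/bin/sh
# Added example, not the article's own code: audit a WordPress tree for
# publicly (world-) writable files and directories and restore a sane baseline.

# Print every world-writable file or directory under $1, one per line.
# -perm -002 matches any entry whose "other" write bit is set.
list_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) -print | sort
}

# Print the number of world-writable entries under $1 (0 means clean).
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Apply the conventional WordPress baseline: directories 755, files 644,
# and wp-config.php (which holds the database credentials) 640.
harden_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 640 "$1/wp-config.php"
    fi
}

# Constructed demo tree (hypothetical paths, not a real site) with two
# deliberately world-writable entries so the audit has something to report.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-admin"
    printf '<?php // demo\n' > "$dir/wp-config.php"
    printf '<?php // demo\n' > "$dir/wp-admin/index.php"
    chmod 755 "$dir/wp-content" "$dir/wp-admin"
    chmod 644 "$dir/wp-admin/index.php"
    chmod 777 "$dir/wp-content/uploads"   # world-writable upload directory
    chmod 666 "$dir/wp-config.php"        # world-writable secrets file
    echo "$dir"
}

# Stand-alone run: audit the demo tree, harden it, audit again.
if [ "${1:-}" = "--demo" ]; then
    site=$(make_demo_tree)
    echo "before: $(count_world_writable "$site") world-writable entries"
    list_world_writable "$site"
    harden_permissions "$site"
    echo "after:  $(count_world_writable "$site") world-writable entries"
    rm -rf "$site"
fi
```

Run it with `sh audit.sh --demo`; on a real install call `list_world_writable /path/to/wordpress` first and only run `harden_permissions` once you know your host does not need a writable uploads directory owned by a different user than the files (on shared hosts the web server user and the FTP user are sometimes different, which is the usual reason people loosen permissions in the first place).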

There are also some WordPress security plugins that can help you make your website secure.

Better WP Security

Better WP Security is a free WordPress plugin that claims to be the best WordPress security plugin. However, the plugin author warns users that this plugin makes complex changes to their settings and that things might break after using it. It is highly recommended that you back up your website before installing this plugin. In fact, the plugin itself asks you to create a backup of your database when you visit the settings page after installing it.

Better WP Security offers a comprehensive set of features. However, unlike other WordPress security plugins, it can make changes to your website; you will have to approve actions before it executes them. On the first run it shows you the current possible security vulnerabilities of your website and suggests actions.

  • It can create regular automated database backups and send them to the user’s email address.
  • It can make several changes to your WordPress-powered website’s settings to make it more secure. These include changing the table prefix, changing the admin username, enforcing strong passwords, removing information from meta tags and hiding information from the login screen.
  • Bans illegal and potentially dangerous requests to your website.
  • Allows you to turn off your site’s admin area for specific hours.

Better WP Security »

WordPress Exploit Scanner Plugin

Exploit Scanner is a well maintained, trusted, and excellent plugin that checks your WordPress-powered website’s posts, comments, files and directories for potential exploits, malicious scripts, injections, and suspicious activity. As the name makes obvious, it is a scanner: it recommends changes when run, but it does not make any changes to your WordPress database or files. If you think there is malicious code on your website, Exploit Scanner is the first tool you should run to find it.

  • Searches your WordPress files and databases for exploits.
  • Makes no changes to your files or data.
  • Recommends actions and explains each warning.
  • You can scan your entire website at once (this usually takes some time) or check particular files or the database.
  • Easy to use, well maintained and well documented.

Exploit Scanner »

Cloudsafe365 – Extreme Web Protection

Cloudsafe365 is a cloud-based WordPress security plugin that provides an array of features to secure your website. It is currently in beta but in perfect working condition to deploy on any commercial or personal website. Currently, Cloudsafe365 is offering its basic package for free: basic protection and right-click prevention for a single website on a monthly subscription basis. The unique and interesting Cloudsafe feature is that it adds data theft and content protection features to the plugin.

  • Provides automatic encrypted backups and recovery for your Website’s database.
  • Detects and stops illegal requests to your website to prevent SQL injection, meta injections, brute force attacks and other site-hacking techniques.
  • Right click prevention to stop people from copying your content.
  • Stops data mining by blocking unrecognized bots, programs, and scripts, preventing automated content theft.

Cloudsafe365 »

WordPress – Security Ninja Plugin

Security Ninja combines highly advised security best practices into one plugin and then checks your website against those standards. It runs tests on your website and then provides you with results and a detailed analysis for each check. If a test fails on your website, you can see how to resolve that issue in the details and tips tab for that test. Remember, just like most other security plugins, Security Ninja does not make any changes to your website; if there is something wrong with your website it will report it and provide you with instructions to solve it on your own.

  • Checks for exploits on your website.
  • Checks for obscurity best practices recommended by many experts, such as changing the default username from admin to something else, removing the generator tag, etc. It only provides you with details on why and how you should change these settings.
  • Checks file permissions on your website.
  • Checks PHP and Apache for not sending unnecessary information in headers.
  • Doesn’t slow down your website; easy to manage, safe and secure. It will also help you learn a thing or two about securing your website even without plugins.
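
The header check in the list above ("PHP and Apache not sending unnecessary information in headers") can be reproduced by hand. The script below is an added example and is not the Security Ninja plugin's code: it reads raw HTTP response headers, flags any `Server` or `X-Powered-By` value that carries a version number, and prints the Apache and PHP settings that remove them. The two header sets inside it are constructed samples, not captures from a real site.

```shell
#!/bin/sh
# Added example, not the Security Ninja plugin's code: flag HTTP response
# headers that reveal server or PHP versions, the kind of leak the check
# above looks for, and show the Apache/PHP settings that silence them.

# Read raw response headers on stdin and print each Server or X-Powered-By
# header that carries a version number ("Apache/2.4.41", "PHP/7.4.3").
# A bare "Server: Apache" is not flagged. Exit status is 0 when something
# leaks, 1 when nothing does (grep's convention).
find_leaky_headers() {
    grep -iE '^(Server|X-Powered-By):[[:space:]]*[^[:space:]]*/[0-9]'
}

# Print the number of leaking headers found on stdin.
count_leaky_headers() {
    find_leaky_headers | wc -l | tr -d ' '
}

# The settings that remove the versions: httpd.conf and php.ini directives.
print_hardening_config() {
    cat <<'EOF'
# Apache httpd.conf
ServerTokens Prod        # "Server: Apache" instead of "Apache/2.4.41 (Ubuntu)"
ServerSignature Off      # no version footer on Apache error pages

# php.ini
expose_php = Off         # drops the X-Powered-By: PHP/x.y.z header
EOF
}

# Constructed sample responses (not captured from a real site).
LEAKY_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html; charset=UTF-8'

HARDENED_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Stand-alone run against the samples; for a live site you would pipe
# `curl -sI https://example.com/` into find_leaky_headers instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$LEAKY_HEADERS" | find_leaky_headers
    echo "leaks in hardened sample: $(printf '%s\n' "$HARDENED_HEADERS" | count_leaky_headers)"
    print_hardening_config
fi
```

Hiding the version is obscurity in the sense the article uses it: it does not fix anything, but it stops the cheapest scanners from picking your site out by version string, and it costs nothing.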

WordPress Security Ninja Plugin »

WordPress Safer Admin Plugin

As the name says, the WordPress Safer Admin plugin renames your wp-admin directory to something that only you know. This reduces the chance of automated login attempts and of people trying to access the wp-admin section. It also protects you from malicious scripts that look for files in the wp-admin folder to inject malicious code or make changes to your files. This plugin is particularly useful for WordPress users who are noticing unexplained activity or login attempts on their websites. The plugin requires you to make .htaccess writable. I believe this is unnecessary, and once the plugin has written its changes to the .htaccess file you can change the file permissions back.

  • Keeps a log of login activity on your website, including IP addresses, date and time, URL accessed, and POST & GET data.
  • Logs will also keep you informed about who activated or deactivated a plugin on your website and when.
  • The logs also show you when someone has updated a plugin.
  • Logs can be turned off if you want.
  • When the plugin is uninstalled or deactivated, your website falls back to default settings and you can access wp-admin directory.
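
A login log like the one described above is only useful if you read it. The script below is an added example, not the Safer Admin plugin's code; it takes log lines in a constructed format (date, time, IP, method, path, result; the plugin's real layout is not shown on this page, so adjust the awk field numbers to match it) and lists the addresses that repeatedly failed to log in, with the time window of their attempts.

```shell
#!/bin/sh
# Added example, not the Safer Admin plugin's code: turn a login-activity log
# (IP, date/time, URL, method) into a list of addresses hammering wp-login.php.
# The log format below is constructed for this example; adapt the awk field
# numbers to the real file.

# Constructed sample log: date time ip method path result
SAMPLE_LOG='2013-05-02 10:15:01 203.0.113.7 POST /wp-login.php failed
2013-05-02 10:15:03 203.0.113.7 POST /wp-login.php failed
2013-05-02 10:15:04 203.0.113.7 POST /wp-login.php failed
2013-05-02 10:15:06 203.0.113.7 POST /wp-login.php failed
2013-05-02 10:15:07 203.0.113.7 POST /wp-login.php failed
2013-05-02 10:16:30 198.51.100.2 POST /wp-login.php failed
2013-05-02 10:16:45 198.51.100.2 POST /wp-login.php ok
2013-05-02 10:20:00 192.0.2.9 GET /wp-admin/ ok'

# Read log lines on stdin; print "ip count" for every address with at least
# $1 failed POSTs to /wp-login.php (default 5), sorted by address.
flag_failed_logins() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        $4 == "POST" && $5 == "/wp-login.php" && $6 == "failed" { n[$3]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' | sort
}

# Read log lines on stdin; print the first and last failure timestamp for
# address $1, which shows how fast the attempts came in.
failure_window() {
    awk -v ip="$1" '
        $3 == ip && $6 == "failed" { if (!first) first = $1 " " $2; last = $1 " " $2 }
        END { if (first) print first " .. " last }
    '
}

# Stand-alone run over the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_failed_logins 5
    printf '%s\n' "$SAMPLE_LOG" | failure_window 203.0.113.7
fi
```

A single user who mistypes a password once (198.51.100.2 in the sample) never reaches the threshold; five failures in six seconds from one address is the pattern worth acting on, and the addresses this prints can be fed to whatever blocking your host already provides.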

WordPress Safer Admin Plugin »

Backup Buddy

We have previously published a Backup Buddy tutorial on WPLift. As a comprehensive automated cloud-based backup solution, Backup Buddy is a great plugin to keep your website and data secure all the time. BackupBuddy not only makes it easier for you to make backups, it also helps you quickly restore your website from them.

Backup Buddy »

End Note:

Securing your WordPress installation is not a difficult task. If your website has never faced trouble, that does not mean that it is immune to malicious attacks. It is wiser to be cautious than to be sorry. Making these best practices part of your website maintenance routine can save you hours of frustration and maybe loss of valuable data as well.


Noumaan is a blogger and social media expert. He loves Quora, Facebook, WordPress, open source software and The Sims.


8 Comments

  1. Wow, really comprehensive list.

    I wrote an article with 10 WordPress security tips ( http://www.codeforest.net/10-wordpress-security-tips-that-could-save-your-site ) and am using Secure WordPress plugin which is great.

    Also, Login Lockdown is useful.

  2. Bridges2610

    Noumaan, thanks for sharing your tips!  Never knew about Better WP Security. 

  3. Jay

    Nice list. Thank you for sharing.
    BTW you should also try the WP FireWall. 

  4. Securing WordPress by using more Plugins? That really hurts. While some of the checks are good, adding more Plugins simply opens up more holes. Other suggestions for hardening WP include changing wp-content folder location, limiting file upload types using Apache’s Directory switches and changing the default media upload location for starters. Please, don’t suggest security by adding Plugins. It’s just bad practice.

  5. Mohamed Shajid

    End Note is not a quite big security plugin but it’s best :) Linked Influence

  6. Thanks for the informative list, Noumaan! However, we noticed one important layer of protection missing:

    Hackers and bots love to inject malicious code into your comment boxes and form fields, so it’s important to secure your WordPress blog and the vulnerable holes in your themes against damaging content injections and cross-site scripting (XSS) attacks.

    SmartFilter is a free plugin that does this for you so you never have to worry about losing your data or harming your visitors with malware. It has the same technology we use to protect large enterprise sites.

    Try it out at http://wordpress.org/plugins/smartfilter/ and let us know what you think!

  7. Greetings from Ohio! I’m bored to death at work so I decided to browse your site on my iphone during lunch break. I really like the info you present here and can’t wait to take a look when I get home. I’m amazed at how quick your blog loaded on my mobile .. I’m not even using WIFI, just 3G .. Anyways, fantastic site!
