WordPress is a pretty secure CMS out of the box, but you can always take advantage of adding free plugins for added security. I use all of these plugins on my WordPress installations with HostDime and love it so far. The added peace of mind that comes with locking down your WordPress installation is well worth the little bit of time and research it might take. So, without further ado – here are the best free WordPress plugins for added security!
Block Bad Queries
Block Bad Queries is a free plugin for the latest version of WordPress that examines incoming GET requests against your domain and filters out the nasty ones. Hackers frequently submit MySQL/SQL queries through forms on your website, and the responses they get back can tell them a lot about your database. Block Bad Queries is also an excellent choice for those who use NGINX hosting and therefore have no .htaccess file to work with. It’s also extremely easy to use and requires no configuration on the user’s end to start working immediately. Another nice feature of Block Bad Queries is that as internet and server architecture continues to evolve, so does the plugin. This is possible thanks to the 5G/6G blacklist directory, which publishes and documents malicious request commands along with recommended ways to keep your site from falling victim to one of these attacks.
Limit Login Attempts
Limit Login Attempts is another excellent security plugin that focuses on blocking the time-tested technique of hackers and script kiddies everywhere: the art of brute-force password guessing. 90% of websites that use WordPress don’t even bother to rename their default “admin” account, so that takes away 50% of the guessing game immediately. From there it’s simply a matter of using a program to read a “password dictionary,” pointing it at the site, and firing off as many password attempts as possible. While you would think that this method is time-consuming, and it certainly is, the programs themselves are usually multi-threaded and can be run in many simultaneous instances. With a little bit of patience, the hacker will gain access to a WordPress site and will be free to play from there. Limit Login Attempts simply restricts this activity by blacklisting IP addresses that fail too many login attempts. This forces the hacker to pick another target, and will deter a large number of attackers in a short amount of time.
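To show the lockout idea in WordPress terms, here is an added example of a tiny plugin (my own illustration, not the Limit Login Attempts plugin’s code) that counts failed logins per client IP in a transient and refuses authentication once the count crosses a threshold. The threshold (5 failures) and window (15 minutes) are assumptions; pick what suits your site.

```php
<?php
/*
 * Plugin Name: Example Login Lockout (illustrative only)
 */

// Assumed policy: 5 failures within 15 minutes lock the client out for 15 minutes.
const EXLOCK_MAX_FAILURES = 5;
const EXLOCK_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Key the counter on the client address. REMOTE_ADDR is only meaningful when PHP
// sees the real client; behind a reverse proxy you must use the proxy's forwarded
// address instead, or every visitor shares one counter.
function exlock_client_key() {
    return 'exlock_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Record a failed login. The transient expires on its own, so no cleanup job is needed.
// Note that set_transient() restarts the window, so a client who keeps hammering
// the login form while locked out keeps extending its own lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = exlock_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXLOCK_WINDOW );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out client gets a WP_Error whether or not the password was right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( exlock_client_key() ) >= EXLOCK_MAX_FAILURES ) {
        return new WP_Error( 'exlock_locked', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( exlock_client_key() );
} );
```

Transients live in the options table (or the object cache), so the counters survive across requests without any extra storage.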
Force Strong Passwords
In keeping with the idea of locking your WordPress installation down against password guessing, why not make it even more challenging and require people to use non-lame passwords? While I obviously won’t share my password to this particular site with you, it looks something like the following:
Now admittedly, there’s absolutely no way I’m going to remember that off the top of my head, so that’s why I use KeePass – it lets me generate extremely strong passwords and paste them directly into login forms. That’s a 309-bit, 64 bit password you’re looking at. I don’t even know how many orders of magnitude stronger it is than a typical 6-10 character password, but I assure you, it’s way up there. What Force Strong Passwords does is require users registered on your WordPress website to choose a sufficiently complex password, based on what you determine to be adequate. For most people, enforcing a “3 of the 4” character-set rule plus a length rule is fine. You’ll probably want to set a minimum length of 10 characters with at least 1 upper-case letter, 1 number, and 1 symbol – or some variation of those last 3. When your users have strong passwords, the chance of their account being compromised is greatly reduced, along with the potential risk to your WordPress site.
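Here is the “3 of the 4 character sets, minimum 10 characters” rule from above written as an added WordPress snippet (my own example, not the Force Strong Passwords plugin’s code). It hooks the two places where WordPress posts a chosen password as `pass1`: the profile/add-user screens and the password reset form; the function and option names are assumptions.

```php
<?php
// Policy: at least $min_length characters and at least $min_classes of the four
// character classes (lowercase, uppercase, digit, symbol). Returns a list of problems;
// an empty list means the password passes.
function expw_policy_errors( $password, $min_length = 10, $min_classes = 3 ) {
    $problems = array();
    if ( strlen( $password ) < $min_length ) {
        $problems[] = sprintf( 'be at least %d characters long', $min_length );
    }
    $classes  = 0;
    $classes += preg_match( '/[a-z]/', $password );
    $classes += preg_match( '/[A-Z]/', $password );
    $classes += preg_match( '/[0-9]/', $password );
    $classes += preg_match( '/[^a-zA-Z0-9]/', $password ); // any symbol, space included
    if ( $classes < $min_classes ) {
        $problems[] = sprintf( 'use at least %d of: lowercase, uppercase, digits, symbols', $min_classes );
    }
    return $problems;
}

// Attach each problem to the WP_Error that WordPress shows the user.
function expw_add_errors( WP_Error $errors, $password ) {
    foreach ( expw_policy_errors( $password ) as $problem ) {
        $errors->add( 'weak_password', 'Password must ' . $problem . '.' );
    }
}

// Both hooks receive the WP_Error object first; the candidate password is in $_POST['pass1'].
$expw_check = function ( $errors ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        expw_add_errors( $errors, wp_unslash( $_POST['pass1'] ) );
    }
};
add_action( 'user_profile_update_errors', $expw_check ); // profile edit and "Add New User"
add_action( 'validate_password_reset', $expw_check );    // password reset form
```

Because the check runs server-side, it cannot be bypassed by disabling the strength meter in the browser.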
WordPress File Monitor Plus
WordPress File Monitor Plus is another great plugin for keeping your WordPress installation safe and secure. Essentially, it monitors all the files and folders that comprise your website. When a change is made to a file or a folder, it will email you the details. Hackers frequently attempt to upload customized versions of common PHP files to certain directories, which then give them control of your website. On Linux, having a folder set with the wrong permissions can mean that the directory and its contents are wide open to the internet. Hackers are constantly probing the structure of a website and looking for weak points to get in, so this is a really nice plugin for staying on the ball. It’s also a good plugin to install after your website has been hacked, as there could be files or hidden folders lurking around as a backdoor of sorts. If you don’t find and eliminate those weak points that have been placed there, the hacker could still have access to your system.
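The core of a file monitor is a hash snapshot plus a diff, and this added example (mine, not WordPress File Monitor Plus’s code) shows that loop as a small WP-Cron job: hash every file under the install, compare with the previous snapshot stored in an option, and email added, removed and modified paths. Option and hook names are assumptions.

```php
<?php
// Walk $root and map each file path to its SHA-256 hash.
function exfm_snapshot( $root ) {
    $hashes = array();
    $iter   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( $file->isFile() ) {
            $hashes[ $file->getPathname() ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    return $hashes;
}

// The three kinds of change an integrity check cares about.
function exfm_diff( array $old, array $new ) {
    $modified = array();
    foreach ( array_intersect_key( $new, $old ) as $path => $hash ) {
        if ( $old[ $path ] !== $hash ) {
            $modified[] = $path;
        }
    }
    return array(
        'added'    => array_keys( array_diff_key( $new, $old ) ),
        'removed'  => array_keys( array_diff_key( $old, $new ) ),
        'modified' => $modified,
    );
}

function exfm_run() {
    $old  = get_option( 'exfm_snapshot', array() );
    $new  = exfm_snapshot( ABSPATH );
    $diff = exfm_diff( $old, $new );
    // autoload=false: a full-site snapshot is too big to load on every request.
    // Caveat: an attacker with database access can rewrite this baseline, so a copy
    // kept off the server is the stronger reference.
    update_option( 'exfm_snapshot', $new, false );
    if ( array_filter( $diff ) ) {
        $body = '';
        foreach ( $diff as $kind => $paths ) {
            foreach ( $paths as $path ) {
                $body .= "$kind: $path\n";
            }
        }
        wp_mail( get_option( 'admin_email' ), 'File changes detected', $body );
    }
}
add_action( 'exfm_check', 'exfm_run' );
if ( ! wp_next_scheduled( 'exfm_check' ) ) {
    wp_schedule_event( time(), 'hourly', 'exfm_check' );
}
```

The first run only records the baseline; expect noise from cache and upload directories until you exclude them.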
Update Notifications
Update Notifications is such an incredibly simple plugin that it’s kind of odd that WordPress doesn’t include similar functionality out of the box, but such is life. It’s a basic plugin that does one thing – checks for updates to your core WordPress installation, plugins, and themes. If an update is found, it will send you a notification letting you know that there’s an update, and that it’s time to roll up your sleeves and get to updating. Updates often contain bug fixes, but they also tend to contain security patches that fix vulnerabilities and exploits that enterprising script kiddies and hackers can use to compromise your website. By keeping everything on your site up to date, you’re doing your part to make sure that your site remains absolutely bulletproof.
Of course, if you’re lucky enough to have WPEngine as your WordPress host, you don’t have to worry about updates. They take care of core WordPress updates for you when they’re released. It’s nice waking up to an email notification that my website was updated while I was asleep, and that it’s working perfectly. You get what you pay for, as the saying goes ;)