Wordpress Security » Plugins

WordPress Backup

David Turnbull — Mon, 05 Oct 2009 03:26:22 +0000

Wordpress Backup isn’t a plugin I use these days because it doesn’t scale well for large blogs and I figure it’s best to just stick with tools that have continuity. But what it basically does is backup your blogs files (plugins, themes etc) and then send them via email just like the WP DB Backup plugin.

If you aren’t interested in paying for Amazon S3 then this is a suitable alternative, but just be mindful of the fact that it’ll probably stop working if your blog gets too large.

Click here to read more about email backups.

You might also want to read...

WP DB Backup

David Turnbull — Mon, 05 Oct 2009 03:25:15 +0000

WP DB Backup is the premier database backup plugin for Wordpress. Simply install the plugin and then enter the email address you want the backups sent to.

Choose the backup frequency based on your blogs activity. I backup once per day, because I receive a moderate amount of comments. If you receive a greater number of comments throughout the day, or simply post more frequently, then increasing the backup frequency to twice per day is probably a good time.

Click here to read more about email backups.

You might also want to read...

Secure WordPress

David Turnbull — Mon, 05 Oct 2009 03:22:22 +0000

Note: This plugin is not officially associated with this project. The name is simply a coincidence.

Secure WordPress automates a few simple security tasks:

Removes error-information on login-page
Adds index.html to plugin-directory (virtual)
Removes the wp-version, except in admin-area
Removes Really Simple Discovery
Removes Windows Live Writer
Remove core update information for non-admins
Remove plugin-update information for non-admins
Remove theme-update informationfor non-admins (only WP 2.8 and higher)
Add string for use WP Scanner

There is some duplication with other plugins (Login Lockdown removes error information on the login page for example) but features like hiding the version number make it a worthy install.

You might also want to read...

Stealth Login

David Turnbull — Mon, 05 Oct 2009 03:10:56 +0000

Stealth Login makes it easy to change the login address for the WordPress administration area, and prevent users form logging in via wp-login.php (just activate Stealth Mode). Even if someone cracks your username and password they’ll become stuck because there won’t be anywhere to login.

While it may not stop seasoned hackers from getting into your system, it takes just a few seconds to setup and is a worthy precaution to take.

You might also want to read...

WordPress Firewall

David Turnbull — Sun, 04 Oct 2009 23:13:44 +0000

As the name implies, WordPress Firewall is a firewall for your WordPress installation. This is a list of every feature and option:

Detect, intecept, and log suspicious-looking parameters — and prevent them compromising WordPress.
Also protect most WordPress plugins from the same attacks.
Optionally configure as the first plugin to load for maximum security.
Respond with an innocuous-looking 404, or a home page redirect.
Optionally send an email to you with a useful dump of information upon blocking a potential attack.
Turn on or off directory traversal attack detection.
Turn on or off SQL injection attack detection.
Turn on or off WordPress-specific SQL injection attack detection.
Turn on or off blocking executable file uploads.
Turn on or off remote arbitrary code injection detection.
Add whitelisted IPs.
Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.

But there’s not fancy configuration needed to get started. Just install it and *BAM* your blog is now protected against a whole bunch of attacks. And just like with the Antivirus for WordPress plugin I recommend that you create an email forwarder to receive emails if your blog is attacked, and then use Gmail filters to make sure these emails are obvious to you, so you can respond quickly.

You might also want to read...

AskApache Password Protect

David Turnbull — Sun, 04 Oct 2009 22:44:42 +0000

AskApache Password Protect adds some serious password protection to your WordPress Blog. Not only does it protect your wp-admin directory, but also your wp-includes, wp-content, plugins, etc. plugins as well. Imagine a HUGE brick wall protecting your frail .php scripts from the endless attacks of automated web robots and password-guessing exploit-serving virii. Forget spam, these millions of zombie bots are too outrageous to ignore, they are attempting known (but strangely outdated) exploits looking for known vulnerabilities against blogs and other Internet software. Sooner or later some poor blogger is going to miss an upgrade and become a victim to this type of video-game-like-attack.

Unfortunately not all servers will support this plugin, mine included, so I haven’t been able to test it personally. But, it comes highly recommended by many people and certainly packs a ton of features. Install the plugin to see if it’s compatible with your server.

You might also want to read...

Antivirus for WordPress

David Turnbull — Sun, 04 Oct 2009 12:27:16 +0000

Antivirus for Wordpress is an amazing plugin that I’m really surprised is available for free. It performs a very simple, yet critical task: scanning your site for viruses, worms, and malware that exist for Wordpress.

After installing the plugin you enter your email address and scans will be performed automatically in the background on a regular basis. If a threat is detected the output will be sent to that email and then you can take the necessary action.

I’d suggest creating a new email forwarder, something like wpantivirus@yoursitename.com and entering that email address into the field on the plugin’s admin page. Then you can use your email program, Gmail for example, to automatically filter emails sent to that address and make them very obvious to you. This means you’ll always be aware of potential threats.

You might also want to read...

Login Lockdown

David Turnbull — Sun, 04 Oct 2009 12:25:42 +0000

Login Lockdown is an ingenious plugin that helps ward off brute force attacks. It works by temporarily blocking users by their IP address if they fail to login X amount of times.

Out of the box the default settings are pretty good but I still recommend you set the Lockout Length to as high as you feel comfortable with. The longer malicious users are blocked from the login page, the better.

It’s also a good idea to limit the Max Login Retries. This is easier if you’re managing passwords with software because you’ll never enter an incorrect combination.

Lastly, there’s a feature to Mask Login Errors, which means you won’t have to add the code to hide login errors manually.

You might also want to read...

One Click Plugin Updater

David Turnbull — Sun, 04 Oct 2009 12:24:17 +0000

Upgrading your plugins is nearly as important as upgrading Wordpress itself, because just like Wordpress, plugins are susceptible to their code being exploited for malicious purposes.

Now, upgrading Wordpress plugins is dead simple out of the box, but what if you could make somehow even simpler? That’s where One Click Plugin Updater comes in handy.

After installing this plugin a yellow striped bar will appear at the top of Wordpress admin pages, listing all the plugins that have updates available, and a single clickable button.

With a single click you can upgrade ALL of your outdated plugins at once. It literally takes just a few seconds and the uber simplicity means you’re more likely to upgrade your plugins as soon as an update becomes available.