20 WordPress Security Plug-ins And Tips To Keep Hackers Away
By Angsuman Chakraborty, Gaea News Network
Thursday, November 13, 2008
WordPress is the leading blogging software for pro-bloggers as well as amateur bloggers around the world, so whether it is the latest news (WordPress 2.7) or tweaks, we cover it. The Achilles heel of WordPress is its security, which the developers try to address continuously with frequent patches after every major release, much like Microsoft Windows. If you are a WordPress user, you must be very concerned with security issues, and for good reasons. In this world of growing intrusions, hacking, cracking and data theft, security is a major concern for a starter as well as for a pro. Here are 20 plugins and tips to help you get a good night's sleep, assured that your blog is in safe hands (read: WordPress security plug-ins).
(Numbers do not indicate any preference order)
1. AskApache Password Protect
AskApache Password Protect is a simple plugin which adds password protection to your WordPress blog using the .htaccess file. It not only protects your wp-admin directory but also wp-includes, wp-content, plugins, etc.
Choose a username and password and you are done. It writes the .htaccess file without messing it up. It also encrypts your password, creates the .htpasswd file and sets the correct security-enhanced file permissions on both.
You can change the settings whenever you want right from your WordPress Admin Panel.
- However, many users faced problems while using it and got locked out of their own blogs. If you don't get the authentication window and instead receive a 404 File Not Found message, you will need to log in to your host via FTP and undo the changes in the public_html folder by hand.
- Also, AskApache works only with Apache servers. It will not work with, for example, the IIS web server, nginx or Lighttpd. This can be a problem because many popular websites are switching to nginx or Lighttpd for better performance and a lower memory footprint than Apache.
- AskApache restricts your wp-content folder too. But other plugins may need to access the wp-content folder for their features to work, and with AskApache running that becomes a problem.
- AskApache modifies your .htaccess file (which is rather sensitive to errors), and that file may contain your own custom settings and changes. Even a small mistake there will make your site unavailable.
WordPress Guard Plugin (explained below) addresses some of the concerns above and works on all web servers.
2. Angsuman's WordPress Guard Plugin
Angsuman's WordPress Guard Plugin is a must-have WordPress security plugin (compatible with all versions of WordPress and tested up to version 2.6.3) that protects the vulnerable areas of your blog from outside access with an additional layer of security.
- Double Security For Wordpress Administrator Panel
- Protection over wp-admin directory
- Protection Against Future Vulnerabilities
3. Authenticated WordPress Plugin
The free Authenticated WordPress Plugin (compatible with all versions of WordPress) makes your blog content (posts, pages, categories etc.) accessible to registered users only. This allows you to offer paid content to your users. It also allows private blogging, i.e. it makes your blog accessible to selected people only (like family and/or friends and/or business associates).
It is a must-have plugin for paid-content publishers and privacy concerned bloggers. It is a simple zero configuration plugin, install it and forget it. As the author says, “even your grandma can use it”.
Authenticated Plugin Pro (not free) is the next generation of Authenticated Plugin from the same author. It has all the features of Authenticated Plugin.
Additionally, it allows you to restrict or enable access to your blog feed. In Authenticated Plugin your blog feeds are inaccessible to all. In Authenticated Plugin Pro, you can either make your blog feeds accessible to all or restrict access to registered / authenticated users only. You can choose any of the three options with a single click of a button in the options panel.
For a one-time payment of $30 you get 6 months of free support and a lifetime of free updates.
4. Bot Block
Bot Block helps keep bots from registering on your website. It logs all registration attempts and tells you why it bounced any bots (or humans, if it made a mistake). You can block by (source) domain, by user or by IP address.
It will automatically block anyone whose IP shows up more than once, who is listed in the Spamhaus blacklist, or whom you've blacklisted. I don't like its idea of blocking anyone who wants to register from the same IP address as a previous user, simply because users from corporate sites are normally behind a proxy, and all users trying to register from behind a proxy or gateway will appear to be from the same IP address. Many ISPs also route users through a small set of IP addresses by using a gateway.
The interesting part is, anyone pretending to be a browser but whose ‘accept’ line is wrong will also get bounced.
5. WP Blogsecurify
WP Blogsecurify is a security plugin from the security group GNUCITIZEN, which aims to provide security enhancements for WordPress. The key features are:
- Forcing users to log in over a secure communication channel (SSL). This is similar in functionality to the Force SSL plugin, which is discussed in detail below. As with Force SSL, it requires your server to have SSL enabled, which also means it needs an SSL server certificate; that doesn't come cheap and is a recurring expense. This feature is obviously not targeted at most shared web hosting users.
- Protecting session identifiers from session leaks & session hijacking.
- Hiding database errors which could be caused by malfunctioning plugins. The caveat is that if you are facing errors, then you will have to disable it to find out what the real error is.
I have looked at the source code of the plugin and except for the session protection section (which I haven’t had the time to fully check), the rest of it works as written above. The code is clean and simple. I would recommend it.
6. Secure Files
You can use Authenticated Plugin Pro to password protect posts, pages, categories etc. in your blog. However, it doesn't protect external files (like images or video) and documents that you may have uploaded. Secure Files protects uploaded files and documents and restricts their access to authenticated users only. Secure Files works by letting you create a directory outside of your web document root and upload/download files to and from it directly from within the WordPress administrative interface. It can be used to restrict file downloads to users that are logged in, or that have a certain user level.
7. WP Security Scan
Letting an application (in this case WordPress) have write access to your files is a dangerous thing, particularly in a public environment. From a security perspective it is best to lock down your file permissions as much as possible and to loosen those restrictions only for the specific cases where you need to allow write access, or to create special folders with more lax restrictions for purposes like uploading images. A file/directory permission scanner does a world of good: it checks for vulnerable file/directory permissions and notifies you of potential security lapses.
WP Security Scan is such a security scanner. The plugin scans your site, checks for vulnerable file/directory permissions and then recommends corrective actions. It also removes the WordPress version information and the WordPress generator meta tag from your page source and provides some database security.
It is currently not compatible out of the box with Dagon Design's sitemap generator plugin. The fix requires manually editing one of the files, but that removes its capability to hide the WordPress version.
8. Force SSL
Force SSL forces your users to use a secure connection (SSL) to connect to your site. It requires that your site is SSL-enabled in the first place, which also means you need a valid server certificate from VeriSign, Thawte etc. SSL certificates for web servers aren't free and cost from $250 to over $570 per annum. It protects your readers' communication with your blog from eavesdropping; in other words, it prevents man-in-the-middle attacks. However, on its own it will not protect you from the major attack vectors like cross-site scripting, XML poisoning, malicious AJAX code execution, RSS/Atom injection, PHP external code / command execution etc.
9. Admin SSL
Admin SSL is yet another useful security plug-in for administrators in Wordpress.
- Secures Wordpress Login and Admin Pages
- Supports All SSL Setups (Private and Shared)
- Encrypts cookie contents
- Compatible with all versions of PHP 4 and 5
- Easy to install (1 file uploaded)
In shared SSL setup it does not reflect the user as logged in on the unsecured site.
10. Login LockDown
Login LockDown helps to stop potentially harmful bots that try to log in to your site. It records the IP address and timestamp of every failed WordPress admin login attempt. After a certain number of attempts within a short period of time from the same IP range, the login function is disabled for all requests from that range. You can look up the locked-out IP ranges manually from the panel.
In practice it can cause some problems, but that will be very rare for a genuine user. Currently the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. These are configurable from your blog's administrator panel.
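To make the lockout rule concrete, here is an added Python illustration of Login LockDown-style logic (not the plugin's own code) with the defaults quoted above: three failures from one IP range within five minutes lock that range for one hour. The plugin's notion of a "range" is not specified on the page, so a /24 network is assumed, and the failed-login records are constructed sample data.

```python
# Added illustration of Login LockDown-style lockout (not the plugin's code); "range" = /24 assumed.
from collections import defaultdict, deque
from ipaddress import ip_network

class LoginLockDown:
    def __init__(self, max_failures=3, window=300, lockout=3600, prefix=24):
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds a range stays locked
        self.prefix = prefix            # network size treated as "the same range"
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lockout expires

    def _range(self, ip):
        return ip_network(f"{ip}/{self.prefix}", strict=False)

    def is_locked(self, ip, now):
        """True while the range containing ip is locked; expired locks are cleared."""
        rng = self._range(ip)
        until = self.locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[rng]
            return False
        return True

    def record_failure(self, ip, now):
        """Log a failed login; return True if it pushes the range over the limit."""
        rng = self._range(ip)
        q = self.failures[rng]
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[rng] = now + self.lockout
            q.clear()
            return True
        return False

# Constructed sample of failed admin logins: (seconds since start, source IP); the third entry is
# another host in the same /24, so it is the range's third strike
FAILED_LOGINS = [(0, "203.0.113.5"), (60, "203.0.113.5"), (120, "203.0.113.9"),
                 (900, "198.51.100.7")]   # unrelated range, a single failure

def replay(events, lockdown):
    # Replay failures, skipping sources already locked; return locked ranges as strings
    for ts, ip in events:
        if not lockdown.is_locked(ip, ts):
            lockdown.record_failure(ip, ts)
    return {str(r) for r in lockdown.locked_until}
```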
11. Semisecure Login
Semisecure Login is most useful for situations where SSL is not available but the administrator wishes to have some additional security measures in place without sacrificing convenience.
But having said that, I will always prefer an SSL channel for my blog over a semi-secure login. So any day, Force SSL and Admin SSL will be much better plugins because they come with a secure channel like SSL already.
12. Spam Protection Plugins
The obvious question arises: why haven't we talked about comment spam protection plugins yet? Dealing with hundreds of spam comments every day is one of the most serious issues bloggers face.
Actually, we didn't think that spam protection plugins belong among WP security plugins. However, we have another detailed article coming up tomorrow about the best spam protection plugins here. So stay hooked.
If you use one or more of these plugins, you will have ample security. But is that enough? As an admin/user you have some quick but important reminders too. Here they are:
1. Upgrade Wordpress
Upgrade your WordPress as soon as possible. Besides new features, almost every update (major or minor) patches security loopholes, which is essential for your continued protection.
2. Change Default Passwords
That is the first thing to do if you are still using the default 6-letter admin password which is sent to you via e-mail. Choose a tight and secure password with numbers, letters and symbols jumbled up so that granny's brute-forcing technique doesn't cost you your blog. Don't be too concerned about losing your password and settle for a simple one, as you can always change a lost WordPress password.
3. Use SSH instead of Telnet, SFTP instead of FTP
For real security, use SSH to access your site instead of FTP, which is inherently insecure and open to snooping of your account details, since the authorization details (login and password) are transmitted in the clear over the internet. With SSH you can use a secure file transfer protocol like SFTP to do anything you can do with FTP. Similarly, you can use SSH instead of Telnet to securely connect to your Linux / Unix server.
4. Remove the version string from your header.php
Hackers are very tricky and can sneak into your account by sniffing any damn trace they find. So why not prevent it? The particular WordPress version you use can be seen by anyone, who can then plan their attacks accordingly. Keep the hacker guessing like this:
- The tag in your header.php that displays your current version of WordPress:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
- Hide your WordPress version by using Angsuman's WordPress Header Info Remover Plugin: rename the file to wp-header-remover.php, upload it to the wp-content/plugins folder of your blog and activate it from the Plugin Management screen. It's that easy.
5. Block wp- folders from search engines
Is there any need to have all of your WordPress files indexed by search engines like Google? These folders often contain sensitive data and information about your blog, like the plugins you use. So it's best to block them using your robots.txt file. Add the following line for each bot to your robots.txt:
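A robots.txt that does what this tip describes, written here as an added example rather than taken from the post; the folder names are the standard WordPress ones:

```text
# robots.txt at the blog's web root (added example, not from the post).
# Note: robots.txt only asks well-behaved crawlers to stay away. It stops nobody
# who ignores it, and it is itself publicly readable, so it complements the
# .htaccess restrictions below rather than replacing them.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/

# A crawler obeys only the most specific group that names it, so a per-bot
# section (one per bot, as the tip suggests) must repeat the complete list.
User-agent: Googlebot
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
```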
6. Block access to wp-admin & wp-include folders using .htaccess
This limits access to these folders by IP address; any attempt to access a file within them from an IP address outside your allowed list will be greeted with a Forbidden error message.
7. Disable Indexing in any Directory within Wordpress
Doesn't it concern you that anyone can see the file listing of any of your blog directories within WordPress? So what do you do to prevent that? It's simple.
Go to the root directory of your WordPress installation, open the .htaccess file and on the first line type Options -Indexes. Save it and you are done.
8. Give Extra Protection to Your .htaccess
The first thing you will need to do is create a file called .htpasswd. I know you might have problems with the naming convention, but it is the same idea behind naming the .htaccess file itself, and you should be able to do that by this point. In the .htpasswd file, you place the username and (encrypted) password for those whom you want to have access.
For security, you should not upload the .htpasswd file to a directory that is web accessible (yoursite.com/.htpasswd); it should be placed above your www root directory. You'll be specifying its location later on, so be sure you know where you put it. Also, this file, as with .htaccess, should be uploaded as ASCII and not BINARY.
Create a new htaccess file and place the following code in it:
AuthUserFile /usr/local/you/safedir/.htpasswd
AuthGroupFile /dev/null
AuthName EnterPassword
AuthType Basic
require user username
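The following is an added example, not the post's own configuration, that combines tips 6, 7 and 8 into two .htaccess files in Apache 2.4 syntax (`Require`; Apache 2.2 used `Order`, `Deny` and `Allow` for the same job). The addresses, the .htpasswd path and the file locations are placeholders.

```apache
# ---- /public_html/.htaccess (blog root) ----
# Tip 7: no directory listings anywhere under the blog
Options -Indexes
# Tip 8: the web server must never serve the password file or .htaccess itself,
# even if someone drops a copy inside the document root by mistake
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# ---- /public_html/wp-admin/.htaccess ----
# Tip 8: HTTP Basic auth; the .htpasswd lives outside the document root (placeholder path)
AuthType Basic
AuthName "Blog administration"
AuthUserFile /usr/local/you/safedir/.htpasswd
# Tip 6: a request must come from an allowed address AND present a valid user.
# 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders; put your own here.
<RequireAll>
    Require valid-user
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</RequireAll>
# Caveat: admin-ajax.php is called from the public front end by many plugins.
# Leaving it behind the wall breaks those features for every visitor, so exempt it.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Test with a browser from an address outside the allowed list before relying on it: the expected response for /wp-admin/ is 403 Forbidden, and from an allowed address the Basic auth prompt should appear.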
So here we are at the end of another long article. I hope you have got a wholesome idea of what to use and what to do to secure your wordpress site. Press your words hard, Press the intruders harder. Bye for now.
[Disclaimer: My company Taragana Inc develops and maintains the following security plugins