A while back I posted “secure your WordPress installations. really.” and since that time, I’ve been making additional recommendations to the list of WP security plugins I listed in that post, so it’s time for an update.
In that post, I recommended the following plugins: Login LockDown, Secure WordPress, WP-Malwatch, and WP Security Scan. Ditch Login LockDown, keep the rest. Why get rid of Login LockDown? It hasn’t been updated since 2009, and its creator only reports it to work up to version 2.8.4 of WordPress.
A better replacement, with a lot more features, is Login Lock. It still lets you set the number of incorrect login attempts allowed before an IP address is locked out, but it adds options such as enforcing strong password policies, forcing a password change every 30 days, disallowing reuse of old passwords once they’ve been changed, and more.
In addition to the 3 recommended plugins above, I recommend adding the following:
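To make the lockout and password-policy rules concrete, here is a small model of what a plugin like Login Lock enforces. This is an added illustration written for this post, not Login Lock’s own code; the thresholds (5 attempts, 30-minute lockout, 12-character minimum, 5-entry password history), the PBKDF2 hasher standing in for WordPress’s own, and the source IPs are all assumptions.

```python
import hashlib
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy values; the 30-day rotation comes from the post, the rest
# are assumed for illustration and are not Login Lock's settings.
MAX_FAILED_ATTEMPTS = 5        # failed logins before the source IP is locked out
LOCKOUT_MINUTES = 30           # how long the IP stays locked
PASSWORD_MAX_AGE_DAYS = 30     # forced password change interval
PASSWORD_HISTORY_SIZE = 5      # old password hashes kept for the reuse check
PASSWORD_MIN_LENGTH = 12


@dataclass
class IpState:
    failures: int = 0
    locked_until: Optional[datetime] = None


class LoginLockout:
    """Counts failed logins per source IP and locks the IP once a threshold is hit."""

    def __init__(self) -> None:
        self.ips: dict = {}

    def is_locked(self, ip: str, now: datetime) -> bool:
        state = self.ips.get(ip)
        if state is None or state.locked_until is None:
            return False
        if now >= state.locked_until:
            self.ips[ip] = IpState()   # lockout expired: start counting afresh
            return False
        return True

    def record_failure(self, ip: str, now: datetime) -> bool:
        """Register one failed attempt; True if this attempt triggered a lockout."""
        state = self.ips.setdefault(ip, IpState())
        state.failures += 1
        if state.failures >= MAX_FAILED_ATTEMPTS:
            state.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
            return True
        return False

    def record_success(self, ip: str) -> None:
        self.ips.pop(ip, None)         # a good login clears the counter for that IP


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-HMAC-SHA256 with a random per-password salt (stand-in for WP's hasher)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def strength_problems(password: str) -> list:
    """List the policy rules a candidate password violates (empty list means OK)."""
    checks = [
        (len(password) >= PASSWORD_MIN_LENGTH, f"shorter than {PASSWORD_MIN_LENGTH} characters"),
        (re.search(r"[A-Z]", password), "no uppercase letter"),
        (re.search(r"[a-z]", password), "no lowercase letter"),
        (re.search(r"\d", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no symbol"),
    ]
    return [msg for ok, msg in checks if not ok]


def is_reused(candidate: str, history: list) -> bool:
    """True if the candidate re-hashes to any stored (salt, digest) pair."""
    return any(hash_password(candidate, salt)[1] == digest for salt, digest in history)


def remember_password(history: list, password: str) -> None:
    """Append the new hash and keep only the most recent PASSWORD_HISTORY_SIZE entries."""
    history.append(hash_password(password))
    del history[:-PASSWORD_HISTORY_SIZE]


def validate_new_password(candidate: str, history: list) -> list:
    problems = strength_problems(candidate)
    if is_reused(candidate, history):
        problems.append("matches a previously used password")
    return problems


def is_expired(password_set_at: datetime, now: datetime) -> bool:
    return now - password_set_at >= timedelta(days=PASSWORD_MAX_AGE_DAYS)


def lockout_scenario(attempts: int) -> dict:
    """Run one constructed brute-force scenario (fixed clock, constructed IPs)."""
    now = datetime(2011, 6, 1, 12, 0)
    lock = LoginLockout()
    triggered = [lock.record_failure("203.0.113.7", now) for _ in range(attempts)]
    return {
        "triggered": triggered,
        "locked_now": lock.is_locked("203.0.113.7", now),
        "locked_after_expiry": lock.is_locked("203.0.113.7", now + timedelta(minutes=LOCKOUT_MINUTES)),
        "other_ip_locked": lock.is_locked("198.51.100.1", now),
        "stale_password_expired": is_expired(now - timedelta(days=31), now),
        "fresh_password_expired": is_expired(now - timedelta(days=10), now),
    }


if __name__ == "__main__":
    print(lockout_scenario(MAX_FAILED_ATTEMPTS))
    history = []
    remember_password(history, "OldPassw0rd!!")
    print(validate_new_password("OldPassw0rd!!", history))
```

The reuse check only ever compares hashes, so the old passwords themselves are never stored; keep the history bounded (here to five entries) so the check does not grow without limit.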
- Bad Behavior: This, along with Akismet, can help keep your comments link spam free.
- Block Bad Queries (BBQ): This plugin helps protect WordPress against malicious URL requests. It just quietly does its job.
- Ultimate Security Checker: This is a very extensive plugin that will alert you to potential issues, and provide you with the info you need to fix them.
A heads-up: Ultimate Security Checker doesn’t seem to recognize when you have Block Bad Queries installed, and will recommend that you install it, or rather that you copy the BBQ code it provides and create a file with it. The code it provides is identical to the code in the BBQ plugin file, so I suspect it can’t read the folder the BBQ plugin is in. It’s a minor inconvenience, but not a serious conflict.
- WordPress Firewall 2: This plugin is sort of like a visual version of BBQ, in that it identifies and blocks certain types of attacks. Unlike BBQ, it actually notifies you when an attack has been detected and blocked, and tells what type of attack it was. It also provides the IP address the attack originated from, so you can take additional steps to deal with it.
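As an added example of what BBQ and WordPress Firewall 2 are doing behind the scenes, the following filter inspects each request URI against a few detection rules, blocks on a match, and reports the attack type and source IP the way WordPress Firewall 2’s notification does. This code is written for this post and is not either plugin’s own rule set; the four rules, the log format, and the sample log lines (with documentation-range IPs) are all constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote_plus

# Hypothetical detection rules, ordered by priority; real plugins carry far larger lists.
RULES = [
    ("directory traversal", re.compile(r"\.\.[/\\]")),
    ("script injection", re.compile(r"<\s*script", re.I)),
    ("php code injection", re.compile(r"\b(eval|base64_decode)\s*\(", re.I)),
    ("sql injection", re.compile(r"\bunion\b[\s\S]+\bselect\b", re.I)),
]


@dataclass
class Verdict:
    ip: str
    uri: str
    blocked: bool
    attack_type: Optional[str]


def inspect_request(ip: str, raw_uri: str) -> Verdict:
    """Decode the URI (twice, to catch double-encoded input) and test it against RULES."""
    decoded = unquote_plus(unquote_plus(raw_uri))
    for name, pattern in RULES:
        if pattern.search(decoded):
            return Verdict(ip, raw_uri, True, name)
    return Verdict(ip, raw_uri, False, None)


def alert_line(v: Verdict) -> str:
    """Notification text in the spirit of WordPress Firewall 2: what was blocked and from where."""
    return f"BLOCKED {v.attack_type} from {v.ip}: {v.uri}"


# Constructed access-log excerpt: "<client ip> <method> <request uri>" per line.
SAMPLE_LOG = """203.0.113.9 GET /index.php?file=..%2F..%2Fconfig.txt
198.51.100.4 GET /?s=wordpress+security
203.0.113.9 GET /?q=%3Cscript%3Ex%3C%2Fscript%3E
192.0.2.25 GET /wp-login.php
203.0.113.50 GET /index.php?id=1+UNION+SELECT+1,2,3
"""


def scan_log(text: str) -> list:
    verdicts = []
    for line in text.splitlines():
        ip, _method, uri = line.split(maxsplit=2)
        verdicts.append(inspect_request(ip, uri))
    return verdicts


def attackers(verdicts: list) -> dict:
    """Group blocked attack types by source IP, the data you need for follow-up steps."""
    per_ip = {}
    for v in verdicts:
        if v.blocked:
            per_ip.setdefault(v.ip, []).append(v.attack_type)
    return per_ip


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for v in results:
        if v.blocked:
            print(alert_line(v))
    print(attackers(results))
```

Decoding before matching matters: a rule that looks for `../` in the raw URI is trivially bypassed by percent-encoding, which is why the filter normalises the request first and only then applies the patterns.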
None of these plugins is a substitute for keeping your WordPress core, plugins, and themes up-to-date.