Killer Tech Tips

Software, Websites, Hacks You can Use

3 WordPress Security Plugins To Keep Hackers Out In The Cold

with 7 comments



This is a guest post by fellow blogger Thomas Frank. Thomas is a junior at Iowa State University studying MIS and speech communication. In his free time, he runs his own blog that focuses on college tips. You should follow him on Twitter!

Out of all the blog platforms and content management systems jockeying for position in the world today, WordPress has established itself as the most popular one. If you’re a WordPress user, this is a very good thing; the platform’s popularity ensures that it has plenty of willing developers, timely updates, and lots of plugins and themes to choose from. However, always keep in mind that popularity is a double-edged sword. Just as many legitimate bloggers, developers, and webmasters are using WordPress for their own purposes, there are also plenty of hackers and other non-legit, shady characters out there trying to exploit it in order to destroy your work or steal your stuff.

These hackers are kept at bay pretty well, thanks to all the time and effort that WordPress developers put into making WordPress a secure platform and releasing frequent updates. Still, the platform isn’t perfect, and hacks do happen. So what can you do to avoid being a victim?

There are actually a lot of great things you can do to secure your site, ranging from trivial to technical. If you’re not an experienced coder or webmaster, you may have trouble performing some of the recommended security upgrades to your site; however, there is one thing literally anyone can do, and that’s installing plugins.

Fortunately, there are a lot of great plugins available that can help you batten down the hatches and protect your site. In this article, I’d like to take a look at three of my favorites.

Limit Login Attempts

The Limit Login Attempts plugin is easily my most recommended plugin for security; in fact, you’d be a fool not to have it or something like it. The plugin’s functionality is pretty easy to guess from its name; it simply limits the number of times a certain IP address can attempt to log in to your WordPress dashboard.

The plugin operates by issuing two types of lockouts – I’ll just call them Level 1 and Level 2. Level 1 lockouts are the first to be issued, and then a Level 2 lockout will be issued after a certain number of Level 1 lockouts has been reached. When you install the plugin, you can go to its options page and set the number of failed attempts it takes to be issued a lockout, as well as how long the lockout lasts. My lockout setup looks like this:

  • After four failed login attempts, a Level 1 lockout of 120 minutes will be issued.
  • After four Level 1 lockouts have been issued to the same IP, that IP will be issued a Level 2 lockout of two weeks.

You can set the plugin to be as strict and unforgiving as you like, but I’ll give you one word of advice: make sure you allow some room for your own legitimate typing mistakes. You never know when you’ll need to log in to your site at 3AM. While you could technically just FTP into your site and delete the plugin in the event that you lock yourself out, it’s best to just allow yourself some room for error. The difference between two and four allowed tries isn’t much for a hacker who has to completely guess your password, but it’ll help for that one time you realize that your fingers were accidentally shifted over a row ;)

Limit Login Attempts also logs each IP that gets issued a lockout, and you can set the plugin to email you when one is issued as well. It’s a good way to monitor what’s going down at your site, both when you’re there and when you’re away.
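
To put numbers on the two-versus-four trade-off, here is a small model of the lockout settings listed above. It is an added example, not the plugin's own code. It assumes the Level 2 lockout is issued on the first lockout earned after four Level 1 lockouts, that the Level 1 counter restarts after a Level 2 lockout, and that counters never expire; the class, the function names and the IP address are made up for illustration.

```python
from datetime import datetime, timedelta

class TwoLevelLockout:
    """Model of the lockout settings quoted above; not the plugin's code."""
    def __init__(self, retries=4, l1=timedelta(minutes=120),
                 l1_before_l2=4, l2=timedelta(weeks=2)):
        self.retries, self.l1 = retries, l1
        self.l1_before_l2, self.l2 = l1_before_l2, l2
        self.failures = {}      # ip -> failures since the last lockout
        self.l1_issued = {}     # ip -> Level 1 lockouts since the last Level 2
        self.locked_until = {}  # ip -> time the current lockout ends
        self.log = []           # (ip, level, until), as a lockout log would show

    def locked(self, ip, now):
        return now < self.locked_until.get(ip, datetime.min)

    def fail(self, ip, now):
        """Record one failed login; return the lockout level issued, else 0."""
        if self.locked(ip, now):
            return 0            # rejected before any password check
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] < self.retries:
            return 0
        self.failures[ip] = 0
        if self.l1_issued.get(ip, 0) >= self.l1_before_l2:
            level, span = 2, self.l2    # assumption: escalate on the next lockout
            self.l1_issued[ip] = 0      # assumption: counter restarts after Level 2
        else:
            level, span = 1, self.l1
            self.l1_issued[ip] = self.l1_issued.get(ip, 0) + 1
        self.locked_until[ip] = now + span
        self.log.append((ip, level, now + span))
        return level

def simulate_bot(retries, days=30, ip="203.0.113.7"):
    """Count guesses one IP gets checked in `days`; return (guesses, policy)."""
    policy = TwoLevelLockout(retries=retries)
    now = start = datetime(2011, 9, 26)   # constructed start time
    guesses = 0
    while now < start + timedelta(days=days):
        if policy.locked(ip, now):
            now = policy.locked_until[ip]   # the bot waits out the lockout
            continue
        policy.fail(ip, now)
        guesses += 1
        now += timedelta(seconds=1)         # assumed pace: one guess per second
    return guesses, policy
```

Under these assumptions a single IP gets 60 guesses in 30 days with four allowed tries and 30 with two, so the stricter setting costs a guessing bot very little while costing you a lot more on a bad typing day.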

So why is this plugin so important to have? Well, easily the most common attack that your WordPress site will have to deal with is password-guessing bots. These bots simply roam the net searching for WordPress blogs, and when they find one, they head over to wp-admin.php and start trying to log in. If you’ve got this plugin installed, your site will send these bots packing after just a few tries, instead of letting them sit there and literally go through the dictionary.

Of course, you can further thwart these password-guessing bots by making sure your WordPress administrator account isn’t named “admin”, as that’s the username 99% of these bots will use in their guesses.

SI CAPTCHA Anti-Spam

Ah, the classic CAPTCHA! This piece of spam-killing technology is embedded into almost every website you go to these days. There’s a reason why, though – it’s really effective at stopping bots. SI CAPTCHA Anti-Spam is a plugin that can put a CAPTCHA field on any part of your site that allows for user input. This plugin is especially useful at your wp-admin.php page, as it puts one more step in between the bots and your site’s backend. Of course, putting a CAPTCHA up won’t stop a human hacker, but it definitely helps keep the bots away. One nice thing to know is that failing the CAPTCHA will cause your Limit Login Attempts plugin to register a login failure – even if the username and password are right. That’s why these two plugins work really well in tandem.

This plugin can also be used in other parts of your site, such as your comment form. While Akismet should be pretty effective at taking care of spam comments, this can provide an extra layer of spam protection if you really need it. Of course, if you’re using a different commenting solution, this may not be applicable.

One thing to note here: when you set up this plugin, I’d recommend setting the CAPTCHA difficulty to the highest setting. Even at this setting, the CAPTCHAs that the plugin issues are still pretty readable. Since they’re easy to read, you might as well make it as hard for bots to get in as possible and crank up that difficulty.

Audit Trail

While it doesn’t actually help prevent unwanted intrusions into your site, Audit Trail is a great security plugin nonetheless. This plugin basically logs any activity that happens on your site’s backend, including logins, changes to posts and pages, and more. Each time an action is taken, the plugin will record what the action was, the target page/post of the action (if applicable), the time and date of the action, the user who did it, and their IP address.

This is a great plugin to use in order to keep tabs on what’s happening in your site, and it’s also essential for looking into any incidents that do happen. For example, if you have a multi-author blog and something bad happens, you can easily find out what user did it. Furthermore, you can check the IP address to determine whether it was actually the user assigned to that username, or a hacker who had figured out the password.
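
The check described above can be run mechanically over an export of the log. The following is an added example, not part of Audit Trail: the records are constructed samples carrying the fields the plugin is said to record, the function names are made up, and it assumes the first network a user appears from is trusted and that addresses in the same /24 belong to the same person.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records: (time, user, ip, action, target)
AUDIT_LOG = [
    ("2011-09-20 09:02", "alice", "198.51.100.10", "login", ""),
    ("2011-09-20 09:10", "alice", "198.51.100.10", "edit post", "Hello World"),
    ("2011-09-21 18:40", "bob", "192.0.2.55", "login", ""),
    ("2011-09-22 08:55", "alice", "198.51.100.23", "login", ""),  # same /24
    ("2011-09-24 03:12", "bob", "203.0.113.99", "login", ""),     # new for bob
    ("2011-09-24 03:14", "bob", "203.0.113.99", "delete post", "Hello World"),
    ("2011-09-25 12:00", "bob", "192.0.2.55", "login", ""),
]

def net_of(ip, prefix=24):
    """Group addresses by /24 so an ISP handing out a new IP is not flagged."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def flag_unfamiliar(records):
    """Return records where a user acts from a network they never used before."""
    known = defaultdict(set)   # user -> networks accepted as theirs
    flagged = []
    for rec in sorted(records):            # time strings sort chronologically
        _, user, ip, _, _ = rec
        net = net_of(ip)
        if known[user] and net not in known[user]:
            flagged.append(rec)            # stays unknown until someone reviews it
        else:
            known[user].add(net)
    return flagged

def who_touched(records, target):
    """List every (time, user, ip, action) recorded against one post or page."""
    return [(t, u, ip, a) for t, u, ip, a, tgt in sorted(records) if tgt == target]
```

On the sample data, `who_touched(AUDIT_LOG, "Hello World")` shows the deletion under bob's account, and `flag_unfamiliar(AUDIT_LOG)` shows that both that login and the deletion came from a network bob had never used.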

These three plugins make WordPress an even more secure platform, and I highly recommend that you look into them. If you’re interested in making your site even more secure, check out this article on WordPress security over at Quick Online Tips.


Written by Killer Tech Tips

September 26th, 2011 at 7:30 pm

Posted in wordpress


  • Oldgoat1957

    Good stuff, thanks. Simple and effective suggestions.

  • http://smartphonesentry.com Stephen

    Really useful plugins. I didn’t realize I could implement CAPTCHAs in WordPress. And Audit Trails are always a good thing. I will be installing these on my own WordPress site! If you’re looking for more security tips, especially with regard to the mobile web, check out SmartPhoneSentry.com

  • http://collegeinfogeek.com/ Thomas Frank

    You can indeed! That’s one of the things I love so much about WordPress – there’s so much you can do with it.

  • http://twitter.com/dhpatel82 Dhaval Patel

    Thanks, Kudos Man,

    It’s a really helpful article for WordPress developers as well as users.

  • http://www.thenorba.com/en/ TheNorba

    Good advice, I’ll follow it. :)

  • Rajat Gupta

    I am using limit logon attempts and si captcha

  • gman

    Brilliant stuff there. Blows me away that WP can’t build in better security. Shame on them.