Close
Close

10 Essential WordPress Security Plugins For 2013

This guest post is by of The WordPress Security Checklist.

Now that we have left 2012 behind, we can start planning 2013. And there is no better time to review the security plugins you use on your WordPress site.

Last year important new security plugins were released, and some of the existing plugins were updated.

The great challenge when it comes to WordPress Security Plugins is to find the magic combination which gives you optimal cover without conflicts or overlapping functionality.

Here we bring you the winning combination for a prosperous (and safe) 2013.

Let the party begin!

Make sure only invited guests pop in

When you throw a big party, you’d best think about who you let in. Otherwise the party might get out of hand.

These clever little plugins are your broad-shouldered bouncers. And they mean business!

WP Login Security 2

This is a personal favorite of mine. It’s very clever.

If an unknown guest arrives at your party your bouncer will ask for ID, but you can walk straight in.

Similarly, the plugin will send a verification email to the registered email address of the user if he tries to log in from an unknown IP address. Only if he validates the IP address by clicking on a link in the email will he be allowed in.

This is a very effective way of stopping brute force attacks. Even if someone does guess your userid and password, they still can’t get in.

If, on the other hand, you log in from a known IP address, you are let in straight away.

Resources:

Semisecure Login Reimagined

At your party, the bouncer will make sure no one eavesdrops when you whisper the secret password in his ear.

Ideally you would want to send your login information over SSL when you access your WordPress administration panel. However, there is a cost involved in obtaining a SSL certificate and if you are on a shared server you would also need a dedicated IP address.

This plugin is the next best thing for those of us who’d rather spend our money on party hats.

It will automatically encrypt your login information so it is much more difficult for an outsider to steal your credentials.

Resources:

Login Security Solution

This is the mother of all bouncers. He will only accept photo ID, he can check the expiry date and you can tell him that library cards are no longer accepted. He can even throw out people who fall asleep on the premises.

Or, in technical terms: with this plugin, password strength is enforced, password aging is an option, and password resets for all users can be forced. And you can even log out idle sessions automatically.

Another clever feature of this plugin: instead of locking out IP addresses of brute force attackers it will slow down the response times gradually. This means that you can get your own password wrong without being locked out, and it will still make brute force attacks almost impossible.

Resources:

WordPress Firewall 2

This is the wall around your house that makes sure no one sneaks in through your backdoor or a window, bypassing your bouncers. It’s very important.

Windows Firewall 2 inspects all incoming traffic to identify if anyone sends you malicious requests or tries to inject data into your database.

Resources:

Block Bad Queries

This plugin is like the barbed wire or the broken glass on top of the wall. Yes, the internet is really a bad neighborhood!

BBQ extends your firewall and helps filter incoming traffic to stop known bad guys.

Resources:

Keeping tabs on what goes on in your house

Once your party is going you want to keep an eye on what is happening. If someone breaks your TV you’d like to know who’s responsible and how much damage was caused.

These plugins are your eyes and your ears. And they are awake!

WordPress File Monitor Plus

This is like having surveillance cameras in every room of your house and taping all the action. If anything goes down you can see exactly what happened.

WordPress File Monitor Plus tracks changes to your file system. If any files are added, removed, or changed you will be notified by email. Neat. Could be an invaluable help in cleaning up after you have had visitors!

Resources:

WP Security Scan

Although you love opening up your house for the big party, there are still some rooms you do want to keep away from your guests. Locking a few doors will make sure the cats can only play where you want them to.

WP Security Scan checks your file and folder permissions and a few other things to make sure everything that should be locked down is locked down.

Resources:

Curing the hangover

Depending on the success of your party you might end up with a bit of a hangover the day after. But we’ve got the cure for you.

Update Notifications

This good old trick could save you from getting a hangover in the first place: take a couple of headache tablets before you go to bed.

By using Update Notifications you’re stopping the headaches before they begin. Keep your WordPress site updated at all times and you won’t see the bulk part of the threats circulating the net. This plugin automatically sends you an email when there is an update for your plugins, themes, or core WordPress files.

Resources:

Wordfence

If you are not feeling well, knowing why can make the difference between recovering quickly or suffering for a long time. If you know you are dehydrated you can drink some water. If you know you have got an infection, penicillin might be the remedy you need.

Wordfence is one of the newer security plugins. However it has matured very quickly. One of the great features of Wordfence is that it will compare the plugin, theme, and WordPress core files on your installation with the official version in the WordPress repository. If there are any discrepancies, the plugin will send you an email.

It will also scan your site for known malware, phishing, backdoors, and virus infections.

Resources:

Sucuri WordPress Security Plugin

If you are really out of luck, you might pick up some kind of disease at your party. This is the risk of mingling with many people. In this case, you might have to go to the doctor.

Sucuri is more than just a security plugin. In fact, their WordPress plugin is probably one of their least-known products.

Sucuri is a company that specializes in cleaning up infected websites. If your luck is out and your site is infected, they will clean it for less than it would cost you in coffee if you wanted to figure it out on your own—provided you know what you are doing. And they will keep your site clean for a year after that.

The WordPress plugin adds a web application firewall and malware file scanning. The web application firewall will communicate with Sucuri servers, so if one site is under attack from certain IP addresses they can be blocked across the network immediately.

Resources:

Enjoy 2013!

With a little bit of preparation, you will be able to throw fantastic parties in 2013, and you and your guests can amuse themselves without worrying about accidents or bad guys ruining everything.

Make sure your WordPress site is in good shape and ready to bring you a very prosperous 2013!

Check out ’s free WordPress Security Checklist, which is all about protecting your WordPress assets properly and sleeping well at night.

About Guest Blogger

This post was written by a guest contributor. Please see their details in the post above. If you'd like to guest post for ProBlogger check out our Write for ProBlogger page for details about how YOU can share your tips with our community.

Problogger.net runs on the Genesis Framework

Genesis Framework

The Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go.

Check out the incredible features and the selection of designs. It's that simple - start using Genesis now!

Comments

  1. Jatin Sharma says:

    Thanks for the list. I am currently using Limit Login attempts and Lockdown WordPress Admin to secure my blog. Will try all of the plugins you have stated above.

  2. Eric says:

    Thanks for sharing this list. I known of a few friends wp that got hacked and it was a complete mess for them. This is a really good information to take that extra step of protection! I will for be looking into some of these you have shared and giving them a shot!

  3. Ravi says:

    I would like to add one more Plugin to the list called as “Login Lockdown.” By the way thank you for the list . I use WordPress Firewall from the list and proves to be very useful for me

  4. From personal experience, I can say this stuff is a MUST. I had two WordPress sites on my server hacked within a week of each other, one of them leading to a series of angry DMCA notices from a bank in Italy that a hacker was phishing customers from through the hack. It was a nightmare and completely unnecessary. Now I update on day one for any new version of WordPress, keep my plugins active and check regularly to make sure there are no risks in there. Great list!

  5. Tony Nguyen says:

    I was looking for some security measures for my wordpress blog, and I arrived at your blogpost. Whoever posted this content, he surely help me. I downloaded the WP Login Security 2 because of its features detailed in the wordpress plugin directory. Do we have plugins that act like antivirus? I heard some websites are crawled by viruses. Thanks!

    • Hi Tony,

      With this combination of WordFence and Sucuri (which will scan your sites for malware) and WordPress File Monitor Plus (which will notify you if any of the files on your website changes) you should be well covered.

      There is an antivirus plugin in the repository, and we do recommend that you scan your site once using that plugin. However because the plugin only scans files there is no need to keep it on your site after the initial scan. You can find our article on this plugin here: http://www.wpsecuritychecklist.com/antivirus/

      • M.D. Creekmore says:

        WordPress File Monitor Plus will not work with Thesis Theme – do you have another suggestion?

  6. Aaron says:

    Thanks for this post! Sucuri is a great company and I would highly recommend them as well. I had 10 sites infected and Sucuri cleaned them all within 4 hours, plus they told me where the security problem was so I could patch it up. I’m a customer for life.

    Has anyone used Infinite WP? It’s great for managing multiple WordPress installations. You can imagine how time consuming it is to manually update 10, 15 or even 100 sites but InfiniteWP can do them all at once. Although it doesn’t like to update Gravityforms for some reason. i love it.

  7. Ogi says:

    Beside mentioned Wordfence, I can also recommend these 2 great plugins that, not sure why, are not recommended in this post:

    BulletProof Security – http://wordpress.org/extend/plugins/bulletproof-security/

    Better WP Security – http://wordpress.org/extend/plugins/better-wp-security/

    • The reason those plugins are not recommended on this list is because their functionality overlaps those plugins mentioned here.

  8. Deepanker says:

    After reading security and hacking news, I always think of my blog’s security. I know there are many security flaws exists after each update. I think i should also try these plugins. I never want to give hackers a single chance. thanks for this nice post :)

  9. sdfds says:

    I was looking for some security measures for my wordpress blog, and I arrived at your blogpost. Whoever posted this content, he surely help me. I downloaded the WP Login Security 2 because of its features detailed in the wordpress plugin directory. Do we have plugins that act like antivirus? I heard some websites are crawled by viruses. Thanks!

  10. mohit says:

    Recently there was a attack on my blog and due to that dates of my all the posts has been changes to 1st Jan’2013 , i don’t know why it is and who has done all this but now i am going to apply some of these plugins to insure that my blog will be safe from those hackers.

  11. Zie Organo says:

    You almost have all the best security plugin on your list. Actually among your list I did use some of them like WordPress Firewall 2, Block Bad Queries, WP Security Scan, Wordfence (not all on the same blog). But due to CPU usage I had to remove them because they are affecting my site’s performance. I am just using capthca now and Activity monitor.

  12. Web designer says:

    Everyone bangs on about security measures but one of the best things you can do is make sure that if the s**t does hit the fan, you could restore your site from a recent backup.

    Regularly backup your database, posts and download your template when you make changes. Simples.

  13. John says:

    Nice list of plugins. I am using Limit Login attempts and Lockdown WordPress Admin as both of them helps a lot. Many time limit login attempts stops the hackers from hacking my blog !

  14. haRiYorBlog says:

    I love the way you talk about the WordPress Firewall 2 plugin, i clicked on the link to download it and use it on my blog http://www.hariyorblog.com but i saw a message that “This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.” What do you do advice i do?

  15. Thanks for sharing these resources and describing how each one works in easily understandable terms!

  16. Lallasue says:

    Fantastic post Anders! I’ve been looking for more ways to beef up security on my site. Thanks again.

  17. Shawn Hoefer says:

    I used to think that because I was a small operator, I was beneath the radar and not worth attacking. I was wrong! I use Sucuri as a free scanner now, lock down my site with Better WP Security, and scan and remove threats with Anti-Malware (Get Off Malicious Scripts). Both are plugins I would recommend, although those listed here work nicely, too.

  18. Melissa says:

    “!This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.”

    it’s notice of “WordPress Firewall 2″

    Do you still recommending it?

  19. Paul Foraker says:

    Not necessary to post this online. Typo in the 2d para of your description of WordPress Firewall 2. You called it “Windows Firewall…”.

  20. Putih says:

    I use Wordfence + Better WP Security. Do i need another one ?

    • Melissa says:

      I think using 2 similar plugins might arise problem/conflict at any point.
      Besides, “Wordfence” does not provide all features in free version. (if u r using pro version, then you don’t need to use “Better WP Security”)

  21. Ian says:

    FYI Better WP just royally messed up my site. Do not use it. It’s a little irresponsible to post such a garbage list on such a reputable website.

    • Anders Vinther says:

      Better WP Security is not recommended in this post.

    • Ian Helle says:

      I just want to retract my comments made for the following reasons. 1) The dev has been extremely helpful in restoring my site to its original state. So kudos. 2) I made an error thinking it was on this list. 3) It should be on this list because it is actually a pretty solid plugin.

      I just was freaking out because of a user error, but I would definitely recommend this plugin.

  22. Scott says:

    I’ve been using these four plugins for over a year on over a dozen websites and feel they have worked well.
    * WordPress Firewall 2
    * Secure WordPress
    * BulletProof Security
    * iThemes Backup Buddy

    I am wondering why Secure WordPress and BulletProof Security are not on the list? It was interesting you included WordPress Firewall 2 since it has not been updated in a couple years — makes me feel better for still using it. iThemes BackupBuddy has been a good tool for me, both to deal with a hack if it ever happens and to migrate and restore sites related to site changes.

    I am considering changing up my WP security approach and am testing Wordfence and Better WP Security. Curious on your thoughts on those (I realize Wordfence is mentioned above, but these two seem to be all-in-one approaches that would probably not work well together).

    Better WP Security seems to be a really good all-in-one security plugin. (It is powerful, so I understand it causing issues for some, especially if they are not as technically capable.) Does anyone have opinions on it? If someone only used Better WP Security, what security holes would they have? It seems to address everything. Is there a reason it was not included on this list?

    Thanks!

  23. William says:

    Since I am an up and coming blogger, I recently found out about Pat Flyns horror story about how he got the DDOS attacks. While its impossible to prevent that, it got me into thinking that I should be more security conscious. As a result, today, I implemented the following two plugins and will also take your recommendations above. Thank you!

    - Better WP Security
    - Wordfence

    Will

    • Scott says:

      Will,

      Better WP Security and Wordfence do very similar things, so I would expect your site to experience plugin conflicts if you use both. Basically, your site may not function or display correctly. My recommendation would be to pick one and delete the other. With that said, I have not used both together so do not have direct experience testing their combination. Separately, both seem to work well.

      Best to you. Glad to see you proactively thinking about security.

      Scott

  24. Okaztle says:
  25. Scott says:

    Hi Will,

    I just had another thought, since I was actually setting this up a few minutes ago for a client. If DDOS attacks are a concern, you could look into something like CloudFlare(.com). It is very easy to setup with a host like MediaTemple. I have this in place for several sites. If you have an ecommerce site and a bigger budget, I would look at something like Yottaa. But for informational, non-transactional, sites, CloudFlare seems to work well for me. This is basically cloud-based security rather than the server-based security mentioned on this post.

    Scott

    • William says:

      Hi Scott,

      Thanks for your recommendation. DDOS attacks are really not a concern but because of what happened to Patt, it made me realize that I needed to lock the doors because up until this point, I hadn’t really implemented anything simply because I didn’t know about the availability of all the cool free security plugins that existed out there.

      Thanks!

  26. Raj Baroda says:

    My website is being hacked almost everyday!! :’( This is happening since the past 5 days. The first two times I was not able to login as the hacker had changed my password. I also realized that the hacker had installed a subdomain on my site through which he was sending spam. Then I installed some plugins listed above. The third day I was able to login and there was not damage to my site and it was running properly. But when I visited my cPanelI found that many contents of the wordpress files had been changed….. The hacker had placed many new files also in my wordpress directory. Is it a wordpress loophole or the host’s server has been hacked? {Is there any backdoor that the hacker is accessing to get to my cPanel or is it just wordpress loophole???} Any insights would be helpful!! Pls help!!!

    Which combination of plugins would you use for the best result and maximum security without any conflicts??

    • Anders Vinther says:

      Hi Raj,

      Sorry to hear that your site has been hacked. There is no 100% safe setup, but if you use the plugins listed here you are in a great position to defend yourself, detect if you get compromised and recover if that happens.

      I’d recommend you use all the plugins mentioned here.

      Once a site has been compromised it is very important to ensure it is completely cleaned. This can be very difficult and time consuming. Therefore we recommend you pay Sucuri to do this. The price is very reasonable and they do a good job.

      It is difficult to establish how a site was hacked. It could be your host, a plugin or theme, weak password, security problem on your local pc or a vulnerability in WordPress.

  27. William says:

    I’d like to report that the security plugins I listed on a previous response has not resulted in any conflicts that I know of. Once again, they are:

    - Better WP Security
    - Wordfence

    Good luck!