WordPress Security Plugins

By Dan Nedelko

April 23, 2009

Last Updated on July 30, 2017 by Dan Nedelko

When you use WordPress for a corporate or business website, security always comes up as an issue, and for good reason. In what has turned into an ongoing series on WordPress Security, I’m going to review a few very useful plugins that add an extra layer of security to your WordPress or WordPress MU site.

In addition to this article, you might find the two other posts in this series useful:

Blocking Spam with WordPress

Recovering from a WordPress Injection (You are labeled an Attack Site)

So here is the added list of extremely useful WordPress plugins. All of them work well with both WordPress and WordPress MU (on my sites at least):

  1. http://wordpress.org/extend/plugins/restrict-login-by-ip/ – Restricts WordPress admin login by IP address. This is extremely useful since you will likely not want just anyone having access to the authentication login.
  2. http://wordpress.org/extend/plugins/limit-login-attempts/ – limits login attempts and records the IP address. ’Nuff said.
  3. http://wordpress.org/extend/plugins/wordpress-file-monitor/ – monitors WP file changes and notifies by email upon a change.
  4. http://wordpress.org/extend/plugins/wp-security-scan/ – scans the server for known security issues. This is a definite old standby and should be added to your WordPress site.
  5. http://wordpress.org/extend/plugins/invisible-defender/ – provides protection against SpamBots
  6. http://wordpress.org/extend/plugins/audit-trail/ – tracks changes to the site by user. I find this to be less of a security issue but it is extremely useful if you’ve got numerous authors on your blog. At the very least you know who to smack around if they make changes to your site. 🙂

Now keep in mind that these will not ensure that you will never have a security issue on your blog or website. But as the saying goes, an ounce of prevention is worth a pound of cure (Benjamin Franklin was a pretty smart guy, so I’m going with it).

I hope you’ve found these plugins useful. Let me know if you’ve got any additional plugins or techniques you use to secure your sites and ensure smooth sailing!


Dan Nedelko


About Dan Nedelko

A human being spinning around on this big blue marble with the rest of you, interested in Digital Marketing // Music // Art // Family // Business // Founder of http://hny.pt

  • Great points here and also don’t forget to upgrade to the latest version of WordPress. Usually exploits or malware injections happen to some security hole left unguarded by WP.

  • Another great security suggestion that I follow is to try and remove any reference to WordPress on your pages, in your code, and in urls. Of course someone who knows what they are looking for will be able to tell if it is a WordPress blog or not, but they will have to make a little extra effort to figure it out.

    • I totally agree with that one. It definitely would cut out a good number of scripts and injection attacks that aren’t sophisticated.

  • Thanks, Dan, for these security suggestions. We will be installing some of these plugins!

    • @Dr Laraine – anytime, I hope these help you out. Let me know how they work for you. Some have likely been updated; I’m thinking this post might also need a refresh since it seems pretty popular.

  • I also have a WordPress blog and I used to have a big problem with the huge number of spam comments. I will try to add WP Security Scan and Invisible Defender.

  • A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying. Luckily, there are new security plugins being developed to prevent this.

  • My WordPress blog has been attacked by spambots recently. Do you have any other suggestions in addition to #5 above, or will that be enough protection?
