WordPress security plugins can be effective tools to help keep your site secure. Here are the specific security plugins I am currently using with my WordPress 3.0.1 (current version) installation and some things I have learned along the way about using them.
#1 – Akismet – Current version of the plugin is 2.4.0 and it is fully compatible with WordPress as you would expect since the plugin comes native with WordPress and is the most widely used security plugin.
Is Akismet difficult to install?- The plugin is very easy to install all you need to do is register for a unique API key via email to activate the plugin.
Why do you need Akismet? – Akismet is extremely effective, I have not had a single SPAM message since activating it and do not believe other spam related plugins are necessary at this time.
#2 – Login Lockdown - Current version of the plugin is v1.5. It is compatible with the latest version of WordPress.
Why do you need Login Lockdown? – Provides an additional level of security by locking out an account that has had a certain # of failed login attempts within a specified time frame (both settings are user customizable).
What settings do I use for Login Lockdown? - I altered the defaults to lock my account out after 3 failed attempts from a given IP address in a 30 minute time period and it remains locked out for 1440 minutes
What is the risk of using Login Lockdown? - The biggest risk you face using Login Lockdown is not being able to access and administer your own site from a certain IP address. To mitigate this risk make sure you set the settings explained above at the right level for you and it also helps to have a secure alternative IP address that you can use to access the site (perhaps a relative’s house). It is also possible to edit your database directly to free a locked IP address if your IP address becomes locked out.
#3 – WordPress Firewall 2 – Current version of the plugin is v1.3 and works fine with WordPress 3.0.1
Why do you need WordPress Firewall 2? – Provides an additional layer of security to your site by protecting against web related directory traversal, database injection and other WordPress specific attacks. The verdict is still out there on this one for me as I have not seen any alerts after a few weeks of install so I am either low on the radar or it has not done much thus far.
How to configure Wordpress Firewall 2? – I installed the plugin with the default settings and the only change I made was to configure the alerts to go to my email address.
#4 – Secure WordPress – Current version of the plugin is 1.0.6
Why do you need Secure WordPress? – Tweaks a variety of security settings primarily those related to excessive information disclosure. Click here for a list of security functions performed by the plugin.
#5 – WP Security Scan – Current version of the plugin is 18.104.22.168
Why do you need WP Security Scan? – Provides a variety of useful security functions including looking for password, database, and directory permission vulnerabilities. Helps provide an automated way to regularly check these items.
#6 - WordPress Database Backup – Current version of the plugin is v2.2.2 and it is compatible with the latest version of WordPress. Although it is technically backup software vs. true security software, backup is such an essential component of information security I have included it on this list.
Why do you need WordPress Database Backup? – There are a few other WordPress Database backup plugins available but this is the one I use to perform my daily backups which are automatically emailed to my account. One recommendation I have is to make sure to save your backups somewhere else if your email account is hosted by the same company as your site as this gives you additional protection if they have a catastrophic failure.
How often should I test my WordPress Backups? – Testing your backup and validating it is recoverable the first time is the biggest hurdle. After that I recommend retesting every 6 months and either more or less frequent makes sense depending on the value of your site.
Two other WordPress Security Plugins I am interested in but do not yet have installed:
1. Better WP Security – Disclaimer says it is only in testing stage and it is not recommended for production sites. I will be testing this on a development site soon so I can take a look and check out the tool. I agree with the creator that you should never use a non production plugin on a production site.
2. Ultimate Security Check – Claims to be the #1 Security Plugin for WordPress so I am always intrigued by those type of grandiose claims and would like to check out whats under the hood.
Lastly, I will mention that I have played around with Admin-SSL a good bit as I really want to encrypt administrative traffic but have not had much luck getting it to work with the latest version. Anyway who has a good workaround or a better plugin to perform this function please drop me a line.