Apr 12 2011

Three Must-Have WordPress Security Plugins

Category: blogging | Guest Author


WordPress is widely recognized as the most powerful and most popular blogging platform available, and today there are millions of WordPress blogs inhabiting the massive Internet community. Unfortunately, WordPress’ ubiquity makes it a prime target for hackers. If you maintain a WordPress blog, here are three must-have security plugins that can help keep your blog safe, secure and online:

1 – Login Lockdown

If you install just one WordPress security plugin on your blog, it should be Login Lockdown. Once installed and configured, every time someone tries to log in to your blog’s control panel and fails, that person’s IP address and the exact time of day are logged. If multiple unsuccessful login attempts are made from the same IP address within a given time period, the ability for anyone to log in at all is temporarily disabled. You can set the number of failed logins and the time period yourself when you install the plugin. I have Login Lockdown set to disable logins on my blogs for 15 minutes after the system receives three unsuccessful login attempts.
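As an added illustration (not the Login Lockdown plugin’s own code), here is a minimal WordPress plugin that implements the same idea with the article’s settings: count failed logins on the wp_login_failed action, store the count in a transient, and refuse authentication for a fixed period once the limit is reached. The exll_ names are hypothetical, and it locks only the offending address rather than all logins; behind a reverse proxy REMOTE_ADDR is the proxy’s address, so the real client address would have to be taken from a trusted header instead.

```php
<?php
/*
 * Plugin Name: Example Login Lockout
 * Description: Illustrative lockout logic modelled on the behaviour described in the article.
 */

// Settings mirroring the article's configuration: 3 failures, then 15 minutes locked out.
const EXLL_MAX_FAILURES = 3;
const EXLL_WINDOW_SECS  = 15 * MINUTE_IN_SECONDS;  // window in which failures are counted
const EXLL_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;  // how long logins stay disabled

// Client address used as the lockout key. Assumption: REMOTE_ADDR is the real client;
// behind a reverse proxy it is the proxy, so every visitor would share one counter.
function exll_client_ip() {
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}
function exll_fail_key() { return 'exll_fail_' . md5(exll_client_ip()); }
function exll_lock_key() { return 'exll_lock_' . md5(exll_client_ip()); }

// Log each failed login (address and time) and count failures within the window.
// Note that failed attempts made during a lockout also land here and extend it.
function exll_record_failure($username) {
    $count = (int) get_transient(exll_fail_key()) + 1;
    set_transient(exll_fail_key(), $count, EXLL_WINDOW_SECS);
    error_log(sprintf('[exll] failed login for "%s" from %s at %s (%d of %d)',
        sanitize_user($username), exll_client_ip(), current_time('mysql'), $count, EXLL_MAX_FAILURES));
    if ($count >= EXLL_MAX_FAILURES) {
        set_transient(exll_lock_key(), 1, EXLL_LOCKOUT_SECS);
        error_log(sprintf('[exll] lockout for %s (%d seconds)', exll_client_ip(), EXLL_LOCKOUT_SECS));
    }
}
add_action('wp_login_failed', 'exll_record_failure');

// Runs after WordPress's own password check (priority 20), so even a correct
// password cannot log in from a locked address until the lockout transient expires.
function exll_block_if_locked($user, $username, $password) {
    if (get_transient(exll_lock_key())) {
        return new WP_Error('exll_locked', 'Too many failed logins from this address; try again later.');
    }
    return $user;
}
add_filter('authenticate', 'exll_block_if_locked', 99, 3);
```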

2 – WP Security Scan

There are a number of ways that hackers can gain entry to your WordPress blog’s admin area, and once inside they can wreak all kinds of havoc on your blog installation. WP Security Scan checks your entire WordPress installation for any and all security holes, then provides you with suggestions for closing them.

3 – Remove My Version

Every time a visitor loads a page from your WordPress blog, WordPress puts a generator meta tag in the page header showing which version of WordPress your blog is running. Hackers can use this version information to attack your blog using methods that were designed specifically for attacking that version of WordPress. Removing this information makes it more difficult for hackers to break into your blog and do all kinds of nasty things to (and with) it.

To install any of these plugins (I recommend that you install them all), simply click Plugins > Add New on the menu of your WordPress Dashboard, then search for the plugin by name. Installation is usually a one-click deal.

Here are a few other tactics you can use to “harden” your WordPress installation:

1 – Use strong passwords, and change them frequently.

2 – Create a new user with Admin privileges, then delete the default “admin” user.

3 – Always update your WordPress core files, themes and plugins as soon as possible after an updated version is released. In this case, delay can mean disaster.

About the author: Rick Rouse is the owner and editor of RLROUSE Infoblog where you’ll find hundreds of articles and information for powering your life.



9 Responses to “Three Must-Have WordPress Security Plugins”

  1. Paul Salmon says:

    I have used the first two plugins, and currently have the “Login Lockdown” enabled all the time. I enable “WP Security Scan” when I want to perform a security scan.

    I haven’t used “Remove My Version”, but have removed the WordPress version manually as I already have enough plugins loaded.

    I would add one other type of plugin to the list – a backup plugin (or two) to back up your WordPress files and database. If your blog is hacked, it may come down to restoring your blog from a backup.

  2. Rick Rouse says:

    Thanks for the feedback Paul. I really appreciate it. You’re absolutely right about the need for a good backup solution. I use VaultPress for my sites and I highly recommend it, but a good stand-alone plugin is a great way to go as well. As for “Remove my Version”, it’s an extremely light plugin that requires close to zero resources so I use it on all of my WordPress blogs. Just install it and forget about it. Great tip about the Backup!! Thanks again!!

  3. Ben D says:

    Three unsuccessful login attempts from any location will shut down access to your admin panel?

    You’re out of your mind. What will you do in the event of a denial of service attack? All anyone has to do is keep failing to login, and you won’t be able to access your panel indefinitely.

  4. Rick Rouse says:

    Good point Ben, but denial of service attacks are usually temporary, and very often successful. If a site is going to be down for a period of time it’s better to keep hackers out at the same time. Login Lockdown is very effective at preventing bots from hammering away at your login page until they ultimately “guess” your password. All threats are relative, and in the world of WordPress, hacked/defaced/destroyed websites are a lot more common than ones taken offline by DOS attacks. Just my opinion of course.

  5. Atak says:

    Excellent advice. It is weird that a lot of people still use admin as the default user. That certainly can be dangerous, especially in combination with easy-to-guess passwords. Login Lockdown is a must, for sure.

  6. Smita@Seo Stores says:

    Awesome article. These three security plugins have been very useful for WordPress users. But most of them don’t know that the default admin is very risky for their website.

  7. melody says:

    These security plugins are very useful.

  8. John says:

    I must admit that security for my WordPress blog is something that I’ve never considered, beyond using a strong password. After reading this post, I’m definitely going to start using the plugins you’ve mentioned.

    With all the different aspects of setting up a WordPress blog it’s easy to overlook such things, although along with backing up it’s got to be the most important thing you can do.

    Thanks a lot for the info.

  9. Home Inspection Marketing says:

    Great tips… I might suggest Backup Buddy as well… Great plugin that backs up your WordPress site/files and can send to Amazon S3 for storage (offsite).

    Thanks for the TIPS!