November WordPress MeetUp

I was fortunate enough to moderate a panel of WordPress experts a week ago at OfficePort here in Kansas City. We discussed security issues, fixes, and plugins, and I’ve rounded up the presentation notes and links here for you!

Add your own plugin suggestions in the comments!

Baby Steps
1. Keep WordPress updated.
2. Make sure your computer is protected, you have a reputable hosting company and use secure passwords.
3. Report security issues when you see them.

There are more Advanced Options…
1. Consider hiding your directory indexes
2. Change the default table prefix
3. Create a whitelist with your IP address
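As an added example (not from the meetup or from any of the plugins listed here), this is how the index-hiding and IP-whitelist steps look as Apache 2.4 .htaccess rules; it assumes the Apache 2.4 `Require` syntax (Apache 2.2 uses Order/Allow/Deny instead), a static admin IP, and uses 203.0.113.10 as a placeholder address:

```apache
# --- /.htaccess (site root) ---
# 1. Hide directory indexes: a request for a folder that has no index file now
#    returns 403 instead of listing the plugin/theme/upload contents.
Options -Indexes

# Deny direct web requests for wp-config.php (the same protection BulletProof
# Security applies with one click); PHP still reads the file from disk as usual.
<Files "wp-config.php">
    Require all denied
</Files>

# 3. IP whitelist for the login page. 203.0.113.10 is a documentation
#    placeholder address (assumption); replace it with your own static IP.
#    If your address changes, you lock yourself out too, so keep FTP/SSH access.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>

# --- /wp-admin/.htaccess ---
# Same whitelist for the whole admin area...
Require ip 203.0.113.10

# ...but admin-ajax.php must stay reachable, because themes and plugins call
# it from the public front end for anonymous visitors. <Files> sections are
# merged after the directory-level rule, so this exception wins for that file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Step 2 lives in wp-config.php (`$table_prefix`) rather than .htaccess, and on an existing site it also means renaming the tables, so it is not shown here.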

Back That Stuff Up – manually or with WP-DB-Backup, which easily backs up your core WordPress database tables and other tables in the same database – http://wordpress.org/extend/plugins/wp-db-backup/

Known Threats
- SQL/link injection (the injected text is hidden with CSS)
- TimThumb vulnerability – a malicious script is uploaded to the cache directory. Check for it with the TimThumb Vulnerability Scanner – http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
Admin SSL – encrypts the admin panel, post editing, etc. with SSL (Secure Sockets Layer) – http://wordpress.org/extend/plugins/admin-ssl-secure-admin/

Monitoring Plug-ins
AntiVirus – malware protection for your blog – http://wordpress.org/extend/plugins/antivirus/
WordPress File Monitor – monitors your WordPress installation for added/deleted/changed files and alerts you via email – http://wordpress.org/extend/plugins/wordpress-file-monitor/

Status Plug-ins
WP Security Scan – checks your WordPress website/blog for security vulnerabilities and suggests corrective actions – http://wordpress.org/extend/plugins/wp-security-scan/
Exploit Scanner – searches the files on your website, and the posts and comments tables of your database, for anything suspicious. It also examines your list of active plug-ins for unusual filenames – http://wordpress.org/extend/plugins/exploit-scanner/

Login Plug-ins – (btw, login error messages on WP are telling: they reveal whether a username exists)
Login Lock (User Locker also recommended) – enforces strong password policies; provides emergency lockdown features; monitors login attempts; blocks hacker IP addresses; and logs out idle users – http://wordpress.org/extend/plugins/login-lock/
Limit Login Attempts (like Login Lock but with forward and reverse proxy support) – blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible – http://wordpress.org/extend/plugins/limit-login-attempts/

Comment Spam
Akismet – checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen – http://wordpress.org/extend/plugins/akismet/
Keypic – checks forms against the Keypic web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen – http://wordpress.org/extend/plugins/keypic/

Untested
BulletProof Security – protects your website from XSS, RFI, CSRF, Base64, code injection and SQL injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. One-click website maintenance mode (HTTP 503). Additional website security checks: DB errors off, file and folder permissions check… System info: PHP, MySQL, OS, memory usage, IP, max file sizes… Built-in .htaccess file editing, uploading and downloading – http://wordpress.org/extend/plugins/bulletproof-security/
