Another security related post. I know, too many too close together. Don’t worry. I have many good non security posts ready to.. erm.. post.
All the WordPress security plugins in this list are ones I have used and tested over the years. They complement good .htaccess and server security practices. That means don’t rely on a plugin to secure your site.
Many plugins that audit WordPress for vulnerabilities look for specific lines of text in a specific format in the files they scan. When those lines are not discovered, the plugins report a vulnerability. This means one plugin might not detect that another plugin has added .htaccess directives to protect sensitive files from being viewed when those directives are in an unexpected format. When you know a security measure exists but a vulnerability scanner says it doesn’t, follow what you know to be true.
Without further ado, and in no grand order, here are my top 10 WordPress security plugins. Click the titles to go to a plugin’s WordPress page.
Top 10 WordPress Security Plugins
Ultimate Security Checker
Checks WordPress and your server for known security vulnerabilities that could give hackers access to your site and its hosting space. The plugin provides a security rating based on what it finds and offers advice for fixing discovered holes.
Ultimate Security Checker works well to find vulnerabilities but cannot always determine the security improvements added manually or by other security plugins. Double-check what it tells you before you act on its advice.
Web Security Tools
Automatically scans files in your site’s server space for PHP viruses and .htaccess infections then cleans any compromised files.
Web Security Tools scans for infections using virus definitions stored on your server. You can add your own definitions to these directories if you discover an infection that the plugin does not automatically recognize and clean.
The virus definitions directory is in
wp-content/plugins/web-security-tools/phpwebsectools/modules/virus_clean/definitions/
The .htaccess definitions directory is in
wp-content/plugins/web-security-tools/phpwebsectools/modules/htaccess_clean/definitions/
Manual scans can be started from the WebSec Scan page of your WordPress Tools menu. This page can take a few minutes to load on first access while the plugin performs its first security screening.
A function of the plugin I don’t completely agree with is its auto shutdown feature for sites with infections it is unable to remove. It disables a site by renaming its .htaccess files. This feature cannot be disabled from the plugin’s control panel. I expect setting .htaccess file permissions to 444 (read only) will prevent the plugin renaming the file. A disabled site can easily be re-enabled by renaming its .htaccess file back to .htaccess.
Because the definitions directory contains real virus samples, make sure file execution is impossible within it. Create an .htaccess file with the following content in the plugin’s /virus_clean/definitions/ directory:
DirectoryIndex index.txt
## Deny executable file uploads
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^PUT$ [OR]
RewriteCond %{REQUEST_METHOD} ^MOVE$
## "-" means no substitution; the F flag answers with 403 Forbidden
RewriteRule (.*)\.(php|pl|py|jsp|htm|html|shtml|sh)$ - [F,NS,L]
## secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .html .shtml .sh .cgi .*
Options -ExecCGI
And create a text file called index.txt in the same directory.
I prefer this plugin to the VirusScan plugin.
WordPress File Monitor Plus
Why use a remote service to scan your website for file changes when you can use a plugin to scan your website and every file hosted alongside it in its server space?
WordPress File Monitor Plus scans all files in your site’s root directory and below it. It monitors for added, deleted and changed files based on file hash, time stamp and/or file size differences. It’s pretty much like Tripwire, the server software that does the same thing.
This plugin stores scan results for comparison with subsequent scans.
Very useful for checking that a file hasn’t been hacked and for discovering files introduced to a server via an RFI attack.
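To make the hash/time stamp/size comparison concrete, here is an added example (my own code, not WordPress File Monitor Plus or Tripwire) that takes a baseline snapshot of a directory tree, takes a second one after some constructed changes, and reports what was added, deleted and changed. The fake WordPress tree and the changes made to it are constructed inside a temporary directory so the script runs offline.

```python
# Added example (not the File Monitor Plus plugin's own code): a minimal
# Tripwire-style baseline/compare that detects added, deleted and changed
# files by SHA-256 digest, size and modification time.
import hashlib
import os
import tempfile


def snapshot(root):
    """Walk `root` and record (sha256, size, mtime) for every regular file,
    keyed by its path relative to root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(full)
            result[os.path.relpath(full, root)] = (digest.hexdigest(), st.st_size, int(st.st_mtime))
    return result


def compare(baseline, current):
    """Return (added, deleted, changed) lists of relative paths. A file counts as
    changed when its digest, size or mtime differs from the baseline; the digest
    is what catches an edit that preserves both size and timestamp."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, deleted, changed


def demo():
    """Constructed scenario: baseline a tiny fake WordPress tree, then simulate a
    new file dropped into uploads (what an RFI attack leaves behind), an edit to
    wp-config.php and the removal of readme.html, and report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_NAME', 'wp');\n")
        with open(os.path.join(root, "readme.html"), "w") as fh:
            fh.write("<html></html>\n")
        baseline = snapshot(root)

        # the changes an operator wants to hear about
        with open(os.path.join(root, "wp-content", "uploads", "unexpected.php"), "w") as fh:
            fh.write("<?php // constructed placeholder file, not a payload\n")
        with open(os.path.join(root, "wp-config.php"), "a") as fh:
            fh.write("// appended line\n")
        os.remove(os.path.join(root, "readme.html"))

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    added, deleted, changed = demo()
    print("added:", added)
    print("deleted:", deleted)
    print("changed:", changed)
```

In real use the baseline would be saved to disk (the plugin stores its scan results for exactly this purpose) and kept somewhere the web server cannot write to, otherwise an intruder who can drop files can also rewrite the baseline.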
TimeToCome Tripwire Plugin
This plugin does something similar to WordPress File Monitor Plus, but it only scans when you manually ask it to scan a site’s folders, and it only checks whether a file has been created or modified within a specified number of days before the scan date.
This is a lightweight tool that only consumes resources when you ask it to scan.
Secure WordPress
Copied and pasted directly from the plugin’s download page:
- Removes error-information on login-page
- Adds index.php plugin-directory (virtual)
- Removes the wp-version, except in admin-area
- Removes Really Simple Discovery
- Removes Windows Live Writer
- Removes core update information for non-admins
- Removes plugin-update information for non-admins
- Removes theme-update information for non-admins (only WP 2.8 and higher)
- Hides wp-version in backend-dashboard for non-admins
- Removes version on URLs from scripts and stylesheets only on frontend
- Blocks any bad queries that could be harmful to your WordPress website
This is an easy plugin to use. Install it, set it and forget it. Ideal for anyone who doesn’t know what he’s doing.
Firewall 2
Blocks suspicious URL requests and sends an email report to the specified admin whenever an access request is blocked. Its full blocking options are:
- Block directory traversals (../, ../../etc/passwd, etc.) in application parameters.
- Block SQL queries (union select, concat(, /**/, etc.) in application parameters.
- Block WordPress specific terms (wp_, user_login, etc.) in application parameters.
- Block field truncation attacks in application parameters.
- Block executable file uploads (.php, .exe, etc..).
- Block leading http:// and https:// in application parameters.
Firewall 2 is easy to use. Blocking WordPress specific terms (option 3 in the list) prevents some plugins from working and prevents plugins from being installed. You will know when it’s working too well because your site’s backend will inexplicably become a wormhole to your site’s homepage. Just deactivate option 3 when installing plugins. Option 6, blocking leading https? in application parameters, is another one that sometimes conflicts with plugins. Activating option 2 also interferes with plugin upgrades.
When using this plugin, deactivate options 2, 3 and 6 during WordPress, theme and plugin upgrades and installations.
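To show why options 2, 3 and 6 collide with normal admin traffic, here is an added example (my own code, not Firewall 2’s) that screens request parameters with one switchable rule per option in the list above. The patterns come from the option descriptions; the length limit used for option 4 and the file extension list for option 5 are my assumptions. A legitimate login form sends a user_login parameter, so option 3 fires on it until you disable that option, which is the behaviour described above.

```python
# Added example, not Firewall 2's own code: a request-parameter screen with one
# rule per Firewall 2 option, so a false positive can be reproduced and the
# offending option switched off, as the post advises during upgrades.
import re

# Assumption for option 4: treat any value longer than this as a field
# truncation attempt (over-long input aimed at a fixed-width database column).
MAX_FIELD_LENGTH = 255

# One predicate per option, keyed by the option's number in the list above;
# each receives the parameter name and its value.
PARAM_RULES = {
    1: ("directory traversal", lambda k, v: re.search(r"\.\.(/|\\)", v) is not None),
    2: ("SQL query", lambda k, v: re.search(r"union\s+select|concat\(|/\*\*/", v, re.I) is not None),
    3: ("WordPress term", lambda k, v: re.search(r"\bwp_|user_login", k + "=" + v, re.I) is not None),
    4: ("field truncation", lambda k, v: len(v) > MAX_FIELD_LENGTH),
    6: ("leading http(s)://", lambda k, v: re.match(r"https?://", v, re.I) is not None),
}

# Option 5 applies to uploaded file names rather than ordinary parameters
# (extension list is an assumption, not the plugin's).
EXECUTABLE_UPLOAD = re.compile(r"\.(php\d?|phtml|exe|pl|py|sh|cgi)$", re.I)


def screen(params, uploads=None, disabled=()):
    """Return a sorted list of (option, rule name, field) for every rule that
    fires. `params` maps parameter name to value, `uploads` maps a form field
    to the uploaded file name, and `disabled` lists option numbers to skip,
    which mirrors deactivating that option in the plugin."""
    hits = []
    for option, (name, predicate) in PARAM_RULES.items():
        if option in disabled:
            continue
        for key, value in params.items():
            if predicate(key, str(value)):
                hits.append((option, name, key))
    if 5 not in disabled:
        for field, filename in (uploads or {}).items():
            if EXECUTABLE_UPLOAD.search(filename):
                hits.append((5, "executable upload", field))
    return sorted(hits)


if __name__ == "__main__":
    # constructed login request: blocked with all options on, allowed with 3 off
    login = {"user_login": "alice", "pwd": "secret"}
    print("all options:", screen(login))
    print("option 3 off:", screen(login, disabled=(3,)))
    # the post's advice for upgrades and installs
    print("upgrade mode:", screen(login, disabled=(2, 3, 6)))
```

The rules are deliberately crude string matches, which is also why the plugin trips over legitimate requests: the screen has no idea whether a parameter named user_login arrived on the login form or inside an attack. Logging the option number with every block, as this function returns it, is what lets you see which option to turn off.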
Mute Screamer
Have your very own personal PHP Intrusion Detection System courtesy of Mute Screamer. It uses PHPIDS to recognize attacks through PHP scripts and, on detection, sends an email alert, redirects the attacker and/or bans the attacker’s IP address.
The option to “Enable Mute Screamer for the WordPress admin” could see you blocked from your own site if you use plugins like Zemanta which monitor posts as you create them. If that happens, clear your cookies, wait a few minutes then log back in.
Better WP Security
Billed as the “Number 1 WordPress Security Plugin” in its description. This is my current favorite.
- Scans your site security then recommends improvements
- Protects WordPress from query string exploits
- Protects against remote SQL injection attacks (it protects your database)
- Does most of what Secure WordPress does and more
- Hides the login, register and admin URLs by rewriting them and providing a security key
- Can change the WordPress database prefix, the WP admin username and the name of the wp-content directory
- Lets you force users to use strong passwords
- Lets you disable the backend theme and plugin editor
Changing the name of your wp-content directory is inadvisable for old sites because it can break links to images, mp3s and other media content referenced within posts. On the plus side, it will break any hotlinks too! You could use Search Regex to locate and amend broken links within your site but do you want to take the risk?
Also, changing the name of the wp-content directory will lower your security score with the Ultimate Security Checker plugin because it won’t be able to find the directory. This is not important unless you just want to reach a perfect score; though you could – just for the sake of it – create an empty wp-content directory with an empty index.php file, a secure .htaccess file, a themes directory and a plugins directory within it. But it’s not essential.
Disabling the backend theme and plugin editor prevents some plugins from functioning. One of them being Quick Cache. I don’t know why it does it. Took me a while to work out.
Bulletproof Security
I can think of only one name better for a security plugin; and I’m keeping that to myself for when I develop the plugin to match the name (I’m working with a security plugin developer at the moment). In any case, Bulletproof security offers a well rounded set of protections from hackers.
Until recently, I used this on all my sites; only removing it because it didn’t secure my sites as well as I can with my own .htaccess directives and a few of the plugins mentioned above here.
It provides protection against “XSS, RFI, CSRF, Base64, Code Injection and SQL Injection hacking attempts”. The plugin’s admin panel is easy to navigate and comes with detailed explanations for each setting.
People without .htaccess knowledge might feel overwhelmed by the plugin on first use because of the way it presents the .htaccess file.
Bulletproof Security overwrites any existing .htaccess file when its .htaccess security directives are saved. The .htaccess file created by BPS does not change according to whether a site is a single install or a multi-site install or whether the site is in a subdirectory. It’s for the user to edit the BPS .htaccess file’s WordPress rewrite directives as required for the site.
TimThumb Vulnerability Scanner
The TimThumb vulnerability provoked the most aggressive surge in attempts to hack WordPress websites that I have ever witnessed in all my years as a webmaster. Every one of my sites and the sites I manage was targeted from the day the vulnerability was made public several months ago. Those attacks continue to this day. Thankfully my .htaccess directives block the attacks so I no longer see the innumerable speculative directory probes.
TimThumb is an image thumbnailer script used by lots and lots and lots of WordPress themes. Most themes are not updated by their designers hence the attraction for hackers to probe sites for vulnerable themes. The insecure script allowed an executable file to be uploaded to a server. Hackers exploit this to upload a PHP shell which gives them near full access to a server’s file system.
TimThumb Vulnerability Scanner checks a site for recognizable instances of the TimThumb script and replaces any found with the more up-to-date, secure version. It also scans for signs that a site has been hacked via the TimThumb exploit.
Once the plugin is installed, edit cg-tvs-timthumb-latest.txt (found in /wp-content/plugins/timthumb-vulnerability-scanner/) and replace its contents with the latest timthumb.php script found here.
It is safe to deactivate and delete this plugin after use. In fact, it’s advisable to do that with any unused plugin. All plugins and themes are potentially vulnerable to exploitation.
Top 2 Most Confusing Security Plugins
Exploit Scanner
Scans a site’s database and its files for code indicative of a hack.
Flagged code is not proof of a hack. It will flag any mention of eval, base64_decode, String.fromCharCode, iframe and many other functions. This plugin is not suitable for people with little understanding of scripting languages. It’s only useful when you want to locate vulnerable code and you know what the code actually does.
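As an added illustration of what that kind of scanner actually does (my own code, not Exploit Scanner’s), the script below reports every line of a source file that mentions one of the flagged functions, and marks lines where two of them appear together, the shape of the usual eval(base64_decode(...)) wrapper. The token list starts with the four functions named above; the extra PHP functions are my additions, and the PHP sample is constructed and harmless.

```python
# Added example, not the Exploit Scanner plugin's code: list source lines that
# mention functions a scanner would flag. A hit is a lead for a human to read,
# not proof of compromise, exactly as the post says.
import re

SUSPICIOUS = (
    "eval", "base64_decode", "String.fromCharCode", "iframe",  # named in the post
    "gzinflate", "str_rot13", "shell_exec", "passthru",         # my additions
)


def _pattern(token):
    # Match the token as a whole word so that e.g. "evaluate" does not count as "eval".
    return re.compile(r"(?<![\w.])" + re.escape(token) + r"(?!\w)")


PATTERNS = [(token, _pattern(token)) for token in SUSPICIOUS]


def scan_source(text):
    """Return (line number, matched tokens, combined) for every line that mentions
    a suspicious token. `combined` is True when two or more tokens share a line,
    which deserves a closer look than a lone base64_decode used for a legitimate
    purpose."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        found = tuple(token for token, pattern in PATTERNS if pattern.search(line))
        if found:
            hits.append((lineno, found, len(found) > 1))
    return hits


# Constructed sample: text for the scanner to read, never executed.
SAMPLE = "\n".join([
    "<?php",
    "// constructed sample: harmless lines that only illustrate what the scanner reports",
    "$greeting = 'hello';",
    "$data = base64_decode($_GET['p']);",
    "eval(base64_decode('aGVsbG8='));",
    "echo '<iframe src=\"http://example.invalid/\"></iframe>';",
    "function evaluate($x) { return $x; }",
])


if __name__ == "__main__":
    for lineno, tokens, combined in scan_source(SAMPLE):
        flag = "REVIEW FIRST" if combined else "check"
        print(f"line {lineno}: {', '.join(tokens)} [{flag}]")
```

Run against a real theme, this will flag plenty of legitimate code (image handling, feeds, embedded video), which is the point the post makes: the output only helps if you can read the surrounding code and decide what it does.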
AntiVirus
Less useful than Exploit Scanner because it only seems to scan files directly connected to the WordPress site and the active theme (as opposed to all themes, active or not).
Every bit as confusing as Exploit Scanner.
Summary
I will update this list as new plugins arrive, old plugins die and preferences change. I prefer to set website security with .htaccess, httpd.conf, virtual host files and wp-config.php edits when I have access to them. Even so, some of the plugins listed above are very useful for vetting a site’s integrity and security internally, for instance, Ultimate Security Checker, Web Security Tools and WordPress File Monitor Plus – though I use remote pentest tools when I really want to audit a site’s security.
If I had to choose between the final 7 plugins to protect against malicious attacks I would take Better WP Security, Firewall 2 and Mute Screamer, in that order, and use them with the first three file checkers.
As we’re on the subject of security, if you ever need to check a file for viruses, trojans, PHP injections or any other malicious content, visit VirusTotal. It’s a free file upload virus scan facility that uses virus definitions from multiple reputable sources for improved detection rates.
Over to You
Do you have good, hardcore, nobody’s-hacking-me security tips to share with us? We are all webmasters in this battle together. Drop your tips below so we can shower you with lots of praise :)