Top 10 Ultimate WordPress Security Plugins

Another security related post. I know, too many too close together. Don’t worry. I have many good non security posts ready to.. erm.. post.

All the WordPress security plugins in this list are ones I have used and tested over the years. They complement good .htaccess and server security practices. That means don’t rely on a plugin to secure your site.

Many plugins that audit WordPress for vulnerabilities look for specific lines of text in a specific format in the files they scan. When those lines are not discovered, the plugins report a vulnerability. This means one plugin might not detect that another plugin has added .htaccess directives to protect sensitive files from being viewed when those directives are in an unexpected format. When you know a security measure exists but a vulnerability scanner says it doesn’t, follow what you know to be true.

Without further ado, and in no grand order, here are my top 10 WordPress security plugins. Click the titles to go to a plugin’s WordPress page.

Top 10 WordPress Security Plugins

Ultimate Security Checker

Checks WordPress and your server for known security vulnerabilities that could give hackers access to your site and its hosting space. The plugin provides a security rating based on what it finds and offers advice for fixing discovered holes.

Ultimate Security Checker works well to find vulnerabilities but cannot always determine the security improvements added manually or by other security plugins. Double-check what it tells you before you act on its advice.

Web Security Tools

Automatically scans files in your site’s server space for PHP viruses and .htaccess infections, then cleans any compromised files.

Web Security Tools scans for infections using virus definitions stored on your server. You can add your own definitions to these directories if you discover an infection that the plugin does not automatically recognize and clean.

The virus definitions directory is in

The .htaccess definitions directory is in

Manual scans can be started from the WebSec Scan page of your WordPress Tools menu. This page can take a few minutes to load on first access while the plugin performs its first security screening.

A function of the plugin I don’t completely agree with is its auto shutdown feature for sites with infections it is unable to remove. It disables a site by renaming its .htaccess files. This feature cannot be disabled from the plugin’s control panel. I expect setting .htaccess file permissions to 444 (read only) will prevent the plugin renaming the file. A disabled site can easily be re-enabled by renaming its .htaccess file back to .htaccess.

Because the definitions file contains real virus code in its list of virus definitions, make sure file execution is impossible within the definitions directory. Create an .htaccess file with the following content in the plugin’s /virus_clean/definitions/ directory:

And create a text file called index.txt in the same directory.

I prefer this plugin to the VirusScan plugin.

WordPress File Monitor Plus

Why use a remote service to scan your website for file changes when you can use a plugin to scan your website and every file hosted alongside it in its server space?

WordPress File Monitor Plus scans all files in your site’s root directory and below it. It monitors for added, deleted and changed files based on file hash, time stamp and/or file size differences. It’s pretty much like Tripwire, the server software that does the same thing.

This plugin stores scan results for comparison with subsequent scans.

Very useful for checking that a file hasn’t been hacked and for discovering files introduced to a server via an RFI attack.

TimeToCome Tripwire Plugin

This plugin does something similar to WordPress File Monitor Plus, but it only scans when you manually ask it to scan a site’s folders, and it only checks whether a file has been created or modified within a specified number of days before the scan date.

This is a lightweight tool that only consumes resources when you ask it to scan.
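The added, deleted and changed comparison that WordPress File Monitor Plus performs, plus the modified-within-N-days check of the TimToCome Tripwire plugin, as an added Python example that is not either plugin’s code. It baselines a constructed WordPress-like tree in a temporary directory, then simulates a dropped file (the RFI case mentioned above), an edited wp-config.php and a deleted theme file; all file names and contents are constructed.

```python
"""Baseline-and-compare file integrity check, in the spirit of the
WordPress File Monitor Plus and TimToCome Tripwire descriptions above.
This is an added example, not either plugin's code. The web root, file
names and tampering below are constructed inside a temporary directory."""
import hashlib
import os
import tempfile
import time


def snapshot(root):
    """Record sha256, size and mtime for every regular file under root.
    Keys are paths relative to root so a baseline can be compared across hosts."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            st = os.stat(path)
            snap[os.path.relpath(path, root)] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mtime": st.st_mtime,
            }
    return snap


def compare(baseline, current):
    """Return (added, deleted, changed) relative paths. A file counts as changed
    when any of hash, size or mtime differs, the three signals the plugin offers."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return added, deleted, changed


def recently_modified(root, days):
    """TimToCome-style check: files created or modified within the last `days` days."""
    cutoff = time.time() - days * 86400
    return sorted(p for p, meta in snapshot(root).items() if meta["mtime"] >= cutoff)


def _write(root, rel, data, age_days=0):
    """Demo helper: write a file and back-date its mtime by age_days."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    ts = time.time() - age_days * 86400
    os.utime(path, (ts, ts))


def demo():
    """Build a constructed tree, baseline it, then simulate the three things the
    plugin reports: a new file, an edited wp-config.php and a deleted theme file."""
    root = tempfile.mkdtemp(prefix="wproot-")
    _write(root, "index.php", b"<?php require 'wp-blog-header.php';", age_days=30)
    _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp');", age_days=30)
    _write(root, "wp-content/themes/demo/style.css", b"body{}", age_days=30)
    baseline = snapshot(root)

    # Constructed tampering. The dropped file is a placeholder, not real code.
    _write(root, "wp-content/uploads/dropped.php", b"<?php /* constructed placeholder */")
    _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp'); // edited")
    os.remove(os.path.join(root, "wp-content/themes/demo/style.css"))

    added, deleted, changed = compare(baseline, snapshot(root))
    recent = recently_modified(root, days=7)
    return added, deleted, changed, recent


if __name__ == "__main__":
    labels = ("added", "deleted", "changed", "modified in last 7 days")
    for label, paths in zip(labels, demo()):
        print(f"{label}: {paths}")
```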

Secure WordPress

Copied and pasted directly from the plugin’s download page:

  1. Removes error-information on login-page
  2. Adds index.php plugin-directory (virtual)
  3. Removes the wp-version, except in admin-area
  4. Removes Really Simple Discovery
  5. Removes Windows Live Writer
  6. Removes core update information for non-admins
  7. Removes plugin-update information for non-admins
  8. Removes theme-update information for non-admins (only WP 2.8 and higher)
  9. Hides wp-version in backend-dashboard for non-admins
  10. Removes version on URLs from scripts and stylesheets only on frontend
  11. Blocks any bad queries that could be harmful to your WordPress website

This is an easy plugin to use. Install it, set it and forget it. Ideal for anyone who doesn’t know what he’s doing.

Firewall 2

Blocks suspicious URL requests and sends an email report to the specified admin whenever an access request is blocked. Its full blocking options are:

  1. Block directory traversals (../, ../../etc/passwd, etc.) in application parameters.
  2. Block SQL queries (union select, concat(, /**/, etc.) in application parameters.
  3. Block WordPress specific terms (wp_, user_login, etc.) in application parameters.
  4. Block field truncation attacks in application parameters.
  5. Block executable file uploads (.php, .exe, etc..).
  6. Block leading http:// and https:// in application parameters.

Firewall 2 is easy to use. Blocking WordPress specific terms (option 3 in the list) prevents some plugins from working and prevents plugins from being installed. You will know when it’s working too well because your site’s backend will inexplicably become a wormhole to your site’s homepage. Just deactivate option 3 when installing plugins. Option 6, blocking leading http:// or https:// in application parameters, is another one that sometimes conflicts with plugins. Activating option 2 also interferes with plugin upgrades.

When using this plugin, deactivate options 2, 3 and 6 during WordPress, theme and plugin upgrades and installations.
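The blocking options listed above, and the false positives the post describes for options 3 and 6, as an added Python example that is not the plugin’s code. The regular expressions are my own approximations of each category (option 4, field truncation, is not modelled because it needs per-field length limits rather than a pattern), and every sample request is constructed.

```python
"""Request-parameter filter modelled on the Firewall 2 blocking options listed
above, including the false positives the post describes for options 3 and 6.
Added example, not the plugin's code: the regular expressions are my own
approximations of each category and every sample request is constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Option numbers follow the list in the post. Option 4 (field truncation) is
# not modelled: it needs per-field length limits rather than a pattern.
PARAM_RULES = {
    1: ("directory traversal", re.compile(r"\.\./|/etc/passwd", re.I)),
    2: ("SQL keywords", re.compile(r"union\s+select|concat\(|/\*\*/", re.I)),
    3: ("WordPress-specific terms", re.compile(r"wp_|user_login", re.I)),
    6: ("leading http:// or https://", re.compile(r"^https?://", re.I)),
}
UPLOAD_RULE = (5, "executable file upload",
               re.compile(r"\.(php\d?|phtml|exe)(\.|$)", re.I))

ALL_OPTIONS = frozenset(PARAM_RULES)
# The post's advice for installs and upgrades: options 2, 3 and 6 switched off.
UPGRADE_OPTIONS = ALL_OPTIONS - {2, 3, 6}


def inspect_params(params, enabled=ALL_OPTIONS):
    """Return (option, label, parameter name) for each enabled rule that matches
    a parameter value. params is an iterable of (name, value) pairs."""
    hits = []
    for name, value in params:
        for opt in sorted(enabled):
            label, pattern = PARAM_RULES[opt]
            if pattern.search(value):
                hits.append((opt, label, name))
    return hits


def inspect_url(url, enabled=ALL_OPTIONS):
    """Split a request URL's query string and run the enabled rules over it."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return inspect_params(pairs, enabled)


def inspect_upload(filename):
    """Option 5: flag uploads whose name carries an executable extension,
    including double extensions such as image.php.jpg."""
    opt, label, pattern = UPLOAD_RULE
    return [(opt, label, filename)] if pattern.search(filename) else []


def demo():
    """Two hostile requests, then two legitimate admin requests that trip
    options 3 and 6 exactly as the post warns, and pass once those are off."""
    activate = "/wp-admin/plugins.php?action=activate&plugin=wp_super_cache%2Fwp-cache.php"
    login = "/wp-login.php?redirect_to=https%3A%2F%2Fexample.com%2Fwp-admin%2F"
    return {
        "traversal": inspect_url("/index.php?page=../../etc/passwd"),
        "sql": inspect_url("/?s=x%27%20union%20select%201"),
        "activate_all_on": inspect_url(activate),
        "activate_upgrade_mode": inspect_url(activate, UPGRADE_OPTIONS),
        "login_all_on": inspect_url(login),
        "login_upgrade_mode": inspect_url(login, UPGRADE_OPTIONS),
        "upload": inspect_upload("header.php.jpg"),
    }


if __name__ == "__main__":
    for case, hits in demo().items():
        print(f"{case}: {hits or 'allowed'}")
```

The "activate" and "login" cases show why the post tells you to turn options 2, 3 and 6 off during installs: a plugin slug containing wp_ and a redirect_to URL are ordinary admin traffic.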

Mute Screamer

Have your very own personal PHP Intrusion Detection System courtesy of Mute Screamer. It uses PHPIDS to recognize attacks through PHP scripts and, on detection, sends an email alert, redirects the attacker and/or bans the attacker’s IP address.

The option to “Enable Mute Screamer for the WordPress admin” could see you blocked from your own site if you use plugins like Zemanta which monitor posts as you create. If that happens, clear your cookies, wait a few minutes then log back in.

Better WP Security

Billed as the “Number 1 WordPress Security Plugin” in its description. This is my current favorite.

  1. Scans your site security then recommends improvements
  2. Protects WordPress from query string exploits
  3. Protects against remote SQL injection attacks (it protects your database)
  4. Does most of what Secure WordPress does and more
  5. Hides the login, register and admin URLs by rewriting them and providing a security key
  6. Can change the WordPress database prefix, the WP admin username and the name of the wp-content directory
  7. Lets you force users to use strong passwords
  8. Lets you disable the backend theme and plugin editor

Changing the name of your wp-content directory is inadvisable for old sites because it can break links to images, mp3s and other media content referenced within posts. On the plus side, it will break any hotlinks too! You could use Search Regex to locate and amend broken links within your site but do you want to take the risk?

Also, changing the name of the wp-content directory will lower your security score with the Ultimate Security Checker plugin because it won’t be able to find the directory. This is not important unless you just want to reach a perfect score; though you could – just for the sake of it – create an empty wp-content directory with an empty index.php file, a secure .htaccess file, a themes directory and a plugins directory within it. But it’s not essential.

Disabling the backend theme and plugin editor prevents some plugins from functioning. Quick Cache is one of them. I don’t know why it has that effect; it took me a while to work out that this setting was the cause.

Bulletproof Security

I can think of only one name better for a security plugin; and I’m keeping that to myself for when I develop the plugin to match the name (I’m working with a security plugin developer at the moment). In any case, Bulletproof Security offers a well rounded set of protections from hackers.

Until recently, I used this on all my sites; only removing it because it didn’t secure my sites as well as I can with my own .htaccess directives and a few of the plugins mentioned above here.

It provides protection against “XSS, RFI, CSRF, Base64, Code Injection and SQL Injection hacking attempts”. The plugin’s admin panel is easy to navigate and comes with detailed explanations for each setting.

People without .htaccess knowledge might feel overwhelmed by the plugin on first use because of the way it presents the .htaccess file.

Bulletproof Security overwrites any existing .htaccess file when its .htaccess security directives are saved. The .htaccess file created by BPS does not change according to whether a site is a single install or a multi-site install or whether the site is in a subdirectory. It’s for the user to edit the BPS .htaccess file’s WordPress rewrite directives as required for the site.

TimThumb Vulnerability Scanner

The TimThumb vulnerability provoked the most aggressive surge in attempts to hack WordPress websites that I have ever witnessed in all my years as a webmaster. Every one of my sites and the sites I manage was targeted from the day the vulnerability was made public several months ago. Those attacks continue to this day. Thankfully my .htaccess directives block the attacks so I no longer see the innumerable speculative directory probes.

TimThumb is an image thumbnailer script used by lots and lots and lots of WordPress themes. Most themes are not updated by their designers hence the attraction for hackers to probe sites for vulnerable themes. The insecure script allowed an executable file to be uploaded to a server. Hackers exploit this to upload a PHP shell which gives them near full access to a server’s file system.

TimThumb Vulnerability Scanner checks a site for recognizable instances of the TimThumb script and replaces any found with the more up-to-date, secure version. It also scans for signs that a site has been hacked via the TimThumb exploit.

Once the plugin is installed, edit cg-tvs-timthumb-latest.txt (found in /wp-content/plugins/timthumb-vulnerability-scanner/) and replace its contents with the latest timthumb.php script found here.

It is safe to deactivate and delete this plugin after use. In fact, it’s advisable to do that with any unused plugin. All plugins and themes are potentially vulnerable to exploitation.

Top 2 Most Confusing Security Plugins

Exploit Scanner

Scans a site’s database and its files for code indicative of a hack.

Flagged code is not proof of a hack. It will flag any mention of eval, base64_decode, String.fromCharCode, iframe and many other functions. This plugin is not suitable for people with little understanding of scripting languages. It’s only useful when you want to locate vulnerable code and you know what the code actually does.

AntiVirus

Less useful than Exploit Scanner because it only seems to scan files directly connected to the WordPress site and the active theme (as opposed to all themes, active or not).

Every bit as confusing as Exploit Scanner.

Summary

I will update this list as new plugins arrive, old plugins die and preferences change. I prefer to set website security with .htaccess, httpd.conf, virtual host files and wp-config.php edits when I have access to them. Even so, some of the plugins listed above are very useful for vetting a site’s integrity and security internally, for instance, Ultimate Security Checker, Web Security Tools and WordPress File Monitor Plus – though I use remote pentest tools when I really want to audit a site’s security.

If I had to choose between the final 7 plugins to protect against malicious attacks I would take Better WP Security, Firewall 2 and Mute Screamer, in that order, and use them with the first three file checkers.

As we’re on the subject of security, if you ever need to check a file for viruses, trojans, PHP injections or any other malicious content, visit VirusTotal. It’s a free file upload virus scan facility that uses virus definitions from multiple reputable sources for improved detection rates.

Over to You

Do you have good, hardcore, nobody’s-hacking-me security tips to share with us? We are all webmasters in this battle together. Drop your tips below so we can shower you with lots of praise :)

Comments

  1. Ed says

    Hi Dion,
    You clued me in to a newbie mistake I made years ago when I barely knew .htaccess coding and barely knew WordPress. Still appreciate the help that you gave. ;) I see that this post is dated back to November. So what do you think of the new BulletProof Security .htaccess coding? he he. Kind of living up to its name now wouldn’t you say? Thanks again for your help years ago. :) Ed

    • says

      Hello Ed, I was glad to help, still am :)

      I keep meaning to revisit Bullet Proof Security again. I have it installed in WordPress in a development server so I can keep tabs on updates but I’ve not had chance to sample the latest release. Give me a week and I’ll take a fresh look. Thanks for visiting :)

    • says

      Hello Ralph, I’m sorry to learn WordPress has blocked the plugin from being hosted in its repository. Look at my write up of the plugin again. You will find a possible solution in it. Let me know if disabling executable scripts in the virus definitions directory is an issue for the plugin. It shouldn’t be.

  2. Ralph Ritoch says

    Hello Dion. I saw your suggestions and having controls to the plugin was something I was working on but I had some problems finding any documentation on adding controls to the network admin for WordPress multi-user. In multi-user you can’t have your users disabling the virus scanner. As for changing the file permissions to 444, I must be completely honest, I don’t think that will work because most Linux systems will allow you to rename a file that you don’t have access to as long as you have write access to the directory. The shutdown is mandatory though because if Google sees a virus on your site you will get temporarily blocked by their anti-malware protections, so technically it is more there as a SEO feature. Ideally I should probably have it also send an email to the admins that the site has shut down. As for the .static files, unless you have a horrible server configuration they are not executable, and will display as text files which are harmless. Worst case you can block access to .static files via .htaccess.

    The future of this plugin is unclear, the library which provides the scanner is somewhat separate from the plugin so I may simply switch to a new blogging platform and re-release the plugin for that platform, though I’ll continue to at least maintain the functionality of the WordPress version as they change the functionality of WordPress. Not to support WordPress but just to help keep the internet safe.

    • says

      Ralph, I read your post about the reasons WordPress blocked the plugin. I hope the repository monitors unblock it soon because it is a very needed plugin. Whether they unblock it or not, please don’t stop updating it (will need to rewrite this post if you do).

      I understand the reason for automatically shutting an infected site down. You are right that shutting it down is the best approach. Not just from an SEO perspective but also for protecting visitors. An email update would be useful or maybe a private Twitter or Facebook message sent to a site’s admin user (I’ve only just considered those options).

      Will make time to write something about the plugin being blocked by WP. On the plus side, we say the WP repo gatekeepers have overreacted (and they have) but at least we know they are checking plugins for malicious content; this is something they haven’t always done too well and all the more reason for WP to keep your plugin active.

      Do you know what would be really useful: if WP worked with you by providing you the definitions they discover.

      Let me know when you post your petition so I can sign it.

    • Edward Alexander says

      Hey Dion,
      I looked at the coding of this plugin and I think the reason WP rejected it is because it does not implement a lot of the WP built-in security hooks so once the coding is adapted to hook into WP’s security hooks then it will most likely be approved. ;)

  3. says

    Hey, thanks, that is a great post. My question is, which plugin/plugins should I install to protect my WordPress sites?
    I’ve been using Web Security Tools, Bulletproof and a few others. Ideally I’d like just one that does the job as right now they are slowing my load times to 22 seconds to load the homepage!
    I used P3 Plugin Profiler from GoDaddy to measure it. Web Security Tools is great, but slowed my site load time the most.
    PS I’m an internet marketer, and if anyone has a really good plugin that handles the security issue, I can definitely help sell a few hundred copies. Let me know, thanks,
    Darren Starr

    • Edward Alexander says

      BulletProof Security does not add any load speed to your website so it is not BPS that is doing that. And BPS Pro actually speeds up page load speed and overall website load speeds.

  4. says

    Hi Edward, it was actually Web Security Tools that slowed it down, and I quite like it as it actually can remove viruses. I wonder, is there an all in one plugin solution or if someone can develop it, I can definitely get someone paid for making it. Thanks, Darren

    • Edward Alexander says

      Currently there is not a free WP security plugin that does it all, but eventually BPS Pro will be that plugin. BPS Free protects against pretty much everything that a hacker could throw at your site in the form of XSS, RFI, Code Injection, SQL Injection, etc. hacking attempts and then you would need an additional plugin that protects against brute force password cracking to protect your WP login. That combination of plugins pretty much locks down your site 100% against hackers. FYI – Also I recently took a look at the Better WP Security plugin’s coding and LMFAO – it is using some very ancient BPS .htaccess code that is very outdated. ;)

  5. says

    Excellent Edward, I have an idea I would like to put your way. It’ll boost sales and revenue for your company. I left a message on your answering machine. Could we talk? :)

    • Edward Alexander says

      Hi Darren,
      We are locked into an outlined growth plan with BPS Pro for at least the next 6 months until we achieve certain goals that we have set for BPS Pro. Once we achieve those goals then we will consider combining forces, alliances, partnerships and doing affiliate deals, but until we achieve that set goal we are sticking to our original plan. Thanks.

  6. says

    Thanks Edward, I absolutely think you could be selling this on an annual licence as antivirus and other security software is sold, as well as having different editions for the amount of sites it is to be used on. Software like this, especially if it included login lockdown features, surely could be sold to the corporates using WordPress. Everyone who has ever had their site hacked knows what a pain it is to fix it. My one is currently displaying all funny characters on it now hypnotherapistsinlondon-com.
    Well thanks and please let me know when you’re out of that plan. I’d love to participate.

    My Best Wishes,

    Darren

    • Edward Alexander says

      Of course we want to make a profit with BPS Pro, but we also want to keep the price ridiculously cheap and affordable to everyone so that regular folks can get BPS Pro. We have kept and will keep the licensing restrictions very lenient for regular folks as well. We are focused primarily on providing website security to regular folks, but do already have several big brand name Corporate users. I think the biggest contributing factor to why there is so little piracy going on with BPS Pro is because the price is so reasonable and fair. ;) Thanks.

  7. says

    Okay I got it :). Thanks, you’ve been so helpful, I went ahead and bought the pro version. Lol, it looks a little tricky to use, would be great if there was a wizard or step by step walk through or something but hey, perhaps in the future.
    So are you saying with the combination of BPS Pro and say for example Login Lock, that I wouldn’t need any other security plugins? So I wouldn’t need WordPress Firewall 2 or Cloudflare? That would be great!
    Thanks Edward! :)

    • Edward Alexander says

      Yep, we are still working on improving the automation so yes at this point there are a lot of hoops to jump through on a first time installation. The custom php.ini file set up is a pain at this point, but it is a one time thing that only needs to be done once and it is forever. ;) Yep, BPS and a brute force password cracking plugin is all you need. ;)

      There is one weak point in BPS Pro that I am working on right now and will have completed in 1-2 days. It is a weakness that is caused by a Server weakness / vulnerability and I am creating a countermeasure to compensate for this Host Server’s possible vulnerability. This is not something I obviously want to expose or talk about. BPS is designed to prevent against a direct attack, but if a Host Server is compromised BPS has F-Lock protection to compensate for this, but I have found another Server vulnerability that can bypass F-Lock. BPS Pro 5.1.5, when it is released, will have a countermeasure that will negate this Server vulnerability and render this type of hack ineffective if it exists on a Host Server. ;)

    • says

      Edward, call me lazy but I’ll ask here instead of checking your web site, is there BPS Pro developer version. My business partner and I develop websites, social media & mobile marketing campaigns. Security is important to our clients so BPS Pro would be very useful to us. You can see more of what we do at http://vizred.com. My real name is Lee, by the way.

    • Edward Alexander says

      The license is geared more towards regular folks:

      The BulletProof Security Pro license does not have a limitation on the number of websites, website domains and website hosting accounts that you can install BulletProof Security Pro on, as long as these websites, website domains and website hosting accounts are either owned directly by you, supported directly by you or managed directly by you on an ongoing basis.

      The problem we ran into early on is that some folks do Hosting for clients and they felt that the license meant that they could install BPS on the 100’s of client sites that they Host – this is obviously not cool. ;)

      The other problem we ran into was people thought that if they built a website for a client as a one time thing they could just include BPS in that package – this is also obviously not cool. ;)

      Therefore we had to add these 2 conditions:

      Conditions That Do Not Qualify As “websites supported directly by You or managed directly by You”

      1) If You are a Web Hosting service provider or solely providing website hosting services to Your clients or customers this does not qualify as websites supported directly by You or managed directly by You. Supported directly by You or managed directly by You specifically means that You are directly working on, directly maintaining or directly managing any websites that You have installed BulletProof Security on, on an ongoing basis.

      2) If You build or design websites for clients or customers as a one time sale agreement and You will not be continuing to directly support or directly manage Your clients or customers websites this does not qualify as websites supported directly by You or managed directly by You. Supported directly by You or managed directly by You specifically means that You are directly working on, directly maintaining or directly managing any websites that You have installed BulletProof Security on, on an ongoing basis.

    • says

      It’s amazing how much you have to watch people. They always take more when they can. $39.99 is incredibly good value for the scope of the plugin. I’ll speak with my partner and see whether we can include it in the price of our packages.

      Does it work well with mobile sites (using proper mobile themes on ‘m’ domains)?

      We build mobile sites so keeping them as light as possible is a major concern.

    • says

      Good. I bought the Pro version yesterday. Will trial it and write a review. Like what I see so far. What I think is missing is an option to change the wp-content directory’s name. I’ve cut out a lot of automated hack attempts just by making that one simple change. I will amend this post to “top 11” when I get a bit of quiet time over the next few days.

      One more thing, it took me 20 minutes to find the “Pay Here” link. I was going nutty looking for it ;)

  8. Henrik says

    I have just been reading the text and comments a few times and I am a bit confused. It seems like BPS Pro is a good way to start but which of the plugins on top should I combine it with?

  9. says

    Henrik, you’re welcome and no you won’t. I’ve discovered a lot of them are a complete waste of time, they don’t clean the virus if you get one a lot of times, and some just send you constant annoying reminder virus alerts. I even tried Cloudflare, which routes traffic through their servers to warn and block attacks, only it slowed my WP site load from 0.5 secs to 22 secs!
    Use the P3 Profiler from GoDaddy to measure the delay that plugins cause, also available in the WordPress plugin repository :)

    • says

      Thanks for sharing your advice, Darren.

      Some of those file monitor warnings can be overwhelming but the File Monitor Plus plugin is essential for detecting when a hacker or bot has injected malicious code into files or has installed PHP shell scripts or other software into the site’s server space by an RFI (remote file inclusion) attack.

      BulletProof Security Pro is good and well worth the investment but you will still need Better WP security to cover the items BPS Pro does not such as renaming the wp-content directory (when possible), changing the admin username and database table prefix, locking the backend file editor and ensuring users register with strong passwords (if registration is enabled). There is not one security plugin that covers all bases but I believe Bulletproof Security Pro and Better WP Security will do so eventually.

      With regard to locking down registration, there is no need for a plugin. Use .htaccess rewrite rules to disable the registration and signup scripts then install a plugin to enable remote authentication. Here is an article about doing just that:

      http://journalxtra.com/websiteadvice/wordpress-security-hardening-htaccess-rules-4025/

      The exact instructions are located at

      http://journalxtra.com/websiteadvice/wordpress-security-hardening-htaccess-rules-4025/#Part_Five_If_Registration_is_Disabled

      Install Disqus or Livefyre to allow users to comment on posts via remote authentication, i.e. no user signup is required so the WordPress registration can be disabled.

      WordPress Firewall 2 is very good at blocking hacks. Though it does need to be disabled during plugin and theme installation and/or configuration then re-enabled afterwards.

      Use Redirection to help monitor for bad IP addresses by checking for 404s. Add bad IPs to your block list, use Permalink Finder to lower 404 errors caused by bad backlinks and use Hotfix to patch WordPress flaws between WordPress version releases.

      Sometimes you have to accept the notification emails the plugins send in return for the benefits they provide. Personally, I use the plugins mentioned in this comment (I will check my post to confirm they are the ones I recommend in the summary) and the .htaccess rewrite directives I developed and wrote about at the link above.

  10. Henrik says

    I am kind of new to this so just want to be sure. My plan is this regarding security and back ups:

    Security systems:

    BPS Pro

    login lock

    TimThumb Vulnerability Scanner (already have this)

    (WordPress File Monitor Plus) not sure

    Backup systems:

    weekly by e-mail: WordPress database Backup (already have this)

    FTP server:

    SmartFTP (back up of the WP content folder)

    Weekly:

    Save a daily copy from cPanel

    Passwords:

    LastPass.com

    Am I missing something here?

    • says

      See my reply to Darren’s message. The TimThumb Vulnerability Scanner can be disabled and removed once you have used it to replace outdated TimThumb scripts within themes and plugins.

  11. Jason says

    You recommended using Better WP Security, Firewall 2 and Mute Screamer.

    Meaning we can use all 3 of them at once, or just 1 of these?

    But I know you said we can use all 3 the top scanners, right?
