
More WordPress Simple Security: 5 Plugins to help you lock out unwanted visitors

by Dr Wordpress! on July 3, 2009 · 1 comment


Do a quick search on “WordPress Security Plugins” and you are going to get a boatload of results, most of which aren’t going to tell you much more than what you can read in the plugin’s documentation. Seriously, check this out: 57 security wordpress plugins. WTF? Seriously, go check that out. If it serves your needs, cool. If not, come back and we’ll dig into what, where, how, why and all that other happy horsepuckey you really need to learn at some point.

Some are complicated. Some make you jump through hoops as well. What we’re really looking for are plugins that are simple to use and understand, yet powerful enough to catch our blunders and any script kiddies who come knocking.

By the way, if you don’t already know, anyone that wants into your blog bad enough, will probably find a way in. We can’t do anything about people like that. But they’re few and far between unless you’re in the easy/fast money businesses of sex/drugs/gambling. You know, easy money stuff the state wants to tax. But you’re not… so no worries.

I’m going to take a slightly different stance here and expose myself… ah… I mean, I’m going to list and discuss only the plugins I find useful here on Website In A Weekend… which means if any of these plugins have a security flaw, Website In A Weekend goes up in smoke! Anything for my readers!

Let’s get started.

WP Security Scan

Michael Torbert’s WP Security Scan is absolutely the first security plugin you should install. Go install it right now in fact. I’ll wait.

Here’s how WP Security Scan helps protect your blog:

  1. Helps prevent SQL injection attacks by warning about the default WordPress database table prefix. Even if you don’t fix the table prefix on your current blog, you will be sure to specify a custom prefix on your next WordPress installation.
  2. Flags incorrect and dangerous file system permissions. Once you fix your permissions correctly, the plugin lists the corrected permissions as well.
  3. Provides a way to evaluate your password strength, and suggests very strong passwords if your imagination for random letters, numbers and punctuation runs dry.
  4. Checks for appropriate .htaccess files where you need them. This is a big deal, and one that is little discussed.

Every item in the list above is very simple. There is no reason NOT to get WP Security Scan installed immediately.
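To show what the first two checks in the list actually look at, here is an added example (my own code, not the WP Security Scan plugin’s) that reads the `$table_prefix` out of a constructed wp-config.php and flags group- or world-writable permission bits on a file. The sample config and the file path are assumptions made up for the demo.

```python
import os
import re
import stat

# Constructed sample wp-config.php fragment; a real one has many more defines.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
$table_prefix = 'wp_';
"""

DEFAULT_PREFIX = "wp_"   # what every stock WordPress install ships with

# Matches: $table_prefix = 'something';  (single or double quotes)
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]")


def table_prefix(config_text):
    """Return the $table_prefix value from wp-config.php text, or None if absent."""
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None


def uses_default_prefix(config_text):
    """True when the blog still uses 'wp_', so canned SQL injection payloads
    that hard-code table names like wp_users will work unmodified."""
    return table_prefix(config_text) == DEFAULT_PREFIX


def risky_permission_bits(mode):
    """Return the dangerous bits found in a numeric file mode (e.g. 0o666)."""
    problems = []
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    return problems


def check_file_mode(path):
    """Apply risky_permission_bits() to a real file on disk."""
    return risky_permission_bits(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print("default prefix:", uses_default_prefix(SAMPLE_WP_CONFIG))
    print("0o666 problems:", risky_permission_bits(0o666))
```

A non-default prefix only defeats attacks that hard-code table names; it does not fix an injectable query, so treat the warning as one layer, not the cure.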

BlueTrait Event Viewer

The BlueTrait Event Viewer (BTEV) implements custom logging and email functions to keep track of what’s happening at a lower level on your WordPress blog. BTEV is slightly more complex than the other plugins discussed here, so you may want to install it after you master the others first.

BTEV is really useful when you need to find out the following:

  1. Who registered, from where, and when. If you’re getting a lot of bogus registrations, this will help.
  2. Who is currently logged in, useful for checking for malicious users.
  3. If you write plugins, there is an advanced feature that logs PHP events. This is fantastic, so much easier than dealing with server logs.

BTEV works by monitoring all of the following WordPress actions: password_reset, delete_user, wp_login, lostpassword_post, profile_update, add_attachment, wp_logout, user_register, switch_theme, and activation/deactivation of other plugins.

Saving the best for last: BTEV provides an RSS feed… subscribe to your event feed, and you’ll be on top of breaking security issues immediately. RSS feeds are critically important when you’re operating more than one WordPress installation.

Login LockDown

Login LockDown rains contempt on spammers

Have you ever tried to log into a website where you had forgotten perhaps your username, or your password, or both?

Then been locked out for “Too many retries.”

That’s the kind of pain and suffering you want to visit on spammers, and other jerks who rob your bandwidth with stupid linkbaiting schemes offering… well… I won’t dignify what they purport to offer by putting it into words. Let’s just say, when your clickthrough rates are less than 1/100,000… you have to resort to massive spam.

The WordPress Login LockDown plugin from Bad Neighborhood SEO helps rain contempt on spammers and scammers by preventing them from using brute force attacks to compromise your login security. Actually, they can still brute force attack you, but they get three tries (you set this number) before you send them off for an hour to cool their jets.

Install Login Lockdown to escalate your security quickly and easily. It’s super simple to set up and operate. Just using the default parameters should be enough for most people.
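The lockout rule described above, three failures and then an hour in the cold, as an added example in Python (my own code, not the Login LockDown plugin, which is PHP). The 5-minute window within which failures are counted is an assumption; the plugin has its own configurable retry period.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 3           # "they get three tries" (the post's default)
RETRY_WINDOW = 5 * 60      # assumed: failures older than this no longer count
LOCKOUT_SECONDS = 60 * 60  # "send them off for an hour to cool their jets"


class LoginLockout:
    """Per-IP failed-login tracker; hypothetical, not the plugin's own logic."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=RETRY_WINDOW,
                 lockout=LOCKOUT_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_locked(self, ip, now=None):
        """True while the IP is locked; expired locks are cleared on the way."""
        now = time.time() if now is None else now
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now=None):
        """Record one failed login. Return True if the IP is (now) locked out."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return True
        recent = [t for t in self.failures[ip] if now - t <= self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login (only reachable when not locked) resets the count."""
        self.failures.pop(ip, None)
```

Note that, like the plugin, a locked IP stays locked even if it then supplies the right password; the check happens before credentials are examined.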

Captcha

ST Captcha even looks good!

Those little boxes where you type in numbers or letters which are twisted or distorted are called “captcha” boxes. The letters and numbers used to be very easy to read… it turns out that image analysis algorithms can figure out plain old text really fast. Naturally, spammers and scammers are always up on the latest techniques.

But captcha is a proven technology. Users don’t mind it too much, provided the letters and numbers are easy enough to read.

And ST Captcha really nails it. Check out the screen shot. This captcha box even looks good!

Installation is simple. Operation is simple: choose whether you want captcha shown on comments, or on registration, or both. That’s about it. This captcha plugin plays well with AWeber Super Simple too, so you can ask people to sign up for your AWeber newsletter at the same time they register.

Redirection and Drain Hole

Redirection and Drain Hole are incredibly useful plugins, and very powerful as well. This review is going to focus on just a couple of the capabilities of each.

Drain Hole allows you to set up your download archive outside your web directory. This means that you can provide files, movies, images, whatever you want, from a location that your web server does not serve directly… which means it’s not directly accessible to casual web surfers. Once you set up a “drain hole,” you provide a link people must use to access the files, and you can monitor the traffic. Using Drain Hole is an excellent “next step” in securing your content. Read more about setting up your first Drain Hole for securing downloadable content.

Redirection is so powerful, it would require a 5000 word article to fully explain how to use all the capabilities. The compelling security reason you need Redirection is for monitoring your HTTP 404 Error logs. The HTTP 404 Error means the web server could not find the page asked for by the browser, so it returns error code 404, and possibly an explanatory web page to help the reader. Here’s a screenshot showing some of the features of Redirection:

Redirection has powerful HTTP 404 Error monitoring

The default installation of Redirection provides specific 404-related features that benefit you:

  1. You can easily ban spammers because each 404 error is logged with the page/URL requested, domain name and IP address.
  2. Redirection’s RSS feed for the 404 module allows you to monitor several different blogs from the convenience of a single RSS reader, which saves you massive amounts of time.
  3. You’re alerted to bad plugins because you can see, by name, which plugins have security compromises. For example, Website In A Weekend periodically gets a string of requests for the “Wordspew” plugin. Doing a search for the Wordspew plugin led to information warning about security risks.
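The same kind of 404 triage, done by hand over the web server’s access log, as an added example (my own code, not part of the Redirection plugin). It counts 404s per IP and flags IPs that are walking through `/wp-content/plugins/<name>/` paths that don’t exist on the site, which is exactly the “string of requests for the Wordspew plugin” pattern above. The log lines are constructed in Apache combined format; the IPs and paths are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jul/2009:10:12:01 +0000] "GET /wp-content/plugins/wordspew/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2009:10:12:02 +0000] "GET /wp-content/plugins/wordspew/js/ajax.js HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Jul/2009:10:12:03 +0000] "GET /wp-content/plugins/fancy-gallery/readme.txt HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Jul/2009:10:15:40 +0000] "GET /2009/07/old-post/ HTTP/1.1" 404 512 "http://example.org/" "Mozilla/5.0"
198.51.100.4 - - [03/Jul/2009:10:15:41 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip, timestamp, request line (method + path), status; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Plugin slug is the first path component under /wp-content/plugins/.
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<plugin>[^/?]+)")


def parse_404s(log_text):
    """Yield (ip, path) for every line with status 404; skip unparseable lines."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("status") == "404":
            yield m.group("ip"), m.group("path")


def counts_by_ip(log_text):
    """How many 404s each IP produced: the 'ban spammers' view."""
    return Counter(ip for ip, _ in parse_404s(log_text))


def probed_plugins(log_text):
    """Map each IP to the set of plugin slugs it requested that returned 404."""
    result = defaultdict(set)
    for ip, path in parse_404s(log_text):
        pm = PLUGIN_RE.match(path)
        if pm:
            result[ip].add(pm.group("plugin"))
    return dict(result)


def suspicious_ips(log_text, min_plugins=2):
    """IPs that 404'd on at least min_plugins distinct plugin paths: likely scanners."""
    return sorted(ip for ip, slugs in probed_plugins(log_text).items()
                  if len(slugs) >= min_plugins)
```

A visitor following a stale link (198.51.100.4 above) produces a single 404 and no plugin probes, so it is never flagged; the threshold keeps ordinary broken links out of the ban list.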

Redirection has more powerful features, many of which will be discussed in future articles. Make sure to subscribe so you won’t miss any information.

A message from our “Sponsor”

Long time Website In A Weekend readers know I rarely miss a chance to flog my current musical obsession or marketing book-du-jour… so you’re not done yet!

Check this out: for about $1.35 (what it cost me), you can get a good condition, used copy of Benjamin Suarez’s 7 Steps to Freedom II: How to Escape the American Rat Race.

This book is worth far, far more than $1.35.

Put Suarez’s advice to work and it will save you time and make you money. But the key is work…

What he does is lay out the entire business operation for producing and distributing consumer products marketed by direct mail. He lays out every single procedure. All 70 procedures. It’s work.

But here’s the cool thing: you don’t have to be a direct mail marketer to benefit from this book! The principles of product selection, consumer testing, advertising, all of it translates right straight to the internet. If you wondered where all these internet “Big Boys” learned their chops, big hunks of it are right out of this book. Get your “7 Steps to Freedom” now! (For $1.35.)
