The listed combination of plugins are recommended to make your WordPress blog more secure. The individual plugins may not be the best available, but the combination works very well for your site.
Word of caution here. My recommendations are based on the following assumptions:
- That what you have is a fresh wordpress installation. This would work on an old installation too but there is a possibility that existing installed security plugins may be in conflict with some of my recommendations. So, please, proceed with caution.
- These installations are not one-offs. The developers usually release updates to keep abreast of new vulnerabilities. Always ensure that you update these plugins whenever the updates are available.
- Ensure your wordpress installation is updated regularly.
- Especially for old wordpress installations, i would suggest you test these plugins on a test server first before deploying it to your production or live site. A test server could be a sub domain on your main site but ,preferrably, an entirely different site.
You may direct issues you encounter through my twitter handle @diaryofageek
I consider this plugin as very key and probably the best defense against hack attacks or other forms of misadventures you may have on your blog. A good backup can return you back online within minutes of your site going offline.
Note: This plugin only backs up your blog site. Any other services available on your site, like emails, would not be backed up effectively. I do recommend you use Google Apps free email services for your email. This ensures that your email is always up, no matter what.
Backwpup comes highly recommended not because it does what it claims to do well, but because you get to enjoy an otherwise premium service for free. This plugin allows you to backup your blog to a local folder, email, remote ftp site (could be another shared hosting account) or, interestingly, a slew of free (and premium) online cloud services like Amazon S3, Google Storage, Microsoft Azure (Blob), RackSpaceCloud, Dropbox, SugarSync, etc.
The plugin can be scheduled to run backups on a regular basis with no input from you.
Most hack attacks are not usually personal. These attacks are usually automated. These website cracking tools seek out blogs that still have known vulnerabilities that have not being patched.
Bad Behavior runs before your software on each request to your Web site, so if a spam bot does visit, it will receive nothing. When Bad Behavior looks at a request, it determines if the request matches a profile of known malicious or spammy activity, which falls outside the bounds of a normal human browsing the web. If so, the request is blocked.
BPS Free covers one very important aspect of website security – secure .htaccess files to block browser based hacking attempts. The best feature of the plugin is that it is designed to be fast, simple and convenient. It helps you to activate .htaccess website security from within your WordPress Blog’s Dashboard.
Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery, especially for the admin account. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Admisitrators can release locked out IP ranges manually from the panel.
The plugin has not been updated recently but it still does what it was intended to do very well.
Quite a number of wordpress themes, especially the fancy 3rd party ones, come with a programming code called Timthumb embedded in it. Unfortunately, hackers have exploited loopholes in this programming code to bring down a lot of wordpress blogs. You can read more about this here.
The Timthumb Vulnerability Scanner plugin will scan your entire blog for instances of any outdated and insecure version of the timthumb script, and give you the option to automatically upgrade them with a single click. Doing so will protect you from hackers looking to exploit this particular vulnerability.
In case the undesired happens and someone breaks into your site, they will most likely add files to your site. These extra files can act as backdoors, which can potentially allow hackers to execute files from their own servers. These files can hijack your traffic, place unwanted ads or links on your pages and place malware on your visitors computers. This plugin monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
While no claims are being made that these plugins would make your site “hack-proof”, it would definitely serve as a deterrent to a would-be opportunist hacker.
This list is by no means exhaustive, suggestions and recommendations are always welcome.