WordPress is huge. It is currently the most popular blogging system in use, and it manages 22% of all new websites. We use it for our site, and I would personally recommend it to anyone thinking of creating a new website.

However, because it is so popular, it becomes a target for hackers. Right now, automated bots are crawling the web looking for WordPress sites to attack. If you take some time to protect yourself, you can greatly reduce your chances of having a problem.

With that, I decided it would be useful to share some of the tips and tricks I have learned to protect our site. There is too much for one blog post, so I will release others over time, but I will start with the most important ones.

So, here are my recommendations for the 4 best WordPress security plugins. All WordPress plugins are easy to install, but some may take some time to configure correctly.

  1. WordPress File Monitor Plus. This plugin alerts you whenever a file on your site changes. When a WordPress site gets hacked, what usually happens is that the attacker adds one or more files to your site, or alters one that is already there. A WordPress installation consists of hundreds of files, so a new or modified one blends in easily and goes unnoticed. But with just one file, attackers can change your site however they want, including serving malware to your visitors, which in turn gets your site flagged as dangerous in Google search results.

    WordPress File Monitor Plus regularly checks your WordPress installation for new, deleted and changed files. If it finds anything, it sends you an email with the details. It is your responsibility to read these emails and decide whether each change is expected: uploading a new image or upgrading a plugin will cause an alert, and that is fine. If you see something you can't explain, investigate it immediately. This plugin will not stop you from being hacked; it tells you after the fact that something changed, so you find out early and know exactly which files to clean up.

    Out of the box, this one is pretty easy to set up. You just tell it how often to scan your files. Most likely, you will also want to tell it which files not to scan. For example, a caching plugin rewrites its cache files constantly, and the File Monitor will report them over and over. The best plan is to start with no excludes, and when the alerts come in, identify which directories you no longer need to hear about. Eventually, it will only tell you about important changes. One caveat: the monitor runs inside WordPress with the same permissions as any other plugin, so an attacker who gains full control of the site can disable it or silence its emails. Treat its alerts as an early warning, not a guarantee.

  2. Limit Login Attempts. This plugin protects you from automated password guessers. It lets you configure how many failed login attempts someone gets before they are locked out, and how long the lockout lasts. If someone guesses wrong too many times, they are blocked from trying again for the lockout period, and you are sent an email about it.

    So how useful is this? You would be surprised. Once you install this plugin, you will find out that automated bots are finding WordPress sites and trying to brute-force the password. Without this plugin, and with anything less than a strong password, they will eventually guess it. Depending on the speed of your server, they could try hundreds of passwords a second. With this plugin installed, they may get 6 guesses every 2 days. Keep in mind that the lockout is keyed on the client's IP address, so a botnet spread across many addresses gets a fresh allowance from each one: the plugin slows attackers down dramatically, but it is not a substitute for a strong password.

    This plugin is simple to install and configure. So you have no excuse.

  3. Secure WordPress. This plugin is more of a hardener. It does a lot of little things to make an attacker's life harder, such as hiding the details that let automated scanners identify your WordPress version. None of these things make it impossible to be hacked, but they make hacking your site harder than hacking someone else's, and against bots that pick the easiest targets, that is usually enough.

  4. TimThumb Vulnerability Scanner. There is a library called TimThumb that people use to dynamically create thumbnail images for websites. It is used by millions of sites, often bundled inside a theme or plugin without the site owner knowing it is there. In 2011, a vulnerability was discovered in it that let attackers upload and run their own PHP code on any site using it, and so take the site over. The vulnerability has been corrected, but sadly old copies are still out there years later, and this is probably still one of the most common ways WordPress sites get hacked. This plugin scans your themes and plugins for TimThumb, determines whether you are running an out-of-date version, and if so, upgrades it for you.

Please let me know if these recommendations helped you, or if you know a WordPress plugin that belongs on this list.