Yet another long and boring article for you! :D
Most of the plugins I mention in this article are used by me personally. There are also a few that I don’t use personally but feel that they may help you; I list them separately in this same article. Note that not every plugin I mention here is used on this blog; I have a few other blogs as well where I use them. ;)
Backup Plugins
Security Plugins
Spam Control Plugins
1. Backup Plugins: Regardless of what your blog is about, the very first thing you need to install is a database backup plugin which automatically backs up your database to a selected location at regular intervals. Thus if anything goes awry with your blog database you can easily restore your old blog with one click! ;)
How frequently you backup your blog is up to you; personally I backup my blog database every week, but there is no hard and fast rule about it. You can, if your hosting space permits, backup your blog database everyday! :D
Personally I use the WP-DBManager most of the time. There was a time in the past when I did not like the plugin, but it has come a long way since then. Right now it is probably the best (local) backup plugin you can have for WordPress. ;)
NOTES: Just downloading a cool plugin is not enough. It is also important that you setup the plugin properly on your server:
a) This is a given, but a lot of people make this mistake so I would mention it anyway. Inside the plugin archive you will find a file called htaccess.txt. You should NOT upload this file to your plugin directory; rather, you should rename this file to .htaccess and upload it to your backup directory in order to protect it from prying eyes!
b) The default backup directory generated by the plugin is an easily guessable name: "backup-db". Even though the folder contains the .htaccess file I am still not fully confident that it would help secure the backup folder from hackers. The kind of paranoid guy I am, I would go a step further and rename the backup folder to something cryptic. I will then update the "path to backup" in the "DB options" section of the plugin.
Like if the original path was:
/home/username/public_html/wp-content/backup-db
And the name of your new backup folder is:
backup-dbxx5ty
Then the new "path to backup" would be:
/home/username/public_html/wp-content/backup-dbxx5ty
Immediately after you update the path, you may get an error message saying that the path does not exist. As long as your backup folder path is correct and the backup files are being stored there just fine, you can safely ignore this message and it should vanish when you re-visit the plugin page later on! ;)
c) This is another given, but since I got to make this article long and boring, I would mention it anyway: don’t forget to CHMOD your backup folder to 777! If you don’t know how to do the CHMOD, please check out my FTP tutorial.
d) Optionally, WP-DB-Manager can also optimize your database periodically along with backing it up! Optimization helps keep your database clean from broken tables and all other junk! ;) I use this option as well as another plugin called WP-Optimize to manually optimize my database once in a. ;)
e) If you want to backup your database immediately, just click on "Backup DB" link. :D
f) Here we have such terrible internet connection that I cannot really imagine downloading a 100MB SQL database with no disconnection in-between! ;) So I always choose to Gzip my blog database; this makes the backup file smaller (and thus easier to download) for me! I would also suggest that you download the database directly from your server via FTP instead of using your browser download; this would ensure that your database file is fully downloaded with no issues. ;)
To open a .gz file, I use WinRAR.
On one of my blogs however, WP DBManager did not work right (might be an issue of "plugin conflict") so I installed the classic WP-DB-Backup plugin there instead! It is not as versatile as WP DBManager, but pretty simple to use.
WP-DB-Backup plugin automatically creates a random backup folder (unlike WP-DB-Manager) in order to keep it secure from hackers. Nevertheless, I still suggest that you upload this .htaccess file (I "stole" it from the WP-DB-Manager plugin :D ) into your backup folder; unfortunately the plugin author does not provide you with this file in the plugin package.
2. Security Plugins: Please note that most of the plugins discussed here merely offer you what is known as preventive security. When it comes to WordPress security, I basically try to follow the silence is golden philosophy. :D
WP-Security-Scan is the very first plugin I install on a virgin blog to check its security. It offers you a lot of information, but best of all, it tells you about the key vulnerable points of your blog through which hackers may gain an unauthorized entry into your blog. Immediately after installing the plugin, browse to the "Security" and "Scanner" sections of the plugin to check what is wrong with your blog.
Few things you may want to do to make your blog secure:
a) Use a strong admin password: Ideally, your password should contain both uppercase and lowercase alphabets, as well as numbers and symbols; in addition, your password should also be minimum 8-10 characters long. If you own Roboform you can use its password generator to auto-create unique passwords of any strength; if not then you can set it up manually. Make sure that you DO NOT use any easily guessable names or dictionary words as passwords, and don’t forget to change your WordPress password often – first immediately after installing it and then at regular intervals (at least every once 1 month or so).
b) Make sure your server’s file permissions are correct: Secure File Permissions Matter. Unless otherwise required, all files of your server should have 644 permissions and all folders should have 755 permissions by default. Also take a look at Hardening WordPress. ;)
c) Turn off PHP error display: If you are on shared hosting you may not be able to do this unless your host is smart enough to have done it on his own; but if you are on a VPS or dedicated server, you can edit the php.ini file of your server and set display_errors to ‘Off‘. Note that you should do this only on a production site and not a test server, because this setting will stop showing you any and all php errors on your browser (you can however still check the errors by logging into your web hosting control panel and accessing the "error log" there). More info here.
How does this help, you may ask. Let us say a hacker visits your blog, and guesses the URL of a plugin whose vulnerability he knows very well. If the plugin is indeed installed on your blog, and the hacker accesses it as a visitor, the plugin would obviously display an error message to the hacker.
This would convince him that the plugin is indeed installed on your blog and then he would proceed to hack your blog through that plugin’s vulnerability! On the other hand, if he sees nothing except an empty page, he would be dumbfounded and leave your site. As in all matters of life, silence is golden. ;) (interestingly the author also has a plugin by the same name which I am using on one of my blogs).
d) Hide WordPress version from both meta tag and footer: This is important, once again to keep the hacker guessing about your site. If the hacker becomes aware of the version number of your WordPress blog, and if he is aware of even just one of the security vulnerabilities in that version he might use it to the fullest extent to gain access to your blog. For me it is done automatically by my WordPress theme (I use the free semiologic theme which is too good for me to switch to anything else); however, there are also a number of plugins you can use to achieve the same effect (see below).
e) Change user "admin": In my option this is not really required as long as your password is strong and cryptic. Even if your admin username remains "admin", the hacker won’t be able to access your blog unless he knows your password as well! Yet, if you want to change your admin username, you can do it by manually editing your database via PHPMYadmin or using a plugin (note that I have not used either method). Be sure to backup your database before you take this step! If you install WordPress via Fantastico then you get to choose your custom username and password; however, since Fantastico ‘s softwares usually tend to be old you may need to do a manual/automatic upgrade of WordPress after installing it.
f) Change your database table prefix: Yet another thing that you MUST do in order to secure your WordPress installation. By default your WordPress database table prefix is wp_. You can change "wp" to anything you want, such as "wphfjf7_" or "ppplo_", etc. You should do this at the time of installation (and NOT after it) by editing the wp-config.php file (inside that file you will find a section called "// Change the prefix if you want to have multiple blogs in a single database")
Anyway these tips are nothing new. I already mentioned some of these things in an older article of mine. In that article I also mentioned how you can secure your "wp-admin" folder through WP padlock pro (and you can even download it free from there). CAUTION: WP padlock pro plugin is great if your blog does not accept user registrations (such as mine ;) ). BUT…
…if your blog is set to accept registrations from everyone, and if you install WP Padlock Pro there, then the users would have to jump through a few hoops in order to login to your WordPress blog each and every time, and they may not appreciate it. In case of such blogs I recommend two alternative solutions:
Solution#1: Use Theme My Login and Theme My profile to not only hide the admin dashboard completely from non-admin users but also make it look unique. In fact, if you are tired of seeing the same old boring Admin dashboard of WordPress and want to give it a cool look then too these plugins are perfect for you. Best of all, they are very easy to configure!
WARNING: From my own tests on a WP 2.9 blog, I can confirm that the Theme My Profile plugin is incompatible with both the WP-User-Online and TPC-Memory-Usage plugins.
Solution#2: Use WP Hide Dashboard – it hides the whole dashboard from non-admin users except the link to their profile; so that they easily update their profiles easily and at the same time be unable to gain access to your admin area. However, it does not hide the footer links in the admin area; so if you wish to hide them then you should also use the Admin trim interface along with it. The disadvantage of "Admin trim interface" is that it does not offer you a "Per role" configuration option, meaning that anything you choose to hide would be hidden globally – not just from the users but also you!
However the advantage is that it is very easy to use, thanks to the helpful screenshots offered by the plugin author (a more complicated plugin that does the work of both "WP-Hide-Dashboard" and "Admin-trim-Interface" is the Adminimize plugin; however, due to its complicated setup as well as lack of proper documentation in English I had to refrain from using it).
Solution#3: In case solution#2 does not work for you, you can try out DDHideAdmin. It is not as powerful as WP Padlockpro, but it serves one big purpose: it hides the entire admin panel from non-admin users (make sure you are okay with that), thus hiding your WordPress version number as well as other sensitive information from prying eyes! ;)
Another MUST-HAVE plugin for security reasons is Limit Login Attempts (You won’t however need this if you use the WP pad Lock pro software/don’t allow user registrations on your blog). I cannot describe the plugin any better than Vladimir, from whose blog I came to know about it actually! ;) In short, here is how the plugin maybe helpful:
By default, WordPress allows unlimited login attempts to all users, a very good setting for making brute force attacks successful! Mr. Hacker visits your blog and tries to login as an admin using different passwords, to see which one clicks. In theory he might eventually be successful if your chosen password is short and weak and there is no limit to the number of login attempts per visitor/user.
Enter Limit Login attempts! It stops the hacker dead by locking him out right after the 4th unsuccessful login attempt. Poor hacker would now have to wait for another 20 minutes before he could make another attempt. However, if he is locked out for 4 times, then he may have to wait for a whole day before he could make another login attempt. Of course, all these settings are customizable. ;)
WARNING: You, the admin, should remember your passwords really well if you don’t want to be locked out by Limit Login Attempts (if you do get locked out, the only way you can gain access to your admin area is by deleting the plugin from your blog’s plugin directory via FTP). Hmm, let me take this opportunity to shamelessly promote Roboform once more! ;)
Noindex Login plugin adds the "noindex" tag to your WordPress login page. Thus, if a hacker searches for all WordPress login pages, your page won’t feature in the search results. More information on how SEO meta tags work.;)
3. Spam Control Plugins: Can any WordPress blog ever be spam-free? Yes if you close comments and trackbacks. pingbacks, but then, that would defeat the very purpose of blogging and you might as well be happier building static, plain HTML sites instead! ;)
Okay, let us discuss some anti-spam plugins I personally use.
One of the very first plugins you should install on your blog is the bad behavior plugin. The uniqueness of this plugin is that it stops spambots from even visiting your site, thus saving your precious server bandwidth. In short, it works like your blog’s doorkeeper. The default settings of the plugin work very well for me. Be sure to UNCHECK the "Display statistics in blog footer" option, in keeping with the silence is golden philosophy! :)
[UPDATE: Things might change later; however, right now it seems that WP Spam free is no longer maintained and (probably for that reason) has also been removed from WordPress’s official plugin repository. As such, I am striking out the next two paragraphs where I recommended the plugin. There are many other antispam plugins you can choose from: some of which are recommended here and others can be found in the official plugin repository.]
Akismet is installed by default so no use discussing it here. If you are not moderating each and every blog comment manually, then I would suggest you also use the WP Spam free plugin. This would help you get rid of most of the initial spam you would be getting, and Akismet can manage the rest. Again, in keeping with the silence is golden philosophy, you should disable the "Help promote WP-SpamFree?" option. I know it is not very ethical to do but something you HAVE to do if you don’t want your blog to be the target of moronic WordPress hackers! :P
Because WP Spam free is known to get quirky sometimes, it is also recommended that you check the "Blocked Comment Logging Mode" option, so that you can check out the "false positives", that is, legit comments getting caught as spam, if any! Immediately after you enable this option you will see a red message like "The log file may not be writeable. You may need to manually correct the file permissions.
Set the permission for the "/wp-spamfree/data directory to 755 and all files within to 644." This is not exactly an error message but rather a presumptuous warning. ;) In my case I had to CHMOD all files inside the "data" folder to 666 in order for the plugin to work properly; your case maybe different however!
For your own good, I suggest that you DO NOT use plugins like AskApache Password protect, WP-Hashcash, Cookie for Comments, etc., if you are using WP Spam free because they don’t play very well together (and on another note you won’t need to use them, anyway). More Known Plugin conflicts. ;)
WP-Spam-Free cannot however protect you from innocuous, discreet spam comments like the one discussed here, and neither can CAPTCHA, unlike what the OP proposes there. So if this is your problem you can use the Minimum Comment Length plugin to set a minimum length for the comments; comments shorter than this would be automatically disapproved without needing further intervention from you (sorry, does not seem to work on my 2.9 blog; do you know of an alternative?). Along with this you may also want to use Greg’s comment length limiter if you don’t want comments to reach the length of full-blown articles (in my opinion such comments are usually posted in an attempt to overshadow the author of the original article, and mostly found on political blogs).
Would you like to put a stop to email harvesters? Well then use Cryptx, the ultimate email obfuscation plugin. It is designed to obfuscate any mailto: links you use in your articles, as well as the mailto: links posted by users in their comments. ;)
On my blog (no, not this one okay? :D ) I have the following options of Cryptx checked:
i) Presentation: Text for link
ii) General:
-Apply CryptX to: Content, Comments
-Type of decryption: Use Unicode to hide the Email-Link
-Add mailto to all unlinked email addresses.
Hope it helps you with the initial setup, though these are not hard and fast rules! I chose Unicode over JavaScript for obfuscation for the simple fact that I hate JavaScript and also it might not work for users with JavaScript turned off in their browsers.
Is a certain spammer bothering you too much? How about banning his IP permanently? WP-Ban helps you with that and more. If you have WP-Spam-Free installed, then you may not need it; still worth a look! WARNING: WP-Ban does not play very well with WP-Super-Cache, in case you use it; more information can be found here. :)
To be continued…
Disclosure: ArindamChakraborty.com is affiliated to WinRAR and Roboform.
I am using most of the plugins mentioned here. For security purpose even it is important to keep blog updated with new version. Thanks for the great article.
I have never thought about security issues before, I will definately be installing the security plugins now though thanks.
A very good list. I am using some of these plugins and will look at the others.
Ezine Articles recently came out with a new plugin that allows you to submit your posts as articles directly to them from the post>edit page in your WP admin area, whether the post is brand new or already published. It seems that ezine articles has changed their mind about duplicate content.
I installed the plugin on one of my blogs and the only thing I didn’t like was that in the drop down box for submitting what you want in your resource box, you only have the option of choosing one of the resource box configurations you have already set up at ezine. I usually write a custom resource box for each article, so this was an inconvenience.
Do you have any experience with this plugin?
Arindam,
You’re only half right – it’s long, but it’s anything but boring.
Excellent information, particularly for someone as technically-challenged as I am.
Many, many thanks – this page is now part of my reference library.
[…] This post was mentioned on Twitter by Kathy Keefe, Deepak Dutta, chris parsley, topsy_top20k, topsy_top20k_en and others. topsy_top20k_en said: "Huge List of Cool WordPress Plugins-Part 1", http://bit.ly/aQttE9 […]
Very nicely done. I like some others here have not thought a lot about security even though I have been hacked a couple of times.
These are things I need to implement and soon. However, if blogs are so vulnerable is there not anything that resembles a blog that is not so open to being hacked by the those with way too much time on their hands?
I am vaguely familiar with Affiliate Guru and I think it allows for comments to articles. If you know about it, is it also vulnerable in the same was as WP?
Thanks for the tips.
Kathlene
@Kathlene
Virtually anything except a plain HTML is bound to be vulnerable to hackers. It is not just wordpress. Any and all softwares are vulnerable. No matter how much you secure your software, there is no guarantee it won’t be hacked some day or other. WordPress is just more vulnerable than commercial softwares because it is free and opensource, but even commercial softwares do get hacked ;)
I am not familiar with Affiliate Guru. :)
Somehow a hacker recently gained access to my admin account by changing the admin e-mail and then sending himself a password reminder. To avoid this do not use admin as your admin password, rather use something else, also as stated above, use the security plugins, limit login attempts and keep your WP version and plugins up to date.
@Mark
Sorry to hear that your account has been hacked. From what I can tell (and I can tell only about the latest versions) the default admin password issued by wordpress is pretty strong, yet I highly recommend that you change it to something even stronger.
Great article… Even though I preach about backups to all my clients, I have not actually backed up all my sites…. oops.
Thanks.
This post has given me some food for thought and I have already added a couple of these plugins to my list of standard plugins that I install. One item I am not sure of from your text. Do you install both Askimet and WP Spam Free on the same blog
Hi Alec,
Yes I have a niche blog where I have installed both WP spam free and akismet, and so far I don’t have any problems. I did this only after reading the articles of other bloggers and found that many of them have done the same to combat spam because akismet alone is often just not enough. On this blog I have only akismet installed now but if spam gets out of hand then I wud install spamfree too ;)
Akismet takes up where spamfree leaves, so there is very rare possibility of any compatibility issues between them. You would find, as a matter of fact, that WP spam free is blocking 90% of your blog comment spam and akismet is almost sitting idle, only acting up if spamfree occasionally fails to catch a spam comment or two.
Hi,
I’m pretty new to all of this so at this moment most of all the “code talk” is completely over my head ha ha. HOWEVER,
I will definitely check out the security plugins. I’ve never thought of their importance before so thank You!
I’ll be honest, I never installed the security stuff before but then someone just recently came to me with a hacked blog and I started looking into it all… We got the virus off and his blog is all clean, security plugins installed and a warning to him to keep wordpress updated.
The blocking of an IP address is not too effective I found as one spammer I had -had many IP addresses and continued spamming even though I banned on the cpanel, and on WP Spam Free. The best one I found and thanks for your list -was Bad Behavior which was also recommended by my hosting company. It finally put a stop to the bots, and comment spammers. Peace and quiet and no more spam. Thanks Arindam- I always find great information from you.
Forgot to say…. excellent post :)
Thanks Arindam! This is great stuff! I knew I should be worrying more about this kind of thing — but I didn’t know what to do other than worry. Now I have some good things to take action on! Thanks again.
Thank you for another great article. Where else could anyone get that kind of information in such a perfect way of writing? I have a presentation next week, and I am on the look for such information.
This is my earliest time i afflict here. I create so tons absorbing furniture in your blog especially its discussion. From the tons of comments on your articles, I judge I am not the only entire having all the joy here! maintenance up the nice work.
Hi Peter, welcome to my blog :)