Make Money from Blogs » Block

WordPress security tips (part 9) – Plugins to secure your blog

ashish — Thu, 03 Dec 2009 14:22:53 +0000

In continuation of an earlier series of posts towards making your WordPress installation more secure, here are some more plugins and steps to increase the security of your WordPress installation. An important plugin that can help in ensuring that you are able to detect the security leaks in your WordPress installation is called “WordPress scanner”.

WordPress scanner (learn more at this link).
Running it is fairly simple, you have to move a plugin to your plugins directory and activate it. The plugin will add a link to your WordPress template. Once you are done, you need to disable the plugin (and be sure to do so). Once you have activated the plugin, you need to go to the wpscan page (link) and enter your blog details.

In addition to plugins, you need to evaluate the following.
- Check with your web hosts about whether directory browsing is allowed by default, if no index.html file is present. A lot of hosts have turned that off by default, but if it is on, then you should add an index.html file in your plugins directory; you don’t want people to know which plugins you are using
- Keep your WordPress installation updated, and one way to do the automatically is by using the “WordPress Automatic Upgrade plugin” (link) – Also, WordPress 2.7 onwards has an integrated update feature which you should use.
- Check for the security levels on your Forms / Comments input page. Use a more secure mailer for WordPress (Secure Form Mailer Plugin For WordPress)
- Don’t use plugins without reading a bit more about them. Plugins are made with the best of intentions, but it is quite possible that a plugin can lead to a security hole.

WordPress security tips (part 8) – Plugins to secure your blog

ashish — Sun, 29 Nov 2009 15:14:23 +0000

In continuance of an exploration of a series of articles that explore how to increase the security level of your WordPress blog, I will be presenting information on 2 more plugins in this post. These deal with increasing the security level of the Admin section of your blog (very important) through the use of SSL; this increases the security of the connection between your client and the Admin section of your blog by adding a higher level of encryption for the transmission of information (thus ensuring that it is more difficult to intercept this password).

Admin SSL:
This plugin enhances the security level of the admin and wordpress login pages. Read more at this link.

- Supports All SSL Setups (Private and Shared)
- Encrypts cookie contents
- Compatible with all versions of PHP 4 and 5
- Easy to install (1 file uploaded)

Force SSL Plugin:
This plugin ensures a much higher level of security for your entire blog, forcing your users to use SSL. However, you will need to get a certificate for your blog, and that can be somewhat expensive, from a 3rd party certificate provider. This method ensures that your interaction between the client and the server is free of interception.

WordPress security tips (part 7) – Plugins to secure your blog

ashish — Sun, 29 Nov 2009 14:30:38 +0000

In the search to find more ways to secure your WordPress blog, using Plugins to ensure that you can increase the security level of your blog should form an important part of your strategy. These plugins can help in working through various needs that you may have, whether it is for fixing some flaws you have, and or even when you provide premium content, and are looking for a way to ensure that only those users who are paying customers get a chance to view these entries.
For ensuring only premium customers can view content: “Authenticated WordPress Plugin”
Read more about this content at this location (link).

This WordPress plugin (tested on 1.5.x & 2.0) will make your blog accessible only to logged in users. A must-have for paid-content publishers and privacy concerned bloggers. This is a simple zero configuration plugin. It allows you to view any content, if and only if you are logged in. No configuration is required. Just activating the plugin is all you need to do and if you followed the installation steps above then you have already done that.

As part of a higher level of security, it is also important to know which of your files allow applications to write to them, even if it is only WordPress that can write to these files. For this purpose, you should know which of your files are writable, and which of your files are totally locked down. But how will you know this until you do a scan of your files. And for this purpose, you have a File Scanner called “WP Security Scan” (learn more)

Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
-passwords
-file permissions
-database security
-version hiding
-WordPress admin protection/security
-removes WP Generator META tag from core code

WordPress security tips (part 5) – Plugins to secure your blog

ashish — Thu, 26 Nov 2009 14:14:29 +0000

There is a huge amount of information available on the internet for helping to secure your WordPress blogs, including using plugins that have been shared by helpful people. What is required is for you to be vigilant, read up current WordPress security issues, and keep your blog updated to the latest WordPress version.

Limit Login Attempts Plugin:
Wordpress currently allows anybody to attempt trying to login multiple number of times, and this can be seen as a problem in terms of security. Major ecommerce, banking and other such sites have restrictions that accounts get locked if people try to use a wrong combination of account ID and password, and this is very useful since it prevents people from trying to do a brute force attack. However, with WordPress not having such a restriction, it becomes difficult to prevent this type of attack if somebody is trying to attack you. However, there is a Plugin that allows you to restrict the number of login attempts. This is the “Limit Login Attempts” plugin available at this location (link).

Features
- Limit the number of retry attempts when logging in (for each IP). Fully customizable
- (WordPress 2.7+) Limit the number of attempts to log in using auth cookies in same way
- Informs user about remaining retries or lockout time on login page
- Optional logging, optional email notification
- Handles server behind reverse proxy

Semisecure Login Reimagined Plugin:
This plugin needs JavaScript to work, and if JavaScript is enabled, it will encrypt the password from the client end before it is sent to the server, and is then decrypted at the server end. If no JavaScript, then the password is sent in clear text. Available on this site (link)

Is this really secure?
Short answer: No, but it’s better than nothing.
Without SSL, you’re going to be susceptible to replay attacks/session hijacking no matter what. What this means is that if someone is able to guess or learn the session ID of a logged-in user (which would be trivial to do in an unprotected wireless network), then essentially they could do anything to your WordPress site by masquerading as that user. The point of this is to prevent your password from being transmitted in the “clear.” If someone is in a position where they can learn your session ID, under normal circumstances, they’d also be able to learn your password. The proper use of this plugin removes that possibility.

WordPress security tips (part 4) – WordPress Guard Plugin

ashish — Tue, 24 Nov 2009 18:38:02 +0000

Part of guarding your WordPress Installation is by adding an extra layer of security around your Admin area; and you can bet that a number of people do not even think about the Admin area being a vulnerable area in terms of security. Fortunately, WordPress has an extensible plugin structure that allows users to extend its functionality, just like this security plugin – the ‘WordPress Guard Plugin’ does. This is a plugin created by Angsuman, who has created many other WordPress Plugins. This Plugin can be downloaded from this location (link), and you can get Readme, Installation Instructions, etc from this location.
What does the Plugin claim ?

Angsuman’s WordPress Guard Plugin gives you an extra layer of protection over the usual authentication in WordPress? login page. If you try to enter the administrator panel, you will be prompted for an username and password even before you can access the wp login page or any other page in the admin panel. This protects against known as well as yet unknown vulnerabilities in WordPress administration scripts.

Of course, just getting a Plugin is not enough; if you are a serious user of WordPress and have an active blog, then it makes sense for you to protect your blog against attack.