If you’ve been following my blog for a while, I’m sure it’s clear to you that I like toying with WordPress; unfortunately, there are people out there who like toying with other people’s WordPress installations as well.
People’s blogs get hacked on a daily basis. A simple Google search for “my blog was hacked” returns 2,620,000 results.
I tend to think of blog security like the progression of driving a car through the years.
At 16, when you’re new to driving, you know that driving safely is good, but you don’t do it. Instead, teens tend to drive more carelessly than older, more seasoned drivers. The one time one of these teens gets into a serious accident, though, a light bulb turns on and they realize just how dangerous it is to drive carelessly.
The problem is, the cycle just rinses and repeats itself. As that teen ages, new teens begin driving and take to the roads, and can you guess how they drive?
The same holds for blogging. When newbies begin blogging, either they don’t know the statistics on blog security or they don’t think it will ever happen to them. Then one day, if they do get hacked, blog security suddenly becomes an issue. If, however, they are lucky enough not to get hacked early on (i.e. as they age), they begin to realize blog security is becoming more and more important, since they have a lot more to lose (posts, comments, design, etc.).
2 WordPress Security Plugins You Should Consider
1. Chap Secure Login
In order to log into WordPress, you need to enter a username and password. The problem is, unless you log in over an SSL connection (tutorial post coming soon), this information is sent across the Internet unprotected and can be seen by snooping eyes.
That’s where the Chap Secure Login plugin comes in.
Chap stands for Challenge Handshake Authentication Protocol. The plugin hashes your password with the MD5 algorithm in JavaScript, combining it with a one-time challenge from the server (the “challenge handshake”), so that only the resulting hash, and never the password itself, is sent to your web host.
Whenever possible, I suggest logging into your WordPress blog through SSL, but if that’s not an option for you, I highly suggest using this plugin. The best part is, there’s no configuring: just upload and install the plugin and you’re all set.
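As an added example (not the plugin’s own code), here is the challenge/response shape that Chap Secure Login relies on, written in Python rather than the plugin’s JavaScript. The way the challenge is combined with the password and the secret the server keeps to check the response are assumptions for this demo; the page does not describe the plugin’s exact construction.

```python
import hashlib
import hmac
import secrets

# Constructed credential store. Assumption: the server keeps md5(password) so it can
# recompute the expected response. How the real plugin stores its secret is not
# described on the page.
USERS = {"admin": hashlib.md5(b"correct horse battery staple").hexdigest()}


def client_response(password: str, challenge: str) -> str:
    """Browser side (the plugin does this in JavaScript): hash the password together
    with the server's one-time challenge. Only this digest goes over the wire."""
    secret = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((challenge + secret).encode()).hexdigest()


class LoginServer:
    """Server side: a fresh challenge per login form, consumed when verified."""

    def __init__(self) -> None:
        self.pending: dict[str, str] = {}  # username -> outstanding challenge

    def login_form(self, user: str) -> str:
        challenge = secrets.token_hex(16)  # new random nonce on every form load
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, response: str) -> bool:
        challenge = self.pending.pop(user, None)  # one-time use: a replay finds none
        if challenge is None or user not in USERS:
            return False
        expected = hashlib.md5((challenge + USERS[user]).encode()).hexdigest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    srv = LoginServer()
    # 1. Legitimate login: the password never leaves the browser, only the response.
    c1 = srv.login_form("admin")
    r1 = client_response("correct horse battery staple", c1)
    login_ok = srv.verify("admin", r1)
    # 2. A response recorded off the wire is useless against the next challenge.
    srv.login_form("admin")
    replay_ok = srv.verify("admin", r1)
    # 3. A wrong password against a fresh challenge is rejected.
    c3 = srv.login_form("admin")
    wrong_ok = srv.verify("admin", client_response("guess", c3))
    return {"login_ok": login_ok, "replay_ok": replay_ok, "wrong_password_ok": wrong_ok}
```

The scheme only keeps the password off the wire: someone who records a (challenge, response) pair can still guess weak passwords offline, and the session cookie issued after login is not protected, which is why SSL for the whole Dashboard session is the better option.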
2. WordPress File Monitor
Securing WordPress is great, but as I’ve mentioned before, it’s impossible to secure WordPress 100%. Just as important as keeping your WordPress from being hacked in the first place is knowing when your blog has been hacked.
Matt Walters developed an excellent file monitoring plugin called WordPress File Monitor, which watches all your files for any alterations made to them.
Many times WordPress crackers will attempt to insert malware or spam links directly into your WordPress files. That code can be designed to do just about anything, including pushing malware onto your visitors’ computers.
The WordPress File Monitor plugin checks each of your files for changes inside them. So if, for example, someone uploads malicious code into your footer.php file, the plugin would capture that change and email you that a change has occurred. There’s also a notification in your Dashboard.
Once notified, you can head over to that file and check for anything suspicious.
As a bonus, this plugin can also be configured to monitor and report changes to files outside of your WordPress directory. This is a huge plus for those of you who run a static HTML website as your home page and have WordPress installed in a separate directory, like /blog.
Here are a couple of screenshots from this plugin:
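An added example, not the WordPress File Monitor plugin’s own code, showing the mechanism the last few paragraphs describe: hash every file under one or more directories, keep that baseline, and report what was added, removed or modified since. The site layout (a static public_html plus WordPress in /blog), the edited footer.php and the new file in uploads are all constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def snapshot(roots):
    """Map 'rootname/relative/path' -> sha256 for every regular file under each root.
    Passing several roots covers a static home page outside the WordPress directory."""
    snap = {}
    for root in map(Path, roots):
        for p in sorted(root.rglob("*")):
            if p.is_file():
                key = f"{root.name}/{p.relative_to(root).as_posix()}"
                snap[key] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Classify every change since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed layout: static home page in public_html, WordPress in blog/."""
    with tempfile.TemporaryDirectory() as tmp:
        site, wp = Path(tmp, "public_html"), Path(tmp, "blog")
        theme = wp / "wp-content" / "themes" / "default"
        theme.mkdir(parents=True)
        site.mkdir()
        (site / "index.html").write_text("<html><body>Home</body></html>\n")
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n")
        # The baseline is serialised; in practice it is kept outside the web root.
        baseline_json = json.dumps(snapshot([site, wp]))

        # Constructed unwanted edit to footer.php plus a new file in uploads/.
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n<!-- unexpected edit -->\n")
        (wp / "wp-content" / "uploads").mkdir()
        (wp / "wp-content" / "uploads" / "unexpected.php").write_text("<?php // placeholder ?>\n")

        return diff_snapshots(json.loads(baseline_json), snapshot([site, wp]))
```

Keep the baseline outside the web root (or off the server entirely), so that whoever can edit footer.php cannot also edit the record you compare it against.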
Have you thought about blog security lately?
How would you feel if one day you found your blog has been cracked into?
Would you be prepared to deal with the problem and make your blog right?
If you’re interested in keeping up to date with the latest in blog security, WordPress, and my own personal blogging tips, you can subscribe to my RSS feed here. Also, if you’re interested in locking down your WordPress blog and adding some security features to it, I can do that for you.
October 19th, 2009 at 5:20 am
Hi John – Are these two plug-ins part of the security features you typically install for your clients? It seems they cover the most vulnerable points of entry (the WP login and the file/database system). Are there any others we should guard? Thanks.
Betsy Wuebker’s last blog: LOCAVORES, MORE AND MORE
October 19th, 2009 at 9:35 am
Hi Betsy, I’ve recently discovered these plugins so I don’t think these were installed on your blog. If you like, I’ll plug ‘em in for you. Just let me know. In fact, your comment has inspired me to email other clients to inform them as well.
As far as other guards, even better than the Chap plugin is if you log in and connect to your Dashboard through SSL; that way your entire session is encrypted. Areas which you might want to include are the login page and the users and profile pages, where a user will change a password. I’ll talk more about that soon.
As I recall, you have these set up, but it’s important to have the WordPress Security Keys set up as well. Those basically help to encrypt passwords stored in session “cookies” so people who intercept them on the Internet can’t see your password.
October 19th, 2009 at 10:31 am
Useful. Thanks!
vered | blogger for hire’s last blog: A Beautiful Winter Poem, and a Rant on SEO
October 19th, 2009 at 10:40 am
Hi Vered, no problem.
Also I wanted to say that was a beautiful poem on your latest blog post. I’m not all that much into poems, but that one was real good.
October 19th, 2009 at 11:21 am
Hi John
I think that you may have scared me into looking at security.
As you say it is the newbies like me who are easy prey.
The Chap Secure Login plugin looks about right for me... if all you have to do is upload and activate.
P.S. Good to see that you are fully up to date with the “MD5 hashing algorithm”!
Keith Davis’s last blog: easy peasy!
October 19th, 2009 at 11:42 am
Hi Keith, didn’t mean to scare you – but I’m glad I did. It is a big issue and I don’t think enough people worry about it until it’s too late. The risk for me is that by blogging about this stuff it might make people actually “try” to hack my site.
Oh well, what are you gonna do? People need to know about this stuff, right? You don’t even want to know how many backups and protected/restricted mirror sites I have for my blog LOL.
October 19th, 2009 at 9:30 pm
Great analogy with the car accidents. Unfortunately, most people are teen drivers on the information superhighway. (Do they still call it that?)
These look like terrific plugins. I’m telling everyone I know about them.
Hunter Nuttall’s last blog: Finding Your Primary Color, And Making The Leap
October 19th, 2009 at 9:49 pm
Hi Hunter, thanks for stopping by. Hmm... information superhighway, no I don’t think the young’uns call it that. Nowadays they call it MySpace.
Thanks for spreading the word, I think these plugins are excellent plugins for added security.
October 20th, 2009 at 7:56 am
Have you thought about blog security lately? All the time. With open-source software, it’s a real shame that people try to break into such a great application.
How would you feel if one day you found your blog has been cracked into? I’d have a “fun” time trying to fix it... that’s for sure!
Would you be prepared to deal with the problem and make your blog right? Most likely; I can’t have a broken website!
I’ll have to look into those two useful plugins..
BTW – Do you know how to edit .htaccess files? I’m trying to get two things to happen:
Add Expire Headers to my images, javascript and stylesheets
AND
Use zlib to compress CSS and JS to the user
Let me know if you have any knowledge on the subject. Thanks.
Brad Ney’s last blog: Bouncing Higher than 80%? Heres 7 Ways To Reduce Your Blog’s Bounce Rate
October 20th, 2009 at 2:46 pm
Hi Brad. There are two ways to edit your .htaccess file.
1. Open up your File Manager in your web hosting control panel and navigate to your WordPress directory; it should be the one with the /wp-content, /wp-admin, and /wp-includes folders in it. There you should see a .htaccess file. If you don’t, simply create a “New File” and save it as .htaccess.
If the file is there, tick the check mark next to it and, using your control panel’s File Editor, open the file so you can edit it.
In this video about setting up FeedBurner, I give an example of how to open and edit your .htaccess file in this way (watch Video 3 at about 1:30 into it).
2. The other way to edit the file is to download it to your computer (or create a new file using a word processor and name it .htaccess), edit it as you like, and upload it to your WordPress’ directory.
As for Future Expires, here’s some code I’ve used before (can’t remember what website I found it from):
# Add future Expires to headers
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 seconds"
    ExpiresByType text/html "access plus 1 seconds"
    ExpiresByType image/gif "access plus 2592000 seconds"
    ExpiresByType image/jpeg "access plus 2592000 seconds"
    ExpiresByType image/png "access plus 2592000 seconds"
    ExpiresByType text/css "access plus 604800 seconds"
    ExpiresByType text/javascript "access plus 216000 seconds"
    ExpiresByType application/x-javascript "access plus 216000 seconds"
</IfModule>
# Add Cache-Control headers
<IfModule mod_headers.c>
    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
        Header set Cache-Control "max-age=2592000, public"
    </FilesMatch>
    <FilesMatch "\.(css)$">
        Header set Cache-Control "max-age=604800, public"
    </FilesMatch>
    <FilesMatch "\.(js)$">
        Header set Cache-Control "max-age=216000, private"
    </FilesMatch>
    <FilesMatch "\.(xml|txt)$">
        Header set Cache-Control "max-age=216000, public, must-revalidate"
    </FilesMatch>
    <FilesMatch "\.(html|htm|php)$">
        Header set Cache-Control "max-age=1, private, must-revalidate"
    </FilesMatch>
</IfModule>
October 20th, 2009 at 4:25 pm
Thanks for pasting that code in there. It’s just that when I download the .htaccess file and add the code to it, and then reupload to the webserver, it returns a 500 Internal Server error.
I’ll let you know the results of the above code though.
Brad Ney’s last blog: Bouncing Higher than 80%? Heres 7 Ways To Reduce Your Blog’s Bounce Rate
October 20th, 2009 at 7:35 pm
Hi Brad, I sent you an email.
October 21st, 2009 at 1:27 pm
Okay this is probably going to sound dumb but what does SSL stand for? And I’ll pick this post up again from there.
Jannie Funster’s last blog: Rose DesRochers: Just how Great IS She?
October 21st, 2009 at 4:52 pm
Hi Jannie.
SSL stands for Secure Sockets Layer and basically what it does is allow for transfers of information over the Internet, such as your username and password, to be done in an encrypted manner.
When I connect to my WordPress Dashboard, it’s done through SSL which means my username, password, and a lot of what I do through WordPress admin is done with a secured connection which makes it hard for someone to swipe my login information by watching data transferred over the Internet.
You know when you go to a website to buy something and you see that little lock box in the status or URL bar (depends on your browser)? That means you’re on a site that is encrypted with SSL. Most credit card processing pages use SSL so your credit card info is sent over the Internet encrypted.
I don’t have my blog’s front end encrypted because there are some aspects of it which are not sent in an encrypted manner, like images I’ve linked to. Because of this, some browsers like IE will pop up a warning that parts of the site are encrypted and parts aren’t. I don’t want my visitors seeing that confusing pop-up every time they come to my blog.
Here, you can view this article through my SSL secured connection by putting https:// in the URL instead of http://
https://wpbloghost.com/blog/wordpress-security-plugins/
Ok so that’s a really quick thing about it. I’ll be drafting up a post about it soon.
For WP Blog Host customers, the process is pretty easy because we set most of it up for you…but again, more on that later.
November 14th, 2009 at 10:47 am
Nice one, John. CHAP secure login is the perfect alternative for those without SSL. Just started using it. Thanks for covering
November 14th, 2009 at 11:32 am
Thanks for informing us about these two plugins.
I would like to ask you a few questions:
1. Will the use of the CHAP plugin slow down the loading speed of my blog?
2. The File Monitor will just notify about the changes; is there any plugin which removes those particular changes made to the files?
Sunny Bhasin’s last blog: List of Best PDF Search Engines
November 16th, 2009 at 5:06 pm
Joseph
No problem Joseph. Glad my post has helped you make your blog a little more secure. SSL isn’t all that expensive to set up. You should look into it. It’s much better because it encrypts password changes, creation of new users, etc.
Sunny Bhasin
Thanks for stopping by and leaving a comment. Here are some answers to your questions:
1. Will the use of the CHAP plugin slow down the loading speed of my blog?
I didn’t design the plugin and haven’t examined every aspect of it, however I can say that I use that plugin on other blogs I own and as far as I can tell nothing has changed. Do keep in mind, though, that every plugin you add to your site will slightly slow down the load time of your blog. The bigger and more complex you make your site, the slower it will load.
I think the security feature of the plugin outweighs the negativity of adding yet one more plugin to your blog.
2. The File Monitor will just notify about the changes; is there any plugin which removes those particular changes made to the files?
The closest I know of would be the WordPress Firewall plugin. See this article here.
The firewall plugin will limit who can edit certain files contained inside your WordPress installation – including widgets; however, it doesn’t cover every file on your hosting server.