With security issues like Heartbleed and hackers breaking into even what we thought to be the most secure areas of the Internet, we all need to start taking some more precautions when it comes to the security of our websites. I know I felt like I needed to take a look at my own security practices and decided to put together a list of tools I’ve used for preventing hacks, security issues, and spam. Most of these are WordPress specific, but some can be applied to any site.
When looking to put a list like this together, I usually reference Annie Cushing’s Must-Have Tools Doc, which has a Spam/Hacking tab. Some of these tools have now been added to that list and you should probably check out not only the security related tools but all of the other great tools in there for marketers and webmasters.
1 – WordPress Firewall
WordPress Firewall blocks hacking attacks on your site by investigating suspicious-looking web requests, detecting SQL injection attacks, and having an option to email you attack reports upon blocking potential hacks. The plugin allows you to set up whitelists for pages and IP addresses that you know can be trusted. You can also set WordPress Firewall up to send a user to a different page if the plugin detects an attack.
Pro tip: Setting up this plugin worked best for me when I uploaded the file to the FTP server, then activated it from the WordPress user interface.
2 – Login Lockdown
Login LockDown records the IP address and timestamp of every failed login attempt. The plugin locks down access to your WordPress site for a range of IP addresses if login attempts exceed a certain number. This helps to prevent brute force password discovery. Administrators can release locked out IP ranges manually from the admin panel.
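To make the lockout mechanism concrete, here is an added example (not Login LockDown's own code) of the bookkeeping such a plugin needs: every failed attempt is logged with its IP and timestamp, failures are counted per address range inside a sliding window, the range is locked once the count crosses a threshold, and an administrator can release it by hand. The /24 grouping, the thresholds and the injectable clock are assumptions made so the example runs offline.

```python
import ipaddress
import time
from collections import defaultdict, deque


def ip_range(ip, prefix=24):
    """Map an IPv4 address to the range that gets locked.
    Locking whole /24 blocks is an assumption; the post only says
    'a range of IP addresses'."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


class LoginLockdown:
    """Track failed logins and lock an IP range after too many failures.

    max_failures failures inside window_seconds lock the range for
    lockout_seconds. `clock` is injectable so the behaviour can be tested
    without sleeping."""

    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=3600, clock=time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.attempts = []                   # (timestamp, ip, username) for every failure
        self.failures = defaultdict(deque)   # range -> timestamps inside the window
        self.locked_until = {}               # range -> unix time the lock expires

    def is_locked(self, ip):
        """True while the caller's range is locked; expired locks are dropped."""
        key = ip_range(ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]
            return False
        return True

    def record_failure(self, ip, username):
        """Log a failed login; return True if this failure triggered a lock."""
        now = self.clock()
        self.attempts.append((now, ip, username))
        key = ip_range(ip)
        window = self.failures[key]
        window.append(now)
        # forget failures that fell out of the sliding window
        while window and now - window[0] > self.window_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self.locked_until[key] = now + self.lockout_seconds
            window.clear()
            return True
        return False

    def locked_ranges(self):
        return sorted(k for k in self.locked_until if self.clock() < self.locked_until[k])

    def release(self, range_str):
        """Manual release, as an administrator would do from the admin panel."""
        self.locked_until.pop(range_str, None)
        self.failures.pop(range_str, None)


if __name__ == "__main__":
    ld = LoginLockdown(max_failures=3, window_seconds=60, lockout_seconds=600)
    for attempt in range(3):
        ld.record_failure("203.0.113.10", "admin")   # constructed attacker address
    print("locked ranges:", ld.locked_ranges())
    print("203.0.113.55 locked?", ld.is_locked("203.0.113.55"))
```

Two design points matter in practice: the window is pruned on every failure, so slow, spaced-out attempts do not accumulate forever, and the lock is keyed on the range rather than the single address, which is what stops an attacker rotating through neighbouring IPs.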
3 – iThemes Security
iThemes Security fixes security holes, stops automated attacks, and strengthens user credentials. The tool blocks users deemed harmful and increases the security of vital information such as passwords and login details. iThemes Security also makes regular backups of your WordPress database and detects hidden 404 errors on your site that can negatively affect your site's visibility to search engines.
4 – Akismet
Akismet automatically detects comment and trackback spam. Each time a new comment, trackback, or pingback is added to your site, it is submitted to the Akismet web service, which runs hundreds of tests on it and returns a thumbs up or thumbs down. They have 20 other plugins for users not on WordPress that also work against comment spam. You can also access Akismet directly through their API, without the use of a plugin.
Pro tip: When registering for an API key, you can choose a personal subscription and set the money paid monthly to $0. The plugin is free for personal use.
5 – BulletProof Security
BulletProof Security protects your site from various kinds of hacking attempts by using .htaccess-based WordPress security protection. The tool uses .htaccess files because the web server processes them before any other code on your website runs, so malicious requests are stopped by the .htaccess rules/firewall before they even have a chance to reach the PHP code in WordPress. Some of the hacking attempts that this plugin protects against include XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection.
6 – Sucuri SiteCheck
Sucuri SiteCheck will check your site for malware, blacklisting and other security issues like .htaccess redirects, hidden eval code, and other issues. The plugin detects SPAM injections, website errors, disabled sites, database connection issues and code anomalies that require special attention. Sucuri SiteCheck also has an option to verify all WordPress core files for changes, which can be useful to detect hidden backdoors.
You can also check for malware, blacklisting, and overall security status without a WordPress account by scanning a site for free at SiteCheck.Sucuri.net. If you need a more extensive recovery plan because your site has already been hit, or need a more comprehensive non-WordPress solution, you can buy a plan with Sucuri.
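The core-file verification Sucuri SiteCheck offers comes down to comparing every file in the installation against a manifest of known-good hashes and flagging anything modified, missing or unexpectedly added. The example below is added here and is not Sucuri's code; it builds the manifest from a constructed "pristine" tree and then checks a tampered copy, which is how you would use it with a clean download of the same WordPress version as the reference.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root, ignore_prefixes=()):
    """Map each file under root (as a forward-slash relative path) to its hash.
    ignore_prefixes lets you skip trees that legitimately change, e.g. wp-content/."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root)).replace(os.sep, "/")
        if rel.startswith(tuple(ignore_prefixes)):
            continue
        manifest[rel] = sha256_of(path)
    return manifest


def verify(root, manifest, ignore_prefixes=()):
    """Compare the live tree with the reference manifest.
    Added files matter as much as modified ones: a backdoor dropped into
    wp-includes/ is a new file, not a changed one."""
    current = build_manifest(root, ignore_prefixes)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: a pristine tree and a tampered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = Path(tmp, "pristine"), Path(tmp, "site")
        for base in (pristine, site):
            (base / "wp-includes").mkdir(parents=True)
            (base / "wp-login.php").write_text("<?php // login\n")
            (base / "xmlrpc.php").write_text("<?php // xmlrpc\n")
            (base / "wp-includes" / "functions.php").write_text("<?php // functions\n")
        manifest = build_manifest(pristine)
        # constructed tampering: append to a core file, drop in a new file, delete one
        with open(site / "wp-login.php", "a") as fh:
            fh.write("// appended line\n")
        (site / "wp-includes" / "extra.php").write_text("<?php // unexpected file\n")
        (site / "xmlrpc.php").unlink()
        return verify(site, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Keep the manifest somewhere the web server cannot write to; a reference stored inside the site can be altered by the same compromise it is meant to detect.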
7 – MX Toolbox
MX Toolbox allows users to check the status of a submitted URL, IP address, or host name to see whether it has been blacklisted, and to check its MX record, DNS servers, and SMTP diagnostics. There are also a number of other services that can be requested via commands placed before the submitted text. If you click the “Other tools” link below the list of commands, you can use any of the command functions' individual search bars. Links in the results will guide you to other relevant tools and information.
8 – Google Safe Browsing Tool
Google’s Safe Browsing Tool will let you know if your site is hosting any malicious software. Add your site to the end of the URL (replacing mysite.com) to get the current listing status of your site, what happened when Google visited the site, and other history records. The tool also reports when Google last visited the site and whether or not suspicious content was found in the last 90 days.
9 – BackWPUp
BackWPUp allows you to download a backup of your site with one click. However, it provides options to customize your backup too, such as adding a WordPress XML export, choosing which files get backed up, selecting your preferred backup file format, and specifying where the backup is stored. The plugin can also be used to save your complete installation, including /wp-content/, and push it to an external backup service such as Dropbox, S3, FTP and more.
10 – VaultPress
VaultPress provides daily and real-time syncing of all your WordPress content. The tool performs security scans daily and allows users to review and fix threats. Options are available to view all of your past backups and restore your site back to any of its previously saved versions. Users are also able to set up multiple sites with VaultPress and manage them all from one tool.
Unfortunately, this is the only plugin listed here that doesn’t have a free option, but it was created by the same people who created and manage WordPress, so it’s a high-quality tool.
What website security tools are you using? Feel free to share in the comments!