If you already have a theme installed, you might want to run a security scan, or have a security-minded developer look through the theme code. Ditto for any plugins you might have.
After you’ve selected your theme, the next step is to start picking plugins. When it comes to plugins, you need to be just as careful as you were with picking a theme: every plugin is third-party code that runs with the full privileges of your site, so each one adds attack surface. Even popular plugins can contain vulnerabilities, developers can be slow to fix them (or, in the worst case, put them there themselves), and an abandoned plugin never gets fixed at all. For that reason, I recommend using as few plugins as possible to get the job done, keeping the ones you use updated, and deleting (not just deactivating) any you stop using, since a deactivated plugin’s files stay on disk and remain directly reachable over the web. That said, from a security perspective, here are the plugins I highly recommend:
- Better WP Security (since renamed iThemes Security) – This is an all-in-one security option that handles a variety of the tactics covered in this post. Its features overlap with other plugins on this list, so enable each protection in only one place rather than stacking them. Free.
- Limit Login Attempts – Exactly what it says: it locks out an IP address after a set number of failed logins, which is a phenomenal way to blunt brute-force attacks against wp-login.php. Caveat: because it keys on IP, an attack spread across many addresses can stay under the threshold, and legitimate users behind a shared NAT can be locked out together, so pair it with strong passwords and two-factor rather than relying on it alone. Free.
- Akismet – Filters comment and trackback spam before it ever touches your site. Spam is not a compromise by itself, but a site that accepts anything posted to it advertises weak input handling, and spam comments are a common vehicle for malicious links, so make it a hardened target on all fronts. Free for personal sites, paid for commercial use.
- Sucuri Security – When you pay for this service, you get a plugin to install on your site that helps with monitoring and hardening. It overlaps with other plugins here, such as Limit Login Attempts and Better WP Security, so you don’t want to run all of them at once. Paid.
- CodeGuard – Automatic off-site backups that let you easily roll back if you ever do get hacked; people don’t back things up nearly as often as they should, so doing it automatically is handy. Two caveats: a rollback restores the site but not the hole the attacker came in through, so fix that (update or remove the vulnerable component, rotate credentials) before or alongside restoring, and test a restore periodically, because a backup you have never restored is an assumption, not a backup. Paid.
- CloudFlare – CloudFlare is a CDN, but it is also a reverse proxy that sits in front of your site, hides your origin server’s IP address, and filters a lot of hostile traffic before it reaches you; it comes in both free and paid versions. Caveat: it only protects traffic that actually passes through it, so configure your host’s firewall to accept web traffic only from CloudFlare’s published IP ranges; otherwise an attacker who learns the origin address simply goes around it.
- Google Authenticator – Enables time-based one-time-password (TOTP) two-factor authentication on WordPress logins, which is awesome. I use two-factor wherever it’s offered, because it rocks. One check to make with any 2FA plugin: confirm it also covers XML-RPC (xmlrpc.php) and not just the login form, and if you don’t need XML-RPC, disable it. Free.
- Stealth Login Page – You can’t crack what you can’t find. This plugin moves your login page to a non-default URL without needing to edit .htaccess files. Caveat: this is obscurity; it cuts down the noise from automated scanners but does not stop a targeted attacker who locates the new URL, so treat it as a complement to lockouts and two-factor, not a replacement. Free.
- WordPress SEO by Yoast – Not only does this have great SEO benefits, but it allows you to easily edit your .htaccess and robots.txt files from within the WordPress admin, which is very handy. The convenience cuts both ways: anyone who gains admin access can then rewrite your web server rules, so keep a copy of the known-good .htaccess somewhere off the site. Free.
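To show what a "limit login attempts" plugin actually does under the hood, here is a minimal per-IP login throttle written as a WordPress must-use plugin. This is an added illustration, not the code of Limit Login Attempts or any other plugin above; the thresholds, the `example_lt_` function names, and the use of transients for storage are my assumptions. Because it hooks the `authenticate` filter rather than only the login form, the lockout also applies to XML-RPC logins, which pass through the same filter.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (mu-plugin)
 * Description: Added illustration of per-IP login throttling. Copy to
 *              wp-content/mu-plugins/example-login-throttle.php to activate.
 *              Not the Limit Login Attempts plugin's own code.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Never run outside WordPress.
}

// Tunables (assumed values; adjust to taste).
define( 'EXAMPLE_LT_MAX_ATTEMPTS', 5 );                     // failures before lockout
define( 'EXAMPLE_LT_WINDOW', 15 * MINUTE_IN_SECONDS );      // window in which failures count
define( 'EXAMPLE_LT_LOCKOUT', 30 * MINUTE_IN_SECONDS );     // how long a lockout lasts

/**
 * Client IP used as the throttling key.
 * Caveat: behind CloudFlare or any other reverse proxy, REMOTE_ADDR is the
 * proxy's address, so every visitor would share one counter unless the real
 * client IP is restored at the web server (e.g. Apache's mod_remoteip).
 * Do not trust X-Forwarded-For blindly: on a direct hit it is attacker-supplied.
 */
function example_lt_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return sanitize_text_field( wp_unslash( $ip ) );
}

/** Transient name for this IP; hashed so the IP never becomes part of an option key. */
function example_lt_key( $suffix ) {
    return 'example_lt_' . $suffix . '_' . md5( example_lt_client_ip() );
}

/**
 * Refuse authentication while the IP is locked out. Priority 30 runs after
 * WordPress's own username/password check (priority 20), so the lockout
 * holds even when the password is correct, and it covers XML-RPC as well.
 */
function example_lt_authenticate( $user, $username, $password ) {
    if ( get_transient( example_lt_key( 'lock' ) ) ) {
        return new WP_Error(
            'example_lt_locked',
            __( 'Too many failed logins from your address. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lt_authenticate', 30, 3 );

/** Count a failure; lock the IP once the threshold is reached. */
function example_lt_failed( $username ) {
    $key   = example_lt_key( 'fail' );
    $count = (int) get_transient( $key ) + 1;           // false (no transient) casts to 0
    set_transient( $key, $count, EXAMPLE_LT_WINDOW );

    if ( $count >= EXAMPLE_LT_MAX_ATTEMPTS ) {
        set_transient( example_lt_key( 'lock' ), time(), EXAMPLE_LT_LOCKOUT );
        delete_transient( $key );
        // Leave an audit trail for whatever watches the PHP error log.
        error_log( sprintf(
            'example_lt: locked out %s after %d failures (username "%s")',
            example_lt_client_ip(), $count, $username
        ) );
    }
}
add_action( 'wp_login_failed', 'example_lt_failed' );

/** A successful login clears the failure counter for that IP. */
function example_lt_success( $user_login ) {
    delete_transient( example_lt_key( 'fail' ) );
}
add_action( 'wp_login', 'example_lt_success' );
```

Transients live in the options table (or the object cache, if one is installed), so a non-persistent cache can drop a lockout early; a real plugin would store counters in its own table. The same IP-keying caveat given for Limit Login Attempts applies here: a distributed attack spreads its failures across addresses, and a shared NAT shares one counter, so this is a speed bump to layer under strong passwords and two-factor, not a complete defence.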
If you opt to use WP-Engine for your hosting, be aware that they are very strict on what plugins they do and don’t permit. I find this pretty annoying, and while I understand their reasons, I really like some of the plugins they don’t permit.