Written on October 7, 2010 by  /  with 2 comments  /  in the Wordpress Tips category.

The Only 4 WordPress Security Plugins You Need


To keep your blog safe from hackers there are really only 4 plugins that you need. That doesn’t mean that all you have to do is install these 4 plugins and your blog is completely safe; there are other things that need to be done along with installing them. Follow these steps (article coming soon) to find out what else you need to be doing to keep your blog protected.

But as far as plugins are concerned… these are the 4 that get the job done. Everything else is just wasting your time.

1. Secure WordPress

Secure WordPress is one of the most popular security plugins for WordPress. Most of what it does is remove information that tells an attacker, or an automated scanner, which version of WordPress you run and which user accounts exist, so that known exploits cannot be aimed at your site as easily. Here is the specific list of what it does:

  1. Removes error information from the login page, so a failed login no longer reveals whether it was the username or the password that was wrong
  2. Adds a virtual index.php to the plugin directory, which stops the web server from listing your installed plugins
  3. Removes the WordPress version from the front end, except in the admin area
  4. Removes the Really Simple Discovery link
  5. Removes the Windows Live Writer link
  6. Removes core update information for non-admins
  7. Removes plugin update information for non-admins
  8. Removes theme update information for non-admins (WP 2.8 and higher only)
  9. Hides the WordPress version in the backend dashboard for non-admins
  10. Adds a string for use with WP-Scanner
  11. Blocks bad queries
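As an added example, not the Secure WordPress plugin's own code: the following must-use plugin implements items 1, 3, 4, 5, 6, 7, 8 and 9 of that list directly with WordPress core hooks, so you can see what "removes the wp-version" or "removes Really Simple Discovery" actually changes. The hooks, capabilities and the `__return_null` helper are core APIs; the `example_` function names are this example's own. Items 2, 10 and 11 are not reproduced.

```php
<?php
/*
Plugin Name: Example header hardening
Description: Added illustration, not the Secure WordPress plugin. Save as
             wp-content/mu-plugins/example-hardening.php; must-use plugins
             load automatically and cannot be deactivated from the admin.
*/

// Item 3: drop the generator tag (<meta name="generator" content="WordPress x.y" />)
// from <head>, and the matching <generator> element from feeds, which call
// the_generator() directly and are filtered separately. Core still shows the
// version inside the admin area, which item 9 handles for non-admins.
remove_action('wp_head', 'wp_generator');
function example_blank_generator($generator, $type) {
    return '';
}
add_filter('the_generator', 'example_blank_generator', 10, 2);

// Items 4 and 5: the RSD and Windows Live Writer <link> tags point at xmlrpc.php
// and wlwmanifest.xml respectively, which tells any scanner this is WordPress.
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

// Item 1: core says "Invalid username" for an unknown account and "incorrect
// password" for a known one. One generic message stops an attacker from using
// the login form to confirm which usernames exist before brute-forcing them.
function example_generic_login_error($message) {
    return 'Login failed. Please check your username and password.';
}
add_filter('login_errors', 'example_generic_login_error');

// Items 6, 7, 8 and 9: hide update nags and the version footer from users who
// cannot act on them. Anyone who may update core (administrators) still sees them.
function example_hide_updates_from_non_admins() {
    if (current_user_can('update_core')) {
        return;
    }
    // A non-false value from pre_site_transient_update_* short-circuits the
    // corresponding update check, so no "update available" notice is built.
    add_filter('pre_site_transient_update_core',    '__return_null');
    add_filter('pre_site_transient_update_plugins', '__return_null');
    add_filter('pre_site_transient_update_themes',  '__return_null');
    // The yellow "WordPress x.y is available!" bar is hooked at priority 3.
    remove_action('admin_notices', 'update_nag', 3);
    // Blank the "Version x.y" text in the dashboard footer (core adds it at 10).
    add_filter('update_footer', 'example_blank_footer', 11);
}
function example_blank_footer($content) {
    return '';
}
add_action('admin_init', 'example_hide_updates_from_non_admins', 1);
```

To check that it worked, fetch your front page with `curl -s http://www.myblog.com/ | grep -i -E 'generator|rsd|wlwmanifest'` (substituting your own domain); it should print nothing. Note that hiding the version only slows an attacker down: the versions of your installed plugins and themes remain readable from their readme.txt and style.css files, and WordPress itself reveals its version through other paths (the readme.html in the web root, for one), so this is no substitute for actually updating.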

2. Login LockDown

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery. Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel, and administrators can release locked-out IP ranges manually from the same panel. Bear in mind that a lockout keyed on the source address does not stop an attacker who spreads the attempts across many addresses, so it is a complement to a strong password, not a replacement for one.
Attackers use automated requests against your login page to keep trying passwords for the “admin” user, which every WordPress install created by default and which they therefore know exists. That is also why you want to get rid of “admin” altogether: create a new user with a name of your own choosing and administrator privileges, log in as that user, and delete the old “admin” account (WordPress will offer to attribute its posts to the new user when you delete it).
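As an added example, not the Login LockDown plugin's own code: the same lockout logic, with the plugin's default thresholds (3 failures within 5 minutes locks the source range for 1 hour), written against WordPress core's `authenticate` filter, `wp_login_failed` action and transient API. The `example_` names and the `/24` grouping rule are this example's own assumptions.

```php
<?php
/*
Plugin Name: Example login lockout
Description: Added illustration, not the Login LockDown plugin. Counts failed
             logins per source /24 and refuses authentication from that range
             for 1 hour after 3 failures inside 5 minutes.
*/

define('EXAMPLE_LOCKOUT_MAX_FAILS', 3);
define('EXAMPLE_LOCKOUT_WINDOW',    300);   // 5 minutes, in seconds
define('EXAMPLE_LOCKOUT_DURATION',  3600);  // 1 hour, in seconds

// Reduce the client address to its /24 so an attacker stepping through a small
// block of addresses is counted as one source. Assumes PHP sees the real client
// address: behind a reverse proxy or CDN, REMOTE_ADDR is the proxy, and you must
// use the trusted forwarded header instead or every visitor shares one counter.
function example_lockout_range() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return preg_replace('/\.\d+$/', '.0/24', $ip);
    }
    return $ip; // IPv6: fall back to the exact address
}

function example_lockout_key() {
    return 'example_lockout_' . md5(example_lockout_range());
}

// Runs inside wp_authenticate() after core has checked the password (priority 30,
// core's own check is at 20). Returning a WP_Error overrides even a correct login
// while the range is locked, which is the "login function is disabled" behaviour
// described above. XML-RPC logins go through wp_authenticate() too, so they are
// covered as well, unlike a filter placed only on the wp-login.php form.
function example_lockout_check($user, $username, $password) {
    $state = get_transient(example_lockout_key());
    if (is_array($state) && $state['locked_until'] > time()) {
        $minutes = ceil(($state['locked_until'] - time()) / 60);
        return new WP_Error('example_locked_out',
            sprintf('Too many failed logins from your network. Try again in %d minutes.', $minutes));
    }
    return $user;
}
add_filter('authenticate', 'example_lockout_check', 30, 3);

// Fires for every failed attempt. Keeps a sliding window of failure timestamps
// and turns it into a lockout once the threshold is reached.
function example_lockout_record_failure($username) {
    $key   = example_lockout_key();
    $now   = time();
    $state = get_transient($key);
    if (!is_array($state)) {
        $state = array('fails' => array(), 'locked_until' => 0);
    }
    if ($state['locked_until'] > $now) {
        return; // already locked; example_lockout_check() rejected this attempt
    }
    $recent = array();
    foreach ($state['fails'] as $t) {
        if ($t > $now - EXAMPLE_LOCKOUT_WINDOW) {
            $recent[] = $t;
        }
    }
    $recent[] = $now;
    $state['fails'] = $recent;
    if (count($recent) >= EXAMPLE_LOCKOUT_MAX_FAILS) {
        $state['locked_until'] = $now + EXAMPLE_LOCKOUT_DURATION;
        $state['fails'] = array();
        // Log it so the attack is visible in the server's error log.
        error_log(sprintf('[example-lockout] %s locked until %s (last username tried: %s)',
            example_lockout_range(), date('c', $state['locked_until']), $username));
    }
    set_transient($key, $state, EXAMPLE_LOCKOUT_DURATION);
}
add_action('wp_login_failed', 'example_lockout_record_failure');

// A successful login clears the counter for that range.
function example_lockout_clear() {
    delete_transient(example_lockout_key());
}
add_action('wp_login', 'example_lockout_clear');
```

Test it from a second browser (or a private window) by entering a wrong password three times within five minutes; the fourth attempt must be refused even with the correct password, and an entry should appear in the PHP error log. Because the state lives in transients, it is shared by all PHP workers but also lost if you flush the object cache, which is acceptable for a lockout.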

3. Stealth Login

This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that is easier to remember than wp-login.php; for example, you could set your login URL to http://www.myblog.com/login for an easy way to log in to your website.

You can also enable “Stealth Mode”, which prevents users from accessing ‘wp-login.php’ directly. You can then set your login URL to something more cryptic. This is obscurity rather than real protection: if someone does manage to crack your password, it only makes it harder for them to find where to actually log in. What it does stop is the bots that request wp-login.php by name and try password after password against it. Bear in mind that the login form is not the only way to authenticate to WordPress: if you have enabled XML-RPC remote publishing, xmlrpc.php still accepts a username and password and is not hidden by this plugin.

4. WordPress Firewall

This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks. There are a few powerful generic web-server modules that do this, but they are not always installed on web servers and are difficult to configure.
It whitelists and blacklists pathological-looking phrases based on which field they appear in within a page request: unknown or numeric parameters are held to a strict standard, while known free-text fields such as post bodies and comment bodies are not, so a comment that quotes a bit of SQL or HTML is not blocked. Its purpose is not to replace prompt and responsible upgrading, but to mitigate 0-day attacks and let bloggers sleep better at night. Like any pattern-based filter it can be bypassed by an attacker who encodes or rewords the payload, so treat it as a speed bump, not a wall.
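As an added example, not the WordPress Firewall plugin's own code: a minimal version of that field-aware heuristic, so you can see what "which field they appear within" means in practice. The rules, the list of trusted free-text fields, the `example_` names and the sample request at the bottom are all this example's own constructions, chosen to show the idea rather than to be complete.

```php
<?php
/*
Plugin Name: Example request firewall
Description: Added illustration, not the WordPress Firewall plugin. Pattern-matches
             URL parameters and unknown fields, leaves known free-text fields alone,
             and returns 403 on a hit. Run from the CLI to exercise the sample request.
*/

// Fields that legitimately carry free text. They are NOT pattern-matched, otherwise
// a tutorial post or a comment quoting a <script> tag or a SELECT would be blocked.
function example_firewall_trusted_fields() {
    return array('comment', 'content', 'post_content', 'post_title', 'excerpt', 'description');
}

// Phrases that have no business in a URL parameter or an unknown field.
function example_firewall_rules() {
    return array(
        'directory traversal' => '#(^|[\\\\/])\.\.([\\\\/]|$)#',
        'null byte'           => '#%00|\x00#',
        'wp-config probe'     => '#wp-config\.php#i',
        'sql injection'       => '#\b(union\s+(all\s+)?select|select\s.+\sfrom|information_schema|sleep\s*\(|benchmark\s*\()#i',
        'script injection'    => '#<\s*script|javascript:|\bon\w+\s*=#i',
    );
}

// Inspect one request's parameters (typically $_GET + $_POST). Returns a list of
// (field, rule) hits; an empty array means the request looks clean.
function example_firewall_inspect(array $params) {
    $trusted = example_firewall_trusted_fields();
    $rules   = example_firewall_rules();
    $hits    = array();
    foreach ($params as $field => $value) {
        if (in_array($field, $trusted, true)) {
            continue;
        }
        $raw = is_array($value) ? implode(' ', $value) : (string) $value;
        // Match both the raw and the URL-decoded form so "..%2F..%2F" is still caught.
        $candidates = array($raw, rawurldecode($raw));
        foreach ($rules as $name => $regex) {
            foreach ($candidates as $text) {
                if (preg_match($regex, $text)) {
                    $hits[] = array('field' => $field, 'rule' => $name);
                    continue 3;   // one hit per field is enough; move to the next field
                }
            }
        }
    }
    return $hits;
}

// Wire it in at init, before plugins and themes act on the request.
function example_firewall_run() {
    // Never firewall people who are allowed to edit content; their legitimate
    // requests (HTML in widgets, code in posts) would trip the rules constantly.
    if (current_user_can('edit_posts')) {
        return;
    }
    $hits = example_firewall_inspect(array_merge($_GET, $_POST));
    if (!empty($hits)) {
        error_log('[example-firewall] blocked ' . $_SERVER['REQUEST_URI'] . ': ' . json_encode($hits));
        status_header(403);
        nocache_headers();
        exit('Request blocked.');
    }
}
if (function_exists('add_action')) {
    add_action('init', 'example_firewall_run');
}

// Constructed sample request, so the logic can be exercised outside WordPress with
// "php example-firewall.php". Expected hits: cat -> sql injection,
// page -> directory traversal; p is clean and comment is trusted, so neither is reported.
$example_sample = array(
    'p'       => '12',
    'cat'     => '-1 UNION SELECT user_login,user_pass FROM wp_users',
    'page'    => '..%2F..%2F..%2Fwp-config.php',
    'comment' => 'Try <script>alert(1)</script> in your own sandbox; it is harmless as text.',
);
if (PHP_SAPI === 'cli') {
    print_r(example_firewall_inspect($example_sample));
}
```

Expect false positives from rules this simple (a search for “select the best from these” trips the SQL rule), which is why the real plugin keeps an administrator whitelist and why you should watch the error log for a few days after enabling anything like this. Also remember that the sample URL-encodes its traversal payload only once: an attacker can double-encode, add SQL comments (`UNION/**/SELECT`) or use a different case, and every such variation is another rule you would have to write, which is the reason the paragraph above says this does not replace upgrading.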

Conclusion/Final Thoughts:

When you are starting a blog, I recommend installing these plugins right from the beginning. Prevention is much easier than cleaning up after you have been hacked.

These are the 4 plugins I installed on this blog because I was getting hacked. I’ve been hacked 3 times by the way and all 3 times have been completely different hacks. I’ve learned that keeping your blog protected from these hacks is an ongoing fight of good vs. evil. Start with these plugins then move on to my other tips and for goodness sakes man… keep your blog updated to the most recent version of WordPress!
