A few weeks ago I told you about some security precautions to take when using the open source web platform WordPress to protect your site against brute force attacks. However, those precautions are just the beginning. A website administrator has to be forever vigilant to keep the bad guys away.
Luckily, there are many plugins available to help keep your WordPress site safe and secure. Today we’re going to discuss three security plugins that I think are essential.
Akismet: One of the biggest security problems plaguing website operators is comment spam. One of the first things anyone starting a blog or website discovers is the comments being filled with spam messages–often praising your skills as a blogger in broken English. This is comment spam and it’s an inevitability.
With comment spam there is always a link, or links, involved. Often, the comment itself will contain a list of links to websites. If not, the commenter will have supplied a link, supposedly to his or her own website, when meeting the requirements to place a comment on the site.
These links are the whole purpose behind comment spam. The spammer might be merely trying to create back links in order to gain a better Google ranking–in which case the spam is mainly an inconvenience. Other spammers will place links to send visitors to drive-by malware sites–a more serious security issue.
In the old days, comment spammers were almost always spambots and were a little easier to keep out. These days there is often an actual human being behind efforts to spam your site, which makes keeping them at bay a little more difficult. Again, although they seem like mainly a nuisance, they pose a security danger on several different levels. Even when they’re relatively benign and aren’t out to infect your visitors with malware, the links they leave on your site might easily damage your search engine rankings.
The Akismet plugin should pretty much be the first line of defense against comment spam on any WordPress installation. The folks at Akismet do a commendable job of staying ahead of the spammers and are as good as it gets when it comes to recognizing spam and spammers. How do they do it? I’ll let them explain:
“Each time a new comment, trackback, or pingback is added to your site it’s submitted to the Akismet web service which runs hundreds of tests on the comment and returns a thumbs up or thumbs down. As a result, you don’t have to waste your time sorting through and deleting spammy comments from your blog.”
To run Akismet you’ll need to enter an Akismet API key, which will identify your site to the plugin’s servers.
You can help Akismet do its job by going to your WordPress Dashboard and going to Settings>Discussion. Set “Comment Moderation” to two links, which will hold any comment for your approval if it contains more than a single link. Remember, links are the whole purpose of comment spam.SI Captcha A captcha is one of those annoying challange-response tests that’s meant to make sure that a human being is trying to interact with your site instead of another computer. A captcha uses a distorted image that contains a combination of letters and numbers, which the user reads and then types into an input box. The idea is that computers can’t read the graphic, which isn’t always true anymore.
Captchas are another tool in your security arsenal to use against comment spammers. There are quite a few captcha plugins available for WordPress and I can’t honestly say that one is any better than another. All I can say is SI Captcha is the one I’ve used for years and I’m happy with it. Maybe there’s a better captcha plugin available, I don’t know. I’m sticking with SI Captcha, because if it ain’t broke, I ain’t fixing it.
One of the things I like about SI Captcha is that it’s designed to specifically work alongside the Akismet plugin. It also has a nifty little feature, the “honeypot spambot trap,” that fools spambots into thinking there’s a field to be filled-out that doesn’t exist–at least not for humans. It’s recommended that you not enable this unless you’re having a spam problem. We have it enabled on one of our sites but not any others.
Although captchas remain an essential part of your security arsenal, they’re not nearly as effective as they once were. Again, Spambots are getting better at reading the distorted images and some spammers are now employing real human beings, who can easily get past a captcha.
Apocalypse Meow: Back in April I told you we were testing Apocalypse Meow as a replacement for Login Lock. Both security plugins ban a visitor’s IP address from accessing a site after repeated failed attempts to login. Plugins like this are primarily used to thwart the type of brute force attacks that are currently plaguing WordPress installations, where black hats attempt to gain access to accounts with administrative privileges by continually trying different usernames and passwords.
I’d actually been very happy with Login Lock and had used it for a number of years on quite a few WordPress sites. Several months back I discovered the plugin is evidently no longer being developed. This sent me scrambling to find a replacement plugin, which is how I discovered Apocalypse Meow.
Although Login Lock is currently working just fine on several of our sites, it’s not a good idea to depend on a plugin that’s no longer under active development. Why? For one thing, eventually you’ll update to a new version of WordPress and find the plugin no longer works. There are also security reasons to quit using any plugin that’s no longer being patched and kept safe from hackers. While I doubt that a plugin like Login Lock could ever be easily exploited, why take chances?
We’ve had Apocalypse Meow working on a test site for a little over a month. We’re quite happy with it. Our testing is being done on a site that’s under development, facing the public but virtually unknown with no sites linking to it. However, that bit of obscurity hasn’t kept the hackers from finding us, so we’ve been able to observe the plugin in action while under heavy fire.
Like Login Lock, Apocalypse Meow is simple and doesn’t try to do too much, while still offering plenty of configuration options. When an IP is barred, it’s confined to “Log-in Jail.” You can control the number of failed attempts before it’s jailed, as well as the length of time the offending IP address must spend there. The plugin also enforces strong passwords, which is especially important if you allow visitors to register for accounts on your site.
Another good feature is that the plugin allows you to make specific IP addresses exempt, a helpful way to keep yourself from accidentally getting locked out of your own site. You can also “pardon” someone who’s confined to Log-in Jail, which might come in handy when a writer or editor gives you a call at three in the morning because she’s locked-out of the site and can’t get in with deadline looming.
Wordfence is another security plugin that offers the same sort of protection against brute force attacks as Apocalypse Meow. It also attempts to be an all-in-one security solution, but many of the things it attempts to do, it doesn’t do well. Also, this plugin works through a third party server and by installing this plugin you’re giving the server, and the people behind the plugin, considerable access to your WordPress install. You may be comfortable with that. I’m not.
Some of the features in Wordfence are features of convienence, and probably create a new security risk by being accessible from within WordPress. For example, Wordfence makes it easy for you to block IP addresses, as well as ranges of addresses, directly from its settings menu. However, this function is easily accomplished directly from your server using cPanel, Plesk or whatever control panel you or your host have installed.
We found other problems.
To make sure you haven’t been hacked, Wordfence scans your WordPress files and performs a line by line comparison of all your files, which are then compared against clean files of the same version held on the Wordfence server. In our case, we received results indicating our Akismet plugin had been compromised. That concerned us for a moment, until we investigated and discovered that Wordfence was comparing our up-to-date version of Akismet with a previous version they were misidentifying as the version we had installed.
This later experience is evidently not unique. We found other reviewers online who had similar experiences.