Press "Enter" to skip to content

WordPress Plugins for Security & Robustness

Yesterday I wrote about how WordPress has evolved into a first rate platform that can be easily customized. One of the ways that WordPress is customized to meet the unique needs of a site is through the use of plugins that add functionality. Most of these functions are visual and offer visitors a richer experience while on your site. Others are never even seen by the visitor and only indirectly affect his or her experience.

During site design, it can be easy to become so blinded by the the former group, the plugins that add lots of gee-whiz bells-and-whistles, that we ignore the later group that does the grunt work to increase our site’s performance. However, judicious use of these behind-the-scenes plugins can make our WordPress sites more secure and help reduce server loads, making for a safer and quicker site and a better experience for our visitors.

These are the unsung and unglamorous essential plugins for WordPress. Some version of these functions should be included in nearly every WordPress install.

Akismet: This is, hands down, the best content and trackback spam killer available for any platform. If you just got here, content spammers are about the stupidest hackers online. They’re mostly an annoyance, but they do have the potential to do damage to the computers of your site’s visitors. You’ll know they’ve found your site when huge lists of links begin to appear as comments to posts. Assume that most of these links point to malware laden sites. You can’t allow these links to appear on your site if you can at all prevent it, and I know of no way, short of closing comments completely, to keep spammers from trying to work the content feature to their advantage. The only way to stop them is at the door.

Akismet works by checking a comment against the Akismet server to determine if it’s probable spam. If so, it will place the comment in quarantine, awaiting your authorization. In my experience, it catches everything, and false positives are so rare as to be nonexistent. You’ll need to get an API key from Akismet, which is all clearly explained in the configuration screen. Every WordPress installation that allows comments of any kind should have this plugin installed and running.

Si Captcha: Captchas, those annoying little boxes containing weirdly drawn letters that you must decipher before you’re allowed to post, are the first line of defense in the battle against content spam, killing most spam attempts right at the door. Captchas are bothersome, I know, but necessary. There are quite a few captcha plugins available from the WordPress repository. I haven’t tried them all, but I can tell you that I’m very happy with Si Captcha. It works well.

WP Super Cache: Modern database driven websites create pages that are dynamically generated. When a visitor clicks on a link to a post or article on your site, the server has to make numerous calls to the database and piece together the web page before delivering it to the visitor’s browser. This creates a lot of work for the server, which can get bogged down and even crash under heavy traffic loads. One of the simplest ways to ease load on the server is by caching the page as a simple HTML file and serve that up for a while.

WP Super Cache is an excellent caching plugin, perhaps best of breed as far as WordPress is concerned. It’s highly customizable, and can be set for varying degrees of caching. I would go ahead and turn on “Super Cache” capabilities and set the cache time at an hour. With this plugin, a page isn’t cached until clicked on by a visitor. After that, the cached version will be served for the time specified or until a change, such as a new comment, is made to the page. The plugin also has an emergency mode that can be activated if your site’s going to be mentioned on The View and get a gazillion hits.

Some say that Super Cache should only be used by advanced users. The program can be a little daunting, and if you don’t feel comfortable there are other easier to use caching plugins available. However, I would advise anyone to go ahead and give it a try. The documentation on the configuration screen is quite clear, and there are ways to test the configuration to make sure that WP Super Cache is working.

WP-Optimize: One of the problems with WordPress is that it never throws anything away. For example, every time you edit a post, WordPress saves a revision, meaning that if you edit a post six times you might have five revisions sitting in you database taking up space.

WP-Optimize is a tool that will let you clean-up your database right from the WordPress back end. It’ll find and remove all old revisions and unapproved comments and let you further optimize your database without phpMyAdmin. The plugin also let’s you change a username, which WordPress will not. This is useful because WordPress installs with the default username “admin,” not a small security risk since hackers know to look for a user called “admin” when looking to gain administrative access to a WordPress site.


  1. Christopher Ross Christopher Ross June 24, 2011

    Christine, don’t forget about Login Lockdown, it’s a great plugin to stop brute force attacks on your blog!

  2. Christine Hall Christine Hall Post author | June 24, 2011

    Thanks for the heads up, Christopher. I’m not familiar with Login Lockdown, but I will be in a moment.

    On Monday we’ll be posting some more WordPress plugins, both social and features. Feel free to comment with you own recommendations!

  3. Christine Hall Christine Hall Post author | June 24, 2011

    Christopher, Login Lockdown is evidently the older version, for older installs of WordPress (up to 2.8.4). For newer installs (2.5 and up) use Login Lock. Evidently you can upgrade without losing your old database entries. Check out the FAQ on the developers’ page.

    It looks like a great plug in. I’m testing it now. If it works as advertised (I expect it to), this will go on my short list of absolutely essential security plugins.

    Again, thanks for the heads up!

  4. I hadn’t heard about WP-Optimize (yet) so I will be checking that one out.

    For security, I also load Wp-Security Scan. It basically reviews your installation and makes recommendations based on what it finds. You can remove it once you get your blog secure (to elminate overhead).

Comments are closed.

Breaking News: