How to Firewall Your WordPress Blog

October 30, 2009

You already know to use a decent password for your blog, but brute-force or dictionary attacks aren’t the only attacks used against bloggers. It’s much cheaper and faster to exploit software flaws, and that is exactly what hackers do. A programmer’s oversight may allow a hacker to gain access to your blog to insert spyware, adware, or links to various pharmaceuticals you’d prefer not to speak about in front of your mother.

And it’s not just WordPress proper. WordPress has caught some major criticism for its security holes — but lately it’s been a bunch of insecure plugins, not WordPress itself. Matt Mullenweg counters the argument that WordPress is insecure. I think he’s totally right — WordPress has a rich “plugin ecosystem” that no other blogging platform can touch.

However, the problem remains. WordPress has some great plugins that are written by people with the best of intentions — but who may not understand the importance of sanitizing data provided by untrusted users, and its relationship with security. Upgrading often, setting permissions, using good passwords, etc. — that all helps a lot — but unless you have the time and ability to painstakingly audit all program code for security vulnerabilities, you’d be best off running one of the WordPress firewalls:

1. WPIDS

The WPIDS offers protection for your blog from malicious code injections. Any request considered malicious is logged into a database for later analysis. You can also set up email notification for attacks with very high impact. The back-end pages of the plugin will notify you if new filter rules are available, and you can check a list of the latest intrusion attempts.

But the most important feature of the WPIDS is that you can block attackers for some time if they are running wild on your blog. The plugin is built on the 0.3.2 core of the PHPIDS – a version shipped with the coming 0.4 milestone will be released soon.

This hasn’t been updated in a while and only works with PHP5. I’d nag the BlogSec guys for an update before using it. More info here.

2. Maximum Security

This one looks pretty good. For now it’s vaporware. I expect it will be good when it does come out, though. It does more than firewall. It also removes version signatures, sets Apache passwords, etc. There are plenty of plugins that do that, but if you like integration, it will probably be a good install.

Link: http://wpsecurity.net/

3. Firewall Script

Firewall Script has a WordPress module that can be installed to protect WordPress. It looks promising, but some of the claims on the web site make me nervous. I think it might be a great product, and I was going to try it — but he claims 100% protection, and that you don’t need to upgrade for security anymore. That was a turn-off for me. In fact, the folks at Maximum Security say “Beware of those guys out there who claim that their so-called security solution can ‘stop all attacks’ because that’s a flat out lie based in either deception or sheer ignorance.”

Link: http://firewallscript.com/wordpressfirewall.htm

4. WordPress Firewall SEO

Disclaimer: This one’s by my company. While it’s not the most robust, it does what it does well. It basically has a set of hard-coded things that it rejects, a prefitted whitelist to make it work out of the box (so comments don’t blow up when someone types wp_whatever), and a configurable set of extra whitelists. Emails are sent when a bad boy attacks your blog. They look like this:

[Image: WordPress Firewall alert email]

Link: http://www.seoegghead.com/software/wordpress-firewall.seo
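
The design described for item 4 (hard-coded reject rules, a default whitelist so that comments mentioning `wp_` names still go through, and an extra configurable whitelist) can be illustrated as follows. This is an added example, not code from WordPress Firewall or any other plugin listed here; the function name `inspect_request`, the patterns and the whitelist entries are assumptions made for illustration.

```php
<?php
// Added illustration, not plugin code. Patterns and whitelist entries are assumed.
const REJECT_PATTERNS = [
    'directory traversal' => '#\.\./#',
    'SQL keyword pair'    => '/\bunion\b.+\bselect\b/is',
    'internal table name' => '/\bwp_\w+/i',
    'script tag'          => '/<\s*script\b/i',
];

// Page/field pairs exempt from inspection out of the box (assumed defaults).
const DEFAULT_WHITELIST = [
    'wp-comments-post.php' => ['comment'],
];

// Returns a list of findings for one request; an empty list means "allow".
// $params is the merged GET/POST array, $extra the admin-configured whitelist.
function inspect_request(string $page, array $params, array $extra = []): array
{
    $exempt = array_merge(DEFAULT_WHITELIST[$page] ?? [], $extra[$page] ?? []);
    $findings = [];
    foreach ($params as $field => $value) {
        if (in_array($field, $exempt, true)) {
            continue; // whitelisted field: free text is expected here
        }
        // Flatten nested arrays (field[]=a&field[]=b) so nothing skips the check.
        $flat = is_array($value) ? $value : [$value];
        array_walk_recursive($flat, function ($item) use ($field, &$findings) {
            foreach (REJECT_PATTERNS as $label => $regex) {
                if (preg_match($regex, (string) $item) === 1) {
                    $findings[] = ['field' => $field, 'rule' => $label];
                }
            }
        });
    }
    return $findings; // a non-empty result is where the alert email would be sent
}

// Constructed sample requests.
$samples = [
    ['wp-comments-post.php', ['comment' => 'I renamed wp_posts and it broke']],
    ['index.php', ['cat' => '1 UNION SELECT user_pass FROM wp_users']],
    ['index.php', ['page' => '../../wp-config.php']],
];
foreach ($samples as [$page, $params]) {
    $hits = inspect_request($page, $params);
    echo $page, ': ', $hits ? 'BLOCK ' . json_encode($hits) : 'allow', PHP_EOL;
}
```

A pattern list like this only catches what its rules anticipate, which is why the upgrading, permissions and password advice above still applies alongside any firewall plugin.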

Source: blogsecurity.net

{ 3 comments… read them below or add one }

chainyanepsip Netscape Navigator Windows January 25, 2010 at 18:19

The information here is great. I will invite my friends here.

Thanks

ANNENTJEM Opera Windows January 30, 2010 at 05:11

Very nice Blog, I will tell my friends about it.

Thanks

AutoInsuranceGroup Internet Explorer Windows March 8, 2010 at 23:54

Your site is actually full of awesome details and also is really great to read through.

Properly done :-)
