Site Protection Plugins
Used by millions, Akismet is quite possibly the best way in the world to protect your blog from comment and trackback spam. It keeps your site protected from spam even while you sleep.
Where I use it: Everywhere, on every single blog I touch, without fail. No site should be without this important plugin.
Why I use it: Just look at my stats above and you’ll see that I cannot live without this plugin. This is ‘March 28th, 2013’ snapshot of PennyButler.com – without Akismet, I would be getting on average 20,000 spam comments per month. There is not a single site that it hasn’t helped me “save time”. It has saved me from 224,115 spam comments on that one blog alone since 2009, with a 99.94% accuracy rate (59 fake positives in 5 years).
Keep your instances of Timthumb up to date and free from vulnerabilities simply. Bonus – checks for obvious signs of compromised sites.
Where I use it: On every site.
Why I use it: To make sure that my timthumb scripts are using the latest versions to keep my sites & my client sites less-prone to timthumb hackers.
This plugin disables XML-RPC API in WordPress 3.5+, which is enabled by default. It’s a very tiny plugin that basically ads this to your wp_config.php file for you:
Where I use it: Currently only used on a sprinkling of my sites but will soon be activated across all my sites.
Why I use it: Since upgrading to 3.5, WordPress has enabled XML-RPC by default and not given us a way to disable it easily in the backend. Not many users use this API, and I definitely don’t, but having it enabled by default opens up a whole range of potential security issues and makes hackers happy with SSRF (Server Side Request Forgery), Port Scanning, Ping Spamming, the ability for someone to remotely upload media and change data, etc. I just don’t see why they removed the ability to turn it off on sites that do not use it. So in a nutshell, I use this to increase protection from hackers.
Adds some extra security to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range.
Description: Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Administrators can release locked out IP ranges manually from the panel.
Where I use it: On sites that are proned to login-attempts by “bad people & bots”. And on client sites as an extra security measure.
Why I use it: To help stop people from trying to hack into the site by guessing the usernames/passwords. If they get it wrong 3 times in a row, they are locked-out for an hour. Each time, they are redirected so that they cannot see what the error message is.
Simple Anti Bot Registration Engine
Scenario:Some sites require having members, and as such, they need to register on your website. But there are these robots going around, automatically registering on your blog and then trying to spam the blog.
As a result, if you have any other things setup (like an automatic email “welcoming” these members), it can get chaotic because not only are your server resources getting used while they are registering and attempting their spam attacks, but your mail server goes into overdrive sending out all these welcome messages.
When you have hundreds or thousands of these attacks per day – it also makes your webhost “shut down your site” and force you to turn off registrations for good. This is not a good solution because you still want members to have to register.
Where I use it: On PennyButler.com and other popular sites that I run that have been overrun by spam users automatically registering on the website. You shouldn’t need this plugin “until” the day that these guys start – and once they start, you will know lol.. you will definitely know about it. It starts with 20 or so a day, then 20 or so an hour, then 20 or so per minute.. you will know when it’s time to use this plugin.
Why I use it: Sabre stops almost all of my registration spam. The second I disable this plugin on some of my sites, I have hundreds of registrations per minute try and register, it’s out of control and this is the only thing that has helped (apart from turning registration off completely).
Blocks bad spiders, throttles good ones.
Description: A wordpress plugin that redirects bad bots and redirects spam and scraper bots away from your site as well as throttling good bots so that they don’t scrape/visit your site as much – saving you bandwidth and hack attempts as well as content thieves and spammers – it’s the magic pill for all wordpress users.
Where I use it: On all of my own sites.
Why I use it: I initially got this because I needed to slow-down high resource usage on one of my sites, getting thousands of visits daily by “bad bots”. It’s a plugin that I wish I had years ago. Not only does it allow me to watch traffic and look-them-up on HoneyPot to see if they are a “good guy or a bad guy”, but it allows me to block entire countries from accessing my site – meaning I can stop the majority of bad guys by blocking countries that my blog(s) are not designed for. I can add a note next to each IP address that I block, so that I can remember “why” I blocked it (see screenshot above) and I can let Project HoneyPot automatically block bad guys as well as slow-down crawling from “real bots” like Google that I “want” crawling my site – but maybe not as much as they do.
Good bots/crawlers that I whitelist (like Google, Yahoo, Bing, etc.) gets a request sent back to them with an Apache web server “304 Not Modified” response. When search spiders receive this, they often use their own internal database and won’t scan your site. I’ve set mine at 55% which means that 55% of the time that good spiders visit my sites, they will be sent away with a “304 Not Modified” response.
Bad bots/crawlers I’ve set so that it gets redirected back to them, so when a bad bot comes to my site, they are redirected back to their own IP address. Pretty sneaky huh. Be gone bad guys!
It’s a premium plugin but it’s cheap and I can use the same license across all my sites – and even syndicate all my settings across to all of them in “one click” which is a huge time-saver!
This WordPress plugin monitors web requests to identify and stop the most obvious attacks.
Description: Hasn’t been updated in over 2 years – but still works. It’s a light-weight plugin that stops the most obvious wordpress attacks (Directory Traversal, SQL Injection, Wordpress-Specific SQL Injection, Executable File Upload, Field Truncation, & Remote File Execution) (See full list of what it stops here).
Where I use it: On about half of my own websites and all of my client sites.
Why I use it: It really does block things – even when real users are trying to modify plugin or theme files, it will prevent them from doing it unless their IP address is whitelisted. This is great for client sites because it stops them doing major damages to their own site if they are not sure what they are doing. I use it on a lot of my sites as just an extra barrier against potential hackers, especially on sites that have been hacked in the past.
Backup and cloning tool for WordPress blogs.
Where I use it: On every single site I own.
Why I use it: There are plenty of free and premium backup plugins and I’ve tried most of them. But this is the only one I feel secure with. It works where others fail, even premium plugins like BackupBuddy and WP-Twin have let me down when it comes to migrating and restoring a blog, and BackupBuddy makes you go cross-eyed if you want to try and figure out how to restore to a previous backup. But this one is super-easy to use – one-click simple.
It allows me to backup automatically to:
- Amazon S3
And it allows me to migrate to other servers without having to download the backup file – meaning, I can within 2 clicks, restore a site on a new domain with a server-to-server file transfer (ftp or amazon), saving me hours of time and stress. I can also easily backup sites and mess around with settings freely and restore with ‘1’ click if I happen to muck-up anything I shouldn’t of. It’s a premium plugin, and that’s a shame for those who don’t want to pay for plugins, but it’s a plugin that I really cannot live without now that I have it.
Read more about this plugin on my Plugins to help Optimize & Cleanup WordPress (to make your host happy) post
Make sure you also review the other WordPress Plugins that I recommend:
- The full list of WordPress Plugins that I recommend (on one page, without images/descriptions)
- Site Performance WordPress Plugins
- Site Protection WordPress Plugins (you’re viewing this one now)
- Tracking & SEO WordPress Plugins
- Pretty WordPress Plugins