10 Popular Security WordPress Plugins for Webmasters

When it comes to security, there are two common types of webmasters. The first are WordPress admins who cram their blogs with every possible security plugin. The second are webmasters who are happily ignorant of the various web dangers, including hackers, malicious code, and spam attacks, and who can’t even imagine why they would need a security plugin.

No matter which type of webmaster you are, below we have a list of security plugins any webmaster should consider for their WordPress website:

  1. Simple Backup – This WordPress plugin was developed to create and download backups of your WordPress website. Note: Simple Backup creates a special directory for backup files in the root of your WordPress directory, usually named ‘simple-backup’. Sometimes it’s necessary to create this directory manually (in case you get an error message). Requirements: PHP 5.2 or higher, WordPress 3.3 or newer, a Linux-style server, mysqldump (for DB backup) and tar, zip, gzip, or bzip (for compression of files).
  2. Ask Apache Password Protect – This is quite an unusual security plugin. Unlike other similar plugins, it works not at the application level but at the network level, and it does not use PHP to prevent attacks because it starts functioning before PHP does. Ask Apache Password Protect was developed to stop attacks before they even reach your blog. Requirements: The plugin requires the Apache web server and hosting support for .htaccess files.
  3. Login Dongle – Nobody will be able to log in but you. As easy as pie! The Login Dongle plugin protects your login information with a security question as an additional security layer. Note: Your login page stays unchanged, so attackers won’t know how to guess the answer to your security question. Even if someone uses your computer and a browser that fills in the login form automatically, that person still will not be able to log in! You can also install it alongside any other login plugin. Requirements: WordPress 1.0 or newer versions.
  4. Sideways8 Custom Login and Registration – This plugin was designed in such a way that you and your users never see the built-in login option, registration form, and password reset form of your WordPress. Additionally you’ll be able to add some custom content to the login, forgot password, registration and password reset pages. Requirements: WordPress 3.3 or newer versions.
  5. Exploit Scanner – This plugin will look through your WordPress files and database to find any signs of malicious activity. It also examines your active plugins for unusual filenames. And don’t be afraid, it won’t delete anything! You are the one who makes the decision! Requirements: WordPress 3.3 or higher versions.
  6. WordPress AntiVirus – It’s an easy-to-use plugin that will automatically and regularly monitor for any kind of malicious injections and warn you of any possible attacks. What is more, it has multilingual support. Requirements: PHP 5.1 and WordPress version 2.8.
  7. WebsiteDefender – The WebsiteDefender plugin is another free WordPress plugin that offers a list of useful security options. Among them are: scanning your blog for security configuration mistakes, offering easy solutions to security issues, hiding your WP version, checking your file permissions, removing the WP Generator META tag from the core code, etc. Requirements: WordPress 3.0 or higher version, PHP5.
  8. WordPress HTTPS (SSL) – This plugin was created as an all-in-one solution (includes private and shared SSL, force SSL per page option, admin panel security and ‘partially encrypted’ errors solutions) for your WordPress SSL. Requirements: WordPress 3.0 or higher versions.
  9. Anti-spam plugin – This plugin blocks spam in your posts’ comments automatically and invisibly both for users and for admins. What are its main advantages? First of all, it has no captcha; additionally, it has no moderation queues and no options. So, you can forget about spam forever! Requirements: WordPress 3.0 or newer.
  10. Theme Authenticity Checker – It’s a plugin that can scan all your theme files and let you know if there is any suspicious or unwanted code hidden in them. It’s a great tool mostly for avoiding unwanted advertising, but before deleting any piece of code from your theme’s source files we suggest that you contact the theme author to obtain some additional information about it. Requirements: WordPress 3.0 or newer versions.

This article was contributed by Diane Parks, a Template Monster representative who is fond of WordPress themes, plugins and tutorials.


WordPress Continues to Take Over the Top 100 Blogs

Back in 2006 blogging was still in its infancy and I remember searching for a platform to launch my first blog.  TypePad and Blogger were both big at that time, WordPress.com was around and growing, and Moveable Type, Joomla, Drupal, and WordPress.org were also good options.  In fact there were so many good options that it was difficult to decide what foundation I would use for what I hoped to be my new job. 

For my first few months of blogging I actually went with TypePad, but quickly found that it was very limited and wasn’t a good fit for my needs. I went back to the drawing board at that point and knew I needed something that was flexible and was also going to be around for the long haul. At that time open source was really starting to take off in the mainstream and WordPress.org was leading that charge in the blogging niche, so I decided to align myself with the WordPress community and re-launched my first blog. Between the WordPress plugins and both the free and premium WordPress themes available, I knew I had made the right choice and was able to quickly make a custom design with little work on my end. The flexibility and the excellent open source community were the key to creating a great experience for me, and many I talked to felt the same way.

Fast forward 7 years and WordPress continues to meet my needs and validate my early decision. One report I use to determine this is released annually by Royal Pingdom, which has done a study of the Top 100 blogs each year since 2009 and recently published their 2013 report. This report shows WordPress continues to grow as the top choice among the most prominent blogs.  Initially back in 2009, WordPress was on 32% of the Top 100 blogs.  Last year it was up to 48%.  For 2013, WordPress is now on 52% of the Top 100 blogs, and I expect that percentage to continue to grow over the coming years thanks to its flexibility and the fact that it is very user friendly.


According to Wikipedia, WordPress is used by over 14.7% of the top 1 million websites and manages over 22% of all new websites created as of August 2011, boasting a total of over 60 million websites. It’s hard to imagine what these numbers will look like next year or several years from now.


Google+ Comments for WordPress Plugin

For many years now Facebook has had a very popular login feature and also offered the ability to easily integrate blog comments using your Facebook account. These options have proven to be very popular with all types of webmasters as they provide several convenient features and also help to discourage spammy or anonymous comments.

It always surprised me that Google wasn’t in this game, but the introduction of Google+ seems to offer Google the ability to offer these features to webmasters and be the ones collecting this information.  According to reports, apps that support Google’s login are now getting favorable search treatment and Google is starting to really push this feature.  Then last month, Google announced that Google+ comment integration is now available for Blogger users. So, what about WordPress users?

Not long after the Blogger integration was announced, the code needed to do this manually was discovered:

HTML:

<script src="https://apis.google.com/js/plusone.js">
</script>
<g:comments
    href="[URL]"
    width="642"
    first_party_property="BLOGGER"
    view_type="FILTERED_POSTMOD">
</g:comments>

Valid HTML5 version:

<script src="https://apis.google.com/js/plusone.js">
</script>
<div class="g-comments"
    data-href="[URL]"
    data-width="642"
    data-first_party_property="BLOGGER"
    data-view_type="FILTERED_POSTMOD">
</div>

Comments counter HTML (replaces <g:comments>):

<g:commentcount href="[URL]"></g:commentcount>

Valid HTML5 version (replaces <div>):

<div class="g-commentcount" data-href="[URL]"></div>

Replace ‘[URL]’ with the URL of your web page and set the ‘width’ to fit your layout.

Link your web page to your Google+ profile to verify authorship.

Dynamic Google+ Comments HTML:

<div id="comments"></div>
<script>
gapi.comments.render('comments', {
    href: window.location,
    width: '624',
    first_party_property: 'BLOGGER',
    view_type: 'FILTERED_POSTMOD'
});
</script>

Google+ Comments Counter:

<div id="commentscounter"></div>
<script>
gapi.commentcount.render('commentscounter', {
    href: window.location
});
</script>

Google+ Comments for WordPress Plugin

Fortunately, the WordPress community has already come through with an easier solution, the Google+ Comments for WordPress plugin. This plugin makes the comment section tabbed by seamlessly adding tabs for Google+ Comments, Facebook, Disqus, WordPress Comments, and Trackbacks. Early reviews are promising and I imagine this plugin will continue to evolve over time.

If you decide to give this plugin a try on your website, leave us a comment and let us know how the setup went.


PSA: Massive Botnet Attacks on WordPress Installations

Over the past 24 hours it has come to our attention that a large network of over 90,000 IP addresses has ramped up its use of a brute force attack to target WordPress blog installations. According to several published reports, the botnet is attempting to gain access to WordPress installations by using the default Admin user name and trying multiple passwords. By default, WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease.

Popular hosting providers CloudFlare and HostGator are reporting that the scale of the current attack is much larger than what they typically experience, with some reports claiming that they are blocking 60 million requests per hour during peak times. After reviewing our logs we’ve already noticed several failed login attempts using the username Admin.

What can I do to protect my WordPress installation(s)?

  1. If your username is currently set as Admin, change it to something custom. The easiest way is probably by using something like the Better WP Security WordPress plugin.
  2. Change/strengthen your password. Your password should include capital letters and symbols (%+!#).
  3. Install a plugin to limit login requests.  We use the appropriately titled Limit Login Attempts WordPress plugin, but there are several other plugins with similar functionality.

Once that is done, sit back and hope for the best!

Update: HostGator has provided additional tips.
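
To go with the log review and the login-limiting step above, here is an added example (not code from the original post or from any plugin it names) that counts failed wp-login.php attempts in an Apache combined-format access log. It separates addresses a per-IP limit would catch from minutes where many addresses each try only a few passwords, which is the pattern a botnet of this size produces. The thresholds, helper names and sample lines are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<minute>[^:]+:\d\d:\d\d):\d\d [^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(log_text):
    """Yield (ip, minute) per failed login in Apache combined-format text.

    Assumption: stock WordPress answers a failed POST to wp-login.php with
    200 (form shown again) and a successful one with a 302 redirect.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0].endswith("/wp-login.php")):
            yield m["ip"], m["minute"]

def summarize(log_text, per_ip_limit=5, site_limit=5):
    per_ip = Counter()
    per_minute = defaultdict(Counter)
    for ip, minute in failed_logins(log_text):
        per_ip[ip] += 1
        per_minute[minute][ip] += 1
    # Addresses a per-IP lockout would catch.
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    # Minutes where the site is hammered yet no address reaches the per-IP
    # limit: many bots, each trying only a few passwords.
    distributed = {minute: (sum(c.values()), len(c))
                   for minute, c in per_minute.items()
                   if sum(c.values()) >= site_limit
                   and max(c.values()) < per_ip_limit}
    return noisy, distributed

def make_line(ip, hhmmss, method, path, status):
    return (f'{ip} - - [12/Apr/2013:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 2048 "-" "Mozilla/5.0"')

# Constructed sample traffic (documentation address ranges), not real logs.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.9", f"10:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(6)]
    + [make_line(f"198.51.100.{i}", f"10:05:{i:02d}", "POST", "/wp-login.php", 200)
       for i in range(1, 9)]
    + [make_line("192.0.2.10", "10:06:00", "POST", "/wp-login.php", 302),
       make_line("192.0.2.10", "10:06:01", "GET", "/wp-admin/", 200)])

if __name__ == "__main__":
    noisy, distributed = summarize(SAMPLE_LOG)
    print("per-IP lockout candidates:", noisy)
    for minute, (attempts, sources) in distributed.items():
        print(f"{minute}: {attempts} failures from {sources} addresses")
```

On the sample data, the single noisy address is reported for lockout, while the 10:05 minute is flagged as distributed: eight failures from eight addresses, none of which would trip a per-IP limit on its own.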


5 Common Mistakes When Backing Up WordPress

As a leading Content Management System for managing websites and especially for writing blogs, WordPress makes it extremely easy to back up your valuable content from the database and site files. There are a number of tools you can use that make life easy for website owners and bloggers, but don’t let the simplicity of backing up WordPress leave you with an inadequate backup plan. In fact, there are plenty of backup tools out there that don’t get the job done well enough. Here are five backup mistakes to avoid:

Only Backing up Your Posts

Your website has a lot more going on than just the posts on your blog. While losing your posts would be catastrophic, don’t forget that a true backup will include your pages, theme modifications, and WordPress plugins. These elements of your website make it functional, and losing them will be a major setback for your time.

A tool like Backup Buddy is designed to store all of your site’s information and to restore it all at once should any kind of loss occur. This means you won’t lose page views, advertising revenue, or potential customers when your site goes down. It will be up and running in no time.

Not Backing Up Frequently

If you only back up your website on a weekly basis, but you average about one post per day, you could cause yourself some major headaches if your blog goes down and you lose several blog posts. That means any inbound links, comments, or social media shares to those posts will land on your 404 page. While this may be a temporary setback, you will plant a seed of doubt in the minds of potential visitors about the quality and reliability of your website.

Relying on Manual Backups

There are plenty of online storage options from Amazon’s Cloud Drive to Dropbox, but managing the website backup process on your own is difficult to maintain for the long haul and can take up valuable time. Even if you’ve figured out a quick way to back up your website, it’s one more thing on your to-do list that could be easily automated.

Backing Up Your Blog on Your Computer

If a hacker can access your website, there’s a good chance he may have already gotten into your computer and other files as well (for more about further protection from hackers, look at the services Passbook has to offer). In addition, there’s no telling if the files on your computer have been corrupted with a virus when it’s time to restore your site. You could very well be uploading files with the same problems that took your site down in the first place. While you can use a service like FileZilla to back up your site on your own computer, it’s far safer to rely on an online backup site.

Never Testing Your Backups

A backup of your website is a safety net that will catch you when the worst case scenario happens on your website. However, what good is a safety net if it has a hole in it? By testing your backed up files, you’ll learn whether your website backup plan is adequate to meet your needs in a website emergency situation. Make sure you have the files you need in a format that you can easily access and restore to your site.
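
One way to automate a first-pass test, covering both “Only Backing up Your Posts” and “Never Testing Your Backups”: this added example (not code from the article or from any plugin it names) opens a .tar.gz backup and checks that it holds the site files as well as a finished database dump. The archive layout, the default wp_ table prefix, the helper names and the sample archives are assumptions made for illustration.

```python
import io
import tarfile

# What a full-site backup should hold, not just the posts.
REQUIRED_PATHS = ("wp-config.php", "wp-content/themes/",
                  "wp-content/plugins/", "wp-content/uploads/")
REQUIRED_TABLES = ("wp_posts", "wp_options", "wp_users")  # assumes default wp_ prefix

def check_backup(fileobj):
    """Return a list of problems found in a .tar.gz WordPress backup."""
    problems = []
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        files = [m for m in tar.getmembers() if m.isfile() and m.size > 0]
        for path in REQUIRED_PATHS:
            if not any(path in m.name for m in files):
                problems.append(f"missing {path}")
        dumps = [m for m in files if m.name.endswith(".sql")]
        if not dumps:
            problems.append("no .sql database dump")
        for m in dumps:
            sql = tar.extractfile(m).read().decode("utf-8", "replace")
            for table in REQUIRED_TABLES:
                if f"CREATE TABLE `{table}`" not in sql:
                    problems.append(f"{m.name}: no CREATE TABLE for {table}")
            # mysqldump ends a finished dump with this comment by default;
            # its absence suggests the dump was cut short.
            if "-- Dump completed" not in sql:
                problems.append(f"{m.name}: dump looks truncated")
    return problems

def make_backup(files):
    """Build an in-memory .tar.gz from {name: text} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

GOOD_SQL = ("".join(f"CREATE TABLE `{t}` (id int);\n" for t in REQUIRED_TABLES)
            + "-- Dump completed\n")
FULL = {"wp-config.php": "<?php // constructed", "wp-content/themes/t/style.css": "body{}",
        "wp-content/plugins/p/p.php": "<?php", "wp-content/uploads/2013/a.txt": "x",
        "db.sql": GOOD_SQL}
POSTS_ONLY = {"db.sql": "CREATE TABLE `wp_posts` (id int);\n"}

if __name__ == "__main__":
    for label, files in (("full", FULL), ("posts only", POSTS_ONLY)):
        print(label, check_backup(make_backup(files)) or "OK")
```

A clean result here only shows that the expected pieces are present; a trial restore to a scratch site is still the real test.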

Your website has information that is far too valuable to leave your backup files in a state of uncertainty. If you don’t know about the security, scope, and viability of your website backups, it’s time to look into a reliable, automated WordPress backup option or to carefully test which backup plugin is right for you.