Security Plugins Every WordPress Website Should Have Installed

If you run a website, then website security is probably on your mind regularly. As technology becomes more integrated with our lives, news about security breeches, DOS attacks and hacks has become more frequent. The need for being proactive about protecting your website has never been stronger. Here are some of my favorite security plugins, most of which are free, even if the free version is limited is definitely something every WordPress website should have installed. Check back as I’ll keep this list updated as things change, plugins are added or in the case any are sadly removed!

A Simple Captcha Can Help Deter Attacks.

Brute Force Attacks occur no matter what host you’re with, and no matter how strong your password is. The first step to protecting your website from a successful brute force attack is setting up a strong user name and password.
(Helpful articles: Is my password strong enough? and How to Create a Strong Password You Can Remember)

Step two in protecting your website from brute force attacks is adding an extra layer of difficulty to the bot attempts at cracking your login is adding a Captcha, which can be as simple as a basic math question (or not so simple if it’s before coffee). I recommend the Captcha by BWS plugin, which will add a simple captcha form to your login page. You can learn more about it here: BWS Captcha plugin and download from WordPress repository, here.

Secure your Login.

Adding a captcha to your login page is good, but what’s even better is limiting the number of login attempts anyone tries making to get into your WordPress admin area. For this I highly recommend Login Security Solution. This plugin logs IP addresses of attempted logins, and will systematically slow down the login process to those IPs. The delay is a ‘survival of the fittest’ method, meant to deter attackers, steering them away from your site to move on to the next one that may be an easier target. The beauty of this plugin is, if they DO manage to break in, the plugin recognizes the user as a miscreant and kicks them out, anyway!

Stay in Control of Your Site Security.

As an added measure of security, I also recommend using the WordFence plugin. It works well especially if you set it up to work in conjunction with Login Security Solution. This plugin offers lots of options, and while it has some great pro-active features, some features come in very handy during an attack.

Proactive features I’ve found most useful are the ability to block aggressive search engine spiders like Baidu and Sogou, which can be resource hogs.

There is a live traffic tab that will allow you to see current activity on the site, and if you’re undergoing a brute force attack, you’ll be able to see the IP addresses of the attackers. Combined with the tab to manually block an IP or IP range, you can do something about it.

Scan your site for Potential Problems.

If you’re running a free theme and want to check for possible exploits in the code, you should definitely install and run the “Exploit Scanner” plugin, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. It can be overwhelming and not every warning is an indication that you have malicious code, and may require a more trained eye to work with, but is a great and powerful tool.

Compromised Website? Get Help Sooner Rather Than Later.

Sometimes you don’t need to run a scan – you notice things like advertisements for the latest variety of Viagra or similar being prominently displayed on your site, or maybe just the mobile version of your site. If you want to run a test to be sure, here’s a site that will let you run a scan of your site to check for malicious activity or malware. Be patient, it takes awhile to complete. (It took about 5 minutes for my test to run).

Viruses, especially database injection viruses, can get evil and messy very quickly. If you suspect your site has been compromised and you don’t have the technical know-how to fix it, it’s better to get help from someone who does sooner rather than later. Every moment your site exists with a virus allows that virus to propagate through your site and make it harder to clean later on, so consider it important to treat this as an urgent matter.

To get help from TrekVisual for an infected website, visit our webmaster services page or contact us.

Is my Password Strong Enough?

Username: admin
Password: admin

You know that’s really not bright, but why? First, I’ll answer the question –

Why do I need a strong password? 

It may not be obvious, but a strong password will help prevent a successful brute force attack on your account (whether this is your FTP account or your WordPress website).

“(A brute force attack) consists of systematically checking all possible keys or passwords until the correct one is found.” (wiki) You’ve seen it in movies, a computer screen cycling through characters one by one until each one is a hit and ‘locks’. This is the basic concept behind

Give it a go, at this Brute Force Space Analysis calculator. Enter admin as a password. This is an accelerated test, with the smallest scenario showing how fast a password could be cracked with 1,000 attempts per second (3.43 hours). Now try a password like adm1n:) and it now estimates a successful crack would take centuries.

You should be aware that this calculator doesn’t tell a complete story. Many brute force attacks are ‘password dictionary’ attacks, meaning a dictionary of common passwords are tried. Admin, 123456, Password are some of the more common (obvious) dictionary passwords.

How do I create a strong password?

The strongest password should be as long as possible (if you’re allowed to use 24 characters, use them), with a minimum of 8 characters. Your password should include numbers and be MiXeDCase (using upper and lower case letters). Most importantly, special characters should be interspersed among numbers and letters.

1Password! is an example of a password that includes all of those recommendations, but is definitely not a strong password, because it’s obviously a commonly recognizable word that begins with a number and ends in a (meaningful) special character. You should avoid common words, and I’d even suggest avoiding the use of the number 1 and the exclamation point.

To create a completely random password, you can use a site like If you’re super careful bordering on paranoid, you can use two or more password generator sites and combine parts of the generated password from each. I can’t guarantee this method will create an easy to remember password, though. For ideas to create a strong password you can remember, check out How to Create a Strong Password You Can Remember.

*Funny note: While writing this blog entry we got an automated notice from our TrekVisual security program to notify us that one of our sites was undergoing a brute force attack. Username they tried? admin

How to Create a Strong Password You Can Remember

Long gone are the days when you could create a password by spelling your name backwards. Or using your numeric birth date.

To create a strong password, many websites now offer a ‘strength meter’ when you choose a password to show you how strong your password is as you create it. Long, meaningless strings of caps and lower case letters mixed with numbers and special characters make an awesome password – but trying remembering it without writing it down can mean lots of wasted time going through the ‘Lost Password’ process to recover and recreate another long, complicated password you won’t remember next time. The cycle continues.

Adding to that complexity, we need passwords for just about everything we do today online – and they should all be different. I haven’t ever actually counted my passwords, but as a rough estimate, I know I have over 300 different passwords.

Kind of reminds me of Susan Powter back in the 90s, yelling “Stop the Insanity!”

Here are some ideas for creating strong passwords you will actually remember.

  • Choose a favorite quote, or passage from a book or poem you love.Add special characters and numbers throughout as they make sense. For this example, I chose the following quote:

    “Know or listen to those who know.”

    You can turn that into a password like this:

    I converted each letter o to the number zero, changed the word ‘to’ to a number two, and added punctuation that I can remember in places that make sense to me. I also attributed the quote at the end with a dash followed by the last name.

  • Use that favorite quote, passage or line from a poem and create an acronym to use as a password:
    Using the example above, the password acronym would be K,0L2Twk-G 
  • Create a sentence that integrates the name or purpose of the website to make it unique

  • Make a tagline for your experience on that particular website and run with it in creating a strong password. For example, if I were creating a password for logging in to my Chase bank account where my house mortgage is held, I might come up with something like:

    S0m3d4y,1w1ll0wn*Ur*House,Chase! (Someday, I will own your house, Chase)

    (Note that some sites won’t let you use certain special characters, like the asterisk)

It doesn’t have to make sense to anyone but you…and better if it doesn’t! Be creative.

Finally, I’m not a big fan of electronic keychains or password collection apps. I recommend keeping your passwords written down in a secure location which doesn’t exist on any electronic device – ie., on paper. I know it’s a bit old-fashioned, but if it’s not anywhere you can access digitally, it’s not anywhere a hacker can access it digitally, either.

WordPress Security Tip: Update Regularly

Just because we look healthy doesn’t mean we are. Someone who looks to be in perfect physical condition can have a number of ‘invisible’ diseases or conditions. Likewise, (bare with me for a tree falling in the forest analogy for a moment), just because nobody sees the dust on the top shelf doesn’t mean it’s not there (as hard as I wish it not be true)! The same can be said for a website. Just because it looks good on the front end, doesn’t mean it is healthy or ‘dust-free’ on the back end. (Who wants a dusty back end, anyway?!)

Question: My website is working perfectly, and I can’t see any problems when I look at it, so why should I concern myself with available updates?

Updates are sometimes released because they include upgrades with new features, but they are often released because of a discovery about a vulnerability in the programming. Often that vulnerability is a security hole that was exploited by some mad genius and his team. As technology evolves, methods to implement and exploit that technology evolves. Maintaining a website is like owning the horse in the lead at the races – followed by hackers and evil geniuses just a neck behind. To stay in the lead, you have to keep your website on it’s “A” game, always. 

Conveniently, when you create a site with TrekVisual, we take care of the tedious updating stuff for you. You’ll not have to worry about having the latest release of anything, because we’re on top of it for you, so you can do the other important stuff, like running your business. Learn more about how our website monthly plan can make it a breeze to keep your site healthy.

Whether it’s your WordPress version, your PHP version or a plugin, you need to be sure your system is kept up to date, or you’re potentially a sitting duck. Don’t have time? Hire someone to do it for you, because the costs for not doing this will eventually catch up with you, and will end up costing more than paying for regular updates in time, money and frustration.

If there’s an update, there’s a reason. Update. Every time.

WordPress Security Tip: Don’t Install THAT Plugin!

One of the many ways you can contribute to the safety of your website is by refraining from installing that plugin – you know, the one that does that neat little thing you need it to do, but might have been developed in 1983? Just say no.

When we took a cruise this past spring, the toilet lid had a sign that asked ‘You want to flush WHAT?’ The little sign went on to explain how your thing-that-doesn’t-belong-in-a-flushing-toilet could stop up toilets for many people on the ship, including yourself…and toilet-less vacations do not make for a happy situation. (Only *I* could possibly create an analogy between flushing and website security.) That reminded me of how a ‘simple little plugin’ could cause damage on a much larger scale than might seem possible.

Just like in any profession, there are many levels of expertise in the world of PHP and WordPress developers. Even a plugin by a good-willed developer can cause major harm to a website if it’s written badly, includes outdated methods, has security holes, or all of the above by exposing your website to security vulnerabilities. It seems so small, so innocent, this nifty little plugin. It just does this one cool thing – how could it hurt? Believe me, just like a little virtual q-tip, one bad little plugin – harmless as it might seem – can quickly give you the ‘wish I hadn’t done that’ feeling.  Not only can it break your website and make it behave badly like curly hair on a rainy day, it can leave your website vulnerable to security issues. Did I forget to mention it can also make your webmaster a little richer? Yeah, that too.

TrekVisual website plugins have either been built by us, or have been purchased from reputable sources that we’ve worked with and trusted our business to for years. You won’t have to worry about finding plugins that are safe, because we take care of all that niggly stuff for you. (I decided today I love the word ‘niggly’ – it’s so much fun to say). If the plugin isn’t built by us, the TrekVisual team carefully evaluates plugins sourced from other companies, long before we make them available to you. We kick the virtual tires, if you will, so you can just enjoy the ride. If you’re building a custom website with us and will be using our website monthly plan, we’ve got you covered. You won’t have to worry about unsafe plugins.

How do you know if a Plugin is safe? That’s a difficult question to answer, in a way that would be helpful to someone who’s not a coder. The short answer is, you don’t.

You might expect a plugin listed in the WordPress repository would be safe. You might expect a plugin you have to pay for would be safe. You might expect a plugin that’s been around for a long time and has a lot of great reviews is safe. None of the above are always going to be the case.

There was a very popular script (called “TimThumb”) a number of years ago. A security hole was found and exploited, causing major havoc in the industry. The script was SO widely used by WordPress users that, as a result of the vulnerability attack, caused many people to question the security of building WordPress websites. The script itself was not malicious, by far, but an exploit was found and taken advantage of by hackers, making the script a major security risk to anyone who used it. Though it had a long history and a solid reputation, one vulnerability made it insecure.

Soon I’ll be writing about our favorite plugins here in the TrekVisual blog, so stay tuned for more!