I recently had to research how to protect my own weblogs and those of my clients after one got badly hacked.

To protect my weblogs I have ended up installing even more plugins than I had before. I’m not keen on doing this, since invariably there crops up a plugin that one installs that all of a sudden makes the simplest action no longer possible. For example, I recently tried to help a friend out who was having problems with his polls plugin. I did some research and ultimately, after testing the WP-Polls plugin on one of my sites, suggested he try it. I left the WP-Polls plugin on my site, but found that I was unable to insert a hard break (a line) in between my photos in a post. This was a bit of a disaster since this site is a photo gallery site. I tried all sorts of options – including the HTML route which I prefer – all to no avail. Suddenly my WordPress photo gallery site decided that it no longer liked paragraphs, nor did it want to display my photos neatly with a line in between each of the series of photos. I knew this was due to the WP-Polls plugin because it’s the only major back-end change I have made in the last few days. At some point I will probably uninstall the WP-Polls plugin, but for the time being I might make use of it. :) To make the page break reappear I had to install – yet another plugin – the TinyMCE Advanced plugin.

The plugins I am currently using for security purposes are as follows:

Akismet – This plugin comes standard with the WordPress installation, and captures 99% of spam.

Antivirus for WordPress – Monitors malicious injections, and warns you of any possible attacks by sending you an e-mail if this has happened. Obviously if you receive the dreaded e-mail to say that your site has been compromised, you’ll need to manually fix the hack. If you take regular backups of

WordPress Exploit Scanner – Searches your site for compromised files and database records. It will not stop someone hacking into your site, but might help you find any compromised files left by the hacker.

WP Security Scan – Performs a security scan of your WordPress installation. Where necessary, it gives recommendations to secure your site.

WP Captcha Free – This plugin works in the background by blocking comment spam, without using captcha.

TAC (Theme Authenticity Checker) – Scans all of your theme files for potentially malicious and unwanted code.

After reading an article or two on WordPress security, I now also have introduced plain, empty “index.html” files into my plugins and themes folders. This is especially good for thwarting hackers getting into your themes files. I did try putting the “index.html” file into other WordPress folders too to secure them even more, but… it stops various parts of WordPress from doing their job!
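As an added example (not code from the original post), this Python check reports whether the plugins and themes folders hold an index file and creates the empty “index.html” only in those two top-level folders, as described above. It assumes the standard wp-content/plugins and wp-content/themes layout; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Files a web server serves instead of generating a directory listing.
INDEX_NAMES = ("index.html", "index.htm", "index.php")
TARGET_DIRS = ("wp-content/plugins", "wp-content/themes")  # folders the post names

def has_index(path):
    return any(os.path.isfile(os.path.join(path, n)) for n in INDEX_NAMES)

def missing_index(wp_root, include_children=False):
    """List folders (relative to wp_root) that hold no index file."""
    missing = []
    for rel in TARGET_DIRS:
        top = os.path.join(wp_root, *rel.split("/"))
        if not os.path.isdir(top):
            continue
        if not has_index(top):
            missing.append(rel)
        if include_children:  # each plugin/theme folder is checked separately
            for name in sorted(os.listdir(top)):
                child = os.path.join(top, name)
                if os.path.isdir(child) and not has_index(child):
                    missing.append(rel + "/" + name)
    return missing

def add_empty_index(wp_root):
    """Create an empty index.html in each top-level target lacking an index."""
    fixed = missing_index(wp_root)
    for rel in fixed:
        target = os.path.join(wp_root, *rel.split("/"), "index.html")
        with open(target, "x"):  # "x" never overwrites an existing file
            pass
    return fixed

def build_sample_site():
    """Constructed sample tree: themes/ has index.php, plugins/ has none."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "plugins", "wp-polls"))
    theme = os.path.join(root, "wp-content", "themes", "mytheme")
    os.makedirs(theme)
    for folder in (os.path.dirname(theme), theme):
        with open(os.path.join(folder, "index.php"), "w") as fh:
            fh.write("<?php // constructed placeholder\n")
    return root

if __name__ == "__main__":
    site = build_sample_site()
    print("created in:", add_empty_index(site))
    print("still unindexed:", missing_index(site, include_children=True))
```

The `include_children` pass is report-only: an index file in plugins/ does not cover each plugin's own subfolder, and the script leaves those untouched.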

Lastly, not quite security plugins, but recommended all the same, are the following which I now could not live without.

WP-Optimize – Helps you to keep your database clean by removing post revisions and spam. Also runs the optimise command on your WordPress database (use with caution).

Broken Link Checker – Checks your posts for broken links and missing images, and notifies you on the dashboard if any are found. This plugin does have a tiny glitch, in that sometimes it reports a broken link when there isn’t one (which threw me at first) but if you refresh the page it will re-verify the links and, hopefully, report that there are none.

I know that this list is not exhaustive, and that there are many more plugins and different ways of securing your WordPress blog – I have tried many. At the end of the day, be aware that the more you secure your blog, the more time you will sometimes spend having to temporarily deactivate the plugins, or whatever, just to make some minor amendment to your site which the added security enhancements won’t let you do.

Personally, I like to run a blog with as few plugins as possible. I prefer to hardcode rather than have 20-odd plugins using up my web space, which results in having to continually update them, and which invariably will conflict either with another plugin or with the next upgrade of WordPress.
