WordPress Security

Google Authenticator

  
The Google Authenticator plugin for WordPress gives you two-factor authentication using the Google Authenticator app for Android/iPhone/Blackberry.

If you are security aware, you may already have the Google Authenticator app installed on your smartphone, using it for two-factor authentication on your Gmail or Google Apps account.

The two-factor authentication requirement can be enabled on a per-user basis. You could enable it for your administrator account, but log in as usual with less privileged accounts.

If you need to maintain your blog from an Android/iPhone app, or from any other software that uses the XML-RPC interface, you can enable the App password feature in this plugin. Note that an app password bypasses the second factor for XML-RPC logins, so it is a single-factor credential for everything XML-RPC can do; enabling it makes your blog less secure.


Installation

  • Install and activate the plugin.
  • Enter a description on the Users -> Profile and Personal options page, in the Google Authenticator section.
  • Scan the generated QR code with your phone, or enter the secret manually (remember to pick the time-based type, not the counter-based one).
  • Remember to hit the Update profile button at the bottom of the page before leaving the Personal options page.
  • That's it, your WordPress blog is now a little more secure.
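What the app and the plugin agree on is RFC 6238 TOTP: the base32 secret from the QR code, a 30-second step and a 6-digit HMAC-SHA1 code. The following is an added example of the server-side check, not the plugin's own code; the secret is the RFC 6238 test key (ASCII "12345678901234567890") in base32, and the skew window and replay guard are design choices of this example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(base32_secret: str) -> bytes:
    """The secret shown under the QR code is base32 (what the app's manual entry expects);
    re-add any '=' padding the display stripped."""
    s = base32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(base32_secret: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    30 s and 6 digits are what the Google Authenticator app uses."""
    return hotp(decode_secret(base32_secret), at // step, digits)


def verify_totp(base32_secret: str, submitted: str, at: Optional[int] = None,
                window: int = 1, last_used_counter: int = -1,
                step: int = 30, digits: int = 6) -> Tuple[bool, int]:
    """Server-side check. Accepts the current step and `window` steps either side to
    absorb phone/server clock skew, and refuses any counter at or below the last one
    consumed, so a sniffed code cannot be replayed inside its 30 s lifetime.
    Returns (ok, counter_to_persist); store the counter with the user on success."""
    at = int(time.time()) if at is None else at
    key = decode_secret(base32_secret)
    counter = at // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), submitted):
            return True, candidate
    return False, last_used_counter


# RFC 6238 test key "12345678901234567890" as the base32 string a user would type in.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```

With `SECRET` and the RFC's own timestamps, `totp(SECRET, 59)` is "287082" and `totp(SECRET, 1111111109)` is "081804"; `verify_totp(SECRET, "287082", at=89)` still accepts the code one step late, and passing `last_used_counter=1` afterwards rejects the same code.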

 

WP Email Login

Lets you use your email address to log into your WordPress account instead of a username.

Since email addresses are required to be unique within WordPress anyway, they also make good identifiers for logging in. For slightly better security, set your username to something random and then just forget it and use your email address instead. Bear in mind that the username is not a secret: by default the author archive URL (?author=1) redirects to a slug derived from the login name, so this reduces the guessable information an attacker starts with rather than hiding it.

Installation

  • Unzip and upload /wp-email-login/ to the /wp-content/plugins/ directory
  • Activate the plugin through the 'Plugins' menu in WordPress
  • Log out, log in again using the email address associated with your WordPress account.

 

Limit Login Attempts

Limit the number of login attempts possible both through normal login as well as using auth cookies.

By default WordPress allows unlimited login attempts, either through the login page or by sending specially crafted auth cookies. This lets passwords (or the cookie hashes) be guessed by brute force with relative ease.

Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.

Features

  • Limit the number of retry attempts when logging in (for each IP). Fully customizable
  • Limit the number of attempts to log in using auth cookies in same way
  • Informs user about remaining retries or lockout time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy

Plugin uses standard actions and filters only.

Installation

  • Download and extract the plugin files to the wp-content/plugins directory.
  • Activate the plugin through the WordPress admin interface.
  • Customize the settings on the options page, if desired. If your server sits behind a reverse proxy, make sure to change this setting so the plugin reads the client address from the forwarded header rather than the proxy's own address; if there is no proxy, leave it off, because that header is then attacker-controlled and a client could present a fresh address on every attempt.
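The mechanics of the per-IP counter, the timed lockout and the reverse-proxy setting, as an added example that is not the plugin's code: the 4 retries / 20 minutes defaults copy the plugin's, everything else (the trusted-proxy list, the unsafe "trust anyone" switch that is only there to show the bypass, and the constructed attacker traffic) is this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List


@dataclass
class LoginLimiter:
    """Per-IP retry counter with a timed lockout (constructed illustration)."""
    allowed_retries: int = 4
    lockout_seconds: int = 20 * 60
    # Reverse proxies whose X-Forwarded-For header we believe. Empty = no proxy.
    trusted_proxies: FrozenSet[str] = frozenset()
    # Unsafe shortcut kept only to demonstrate the bypass: believe the header from anyone.
    trust_any_forwarded_for: bool = False
    retries: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def client_ip(self, environ: dict) -> str:
        remote = environ["REMOTE_ADDR"]
        xff = environ.get("HTTP_X_FORWARDED_FOR", "")
        if xff and (self.trust_any_forwarded_for or remote in self.trusted_proxies):
            # Use the address your own proxy appended (rightmost). The entries to
            # its left are whatever the client chose to send.
            return xff.split(",")[-1].strip()
        return remote

    def attempt(self, environ: dict, password_ok: bool, now: float) -> str:
        ip = self.client_ip(environ)
        if now < self.locked_until.get(ip, 0.0):
            return "locked"            # refuse before the password is even checked
        if password_ok:
            self.retries.pop(ip, None)
            return "ok"
        count = self.retries.get(ip, 0) + 1
        if count >= self.allowed_retries:
            self.retries.pop(ip, None)
            self.locked_until[ip] = now + self.lockout_seconds
            return "locked"
        self.retries[ip] = count
        return f"failed ({self.allowed_retries - count} left)"


PROXY = "192.0.2.1"        # the site's own reverse proxy (constructed)
ATTACKER = "203.0.113.9"   # constructed attacker address


def bruteforce(limiter: LoginLimiter, via_proxy: bool = False,
               forge_xff: bool = False, tries: int = 6) -> List[str]:
    """Constructed attacker traffic: a wrong password every time. With forge_xff the
    attacker writes a fresh X-Forwarded-For value on each request; with via_proxy the
    requests pass through PROXY, which appends the real peer address to that header."""
    results = []
    for i in range(tries):
        forged = f"198.51.100.{i}" if forge_xff else ""
        if via_proxy:
            chain = ", ".join(h for h in (forged, ATTACKER) if h)
            environ = {"REMOTE_ADDR": PROXY, "HTTP_X_FORWARDED_FOR": chain}
        else:
            environ = {"REMOTE_ADDR": ATTACKER}
            if forged:
                environ["HTTP_X_FORWARDED_FOR"] = forged
        results.append(limiter.attempt(environ, password_ok=False, now=1000.0 + i))
    return results
```

`bruteforce(LoginLimiter(), forge_xff=True)` locks the attacker out on the fourth try because the forged header is ignored; `bruteforce(LoginLimiter(trusted_proxies=frozenset({PROXY})), via_proxy=True, forge_xff=True)` locks out just the same because the rightmost entry is the one the proxy wrote; `bruteforce(LoginLimiter(trust_any_forwarded_for=True), forge_xff=True)` never locks anyone, which is the misconfiguration the reverse-proxy setting must not be used to create.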

 

WP Login Security

WP Login Security provides enhanced security for blog administrators by requiring administrators to register or whitelist their IP address. If the IP address is not recognized, the plugin will send an email to the blog administrator with a link that contains a one-time key.

What does this Plugin do?

  • Each time a user logs in, the plugin compares their current IP address with the last seen IP address.
  • If the IP does not match, or no IP addresses have been whitelisted, an email is sent to the user's registered email address.
  • The user must log in to their email and click the included link, which contains the one-time key. Note: passwords expire after
  • The plugin can be configured to also send an email to the blog administrator as well as the user.


Upcoming Features

  • Ability to update whitelist from within admin interface.
  • Custom set expiry time for one-time key
  • Admin activity audit/access log

Installation
This plugin works without any further configuration.

  • Search for the plugin using the WordPress Plugin Installer OR download and unzip the directory into your plugins directory
  • Activate the Plugin through the 'Plugins' menu in WordPress – Upon activation, your current IP will be automatically whitelisted.
  • Enjoy the enhanced security!
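The last-seen-IP check and the e-mailed one-time key, as an added example that is not the plugin's code. The page does not say how long a key lives, so the 15-minute TTL is an assumption, as are the link format (a constructed https://blog.example URL) and the choice to require the link to be opened from the address that triggered it; the user names, addresses and timestamps are constructed.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IpGate:
    key_ttl: int = 15 * 60                                                    # assumed expiry
    whitelist: Dict[str, str] = field(default_factory=dict)                   # user -> allowed IP
    pending: Dict[str, Tuple[str, str, float]] = field(default_factory=dict)  # user -> (key, ip, expiry)
    outbox: List[Tuple[str, str]] = field(default_factory=list)               # (user, link) "sent"

    def login(self, user: str, ip: str, now: float) -> str:
        """Runs after the password check has already passed."""
        if self.whitelist.get(user) == ip:
            return "granted"
        key = secrets.token_urlsafe(32)                     # 256 bits from the OS CSPRNG
        self.pending[user] = (key, ip, now + self.key_ttl)  # a new request replaces any old key
        self.outbox.append((user, f"https://blog.example/wp-login.php?otk={key}"))  # constructed URL
        return "check your e-mail"

    def redeem(self, user: str, key: str, ip: str, now: float) -> str:
        entry = self.pending.get(user)
        if entry is None:
            return "no key outstanding"                    # never issued, or already used
        real_key, requested_from, expires = entry
        if now > expires:
            del self.pending[user]
            return "key expired"
        if not hmac.compare_digest(real_key, key):         # constant-time comparison
            return "bad key"
        if ip != requested_from:
            return "wrong address"                         # link opened from somewhere else
        del self.pending[user]                             # one-time: consumed on success
        self.whitelist[user] = ip
        return "granted"


def walkthrough() -> List[str]:
    """The flow for one user, with constructed addresses and timestamps."""
    gate = IpGate()
    log = [gate.login("editor", "203.0.113.5", now=0.0)]                  # unknown IP: e-mail sent
    key = gate.outbox[-1][1].rsplit("otk=", 1)[1]                          # user opens the link
    log.append(gate.redeem("editor", key, "203.0.113.5", now=60.0))        # granted, IP whitelisted
    log.append(gate.redeem("editor", key, "203.0.113.5", now=61.0))        # same link again: dead
    log.append(gate.login("editor", "203.0.113.5", now=120.0))             # known IP: straight in
    log.append(gate.login("editor", "198.51.100.7", now=180.0))            # new IP: e-mail again
    key2 = gate.outbox[-1][1].rsplit("otk=", 1)[1]
    log.append(gate.redeem("editor", key2, "198.51.100.7", now=180.0 + gate.key_ttl + 1))  # too late
    return log
```

`walkthrough()` returns, in order: "check your e-mail", "granted", "no key outstanding", "granted", "check your e-mail", "key expired". The key is consumed on first use and compared in constant time; because the gate runs only after the password check, an attacker who has the password still needs the mailbox.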

 

Login Lock

Login Lock provides a number of security enhancing features:

  • Enforces strong password selection policies.
  • Monitors login attempts.
  • Blocks IP addresses for too many failed login attempts.
  • Lets you manually unblock IP addresses at any time.
  • Lets you forcibly log out all users immediately and require that they all change their passwords before logging back in.
  • Lets you forcibly log out idle users after a configurable number of minutes.


Enforce Strong Password Policies

  • Define which types of characters must be used in passwords.
  • Define the minimum required password length.
  • Define how long a password is valid before it must be changed.
  • Prevent users from reusing the same passwords repeatedly.
  • Prevent users from choosing common passwords, includes a list of more than 3100 common passwords.

 

Emergency Lock Down
If your site is ever hacked, you need to make sure the intruder is forced to log out and can no longer log back in.

Login Lock provides an emergency "panic button" that, when used, immediately logs out all users, resets all user passwords to a random value, and sends each user an email message informing them that they must change their password before logging back in to your site.

Installation

  • Extract the zip file and upload all files into your plugins directory, making sure to put the files in their own unique folder.
  • Activate the plugin.
  • Go to "Settings->Login Lock" to configure the plugin features.

Chap Secure Login

Chap Secure Login lets you log in without sending the password itself. It applies a CHAP-style challenge-response: the server issues a random number (nonce) for the session, and the browser sends a SHA-256 hash derived from the nonce and the password; the only information transmitted in clear is the username. This is meant for sites that cannot use SSL or another secure transport. Note that it protects the password alone: the authentication cookie WordPress sets after a successful login still travels in clear, so an eavesdropper who cannot learn the password can still hijack the session, and a weak password can still be guessed offline against a captured nonce/response pair. Treat it as a stop-gap where HTTPS is genuinely unavailable, not as an alternative to it.
The first time you use this plugin it tends to give an error; the next login attempt will work.
This is a zero-configuration plugin.
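The exchange between browser and server, as an added example rather than the plugin's code. The page does not give the plugin's exact construction, so SHA-256(nonce || password) is assumed here; the user table is constructed. The last function shows the residual risk named above: a passive listener with one captured pair can run a dictionary attack without touching the server again.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


def chap_response(nonce: str, password: str) -> str:
    """Client side: what goes on the wire instead of the password.
    Construction assumed for this illustration: SHA-256(nonce || password)."""
    return hashlib.sha256((nonce + password).encode("utf-8")).hexdigest()


class ChapServer:
    """Server side. Holds the users' passwords (constructed table) because a scheme of
    this shape must recompute SHA-256(nonce || password); a salted one-way hash of the
    password, as WordPress normally stores, would not let it. That is its own drawback."""

    def __init__(self, passwords: Dict[str, str]):
        self._passwords = passwords
        self._nonces: Dict[str, str] = {}

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)               # fresh per login form
        self._nonces[username] = nonce
        return nonce

    def verify(self, username: str, response: str) -> bool:
        nonce = self._nonces.pop(username, None)    # each nonce answers once: no replay
        password = self._passwords.get(username)
        if nonce is None or password is None:
            return False
        return hmac.compare_digest(chap_response(nonce, password), response)


def offline_guess(nonce: str, response: str, wordlist: Iterable[str]) -> Optional[str]:
    """What a passive eavesdropper can still do with the captured (nonce, response) pair."""
    for guess in wordlist:
        if chap_response(nonce, guess) == response:
            return guess
    return None
```

A replayed response fails because the nonce was consumed; a wrong password fails the constant-time comparison; and `offline_guess` recovers a password that is in the word list from a single sniffed exchange, which is why the scheme does not remove the need for strong passwords.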

Installation

  • Upload the directory chap-secure-login to the /wp-content/plugins/ directory (Example: /wp-content/plugins/chap-secure-login/ )
  • Activate the plugin through the 'Plugins' menu in WordPress

 

WordPress HTTPS (SSL) 

Description

  • Supports Shared and Private SSL.
  • Helps reduce or completely fix partially encrypted / mixed content errors.
  • Force SSL on a per-page basis.
  • Force SSL in admin panel.

Installation

  • Upload the wordpress-https folder to the /wp-content/plugins/ directory.
  • Activate the plugin through the 'Plugins' menu in WordPress.


Notes:

To only make certain pages secure: In the Publish box on the add/edit post screen, a checkbox for 'Force SSL' has been added to make this process easy.

Getting 404 errors on all my pages: If you're using a public/shared SSL certificate, try disabling your custom permalink structure. Some public/shared SSL hosts have issues with WordPress permalinks because of the way they are configured.

How to fix partially encrypted/mixed content errors: To identify what is causing your page(s) to be insecure, please follow the instructions below.

  • Download Google Chrome.
  • Open the page you're having trouble with in Google Chrome.
  • Open the Developer Tools.
  • Click on the Console tab.

For each item that is making your page partially encrypted, you should see an entry in the console similar to "The page at https://www.example.com/ displayed insecure content from http://www.example.com/." Note that the URL that is loading insecure content is HTTP and not HTTPS.

If you see any external elements (not hosted on your server) loading over HTTP, try enabling the 'External HTTPS Elements' option in the WordPress HTTPS settings.

Any other insecure content warnings can generally be resolved by changing absolute references to elements, or removing the insecure elements from the page completely. Although WordPress HTTPS does its best to fix all insecure content, there are a few cases that are impossible to fix.

  • Elements loaded via JavaScript that are hard-coded to HTTP. Usually this can be fixed by altering the JavaScript calling these elements.
  • External elements that cannot be delivered over HTTPS. These elements will have to be removed from the page, or hosted locally so that they can be loaded over HTTPS.
  • YouTube videos – at the time this was written YouTube did not stream video over HTTPS, so embedded videos had to be removed from secure pages. (YouTube embeds are now served over HTTPS; re-check before removing anything.)
  • Google Maps – at the time of writing, loading Google Maps over HTTPS required a Google Maps API Premier account. (This restriction no longer applies; check the current API terms.)
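The console check above can be done ahead of time on the server side. The following is an added example, not part of WordPress HTTPS: it walks a page's HTML, reports every subresource (not navigation links) requested over plain http://, labels each as local or external, and applies the fix the plugin performs for the local ones. The sample page and host name are constructed.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# (tag, attribute) pairs the browser fetches as subresources; an <a href> is a
# navigation, not mixed content, so it is deliberately absent.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("source", "src"),
    ("video", "src"), ("audio", "src"), ("embed", "src"), ("object", "data"),
}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[Tuple[str, str, str]] = []   # (tag, url, "local" | "external")

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # only stylesheets and icons are fetched; canonical/alternate links are not
            rel = attrs.get("rel", "").lower().split()
            url = attrs.get("href", "") if ("stylesheet" in rel or "icon" in rel) else ""
        else:
            url = next((attrs[a] for t, a in SUBRESOURCE_ATTRS if t == tag and a in attrs), "")
        parts = urlsplit(url.strip())
        if parts.scheme.lower() == "http":            # "https://" and "//host/..." are fine
            host = (parts.hostname or "").lower()
            kind = "local" if host == self.page_host else "external"
            self.findings.append((tag, url, kind))


def find_mixed_content(html: str, page_host: str) -> List[Tuple[str, str, str]]:
    finder = MixedContentFinder(page_host)
    finder.feed(html)
    return finder.findings


def rewrite_local(html: str, page_host: str) -> str:
    """The fix for the local cases: point references to your own host at https://.
    External ones stay in the findings; they need an HTTPS source or removal."""
    return re.sub(r"http://" + re.escape(page_host) + r"(?=[/\"'\s>])",
                  "https://" + page_host, html, flags=re.IGNORECASE)


# Constructed page: two local and two external http:// subresources, plus things that
# look similar but are not mixed content (canonical link, protocol-relative script, anchor).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<link rel="canonical" href="http://www.example.com/hello-world/">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js"></script>
<script src="http://cdn.example.net/widget.js"></script>
</head><body>
<img src="https://www.example.com/wp-content/uploads/a.png">
<img src="http://www.example.com/wp-content/uploads/b.png">
<iframe src="http://www.youtube.com/embed/abc123"></iframe>
<a href="http://www.example.com/about/">About</a>
</body></html>"""
```

`find_mixed_content(SAMPLE_PAGE, "www.example.com")` reports the stylesheet and b.png as local and the widget script and the iframe as external; after `rewrite_local` only the two external ones remain, which matches the page's point that those must be served from an HTTPS source or dropped.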

 

BulletProof Security

BulletProof Security is a one-click .htaccess security plugin. Its root and wp-admin .htaccess rules reject requests whose URI or query string matches patterns typical of XSS, CSRF, Base64_encode and SQL Injection probes, and deny direct web access to wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html. It also offers a one-click Website Maintenance Mode (HTTP 503), additional checks (database errors off, file and folder permissions), a System Info page (PHP, MySQL, OS, memory usage, IP, maximum file sizes) and built-in .htaccess editing, uploading and downloading.

Everything is driven from the WordPress Dashboard: the plugin creates, copies, renames, moves or writes the supplied BulletProof Security .htaccess master files, so no FTP or hosting control-panel access is needed. Its modes are Root .htaccess protection, wp-admin .htaccess protection, Deny All .htaccess self-protection, WordPress default .htaccess mode and .htaccess Maintenance Mode (503 Website Under Maintenance).

Keep in mind that all of this is Apache request filtering. It works only where the web server honours .htaccess files (Apache with AllowOverride enabled), it does nothing on nginx or other servers, and a signature filter on the request line is a hurdle for automated probes rather than a fix for a vulnerable plugin or theme; keep patching regardless.

Maintenance Mode is AutoMagic as of BulletProof Security .46.1. Create your website under maintenance page within BulletProof Security in minutes and activate Maintenance Mode to put your website in maintenance mode. Maintenance Mode allows website developers or website owners to access and work on a website while a 503 Website Under Maintenance page is displayed to all other visitors to the website.
 

BulletProof Security provides the additional website security measures and protection that every website should have.

  • One-click .htaccess website security protection from within the WP Dashboard
  • .htaccess rules block requests matching XSS, CSRF, Base64_encode and SQL Injection attack patterns
  • Permanent online backup and restore
  • Built-in File Editing, File Downloading and File Uploading
  • WordPress readme.html and /wp-admin/install.php protected with .htaccess security protection
  • wp-config.php and bb-config.php files protected with .htaccess security protection
  • php.ini and php5.ini files protected with .htaccess security protection
  • WordPress database errors turned off – Verification and function insurance
  • WordPress version is not displayed / not shown – WordPress version is removed
  • WP Generator Meta Tag filtered – not displayed / not shown
  • The Administrator username “admin” check – check WP DB for admin username
  • System Information Page PHP, MySQL, Server Info, Memory Usage, Upload size, etc.
  • Security Status Page – Displays all website security status information
  • File and Folder Permission Checking
  • Help & FAQ page – links to BPS Guide and other detailed Help & Info pages
  • Extensive Read Me! help hover ToolTips throughout the BulletProof Security plugin pages
  • Backup and Restore your original existing .htaccess files
  • Backup and Restore customized / modified .htaccess files
  • Use, modify, edit or add to the provided BulletProof Security .htaccess Master files
  • Create your own .htaccess Master files and use BulletProof Security to manage them
  • Website Developer Maintenance Mode (503 website open to Developer / Site Owner ONLY)
  • Log in / out of your website while in Maintenance Mode
  • Customizable 503 Website Under Maintenance page w/Javascript countdown timer
  • Detailed Success / Error message display / HUD
  • BPS Pro Modules – BPS Pro Modules are installed separately

Installation

  • For BPS upgrades – Backup your files before upgrading.
  • BPS includes permanent online backup options.
  • For new installations – If you are downloading the zip file from the WordPress Plugin Directory.
  • Download the bulletproof-security.zip file to your computer and unzip it.
  • Upload the bulletproof-security folder (including all files within) to your /wp-content/plugins folder.
  • Activate the BulletProof Security plugin.
  • Activating the BulletProof Security Plugin DOES NOT activate any of the BulletProof Security .htaccess modes.
  • BulletProof Security has built-in Backup and Restore. Back up your existing .htaccess files first before activating BulletProof Security Modes.
  • Click on the Settings link under BulletProof Security on your Plugins page or click the WP Settings Panel, then BulletProof Security to go to the BulletProof Security Settings page.
  • Click on the Read Me First link at the top of the BulletProof Security Settings page. Enjoy!

 

Update Unique Keys – Plugin

In an effort to help make WordPress installations more secure, this plugin will use the WordPress hosted Unique Key generator to update the wp-config.php file with the following keys/salts:

  • AUTH_KEY
  • SECURE_AUTH_KEY
  • LOGGED_IN_KEY
  • NONCE_KEY
  • AUTH_SALT
  • SECURE_AUTH_SALT
  • LOGGED_IN_SALT
  • NONCE_SALT

If the wp-config.php file is not writable, then the plugin will show the key / salt values on the plugin options page so the admin can then manually update the wp-config.php file.

Installation

  • After downloading the Update Unique Keys plugin, unpack and upload the file to the wp-content/plugins folder on your website. Make sure to leave the directory structure of the archive intact so that all of the Update Unique Keys files are located in 'wp-content/plugins/updateuniquekeys/'
  • You will need to activate the Update Unique Keys plugin in order to update your wp-config.php file. Go to the Plugins tab and find Update Unique Keys in the list and click Activate.
  • After activating proceed to the plugin settings page (under Settings > Update Unique Keys) to update your keys and wp-config.php file.
  • You will be logged out as soon as the keys change, because WordPress signs its authentication and nonce cookies with these values; every other session on the site, including any an intruder is holding, is invalidated at the same moment. Simply log in again with the same username and password.
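The rotation itself, as an added example that is not the plugin's code and also serves Login Lock's "forcibly log out all users" case above, since invalidating the cookie keys ends every session at once. It generates the eight values locally from the OS CSPRNG instead of fetching them from the WordPress generator, rewrites the define() lines in place, inserts any that are missing before wp-settings.php is loaded, and falls back to printing the values when the file cannot be written, as the page describes. The sample wp-config.php is constructed.

```python
import re
import secrets
import string
from typing import Dict

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII minus the single quote and backslash, so a value can sit inside
# a single-quoted PHP string without escaping.
ALPHABET = "".join(c for c in string.digits + string.ascii_letters + string.punctuation
                   if c not in "'\\")

DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")


def generate_keys(length: int = 64) -> Dict[str, str]:
    """Eight independent 64-character secrets from the OS CSPRNG; produced locally so
    nothing leaves the box (the api.wordpress.org generator returns the same shape)."""
    return {k: "".join(secrets.choice(ALPHABET) for _ in range(length)) for k in KEYS}


def rewrite_config(config: str, keys: Dict[str, str]) -> str:
    """Replace each existing define() for the eight names in place; any that are missing
    are inserted before the line that loads wp-settings.php, where they must be defined."""
    seen = set()

    def replace(m: "re.Match") -> str:
        name = m.group("name")
        if name not in keys:
            return m.group(0)                 # DB_NAME and friends untouched
        seen.add(name)
        return f"define('{name}', '{keys[name]}');"

    out = DEFINE_RE.sub(replace, config)
    missing = [k for k in KEYS if k not in seen]
    if missing:
        block = "".join(f"define('{k}', '{keys[k]}');\n" for k in missing)
        anchor = re.search(r"^.*wp-settings\.php.*$", out, flags=re.MULTILINE)
        out = out[:anchor.start()] + block + out[anchor.start():] if anchor else out + block
    return out


def update_wp_config(path: str) -> Dict[str, str]:
    """Rotate the keys in a real wp-config.php. If the file is not writable, the new
    values are still returned (and printed) so they can be pasted in by hand."""
    keys = generate_keys()
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(rewrite_config(original, keys))
    except OSError as exc:
        print(f"{path} not writable ({exc}); set these manually:")
        for k in KEYS:
            print(f"define('{k}', '{keys[k]}');")
    return keys


# Constructed wp-config.php fragment: seven placeholder defines, NONCE_SALT left out on
# purpose to exercise the insert path.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""
```

`rewrite_config(SAMPLE_WP_CONFIG, generate_keys())` replaces the seven placeholders, leaves DB_NAME alone and adds the NONCE_SALT define above the require_once line; running it a second time with the same keys is a no-op.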

 

Content Security Policy – Plugin

Content Security Policy prevents content injection attacks by allowing admins to specify which sites they trust to serve JavaScript and other types of content in their site. Any content which is not explicitly allowed by the policy will be blocked from loading.

The Content Security Policy plugin provides WordPress administrators a mechanism to specify a custom policy, or adopt a recommended policy based on the types and sources of content present in their site.
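How a policy decides what loads, as an added example that is not the plugin's code: a small parser for the header format and a simplified source-expression matcher ('self', 'none', *, scheme:, and host sources with an optional scheme and a leading *. wildcard; paths and ports are ignored, and keyword, nonce and hash sources never match a URL), plus the fallback to default-src for the fetch directives a WordPress page usually cares about. The sample policy and the list of loads are constructed.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set (subset, enough here).
FALLS_BACK = {"script-src", "style-src", "img-src", "font-src", "connect-src",
              "media-src", "object-src", "frame-src"}


def parse_policy(header: str) -> Dict[str, List[str]]:
    """'script-src 'self' https://a; img-src *' -> {'script-src': ["'self'", 'https://a'], ...}"""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def source_matches(expr: str, url: str, page_origin: str) -> bool:
    expr = expr.lower()
    u = urlsplit(url)
    page = urlsplit(page_origin)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (u.scheme, u.hostname or "") == (page.scheme, page.hostname or "")
    if expr.startswith("'"):
        return False                           # 'unsafe-inline', nonces, hashes: not URLs
    if expr == "*":
        return u.scheme in ("http", "https")   # CSP's * still excludes data:, blob:, etc.
    if expr.endswith(":"):
        return u.scheme == expr[:-1]           # scheme source such as https: or data:
    scheme, _, rest = expr.rpartition("://")
    if scheme:
        if u.scheme != scheme:
            return False
    elif u.scheme not in ("https", page.scheme):
        return False                           # scheme-less host: page's scheme, or https
    host = rest.split("/")[0].split(":")[0]
    url_host = u.hostname or ""
    if host.startswith("*."):
        return url_host.endswith(host[1:])     # *.example.com does not match example.com
    return url_host == host


def allowed(policy: Dict[str, List[str]], directive: str, url: str, page_origin: str) -> bool:
    sources = policy.get(directive)
    if sources is None and directive in FALLS_BACK:
        sources = policy.get("default-src")
    if sources is None:
        return True                            # nothing governs this load
    return any(source_matches(s, url, page_origin) for s in sources)


def blocked(policy_header: str, loads: List[Tuple[str, str]], page_origin: str) -> List[Tuple[str, str]]:
    """The (directive, url) pairs the browser would refuse under this policy."""
    policy = parse_policy(policy_header)
    return [(d, u) for d, u in loads if not allowed(policy, d, u, page_origin)]


# Constructed policy for a typical WordPress front end, and the loads one page makes.
SAMPLE_POLICY = ("default-src 'self'; script-src 'self' https://*.googleapis.com; "
                 "img-src 'self' https: data:; frame-src https://www.youtube.com; object-src 'none'")
SAMPLE_LOADS = [
    ("script-src", "https://www.example.com/wp-includes/js/jquery/jquery.js"),
    ("script-src", "https://ajax.googleapis.com/ajax/libs/jquery/1.7/jquery.min.js"),
    ("script-src", "https://evil.example.net/miner.js"),
    ("script-src", "http://www.example.com/wp-content/plugins/x/x.js"),
    ("style-src", "https://www.example.com/wp-content/themes/t/style.css"),
    ("style-src", "https://fonts.googleapis.com/css?family=Open+Sans"),
    ("img-src", "https://cdn.example.net/a.png"),
    ("img-src", "http://cdn.example.net/a.png"),
    ("img-src", "data:image/gif;base64,R0lGODlhAQABAAAAACw="),
    ("frame-src", "https://www.youtube.com/embed/abc123"),
    ("frame-src", "https://youtube.com/embed/abc123"),
    ("object-src", "https://www.example.com/player.swf"),
]
```

`blocked(SAMPLE_POLICY, SAMPLE_LOADS, "https://www.example.com")` refuses six loads: the third-party script, the plugin script fetched over plain http (not 'self' on an https page), the Google Fonts stylesheet (style-src falls back to default-src 'self'), the http image, the iframe from youtube.com rather than www.youtube.com, and the Flash object. Everything else, including the data: image and the wildcard-matched googleapis script, loads.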
 

Installation

  • Upload content-security-policy.zip to the /wp-content/plugins/ directory and unzip
  • Activate the plugin through the 'Plugins' menu in WordPress
  • Configure a policy for your site in the 'Settings > CSP' menu