I’ve found Better WP Security and Bulletproof Security (same as leejosepho uses) to be complimentary security plugins. I use them on every site. I generally add the Sucuri Sitecheck Malware Scanner plugin as well. The plugin is free, but you might want to check out their paid service. Highly recommended and regarded in the community (though I don’t use it, do as I say, not as I do :).
There are other things you’ll want to do, Better WP Security will walk you through some of it. Here are a few things I always do.
- Keep WordPress, plugins, and theme(s) up-to-date!
- Make sure admin user doesn’t use ‘admin’ as username.
- Change userid for admin user (it’s usually 1).
- Change the database table prefix.
- Delete unused themes.
- Delete unused plugins.
- Delete wp-admin/install.php after install.
- Update the secret keys in wp-config.php.
- Move wp-config.php up a directory if I can.
- Delete the WP readme.
A few other plugins I use:
- Exploit Scanner (manual scan).
- TAC (Theme Authenticity Checker).
- Bad Behavior.
- Block Bad Queries.
- WordPress Firewall 2.
- WordPress File Monitor Plus.
- Ultimate Security Checker (another manual scanner that provides a “score”).
I used to use a separate Login Lockdown-type plugin, but that comes built in with Better WP Security (I’d recommend you limit login attempts, regardless of which plugin you use).
Then, there are more procedural things you can do like enforce strong passwords, whitelist IP addresses for admin login (only allow logins from certain IPs, maybe even only during certain times), require SSH for logins, etc.
A final caveat – I am not a security expert, but I have worked in web development for over 10 years, working on some very high traffic sites. I’ve read and follow who I consider to be WordPress security experts and have picked up a lot along the way.
