WordPress is an amazing free content management system, but it is also the target of every kind of attack you can think of; it's the Windows of the open source content management world. While it's impossible to prevent attacks completely, you can mitigate and track bad activity. Not only can you secure your blog, but there is a plethora of plugins out there that make your life a whole lot easier instead of reinventing the wheel each time.
These are the plugins that I use when developing a WordPress website. I use all of these, no exceptions.
If you're like most WordPress users or developers, you like options. While WordPress gives you support for custom fields out of the box, the ability of custom fields is quite limited; this is where Advanced Custom Fields steps in. This plugin will allow you to create custom image upload fields, WYSIWYG editor instances, file upload fields, colour picker fields, date picker fields and more. This seriously is a must-have if you want to make your WordPress install a lot easier to manage. It's hard to believe this plugin is free; there are paid add-ons which are a measly $25 each and can be used on unlimited websites.
This is a no-brainer. If your site gets a bit of traffic, this magical plugin will save you from the perils of having your site taken down. The ability to cache your pages as static HTML is worth installing it for alone: serving cached pages cuts page load time and reduces database calls almost to zero. Install it, configure it and thank me later. Combined with a cheap VPS, this plugin will actually handle quite a lot of traffic; on a cheap Linode hosting plan it works a treat.
People are still very sceptical about this plugin and until recently I was too, that was until I was tasked with building quite an advanced form within WordPress for a client and eventually ended up getting the plugin instead. You'll soon discover that there is no other alternative that matches the calibre of Gravity Forms. I hate to sound like a salesman, but the free alternative is Contact Form 7, which is good for simple forms; the moment you want a customisable form that allows every facet to be customised, Contact Form 7 starts to show its weak underbelly. Seriously, just buy the plugin. At $200 for the developer licence, you'll more than break even after just one site built. It's this or building forms from scratch, which takes forever.
When you're running the world's most popular content management system you're bound to be highly targeted. Although it's not just WordPress that falls prey to the simplest of all attacks: login dictionary attacks. Twitter famously got hacked via this attack a few years ago; protect your WordPress installation from repeated tries to guess your administration account password with this plugin.
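To show what a login-limiting plugin actually has to track, here is an added example (my own code, not the post's and not any plugin's) of a sliding-window lockout: after a number of failed logins from one address inside a time window, further attempts from that address are rejected for a cooling-off period, whatever password they carry. The thresholds, the `LoginLimiter` class and the sample events are all constructed for this illustration.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window failed-login limiter keyed by client IP (hypothetical).

    After `max_failures` failed logins within `window` seconds the address is
    locked out for `lockout` seconds, regardless of which username it tries.
    """

    def __init__(self, max_failures=5, window=600, lockout=1200):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout expires

    def _prune(self, ip, now):
        """Drop failures that have fallen out of the sliding window."""
        recent = self._failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:            # lockout expired: forget the old failures too
            del self._locked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; returns True if the address is now locked out."""
        if self.is_locked(ip, now):
            return True
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A genuine login clears the failure history for that address."""
        self._failures[ip].clear()

    def seconds_remaining(self, ip, now):
        until = self._locked_until.get(ip, now)
        return max(0, int(until - now))


def replay(events, limiter=None):
    """Feed (timestamp, ip, username, password_ok) events through a limiter.

    Returns (ip, username, outcome) per event, where outcome is 'allowed',
    'failed' or 'locked'. While locked, the password is never even checked.
    """
    limiter = limiter or LoginLimiter()
    outcomes = []
    for ts, ip, user, ok in events:
        if limiter.is_locked(ip, ts):
            outcomes.append((ip, user, "locked"))
            continue
        if ok:
            limiter.record_success(ip)
            outcomes.append((ip, user, "allowed"))
        else:
            limiter.record_failure(ip, ts)
            outcomes.append((ip, user, "failed"))
    return outcomes


# Constructed sample: a dictionary run against 'admin' from one documentation-range
# address, interleaved with a legitimate editor logging in from another.
SAMPLE_EVENTS = [
    (1000, "203.0.113.7", "admin", False),
    (1001, "203.0.113.7", "admin", False),
    (1002, "198.51.100.4", "editor", True),
    (1003, "203.0.113.7", "admin", False),
    (1004, "203.0.113.7", "administrator", False),
    (1005, "203.0.113.7", "admin", False),   # fifth failure in the window: lockout
    (1006, "203.0.113.7", "admin", True),    # right password, but the address is locked
    (1060, "198.51.100.4", "editor", True),
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(*row)
```

Keying on the address rather than the username is what stops a guess-per-username sweep, and clearing history on success keeps a forgetful legitimate user from being punished for yesterday's typos. A real deployment also needs to read the client address from the right place (a proxy's forwarded header when one is in front of the site, otherwise every visitor shares one lockout bucket).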
Leading on from number 4, a firewall plugin is a must. WordPress has this nasty problem of rogue plugins, improper file permissions and even outdated core files of WordPress itself allowing attackers to upload and inject rogue code into your website. I once ran into an instance where an attacker managed to inject a bunch of eval'd base64 PHP code at the top of the page that would redirect users to pharmacy websites if they visited from a search engine. This is the kind of plugin that will not only block nasty request methods like PUT, DELETE and TRACK but will also analyse query strings and the like, protecting against SQL injection and other points of entry.
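To make the two jobs described here concrete (refusing unneeded request methods, and inspecting query strings for injection attempts), here is an added example of my own, not code from the post or from any firewall plugin. It classifies Apache combined-log lines as allow or block. The method list, the signature set and the sample log are constructed for the illustration; a real firewall plugin carries a far larger rule set and runs on the live request rather than the log.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Request methods a blog never needs from anonymous visitors. The text names
# PUT, DELETE and TRACK; TRACK is the IIS spelling of TRACE, so both appear here.
BLOCKED_METHODS = {"PUT", "DELETE", "TRACE", "TRACK", "CONNECT"}

# Signature set constructed for this example. Each covers one class the text
# mentions (injected eval'd base64 PHP, SQL injection) plus the traversal and
# script probes that usually arrive in the same query strings.
SIGNATURES = [
    ("php_code_injection",
     re.compile(r"\b(base64_decode|eval|system|passthru|shell_exec)\s*\(", re.I)),
    ("sql_injection",
     re.compile(r"union\s+(all\s+)?select|information_schema|\b(sleep|benchmark)\s*\(|'\s*(or|and)\s+['\d]", re.I)),
    ("path_traversal",
     re.compile(r"\.\./|\.\.\\|/etc/passwd|/proc/self", re.I)),
    ("xss_probe",
     re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I)),
]

# Apache combined log: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def normalise(value, rounds=3):
    """Percent-decode repeatedly (probes are often double-encoded) until stable."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, path, query):
    """Decide whether one request should be served. Returns (decision, reason)."""
    method = method.upper()
    if method in BLOCKED_METHODS:
        return "block", f"method {method} not permitted"
    # Inspect the path plus every decoded key=value pair of the query string.
    haystacks = [normalise(path)]
    for key, value in parse_qsl(query, keep_blank_values=True):
        haystacks.append(f"{normalise(key)}={normalise(value)}")
    for text in haystacks:
        for name, pattern in SIGNATURES:
            if pattern.search(text):
                return "block", f"{name} in {text!r}"
    return "allow", ""


def triage(log_text):
    """Run inspect_request over combined-log lines; returns one tuple per parsed line."""
    results = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, method, target, _status, _size = m.groups()
        path, _, query = target.partition("?")
        decision, reason = inspect_request(method, path, query)
        results.append((ip, method, target, decision, reason))
    return results


# Constructed sample traffic: ordinary blog hits mixed with the probes a WordPress
# site sees daily. Addresses are from documentation ranges, not real visitors.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Mar/2013:12:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 5120
198.51.100.5 - - [10/Mar/2013:12:00:02 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0
203.0.113.9 - - [10/Mar/2013:12:00:03 +0000] "GET /?s=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2013:12:00:04 +0000] "TRACK / HTTP/1.1" 200 0
203.0.113.9 - - [10/Mar/2013:12:00:05 +0000] "GET /index.php?cmd=eval(base64_decode(%22aGk%3D%22)) HTTP/1.1" 500 0
203.0.113.9 - - [10/Mar/2013:12:00:06 +0000] "GET /?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
203.0.113.9 - - [10/Mar/2013:12:00:07 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for ip, method, target, decision, reason in triage(SAMPLE_LOG):
        print(f"{decision:5} {ip:14} {method:5} {target}  {reason}")
```

The repeated percent-decoding is the part most home-grown filters get wrong: a single decode sees `%252e%252e%252f` as harmless text, while the web server and PHP may well decode it again further down the line. Run over a day's access log, the `block` rows also tell you which addresses are worth feeding into the login limiter above or into a server-level deny list.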