The combination of plugins listed below is recommended to make your WordPress blog more secure. The individual plugins may not be the best available, but together they work very well for your site.

A word of caution here. My recommendations are based on the following assumptions:

– That what you have is a fresh WordPress installation. This would also work on an old installation, but security plugins that are already installed may conflict with some of my recommendations, so please proceed with caution.
– These installations are not one-offs. The developers release updates regularly to keep abreast of new vulnerabilities, so always update these plugins whenever updates are available.
– Ensure your WordPress installation is updated regularly.
– Especially for old WordPress installations, I would suggest you test these plugins on a test server before deploying them to your production or live site. A test server could be a subdomain of your main site but, preferably, an entirely different site.

You may report any issues you encounter through my Twitter handle @diaryofageek

BackWPup
I consider this plugin very important and probably the best defense against hack attacks or any other misadventure your blog may suffer. A good backup can have you back online within minutes of your site going down.

Note: This plugin only backs up your blog site. Any other services on your site, such as email, would not be backed up effectively. I recommend you use the free Google Apps email service for your email, which ensures your email stays up no matter what happens to your site.

BackWPup comes highly recommended not simply because it does what it claims to do well, but because you get an otherwise premium service for free. This plugin lets you back up your blog to a local folder, to email, to a remote FTP site (which could be another shared hosting account) or, interestingly, to a range of free (and premium) cloud storage services such as Amazon S3, Google Storage, Microsoft Azure (Blob), RackSpaceCloud, Dropbox, SugarSync, etc.

The plugin can be scheduled to run backups on a regular basis with no input from you.

Bad Behavior

Most hack attacks are not personal; they are automated. These website-cracking tools seek out blogs that still have known vulnerabilities that have not been patched.

Bad Behavior runs before your software on each request to your Web site, so if a spam bot does visit, it will receive nothing. When Bad Behavior looks at a request, it determines if the request matches a profile of known malicious or spammy activity, which falls outside the bounds of a normal human browsing the web. If so, the request is blocked.

BulletProof Security

BPS Free covers one very important aspect of website security: secure .htaccess files that block browser-based hacking attempts. The best feature of the plugin is that it is designed to be fast, simple and convenient. It lets you activate .htaccess website security from within your WordPress blog's dashboard.

Login LockDown

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery, especially for the admin account. Currently the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.

The plugin has not been updated recently but it still does what it was intended to do very well.

TimThumb Vulnerability Scanner

Quite a number of WordPress themes, especially the fancy third-party ones, come with a script called TimThumb embedded in them. Unfortunately, hackers have exploited loopholes in this script to bring down a lot of WordPress blogs. You can read more about this here.

The TimThumb Vulnerability Scanner plugin will scan your entire blog for instances of any outdated and insecure version of the TimThumb script, and give you the option to upgrade them automatically with a single click. Doing so will protect you from hackers looking to exploit this particular vulnerability.

WordPress File Monitor Plus

If the worst happens and someone breaks into your site, they will most likely add files to it. These extra files can act as backdoors, which can potentially allow hackers to execute files from their own servers. Such files can hijack your traffic, place unwanted ads or links on your pages and plant malware on your visitors' computers. This plugin monitors your WordPress installation for added, deleted or changed files. When a change is detected, an email alert can be sent to a specified address.
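The added/deleted/changed detection described above, as an added Python example (not the plugin's code): it hashes every file under a root into a baseline, then diffs a later snapshot against it. The demo builds a constructed mini site in a temporary directory, so the file names and contents are placeholders, not anything from a real installation.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (path relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Return (added, deleted, changed) as sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, deleted, changed


def demo():
    """Constructed scenario in a temp dir: one file added, one edited, one deleted."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        with open(os.path.join(uploads, "photo.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff")          # constructed stand-in for an image
        baseline = snapshot(root)              # what the plugin would store on install
        # Changes an alert should flag: an unexpected .php in uploads, a modified
        # core file, and a removed upload.
        with open(os.path.join(uploads, "unexpected.php"), "w") as f:
            f.write("<?php // not part of the site\n")
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// modified\n")
        os.remove(os.path.join(uploads, "photo.jpg"))
        return diff_snapshots(baseline, snapshot(root))
```

In practice the baseline would be stored outside the web root and the diff run on a schedule, with the three lists forming the body of the alert email.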

While no claims are being made that these plugins would make your site “hack-proof”, they would definitely serve as a deterrent to a would-be opportunist hacker.

This list is by no means exhaustive; suggestions and recommendations are always welcome.


5 Responses

  1. This is just great. Exactly what I’ve been looking for. Now I can safely install WordPress on my main site with peace of mind. Till date, I’ve been using RVSitebuilder with its cumbersome and not so user-friendly interface.

    However, I would like to ask if any of these plugins would affect the functions of Google Analytics code and Google crawlers accessing the site. Also, do they have effects on ads like Google AdSense, etc.?

    1. I do not expect any of my recommended plugins to have any effect on the ones you listed.

      However, unless you are very sure of what you are doing, try to stick to recently updated plugins that are listed as being compatible with the version of WordPress you are using. You save yourself a lot of stress with this.

    1. Yeah, that would be a good way to look at it. Amazing how some plugins can transform an ordinary looking blog.
