WordPress plugins for Better Security

In recent weeks I have created and published two WordPress plugins, my first but certainly not last additions to the plugins library.

Better Passwords

This is a WordPress plugin that stops the use of bad passwords, including those in the Have I Been Pwned? breached password database.

This plugin sets a default minimum password length of 10 characters, so that passwords are long enough to be hard to guess. However, it does not insist on any complexity rules, such as digits and special characters, as length is the most important factor in making a password hard to guess.

This plugin uses Troy Hunt’s Pwned Passwords API in order to check a user’s potential password against a corpus of breached passwords.

The password itself is never sent to any third party; only a partial hash is sent. This means that the password entered always stays private.
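The following is an added example, not the plugin's own code, showing how the two checks described above can be wired into WordPress: a minimum length, and a lookup of the candidate password against the Pwned Passwords range API in which only the first five hex characters of the SHA-1 hash leave the server and the rest of the comparison happens locally. The constant name, function names and the fail-open behaviour on a network error are assumptions made for this example.

```php
<?php
/*
 * Added example (not the plugin's own code): enforce a minimum length and
 * consult the Pwned Passwords range API. Only the first five hex characters
 * of the SHA-1 hash are transmitted; matching the remaining 35 is done here.
 */

const BP_MIN_LENGTH = 10; // constructed default, matching the minimum the post describes

/**
 * Returns null when the password is acceptable, otherwise a human-readable reason.
 */
function bp_password_problem(string $password): ?string {
    if (strlen($password) < BP_MIN_LENGTH) {
        return sprintf('Passwords must be at least %d characters long.', BP_MIN_LENGTH);
    }

    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5); // the only part that is sent to the API
    $suffix = substr($hash, 5);    // compared locally against the returned range

    $response = wp_remote_get(
        'https://api.pwnedpasswords.com/range/' . $prefix,
        array(
            'timeout' => 5,
            // Ask the API to pad responses so the number of real matches in a
            // range cannot be inferred from the response size.
            'headers' => array('Add-Padding' => 'true'),
        )
    );

    if (is_wp_error($response) || 200 !== wp_remote_retrieve_response_code($response)) {
        // Assumption for this example: fail open on a network or API error so an
        // outage cannot lock users out; the length rule above still applies.
        return null;
    }

    // Each line is "HASHSUFFIX:COUNT"; padding entries carry a count of 0.
    foreach (preg_split('/\r?\n/', wp_remote_retrieve_body($response)) as $line) {
        $parts = explode(':', trim($line), 2);
        if (count($parts) !== 2) {
            continue;
        }
        if ($parts[0] === $suffix && (int) $parts[1] > 0) {
            return sprintf(
                'That password has appeared in %d known data breaches. Please choose another.',
                (int) $parts[1]
            );
        }
    }
    return null;
}

/**
 * Apply the check wherever WordPress lets a user choose a password:
 * profile updates / user creation, and the password reset form.
 */
function bp_validate_profile(WP_Error $errors, bool $update, $user): void {
    if (!empty($user->user_pass) && ($problem = bp_password_problem($user->user_pass))) {
        $errors->add('bp_weak_password', $problem);
    }
}
add_action('user_profile_update_errors', 'bp_validate_profile', 10, 3);

function bp_validate_reset(WP_Error $errors, $user): void {
    if (isset($_POST['pass1']) && ($problem = bp_password_problem((string) $_POST['pass1']))) {
        $errors->add('bp_weak_password', $problem);
    }
}
add_action('validate_password_reset', 'bp_validate_reset', 10, 2);
```

Whether to fail open or fail closed when the API is unreachable is a deliberate choice: failing closed is stricter but turns a third-party outage into a lockout of your own users, so the example keeps the length rule and skips only the breach lookup.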

As an added bonus, this plugin also upgrades the hashing algorithm used when storing your password in the database to a secure one-way hash created with the bcrypt algorithm.
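The following is an added example, not the plugin's own code, of how a plugin can switch WordPress to bcrypt: the stock wp_hash_password() and wp_check_password() are pluggable, so a plugin that defines them first takes precedence. Existing phpass hashes keep working and are rehashed with bcrypt the next time the user logs in. The cost value is an assumption for this example.

```php
<?php
/*
 * Added example (not the plugin's own code): replace WordPress's pluggable
 * password functions so new hashes use bcrypt, while still accepting hashes
 * created by the stock phpass hasher and upgrading them on a successful login.
 * Plugins load before wp-includes/pluggable.php, so these definitions win.
 */

const BP_BCRYPT_COST = 10; // constructed value; PHP's default, raise it as hardware allows

if (!function_exists('wp_hash_password')) {
    function wp_hash_password($password) {
        return password_hash($password, PASSWORD_BCRYPT, array('cost' => BP_BCRYPT_COST));
    }
}

if (!function_exists('wp_check_password')) {
    function wp_check_password($password, $hash, $user_id = '') {
        global $wp_hasher;

        // Hash already produced by password_hash(): verify, and rehash if the
        // stored cost no longer matches the configured one.
        if (0 === strpos($hash, '$2y$')) {
            $check = password_verify($password, $hash);
            if ($check && $user_id
                && password_needs_rehash($hash, PASSWORD_BCRYPT, array('cost' => BP_BCRYPT_COST))) {
                wp_set_password($password, $user_id);
            }
            return apply_filters('check_password', $check, $password, $hash, $user_id);
        }

        // Plain MD5 hash from a very old install.
        if (strlen($hash) <= 32) {
            $check = hash_equals($hash, md5($password));
        } else {
            // Legacy phpass hash ($P$...): verify with the stock hasher.
            if (empty($wp_hasher)) {
                require_once ABSPATH . WPINC . '/class-phpass.php';
                $wp_hasher = new PasswordHash(8, true);
            }
            $check = $wp_hasher->CheckPassword($password, $hash);
        }

        // Transparent upgrade: the plaintext is available only at login time,
        // so this is the moment to store a bcrypt hash in its place.
        if ($check && $user_id) {
            wp_set_password($password, $user_id);
        }
        return apply_filters('check_password', $check, $password, $hash, $user_id);
    }
}
```

Because the upgrade happens on login, users who never log in keep their old hash; a migration of those accounts is impossible without the plaintext, which is exactly why a one-way hash is the right design.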

Download Better Passwords from WordPress.org

Better Headers

Improve the security of your website by easily setting HTTP response headers to enable browser protection.

This plugin does not make any changes to your server configuration, such as the .htaccess file, but instead sends the headers as part of the WordPress page response. The reason for this is that many of these headers are not valid for assets such as stylesheets and images, yet they are sent for those assets anyway if the server configuration method is used.

Unlike many security plugins, these headers are also sent for your admin panel, where security is arguably the most important.

Headers that can be set include…

  • Feature-Policy
  • Referrer-Policy
  • Strict-Transport-Security
  • X-Frame-Options
  • X-Content-Type-Options
  • X-XSS-Protection
  • X-Permitted-Cross-Domain-Policies
  • Expect-CT
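The following is an added example, not the plugin's own code, showing how the headers listed above can be sent from PHP on front-end, login and admin responses rather than from .htaccess, so they reach HTML page responses (wp-admin included) and not static assets served directly by the web server. The function names and the header values are assumptions chosen as reasonable defaults for this example.

```php
<?php
/*
 * Added example (not the plugin's own code): send security headers from PHP
 * for page responses, including wp-admin and wp-login.php. Static assets are
 * served by the web server without running WordPress, so they are unaffected.
 * All header values below are constructed defaults.
 */

function bh_security_headers(): array {
    $headers = array(
        'X-Frame-Options'                   => 'SAMEORIGIN',
        'X-Content-Type-Options'            => 'nosniff',
        'Referrer-Policy'                   => 'strict-origin-when-cross-origin',
        'X-Permitted-Cross-Domain-Policies' => 'none',
        // Honoured only by older browsers; modern ones ignore it.
        'X-XSS-Protection'                  => '1; mode=block',
        'Feature-Policy'                    => "geolocation 'none'; camera 'none'; microphone 'none'",
        'Expect-CT'                         => 'max-age=86400, enforce',
    );

    // HSTS is only meaningful on an HTTPS response (browsers ignore it over plain
    // HTTP), and a long max-age on a site that is not fully HTTPS-ready locks
    // visitors out, so it is added only when the current request is TLS.
    if (is_ssl()) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

function bh_send_headers(): void {
    if (headers_sent()) {
        return; // output has already started; headers can no longer be added
    }
    foreach (bh_security_headers() as $name => $value) {
        header($name . ': ' . $value);
    }
}

// Front-end page requests: fires inside WP::send_headers() before any output.
add_action('send_headers', 'bh_send_headers');
// wp-admin does not go through WP::send_headers(); admin_init runs before output.
add_action('admin_init', 'bh_send_headers');
// wp-login.php has its own bootstrap and its own early hook.
add_action('login_init', 'bh_send_headers');
```

Splitting the list into a function that returns headers and one that sends them keeps the policy testable in isolation and makes it easy to expose the values as settings, which is what a plugin would do instead of hard-coding them.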

Download Better Headers from WordPress.org

Better Detection

I have a third plugin in the works at the moment, designed to detect unexpected changes to the content of your website. More on this in the coming weeks!