WordPress Security Plugins

WordPress Security: How useful are security plugins really?

Meanwhile, more than 43 percent of all websites run on WordPress. This makes our favorite CMS a popular target for attacks and malware. But there's no need to panic! Because WordPress security is not witchcraft. In addition to practical security tips, today we have the three best WordPress security plugins in the bag and show you when you really need them.

Do I still need a WordPress Security plugin? We get this question regularly in support. In the following article I would like to show you what added value a security plugin has for the security of your WordPress website and when it really makes sense to use one.

In the second part, we compare the three most popular WordPress security plugins to give you a quick overview. This way, you can make a quick and targeted decision and then get back to the essentials: your business.

Why WordPress Security is so crucial

Basically, there are three main aspects why you should actively look into the security of your WordPress website and not bury your head in the sand.

#1 Your website can become unusable

A few years ago, we were still in the agency business. There were times when we had to completely redesign site because the original site had become unusable due to security problems that could have been avoided.

Now, someone who installs malware on sites is usually not interested in destroying them. After all, the attacker wants to use it to send spam, direct visitors to spam websites, embed ads or generate cryptocurrency, for example. In addition to the general restriction of your website's functionality, malware can also lead to significant performance problems.

"*" indicates required fields

I would like to subscribe to the newsletter to be informed about new blog articles, ebooks, features and news about WordPress. I can withdraw my consent at any time. Please note our Privacy Policy.
This field is for validation and should not be changed.

#2 Blacklisting and crash in Google rankings

An even more serious point in this day and age is the blacklisting of the domain, especially by Google or Norton. If Google blacklists your website, in the worst case it means that your website will be removed from the Google search results.

It is possible to resubmit a scan of site after a malware attack. However, this does not guarantee that you will get back your previous rankings. Especially for important money keywords or high organic traffic, this can have serious economic consequences.

#3: Loss of data

Especially in times of GDPR, where the topic of data protection has reached a new dimension, corresponding data must be protected. While this is less of an issue on a normal company website, it is all the more dramatic on a store website if payment information is not adequately protected.

Typical threats to WordPress security

Brute force attacks on the login area
In a brute force attack, a large number of password combinations are automatically tried to gain access to the website via the /wp-admin login of WordPress. Once this has succeeded and the account on your website has admin rights, the website is almost completely in foreign hands.

Our experience at Raidboxes shows: By using a strong password and limiting login attempts, almost all malware cases can be avoided. But more about that in a moment.

Automated exploitation of security vulnerabilities
As a rule, attacks on websites are automated. WordPress websites are scanned automatically by so-called crawlers, for example for a specific plugin, which has a security vulnerability. Various security vulnerabilities can be exploited in the attacks, such as SQL injections or cross site scripting.

Manual attacks
Of course, it is also possible to exploit a security vulnerability manually. However, this is rather rare, as the effort would only be worthwhile for large WooCommerce stores, for example, where payment data is actually to be stolen.

8 Safety measures that we provide as host

Basically, specialized WordPress hosting can significantly increase the security of your website. Over the years, we have continuously expanded the Raidboxes security concept so that cases of malware have become an absolute rarity. In particular, the detailed analysis of malware cases helps to identify frequently used security vulnerabilities and prevent them with appropriate measures.

#1 Strong passwords – the most important security measure of all

One of the most important security measures of all is a strong password for all accounts. Unfortunately, as host we have only limited influence on the password assignment. Especially with moves we can only have little influence on the passwords. Enforcing a strong password when creating a Box (i.e. a new WordPress website) has led to a significant reduction in malware infestations.

WordPress Security Password Box Creation
Enforcing a strong password when creating a WordPress website has led to a significant reduction in malware infestations.

As a reminder

A password should consist of numbers, special characters and lowercase letters with a minimum length of seven characters. If this is not the case with your WordPress accounts, you should definitely take step 1 first and change your passwords immediately.

#2 Protection against brute force attacks

Almost a billion times a month websites are attacked with the brute force attacks described above. Good if your WordPress host has already taken care of this. Our Login Protection will get in front of your WordPress login area and 'blacklist' IP addresses that repeatedly try to log in with false login credentials.

In the settings of your Box you can define exactly after how many login attempts this block should take effect and how long the IPs in question are blocked. In combination with a strong password, it is practically impossible to gain access to the website this way.

#3 WP Session Eraser

According to GDPR , you should store as little data as possible. We help you with that! Our tool for more data economy - the WordPress Session Eraser - deletes the WordPress sessions of all your users from the database after a defined interval. You can set this interval in your box settings in our Dashboard for each Box individually.

#4 Default blocking of XML-RPC

XML-RPC is an interface that is available on every WordPress website since WordPress 3.5. Since the vast majority of webmasters do not use XML-RPC anyway, it makes sense to disable this interface. Because: Via XML-RPC hackers can directly attack your site .

For this reason, the interface is now blocked by default in our company and can be enabled if required via the settings in Raidboxes Dashboard .

WordPress Security XML-RPC Blocking
That's why XML-RPC is blocked by default and can be enabled via the settings in Raidboxes Dashboard .

#5 Managed security updates from WordPress

Quite essential is of course the update of WordPress. New WordPress versions are released about every 2-3 months. Especially maintenance updates close important security gaps. These updates should be installed immediately.

Major updates usually involve major code changes, which is why incompatibilities can occur in the process. To allow enough time for the updates of themes and plugins, we always roll out major updates after 14 days on our system. Of course, we provide the latest WordPress version immediately for manual update. Of course, it is important here that you always make a backup of your site before the update!

#6 Selective write protection - WordPress Hardening measures

One focus of the iThemes Security plugin is to make WordPress more secure by protecting files. This is also selectively integrated with us. This makes it more difficult to infect elements of site and make them unusable. Here, a sensible balance must always be struck between flexibility and security. We maintain this through configuration options directly via the Raidboxes user interface.

WordPress Security Disallow File Edit
In addition, of course, we also use WordPress best case practices where they make sense. One example here is renaming the WordPress database prefix.

In addition, of course, we also use WordPress best case practices where they make sense. One example here is renaming the WordPress database prefix. This is not accessible by us via the default wp_. Renaming the wp-content folder on the other hand, as iThemes Security offers, leads to errors from experience, because plugins and themes do not cope with it.

#7 Managed plugin updates from WordPress

Now we have to close the last major gateway from attacks: not up-to-date plugins. As with WordPress itself, plugins and themes can also have security vulnerabilities. Not every update includes security features. Nevertheless: If all plugins are up to date, the probability of security vulnerabilities is significantly lower.

#8 Server-side measures

All of the above measures protect WordPress itself. Otherwise, there is of course an almost endless list of security measures that affect the server itself. This starts with Linux updates and ends with regular updates of PHP as the basis of WordPress. We take care of the automatic update of outdated PHP versions (of course with appropriate lead time and time for testing), without you having to take care of it yourself.

Disadvantages of WordPress Security Plugins

With this in mind, I would now like to briefly discuss the disadvantages of security plugins. Some of these are not insignificant, especially from a time perspective.

Set-up effort

If you think that simply installing a plugin is enough, you are wrong. Unfortunately, setting up a security plugin also requires certain knowledge.

Using the example of the plugin All-in-One Security this becomes wonderfully clear. It is one of the most popular free plugins, which uses the .htaccess file to a very large extent. However, the plugin does not even recognize if it is a NGINX server. This does not support the concept of the .htaccess file. NGINX is used in the WordPress environment because of its flexibility.

Furthermore, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures offered by plugin are less useful. In order to adequately assess the necessity of the various measures, one must inevitably familiarize oneself with the security matter.

Maintenance and perceived (in)safety

For our test, we installed several security plugins. One of the plugins automatically used a team email address stored in WordPress and started sending emails diligently. To the great delight of all team members...

Unfortunately, this is not at all uncommon. Of course, one would like to remain informed in certain respects. However, in the most frequent cases, one is pointed to things that do not represent a security risk at all. In the end, you feel more insecure than before, because you are informed about every file change, for example, and have to check in case of doubt.

Performance issues

By default, each of the plugins offers a malware or security scan. The plugin Wordfence likes to set this automatically at one hour. This means that in case of doubt, every hour (!) a scan of your site runs through an automatic script (via cronjob). Anyone who has ever installed antivirus software on their computer knows the tales of woe of sometimes massive performance problems.

This may also be a reason why "only" 2 million of over 90 million downloads remained active in the end.


For the research of this article, we have evaluated only plugins that are also available in a free version. Nevertheless, it is unfortunate that with many WordPress security plugins the really useful features cost at least $80 per year. If you do not use them, you are often left with a feeling of insecurity.

When is a WordPress Security plugin really useful?

For those who want to go the extra mile, here are a few examples of cases where a WordPress Security plugin may be useful. These recommendations only refer to specialized WordPress hosting. Since other hosters may not have security measures implemented as specifically and extensively, a WordPress Security plugin may be recommended there. As you can see, it is hardly possible to make a general statement about the usefulness of security plugins, because the requirements and circumstances are different.

Manual hacking at WooCommerce store

This is one of the few examples where we actually actively recommended a security plugin to increase the security of the online store. The WooCommerce customer had the impression that they were being attacked manually, which as described above, is very rare.

In this case he could use Wordfence and its logging function to quickly identify the corresponding IP address and then block it. The attack could thus be effectively stopped.

Vulnerable plugins

The higher the number of plugins, the higher the probability of security risks. Especially if no tool is used for updating, existing security gaps remain unnoticed in the system for a long time and provide an attack surface. Especially in WooCommerce stores, the number of plugins is usually high due to the nature of WooCommerce and the data is more sensitive at the same time. Therefore, a security plugin should be considered here.

The three best security plugins for WordPress

In the following, I would like to briefly explain why we are limiting ourselves to only three plugins and not presenting ten - or even the best 101 WordPress security plugins.

When it comes to security plugins, we limit ourselves to the top 3 WordPress plugins in the world. We have also looked at other security plugins, such as All In One WP Security & Firewall, which is the most popular purely free plugin (without premium version) with 800,000+. However, we were not convinced by the usability and partly the recommended measures here. At the same time, it is only applicable to Apache web servers.

It's about the last meters

Since we see the plugins more as a supplement to an already secure WordPress hosting, the aim is to cover the last 0.1 percent security risk. Thus, we limit ourselves to the professional plugins, which have a very high distribution.

But also for other, non-specialized hosters this selection of plugins has a high relevance. Here you should deal more intensively with the topic of WordPress security anyway.

Quick decision support

At the same time, it is important to us to provide a quick decision-making aid. In our opinion, this is possible with a representation of ten plugins no longer possible, because in the end all ten plugins need to be evaluated. At three plugins with different focus, the decision is easier here.    

Limitation to all-in-one plugins

Of course, there are countless plugins, which take over great individual functions, for example, limit the login attempts (Limit Login Attempts). But also functions, which the plugins offer only in the PRO versions, can be solved via individual plugins. The best example is this plugin for 2-factor authentication.

Distribution and data are important for firewalls

Firewalls apply certain rules to detect whether someone is acting maliciously or simply visiting site . If someone tries to enter site , they are blocked. In particular, the rules are based on the knowledge of existing vulnerabilities. At the same time, networks of attackers can be better detected and blocked for all other sites when there are 2 million sites in the administration than when there are 10,000 sites. Therefore, distribution plays a role for security plugins.

Your personal favorites are welcome

This doesn't mean that there aren't other great plugins for more WordPress security. Feel free to name your personal favorites in the comments. This way we provide even more equal opportunities for new innovative approaches as well.

The three best security plugins at a glance

Website of the PluginsWordfenceiThemes SecuritySucuri
Download linkDownloadDownloadDownload
Active installations3+ million900.000+700.000+
LanguagesEnglish16 languages (also DE)English, Spanish
Tested with the latest WordPress versionYesYesto 5.3.4
Number of ratings3,5723,830338
Rating (five stars)4,84,74,4
Free versionYesYesYes
Premium (annual license)from $99from $80 $199,99
Malware removal from$286.40not offeredincluded in license

In the overview, it is clear that each of the plugins has a very high distribution and is well rated. Nevertheless Wordfence is the undisputed market leader and also well-balanced in terms of price-performance ratio. With Sucuri, you pay for the malware removal directly, but here the prices can rise to $500 per year , especially due to a faster service and more frequent scans. At Wordfence professional malware removal is offered as an optional service. So it all depends on your needs.

It is important to know that it is quite unlikely to catch malware with strong WP user passwords. In our opinion, it therefore makes little sense to purchase malware removal directly as a service.

At Wordfence you get direct access to the entire firewall spectrum in the free version, unlike iThemes Security, for example, where information from the network is only accessible in the PRO version.

An important point, which is also not to be despised: Wordfence In our example, Sucuri is the only independent provider that specializes only in WordPress security. Sucuri is now part of the GoDaddy group and iThemes was also bought by another hosting company. They are also active in various other areas, such as theme development. Behind Wordfence is exclusively the security company Defiant.

Interim summary

Our Security plugin recommendation is therefore quite clear Wordfence. The plugin offers already in the free version a comprehensive firewall and focuses on the two core topics that a WordPress security plugin should provide: A firewall and security scans.

Furthermore, it is set up quickly, kept clear and does not confuse, as happens with other plugins with too technical information.

To avoid performance problems, "Low Resource Scanning" should be used under the scan options. Since IP addresses are processed, you shouldclose an AV with Wordfence .

In the following, I will once again go into detail about the individual core areas of a WordPress security plugin in order to make the differences between the plugins clear.

The most important plugin features in comparison

Monitoring and scans

 WordfenceiThemes SecuritySucuri
security scansYesYesYes
Scheduled Security ScansPro
version only
Pro Version onlyPro Version only
Malware identificationYesYesYes
Identification of security anomaliesYesYesYes
Blacklist monitoringGoogle Safe Browsing onlyBlacklist Status CheckYes
File ChangesYesYesYes
DNS monitoringYesUnclearYes
SSL monitoringNoYesYes
Spam checkPro
version only
security logsYesYesBasic

An essential part of a WordPress security plugin is checking if the website has been compromised. Since there is no uniform use of terms and different terms and explanations are often used for the same content, it is very difficult to make a reasonable comparison. The table above should provide an overview here.

Each plugin offers a scan function

Security scans, malware identification, identification of security anomalies or file changes are often listed separately, but they mean the same thing. File comparison is used to check whether malware is present on the site . In our experience, it is quite possible that an inconspicuous test at Sucuri may nevertheless mean that malware is to be found on site , if more detailed scanning or looking into the individual files is performed.  

Malware check: Site is clean
iThemes Security makes use of Sucuri's API here.

iThemes Security simply uses the API of Sucuri. As a result, both Sucuri and iThemes give you nothing but the free site check, which can also be found on the Sucuri website.

Differences in blacklist monitoring

In addition to scans, blacklist monitoring is an important factor, especially for the ranking losses described above. Here Wordfence according to its own presentation, only checks the Google Safe Browsing status. If a website appears here, it is in principle already too late. The website will most likely be kicked out of the search results first. iThemes Security and Sucuri check several blacklists directly here. Nevertheless, the result is identical. When the website appears on the blacklists, it is already too late. It is precisely to prevent this that these scans are made.

Securi check: not blacklisted
An extended blacklist check is available at Wordfence only in the Premium version.

An extended blacklist check is only available Wordfence only available in the premium version. Here, the point of spam advertising, which can be easily recognized externally and is important for Google, is also checked.

Low relevance of DNS monitoring

We consider the features of DNS and SSL monitoring to be of little relevance. We are not aware of a single case where DNS changes or SSL changes were made in order to investigate criminal activities.

Wordfence scores with the security logs

The basis of a WordPress security plugin should be to display logins reasonably. This is given with all plugins. Wordfence goes here with its live traffic monitoring a few steps ahead. Not only logins are detected, but traffic is categorized accordingly. This way, crawler activities or human behavior can be tracked with regard to security aspects. The tool is therefore ideal for preventing manual hacks, for example.

Wordfence Live Traffic
Wordfence is a few steps ahead here with its live traffic monitoring.

Conclusion in this category

The scan quality is difficult to judge and would need to be evaluated through test cases. iThemes Security and Sucuri have better blacklist monitoring. However, the scan should prevent site from being blacklisted anyway. When it comes to monitoring, the live traffic feature of Wordfence is a big plus.

Protection in combination with firewalls

 WordfenceiThemes SecuritySucuri
Web Application Firewall (WAF)Restricted404 DetectionYes
Intrusion Detection System (IDS)YesNoYes
DDoS protectionNoNoYes
Brute Force ProtectionYesYesYes
Block of hacking attemptsYesPartialYes
Zero-day exploits protectionUnclearNoYes
Single side guardNoNoYes
Heuristic Correlation AlgorithmUnclearNo 
Load Balancing / FailoverNoYesYes
country blockingYesNoNo
Advanced manual blockingYesNoNo

iThemes without proper firewall

The differences between the plug-ins are particularly clear when it comes to firewalls. The approaches to the topic are fundamentally different. Strictly speaking, iThemes-Security does not use a real firewall. The 404 detection could be called a first approach. Here it is looked whether a crawler generates many 404 errors and blocked.

Sucuri including full CDN

Whereas for Wordfence you only need to install plugin to use the firewall, Sucuri requires you to change the name server or an A record in the DNS settings. Instead, it is a completely cloud-based solution, including a CDN (Content Delivery Network), which can also prevent DDoS attacks. In a DDoS attack, a botnet is often used to fire up a site with requests until the site is no longer accessible because the server gives in.

The Sucuri approach also leads to the fact that it works in contrast to Wordfence works with load balancers. Overall, Sucuri 's use of certain terms, such as "Heuristic Correlation Algorithm", is more likely to be a marketing formulation, and it is unclear whether this is an actual added value, since Wordfence presumably also works with heuristic methods. However, those who only need a CDN could also realize this for free through Cloudflare.

Wordfence with more configuration options

With Sucuri, many things run automatically and without the user's intervention. On the other hand, it seems that less can be configured here. For example, individual countries can be Wordfence you can explicitly block individual countries' IPs, and manual blocking is also possible. This is especially helpful for manual hacks.

WordPress Security measures

 WordfenceiThemes SecuritySucuri
Database backupsNoYesNo
WordPress make saferNoYesNo
hide informationNoYesNo
Write protectionNoYesNo
Password managementNoYesNo
Two Factor AuthenticationPremiumPremiumNo

iThemes Security focuses on the security measures within WordPress, as shown in the table. A total of 30 different points are worked through here, most of which make a lot of sense. Many of the points are therefore already included in our hosting.

iThemes Security is therefore a great way to add more security on WordPress level to an "insecure" generic hosting. The free version already offers extensive protection here. In the premium version, the 2-factor authentication is worth highlighting.

Since Wordfence and Sucuri focus on "shielding" the site . They are rather weak in these points.

Malware & Performance Removal

 WordfenceiThemes SecuritySucuri
Hack Cleanup & Malware RemovalA plus if you have:UntraceableA plus if you have:
Blacklist Warning RemovalA plus if you have:UntraceableA plus if you have:
Malware Removal Request LimitA plus if you have:UntraceableA plus if you have:
Automatic CleanupPartialUntraceablePartial
Security Analyst EscalationA plus if you have:UntraceableA plus if you have:
Full Website CleanupA plus if you have:UntraceableA plus if you have:
Closing the security gapsA plus if you have:UntraceableA plus if you have:
Post-Cleanup ReportA plus if you have:UntraceableA plus if you have:
Full Log and Incident ReportA plus if you have:UntraceableA plus if you have:
Root Cause Follow UpA plus if you have:UntraceableA plus if you have:

Last but not least, let's take a look at malware removal. Here the prices are similar for Sucuri and Wordfence are similar. Both charge extra for faster processing. The services offered here are identical. I could not discover a malware removal service at iThemes. Malware removal can take 2-3 hours, with large fluctuations though. Since we also perform malware removal, the prices can be classified as fair.

And what about performance?

Last but not least, a note about the performance. You would not expect this in a security plugin comparison. But since Sucuri offers a CDN and a firewall in one, there can be a performance improvement especially for international visitors. With a CDN the website is always delivered from the next server, which has advantages especially with overseas visitors. However, for a WooCommerce store with little cacheable content, it is less crucial.

"*" indicates required fields

I would like to subscribe to the newsletter to be informed about new blog articles, ebooks, features and news about WordPress. I can withdraw my consent at any time. Please note our Privacy Policy.
This field is for validation and should not be changed.


So what is the overall conclusion about WordPress security? Our personal conclusion can be summed up by the following fact: We do not use a Security plugin for our own Raidboxes website. We have never used a security plugin and never had any problems. All this, although our website has an absolutely central importance for us. However, extensive customer data is also not stored on our WordPress website. For us, the risk of performance loss due to extensive scanning measures was too high and the disadvantages outweighed the benefits.

Nevertheless, a firewall increases the security of the website. Therefore, if you have the goal of achieving maximum security and want to accept the disadvantages in terms of performance and time, you should reach for a security plugin .

Especially for WooCommerce stores or vulnerable websites, which may have already had problems with malware, a WordPress Security plugin can be useful. Our recommendation is therefore as follows:

Wordfence as the best free solution

If you want a really solid firewall with extensive monitoring, Wordfence is an excellent choice. It is not for nothing that it is the most popular WordPress security plugin in the world. The premium version complements the functionality precisely and sensibly. During implementation, it is essential to ensure that the scans are set up correctly in order to prevent performance problems.

iThemes Security for generic host

iThemes Security performs really useful security measures on the website, especially concerning WordPress itself. For websites on generic hosts, it's a great way to increase the security level without extensive scans and firewall, even in the free version.

Sucuri for CDN

If you are thinking about using a CDN anyway, and if the topic of DDoS attacks is relevant, Sucuri is recommended. The only thing that remains is the somewhat bland aftertaste of the GoDaddy group.

How much (perceived) security do you need?

How do you handle WordPress security? Do you rely on the security measures of your hoster or does only a WordPress Security plugin let you sleep peacefully? As always, we'd love to hear your comments!

Did you like the article?

With your rating you help us to improve our content even further.
Comments are disabled.