WordPress Security Plugins

WordPress Security: How useful are security plugins really?

By now, more than 43 percent of all websites run on WordPress, which makes our favorite CMS a popular target for attacks and malware. But there is no need to panic, because WordPress security is not rocket science. In addition to practical security tips, today we have the three best WordPress security plugins in the bag and show you when you really need them.

Do I still need a WordPress security plugin? We get this question regularly in support. In the following article I would like to show you what added value a security plugin brings to the security of your WordPress website and when it really makes sense to use one.

In the second part, we compare the three most popular WordPress security plugins to give you a quick overview. This way, you can make a quick and targeted decision and then get back to the essentials: your business.

Why WordPress Security is so crucial

Basically, there are three main reasons why you should actively look into the security of your WordPress website rather than bury your head in the sand.

#1 Your website can become unusable

A few years ago, we were still in the agency business. There were times when we had to completely rebuild a site because the original had become unusable due to security problems that could have been avoided.

Now, someone who installs malware on sites is usually not interested in destroying them. After all, the attacker wants to use the site to send spam, redirect visitors to spam websites, embed ads or mine cryptocurrency, for example. Besides limiting your website's functionality, malware can also cause significant performance problems.

#2 Blacklisting and crash in Google rankings

An even more serious point these days is the blacklisting of the domain, especially by Google or Norton. If Google blacklists your website, in the worst case it is removed from the Google search results.

After a malware clean-up you can request a review of the site in Google Search Console. However, this does not guarantee that you will get your previous rankings back. Especially for important money keywords or high organic traffic, this can have serious economic consequences.

#3: Loss of data

Especially since the GDPR, data protection has taken on a new dimension and personal data must be protected accordingly. On a normal company website this is less of an issue; on a store website it is all the more dramatic if customer or payment data is not adequately protected.

Typical threats to WordPress security

Brute force attacks on the login area
In a brute force attack, a large number of username and password combinations are tried automatically against the WordPress login (/wp-login.php, to which /wp-admin redirects). Once this succeeds and the account has administrator rights, the website is almost completely in foreign hands.

Our experience at Raidboxes shows: By using a strong password and limiting login attempts, almost all malware cases can be avoided. But more about that in a moment.

Automated exploitation of security vulnerabilities
As a rule, attacks on websites are automated. WordPress sites are scanned automatically by so-called crawlers, for example for a specific plugin that has a known security vulnerability, which is then exploited, for instance through SQL injection or cross-site scripting.

Manual attacks
Of course, a security vulnerability can also be exploited manually. However, this is rather rare, as the effort is only worthwhile for large WooCommerce stores, for example, where payment data is actually to be stolen.

8 security measures that we provide as a host

Basically, specialized WordPress hosting can significantly increase the security of your website. Over the years we have continuously expanded the Raidboxes security concept, so that malware cases have become an absolute rarity. In particular, detailed analysis of malware cases helps to identify frequently exploited vulnerabilities and prevent them with appropriate measures.

#1 Strong passwords – the most important security measure of all

One of the most important security measures of all is a strong password for every account. Unfortunately, as a host we have only limited influence on which passwords are chosen, especially when a site is migrated to us with its existing accounts. Enforcing a strong password when creating a Box (i.e. a new WordPress website) has led to a significant reduction in malware infections.

Screenshot: enforcing a strong password when a Box is created.

As a reminder

A password should be at least seven characters long and mix numbers, special characters and upper- and lowercase letters. Treat that as the bare minimum: length matters more than character classes, so a long, unique passphrase generated and stored by a password manager is the better target, and every account (WordPress users, SFTP, database, hosting dashboard) needs its own. If your WordPress accounts do not meet this, take step 1 first and change your passwords immediately.

#2 Protection against brute force attacks

Websites are hit by the brute force attacks described above almost a billion times a month. Good if your WordPress host has already taken care of this. Our Login Protection sits in front of your WordPress login and blacklists IP addresses that repeatedly try to log in with wrong credentials.

In the settings of your Box you define after how many failed attempts the block takes effect and how long the IPs in question stay blocked. Combined with a strong password, it is practically impossible to gain access to the website this way. Note that a botnet can spread its attempts over thousands of IPs so that no single address trips the limit; the strong password is what actually stops those, the IP block mainly keeps the noise down.
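The following is an added example, not Raidboxes' Login Protection (whose implementation the article does not show), of how such a limit can be derived from the web server's access log: a sliding-window counter of failed logins per IP. It assumes combined-format log lines in chronological order and the fact that a failed WordPress login is a POST to wp-login.php answered with 200 (the form is re-rendered), while a successful one is answered with a 302 redirect; the log lines, the threshold of five and the ten-minute window are constructed for the example.

```python
"""Sliding-window brute-force detector for the WordPress login.

Added example, not Raidboxes code. Assumptions (not from the article):
- combined-format access log lines, in chronological order;
- a failed login is a POST to /wp-login.php answered with 200 (WordPress
  re-renders the form); a successful one is answered with 302.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
198.51.100.99 - - [10/Oct/2023:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Oct/2023:13:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Oct/2023:13:16:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Oct/2023:13:24:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.99 - - [10/Oct/2023:13:32:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "python-requests/2.31"
192.0.2.1 - - [10/Oct/2023:13:55:15 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2023:13:55:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.31"
"""


def parse_line(line):
    """Return the fields we need from one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop ?redirect_to=... and the like
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    # A GET only shows the form; a POST is an attempt. 200 = form re-rendered
    # with an error message, 302 = redirect to wp-admin after success.
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-login.php")
            and rec["status"] == 200)


def find_brute_force(lines, max_failures=5, window_minutes=10):
    """Return {ip: timestamp at which the failure limit was reached}.

    max_failures and window_minutes stand in for the two knobs the article
    describes; how long the block then lasts is a separate decision.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)    # ip -> failure timestamps inside the window
    blocked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip = rec["ip"]
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:    # expire failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = rec["ts"]
    return blocked


def count_attempts(lines):
    """Failed login attempts per IP over the whole log, for reporting."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_failed_login(rec):
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    totals = count_attempts(lines)
    for ip, when in find_brute_force(lines).items():
        print(f"block {ip}: {totals[ip]} failures, limit reached at {when:%H:%M:%S}")
```

In the sample, 203.0.113.7 is blocked at its fifth failure (13:55:30); 198.51.100.99 also fails five times but spread over half an hour, so with a ten-minute window it never trips the limit, which is exactly the slow, distributed pattern a threshold alone does not catch.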

#3 WP Session Eraser

Under the GDPR's data minimization principle, you should store as little personal data as possible. We help you with that: our tool for more data economy, the WordPress Session Eraser, deletes the WordPress sessions of all your users from the database (WordPress keeps them in the usermeta table as session_tokens) after a defined interval. You can set this interval individually for each Box in your Box settings in our Dashboard.

#4 Default blocking of XML-RPC

XML-RPC is an interface that has been enabled by default on every WordPress site since version 3.5. Since the vast majority of site owners never use it, it makes sense to disable it, because it gives attackers a second door to your site: its system.multicall method lets a single HTTP request carry hundreds of login attempts (wp.getUsersBlogs with a different password each time), which bypasses naive per-request login limits, and pingback.ping makes your server fetch an attacker-chosen URL, which has been abused for DDoS reflection. Only if you rely on Jetpack or another client that publishes via XML-RPC do you still need the interface.

For this reason, the interface is blocked by default on our platform and can be enabled if required via the settings in the Raidboxes Dashboard.

Screenshot: the XML-RPC blocking setting in the Raidboxes Dashboard.
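To make the danger concrete, here is an added example (not part of the article and not Raidboxes' implementation) of what a request-level check in front of xmlrpc.php would look at: it parses the XML-RPC body, rejects pingback.ping, and limits how many calls a system.multicall may bundle, which is the amplification that turns one request into hundreds of password guesses. The request bodies, the limit of three calls and the blocked-method list are constructed for the example.

```python
"""Inspect an XML-RPC request body before it reaches WordPress.

Added example, not code from the article or from Raidboxes. Two abuse
patterns are handled:
- system.multicall packs many wp.getUsersBlogs calls, each with another
  password, into one HTTP request, so a per-request login limit never
  sees the volume;
- pingback.ping makes the site fetch an attacker-supplied URL.
MAX_MULTICALL, BLOCKED_METHODS and the sample bodies are assumptions.
"""
import xml.etree.ElementTree as ET

BLOCKED_METHODS = {"pingback.ping"}
MAX_MULTICALL = 3     # legitimate clients batch a handful of calls, not hundreds


def method_name(root):
    el = root.find("methodName")
    return (el.text or "").strip() if el is not None else ""


def multicall_members(root):
    """Yield the methodName of every call bundled in a system.multicall.

    Wire format: one param holding an <array> of <struct>s, each with the
    members 'methodName' and 'params'.
    """
    for struct in root.iterfind("./params/param/value/array/data/value/struct"):
        for member in struct.findall("member"):
            name = member.find("name")
            if name is not None and (name.text or "").strip() == "methodName":
                value = member.find("value")
                yield "".join(value.itertext()).strip() if value is not None else ""


def inspect_xmlrpc(body):
    """Return (allow, reason) for a raw POST body sent to xmlrpc.php."""
    try:
        # For untrusted input in production use defusedxml to rule out
        # entity-expansion tricks; the stdlib parser keeps this dependency-free.
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed XML"
    if root.tag != "methodCall":
        return False, "not a methodCall"
    method = method_name(root)
    if method in BLOCKED_METHODS:
        return False, f"{method} is blocked"
    if method == "system.multicall":
        inner = list(multicall_members(root))
        blocked = [m for m in inner if m in BLOCKED_METHODS]
        if blocked:
            return False, f"multicall wraps blocked {blocked[0]}"
        if len(inner) > MAX_MULTICALL:
            return False, f"multicall with {len(inner)} calls exceeds limit {MAX_MULTICALL}"
    return True, "ok"


def _struct(method, *params):
    vals = "".join(f"<value><string>{p}</string></value>" for p in params)
    return (f"<value><struct><member><name>methodName</name><value><string>{method}</string></value></member>"
            f"<member><name>params</name><value><array><data>{vals}</data></array></value></member></struct></value>")


def multicall_body(calls):
    """Build a system.multicall body; used here only to construct sample input."""
    inner = "".join(_struct(m, *p) for m, p in calls)
    return (f'<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
            f"<params><param><value><array><data>{inner}</data></array></value></param></params></methodCall>").encode()


# Constructed samples: a guessing run hidden in one request, a pingback, a normal call.
BRUTE_FORCE_BODY = multicall_body(
    [("wp.getUsersBlogs", ("admin", pw)) for pw in ("123456", "password", "admin123", "letmein", "qwerty")])
PINGBACK_BODY = (b'<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
                 b"<params><param><value><string>http://target.example/</string></value></param>"
                 b"<param><value><string>https://blog.example/post/1</string></value></param></params></methodCall>")
SINGLE_CALL_BODY = (b'<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
                    b"<params><param><value><string>editor</string></value></param>"
                    b"<param><value><string>correct horse</string></value></param></params></methodCall>")

if __name__ == "__main__":
    for label, body in (("multicall guessing", BRUTE_FORCE_BODY),
                        ("pingback", PINGBACK_BODY),
                        ("single login", SINGLE_CALL_BODY)):
        print(label, "->", inspect_xmlrpc(body))
```

The single wp.getUsersBlogs call is allowed: one request, one guess, which the login limit from the previous section can count. The same five guesses wrapped in a multicall are one request on the wire, which is why a web server rule that only counts POSTs to xmlrpc.php misses them and why blocking the endpoint outright is the simpler answer when nothing needs it.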

#5 Managed security updates from WordPress

Keeping WordPress itself up to date is essential. New major versions appear a few times a year; the minor maintenance and security releases in between close known vulnerabilities and should be installed immediately (WordPress installs them automatically since version 3.7 unless automatic updates have been switched off).

Major updates usually involve larger code changes, so incompatibilities with themes and plugins can occur. To give theme and plugin authors time to catch up, we roll out major updates on our system after 14 days; the latest WordPress version is of course available immediately for a manual update. Either way, always take a backup of your site before updating!

#6 Selective write protection - WordPress Hardening measures

One focus of the iThemes Security plugin is to harden WordPress by protecting files. We integrate this selectively as well, which makes it harder to infect parts of the site and render it unusable. A sensible balance between flexibility and security always has to be struck, and we maintain it through configuration options directly in the Raidboxes user interface.

Screenshot: the Disallow File Edit option. Setting DISALLOW_FILE_EDIT in wp-config.php removes the theme and plugin editor from the admin area, so a compromised admin account cannot simply paste PHP into a theme file.

In addition, we use WordPress best practices where they make sense. One example is the database table prefix, which with us is not left at the default wp_. Keep in mind what this buys you: it only defeats injection payloads that hard-code names such as wp_users or wp_options; an attacker who can run arbitrary SQL can read the real prefix from information_schema. Renaming the wp-content folder, on the other hand, as iThemes Security offers, leads to errors in our experience, because many plugins and themes hard-code the path.
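As an added example (not Raidboxes code and not a substitute for their hosting-side settings), the following check reads a wp-config.php and reports which of the hardening points just mentioned are missing: DISALLOW_FILE_EDIT, a non-default table prefix, real secret keys instead of the installer placeholders, and WP_DEBUG switched off. The two configuration files at the bottom are constructed for the example.

```python
"""Audit a wp-config.php for common hardening constants.

Added example, not Raidboxes code. It works on the file text, so it runs
offline; the two configs at the bottom are constructed, not real sites.
PHP truthiness is not modelled: a check passes only for a bare `true`.
"""
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # what wp-config-sample.php ships with

# define('NAME', <quoted string | bare token>); the value keeps its quotes.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[\w.]+)\s*\)""")
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)


def strip_comments(text):
    """Drop whole-line comments so a commented-out define() does not count as set."""
    return "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith(("//", "#", "/*", "*")))


def parse_defines(text):
    """Map constant name -> raw value expression."""
    return dict(DEFINE_RE.findall(strip_comments(text)))


def audit_wp_config(text):
    """Return a list of findings; an empty list means every check passed."""
    defines = parse_defines(text)
    findings = []
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the theme/plugin editor stays enabled")
    m = PREFIX_RE.search(strip_comments(text))
    if m is None or m.group(1) == "wp_":
        findings.append("$table_prefix is the default wp_")
    for key in SALT_KEYS:
        val = defines.get(key)
        if val is None or PLACEHOLDER in val or len(val.strip("'\"")) < 32:
            findings.append(f"{key} is missing, a placeholder, or too short")
    if defines.get("WP_DEBUG") == "true":
        findings.append("WP_DEBUG is true: errors and file paths are shown to visitors")
    return findings


# Constructed sample configs (not real sites).
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
""" + "\n".join(f"define( '{k}', '{PLACEHOLDER}' );" for k in SALT_KEYS) + """
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
"""

HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'k7pq_';
""" + "\n".join(f"define( '{k}', 'constructed-example-value-{k}-not-random-0123456789' );"
                for k in SALT_KEYS) + """
define( 'WP_DEBUG', false );
define( 'DISALLOW_FILE_EDIT', true );
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_wp_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The commented-out define in the weak config is the case this kind of check has to get right: a grep for DISALLOW_FILE_EDIT would report it as present, the audit correctly reports it as missing.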

#7 Managed plugin updates from WordPress

Now we have to close the last major gateway for attacks: outdated plugins. Like WordPress itself, plugins and themes can have security vulnerabilities. Not every update is a security fix, but if all plugins are up to date, the probability of an open, known vulnerability is significantly lower.

#8 Server-side measures

All of the measures above protect WordPress itself. Beyond that there is an almost endless list of measures on the server itself, from Linux updates to regular updates of PHP as the foundation of WordPress. We take care of automatically updating outdated PHP versions (with appropriate lead time and time for testing) so that you do not have to.

Disadvantages of WordPress Security Plugins

With this in mind, I would now like to briefly discuss the disadvantages of security plugins. Some of these are not insignificant, especially from a time perspective.

Set-up effort

If you think that simply installing a plugin is enough, you are wrong. Unfortunately, setting up a security plugin also requires certain knowledge.

The plugin All-in-One Security makes this wonderfully clear. It is one of the most popular free plugins and relies heavily on the .htaccess file. However, the plugin does not even detect whether it is running on an NGINX server, which does not read .htaccess at all, so its rules are silently ignored there. NGINX is widely used in WordPress hosting for its performance and flexibility.

Furthermore, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures the plugin offers are of little use. To assess which of them are really necessary, you inevitably have to get familiar with the subject.

Maintenance and perceived (in)safety

For our test, we installed several security plugins. One of the plugins automatically used a team email address stored in WordPress and started sending emails diligently. To the great delight of all team members...

Unfortunately, this is not uncommon at all. Of course you want to be kept informed about certain things, but most of the time you are alerted to things that pose no security risk whatsoever. In the end you feel less secure than before, because you are told about every file change, for example, and have to check each one in case of doubt.

Performance issues

By default, each of the plugins offers a malware or security scan. Wordfence likes to schedule it hourly by default. That means that in case of doubt a scan of your site runs through an automatic script (via cron job) every hour (!). Anyone who has ever installed antivirus software on their computer knows the tales of woe about sometimes massive performance problems.

This may also be one reason why "only" 2 million of over 90 million downloads remained active in the end.

Costs

For the research for this article, we only evaluated plugins that are also available in a free version. Nevertheless, it is unfortunate that with many WordPress security plugins the really useful features cost at least $80 per year. If you do not buy them, you are often left with a feeling of insecurity.

When is a WordPress Security plugin really useful?

For those who want to go the extra mile, here are a few cases where a WordPress security plugin may be useful. These recommendations refer to specialized WordPress hosting; since other hosts may not have implemented security measures as specifically and extensively, a security plugin may be more generally advisable there. As you can see, it is hardly possible to make a blanket statement about the usefulness of security plugins, because requirements and circumstances differ.

Manual hacking at WooCommerce store

This is one of the few cases where we actively recommended a security plugin to raise the security of an online store. The WooCommerce customer had the impression that they were being attacked manually, which, as described above, is rare.

In this case they could use Wordfence and its logging to quickly identify the IP address in question and block it, which effectively stopped the attack.

Vulnerable plugins

The more plugins, the higher the probability of security risks. Especially if no tool is used for updating, existing vulnerabilities stay unnoticed in the system for a long time and provide an attack surface. In WooCommerce stores in particular, the number of plugins is usually high by the nature of WooCommerce, and the data is more sensitive at the same time. So a security plugin should be considered here.

The three best security plugins for WordPress

In the following, I would like to briefly explain why we are limiting ourselves to only three plugins and not presenting ten - or even the best 101 WordPress security plugins.

When it comes to security plugins, we limit ourselves to the top three WordPress security plugins worldwide. We also looked at other security plugins such as All In One WP Security & Firewall, the most popular purely free plugin (no premium version) with 800,000+ active installations. However, we were not convinced by its usability and in part by the recommended measures, and it only applies to Apache web servers.

It's about the last meters

Since we see the plugins more as a supplement to already secure WordPress hosting, the aim is to cover the last 0.1 percent of security risk. We therefore limit ourselves to the professional plugins with a very wide distribution.

But this selection is also highly relevant for other, non-specialized hosts, where you should deal with WordPress security more intensively anyway.

Quick decision support

At the same time, it is important to us to provide a quick decision-making aid. In our opinion that is no longer possible with a presentation of ten plugins, because in the end all ten would need to be evaluated. With three plugins of different focus, the decision is easier.

Limitation to all-in-one plugins

Of course, there are countless plugins that take over individual functions very well, for example limiting login attempts (Limit Login Attempts). Functions that the all-in-one plugins offer only in their PRO versions can also be covered by individual plugins; the best example is a dedicated plugin for two-factor authentication.

Distribution and data are important for firewalls

Firewalls apply rules to decide whether a request is malicious or a normal visit; requests that match an attack pattern are blocked. The rules are largely based on knowledge of existing vulnerabilities. At the same time, networks of attackers can be detected and blocked for all other sites much better when 2 million sites are under management than when there are 10,000. Distribution therefore plays a role for security plugins.

Your personal favorites are welcome

This doesn't mean there aren't other great plugins for more WordPress security. Feel free to name your personal favorites in the comments; that also gives new, innovative approaches a fair chance.

The three best security plugins at a glance

                                     Wordfence       iThemes Security          Sucuri Security
Active installations                 3+ million      900,000+                  700,000+
Languages                            English         16 languages (incl. DE)   English, Spanish
Tested with the latest WP version    Yes             Yes                       up to 5.3.4
Number of ratings                    3,572           3,830                     338
Rating (out of five stars)           4.8             4.7                       4.4
Free version                         Yes             Yes                       Yes
Premium (annual license)             from $99        from $80                  $199.99
Malware removal                      from $286.40    not offered               included in license

The overview shows that each of the plugins has a very wide distribution and is well rated. Nevertheless, Wordfence is the undisputed market leader and also well balanced in price-performance. With Sucuri you pay for malware removal directly, but prices can rise to $500 per year, mainly for faster service and more frequent scans. At Wordfence, professional malware removal is an optional service. So it all depends on your needs.

It is important to know that with strong passwords on all WordPress accounts, an infection via the login is quite unlikely (vulnerable plugins are a separate matter, which is what the scans are for). In our opinion it therefore makes little sense to buy malware removal as a service up front.

At Wordfence you get the entire firewall spectrum in the free version, unlike iThemes Security, for example, where the network information is only available in the PRO version.

Another point not to be neglected: in our selection Wordfence is the only independent provider that specializes exclusively in WordPress security. Sucuri is now part of the GoDaddy group, and iThemes was also bought by a hosting company; both are active in other areas as well, such as theme development. Behind Wordfence is exclusively the security company Defiant.

Interim summary

Our security plugin recommendation is therefore clearly Wordfence. Already in the free version the plugin offers a comprehensive firewall and concentrates on the two core tasks a WordPress security plugin should cover: a firewall and security scans.

Furthermore, it is set up quickly, kept clear and does not confuse with overly technical information, as happens with other plugins.

To avoid performance problems, enable "Low Resource Scanning" in the scan options. Since Wordfence processes visitors' IP addresses, you should also conclude a data processing agreement (Auftragsverarbeitung, AV) with the vendor for GDPR purposes.

In the following, I will once again go into detail about the individual core areas of a WordPress security plugin in order to make the differences between the plugins clear.

The most important plugin features in comparison

Monitoring and scans

                                  Wordfence                   iThemes Security         Sucuri
Security scans                    Yes                         Yes                      Yes
Scheduled security scans          Pro version only            Pro version only         Pro version only
Malware identification            Yes                         Yes                      Yes
Identification of anomalies       Yes                         Yes                      Yes
Blacklist monitoring              Google Safe Browsing only   Blacklist status check   Yes
File changes                      Yes                         Yes                      Yes
DNS monitoring                    Yes                         Unclear                  Yes
SSL monitoring                    No                          Yes                      Yes
Notifications                     Yes                         Yes                      Yes
Spam check                        Pro version only            Yes                      Yes
Security logs                     Yes                         Yes                      Basic

An essential part of a WordPress security plugin is checking whether the website has been compromised. Since the terms are not used uniformly and different terms and explanations are often used for the same thing, a reasonable comparison is difficult. The table above should provide an overview.

Each plugin offers a scan function

Security scans, malware identification, identification of security anomalies and file changes are often listed separately, but they mean the same thing: a file comparison is used to check whether malware is present on the site. In our experience, a clean result from Sucuri's remote check does not rule out that malware turns up once the individual files are scanned more closely.

Screenshot: malware check, site is clean.

iThemes Security simply uses Sucuri's API. As a result, both Sucuri and iThemes give you nothing more than the free site check that is also available on the Sucuri website.

Differences in blacklist monitoring

In addition to scans, blacklist monitoring is an important factor, especially for the ranking losses described above. Here Wordfence, by its own account, only checks the Google Safe Browsing status. If a website appears there, it is in principle already too late: it will most likely be dropped from the search results first. iThemes Security and Sucuri check several blacklists directly, yet the outcome is the same: once a site is on the blacklists, it is too late. It is precisely to prevent this that the scans exist.

Screenshot: Sucuri check, not blacklisted.

An extended blacklist check is available at Wordfence only in the premium version. It also checks for spam advertising, which is easy to spot from outside and matters to Google.

Low relevance of DNS monitoring

We consider DNS and SSL monitoring to be of little relevance; we are not aware of a single case where DNS or certificate changes were made in the course of criminal activity. Such changes do occur when the registrar or DNS provider account is taken over, but that is a different attack surface from the WordPress installation and is better protected with two-factor authentication on those accounts.

Wordfence scores with the security logs

The basis of a WordPress security plugin should be to show login activity properly, and all plugins do this. Wordfence goes a few steps further with its live traffic monitoring: not only logins are recorded, but all traffic is categorized, so crawler activity and human behavior can be followed from a security angle. This makes the tool ideal for catching manual attacks early, for example.

Screenshot: Wordfence Live Traffic.

Conclusion in this category

Scan quality is hard to judge and would have to be evaluated with test cases. iThemes Security and Sucuri have better blacklist monitoring, but the scans should keep the site off the blacklists in the first place. When it comes to monitoring, Wordfence's live traffic feature is a big plus.

Protection in combination with firewalls

                                    Wordfence     iThemes Security     Sucuri
Web application firewall (WAF)      Restricted    404 detection only   Yes
Intrusion detection system (IDS)    Yes           No                   Yes
DDoS protection                     No            No                   Yes
Brute force protection              Yes           Yes                  Yes
Blocking of hacking attempts        Yes           Partial              Yes
Zero-day exploit protection         Unclear       No                   Yes
Single side guard                   No            No                   Yes
Heuristic correlation algorithm     Unclear       No                   Yes
Load balancing / failover           No            Yes                  Yes
Country blocking                    Yes           No                   No
Advanced manual blocking            Yes           No                   No

iThemes without proper firewall

The differences between the plugins are clearest when it comes to firewalls; the approaches differ fundamentally. Strictly speaking, iThemes Security has no real firewall. Its 404 detection could be called a first step: it watches whether a client generates many 404 errors and blocks it.

Sucuri including full CDN

Whereas with Wordfence you only need to install the plugin to use the firewall, Sucuri requires you to change the name servers or an A record in your DNS settings, because it is a completely cloud-based solution including a CDN (content delivery network), which can also absorb DDoS attacks. In a DDoS attack, a botnet typically floods a site with requests until the server can no longer cope and the site becomes unreachable. One caveat with any DNS-routed firewall: the origin server must accept web traffic only from the provider's IP ranges, otherwise anyone who learns the origin address (old DNS records, certificate transparency logs, outbound mail headers) can bypass the firewall entirely.

Sucuri's approach also means that, unlike Wordfence, it works with load balancers. Overall, some of Sucuri's terms, such as "Heuristic Correlation Algorithm", look more like marketing, and it is unclear whether this is real added value, since Wordfence presumably also works with heuristics. Those who only need a CDN can get one for free from Cloudflare.

Wordfence with more configuration options

With Sucuri, many things run automatically without user intervention; on the other hand, less seems to be configurable. With Wordfence, for example, you can explicitly block IPs from individual countries, and manual blocking is also possible, which is especially helpful against manual attacks.

WordPress Security measures

                             Wordfence    iThemes Security    Sucuri
Database backups             No           Yes                 No
WordPress hardening          No           Yes                 No
Hiding information           No           Yes                 No
Write protection             No           Yes                 No
Password management          No           Yes                 No
Two-factor authentication    Premium      Premium             No

iThemes Security focuses on security measures within WordPress, as the table shows. A total of 30 different points are worked through, most of which make a lot of sense; many of them are therefore already part of our hosting.

iThemes Security is therefore a great way to add security at the WordPress level to "insecure" generic hosting. The free version already offers extensive protection. In the premium version, the two-factor authentication is worth highlighting. (Wordfence has meanwhile made two-factor authentication available in its free version as well.)

Since Wordfence and Sucuri focus on shielding the site from outside, they are rather weak on these points.

Malware removal & performance

                                     Wordfence    iThemes Security    Sucuri
Hack cleanup & malware removal       Yes          not found           Yes
Blacklist warning removal            Yes          not found           Yes
Malware removal request limit        Yes          not found           Yes
Automatic cleanup                    Partial      not found           Partial
Security analyst escalation          Yes          not found           Yes
Full website cleanup                 Yes          not found           Yes
Closing the security gaps            Yes          not found           Yes
Backups                              No           not found           Yes
Post-cleanup report                  Yes          not found           Yes
Full log and incident report         Yes          not found           Yes
Root cause follow-up                 Yes          not found           Yes

Last but not least, a look at malware removal. Here the prices at Sucuri and Wordfence are similar, and both charge extra for faster processing; the services offered are identical. I could not find a malware removal service at iThemes. Malware removal can take 2-3 hours, with large fluctuations. Since we also perform malware removal ourselves, we can classify the prices as fair.

And what about performance?

Last but not least, a note on performance, which you would not expect in a security plugin comparison. But since Sucuri combines a CDN and a firewall, there can be a performance gain, especially for international visitors: with a CDN the website is delivered from the nearest edge server, which helps above all with overseas visitors. For a WooCommerce store with little cacheable content, however, it matters less.

Conclusion

So what is the overall conclusion on WordPress security? Our personal conclusion can be summed up in one fact: we do not use a security plugin for our own Raidboxes website. We have never used one and never had any problems, even though our website is absolutely central for us. However, our WordPress site also stores no extensive customer data. For us, the risk of performance loss from extensive scanning was too high and the disadvantages outweighed the benefits.

Nevertheless, a firewall does increase the security of a website. So if your goal is maximum security and you accept the disadvantages in performance and time, reach for a security plugin.

Especially for WooCommerce stores or vulnerable websites, which may have already had problems with malware, a WordPress Security plugin can be useful. Our recommendation is therefore as follows:

Wordfence as the best free solution

If you want a really solid firewall with extensive monitoring, Wordfence is an excellent choice. It is not for nothing the most popular WordPress security plugin in the world, and the premium version complements it precisely and sensibly. When setting it up, make sure the scans are configured correctly to prevent performance problems.

iThemes Security for generic host

iThemes Security performs really useful hardening on the website, especially concerning WordPress itself. For websites on generic hosts, it is a great way to raise the security level without extensive scans and a firewall, even in the free version.

Sucuri for CDN

If you are thinking about using a CDN anyway and DDoS attacks are a relevant concern, Sucuri is recommended. What remains is the slightly unpleasant aftertaste of the GoDaddy group.

How much (perceived) security do you need?

How do you handle WordPress security? Do you rely on your host's security measures, or does only a WordPress security plugin let you sleep soundly? As always, we'd love to hear your comments!