WordPress Security: How Useful Are Security Plugins Really?

Johannes Benz Last updated 11.03.2021

By now, over 38 percent of all websites run on WordPress. This makes our favorite CMS a popular target for hackers and malware. But there's no need to panic, because WordPress security is not witchcraft. In addition to practical security tips, today we have the three best WordPress security plugins for you and show you when you really need one.

Do I still need a security plugin? We get this question regularly in support. In the following article I would like to show you what added value a security plugin has for the security of your WordPress site and when it really makes sense to use one.

In the second part, we compare the three most popular WordPress security plugins to give you a quick overview. This way, you can make a targeted and quick decision and then devote yourself to the essentials: your business.

Why WordPress security is so crucial

Basically, there are three essential reasons why you should actively deal with the security of your WordPress site and not bury your head in the sand.

#1 Your website can become unusable

A few years ago, we were still in the agency business. There were times when we had to completely rebuild a site because the original site had become unusable due to security problems that could have been avoided.

Now, someone who installs malware on a site is usually not interested in destroying it. After all, the attacker wants to use it to send spam, redirect visitors to other sites, embed ads or generate cryptocurrency, for example. In addition to generally restricting the functionality of your site, malware can also lead to considerable performance problems.

#2 Blacklisting and crash in Google rankings

An even more serious issue these days is the blacklisting of the domain, especially by Google or Norton. If Google blacklists your website, this means in the worst case that your website will be removed from the Google search results.

It is possible to resubmit the site for a scan after a malware attack. However, this does not guarantee that you will get your previous rankings back. Especially for important money keywords or high organic traffic, this can have serious economic consequences.

#3: Loss of data

Especially in times of the GDPR, where the topic of data protection has reached a new dimension, it is important to protect the data of your users. While this is less important for a normal company website, it is all the more dramatic for a shop site if payment information is not sufficiently protected.

Typical threats to the safety of your WP site

Brute Force Attacks on the login area
In a brute force attack, a large number of password combinations are tried automatically in order to gain access to the site via the /wp-admin login of WordPress. Once this has been achieved and the WordPress user has admin rights, the website is almost completely under the control of the attacker.

Our experience at RAIDBOXES shows: By using a strong password and limiting login attempts, almost all malware cases can be avoided. But more about this in a moment.

Automated exploitation of security vulnerabilities
As a rule, attacks on websites are automated. WordPress sites are scanned automatically by so-called crawlers, for example for a specific plugin that has a security vulnerability. Various kinds of vulnerability can be exploited in these attacks, such as SQL injection or cross-site scripting.

Manual attacks
Of course, it is also possible to manually exploit a security vulnerability. However, this is rather rare, as the effort would only be worthwhile for large WooCommerce shops where, for example, payment data is actually to be stolen.

8 security measures that we provide as a host

In principle, WordPress hosting can significantly increase the security of your website. Over the years, we have continuously expanded the RAIDBOXES security concept so that cases of malware have become an absolute rarity. The detailed analysis of malware cases in particular helps to detect frequently used security holes and to prevent them with appropriate measures.

#1 Strong passwords – the most important security measure of all

One of the most important security measures is a strong password for all WordPress users. Unfortunately, we as a host have only limited influence on the choice of password. Especially with site migrations we have little influence on the passwords. Enforcing a strong password when creating a BOX (WordPress website) has led to a significant reduction in malware infestation.

As a reminder

A password should consist of numbers, special characters and lower case letters with a minimum length of seven characters. If this is not the case for your WordPress users, you should definitely do step 1 first and change your passwords immediately.

#2 Protection against Brute Force attacks

Almost a billion times a month, websites are attacked with the brute force attacks described above. It is good if your WordPress host has already taken care of this. Our RB Login Protector sits in front of your WP login area and 'blacklists' IP addresses that repeatedly try to log in with wrong login credentials.

In the settings of your BOX you can define exactly after how many login attempts this block should take effect and how long the relevant IPs are blocked. In combination with a strong password, it is practically impossible to gain access to the website in this way.

#3 WP Session Eraser

According to the GDPR, you should store as little data as possible. We help you with that! Our tool for more data economy, the WordPress Session Eraser, deletes the WordPress sessions of all your users from the database after a defined interval. You can set this interval individually for each BOX in your BOX settings in our dashboard.

#4 Default blocking of XML-RPC

XML-RPC is an interface that has been available on every WP site since WordPress 3.5. Since the vast majority of webmasters do not use XML-RPC anyway, it makes sense to deactivate this interface, because hackers can attack your site directly via XML-RPC.

For this reason, XML-RPC is now blocked by default and can be unblocked via the settings in the RAIDBOXES dashboard.

#5 Managed security updates from WordPress

Of course, updating WordPress is very important. New WordPress versions are published every 2-3 months. Maintenance updates in particular close important security gaps. These updates should be installed immediately.

Major updates usually involve major code changes, which is why incompatibilities can occur. In order to give the Theme and Plugin manufacturers enough time, we always roll out major updates on our system after 14 days. Of course we provide the latest WordPress version immediately for manual update. Of course, it is important that you always make a backup of your site before updating!

#6 Selective write protection - WordPress Hardening measures

One focus of the security plugin iThemes Security is to make WordPress more secure by protecting files. We have also integrated this selectively. It makes it more difficult to infect parts of the site and make them unusable. A sensible balance must always be struck here between flexibility and security. We maintain this through configuration options directly in the RAIDBOXES user interface.

In addition, we also use WordPress best practices where they make sense. One example is renaming the prefix of the WordPress database, so that it can no longer be reached via the standard wp_ prefix. Renaming the wp-content folder, on the other hand, as done by iThemes Security, has been shown to lead to errors, since plugins and themes do not know how to handle it.

#7 Managed Plugin-Updates from WordPress

Now we have to close the last major gateway for attacks: outdated plugins. As with WordPress itself, there can also be security gaps in the plugins and themes around the system. Not every update includes security fixes. Nevertheless, if all plugins are up to date, the probability of security holes is much lower.

Since this feature in particular saves a lot of time, it is included in our Fully Managed plan for 30 Euro (net). As a reader of this blog article you can take advantage of the plan permanently for only 20 Euro at the following link during checkout: Fully Managed special.

#8 Server-side measures

All of the above measures protect WordPress itself. In addition, there is of course an almost endless list of security measures that affect the server itself. This starts with Linux updates and ends with the regular update of PHP as the basis of WordPress. We take care of the automatic update of outdated PHP versions (of course with appropriate lead time and time for testing) without you having to take care of it yourself.

Disadvantages of Security Plugins

Having outlined this, I would now like to briefly discuss the disadvantages of security plugins. Some of these are not insignificant, especially in terms of time.

Set-up effort

Anyone who thinks that simply installing a plugin is all it takes is wrong. Unfortunately, setting up a security plugin requires a certain amount of knowledge.

The plugin All-in-One-Security is a very clear example of this. It is one of the most popular free plugins and uses the .htaccess file to a very large extent. However, the plugin does not even detect whether it is running on an NGINX server. NGINX does not support the concept of .htaccess and is used in the WordPress environment because of its flexibility.

Furthermore, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures offered by the plugin are less useful. In order to adequately assess the necessity of the various measures, one must inevitably familiarize oneself with the subject of security.

Maintenance and perceived (in)safety

For our test we installed different security plugins. One of the plugins automatically used a team e-mail address stored in the WordPress system and started diligently sending e-mails. To the great delight of all team members...

Unfortunately, this is not at all uncommon. Of course, one would like to remain informed in certain respects. However, in most cases one is pointed to things that do not represent a security risk at all. In the end, you feel more insecure than before, because you are informed about every file change, for example, and have to check in case of doubt.

Performance problems

By default, each of the plugins offers a malware or security scan. The Wordfence plugin likes to schedule these hourly. This means that in case of doubt a scan of your site runs every hour (!) through an automatic script (via cronjob). Anyone who has ever installed antivirus software on their computer knows the tales of woe about sometimes massive performance problems.

This may also be a reason why "only" 2 million of over 90 million downloads remained active in the end.

Costs

For the research for this article we only looked at plugins that are also available in a free version. Nevertheless, it is unfortunately the case that with many WordPress security plugins the really useful features cost at least $80 a year. If you don't use them, there is often a feeling of uncertainty.

When does a WordPress security plugin really make sense?

For those who want to go the extra mile, here are a few examples of cases where a plugin may be useful for WordPress security. These recommendations only apply to specialized WordPress hosting. Since other providers may not have implemented security measures as specifically and extensively, a security plugin may be recommended there in general. As you can see, it is hardly possible to make a general statement about the usefulness of security plugins, as the requirements and circumstances differ.

Manual hacking of a WooCommerce shop

This is one of the few examples where we actually actively recommended a security plugin to increase the security of the online shop. The WooCommerce customer had the impression that he was being attacked manually, which, as described above, is very rare.

In this case, he was able to use Wordfence and its logging function to quickly identify the attacker's IP address and then block it. The attack could thus be effectively stopped.

Vulnerable plugins

The higher the number of plugins, the higher the probability of security risks. In particular, if no tool is used for updating, existing security gaps remain unnoticed in the system for a long time and offer an attack surface. Especially with WooCommerce shops, the number of plugins is usually inherently high and the data is also more sensitive. Therefore, a security plugin should be considered here.

The three best security plugins for WordPress

In the following I would like to briefly explain why we are limiting ourselves to only three plugins and not presenting ten - or even the best 101 WordPress security plugins.

With the security plugins we limit ourselves to the top 3 WordPress plugins worldwide. We have also looked at other security plugins, such as All In One WP Security & Firewall, which is the most popular purely free plugin (without a premium version) with 800.000+ users. However, we were not convinced by its usability and, in part, by the measures it recommends. In addition, it is only applicable to Apache web servers.

It's about the last few meters

Since we see the plugins rather as a supplement to an already secure WordPress hosting, the aim is to cover the last 0.1 percent of the security risk. We therefore restrict ourselves to the professional plugins that are very widely used.

However, this selection of plugins is also highly relevant for other, non-specialised hosts. There you should deal more intensively with the topic of WordPress security anyway.

Quick decision support

At the same time, it is important to us to provide a quick decision-making aid. In our opinion, this is no longer possible with a presentation of ten plugins, because in the end all ten plugins need to be evaluated. With three plugins that each have a different focus, the decision is easier.

Restriction to all-in-one plugins

Of course, there are countless plugins that take over great individual functions, for example limiting login attempts (Limit Login Attempts). Functions that the plugins only offer in their PRO versions can also be covered by individual plugins. The best example is this plugin for 2-factor authentication.

Distribution and data are important for firewalls

Firewalls apply certain rules to detect whether someone is acting maliciously or just visiting the site. If someone tries to break into the site, they are blocked. These rules are based in particular on the knowledge of existing security holes. At the same time, it is easier to detect networks of attackers, and block them for all other sites, with 2 million sites under management than with 10,000 sites. Therefore, distribution plays a role for security plugins.

Your personal favorites are welcome

This does not mean that there are no other great plugins for more WordPress security. Feel free to mention your personal favorites in the comments. In this way we ensure even more equal opportunities for new innovative approaches.

The three best security plugins in the overview

Plugin | Wordfence | iThemes Security | Sucuri Security
--- | --- | --- | ---
Active installations | 3+ million | 900.000+ | 700.000+
Languages | English | 16 languages (also DE) | English, Spanish
Tested with the latest WordPress version | Yes | Yes | to 5.3.4
Number of ratings | 3,572 | 3,830 | 338
Rating (five stars) | 4,8 | 4,7 | 4,4
Free version | Yes | Yes | Yes
Premium (annual license) | from $99 | from $80 | $199,99
Malware removal | from $286.40 | not offered | included in license

The overview makes it clear that each of the plugins is very widely used and well rated. Nevertheless, Wordfence is the undisputed market leader and is also balanced in terms of price-performance ratio. With Sucuri you pay for malware removal directly, but the price can rise to 500 dollars per year, especially with faster service and more frequent scans. With Wordfence, professional malware removal is offered as an optional service. So it all depends on your needs.

It is important to know that it is quite unlikely to catch malware with strong WP user passwords. In our opinion, it therefore makes little sense to purchase malware removal directly as a service.

With Wordfence you get direct access to the entire firewall spectrum in the free version, unlike, for example, with iThemes Security, where information from the network is only accessible in the PRO version.

An important point not to be sneezed at either: in our example, Wordfence is the only independent provider that specializes solely in WordPress security. Sucuri belongs to the GoDaddy group, and iThemes was also bought by another hosting company. They are also active in various other areas, such as theme development. Behind Wordfence is exclusively the security company Defiant.

Interim summary

Our security plugin recommendation is therefore quite clear: Wordfence. The plugin already offers a comprehensive firewall in the free version and concentrates on the two core functions that a security plugin should provide: a firewall and security scans.

In addition, it is quickly set up, clearly laid out and does not unsettle you with too much technical information, as is the case with other plugins.

To avoid performance problems, "Low Resource Scanning" should be used among the scan options. Since IP addresses are processed, you should conclude a data processing agreement (AV) with Wordfence.

In the following, I will go into detail about the individual core areas of a security plugin to make the differences between the plugins clear.

The most important plugin features in comparison

Monitoring and scans

Feature | Wordfence | iThemes Security | Sucuri
--- | --- | --- | ---
Security scans | Yes | Yes | Yes
Scheduled security scans | Pro version only | Pro version only | Pro version only
Malware identification | Yes | Yes | Yes
Identification of security anomalies | Yes | Yes | Yes
Blacklist monitoring | Google Safe Browsing only | Blacklist Status Check | Yes
File changes | Yes | Yes | Yes
DNS monitoring | Yes | Unclear | Yes
SSL monitoring | No | Yes | Yes
Notifications | Yes | Yes | Yes
Spam check | Pro version only | Yes | Yes
Security logs | Yes | Yes | Basic

An essential part of a security plugin is checking whether the website has been compromised. Since every plugin vendor basically uses different names for the same content and presents it differently, it is very difficult to make a reasonable comparison. The table above should provide an overview here.

Each plugin offers a scan function

Although security scans, malware identification, identification of security anomalies and file changes are often listed separately, they all amount to the same thing: files are compared to check whether malware is present on the site. In our experience, it can happen that even after an inconspicuous test result from Sucuri, malware can still be found on the site if a more detailed scan is carried out or the individual files are looked at.

iThemes Security simply uses the API of Sucuri. As a result, with both Sucuri and iThemes you get nothing but the free site check, which can also be found on the Sucuri website.

Differences in blacklist monitoring

In addition to scans, blacklist monitoring is an important factor, especially with regard to the ranking losses described above. According to its own description, Wordfence only checks the Google Safe Browsing status. If a website shows up there, it is basically already too late: the website will most likely be thrown out of the search results first. iThemes Security and Sucuri check several blacklists directly. The result is still the same: if the website appears on the blacklists, it is already too late. The scans are made precisely to prevent this.

An extended blacklist check is only available in the Premium version of Wordfence. It also checks for spam advertising, which can be easily recognized externally and is important for Google.

Low relevance of DNS monitoring

We consider the features of DNS and SSL monitoring to be of little relevance. We are not aware of a single case where DNS changes or SSL changes were made in order to investigate criminal activities.

Wordfence scores with the security logs

The basis of a security plugin should be to display logins in a sensible way. This is the case with all of the plugins. Wordfence goes a few steps further with its live traffic monitoring. Not only are logins recognized, but traffic is also categorized accordingly. In this way, crawler activity and visitor behaviour can be tracked with regard to security aspects. The tool is therefore ideal for preventing manual hacks, for example.

Conclusion in this category

The scan quality is difficult to judge and would have to be evaluated through test cases. iThemes Security and Sucuri have better blacklist monitoring. However, the scan should prevent the site from being blacklisted anyway. When it comes to monitoring, the live traffic feature of Wordfence is a big plus.

Protection in combination with firewalls

Feature | Wordfence | iThemes Security | Sucuri
--- | --- | --- | ---
Web Application Firewall (WAF) | Restricted | 404 detection | Yes
Intrusion Detection System (IDS) | Yes | No | Yes
DDoS protection | No | No | Yes
Brute force protection | Yes | Yes | Yes
Block of hacking attempts | Yes | Partial | Yes
Zero-day exploits protection | Unclear | No | Yes
Single side guard | No | No | Yes
Heuristic Correlation Algorithm | Unclear | No |
Load balancing / failover | No | Yes | Yes
Country blocking | Yes | No | No
Advanced manual blocking | Yes | No | No

iThemes without proper firewall

When it comes to firewalls, the differences between the plugins are particularly clear. The approaches to the topic are fundamentally different here. Strictly speaking, iThemes Security does not use a real firewall. You could call the 404 detection a first step in that direction: it checks whether a crawler generates many 404 errors and, if so, blocks it.
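The threshold-and-lockout logic behind login limiting (see "#2 Protection against Brute Force attacks") and behind the 404 detection described above can be tried out on web server log lines. This is an added example, not code from RAIDBOXES, iThemes or any plugin; the log lines are constructed, the limits are arbitrary, and counting a POST to /wp-login.php answered with status 200 as a failed login is an assumed heuristic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (documentation IP ranges, invented requests).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [11/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
198.51.100.20 - - [11/Mar/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [11/Mar/2021:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [11/Mar/2021:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
198.51.100.20 - - [11/Mar/2021:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [11/Mar/2021:10:01:00 +0000] "GET /wp-content/plugins/a/readme.txt HTTP/1.1" 404 162
192.0.2.44 - - [11/Mar/2021:10:01:01 +0000] "GET /wp-content/plugins/b/readme.txt HTTP/1.1" 404 162
192.0.2.44 - - [11/Mar/2021:10:01:02 +0000] "GET /wp-content/plugins/c/readme.txt HTTP/1.1" 404 162
192.0.2.44 - - [11/Mar/2021:10:01:03 +0000] "GET /wp-content/plugins/d/readme.txt HTTP/1.1" 404 162
192.0.2.99 - - [11/Mar/2021:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
192.0.2.99 - - [11/Mar/2021:10:08:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
192.0.2.99 - - [11/Mar/2021:10:14:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def classify(method, path, status):
    """Map a request to a counted event type, or None if it is not counted."""
    # Assumption: a failed login re-renders the form (200), a success redirects (302).
    if method == "POST" and path == "/wp-login.php" and status == 200:
        return "failed_login"
    if status == 404:
        return "not_found"
    return None

class ThresholdBlocker:
    """Block an IP for `lockout` once it reaches a limit within `window`."""

    def __init__(self, limits, window, lockout):
        self.limits = limits                  # event type -> allowed count
        self.window = window
        self.lockout = lockout
        self.events = defaultdict(deque)      # (ip, event type) -> timestamps
        self.blocked_until = {}               # ip -> end of block

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ip, ts, kind):
        """Record one event; return True if it triggers a new block."""
        if self.is_blocked(ip, ts):
            return False                      # request would already be rejected
        q = self.events[(ip, kind)]
        q.append(ts)
        while ts - q[0] > self.window:        # drop events older than the window
            q.popleft()
        if len(q) >= self.limits[kind]:
            self.blocked_until[ip] = ts + self.lockout
            q.clear()
            return True
        return False

def scan(log_text, blocker):
    """Feed log lines to the blocker; return (ip, reason, blocked_until) per block."""
    blocks = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip lines in an unexpected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        kind = classify(m["method"], m["path"].split("?")[0], int(m["status"]))
        if kind and blocker.observe(m["ip"], ts, kind):
            blocks.append((m["ip"], kind, blocker.blocked_until[m["ip"]]))
    return blocks

def run_sample():
    blocker = ThresholdBlocker(
        limits={"failed_login": 3, "not_found": 4},   # arbitrary example limits
        window=timedelta(minutes=5),
        lockout=timedelta(minutes=10),
    )
    return scan(SAMPLE_LOG, blocker)

if __name__ == "__main__":
    for ip, reason, until in run_sample():
        print(f"block {ip} ({reason}) until {until.isoformat()}")
```

The client 192.0.2.99 spaces its failed logins wider than the window and is never blocked, which is why the article pairs login limiting with strong passwords.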

Sucuri including full CDN

Whereas for Wordfence only a plugin needs to be installed to use the firewall, with Sucuri you have to change the nameserver or an A record in the DNS settings. In return, it is a completely cloud-based solution, including a CDN (content delivery network), which can also prevent DDoS attacks. In a DDoS attack, a botnet is often used to bombard a site with requests until the site is no longer accessible because the server gives in.

DDoS attacks explained

Nick Schäferhoff shows you in his article what exactly a DDoS attack is and how you can effectively prevent it.

The Sucuri approach also means that, as opposed to Wordfence, it works with load balancers. Overall, Sucuri uses more marketing terms, such as "Heuristic Correlation Algorithm", and it is unclear whether this is an actual added value, as Wordfence presumably also works with heuristic methods. However, those who only need a CDN could also implement this free of charge through Cloudflare.

Wordfence with more configuration options

With Sucuri many things run automatically and without the user's intervention. But apparently less can be configured there. With Wordfence, for example, you can explicitly block the IPs of individual countries, and manual blocking is also possible. This is especially helpful against manual hacks.

WordPress security measures

Feature | Wordfence | iThemes Security | Sucuri
--- | --- | --- | ---
Database backups | No | Yes | No
Making WordPress safer | No | Yes | No
Hide information | No | Yes | No
Write protection | No | Yes | No
Password management | No | Yes | No
Two-factor authentication | Premium | Premium | No

iThemes Security focuses on the security measures within WordPress as shown in the table. A total of 30 different points are worked through here, most of which make a lot of sense. Many of the points are therefore already included in our hosting.

iThemes Security is therefore a great way to add more security at the WordPress level to an "insecure" generic hosting. The free version already offers extensive protection. In the premium version, the 2-factor authentication deserves special mention.

Wordfence and Sucuri focus on "shielding" the site. They are rather weak on these points.

Malware removal & performance

Feature | Wordfence | iThemes Security | Sucuri
--- | --- | --- | ---
Hack Cleanup & Malware Removal | Optional | Untraceable | Optional
Blacklist Warning Removal | Optional | Untraceable | Optional
Malware Removal Request Limit | Optional | Untraceable | Optional
Automatic Cleanup | Partial | Untraceable | Partial
Security Analyst Escalation | Optional | Untraceable | Optional
Full Website Cleanup | Optional | Untraceable | Optional
Closing the security gaps | Optional | Untraceable | Optional
Backups | No | Untraceable | Yes
Post-Cleanup Report | Optional | Untraceable | Optional
Full Log and Incident Report | Optional | Untraceable | Optional
Root Cause Follow Up | Optional | Untraceable | Optional

Last but not least, let's look at malware removal. Here the prices at Sucuri and Wordfence are similar. For faster processing, both charge extra. The services offered here are identical. At iThemes I could not discover a malware removal service. Malware removal can take 2-3 hours, with large fluctuations though. Since we also do malware removal, we can say that the prices are fair.

And what about performance?

Last but not least, a note on performance. You would not expect this in a comparison of security plugins. But since Sucuri offers a CDN and a firewall in one, there can be a performance improvement, especially for international visitors. With a CDN the website is always delivered from the nearest server, which has advantages especially for overseas visitors. However, for a WooCommerce shop with little cacheable content, it is less crucial.

Conclusion

So what is the overall conclusion on the subject of WordPress security? Our personal conclusion can be summed up well by the following fact: we do not use a security plugin for our own RAIDBOXES site. We have never used a security plugin and have never had any problems. All this although our website is of absolutely central importance for us. However, extensive customer data is not stored on our WordPress website. For us, the risk of a loss of performance due to extensive scanning measures was too high and the disadvantages outweighed the benefits.

Nevertheless, a firewall increases the security of the website. Therefore, if you want to achieve maximum security and accept the disadvantages in terms of performance and time, you should use a security plugin.

Especially for WooCommerce shops or endangered sites, which may have had problems with malware, a WordPress security plugin can be useful. Our recommendation is therefore as follows:

Wordfence as the best free solution

If you want a really solid firewall with extensive monitoring, you are very well served with Wordfence. It is not for nothing that it is the most popular security plugin in the world. The Premium version complements the functionality very precisely and sensibly. During implementation, it is essential to ensure that the scan processes are set up correctly in order to prevent performance problems.

iThemes Security for generic hosts

iThemes Security carries out really useful security measures on the website, especially within WordPress. On a generic host it is a great way to increase the security level without extensive scans and a firewall, even in the free version.

Sucuri for people interested in a CDN

For those who are thinking about using a CDN anyway and for whom the topic of DDoS attacks is relevant, Sucuri is recommended. The only thing that remains is the somewhat bland aftertaste of the GoDaddy corporation.

How much (perceived) security do you need?

How do you handle the issue of WordPress security? Do you rely on the security measures of your host, or does only a security plugin let you sleep calmly? As always, we look forward to your comments!
