WordPress Security: How Useful Are Security Plugins Really?


Over 32 percent of all websites now run on WordPress. This makes our favorite CMS a popular target for hackers and malware. But there is no reason to panic, because WordPress security is not witchcraft. In addition to practical security tips, today we bring along the three best WordPress security plugins and show you when you really need one.

Do I even need a security plugin? This question is regularly asked in support. In the following article I would like to show you the added value of a security plugin for the security of your WordPress site and when it really makes sense to use one.

In the second part, we compare the three best WordPress security plugins to give you a quick overview. That way you can make a decision quickly and purposefully and then get back to the essentials: your business.

Why WordPress security is so crucial

Basically there are three main reasons why you should actively deal with the security of your WordPress site and not bury your head in the sand.

Point 1: Your WordPress site may become unusable

A few years ago we were still in the agency business. Back then we were asked to do a complete redesign of a site because the original site had become unusable due to security problems that could have been avoided.

Now someone who installs malware on sites usually has no interest in destroying them. After all, the attacker may want to use the site to send spam, direct visitors to spam sites, integrate ads or generate cryptocurrency. In addition to generally limiting the functionality of your website, malware can also lead to significant performance problems.

Point 2: Blacklisting and crash in Google rankings

An even more serious point today is the blacklisting of the domain, especially by Google or Norton. If Google blacklists your website, in the worst case this means that your website will be banned from Google search results.

It is possible to resubmit the site for a scan after a malware infection. However, this does not guarantee that you will get your previous rankings back. Especially with important money keywords or high organic traffic this can have serious economic consequences.

Point 3: Loss of data

Especially in times of GDPR, where the subject of data protection has reached a new dimension, it is important to protect the data of your users. While this plays a rather minor role on a normal company site, it is all the more dramatic on a shop site if payment information is not sufficiently protected.

Typical threats to the safety of your WP site

Brute Force attacks on the login area

In a brute force attack, a high number of password combinations is tried automatically to gain access to the site via the /wp-admin login of WordPress. Once this has been achieved and the WordPress user has admin rights, the website is almost entirely under the attacker's control.

Our experience at RAIDBOXES shows: By using a strong password and limiting login attempts, almost all malware cases can be avoided. But more about this in a moment.

Automated exploitation of security vulnerabilities

In general, attacks on websites are automated. WordPress sites are automatically scanned by so-called crawlers, e.g. for a specific plugin security vulnerability. Various security holes can be exploited in the attacks: SQL injection, cross-site scripting or abuse of the XML-RPC interface.

Manual Hacks

Of course, it is also possible to exploit a security hole manually. However, this is rather rare, as the effort would only be worthwhile in large WooCommerce Shops where, for example, payment data are actually to be stolen.

7 Security measures that we provide as hosters

In principle, specialized WordPress hosting significantly increases the security of your website. Over the years, the security concept has been continuously expanded, so that cases of malware have become an absolute rarity. The detailed analysis of malware cases in particular helps to identify and then close frequently used security holes.

#1 Strong passwords – the most important security measure of all

One of the most important security measures of all is a strong password for all WordPress users! Unfortunately, as a hoster we have only limited influence on password assignment. Especially when migrating sites, we have little influence on the passwords. Enforcing a strong password when creating a BOX (WordPress website) has led to a significant reduction in malware infections.

As a reminder: A password should consist of numbers, special characters and lower case letters with a minimum length of seven characters. If this is not the case for your WordPress users, you should definitely do step 1 first and change your passwords immediately.

#2 Protection against Brute Force attacks

Almost a billion times a month, websites are attacked with the brute force attacks described above. It is good if your WordPress hoster has already taken care of this. Because the plugin Limit Login Attempts is pre-installed on every website we host, brute force attacks have played no role since the beginning. If an attacker enters three incorrect passwords, their IP address is automatically blocked. In combination with a strong password, it is practically impossible to access the website this way.
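The three-strikes rule described above, replayed over web server log lines. This is an added example, not code from RAIDBOXES or from the Limit Login Attempts plugin; the 20-minute lockout, the log lines and the reading of HTTP 200 as a failed and 302 as a successful login POST are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 3                 # from the article: three wrong passwords, then the IP is blocked
LOCKOUT = timedelta(minutes=20)  # assumption: the article does not state the lockout length

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Mar/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.23 - - [12/Mar/2019:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.50 - - [12/Mar/2019:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [12/Mar/2019:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2019:10:25:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(line):
    """Return (ip, time, method, path, status), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def simulate_lockout(lines):
    """Replay login POSTs and report, per IP, failed, rejected and lockout counts."""
    failures = defaultdict(int)  # failed attempts since the last success or lockout
    blocked_until = {}           # ip -> time at which the block expires
    report = defaultdict(lambda: {"failed": 0, "rejected": 0, "lockouts": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue                      # only password submissions count
        if ip in blocked_until and ts < blocked_until[ip]:
            report[ip]["rejected"] += 1   # blocked: the password is never checked
            continue
        if status == 302:                 # assumption: redirect means successful login
            failures[ip] = 0
            continue
        failures[ip] += 1
        report[ip]["failed"] += 1
        if failures[ip] >= MAX_FAILURES:
            blocked_until[ip] = ts + LOCKOUT
            failures[ip] = 0
            report[ip]["lockouts"] += 1
    return dict(report)


def max_guesses_per_day():
    """Upper bound on password guesses one IP gets per day under this policy."""
    return MAX_FAILURES * int(timedelta(days=1) / LOCKOUT)


if __name__ == "__main__":
    for ip, counts in simulate_lockout(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
    print("max guesses per IP per day:", max_guesses_per_day())
```

Behind a CDN or reverse proxy the first log field is the proxy's address, so the client IP has to be taken from the forwarded header the proxy sets before counting per IP.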

#3 Standard blocking of XML-RPC

XML-RPC is an interface that has been available on every WP site since WordPress 3.5. Since most webmasters don't use XML-RPC anyway, it makes sense to disable this interface, because hackers can attack your site directly via XML-RPC.

For this reason, XML-RPC is now blocked by default and can be unblocked via the settings in the RAIDBOXES dashboard.

#4 Managed WordPress security updates

Of course, the most important thing is updating WordPress itself. New WordPress versions are published every 2-3 months. Maintenance updates in particular close important security holes and should be installed immediately. With major updates, you often have to weigh up what the update means for compatibility. Managed WordPress hosters therefore usually delay major updates to give plugin and theme developers time to adjust to the new version.

#5 Selective write protection – WordPress Hardening measures

One focus of the security plugin iThemes Security is to make WordPress more secure by write-protecting files. We have also integrated this selectively. This makes it more difficult to infect files of the site and make them unusable. A reasonable balance between flexibility and security must always be struck here. We maintain this balance through configuration options directly in the RAIDBOXES user interface.

In addition, we naturally also use WordPress best practices where they make sense. An example is renaming the prefix of the WordPress database, so that it is not reachable via the standard wp_. Renaming the wp-content folder, however, as iThemes Security offers, has in our experience led to errors, because plugins and themes do not cope with it.

#6 Managed WordPress plugin updates

That leaves the last major gateway for attacks to close: outdated plugins. As with WordPress itself, there can also be security gaps in the plugins and themes around the system. Not every update includes security-relevant changes. Nevertheless, if all plugins are up to date, the probability of security holes is much lower.

As this feature in particular saves a lot of time, it is included in our FULLY MANAGED plan at a price of 30 euros (net). As a reader of this blog article you can use this plan permanently for only 20 euros at the checkout under the following link: FULLY MANAGED Special.

#7 Server side measures

All the above measures protect WordPress itself. In addition, there is of course an almost endless list of security measures that affect the server itself. This starts with Linux updates and continues with regular updates of PHP as the basis of WordPress. PHP 5.6 and also 7.0 will soon no longer be supported or receive security updates. Therefore we take care of the automatic update without the customer having to worry about it.

Disadvantages of Security Plugins

Having outlined this, I would now like to briefly discuss the disadvantages of security plugins. Some of these are not insignificant, especially in terms of time.

Setup effort

Anyone who thinks that simply installing a plugin does the job is wrong. Unfortunately, setting up a security plugin requires a certain amount of knowledge.

The plugin All-in-One Security makes this very clear. It is one of the most popular free plugins and relies to a very large extent on the .htaccess file. But the plugin does not even recognize whether it is running on an NGINX server. NGINX does not support the concept of .htaccess and is used in the WordPress environment because of its flexibility.

In addition, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures offered by the plugin are less useful. In order to adequately assess the necessity of the various measures, one inevitably has to get to grips with the subject of security.

For our test we installed different security plugins. One of the plugins automatically used a team e-mail address stored in the WordPress system and diligently started sending e-mails. To the great delight of all team members...

This is unfortunately not at all uncommon. Of course, one would like to stay informed to a certain extent. However, in most cases one is alerted to things that do not pose a security risk at all. In the end, you feel more insecure than before, because you are informed about every file change, for example, and have to check it in case of doubt.
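One way to cut down the file-change noise described above is to compare two file snapshots and raise only the changes that matter. This is an added example, not how any of the plugins discussed here works; the triage rules, the plugin name "shop" and all file contents are constructed assumptions.

```python
import hashlib
from pathlib import PurePosixPath

PHP_EXT = {".php", ".phtml", ".phar"}
CORE_DIRS = ("wp-admin/", "wp-includes/")           # WordPress core directories
CORE_FILES = ("wp-config.php", "index.php", ".htaccess")
NOISY_DIRS = ("wp-content/cache/",)                 # assumption: a cache plugin writes here


def snapshot(files):
    """Map each relative path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_snapshots(old, new):
    """Return (path, kind) pairs, kind being 'added', 'removed' or 'modified'."""
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append((path, "added"))
        elif path not in new:
            changes.append((path, "removed"))
        elif old[path] != new[path]:
            changes.append((path, "modified"))
    return changes


def classify(path, kind):
    """Illustrative rules (assumptions): 'high', 'review' or 'ignore'."""
    suffix = PurePosixPath(path).suffix.lower()
    if path.startswith(NOISY_DIRS):
        return "ignore"
    if path.startswith("wp-content/uploads/"):
        # Media uploads are routine; executable code in uploads is not.
        return "high" if suffix in PHP_EXT and kind != "removed" else "ignore"
    if path.startswith(CORE_DIRS) or path in CORE_FILES:
        return "high"     # expected only while a WordPress update is running
    if suffix in PHP_EXT:
        return "review"   # plugin or theme code: fine after an update, otherwise check
    return "ignore"


def triage(old, new):
    """Group changes by level and count the ones that need no attention."""
    result = {"high": [], "review": [], "ignored": 0}
    for path, kind in diff_snapshots(old, new):
        level = classify(path, kind)
        if level == "ignore":
            result["ignored"] += 1
        else:
            result[level].append((path, kind))
    return result


# Constructed sample data: the same site before and after a day of changes.
BEFORE = snapshot({
    "wp-includes/load.php": b"core code",
    "wp-content/plugins/shop/shop.php": b"plugin 1.0",
    "wp-content/uploads/2019/03/logo.png": b"image bytes",
    "wp-content/cache/page-1.html": b"old cached page",
})
AFTER = snapshot({
    "wp-includes/load.php": b"core code plus an unexpected line",
    "wp-content/plugins/shop/shop.php": b"plugin 1.1",
    "wp-content/uploads/2019/03/logo.png": b"image bytes",
    "wp-content/uploads/2019/03/banner.jpg": b"new image",
    "wp-content/uploads/2019/03/thumb.php": b"<?php /* unexpected */",
    "wp-content/cache/page-2.html": b"new cached page",
})

if __name__ == "__main__":
    print(triage(BEFORE, AFTER))
```

Of the six changes in the sample, three are routine and only two call for immediate attention, which is the difference between a usable alert and an e-mail for every file change.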

Performance problems

By default, each of the plugins offers a malware or security scan. The plugin Wordfence likes to set this automatically to one hour. This means that, in case of doubt, a scan that runs through the site via an automatic script (cron job) takes place every hour! Anyone who has ever installed antivirus software on their computer knows the tales of woe about sometimes massive performance problems.

Under certain circumstances, this is also a reason why "only" 2 million of over 90 million downloads remained active in the end.


For the research of this article we have only looked at plugins that are also available in a free version. Nevertheless, it is unfortunately the case that with many WordPress security plugins the really useful features cost at least $80 a year. If you don't use them, there is often a feeling of uncertainty.

When does a WordPress security plugin really make sense?

For all those who still want to go the extra mile, here are a few examples where a plugin for WordPress security can make sense. These recommendations refer only to specialized WordPress hosting. Since other providers do not implement security measures as specifically and extensively, a security plugin can generally make sense there.

Manual hacking of the WooCommerce Shop

This is one of the few examples where we have actually actively recommended a security plugin to increase the security of the online shop. The WooCommerce customer had the impression that he was being attacked manually, which, as we described above, is very rare.

In this case, he was able to use Wordfence and its logging function to quickly identify the attacker's IP address and then block it. The attack was thus effectively stopped.

Vulnerable plugins

The higher the number of plugins, the higher the probability of security risks. Especially if no tool is used for updating, existing security gaps can remain in the system. With WooCommerce shops in particular, the number of plugins is usually inherently high and the data is at the same time more sensitive. For this reason, a security plugin should be considered here.

The three best security plugins for WordPress

In the following I would like to briefly explain why we are limiting ourselves to only three plugins and not presenting ten, or even the best 101, WordPress security plugins.

Other plugins were evaluated

With the security plugins we limit ourselves to the top 3 WordPress plugins worldwide. We also looked at other security plugins such as All In One WP Security & Firewall, which at 700,000+ is the most popular purely free plugin (without a premium version). However, the usability and some of the recommended measures did not convince us. In addition, it is only applicable on Apache web servers.

It's all about the last few meters

Since we see the plugins rather as a supplement to an already secure WordPress hosting, the aim is to cover the last 0.1 percent of the security risk. We therefore restrict ourselves to the professional plugins that are very widely used.

But this selection of plugins is also highly relevant for other, non-specialized hosters. There, one should deal more intensively with the topic of WordPress security anyway.

Quick decision support

At the same time, it is important to us to provide a quick decision-making aid. In our opinion, this is no longer possible with a presentation of ten plugins, because in the end all ten plugins need to be evaluated. With three plugins with different focuses, the decision is easier.

Restriction to all-in-one plugins

Of course there are countless plugins that are great at performing individual functions. Our Limit Login Attempts plugin is the best example. But functions that the plugins only offer in their PRO versions can also be covered by individual plugins. The best example is a plugin for 2-factor authentication.

Distribution and data are important with firewalls

Firewalls apply certain rules to detect whether someone is acting maliciously or just visiting the site. If someone tries to break into the site, they are blocked. The rules are based in particular on knowledge of existing security holes. At the same time, it is easier to detect networks of attackers, and block them for all other sites, with 2 million sites under management than with 10,000 sites. Therefore, distribution plays a role for security plugins.

Your personal favourites are welcome

This does not mean that there are no other great plugins for more WordPress security. Feel free to mention your personal favorites in the comments. In this way we ensure even more equal opportunities for new innovative approaches.

The three best security plugins in the overview

| Website of the plugins | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Download link | Download | Download | Download |
| Active installations | 2+ million | 900,000+ | 400,000+ |
| Languages | English | 12 languages | English, Spanish |
| Tested with the latest WordPress version | Yes | Yes | Yes |
| Number of ratings | 3280 | 3812 | 303 |
| Rating out of five stars | 4.8 | 4.7 | 4.5 |
| Free version | Yes | Yes | Yes |
| Premium from | $99 ($8.25 p.m.) | $80 ($6.67 p.m.) | $9.99 p.m. |
| Malware removal from | $179 | Not offered | $200 ($16.67 p.m.) |

In the overview it becomes clear that each of the plugins has a very high distribution and is well rated. Nevertheless, Wordfence is the undisputed market leader and also balanced in terms of price-performance ratio. At Sucuri you pay for the removal of the malware directly, but the prices here can rise to $500 a year, especially for faster service and more frequent scans. At Wordfence, professional malware removal is offered as an optional service. So here it all depends on your needs.

It is important to know that with strong WP user passwords it is quite unlikely that you will catch malware. In our opinion, it makes little sense to buy malware removal up front as a service. Conversely, in the event of a malware infection, the one-year license at Wordfence is included directly, so you would only have to pay 179 dollars for one year.

At the same time, Wordfence gives direct access to the entire spectrum of the firewall even in the free version, unlike for example iThemes Security, where information from the network is only accessible in the PRO version.

This is an important point which should not be disregarded: Wordfence is in our example the only independent supplier, which has 35 employees and specializes only in the subject of WordPress security. Sucuri now belongs to the GoDaddy Group and iThemes was also purchased by another hosting company. They are also active in various other areas, such as theme development. Behind Wordfence there is only the security company Defiant.

Interim conclusion

Our security plugin recommendation is therefore quite clear: Wordfence. The plugin already offers a comprehensive firewall in the free version and concentrates on the two core features that a security plugin should provide: a firewall and security scans.

In addition, it is quickly set up, clearly laid out and does not unsettle you with too much technical information, as is the case with other plugins.

To avoid performance problems, "Low Resource Scanning" should be used among the scan options. Since IP addresses are processed, you should conclude a data processing agreement (AV) with Wordfence.

In the following, I will go into detail about the individual core areas of a security plugin to make the differences between the plugins clear.

The most important plugin features in comparison

Monitoring and scans

| Monitoring and scans | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Security scans | Yes | Via Sucuri per click | Yes |
| Scheduled security scans | Premium only | Premium only | Premium only |
| Malware identification | Yes | Via Sucuri per click | Yes |
| Identification of security anomalies | Yes | Via Sucuri per click | Yes |
| Blacklist monitoring | Google Safe Browsing only | Via Sucuri per click | Yes |
| File changes | Yes | Via Sucuri per click | Yes |
| DNS monitoring | Yes | Unclear | Yes |
| SSL monitoring | No | Unclear | Yes |
| Spam check | Premium only | Yes | Yes |
| Security logs | Extended | Basic | Basic |

An essential part of security plugins is checking whether the website has been compromised.

Since each plugin manufacturer basically uses different names for the same content and presents it differently, it is very difficult to make a reasonable comparison. The table above should give an overview.

Each plugin offers a scan function

For example, security scans, malware identification, security anomaly identification, or file changes are often listed separately, but they mean the same thing. File matching is the process of checking whether malware is present in the files of the site. In our experience, it is quite possible that an inconspicuous test result at Sucuri can still mean that malware is found in the site's files when scanning in more detail or looking at the individual files.

iThemes Security simply uses the API of Sucuri. As a result, with both Sucuri and iThemes you get nothing but the free Sitecheck, which can also be found on the Sucuri website.

Differences in blacklist monitoring

Besides the scans, blacklist monitoring is an important factor, especially for the ranking losses described above. According to its own information, Wordfence only checks the Google Safe Browsing status here. If a website appears there, it is basically already too late. The website will most likely be thrown out of the search results first. iThemes Security and Sucuri check several blacklists directly. The result is nevertheless identical: when the website appears on the blacklists, it is already too late. It is precisely to prevent this from happening that the scans are carried out.

An extended blacklist check is only available in the premium version of Wordfence. Here, spam advertising, which is easy to recognize from the outside and important for Google, is also checked.

Low relevance of DNS monitoring

We consider the features of DNS and SSL monitoring to be of little relevance. We are not aware of a single case where DNS changes or SSL changes have been made in order to pursue criminal activities.

Wordfence scores with the Security Logs

The basis of a security plugin should be to present logins sensibly. This is a given for all the plugins. Wordfence is a few steps ahead with its Live Traffic Monitoring. Not only are logins recognized, but traffic is categorized accordingly. In this way, crawler activities or visitor behaviour can be traced with regard to security aspects. The tool is therefore ideally suited to prevent manual hacks, for example.

Conclusion in this category

The scan quality is difficult to assess and would have to be evaluated using test cases. iThemes Security and Sucuri have better blacklist monitoring. However, the scan should be used anyway to prevent the site from ending up on the blacklist. In monitoring, the live traffic feature of Wordfence is a big plus.

Protection in combination with firewalls

| | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Web Application Firewall (WAF) | Restricted | 404 detection | Yes |
| Intrusion Detection System (IDS) | Yes | No | Yes |
| DDoS protection | No | No | Yes |
| Brute force protection | Yes | Yes | Yes |
| Block of hacking attempts | Yes | Partly | Yes |
| Zero-day exploits protection | Unclear | No | Yes |
| Single side protection | No | No | Yes |
| Heuristic correlation algorithm | Unclear | No | |
| Load balancing / failover | No | Yes | Yes |
| Country blocking | Yes | No | No |
| Advanced manual blocking | Yes | No | No |

iThemes without real firewall

When it comes to firewalls, the differences between the plugins are particularly clear. The approaches to the subject are in fact fundamentally different here. Strictly speaking, iThemes Security has no real firewall. The 404 detection could be described as a first approach. It checks whether a crawler generates many 404 errors and, if so, blocks it.

Sucuri including full CDN

Whereas for Wordfence only a plugin must be installed to use the firewall, with Sucuri the name server or an A record must be changed in the DNS settings. It is a completely cloud-based solution, including a CDN (Content Delivery Network), which can also prevent DDoS attacks. In a DDoS attack, a botnet is often used to bombard a site with requests until it is no longer accessible because the server gives way.

The Sucuri approach also means that, unlike Wordfence, it works with load balancers.

Overall, certain Sucuri terms such as the "Heuristic Correlation Algorithm" are more likely to be marketing language, and it is unclear whether this is a real added value, as Wordfence probably also works with heuristic methods.

If you only need a CDN, you could also get this free of charge with Cloudflare.

Wordfence with more configuration possibilities

At Sucuri a lot of things run automatically and without the user having to do anything. But apparently less can be configured here. With Wordfence, for example, you can explicitly block IPs from individual countries, and manual blocking is also possible. This is especially helpful against manual hacks.

WordPress Security measures

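| | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Database backups | No | Yes | No |
| Making WordPress safer | No | Yes | No |
| Hide information | No | Yes | No |
| Write protection | No | Yes | No |
| Password management | No | Yes | No |
| Two-factor authentication | Premium | Premium | No |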

As shown in the table, iThemes Security focuses on the security measures within WordPress. A total of 30 different points are processed here, most of which are very useful. Many of the points are therefore already included in our hosting.

iThemes Security is therefore a great way to add more security at the WordPress level to an "insecure" generic hosting. The free version already offers extensive protection. In the premium version, the 2-factor authentication should be emphasized.

Since Wordfence and Sucuri focus on "shielding" the site, they are weak on these points.

Malware removal & performance

| | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Hack cleanup & malware removal | Optional | Not found | Optional |
| Blacklist warning removal | Optional | Not found | Optional |
| Malware removal request limit | Optional | Not found | Optional |
| Automatic cleanup | Partly | Not found | Partly |
| Security analyst escalation | Optional | Not found | Optional |
| Full website cleanup | Optional | Not found | Optional |
| Closing the security gaps | Optional | Not found | Optional |
| Backups | No | Not found | Yes |
| Post-cleanup report | Optional | Not found | Optional |
| Full log and incident report | Optional | Not found | Optional |
| Root cause follow-up | Optional | Not found | Optional |

Last but not least, let's take a look at the topic of malware removal. Here the prices at Sucuri and Wordfence are similar: Wordfence is $179 and Sucuri starts at $200. For faster processing both require an additional charge. The services offered here are identical. At iThemes I was unable to find a malware removal service. A malware removal can take 2-3 hours, with large fluctuations. Since we also perform malware removal, we can say that the prices are fair.

And what about the performance?

Last but not least, a note on performance. You would not expect this in a security plugin comparison. But since Sucuri offers a CDN and a firewall in one, there may also be a performance improvement, especially with international visitors. With a CDN, the website is always delivered from the nearest server, which has particular advantages for overseas visitors. For a WooCommerce shop with little cacheable content, however, it is of less use.

Our conclusion

What is the overall conclusion on the subject of WordPress security? Our personal overall conclusion can be summed up by the following fact: We use no security plugin for our own RAIDBOXES site. We've never had a security plugin and have never had any problems. All this although our website is of absolutely central importance to us. However, extensive customer data is not stored on our WordPress website. For us, the risk of a performance loss due to extensive scanning measures was too high and the disadvantages outweighed the benefits.

A security plugin improves security

Nevertheless, a firewall increases the security of the website. Therefore, if you want to achieve maximum security and accept the disadvantages in terms of performance and time expenditure, you should choose a security plugin.

Especially for WooCommerce Shops or endangered sites, which may have had problems with malware, a WordPress security plugin can be useful. Our recommendation is therefore as follows:

Wordfence as the best free solution

If you are looking for a really solid firewall with extensive monitoring, you are very well served with Wordfence. Not for nothing is it the most popular security plugin in the world. The premium version complements the functionality very precisely and sensibly. During implementation, care should be taken to set up the scan processes correctly to avoid performance problems.

iThemes Security for generic hosters

iThemes Security takes really sensible security measures on the WordPress website. For generic hosters in particular, it is a great way to increase the security level even in the free version without extensive scans and firewall.

Sucuri for people interested in CDN

For those who are thinking of using a CDN anyway and for whom the topic of DDoS attacks is relevant, we recommend Sucuri. The only thing that remains is the somewhat bland aftertaste of the GoDaddy corporation.

How do you handle the topic of WordPress security? Do you rely on the security measures of your hoster, or does only a security plugin let you sleep soundly? As always, I look forward to your comments!
