WordPress Security: How Useful Are Security Plugins Really?

Johannes Benz Last updated on 20.10.2020
16 Min.
WordPress  Security Security Plugins

Meanwhile over 38 percent of all websites at WordPress. This makes our favorite CMS a popular hacker and malware target. But no reason to panic! Because WordPress security is not witchcraft. In addition to practical safety tips, today we have the three best WordPress security plugins in your luggage and show you when you really need it.

Do I even need a securityPlugin? This question is regularly asked in support. In the following article I would like to show you the added value of a security solution.Plugin for the safety of your WordPress site and when it really makes sense to use one.

In the second part, we compare the three most popular WordPress -security-Pluginsto give you a quick overview. So you can make a decision quickly and purposefully and then get back to the basics: your business.

Why WordPress -Security is so crucial

Basically there are three main aspects why you should actively deal with the safety of your WordPress site and not bury your head in the sand.

#1 Your website may become unusable

A few years ago we were still in the agency business. Then it happened that we were allowed to tackle a complete redesign of onesite , because the original site had become unusable due to security problems that could have been avoided.

Now someone who installs malware on sites usually has no interest in destroying it. After all, the attacker may want to use it to send spam, direct visitors to spamsites , integrate ads or generate crypto currency. In addition to generally limiting the functionality of your site website, Malware can also lead to significant performance problems.

#2 Blacklisting and crash in Google rankings

An even more serious point in the present time is the blacklisting of the domain, especially by Google or Norton. If Google blacklists your website, in the worst case this means that your website will be banned from Google search results.

It is possible to site resubmit a scan after a Malware infection. However, this does not guarantee that you will get your previous rankings back. Especially with important money keywords or high organic traffic this can have serious economic consequences.

#3: Loss of data

Especially in times of GDPR , where the subject of data protection has reached a new dimension, it is important to protect the data of your users. While this is less important for a normal company website, it is even more dramatic for a shopsite if payment information is not sufficiently protected.

Typical threats to the safety of your WP site

Brute Force Attacks on the login area
With a Brute Force Attack a high number of password combinations are automatically tried out to gain WordPress access to the site /wp-admin login. Once this is successful and the WordPress user has admin rights, the website is almost completely in the control of the attacker.

Our experience at RAIDBOXES shows: By using a strong password and limiting login attempts, almost all malware cases can be avoided. But more about this in a moment.

Automated exploitation of security vulnerabilities
As a rule, attacks on websites are automated. WordPress sites are automatically scanned by so-called crawlers, for example, for a specific Pluginsecurity hole. Various security gaps can be exploited in the attacks, for example SQL injections , Cross-site scripting.

Manual attacks
Of course, it is also possible to manually exploit a security hole. However, this is rather rare, as the effort would only be worthwhile in large WooCommerce shops where, for example, payment data is actually to be stolen.

8 Security measures that we considerhost

In principle, it is possible to detect and prevent malware via specialized WordPress Hosting significantly increase the security of your website. Over the years, we have continuously expanded the security RAIDBOXES concept, so that cases of malware have become an absolute rarity. Especially the detailed analysis of Malware cases helps to identify frequently used security gaps and to prevent them with appropriate measures.

#1 Strong passwords – the most important security measure of all

One of the most important security measures is a strong password for all WordPress users. Unfortunately, we have host only limited influence on password assignment. Especially when moving house, we can only have little influence on the passwords. Forcing a strong password when creating a BOX (WordPress -Website ) has led to a significant reduction of malware infections.

Forcing a strong password when creating a Web WordPress page
Enforcing a strong password when creating a WordPress website has led to a significant reduction in malware infection.
As a reminder

A password should consist of numbers, special characters and lower case letters with a minimum length of seven characters. If this is not the case for your WordPress users, you should definitely do step 1 first and change your passwords immediately.

#2 Protection against Brute Force attacks

Almost a billion times a month, websites with the above Brute Force Attacks attacked. Well, if yours WordPress hoster has already taken care of. Our RB Login Protector appears in front of your WP login area and 'blacklists' IP addresses that repeatedly try to log in with incorrect login data.

In your BOXsettings you can define exactly after how many login attempts this lock should take effect and how long the respective IPs are locked out. In combination with a strong password, it is practically impossible to access the website this way.

#3 WP Session Eraser

According to it you GDPR should save as little data as possible. We will help you with that! Our tool for more data economy - the WordPress Session Eraser - deletes the WordPress sessions of all your users from the database after an interval defined by you. You can set this interval in your BOXsettings in our dashboard for each one BOX individually.

#4 Standard blocking of XML-RPC

XML-RPC is an interface that is available WP site on everyone since 3WordPress .5. Since most webmasters don't use XML-RPC anyway, it makes sense to disable this interface. Because: Via XML-RPC hackers can directly attack yourssite .

For this reason, XML-RPC is now blocked by default and can be unblocked via the settings in the RAIDBOXES dashboard.

XML-RPC blocker
For this reason, XML-RPC is now blocked by default and can be unblocked via the settings in the RAIDBOXES dashboard.

#5 Managed security updates from WordPress

Of course, the most important thing is the update of WordPress . Here, every 2-3 months new WordPress -Versions published. Especially Maintenance Updates close important security gaps. These updates should be installed immediately.

Major updates usually involve major code changes, which can lead to incompatibilities. To give the Theme- and Plugin-manufacturers enough time, we always roll out major updates on our system after 14 days. Of course we provide the latest WordPress version for manual updates immediately. Of course, it is important that you always site make a backup of yours before updating!

#6 Selective write protection - WordPress Hardening measures

One focus of the Security Plugins iThemes Security is to WordPress make it more secure by protecting files. This is also selectively integrated in our system. This makes it more difficult to infect elements of the site files and make them unusable. Here a sensible balance between flexibility and security must always be found. We maintain this balance through configuration options directly via the user RAIDBOXES interface.

Prevent file changes in WordPress
In addition we also use of course WordPress Best case practices where they make sense. An example is renaming the prefix of the WordPress -database.

In addition, we naturally also use WordPress Best case practices where they make sense. An example is renaming the prefix of the WordPress -database. This is not accessible via the standard wp_. Renaming the WP-Content folder, however, as described in iThemes Security offers, experience has shown that it leads to errors, because plugins and themes not getting along with it.

#7 Managed Plugin-Updates from WordPress

Now we have to close the last major gateway before attacks: Outdated plugins. As with WordPress itself, there can also be security gaps in plugins and themes around the system. Not every update includes security features. Nevertheless: If all plugins of them are up-to-date, the probability of security holes is much lower.

As this feature in particular saves a lot of time, it is included in our FULLY MANAGEDplan price of 30 Euro (net). As a reader of this blog article you can use it plan permanently for only 20 Euro at the checkout under the following link: FULLY MANAGED Special.

#8 Server side measures

All the above measures protect WordPress themselves. In addition, there is of course an almost endless list of security measures that affect the server itself. This starts with Linux updates and WordPress ends with regular updates of PHP as the basis of. We take care of the automatic update of outdated PHP versions (of course with the appropriate lead time and time for testing) without you having to take care of it yourself.

Disadvantages of Security Plugins

Having outlined this, I would now like to briefly discuss the disadvantages of security plugins. These are partly not insignificant, especially from time aspects.

Setup effort

Who thinks that simply installing a plugins is done, is wrong. Unfortunately, setting up a security plugins a certain amount of knowledge.

Using the example of the plugins All-in-One Security this becomes very clear. It is one of the most popular free plugins, which uses to a very large extent the .htaccess file. But this does not even plugin recognize if it is an NGINX server. This does not support the concept of .htaccess and is used in the WordPress environment because of its flexibility.

In addition, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures offered by Pluginthe offered are less useful. In order to adequately assess the necessity of the various measures, one inevitably has to deal with the security matter.

Maintenance and perceived (in)safety

For our test we have different security plugins installed. One of the plugins has automatically used a team e-mail address WordPress stored in the system and started to send e-mails diligently. To the great delight of all team members...

This is unfortunately not at all uncommon. Of course, one would like to stay informed in a certain way. However, in most cases one is pointed to things that do not pose a security risk at all. In the end, you feel more insecure than before, because you are informed about every file change, for example, and have to check in case of doubt.

Performance problems

By default, each of them offers plugins a malware or security scan. The plugin Wordfence likes to set this automatically at one hour. This means, that in case of doubt, every hour (!) a scan of yours site is run by an automatic script (via cronjob). Whoever has ever installed an antivirus software on his computer knows the tales of woe about sometimes massive performance problems.

Under certain circumstances, this is also a reason why "only" 2 million of over 90 million downloads remained active in the end.


For the research of this article we have only plugins which is also available in a free version. Nevertheless, it is unfortunately the case that with many WordPress security plugins that really useful features cost at least $ 80 a year. If you don't use them, there is often a feeling of uncertainty.

When does a WordPress -security-Plugin really make sense?

For all those who still want to go the extra mile, here are a few examples of cases where one Plugin can be useful for WordPress safety. These recommendations only apply to specialized WordPress hosting. Since other providers may not have such specific and extensive security measures in place, security may generally bePlugin recommended. You see, it is hardly possible to make a general statement about the benefits of security plugins, because the requirements and circumstances are different.

Manual Hacking at the WooCommerce-Shop

This is one of the few examples where we have actually activelyPlugin recommended a security system to increase the security of the online shop. The WooCommercecustomer had the impression that he is being attacked manually, which as described above, is very rare.

In this case, he was able to work with Wordfence and its logging function quickly identify the IP address of the attacker and then block it. The attack could thus be effectively prevented.

Vulnerable plugins

The higher the number of Plugins, the higher is also the probability of security risks . Especially if no tool is used for updating, existing security gaps remain unnoticed in the system for a long time and offer a surface for attack. Particularly in the case of WooCommerceshops, the number of vulnerabilities is Plugins usually inherent in the system and the data is also more sensitive. That is why securityPlugin should be considered here.

The three best security plugins for WordPress

In the following I would like to briefly explain why we are limiting ourselves to only three plugin sand not presenting ten - or even the best 101 WordPress security plug-ins.

With the Security plugins we limit ourselves to the TOP 3 WordPress plugins worldwide. We've also looked at other security plugins such as All In One WP Security & Firewall which with 800.000+ is the most popular purely free Plugin version (without premium version). However, the usability and partly the recommended measures did not convince us. At the same time it is only applicable on Apache web servers.

It's all about the last few meters

Since we have the plugins rather as a supplement to an already secure WordPress hosting the aim is to cover the last 0.1 percent of the security risk. We therefore restrict ourselves to the professional plugins which have a very high prevalence.

But this selection is Plugins also highly relevant for other, non-specialized hosters. Here you should anyway deal more intensively with the topic of WordPress security.

Quick decision support

At the same time, it is important to us to provide a quick decision-making aid. In our opinion, this is possible with a representation of ten plugins no longer possible, because in the end all ten plugins need to be evaluated. At three plugins with different focus, the decision is easier here.    

Restriction to All-In-One-Plugins

Of course, there are countlessPlugins, which are great for individual functions, such as limiting login attempts (Limit Login Attempts). But also functions, which are Plugins only offered in the new PRO versions, can be Plugins solved by single ones. Best example is this Plugin for 2-factor authentication.

Distribution and data are important with firewalls

Firewalls apply certain rules to detect whether someone is acting maliciously or just site visiting them. If someone tries to enter themsite , they are blocked. Especially the rules are based on the knowledge of existing security holes. At the same time, it is easier to detect networks of attackers with 2 million sites in the administration and sites block them for all others than with 10,000 sites . Therefore, distribution plays a role for security plugins.

Your personal favourites are welcome

This does not mean that there are not other great plugins ones for more WordPress safety. Feel free to mention your personal favorites in the comments. In this way we ensure even more equal opportunities for new innovative approaches.

The three best security plugins in the overview

Website of the pluginsWordfenceiThemes SecuritySucuri
Download linkDownloadDownloadDownload
Active installations3+ million900.000+700.000+
LanguagesEnglish16 languages (also DE)English, Spanish
Tested with the latest WordPress versionYesYesto 5.3.4
Number of ratings3,5723,830338
Rating (five stars)4,84,74,4
Free VersionYesYesYes
Premium (annual license)from $99from $80 up $199,99
Malware removal from$286.40not offeredincluded in the license

In the overview it becomes clear that each of them has plugins a very high distribution and is well rated. Nevertheless Wordfence the undisputed market leader and also balanced in terms of price-performance ratio. At Sucuri you pay for the removal of the malware directly, but here the prices can be reduced, especially through a faster service and more frequent scans for $500 a year rise. At Wordfence professional malware removal is called optional service offered. So this is where it all depends on your needs.

It is important to know that it is quite unlikely to catch malware with strong WP user passwords. In our opinion, it makes little sense to buy Malware removal directly as a service.

At Wordfence the free version gives you direct access to the entire spectrum of the firewall, unlike the iThemes Securitywhere information from the network is only accessible in the PROversion

This is an important point which should not be disregarded: Wordfence is in our example the single independent supplierwho specializes only in the topic of WordPress security. Sucuri meanwhile belongs to the GoDaddy Group and iThemes was also purchased by another hosting company. They are also active in various other areas, such as Themedevelopment. Behind Wordfence the security company is the only one Defiant.

Interim conclusion

Our securityPluginrecommendation is therefore quite clear Wordfence. The Plugin already offers a comprehensive firewall in the free version and concentrates on the two core topics that are important for a securityPlugin should provide: a firewall and security scans.

In addition, it is quickly set up, clearly laid out and does not unsettle, as is the case with others plugins with too much technical information.

To avoid performance problems, "Low Resource Scanning" should be used among the scan options. Since IP addresses are processed, you should use Wordfence close an AV.

In the following, I will go into detail about the individual core areas of a security plugins to highlight the differences between plugins to make it clear.

The most important plugin features in comparison

Monitoring and scans

 WordfenceiThemes SecuritySucuri
security scansYesYesYes
Scheduled Security ScansPro only
Pro version onlyPro version only
Malware identificationYesYesYes
Identification of security anomaliesYesYesYes
blacklist monitoringGoogle Safe Browsing onlyBlacklist Status CheckYes
File changesYesYesYes
DNS monitoringYesUnclearYes
SSL monitoringNoYesYes
Spam checkPro only
security logsYesYesBasic

An essential part of securityPlugins is checking whether the website has been compromised. Since every Pluginmanufacturer basically uses different names for the same content and presents it differently, it is very difficult to make a reasonable comparison. The table above should give you an overview.

Each Pluginoffers a scan function

For example, security scans, malware identification, security anomaly identification, or file modification are often listed separately, but they mean the same thing. File matching is the process of checking whether malware is site present on the file. In our experience, it is quite possible that an inconspicuous test can be performed on Sucuri can still mean that malware is found on the site file when scanning in more detail or looking at the individual files.  

Malware check: Site is clean
iThemes Security uses the API from Sucuri for this.

iThemes Security simply uses the API of Sucuri. As a result, with both Sucuri and iThemes you get nothing but the free sitecheckwhich can also be found on the Sucuri website.

Differences in blacklist monitoring

Besides the scans, blacklist monitoring is an important factor, especially for the ranking losses described above. Here checks Wordfence according to its own representation only the Google Safe Browsing Status. If a website appears here, it is basically already too late. The website will most likely be thrown out of the search results first. iThemes Security and Sucuri check several blacklists directly here. The result is nevertheless identical. If the website appears on the blacklists, it is already too late. It is precisely to prevent this from happening that these scans are made.

Securi check: not blacklisted
An extended blacklist check is Wordfence only available in the Premium Version.

An extended blacklist check is available at Wordfence only available in the Premium Version. Here, the point of spam advertising, which is easy to recognize from the outside and important for Google, is also checked.

Low relevance of DNS monitoring

We consider the features of DNS and SSL monitoring to be of little relevance. We are not aware of a single case where DNS changes or SSL changes have been made in order to pursue criminal activities.

Wordfence scores with the Security Logs

The basis of a security plugins should be to represent logins reasonably. This is important for all plugins given. Wordfence is a few steps ahead with its Live Traffic Monitoring. Not only are logins recognized, but traffic is categorized accordingly. In this way, crawler activities or visitor behaviour can be traced with regard to security aspects. The tool is therefore ideally suited to prevent manual hacks, for example.

Wordfence live traffic
Wordfence is a few steps ahead with its Live Traffic Monitoring.

Conclusion in this category

The scan quality is difficult to judge and would have to be evaluated by test cases. iThemes Security and Sucuri have better blacklist monitoring. However, the scan should in any case prevent it site from ending up on the blacklist. In monitoring, the live traffic feature of Wordfence a big plus.

Protection in combination with firewalls

 WordfenceiThemes SecuritySucuri
Web Application Firewall (WAF)Restricted404 detectionYes
Intrusion Detection System (IDS)YesNoYes
DDoS ProtectionNoNoYes
Brute Force ProtectionYesYesYes
Block of hacking attemptsYesPartlyYes
Zero-day Exploits ProtectionUnclearNoYes
Single side protectionNoNoYes
heuristic correlation algorithmUnclearNo 
Load Balancing / FailoverNoYesYes
Country BlockingYesNoNo
Advanced manual blockingYesNoNo

iThemes without real firewall

When it comes to firewalls, the differences between the two are plugins particularly clear. The approaches to the subject are in fact fundamentally different here. Strictly speaking iThemes Security no real firewall. The 404 detection approach could be described as a first approach. This checks whether a crawler generates and blocks many 404 errors.

Sucuri including full CDN

Whereas for Wordfence only one must be Plugininstalled to use the firewall, must be installed with Sucuri the name server or an A-record can be changed in the DNS settings. It is a completely cloud-based solution, including a CDN (Content Delivery Network), which can also prevent DDoS attacks. In a DDoS attack, a botnet is often used to fire up a site botnet with requests until it is site no longer accessible because the server gives way.

DDoS attacks explained

Nick Schäferhoff shows you exactly what a DDoS attack is and how you can effectively prevent it in his blog post.

The Sucuri-approach also leads to the fact that, unlike Wordfence works with load balancers. In total Sucuri certain terms such as the "Heuristic Correlation Algorithm" tend to be based on a marketing formulation and it is unclear whether this is an actual added value, as Wordfence probably also works with heuristic methods. If you only need a CDN, you could also Cloudflarerealize this free of charge.

Wordfence with more configuration possibilities

At Sucuri a lot of things run automatically and without the user having to do anything. But apparently less can be configured here. This is how you can Wordfence explicitly block individual countries IPs and manual blocking is also possible. This is especially helpful for manual hacks.

WordPress Security measures

 WordfenceiThemes SecuritySucuri
Database BackupsNoYesNo
WordPress make saferNoYesNo
hide informationNoYesNo
Write protectionNoYesNo
Password managementNoYesNo
two-factor authenticationPremiumPremiumNo

iThemes Security as shown in the table, focuses on the security measures within WordPress . A total of 30 different points are processed here, most of which are very useful. Many of the points are therefore already included in our hosting.

iThemes Security is therefore a great way to add more security at WordPress -level to an "insecure" generic hosting. The free version already offers extensive protection. In the premium version, the 2-factor authentication should be emphasized.

There Wordfence and Sucuri focus on "shielding" the site Are they rather weak on these points.

Malware & Performance Removal

 WordfenceiThemes SecuritySucuri
Hack Cleanup & Malware RemovalOptionalNot findableOptional
Blacklist Warning RemovalOptionalNot findableOptional
Malware Removal Request LimitOptionalNot findableOptional
Automatic cleanupPartlyNot findablePartly
Security Analyst EscalationOptionalNot findableOptional
Full Website CleanupOptionalNot findableOptional
Closing the security gapsOptionalNot findableOptional
BackupsNoNot findableYes
post-cleanup reportOptionalNot findableOptional
Full Log and Incident ReportOptionalNot findableOptional
Root Cause Follow UpOptionalNot findableOptional

Last but not least, let's take a look at the topic of malware removal. Here are the prices at Sucuri and Wordfence similar. For a faster processing both require an additional charge. The services offered are identical here. At iThemes I was unable to detect a malware removal service. A malware removal can take 2-3 hours, with large fluctuations. Since we also perform malware removal, the prices are fair.

And what about the performance?

Last but not least, a note on performance. You would not expect this in a securityPlugincomparison. But since Sucuri offers a CDN and a firewall in one, there may also be a performance improvement, especially with international visitors. With a CDN, the website is always delivered from the nearest server, which has particular advantages for overseas visitors. However, this is less important for a WooCommerceshop with little cacheable content.


So what is the overall conclusion on the subject of WordPress security? Our personal conclusion can be summed up well by the following fact: We use for our own RAIDBOXES -site no security-Plugin. We have neverPlugin used a security system and have never had any problems. All this, although our website has an absolutely central meaning for us. However, extensive customer data is not stored on our WordPress website. The risk of a performance loss due to extensive scanning was too high for us and the disadvantages outweighed for us.

Nevertheless, a firewall increases the security of the website. Therefore, if you want to achieve maximum security and accept the disadvantages in terms of performance and time, you should choose a securityPlugin solution.

Especially for WooCommerce Shops or endangered sites, which may have had problems with malware, a WordPress security plugin can be useful. Our recommendation is therefore as follows:

Wordfence as the best free solution

If you are looking for a really solid firewall with extensive monitoring Wordfence very well served. Not for nothing it is the most popular securityPlugin in the world. The premium version complements the functionality very precisely and sensibly. During implementation, care should be taken to set up the scan processes correctly to avoid performance problems.

iThemes Security for generic host

iThemes Security takes really reasonable security measures on the website, in particular WordPress for generic hosts it is a great way to increase the security level even in the free version without extensive scans and firewall.

Sucuri for people interested in CDN

For those who are thinking about using a CDN anyway and for whom the topic of DDoS attacks should be relevant, we recommend Sucuri recommended. The only thing that remains is the somewhat bland aftertaste of the Godaddy corporation.

How much (perceived) security do you need?

How do you handle the topic of WordPress security? Do you rely on the security measures of your hoster or do you just let a security guard sleepPlugin peacefully? As always, we are happy about your comment!

Related articles

Comments on this article

Write a comment

Your email address will not be published. Required fields are marked with * .