Over 38 percent of all websites now run on WordPress. This makes our favourite CMS a popular target for attackers and malware. But there is no need to panic, because WordPress security is not witchcraft. In addition to practical security tips, today we have the three best WordPress security plugins in the bag and show you when you really need one.
Do I still need a security plugin? We get this question regularly in support. In the following article I would like to show you what added value a security plugin brings to the security of your WordPress site, and when it really makes sense to use one.
In the second part, we compare the three most popular WordPress security plugins to give you a quick overview. This way you can make a targeted, quick decision and then devote yourself to the essentials: your business.
Basically, there are three essential reasons why you should actively deal with the security of your WordPress site rather than bury your head in the sand.
#1 Your website can become unusable
A few years ago we were still in the agency business. There were times when we had to completely rebuild a site because the original had become unusable due to security problems that could have been avoided.
Someone who installs malware on a site is usually not interested in destroying it. The attacker wants to use the site: to send spam, redirect visitors to other sites, embed ads or mine cryptocurrency, for example. Besides restricting the functionality of your site, malware can also cause considerable performance problems, because the server is now doing the attacker's work as well as yours.
#2 Blacklisting and crash in Google rankings
An even more serious issue today is the blacklisting of the domain, especially by Google or Norton. If Google blacklists your website, in the worst case your website is removed from Google search results.
After a malware infection you can clean the site and request a review. However, this does not guarantee that you will get your previous rankings back. Especially for important money keywords or high organic traffic, this can have serious economic consequences.
#3 Data protection
Especially in times of the GDPR, where data protection has reached a new dimension, it is important to protect your users' data. While this is less critical for a normal company website, it is far more serious for a shop site if payment information is not sufficiently protected.
Brute force attacks on the login area
In a brute force attack, a large number of password combinations are tried automatically to gain access to the site via the WordPress login (wp-login.php, which /wp-admin redirects to). Once this succeeds and the WordPress user has admin rights, the website is almost completely under the attacker's control: an administrator can install plugins and edit theme files, which is all the foothold malware needs.
Our experience at RAIDBOXES shows that a strong password combined with a limit on login attempts avoids almost all malware cases. More about this in a moment.
Automated exploitation of security vulnerabilities
As a rule, attacks on websites are automated. WordPress sites are scanned automatically by so-called crawlers, for example for a specific plugin that has a known security vulnerability. Various classes of vulnerability are exploited in these attacks, such as SQL injection or cross-site scripting.
Of course, a security vulnerability can also be exploited manually. However, this is rather rare, as the effort is only worthwhile for large WooCommerce shops where, for example, payment data is the actual target.
8 security measures that we provide as host
In principle, specialised WordPress hosting can significantly increase the security of your website. Over the years we have continuously expanded the RAIDBOXES security concept, so that cases of malware have become an absolute rarity. In particular, the detailed analysis of malware cases helps us to detect frequently used security holes and to prevent them with appropriate measures.
#1 Strong passwords for all WordPress users
One of the most important security measures is a strong password for all WordPress users. Unfortunately, as a host we have only limited influence on password assignment, especially for sites that are migrated to us. Enforcing a strong password when creating a BOX (a WordPress website on RAIDBOXES) has led to a significant reduction in malware infestation.
As a reminder
A password should consist of upper and lower case letters, numbers and special characters, and its length matters more than any single character class: treat seven characters as the absolute minimum, and prefer considerably longer passwords or passphrases. If this is not the case for your WordPress users, you should definitely do step 1 first and change your passwords immediately.
#2 Protection against brute force attacks
Websites are attacked with the brute force attacks described above almost a billion times a month. Good if your WordPress host has already taken care of this. Our RB Login Protector sits in front of your WP login area and blacklists IP addresses that repeatedly try to log in with wrong credentials.
In the settings of your BOX you can define exactly after how many login attempts this block takes effect and how long the IPs concerned stay blocked. Combined with a strong password, it is practically impossible to gain access to the website this way. Note that a per-IP block alone does not stop attempts distributed over many IP addresses, which is why the strong password remains the decisive factor.
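How such a limit works inside WordPress, as an added example that is not RAIDBOXES code and not the RB Login Protector described above: a small must-use plugin (drop it into wp-content/mu-plugins/) that covers both host-side measures discussed so far, a minimum password length on profile changes and password resets (#1) and a per-IP lockout after repeated failed logins (#2). The thresholds, the EXLH_ prefix and the decision to trust only REMOTE_ADDR are assumptions, not settings from the article.

```php
<?php
/**
 * Plugin Name: Example login hardening (added illustration, not RAIDBOXES code)
 * Description: Minimum password length plus a per-IP lockout after repeated
 *              failed logins, stored in transients. Place in wp-content/mu-plugins/.
 */

// Assumed thresholds (not taken from the article).
define( 'EXLH_MIN_PASSWORD_LENGTH', 12 );
define( 'EXLH_MAX_ATTEMPTS', 5 );
define( 'EXLH_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS );
define( 'EXLH_LOCKOUT_SECONDS', HOUR_IN_SECONDS );

/**
 * Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless a trusted
 * proxy in front of PHP strips and sets it; in that case let the proxy rewrite
 * REMOTE_ADDR (mod_remoteip, ngx_http_realip_module) instead of parsing headers here.
 */
function exlh_client_ip(): string {
	return (string) ( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

function exlh_state_key( string $ip ): string {
	return 'exlh_fail_' . md5( $ip ); // transient names must stay short
}

// Count failed logins per IP; after EXLH_MAX_ATTEMPTS inside the window, lock the IP.
add_action( 'wp_login_failed', function ( $username ) {
	$key   = exlh_state_key( exlh_client_ip() );
	$state = get_transient( $key );
	if ( ! is_array( $state ) ) {
		$state = array( 'count' => 0, 'locked_until' => 0 );
	}
	if ( $state['locked_until'] > time() ) {
		return; // already locked; keep the original expiry rather than extending it
	}
	$state['count']++;
	if ( $state['count'] >= EXLH_MAX_ATTEMPTS ) {
		$state['locked_until'] = time() + EXLH_LOCKOUT_SECONDS;
		set_transient( $key, $state, EXLH_LOCKOUT_SECONDS );
	} else {
		set_transient( $key, $state, EXLH_WINDOW_SECONDS ); // sliding window
	}
} );

// Refuse authentication while locked. Priority 99 matters: core's own
// username/password handler runs at 20 and does not stop on a WP_Error passed
// in, so a block hooked at priority 1 would still let a correct password through.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$state = get_transient( exlh_state_key( exlh_client_ip() ) );
	if ( is_array( $state ) && $state['locked_until'] > time() ) {
		$minutes = (int) ceil( ( $state['locked_until'] - time() ) / MINUTE_IN_SECONDS );
		// Same message whether or not the username exists: no user enumeration.
		return new WP_Error(
			'exlh_locked_out',
			sprintf( 'Too many failed login attempts. Try again in %d minute(s).', $minutes )
		);
	}
	return $user;
}, 99, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
	delete_transient( exlh_state_key( exlh_client_ip() ) );
} );

// Enforce the minimum length wherever a user sets a password: the admin profile
// and "add user" screens and the password-reset flow. Core puts the new
// password in $_POST['pass1'] in both places.
function exlh_check_password_length( WP_Error $errors ): void {
	if ( ! isset( $_POST['pass1'] ) || '' === $_POST['pass1'] ) {
		return; // no password change requested
	}
	if ( strlen( (string) wp_unslash( $_POST['pass1'] ) ) < EXLH_MIN_PASSWORD_LENGTH ) {
		$errors->add(
			'exlh_password_too_short',
			sprintf( 'Passwords must be at least %d characters long.', EXLH_MIN_PASSWORD_LENGTH )
		);
	}
}
add_action( 'user_profile_update_errors', 'exlh_check_password_length' );
add_action( 'validate_password_reset', 'exlh_check_password_length' );
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across PHP workers without any extra storage. The priority of the `authenticate` filter is the detail most home-grown versions get wrong; test a lockout with the correct password, not only with wrong ones.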
#3 WP Session Eraser
According to the GDPR you should store as little data as possible (data minimisation). We help you with that: our tool for more data economy, the WordPress Session Eraser, deletes the WordPress sessions of all your users from the database after a defined interval. You can set this interval individually for each BOX in your BOX settings in our dashboard.
#4 Default blocking of XML-RPC
XML-RPC is a remote interface that has been enabled by default on every WP site since WordPress 3.5. Since the vast majority of site owners do not use it anyway (it is needed by the mobile apps, Jetpack and some remote publishing tools), it makes sense to deactivate the interface. Attackers use XML-RPC to attack your site directly: the system.multicall method lets them try many passwords in a single request, bypassing simple login-attempt limits, and pingback.ping is abused to turn sites into DDoS amplifiers.
For this reason, XML-RPC is now blocked by default and can be unblocked via the settings in the RAIDBOXES dashboard.
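The two measures #3 and #4 expressed as WordPress code, as an added example that is not RAIDBOXES' Session Eraser or XML-RPC block, again as a must-use plugin. The EXHD_ prefix, the seven-day session age and the daily schedule are assumptions. The XML-RPC part shows a caveat a hardening plugin has to get right: the `xmlrpc_enabled` filter on its own only disables the methods that need a login, so pingback.ping stays reachable unless the method table is emptied or the endpoint is refused outright.

```php
<?php
/**
 * Plugin Name: Example session purge and XML-RPC block (added illustration)
 * Description: Not RAIDBOXES code. Deletes WordPress session tokens older than
 *              EXHD_SESSION_MAX_AGE for all users once a day (#3) and switches
 *              XML-RPC off completely (#4). Place in wp-content/mu-plugins/.
 */

define( 'EXHD_SESSION_MAX_AGE', 7 * DAY_IN_SECONDS ); // assumed interval

/**
 * #3 Session eraser. WordPress stores each user's sessions in the
 * 'session_tokens' user meta as verifier => [expiration, ip, ua, login].
 * Core only drops a token once it has expired and the user comes back; this
 * removes every token whose login is older than the interval, for all users,
 * and returns how many were removed. (For very large user tables, page
 * through get_users() with 'number'/'offset' instead of loading all IDs.)
 */
function exhd_purge_old_sessions( ?int $now = null ): int {
	$now      = $now ?? time();
	$removed  = 0;
	$user_ids = get_users( array( 'fields' => 'ID', 'meta_key' => 'session_tokens' ) );
	foreach ( $user_ids as $user_id ) {
		$sessions = get_user_meta( (int) $user_id, 'session_tokens', true );
		if ( ! is_array( $sessions ) ) {
			continue;
		}
		$kept = array_filter( $sessions, function ( $session ) use ( $now ) {
			return isset( $session['login'] )
				&& ( $now - (int) $session['login'] ) < EXHD_SESSION_MAX_AGE;
		} );
		$removed += count( $sessions ) - count( $kept );
		if ( count( $kept ) === count( $sessions ) ) {
			continue; // nothing to write
		}
		if ( $kept ) {
			update_user_meta( (int) $user_id, 'session_tokens', $kept );
		} else {
			delete_user_meta( (int) $user_id, 'session_tokens' );
		}
	}
	return $removed;
}

// Run the purge daily through WP-Cron. (To log everyone out at once instead,
// core offers WP_Session_Tokens::destroy_all_for_all_users().)
add_action( 'exhd_purge_sessions', 'exhd_purge_old_sessions' );
add_action( 'init', function () {
	if ( ! wp_next_scheduled( 'exhd_purge_sessions' ) ) {
		wp_schedule_event( time(), 'daily', 'exhd_purge_sessions' );
	}
} );

/**
 * #4 XML-RPC off. 'xmlrpc_enabled' alone only disables the methods that need
 * a login (closing the system.multicall brute-force route); pingback.ping
 * would remain and is what pingback DDoS attacks abuse. So also empty the
 * method table, stop advertising the endpoint, and answer requests with 403.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
add_filter( 'wp_headers', function ( array $headers ): array {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
add_action( 'init', function () {
	if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
		status_header( 403 );
		exit;
	}
} );
```

Before enabling the XML-RPC part, check that nothing on the site depends on it: the WordPress mobile apps and Jetpack talk to xmlrpc.php. A web-server-level deny rule for that file achieves the same result without PHP being started at all, which is what a host does.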
#5 Managed WordPress security updates
Of course, keeping WordPress up to date is very important. New WordPress versions are published every 2-3 months. Maintenance and security releases in particular close important security gaps, and these updates should be installed immediately.
Major releases usually involve major code changes, which is why incompatibilities can occur. To give theme and plugin developers enough time, we always roll out major updates on our system after 14 days. Of course, we provide the latest WordPress version immediately for manual update. And it is important that you always make a backup of your site before updating!
#6 Selective write protection: WordPress hardening measures
A focus of the security plugin iThemes Security is making WordPress more secure by protecting files. We have integrated this selectively as well. It makes it more difficult to infect elements of the site and render them unusable. A sensible balance must always be struck between flexibility and security; we maintain this through configuration options directly in the RAIDBOXES user interface.
In addition, we apply WordPress best practices where they make sense. One example is changing the prefix of the WordPress database tables, so that they are not reachable under the default wp_ names. This is a modest hurdle at best, since it only trips up automated SQL injection payloads that hardcode table names such as wp_users. Renaming the wp-content folder, on the other hand, as iThemes Security offers, has proven to cause errors, because plugins and themes do not know how to handle it.
#7 Managed plugin updates
Now we have to close the last major gateway for attacks: outdated plugins. As with WordPress itself, there can be security gaps in the plugins and themes around the core. Not every update contains security fixes. Nevertheless, if all plugins are up to date, the probability of exploitable security holes is much lower.
Since this feature in particular saves a lot of time, it is included in our Fully Managed plan for 30 Euro (net). As a reader of this blog article you can use the plan permanently for only 20 Euro via the following link during checkout: Fully Managed special.
#8 Server-side measures
All of the above measures protect WordPress itself. In addition, there is of course an almost endless list of security measures that concern the server itself. This starts with Linux updates and ends with regularly updating PHP, the foundation WordPress runs on. We take care of automatically updating outdated PHP versions (with appropriate lead time and time for testing, of course) without you having to do anything yourself.
Disadvantages of security plugins
Having outlined this, I would now like to briefly discuss the disadvantages of security plugins. These are not insignificant, especially in terms of time.
Anyone who thinks that simply installing a plugin is enough is wrong. Unfortunately, setting up a security plugin requires a certain amount of knowledge.
The plugin All In One WP Security & Firewall makes this very clear. It is one of the most popular free plugins and relies heavily on the .htaccess file. However, the plugin does not even detect whether it is running on an NGINX server, which does not support .htaccess at all and is widely used in WordPress hosting because of its performance. On such a server, the rules the plugin writes are silently never applied.
Furthermore, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures the plugin offers are of limited use. To adequately assess the necessity of the various measures, you inevitably have to familiarise yourself with the subject of security.
Maintenance and perceived (in)security
For our test we installed various security plugins. One of them automatically picked up a team e-mail address stored in WordPress and started sending e-mails diligently. To the great delight of all team members...
Unfortunately, this is not at all uncommon. Of course, you want to stay informed about certain things. In most cases, however, you are alerted to things that do not represent a security risk at all. In the end you feel less secure than before, because you are informed about every file change, for example, and have to check each one when in doubt.
By default, each of the plugins offers a malware or security scan. Wordfence likes to schedule these at hourly intervals. This means that, in case of doubt, a scan of your site runs every hour (!) via an automatic script (WP-Cron). Anyone who has ever installed antivirus software on their computer knows the tales of woe about sometimes massive performance problems.
This may also be a reason why "only" 2 million of over 90 million downloads have remained active in the end.
For the research for this article we only considered plugins that are also available in a free version. Nevertheless, with many WordPress security plugins the really useful features unfortunately cost at least $80 a year. If you do not use them, there is often a lingering feeling of uncertainty.
For those who want to go the extra mile, here are a few examples of cases where a plugin may be useful for WordPress security. These recommendations only apply to specialised WordPress hosting. Since other providers may not have implemented security measures as specifically and extensively, a security plugin may be recommended there in general. As you can see, it is hardly possible to make a general statement about the usefulness of security plugins, because requirements and circumstances differ.
Example 1: Suspected manual attack
This is one of the few cases where we actively recommended a security plugin to increase the security of an online shop. The WooCommerce customer had the impression that he was being attacked manually, which, as described above, is very rare.
In this case, he was able to use Wordfence and its logging function to quickly identify the attacker's IP address and then block it. The attack was thus effectively stopped.
Example 2: Many plugins and sensitive data
The higher the number of plugins, the higher the probability of security risks. In particular, if no tool is used for updating, existing security gaps remain unnoticed in the system for a long time and offer an attack surface. With WooCommerce shops in particular, the number of plugins is usually inherently high and the data is also more sensitive. A security plugin should therefore be considered here.
In the following I would like to briefly explain why we limit ourselves to only three plugins rather than presenting ten, or even the 101 best WordPress security plugins.
For the security plugins we limit ourselves to the top 3 WordPress plugins worldwide. We also looked at other security plugins, such as All In One WP Security & Firewall, which is the most popular purely free plugin (without a premium version) with 800,000+ users. However, we were not convinced by its usability and partly by the recommended measures. At the same time, it is only applicable to Apache web servers.
Since we see the plugins more as a supplement to already secure WordPress hosting, the aim is to cover the last 0.1 percent of the security risk. We therefore restrict ourselves to the professional plugins with very high prevalence.
However, this selection of plugins is also highly relevant for other, non-specialised hosts. There you should deal more intensively with the topic of WordPress security anyway.
At the same time, it is important to us to provide a quick decision-making aid. In our opinion, this is no longer possible with a presentation of ten plugins, because in the end all ten need to be evaluated. With three plugins with different focuses, the decision is easier.
Of course, there are countless plugins that take over great individual functions, for example limiting login attempts (Limit Login Attempts). Functions that the big plugins only offer in their PRO versions can also be covered by individual plugins; the best example is a dedicated plugin for two-factor authentication.
Firewalls apply certain rules to detect whether someone is acting maliciously or is just visiting the site. If someone tries to break into the site, they are blocked. The rules are based in particular on knowledge of existing security holes. At the same time, it is easier to detect attacker networks, and block them for everyone else, with 2 million sites under management than with 10,000 sites. Distribution therefore plays a role for security plugins.
This does not mean that there are no other great plugins for more WordPress security. Feel free to mention your personal favourites in the comments. In this way we give new, innovative approaches a fair chance too.
| Plugin | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Active installations | 3+ million | 900,000+ | 700,000+ |
| Languages | English | 16 languages (incl. German) | English, Spanish |
| Tested with the latest WordPress version | Yes | Yes | up to 5.3.4 |
| Number of ratings | 3,572 | 3,830 | 338 |
| Rating (out of five stars) | 4.8 | 4.7 | 4.4 |
| Premium (annual licence) | from $99 | from $80 | $199.99 |
| Malware removal | from $286.40 | not offered | included in licence |
The overview makes clear that each of the plugins has a very high prevalence and is well rated. Nevertheless, Wordfence is the undisputed market leader and also balanced in terms of price-performance ratio. At Sucuri you pay for malware removal directly, but the price can rise to 500 dollars per year, especially through faster service and more frequent scans. At Wordfence, professional malware removal is offered as an optional service. So it all depends on your needs.
It is important to know that it is quite unlikely to catch malware with strong WP user passwords. In our opinion, it therefore makes little sense to purchase malware removal directly as a service.
At Wordfence you get direct access to the entire firewall spectrum in the free version, unlike, for example, iThemes Security, where information from the network is only accessible in the PRO version.
Another point not to be sneezed at: in our comparison, Wordfence is the only independent provider that specialises solely in WordPress security. Sucuri belongs to the GoDaddy group, and iThemes was also bought by another hosting company; both are active in various other areas, such as theme development. Behind Wordfence is exclusively the security company Defiant.
Our security plugin recommendation is therefore quite clearly Wordfence. The plugin already offers a comprehensive firewall in the free version and concentrates on the two core topics a security plugin should provide: a firewall and security scans.
In addition, it is quickly set up, clearly laid out and does not unsettle you with too much technical information, as is the case with other plugins.
To avoid performance problems, "Low Resource Scanning" should be enabled in the scan options. Since IP addresses are processed, you should also conclude a data processing agreement (AV contract under the GDPR) with Wordfence.
In the following, I go into detail on the individual core areas of a security plugin to make the differences between the plugins clear.
| Feature | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Scheduled security scans | Pro | Pro version only | Pro version only |
| Identification of security anomalies | Yes | Yes | Yes |
| Blacklist monitoring | Google Safe Browsing only | Blacklist status check | Yes |
An essential part of a security plugin is checking whether the website has been compromised. Since every plugin vendor uses different names for the same thing and presents it differently, a reasonable comparison is very difficult. The table above should provide an overview.
Each plugin offers a scan function
Although security scans, malware identification, identification of security anomalies and file-change detection are often listed separately, they are essentially the same thing: the files on the site are compared against known-good versions (for core files, the checksums published by WordPress.org) or a previous snapshot, and any difference is a candidate for malware. A remote check, which only looks at what the site sends to a browser, sees much less. In our experience, an inconspicuous result from Sucuri can still mean that malware is found on the site once a more detailed scan is run or the individual files are looked at.
iThemes Security simply uses the Sucuri API. With both Sucuri and iThemes, you therefore get nothing more than the free SiteCheck that is also available on the Sucuri website.
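What a file-based scan actually does, as an added example that is not code from Wordfence, Sucuri or iThemes: a stand-alone PHP CLI script that records a SHA-256 baseline of every file under the WordPress root and later reports added, removed and modified files. A new .php file under wp-content/uploads or a changed file in wp-includes is exactly what a remote SiteCheck cannot see and a file scan flags. The skipped directories, the EXFI_ prefix and the baseline location are assumptions; in practice keep the baseline outside the web root and, for core files, compare against the WordPress.org checksums (which is what `wp core verify-checksums` does).

```php
<?php
/**
 * Added illustration of file-change detection (not Wordfence/Sucuri/iThemes code).
 *   php exfi-check.php baseline /var/www/html   # record known-good hashes
 *   php exfi-check.php check    /var/www/html   # report what changed since
 * Optional third argument: baseline path (default: a file in the system temp dir).
 */
declare(strict_types=1);

// Directories that change legitimately all the time (assumed list).
const EXFI_SKIP_DIRS = array( 'wp-content/cache/', 'wp-content/uploads/cache/' );

/** path => sha256 for every regular file below $root, keyed by forward-slash relative path. */
function exfi_snapshot( string $root ): array {
	$root   = rtrim( (string) realpath( $root ), DIRECTORY_SEPARATOR );
	$hashes = array();
	$files  = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $files as $file ) {
		if ( ! $file->isFile() ) {
			continue;
		}
		$rel = str_replace( DIRECTORY_SEPARATOR, '/', substr( $file->getPathname(), strlen( $root ) + 1 ) );
		foreach ( EXFI_SKIP_DIRS as $skip ) {
			if ( 0 === strpos( $rel, $skip ) ) {
				continue 2;
			}
		}
		$hash = hash_file( 'sha256', $file->getPathname() );
		if ( false !== $hash ) {
			$hashes[ $rel ] = $hash;
		}
	}
	ksort( $hashes );
	return $hashes;
}

/** Compare two snapshots: ['added' => [...], 'removed' => [...], 'modified' => [...]]. */
function exfi_diff( array $baseline, array $current ): array {
	$diff = array( 'added' => array(), 'removed' => array(), 'modified' => array() );
	foreach ( $current as $path => $hash ) {
		if ( ! isset( $baseline[ $path ] ) ) {
			$diff['added'][] = $path;
		} elseif ( $baseline[ $path ] !== $hash ) {
			$diff['modified'][] = $path;
		}
	}
	$diff['removed'] = array_keys( array_diff_key( $baseline, $current ) );
	return $diff;
}

/** Heuristic every scanner applies: executable code where only uploads should live. */
function exfi_is_suspicious( string $path ): bool {
	return 0 === strpos( $path, 'wp-content/uploads/' )
		&& (bool) preg_match( '/\.(php|phtml|phar)$/i', $path );
}

if ( PHP_SAPI === 'cli' ) {
	$mode     = $argv[1] ?? 'check';
	$root     = $argv[2] ?? '.';
	$baseline = $argv[3] ?? sys_get_temp_dir() . '/exfi-baseline.json'; // keep it outside the web root
	if ( 'baseline' === $mode ) {
		file_put_contents( $baseline, json_encode( exfi_snapshot( $root ), JSON_PRETTY_PRINT ) );
		echo "Baseline written to {$baseline}\n";
		exit( 0 );
	}
	$old  = json_decode( (string) file_get_contents( $baseline ), true ) ?: array();
	$diff = exfi_diff( $old, exfi_snapshot( $root ) );
	foreach ( $diff as $kind => $paths ) {
		foreach ( $paths as $path ) {
			$flag = exfi_is_suspicious( $path ) ? '  <-- executable file in uploads' : '';
			echo str_pad( strtoupper( $kind ), 9 ) . $path . $flag . "\n";
		}
	}
	exit( array_sum( array_map( 'count', $diff ) ) > 0 ? 1 : 0 );
}
```

The script exits non-zero when anything changed, so it can sit in a cron job that mails the output. Refresh the baseline right after every update you made yourself; a report that mostly lists files you did not touch is the signal worth acting on.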
Differences in blacklist monitoring
In addition to scans, blacklist monitoring is an important factor, especially because of the ranking losses described above. Here Wordfence, according to its own description, only checks the Google Safe Browsing status. If a website shows up there, it is basically already too late: the website will most likely already have been thrown out of the search results. iThemes Security and Sucuri check several blacklists directly. The result is the same, though: if the website appears on the blacklists, it is already too late. The scans exist precisely to prevent that.
An extended blacklist check is only available in the premium version of Wordfence. It also checks for spam advertising, which is easy to recognise from outside and matters to Google.
Low relevance of DNS monitoring
We consider the DNS and SSL monitoring features to be of little relevance. We are not aware of a single case where DNS or SSL changes were made for criminal purposes.
Wordfence scores with the security logs
The basis of a security plugin should be to display logins sensibly. This is the case with all plugins. Wordfence goes a few steps further with its live traffic monitoring: not only logins are recorded, but all traffic is categorised. In this way, crawler activity and visitor behaviour can be tracked from a security perspective. The tool is therefore ideal for recognising manual attacks, for example.
Conclusion in this category
The scan quality is difficult to judge and would have to be evaluated through test cases. iThemes Security and Sucuri have better blacklist monitoring. However, the scan should prevent the site from being blacklisted in the first place. When it comes to monitoring, the live traffic feature of Wordfence is a big plus.
| Feature | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Web application firewall (WAF) | Restricted | 404 detection | Yes |
| Intrusion detection system (IDS) | Yes | No | Yes |
| Brute force protection | Yes | Yes | Yes |
| Blocking of hacking attempts | Yes | Partial | Yes |
| Zero-day exploit protection | Unclear | No | Yes |
| Single site guard | No | No | Yes |
| Heuristic correlation algorithm | Unclear | No | Yes |
| Load balancing / failover | No | Yes | Yes |
| Advanced manual blocking | Yes | No | No |
iThemes without a proper firewall
When it comes to firewalls, the differences between the plugins are particularly clear, because the approaches are fundamentally different. Strictly speaking, iThemes Security does not use a real firewall. Its 404 detection could be called a first step: it checks whether a client generates many 404 errors in a short time, which is typical of a crawler probing for vulnerable plugin paths, and blocks it.
Sucuri including a full CDN
Whereas with Wordfence only a plugin needs to be installed to use the firewall, with Sucuri you have to change the nameserver or an A record in your DNS settings. In return, it is a completely cloud-based solution, including a CDN (content delivery network), which can also fend off DDoS attacks. In a DDoS attack, a botnet is often used to bombard a site with requests until the server gives in and the site is no longer reachable.
DDoS attacks explained
What exactly a DDoS attack is and how you can effectively prevent it is explained by Nick Schäferhoff in his article.
The Sucuri approach also means that it works with load balancers, unlike Wordfence. Overall, Sucuri uses more marketing terms, such as "Heuristic Correlation Algorithm", and it is unclear whether these represent actual added value, since Wordfence presumably also works with heuristic methods. Those who only need a CDN could also get one free of charge through Cloudflare.
Wordfence with more configuration options
At Sucuri many things run automatically and without the user's intervention, but apparently less can be configured. With Wordfence you can explicitly block the IPs of individual countries, and manual blocking is also possible. This is especially helpful against manual attacks.
| Feature | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Hardening WordPress itself | No | Yes | No |
iThemes Security focuses on security measures within WordPress, as the table shows. A total of 30 different points are worked through, most of which make a lot of sense. Many of them are therefore already included in our hosting.
iThemes Security is therefore a great way to add more security at the WordPress level to "insecure" generic hosting. The free version already offers extensive protection. In the premium version, the two-factor authentication deserves special mention.
Wordfence and Sucuri focus on "shielding" the site and are rather weak on these points.
| Service | Wordfence | iThemes Security | Sucuri |
|---|---|---|---|
| Hack cleanup and malware removal | Optional | Not found | Optional |
| Blacklist warning removal | Optional | Not found | Optional |
| Malware removal request limit | Optional | Not found | Optional |
| Security analyst escalation | Optional | Not found | Optional |
| Full website cleanup | Optional | Not found | Optional |
| Closing the security gaps | Optional | Not found | Optional |
| Full log and incident report | Optional | Not found | Optional |
| Root cause follow-up | Optional | Not found | Optional |
Last but not least, let's look at malware removal. The prices at Sucuri and Wordfence are similar, and both charge extra for faster processing. The services offered are identical. At iThemes I could not find a malware removal service. Malware removal can take 2-3 hours, with large fluctuations though. Since we also do malware removal, we consider the prices fair.
And what about performance?
Last but not least, a note on performance. You would not expect this in a security plugin comparison, but since Sucuri offers a CDN and a firewall in one, there can be a performance improvement, especially for international visitors. With a CDN the website is always delivered from the nearest server, which is an advantage particularly for overseas visitors. For a WooCommerce shop with little cacheable content, however, it is less crucial.
So what is the overall conclusion on the subject of WordPress security? Our personal conclusion can be summed up by the following fact: we do not use a security plugin for our own RAIDBOXES site. We have never used a security plugin and have never had any problems, even though our website is absolutely central for us. However, extensive customer data is not stored on our WordPress website. For us, the risk of a loss of performance due to extensive scanning was too high, and the disadvantages outweighed the benefits.
Nevertheless, a firewall increases the security of the website. So if you want to achieve maximum security and accept the disadvantages in terms of performance and time, you should use a security plugin.
A WordPress security plugin can be useful especially for WooCommerce shops or exposed sites that may already have had problems with malware. Our recommendation is therefore as follows:
If you want a really solid firewall with extensive monitoring, you are very well served with Wordfence. It is not for nothing the most popular security plugin in the world. The premium version complements the functionality very precisely and sensibly. During setup, it is essential to configure the scan schedule correctly in order to prevent performance problems.
iThemes Security performs really useful security measures within WordPress itself. For generic hosting it is a great way to raise the security level without extensive scans and a firewall, even in the free version.
For those who are thinking about using a CDN anyway and for whom DDoS attacks are a relevant topic, Sucuri is recommended. The only thing that remains is the somewhat bland aftertaste of the GoDaddy corporation behind it.
How much (perceived) security do you need?
How do you handle the issue of WordPress security? Do you rely on the security measures of your host, or does only a security plugin let you sleep soundly? As always, we look forward to your comments!