One of the questions asked by the audience at my WordPress presentation at the Silver Falls Library last autumn was, “What is the best security plugin for WordPress?” It’s an excellent question. The topic is important enough that I had previously addressed it in this post from 2013; but the matter is worth revisiting, because things have changed since then.
Specifically, the plugin that I declared the winner of my last roundup was subsequently taken over by a different developer. The new developer renamed and rewrote the plugin, introduced a lot of new “features,” and, in a word, wrecked it. (In my humble opinion.)
Why use a security plugin for WordPress?
Consider the major security threats to your WordPress-based website. When you get down to it, they are:
- brute force login attacks
- coding errors in plugins & themes
Many security plugins provide .htaccess rules that mitigate vulnerable code by blocking requests whose URLs match certain suspicious parameters before they ever reach the vulnerable plugin or theme.
However, the author of this post was able to demonstrate quite persuasively that .htaccess rules, and the plugins that implement them, are not sufficient to prevent the execution of malicious code via plugins with known vulnerabilities. The purpose of that post is to convince you to sign up for a commercial service that backs up your site for you, so that if it ever gets compromised, you’ll be able to restore it.
But what if you don’t want your site to get compromised in the first place?
No silver bullet
There is no single solution that meets all challenges.
The baseline recommendation is to use the aforementioned .htaccess rules in conjunction with a login security plugin (such as Daniel Convissor’s “Login Security Solution”). The plugin “BulletProof Security” meets both requirements: a set of .htaccess rules bundled with the logic of the (arguably dated) “Limit Login Attempts” plugin.
For an upgrade, you can move to something with file-scanning capabilities, combined with the login security you need. If you select a plugin that doesn’t offer .htaccess rules, you can always add them to your site manually via FTP.
One popular solution is WordFence Security. This plugin was the runner-up in my previous security plugin review/comparison; and now that “Better WP Security” has become “iThemes Security,” this leaves WordFence as the de-facto winner of that roundup. It offers traffic logging, live site scans, and brute force protection, although its default settings are not effective out of the box and require some tweaking before it does anything useful. (Also, it does not include a simple checkbox to disable the much-abused xml-rpc pingback.ping method, which would be a nice addition.) If you pay for the premium upgrade, you also get two-factor authentication (cell-phone sign-in), which, you have to admit, is a nice touch.
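To see what the traffic logging and brute force protection described above are actually looking for, here is an added example (my own illustration, not code from WordFence or any other plugin) that scans Apache access-log lines for the two patterns this post names: repeated failed logins against wp-login.php and bursts of POSTs to xmlrpc.php, where pingback.ping lives. The sample log lines are constructed, and the failed-login heuristic (a 200 response to a POST on wp-login.php) is an assumption stated in the code.

```python
import re
from collections import Counter

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines (not real traffic): one host hammering wp-login.php,
# one host hammering xmlrpc.php, one ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2015:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.9 - - [10/Mar/2015:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.9 - - [10/Mar/2015:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.77 - - [10/Mar/2015:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2015:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield (ip, method, path-without-query, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_abusers(log_text, login_limit=4, xmlrpc_limit=3):
    """Return {ip: reason} for hosts whose traffic matches the two patterns.

    Heuristic (assumed here): WordPress re-renders the login form with HTTP 200
    on a failed login and redirects (302) on success, so a run of 200s on POST
    /wp-login.php from one host is a run of failures. Every POST to xmlrpc.php
    is counted, since pingback.ping can be called without credentials.
    """
    failed_logins, xmlrpc_posts = Counter(), Counter()
    for ip, method, path, status in parse(log_text):
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failed_logins[ip] += 1
        elif method == "POST" and path == "/xmlrpc.php":
            xmlrpc_posts[ip] += 1
    findings = {}
    for ip, n in failed_logins.items():
        if n >= login_limit:
            findings[ip] = f"{n} failed wp-login.php attempts (brute force)"
    for ip, n in xmlrpc_posts.items():
        if n >= xmlrpc_limit:
            findings[ip] = f"{n} xmlrpc.php POSTs (pingback abuse)"
    return findings
```

Running `find_abusers(SAMPLE_LOG)` flags the two noisy hosts and leaves the visitor who logged in on the second try alone; the thresholds are the knobs a plugin like this exposes as "lockout after N attempts".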
Or you could skip the free plugins with their paid upgrades available, and go straight for a paid professional solution. No lesser Internet deity than Chris Coyier himself once revealed that he employs professional WordPress security by Sucuri. They offer scans of your live site, security alerts & malware cleanup.
Check with your web host if…
Some WordPress web hosts include these essential security features in their core installations. If you are paying good money for a service marketed as “WordPress hosting,” ask your host what security plugin they recommend. Some of the high-end, fancy web hosts even prohibit the use of security plugins because the functionality is redundant, and places an unnecessary load on the server.
But if you’re on cheap shared hosting like most of the world, choose your security plugin, choose it well, configure it strictly, and don’t let the bad guys in.
After all, it’s your business.