Recently, Uber paid a ransom of $100k to hackers who stole data from 57 million accounts so they would delete the data and keep their mouths shut.
While it’s easy to sit and think that of course hackers will target giants look Uber or Yahoo (reportedly all 3 billions accounts that existed at the time were breached in 2013), I’m afraid I have some bad news for you…
It’s not just the big sites hackers target, and you’re not flying under their radar.
before you have even get a site fully up and running.
This is where WordPress security plugins come in. These plugins can help to minimize or eliminate the known vulnerabilities in your WordPress site and make it more difficult for a hacker to get in.
I’m going to be honest with you here: using these plugins may not stop a truly determined hacker if they decide to target your site, but they will make it harder and possibly alert you that someone is in there running amok.
Also, by removing obvious vulnerabilities, it makes it less likely that your site will be targeted in the first place.
Think of it like putting a burglar alarm on your house in the hope that it will put off the thieves so they will rob your neighbours instead.
So, which security plugin provides is the best to protect your WordPress site?
What Do We Look For In A Security Plugin?
A Web Application Firewall (WAF) = a plugin or cloud service that monitors traffic and defends against the bad or malicious stuff.
In a nutshell: the firewall screens traffic before it gets to the site. The good traffic is let through, and the bad traffic is denied entry. Think of it like the doorman: the firewall decides who gets in and who doesn’t.
Firstly, a firewall will block things like blacklisted IP addresses or DDoS (Distributed Denial of Service) attacks.
A firewall can also block malicious acts like:
- SQL injections that modify your database
- Users accessing directories to look for vulnerabilities
- Injecting WordPress shortcodes to interfere with plugins
Not all firewalls are created equally. In fact, there are two main types of firewall:
- Application-level firewall
- DNS-level firewall
The application-level firewall looks at the traffic when it reaches your servers. At this point, it compares the traffic against a set of criteria (such as blacklisted IP addresses) and decides whether or not to let it through.
DNS-level firewalls allow you to review your traffic before it even reaches your server. This means your own servers don’t have to screen the traffic. Instead, the provider will screen the traffic on their own servers before sending good traffic on to your site.
What we want
A DNS-level firewall.
It reduces the load on our servers by handling the work on the firewall provider’s servers. The provider’s servers also have a larger capacity to deal with DDoS attacks.
2. Database Protection
Database Protection = making sure that it’s as difficult as possible for anyone to make unauthorized changes to the database.
Everything on your site ends up being saved in the WordPress database.
We’re talking pages, posts, comments, images, menus, everything.
So, imagine how much damage someone can do if they can mess with your database. In fact, deleting your database only takes one line of code.
So, we need a plugin that protects us from SQL injections and makes it difficult for any bad actors (hackers looking for vulnerabilities within our site — not, like, Gerard Butler) to gather any information about our database that they can use to easily gain access to it.
What we want
The ability to stop SQL injection into the database to modify data.
We also want the database to be difficult to access. This means enforcing strong passwords, changing the default username or default table names so they are harder for hackers to guess.
3. Login Protection
Login protection = making it as difficult as possible for hackers to log-in to your site by guessing the admin URL, your username and your password.
The easiest way in the world for a hacker to get into any website is by knowing or guessing the username or password.
Think about it: there is a clear format for most WordPress sites:
Admin URL: domainname.com/wp-admin
If you use a simple username (e.g. Admin), the only thing a hacker needs to figure out is your password. This is why it shouldn’t be something like ‘password’ or ‘123456’.
We need a plugin that can enforce strong passwords for all users, that will limit the amount of login attempts, and that will allow additional security features, such as:
- Security questions (‘What is your Mother’s maiden name?’ or ‘What was the name of your first pet?’).
- Two factor authentication, which turns logging into into a two-step process whereby you enter a code sent to your mobile each time you go to log-in
It must also protect us from brute force attacks where the hackers will try to go through all of the possible passwords until they stumble across the right one.
On top of that, the plugin should be able to change the admin URL from domainname.com/wp-admin (the default login URL) to something else, making it harder to find.
What we want
- To be able to change the admin URL
- Two factor authentication or security questions
- To enforce strong passwords
4. Malware and File Changes
Malware = software that is designed to mess things up or gain access to information. For our purposes, let’s use a simple definition of malware: malicious software.
As you can imagine, this is an issue.
For example, if the malware takes the form of spyware, it can record personal information such as your customers’ credit card details. But it can do lots of other harmful stuff, too (and that’s a list that could go on forever).
What we want
A plugin that regularly scans for malware and keeps a log of site changes so that we can pinpoint the cause of any issues.
5. Common Sense Lockdown
Common sense lockdown = forcing the user to make changes that make it more difficult for hackers to gain easy access to databases, directories or exploit known weaknesses within WordPress.
There are a number of areas on our sites where information is readily available that can aid hackers or that are exposed areas which make things easier for hackers.
For example, leaving your directories open so that people can navigate to them in the address bar.
This lets people view your site structure, allowing them to identify areas of weakness that can be exploited.
Security can be complicated, so we’re looking for a plugin that can take the lead by highlighting the simple steps that you can take to make your site much more secure.
What we want
A security checklist of known issues and mechanisms that allow us (or our users) to solve them with the plugin.
You can’t put a price on security.
Just kidding, of course you can. We’re asking a lot from a security plugin. So, most of the plugins here will be pretty expensive.In general, we usually recommend an all-in-one security plugin.
However, there are also a few free plugins that do a good job with individual functionalities. You can also:
- Limit access to directories yourself by editing the .htaccess file
- Change the Admin usernames and passwords yourself
- Change the prefixes on the database so that they are more secure
We are looking for a plugin that provides value for money. If it does a lot for us we are willing to pay more but if there are two plugins that cannot be separated on functionality it only makes sense to choose the cheaper option.
What we want
A plugin that offers the most functionality at its price — i.e. the most value per dollar spent.
Best Security Plugins for WordPress
SiteLock is a popular security plugin, mainly because a free version comes included with a number of hosting packages from popular hosting companies (HostGator and Bluehost).
After you install the plugin, you need to sign up to a paid or free plan. While the site does not list plans and pricing very clearly, once you have created an accounted, you are provided the following options:
With the free version, you get a basic malware scan and not much more. In the WP Starter pack, I’m honestly not sure what else you get. They say you get “malware detection and removal,” but doesn’t that beg the question: what does the free version do?
Finally, you have the WP Protect package for $39.20 per month.
For your $40, you get everything in the first two packages (a malware scan) and a WAF. This is a DNS server that also comes with a CDN that will boost your website speed. A CDN is nice for site speed, but it’s not a concern for us at the moment.
The DNS-level WAF means there’s reduced server load because the traffic screening is done before the traffic gets anywhere near your server.
Overall, SiteLock is an expensive product that covers some but not all of the bases that we are looking for.
It could be that the products are aimed at enterprise organizations with security teams that know what they’re doing but, for me, it’s not the right product for the kind of sites that we’re building.
Google ‘wordpress security’ and Wordfence is one of the top results. The same happens when you search the WordPress plugin repository.
It’s little wonder, then, that it is one of the most downloaded security plugins around. But is it actually any good?
Upon installation and activation, Wordfence prompts you to perform a scan. This acts as an initial audit to report issues needing to be resolved immediately. These are fairly basic alerts, such as WordPress version being out of date.
To begin with, in both the free version and the paid version, Wordfence only has an application-level firewall. As mentioned, this puts a bit of strain on the server.
Here’s my main beef, though: in the free version Wordfence loads and secures your site after WordPress and some other plugins load. At this point, your site is vulnerable, and if there’s an issue with any of these plugins, it can damage your site before Wordfence has even loaded.
In the paid version, there is an option to rectify this and load Wordfence before anything else.
This is obviously better than the alternative, but we’re still slightly disappointed by the lack of DNS-level firewall, and the loading order feels more like an oversight than a payment-tier feature.
When it comes to database protection, Wordfence scans your database tables including your comments, users table, posts and pages. This is intended to identify vulnerabilities and alert you on what these issues are and how to resolve them.
The plugin can also audit the strength of both new and existing passwords. Strong passwords make it very difficult for a brute force attack to be successful.
Finally, Wordfence has a heap of additional features in the premium version, including advanced spam protection, checking your site against domain blacklists and more.
The paid version will set you back $99.00 per year, which works to be about $8.25 per month. That seems quite reasonable for a plugin that does pretty much everything that we’re looking from in a security plugin.
However, as we mentioned, it would have been nice to be able to get a DNS level firewall.
iThemes Security comes from the same people that brought us Backupbuddy, so they have serious credentials in this space.
There are some interesting features that come with iThemes Security:
- File Change Detection
- Database Backups
- Strong Password
- Two Factor Authentication
- Password Expiration
- Away Mode – Only allow edits within a certain time period
To stay consistent, let’s have a look at the criteria we have set out for ourselves.
Here’s the biggest downside: there is no firewall. None.
As I mentioned earlier, there are standalone firewall plugins that you can install, but this is a huge miss for an all-in-one security plugin.
When it comes to database protection, the plugin can perform complete backups of your database. This is nice, but is more reactive than I would like. I’m looking for a security plugin to prevent the issue rather than solve the issue after it occurs. In an ideal world, you’ll get yourself a plugin that can do both.
Login protection is where iThemes really excels, in my opinion. You can use two-factor authentication, change the admin URL, lock out users with too many login attempts, and enforce strong passwords and brute force protection.
It’s belts and braces stuff.
You can purchase the Blogger package, a single site license, for $80 per year or purchase the gold package for a one-off fee of $297.
Overall, I think iThemes is a great plugin. If it had a firewall, it would be almost perfect. Having said that, if you could find a great firewall plugin for a good price, these two plugins could work brilliantly in conjunction with each other.
I think it’s fair to say that Cloudflare is best known for its CDN option, but there is a security aspect that covers a lot of what we are looking for in a security solution.
From a security perspective, the main thing Cloudflare offers is the DNS firewall. They have a range of data centers all over the world that can absorb all but the most ferocious DDoS attacks.
The firewall can also handle the more mundane tasks of blocking malicious bots and traffic from bad IP addresses.
To prevent threats, Cloudflare leverages big data. They learn with each new web property and share this data to feed back into their tools to gain greater intelligence of where the threats are coming from so that they are easier to deal with.
In terms of data breaches, Cloudflare is doing things that are probably over the heads of most standard site owners (mine included).
However, the end result is that Cloudflare is pretty confident they can prevent code injection, snooping on data while in transit and DNS spoofing, which can all result in data breaches.
Again, there is a downside. Cloudflare tends to focus on stopping traffic before it gets to your site.
So, I wouldn’t necessarily recommend it as a security plugin. However, the Pro version will cost $20. This could be the option you’re looking for to accompany iThemes if you’re really serious about your security.
It protects from DDoS attacks, defends against brute force attacks, stops hackers exploiting vulnerabilities, and cleans sites that have been infected with malware, blacklisted by Google or disabled by their hosts.
Sucuri provides you with a DNS firewall. The CDN is an added bonus that can speed your site up. Beyond that, it also has just about everything else that we are looking for.
Let’s start with the firewall. Like Cloudflare, Sucuri provides a pretty comprehensive DNS-level firewall.
The plugin will do an initial scan to identify vulnerabilities.
This includes any issues with the database. Regular malware scans take some of the burden off the user to stay on top of security themselves.
One drawback with Securi is the lack of login protection. As far as I can tell, there’s no way to limit login attempts, enforce strong passwords or change the admin URL for your WordPress.
However, I would say that Sucuri does everything else so well that you could use some other free plugins to fill the gap that is left here by Sucuri.
At $16.66 per month or $199.99 per year, Sucuri is right in the middle price-wise. The free version doesn’t provide you with afirewall. So, in my opinion, the paid version is necessary.
Overall, it’s a good option, but, as we have found to be the case with all of the plugins that we have featured, it needs additional plugins to supplement gaps in functionality.
How Do They Compare?
|Plugin||Firewall||DB Protection||Login Protection||Malware and File Changes||Common Sense Lockdown||Price|
For each criteria, plugins have been given a score from 0 to 5 (with 0 being the worst and 5 being the best).
If a plugin does not have a feature at all, it will score a zero. If a feature meets the full requirements it will get a 5.
Anywhere in between will get a score on the sliding scale depending upon how close it gets to what we require.
For example, for ‘Firewall’:
- Cloudflare gets 5 because it has a DNS-level fire
- iThemes Security gets 0 because it does not have a firewall
- Wordfence gets 3 because it has an application-level firewall
Which One Should You Get?
Our vote: Sucuri.
I’m going to start by ruling out SiteLock. I don’t like it, and I do not think it has the functionality I’m looking for as a site owner.
Personally, I really like some of the features available with iThemes Security. I think it does a great job of tackling common sense issues and offer solutions to eliminate them.
I also like the common sense aspect of Sucuri.
In terms of firewall, through, Cloudflare is my favorite.
So, when it comes to actually buying one, I would either go for iThemes Security and get a firewall plugin to fill the functionality gap or get Sucuri and install plugins to limit login attempts, enforce strong passwords, change the login URL and add security questions to the login page.
I think Sucuri just edges it.