Over 43 percent of all websites now run on WordPress. This makes our favorite CMS a popular target for attacks and malware. But there's no need to panic! Because WordPress security is not rocket science. In addition to practical security tips, today we're sharing the three best WordPress security plugins and showing you when you really need them.
Do I still need a WordPress security plugin at all? We are regularly asked this question in support. In the following article, I would like to show you what added value a security plugin has for the security of your WordPress website and when it really makes sense to use one.
In the second part, we compare the three most popular WordPress security plugins to give you a quick overview. This way, you can make a quick and targeted decision and then get back to the essentials: your business.
Why WordPress security is so crucial
There are three main reasons why you should actively address the security of your WordPress website and not bury your head in the sand.
#1 Your website may become unusable
A few years ago, we were still in the agency business. There were times when we had to completely redesign a site because the original site had become unusable due to security problems that could have been avoided.
Now, someone who installs malware on websites usually has no interest in destroying them. After all, the attacker wants to use the site to send spam, redirect visitors to spam websites, embed ads or mine cryptocurrency, for example. In addition to generally limiting the functionality of your website, malware can also cause significant performance problems.
#2 Blacklisting and crash in Google rankings
An even more serious issue these days is the blacklisting of the domain, especially by Google or Norton. If Google puts your website on its blacklist, in the worst case scenario this means that your website will be removed from the Google search results.
It is possible to submit the site for a new review after a malware attack. However, this does not guarantee that you will get your previous rankings back. This can have serious economic consequences, especially for important money keywords or high organic traffic.
#3: Loss of data
Especially in times of the GDPR, where the topic of data protection has reached a new dimension, corresponding data must be protected. While this is less important for a normal company website, it is all the more dramatic for a store website if payment information is not sufficiently protected.
Typical threats to the security of WordPress
Brute force attacks on the login area
In a brute force attack, a large number of password combinations are automatically tried in order to gain access to the website via the /wp-admin login of WordPress. Once this has been successful and the account on your website has admin rights, the website is almost completely in the hands of a third party.
Our experience at Raidboxes shows: By using a strong password and limiting login attempts, almost all cases of malware can be avoided. But more on that in a moment.
Automated exploitation of security vulnerabilities
As a rule, attacks on websites are automated. WordPress websites are automatically scanned by so-called crawlers, for example for a specific plugin that has a security vulnerability. Various security vulnerabilities can be exploited in attacks, such as SQL injections or cross-site scripting.
Manual attacks
Of course, it is also possible to exploit a security vulnerability manually. However, this is rather rare, as the effort would only be worthwhile for large WooCommerce stores where payment data is actually to be stolen.
8 security measures that we provide as a hoster
In principle, specialized WordPress hosting can significantly increase the security of your website. We have continuously expanded the Raidboxes security concept over the years so that cases of malware have become an absolute rarity. In particular, the detailed analysis of malware cases helps to identify frequently exploited security vulnerabilities and prevent them with appropriate measures.
#1 Strong passwords - the most important security measure of all
One of the most important security measures of all is a strong password for all accounts. Unfortunately, as the hoster, we have only limited influence on password assignment, especially when accounts are migrated to us. Enforcing a strong password when creating a box (i.e. a new WordPress website) has led to a significant reduction in malware attacks.
Reminder
A password should consist of numbers, special characters and lower-case letters with a minimum length of seven characters. If this is not the case with your WordPress accounts, you should definitely take step 1 first and change your passwords immediately.
#2 Protection against brute force attacks
Websites are attacked almost a billion times a month with the brute force attacks described above. Good if your WordPress host has already taken care of this. Our login protection sits in front of your WordPress login area and blacklists IP addresses that repeatedly try to log in with wrong credentials.
In the settings of your box, you can define exactly after how many login attempts this block should take effect and how long the IPs in question should be blocked. In combination with a strong password, it is practically impossible to gain access to the website in this way.
#3 WP Session Eraser
According to the GDPR, you should store as little data as possible. We can help you with this! Our tool for more data economy - the WordPress Session Eraser - deletes the WordPress sessions of all your users from the database after an interval defined by you. You can set this interval individually for each box in your box settings in our dashboard.
#4 Standard blocking of the XML-RPC
XML-RPC is an interface that has been available on every WordPress website since WordPress 3.5. Since the vast majority of webmasters do not use XML-RPC anyway, it makes sense to deactivate this interface. This is because hackers can directly attack your site via XML-RPC.
For this reason, the interface is now blocked by default and can be enabled if required via the settings in the Raidboxes dashboard.
#5 Managed security updates from WordPress
Of course, updating WordPress is very important. New WordPress versions are released approximately every 2-3 months. Maintenance updates in particular close important security gaps. These updates should be installed immediately.
Major updates usually involve major code changes, which can lead to incompatibilities. In order to allow enough time for the updates of themes and plugins, we always roll out major updates on our system after 14 days. However, we will of course make the latest WordPress version available for manual updates immediately. It is of course important that you always make a backup of your site before updating!
#6 Selective write protection - WordPress hardening measures
One focus of the iThemes Security plugin is to make WordPress more secure by protecting files. We have integrated this selectively as well. It makes it more difficult to infect elements of the site and render them unusable. A sensible balance must always be struck between flexibility and security; we maintain it through configuration options directly in the Raidboxes user interface.
Of course, we also apply WordPress best practices where they make sense. One example is renaming the prefix of the WordPress database tables, so that they are no longer reachable under the standard wp_ prefix. Renaming the wp-content folder, on the other hand, as iThemes Security offers, usually leads to errors, as plugins and themes cannot cope with it.
#7 Managed plugin updates from WordPress
Now it's time to close the last major gateway for attacks: out-of-date plugins. As with WordPress itself, plugins and themes can have security vulnerabilities. Not every update contains security fixes. Nevertheless, if all plugins are up to date, the probability of open security vulnerabilities is significantly lower.
#8 Server-side measures
All of the above measures protect WordPress itself. Otherwise, there is of course an almost endless list of security measures that affect the server itself. This starts with Linux updates and ends with the regular updating of PHP as the basis of WordPress. We take care of the automatic update of outdated PHP versions (with the appropriate lead time and time for testing, of course) without you having to worry about it yourself.
Disadvantages of WordPress security plugins
Having said this, I would now like to briefly discuss the disadvantages of security plugins. Some of these are not insignificant, especially from a time perspective.
Setup effort
Anyone who thinks that simply installing a plugin is enough is mistaken. Unfortunately, setting up a security plugin also requires certain knowledge.
The All-in-One Security plugin makes this wonderfully clear. It is one of the most popular free plugins and relies very heavily on the .htaccess file. However, the plugin does not even recognize when it is running on an NGINX server, which does not support the .htaccess concept at all. Yet NGINX is widely used for WordPress because of its flexibility.
Furthermore, although the security measures are divided into difficulty levels, which makes a lot of sense, many of the measures offered by the plugin are less useful. In order to adequately assess the necessity of the various measures, you inevitably have to familiarize yourself with the security matter.
Maintenance and perceived (in)security
We installed various security plugins for our test. One of the plugins automatically used a team email address stored in WordPress and started sending emails diligently. To the great delight of all team members...
Unfortunately, this is not at all uncommon. Of course you want to stay informed to a certain extent. However, in most cases you are informed about things that pose no security risk at all. In the end, you feel more insecure than before, as you are informed about every file change, for example, and have to check if in doubt.
Performance problems
By default, each of the plugins offers a malware or security scan. The Wordfence plugin likes to set this to run automatically every hour. This means that in case of doubt, your site will be scanned every hour (!) by an automatic script (via cronjob). Anyone who has ever installed anti-virus software on their computer will know the tales of woe of sometimes massive performance problems.
This may also be one reason why "only" 2 million of the more than 90 million downloads remained active in the end.
Costs
When researching this article, we only evaluated plugins that are also available in a free version. Nevertheless, it is unfortunately the case that the really useful features of many WordPress security plugins cost at least 80 dollars per year. If you don't use them, you are often left with a feeling of insecurity.
When is a WordPress security plugin really useful?
For all those who want to go the extra mile, here are a few examples of cases where a WordPress security plugin can be useful. These recommendations only refer to specialized WordPress hosting. As security measures may not be implemented as specifically and extensively with other hosts, a WordPress security plugin may be recommended there. As you can see, it is hardly possible to make a general statement about the benefits of security plugins, as the requirements and circumstances vary.
Manual hacking of the WooCommerce store
This is one of the few examples where we have actually actively recommended a security plugin to increase the security of the online store. The WooCommerce customer had the impression that he was being attacked manually, which, as described above, happens very rarely.
In this case, he was able to use Wordfence and its logging function to quickly identify the IP address in question and then block it. The attack was thus effectively prevented.
The higher the number of plugins, the higher the probability of security risks. In particular, if no tool is used for updating, existing security gaps remain unnoticed in the system for a long time and offer a target for attack. With WooCommerce stores in particular, the number of plugins is usually high due to the nature of WooCommerce and the data is also more sensitive. Therefore, a security plugin should also be considered here.
The three best security plugins for WordPress
In the following, I would like to briefly explain why we are limiting ourselves to just three plugins and not presenting ten - or even the best 101 WordPress security plugins.
For the security plugins, we limited ourselves to the top 3 WordPress plugins worldwide. We also looked at other security plugins, such as All In One WP Security & Firewall, which with 800,000+ active installations is the most popular purely free plugin (without a premium version). However, we were not convinced by its usability and by some of the recommended measures. On top of that, it can only be used on Apache web servers.
It's about the last mile
As we see the plugins more as a supplement to an already secure WordPress hosting, the aim is to cover the last 0.1 percent security risk. We therefore limit ourselves to the professional plugins, which are very widely used.
However, this selection of plugins is also highly relevant for other, non-specialized hosters. In this case, you should deal more intensively with the topic of WordPress security anyway.
Quick decision-making aid
At the same time, it is important to us to provide a quick decision-making aid. In our opinion, this is no longer possible with a presentation of ten plugins, as in the end all ten plugins have to be evaluated again. With three plugins with a different focus, the decision is easier.
Restriction to all-in-one plugins
Of course, there are countless plugins that take over individual functions, for example limiting login attempts (Limit Login Attempts). Functions that the all-in-one plugins only offer in their PRO versions can also be covered by individual plugins. The best example is this plugin for 2-factor authentication.
Distribution and data are important for firewalls
Firewalls apply certain rules to detect whether someone is acting maliciously or simply visiting the site. If someone tries to break into the site, they are blocked. The rules are based above all on knowledge of existing security vulnerabilities. At the same time, networks of attackers can be recognized and blocked for all other sites much better with 2 million sites under management than with 10,000. This is why distribution plays a role for security plugins.
Your personal favorites are welcome
This doesn't mean that there aren't other great plugins for more WordPress security. Feel free to name your personal favorites in the comments. This way, we can ensure even more equal opportunities for new innovative approaches.
The three best security plugins at a glance
| Website of the plugin | Wordfence | iThemes Security | Sucuri Security |
| --- | --- | --- | --- |
| Download link | Download | Download | Download |
| Features | Here | Here | Here |
| Active installations | 3+ million | 900,000+ | 700,000+ |
| Languages | English | 16 languages (also DE) | English, Spanish |
| Tested with the latest WordPress version | Yes | Yes | up to 5.3.4 |
| Number of ratings | 3,572 | 3,830 | 338 |
| Rating (five stars) | 4.8 | 4.7 | 4.4 |
| Free version | Yes | Yes | Yes |
| Premium (annual license) | from $99 | from $80 | $199.99 |
| Malware removal from | $286.40 | not offered | included in license |
The overview clearly shows that each of the plugins is very popular and well rated. Nevertheless, Wordfence is the undisputed market leader and also offers good value for money. With Sucuri, you pay directly for malware removal, but prices can rise to 500 dollars per year, particularly for faster service and more frequent scans. With Wordfence, professional malware removal is offered as an optional service. So it all depends on your needs.
It is important to know that it is quite unlikely to catch malware with strong WP user passwords. In our opinion, it therefore makes little sense to purchase malware removal directly as a service.
The free version of Wordfence gives you direct access to the entire firewall spectrum, unlike iThemes Security, for example, where information from the network is only accessible in the PRO version.
Another important point that should not be overlooked: Wordfence is the only independent provider in our example that specializes solely in WordPress security. Sucuri is now part of the GoDaddy Group and iThemes was also bought by another hosting company. They are also active in various other areas, such as theme development. Wordfence is exclusively backed by the security company Defiant.
Interim conclusion
Our security plugin recommendation is therefore clearly Wordfence. Even in the free version, the plugin offers a comprehensive firewall and focuses on the two core topics that a WordPress security plugin should provide: a firewall and security scans.
Furthermore, it is quick to set up, clearly laid out and does not cause confusion, as is the case with other plugins with overly technical information.
To avoid performance problems, enable "Low Resource Scanning" under the scan options. Since the plugin processes IP addresses, you should conclude a data processing agreement (AV contract under the GDPR) with Wordfence.
In the following, I will go into more detail about the individual core areas of a WordPress security plugin in order to make the differences between the plugins clear.
A comparison of the most important plug-in features
Monitoring and scans
| | Wordfence | iThemes Security | Sucuri |
| --- | --- | --- | --- |
| Security scans | Yes | Yes | Yes |
| Scheduled security scans | Pro version only | Pro version only | Pro version only |
| Malware identification | Yes | Yes | Yes |
| Identification of security anomalies | Yes | Yes | Yes |
| Blacklist monitoring | Google Safe Browsing only | Blacklist status check | Yes |
| File changes | Yes | Yes | Yes |
| DNS monitoring | Yes | Unclear | Yes |
| SSL monitoring | No | Yes | Yes |
| Notifications | Yes | Yes | Yes |
| Spam check | Pro version only | Yes | Yes |
| Security logs | Yes | Yes | Basic |
An essential part of a WordPress security plugin is checking whether the website has been compromised. Since there is no standardized use of terms and different terms and explanations are often used for the same content, it is very difficult to make a reasonable comparison. The table above is intended to provide an overview.
Each plugin offers a scan function
Although security scans, malware identification, identification of security anomalies and file changes are often listed separately, they all mean the same thing: file matching is used to check whether malware is present on the site. In our experience, a clean result from Sucuri can still mean that malware is found on the site if a more detailed scan is run or the individual files are inspected.
iThemes Security simply uses the Sucuri API here. As a result, both Sucuri and iThemes provide nothing other than the free site check, which can also be found on the Sucuri website.
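The file-matching scan described above comes down to hashing every file under the WordPress root and comparing the result with a stored baseline. The following is an added example of such a scan in Python; it is not the code of Sucuri, iThemes or Wordfence, and the site layout, file contents and ignore patterns are constructed. The ignore list shows how to keep cache churn out of the notifications, which is the noise problem described under "Maintenance and perceived (in)security" above.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch
from typing import Dict, Iterable

# Paths that change legitimately all the time and would only produce
# noise notifications; constructed list, adjust per site.
DEFAULT_IGNORE = ("wp-content/cache/*", "*.log")


def sha256_file(path: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large uploads are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, ignore: Iterable[str] = DEFAULT_IGNORE) -> Dict[str, str]:
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if any(fnmatch(rel, pattern) for pattern in ignore):
                continue
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Classify what changed since the baseline; every list is sorted."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, list]:
    """Baseline a constructed site, simulate the kind of changes a scan
    is meant to catch, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-content/themes/demo/footer.php", b"<?php wp_footer(); ?>\n")
        _write(root, "wp-content/cache/page.html", b"cached\n")
        baseline = build_manifest(root)

        # Constructed post-compromise picture: a PHP file dropped into
        # uploads and a theme file altered. The cache refresh must not
        # appear in the report, which is what the ignore list is for.
        _write(root, "wp-content/uploads/2024/x.php", b"<?php /* dropped file */\n")
        _write(root, "wp-content/themes/demo/footer.php", b"<?php wp_footer(); ?>\n<!-- injected -->\n")
        _write(root, "wp-content/cache/page.html", b"cached again\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```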
Differences in blacklist monitoring
In addition to the scans, blacklist monitoring is an important factor, especially for the ranking losses described above. According to Wordfence, it only checks the Google Safe Browsing status. If a website appears here, it is generally already too late. The website will most likely be thrown out of the search results first. iThemes Security and Sucuri check several blacklists directly here. However, the result is identical. If the website appears on the blacklists, it is already too late. These scans are carried out precisely to prevent this.
An extended blacklist check is only available in the premium version of Wordfence. Here, the point of spam advertising, which is easy to recognize from the outside and important for Google, is also checked.
Low relevance of DNS monitoring
We consider the DNS and SSL monitoring features to be of little relevance. We are not aware of a single case where DNS changes or SSL changes have been made in order to pursue criminal activities.
Wordfence scores points with the security logs
The basis of a WordPress security plugin should be to display logins properly. This is a given for all plugins. Wordfence goes a few steps further here with its live traffic monitoring. Not only are logins detected, traffic is also categorized accordingly. In this way, crawler activity and human behavior can be tracked from a security perspective. The tool is therefore ideal for preventing manual hacks, for example.
Conclusion in this category
The scan quality is difficult to assess and would have to be evaluated through test cases. iThemes Security and Sucuri have better blacklist monitoring. However, the scan should prevent the site from ending up on a blacklist in the first place. Wordfence's live traffic feature in particular is a big plus when it comes to monitoring.
Protection in combination with firewalls
| | Wordfence | iThemes Security | Sucuri |
| --- | --- | --- | --- |
| Web Application Firewall (WAF) | Restricted | 404 Detection | Yes |
| Intrusion Detection System (IDS) | Yes | No | Yes |
| DDoS protection | No | No | Yes |
| Brute force protection | Yes | Yes | Yes |
| Block of hacking attempts | Yes | Partial | Yes |
| Zero-day exploits protection | Unclear | No | Yes |
| Single side protection | No | No | Yes |
| Heuristic Correlation Algorithm | Unclear | No | |
| Load balancing / failover | No | Yes | Yes |
| Country blocking | Yes | No | No |
| Advanced manual blocking | Yes | No | No |
iThemes without a proper firewall
The differences between the plugins are particularly clear when it comes to the firewall. The approaches are fundamentally different here. Strictly speaking, iThemes Security does not use a real firewall. To some extent, its 404 detection could be described as a first approach: it looks at whether a crawler generates a lot of 404 errors and blocks it if so.
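The hosting-level login protection described under #2 above (block an IP after a configurable number of failed logins, for a configurable time) and the 404 detection just described are the same threshold-and-block logic applied to different events. The following is an added Python example of that logic, not code from Raidboxes or from any plugin named here; the thresholds, IP addresses and event stream are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class BlockPolicy:
    max_events: int       # failures tolerated inside the window
    window_seconds: int   # sliding window in which failures are counted
    block_seconds: int    # how long an IP stays blocked once it trips


@dataclass
class IpBlocker:
    policy: BlockPolicy
    # per-IP timestamps of recent failures (only those inside the window)
    _events: dict = field(default_factory=lambda: defaultdict(deque))
    # IP -> unix time at which its block expires
    _blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # block expired: forget it and start counting afresh
            del self._blocked_until[ip]
            self._events.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str, now: float) -> str:
        """Register one failure (bad login, 404, ...) for an IP.
        Returns 'rejected' if the IP was already blocked, 'blocked' if
        this failure tripped the threshold, otherwise 'counted'."""
        if self.is_blocked(ip, now):
            return "rejected"
        q = self._events[ip]
        q.append(now)
        while q and now - q[0] > self.policy.window_seconds:
            q.popleft()          # forget failures older than the window
        if len(q) >= self.policy.max_events:
            self._blocked_until[ip] = now + self.policy.block_seconds
            q.clear()
            return "blocked"
        return "counted"


# Constructed policies: 5 failed logins in 5 minutes -> 1 hour block;
# 3 "not found" probes in 1 minute -> 10 minute block.
LOGIN_POLICY = BlockPolicy(max_events=5, window_seconds=300, block_seconds=3600)
NOTFOUND_POLICY = BlockPolicy(max_events=3, window_seconds=60, block_seconds=600)

# Constructed event stream: (unix time, client IP, event kind). The 404
# probes stand in for a crawler checking for a plugin it knows to be vulnerable.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "login_failed"),
    (5, "198.51.100.7", "login_failed"),
    (9, "198.51.100.7", "login_failed"),
    (12, "198.51.100.7", "login_failed"),
    (15, "198.51.100.7", "login_failed"),    # fifth failure: blocked
    (20, "198.51.100.7", "login_failed"),    # still blocked: rejected
    (30, "203.0.113.9", "404"),
    (31, "203.0.113.9", "404"),
    (400, "203.0.113.9", "404"),             # first two aged out of the window
    (401, "203.0.113.9", "404"),
    (402, "203.0.113.9", "404"),             # third inside the window: blocked
    (4000, "198.51.100.7", "login_failed"),  # hour is over: counted again
]


def replay(events, login_policy=LOGIN_POLICY, notfound_policy=NOTFOUND_POLICY):
    """Run the events through one blocker per event kind and return
    (time, ip, decision) for each, which is what a log line would show."""
    blockers = {"login_failed": IpBlocker(login_policy), "404": IpBlocker(notfound_policy)}
    return [(ts, ip, blockers[kind].record_failure(ip, ts)) for ts, ip, kind in events]


if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE_EVENTS):
        print(f"t={ts:>5} {ip:<14} {decision}")
```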
Sucuri including full CDN
Whereas Wordfence only requires the plugin to be installed in order to use its firewall, Sucuri requires you to change the name server or an A record in your DNS settings. It is a completely cloud-based solution that includes a CDN (Content Delivery Network) and can therefore also fend off DDoS attacks. In a DDoS attack, a botnet is typically used to flood a site with requests until the server buckles and the site is no longer reachable.
The Sucuri approach also means that, unlike Wordfence, it works with load balancers. Overall, Sucuri's use of terms such as "heuristic correlation algorithm" looks more like marketing wording, and it is unclear whether it adds real value, since Wordfence presumably also works with heuristic methods. However, anyone who only needs a CDN could also get that from Cloudflare free of charge.
Wordfence with more configuration options
With Sucuri, many things run automatically without the user having to do anything. On the other hand, there seems to be less that can be configured here. With Wordfence, individual country IPs can be explicitly blocked and manual blocking is also possible. This is particularly helpful for manual hacks.
WordPress security measures
| | Wordfence | iThemes Security | Sucuri |
| --- | --- | --- | --- |
| Database backups | No | Yes | No |
| Making WordPress more secure | No | Yes | No |
| Hide information | No | Yes | No |
| Write protection | No | Yes | No |
| Password management | No | Yes | No |
| Two Factor Authentication | Premium | Premium | No |
As you can see in the table, iThemes Security focuses on security measures within WordPress. A total of 30 different points are covered, most of which are very useful. Many of these points are already included in our hosting.
iThemes Security is therefore a great way to add more security at WordPress level to an "insecure" generic hosting. The free version already offers comprehensive protection. In the premium version, the 2-factor authentication should be emphasized.
Since Wordfence and Sucuri focus on "shielding" the site, they are rather weak on these points.
Malware removal & performance
| | Wordfence | iThemes Security | Sucuri |
| --- | --- | --- | --- |
| Hack Cleanup & Malware Removal | Optional | Not findable | Optional |
| Blacklist warning removal | Optional | Not findable | Optional |
| Malware Removal Request Limit | Optional | Not findable | Optional |
| Automatic cleanup | Partial | Not findable | Partial |
| Security Analyst Escalation | Optional | Not findable | Optional |
| Full website cleanup | Optional | Not findable | Optional |
| Closing the security gaps | Optional | Not findable | Optional |
| Backups | No | Not findable | Yes |
| Post-Cleanup Report | Optional | Not findable | Optional |
| Full Log and Incident Report | Optional | Not findable | Optional |
| Root Cause Follow Up | Optional | Not findable | Optional |
Last but not least, let's take a look at malware removal. The prices for Sucuri and Wordfence are similar here. Both charge a surcharge for faster processing. The services offered here are identical. I could not find a malware removal service at iThemes. Malware removal can take 2-3 hours, but with large fluctuations. Since we also perform malware removal, the prices are fair.
And what about the performance?
Last but not least, a note on performance. You would not expect this from a security plugin comparison. However, as Sucuri offers a CDN and a firewall in one, performance can also be improved, especially for international visitors. With a CDN, the website is always delivered from the nearest server, which is particularly advantageous for overseas visitors. For a WooCommerce store with little cacheable content, however, it is less important.
Our conclusion
So what is the overall conclusion on the subject of WordPress security? Our personal conclusion can be summed up by the following fact: We do not use a security plugin for our own Raidboxes website. We have never used a security plugin and have never had any problems. All this despite the fact that our website is of absolutely central importance to us. However, extensive customer data is not stored on our WordPress website either. The risk of a loss of performance due to extensive scanning measures was too high for us and the disadvantages outweighed the benefits.
Nevertheless, a firewall increases the security of the website. Therefore, if you want to achieve maximum security and are willing to accept the disadvantages in terms of performance and time, you should use a security plugin.
A WordPress security plugin can be particularly useful for WooCommerce stores or vulnerable websites that may have already had problems with malware. Our recommendation is therefore as follows:
Wordfence as the best free solution
If you want a really solid firewall with comprehensive monitoring, Wordfence is the perfect choice. It is not the most popular WordPress security plugin in the world for nothing. The premium version complements the functionality precisely and sensibly. During implementation, it is essential to ensure that the scanning processes are set up correctly in order to prevent performance problems.
iThemes Security for generic hosters
iThemes Security implements really useful security measures on the website, especially for WordPress itself. For websites with generic hosters, it is a great way to increase the security level without extensive scans and firewalls, even in the free version.
Sucuri for CDN
If you are thinking of using a CDN anyway and if the topic of DDoS attacks is relevant, then Sucuri is recommended. The only thing that remains is the somewhat bland aftertaste of the GoDaddy group.
How much (perceived) security do you need?
How do you handle WordPress security? Do you rely on your host's security measures or does a WordPress security plugin let you sleep soundly? As always, we look forward to your comments!