Mika Epstein’s Case Against Security Plugins

A broken bike lock – a symbol of security through obscurity

I made a whole course about WordPress security last year, so I’ve got some opinions on what it means to keep a WordPress site secure and how to do it. I won’t fully endorse Mika’s whole argument: I think there are clear benefits to the fully featured WordPress security plugins she’s writing against. That said, I think she makes a very good point that real time and thought are better than a false sense of security from something that claims to do it all. As she says:

“Security plugins stop people from thinking about what’s going on.

“I’ve seen it time and again, people install a plugin that ‘makes them safe,’ follow the bare minimum of requirements, and then install whatever they want without thinking about it, leave registrations open, and oops, get hacked.”

I think there are users for whom a security plugin is part of a comprehensive security stance. For those people, I absolutely think it’s a good practice to have one. A security audit can be very useful for this kind of situation.

But I must give Mika points for the fact that not everyone who installs a security plugin is in the WordPress Security Facebook group (for example), and so may not have thought enough about what they’re doing, and why, to keep themselves safe. That’s why my course exists, after all.

