How to Compare the Features of WordPress Security Plugins (and Services)
As a part of WordPress Security with Confidence, I built a feature that I felt a lot of people were hungry for. It’s a comparison table of WordPress security plugins. It starts to take people along the journey from “security is a serious topic that I have no idea how to handle” and toward “security is a set of problems I can solve in a variety of ways.” That transition is my motivation for the course, and it’s also the motivation for something I just made free: WPSecurityCompared.com. Which, well, makes it easy to compare WordPress security plugins.
Why You Need to Understand Services of WordPress Security Plugins in Detail
What you see on WPSecurityCompared.com today is the first draft. I’m slowly working on improving it, and my most concentrated promotional push will come after I have a little more time to sit and think about the best format for the data I’m trying to present there.
Even in a rough form, this table is useful in helping you make an informed decision about the what and why of buying a WordPress security plugin—or choosing to use a free one. Much of the marketing around security is intentionally unclear about what the product actually does, for the sake of making more impressive claims.
WordPress is Secure
One of the first things people get wrong is assuming that they need a WordPress security plugin. You don’t need a security plugin.
That said, needs are different from wants. Default WordPress, running well-made plugins, and all kept up-to-date is secure. But not everyone polices plugins closely, updates just as soon as they can, or verifies that their server configuration is perfect.
For those busy people, security plugins can be an attractive option. They offer a leg-up on the process of making your WordPress site secure, by giving you some clear and simple tasks to undertake, and taking care of other things without you needing to do any work.
Why WordPress Security Plugins Exist
Plugins that help with WordPress security exist because there are useful things you can do to make WordPress more secure in a plugin. And given just how big the WordPress ecosystem is, if it can be done you can bet that someone will.
The Cynical Take: They Want Your Money
Cynically, so many WordPress security plugins and services exist because you can make money selling them.
One might say that it doesn’t even matter if your plugin makes WordPress more secure. Scared people will buy it whether or not it does anything. And to continue to the height of the cynical take: there’s no better audience to sell to than the scared people shopping for security features. There are few times a buyer is more willing to part with money than when they’re scared that they’re going to be “hacked” or have been.
The Optimistic Take: They Want to Help
More realistically, no one in the security ecosystem is trying to just make money off scared people. All of them have started to make a security plugin with the intention to help. Most of them do.
Surely there are poorly implemented features, and poorly designed ones, where the security benefits can and perhaps should be debated. But I choose to believe that we live in a friendly universe, and that the few times nominal security plugins have had issues are the result of human error, not malice.
What Features To Look For In WordPress Security Plugins
We should not understand security plugins as monolithic tools with the ability to make our websites completely “secure.” Thinking that way conflicts with the reality of the way security (on the web, and anywhere else) actually works.
Rather, defense and security are evolving processes which themselves contain many distinct processes. For example, to protect the President, the United States Secret Service does many things: make sure (s)he never exits a car without overhead covering, make sure the general area has been surveyed, make sure no one without verified need is allowed near them, etc.
Similarly, a “complete” WordPress security plugin is itself a selection of different processes that one may want to use. They each work differently, and it’s impossible to clearly and specifically list every single feature that a plugin will contain. But they generally fit into about 10 buckets, and that’s what we’ll describe.
Web Application Firewall, or WAF
A web application firewall is one of the most interesting and least-understood kinds of security benefits. Like any firewall, the idea is segregation of bad things on one side from the other. (A literal firewall is a fire-proof (or -resistant) barrier that stops the spread of a blaze.)
With a “WAF,” or web-application firewall, the idea is to segregate your web app from the bad actors on the internet. Or, for WordPress, keeping the world from having too-easy access to your WordPress installation.
In practice, you will see two different types of WAF sold for WordPress:
- DNS-intermediary: Sucuri, Cloudflare, and SiteLock are configured when you point your DNS at them, and then they point it back where it used to be pointed. In this way, they’re a complete intermediary to (almost) all the traffic to your site. When installed as a middle-man, they’re able to screen all traffic for you. (It is notable that they can be routed around if someone knows your real server IP.)
- Endpoint Firewalls: Endpoint WAFs are run on the same server as your application, and try to do the same thing. In WordPress, this is the Wordfence plugin. It has the benefit that you don’t have to re-point DNS, and it can’t be routed around by people with your server’s IP. It has the disadvantage that substantially all (even bad) traffic gets through to your server. This makes them more-or-less useless against a (D)DoS attack.
These two types can actually both work as two distinct layers of the same security structure, but that’s likely to be overkill for most sites.
Quick Diversion: What’s a (D)DoS attack?
This article is not a full summary of all security issues. But understanding DDoS is important for evaluating WAFs. It is a common attack on the internet, though not usually one aimed at run-of-the-mill WordPress sites. The idea is to send an overwhelming amount of bad (that is: intentionally malicious) traffic to your server with the intent of slowing it so much that it becomes inoperable. This is called a (Distributed) Denial of Service attack. (It is not about stealing data.)
This attack is most commonly politically motivated. A good DNS-intermediary WAF will just block all this traffic and keep it from taking down your site. But the volume of the biggest DDoS attacks on record is so large that some of the most determined traffic-blockers have surrendered. This most clearly happened with Akamai’s “surrender” to the Krebs on Security attack in 2016. This type of attack isn’t really a concern for a run-of-the-mill blog or small-business site on WordPress. But Krebs is a WordPress site, so defenses for WordPress are relevant to that story.
Back to WAFs
Most WAFs will do their best to block all traffic they know to be malicious, using various methods to decide that it is malicious. One method they have: when they see requests that look like they’re trying to attack known vulnerabilities in a web app (like WordPress core or one of its plugins), they can stop that before it even hits your server. This is often called “virtual patching” and is a very cool feature.
Smart or pooled IP Blocking
Another feature that all WAFs will include is that they’ll block known-malicious IP addresses. This feature is a different method from the “virtual patching” mentioned above, but is often offered by security plugins independently of other WAF features. For almost every case, you can consider that if it has a WAF, it’ll have this. But many security plugins that don’t claim a WAF will do this too.
The mechanism varies, but in general anyone who tracks malicious traffic (most often brute-force attacks, which we’ll cover next) can block IPs (servers) that are known to have been trying to “attack” your site. Some methods offer this just for your local site (they “attacked” us, now we block them) and some pool. When they pool, they know an IP attacked Suzy’s site, so they’ll stop that same IP from attacking your site as well. It’s a nice but not-essential benefit. Services that, from memory, I know pool IP blocking are iThemes Security (via an optional opt-in/sign-up) and Jetpack.
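To make the two mechanisms concrete, here is a small request-screening function that does both things a WAF was described as doing above: it refuses requests from a locally blocked IP, then from a pooled blocklist, and only then tests the path and query values against “virtual patch” rules. This is an added example written for this article, not code from Sucuri, Cloudflare, Wordfence or any other product; the blocklist ranges are placeholders from the RFC 5737 documentation space, and the two rules are hypothetical generic examples (a path-traversal shape and a PHP open tag in input), not rules from any real WAF.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed pooled blocklist: addresses that other sites in the pool reported
# as attackers. Placeholder ranges taken from the RFC 5737 documentation space.
POOLED_BLOCKLIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.7/32"),
]

# Hypothetical "virtual patch" rules. Each blocks a request shape that a class
# of known vulnerability relies on, so the request never reaches WordPress.
# Generic illustrations only, not rules taken from any real WAF product.
VIRTUAL_PATCHES = [
    ("path traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),
    ("php open tag in input", re.compile(r"<\?php", re.IGNORECASE)),
]


def screen_request(client_ip, url, local_blocklist=frozenset()):
    """Return (allowed, reason) for one request.

    Order matters: the cheap IP checks run first (local list, then the pooled
    list), and only then are the path and every query value tested against
    the virtual-patch rules.
    """
    addr = ipaddress.ip_address(client_ip)
    if client_ip in local_blocklist:
        return False, "ip blocked locally (attacked this site)"
    if any(addr in net for net in POOLED_BLOCKLIST):
        return False, "ip blocked by pool (attacked another site)"

    parts = urlsplit(url)
    # Decode percent-encoding before matching so %2e%2e/ is seen as ../ too.
    candidates = [unquote(parts.path)]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(values)
    for name, pattern in VIRTUAL_PATCHES:
        if any(pattern.search(c) for c in candidates):
            return False, f"virtual patch: {name}"
    return True, "ok"
```

Where this code runs is the difference between the two WAF types above: on a DNS-intermediary it runs at the proxy, so the bad traffic never reaches your server; on an endpoint WAF it runs inside the request on your own server, so the traffic has already arrived. If you use a DNS-intermediary, the caveat about being routed around is addressed by having the origin server accept connections only from the intermediary’s addresses.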
Brute Force Blocking to Stop Password Guessing
An even narrower feature that almost every security plugin (that aims for comprehensiveness) offers is what I’d call “brute force protection.” When someone makes many attempts to log in to your account without knowing your password (but trying to guess it) we call this a “brute-force attack.” The idea is that rather than having real knowledge (like your password on a different source) they’re just guessing and guessing and hoping that the brute force of their computer’s guessing power is enough to get them through.
Out-of-the-box, WordPress does nothing to slow or stop this kind of attack. This means that if you forget your password, you’ll be able to guess the five you cycle between without issue. It also means that Beth the hacker can make her computer guess 10,000 passwords for your account as fast as your server will allow.
You protect against a brute force attack by slowing password guesses after three or five failed log-in attempts. This is enough guesses that most people mis-typing their password will still get in without issue, but it will severely slow a password-cracker like Beth. There are lots of free plugins that offer only this feature; “Limit Login Attempts” is my favorite. After the third bad password guess, it’ll block an IP address from trying to log in again for 10 minutes.
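Here is what that “three strikes, ten minutes” rule looks like as working logic. This is an added example written for this article, not the code of Limit Login Attempts or any other plugin; it keeps per-IP state in memory (a real plugin would store it in the database) and uses an injectable clock so the lockout window can be exercised without waiting ten minutes. The IP address is a constructed placeholder.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3        # the third bad guess triggers the lockout
LOCKOUT_SECONDS = 600   # 10 minutes, as in the text


class LoginLimiter:
    """Per-IP failed-login counter with a timed lockout.

    A successful login clears the counter. A locked IP is refused even when
    the password is right, otherwise the guessing could simply continue.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget it so the count starts fresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, password_ok):
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if self.is_locked(ip):
            return "locked"
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILURES:
            self.locked_until[ip] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "denied"


class FakeClock:
    """Controllable clock so the lockout window can be tested without waiting."""

    def __init__(self, now=0.0):
        self.now = now

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(n_wrong):
    """Results for n wrong guesses from one (constructed) IP, then a correct
    password, then the same correct password after the lockout expires."""
    clock = FakeClock()
    limiter = LoginLimiter(clock)
    ip = "203.0.113.9"  # placeholder address
    results = [limiter.attempt(ip, False) for _ in range(n_wrong)]
    results.append(limiter.attempt(ip, True))
    clock.advance(LOCKOUT_SECONDS)
    results.append(limiter.attempt(ip, True))
    return results
```

The person who mistypes twice and then gets it right is never inconvenienced, while the guesser is held to three tries per ten minutes per address; note that an attacker with many addresses is exactly the case the pooled IP blocking above helps with.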
2-Factor Authentication for Improved Account Security
Another, very different, method of protection from a brute-force password-guessing attack is to make a password inadequate for the goal of logging in. If you need something beyond a password for access, someone else is unlikely to succeed in an unauthorized login attempt. What would be beyond? How about needing your email inbox or mobile phone to log in as you. Access to this other thing is thus used as a second factor in the authentication (making sure it’s you) process, and makes your account more secure.
There are many single-purpose WordPress plugins that just give second-factor authentication. Most are made by specific security companies. But many of our more-comprehensive security plugins in the table also offer this as a feature. They either send you an email or use a time-code from a phone-app like Google Authenticator or Authy.
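The “time-code from a phone app” variant is TOTP (RFC 6238, built on HOTP from RFC 4226), which is what Google Authenticator and Authy generate. The following is an added example written for this article, not code from any plugin or app, showing the server side: deriving the six-digit code, accepting one step of clock drift either way, comparing in constant time, and refusing a code that has already been accepted (replay). The secret used is the RFC 4226/6238 test key, so the expected codes are the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check of a code typed from an authenticator app."""

    def __init__(self, window=1, step=30, digits=6, clock=time.time):
        self.window = window        # accept this many steps of drift each way
        self.step = step
        self.digits = digits
        self.clock = clock
        self.last_counter = {}      # user -> highest counter already accepted

    def verify(self, user, secret_b32, code):
        # Apps share the secret as base32 (often shown with spaces); decode it.
        secret = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
        now_counter = int(self.clock()) // self.step
        for c in range(now_counter - self.window, now_counter + self.window + 1):
            if c <= self.last_counter.get(user, -1):
                continue    # a code for this step was already used: replay
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                self.last_counter[user] = c
                return True
        return False


# RFC 4226 / RFC 6238 test key, as the app would receive it (base32).
RFC_TEST_SECRET = b"12345678901234567890"
RFC_TEST_SECRET_B32 = base64.b32encode(RFC_TEST_SECRET).decode()
```

Email-based second factors work the same way at the decision point (something the user must possess is checked in addition to the password) but the code is generated server-side and delivered out of band rather than derived from a shared secret.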
“Malware Scans” for Bad PHP
Another very common feature for WordPress security plugins is that they try to scan your plugin and theme files for the sake of trying to decide whether they contain bad lines or are known malicious.
The logic here is simple: if an attacker got access to your site, they’d run bad code in a plugin or theme. But it’s hard to know which one they’d choose, so most people who offer this feature will scan all of your PHP files. They’re looking in them for lines that seem to do bad things, like steal your visitors’ information and send it to a different site.
There is one exception to this, however. Sucuri offers a “black box” probing service (as well as a file-based scan). In the Sucuri suite, this is the first level, in front of a server-file scan. iThemes Security offers only this off-the-server service (from Sucuri, resold).
I have no first-hand experience with how good any of these services are, having never done massive experimentation with known-malicious code against them, nor having been attacked myself. I’m sure that people have opinions about their relative quality, and I’m sure some of those are informed opinion. But I will refrain from offering any of those here.
File Integrity to Stop Hacks
A similar feature to malware scanning is to check merely for the fact that WordPress files haven’t changed over time. The concern here is similar: we think bad things might happen to your plugin or theme PHP files.
The difference here is that we don’t judge the files at all; we assume they were good at the time of the baseline, and just warn you when those files change. Depending on configuration, this can create a lot of noise or false positives. (Some plugins change files as they do their business, and that can generate noise from such a system.) The idea is good: if you check file integrity from a time you know the site is secure, it’ll stay secure if you’re on top of every change made to every file.
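Here is the integrity check itself: hash every file at a time you trust, then report what was added, removed or changed, with an ignore list for the directories that legitimately churn (the noise the paragraph above mentions). This is an added example written for this article, not any plugin’s implementation; `demo()` builds a constructed miniature site in a temporary directory, baselines it, simulates three changes plus one ignored cache rewrite, and returns the report.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, ignore_prefixes=()):
    """Map each file's POSIX-style relative path to its SHA-256 digest.

    Paths starting with any ignore prefix (cache dirs, logs) are left out so
    routine churn does not show up as a change.
    """
    root_path = Path(root)
    result = {}
    for p in root_path.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root_path).as_posix()
        if any(rel.startswith(prefix) for prefix in ignore_prefixes):
            continue
        result[rel] = hash_file(p)
    return result


def compare(baseline, current):
    """Diff two snapshots into added / removed / changed path lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline.keys() & current.keys()
                          if baseline[p] != current[p]),
    }


def demo():
    """Constructed mini site: baseline it, tamper with it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'example');",
            "readme.html": "<html>readme</html>",
            "wp-content/plugins/a/a.php": "<?php // plugin a, version 1",
            "wp-content/cache/page.tmp": "cached page",
        }
        for rel, body in files.items():
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        ignore = ("wp-content/cache/",)
        baseline = snapshot(tmp, ignore)

        # Simulated changes since the baseline.
        (root / "wp-content/plugins/a/a.php").write_text("<?php // plugin a, modified")
        (root / "readme.html").unlink()
        (root / "wp-content/uploads").mkdir()
        (root / "wp-content/uploads/dropped.php").write_text("<?php // unexpected new file")
        (root / "wp-content/cache/page.tmp").write_text("cache rewritten")  # ignored noise

        return compare(baseline, snapshot(tmp, ignore))
```

A plugin doing this for real stores the baseline somewhere the web server cannot rewrite and re-baselines after each update you performed yourself; that last step is the “if you’re on top of every change” condition in plain terms.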
Audit Log to Know What’s Happening on Your WordPress Site
Similarly, one of the easiest things you can do to keep your site secure is make sure that all the changes made are known to you. To do this when you alone have an account on the site (and you alone log into it) is easy. Doing this when many people control and change the site is harder.
That’s the reason that some plugins offer a security audit log. The idea is that they’ll generate a journal of all the changes made to the site over time. With them you can log in and periodically make sure that nothing troubling has been done on your site. And if something bad happens, you’ll be able to see and correct it from the audit log.
Hardening WordPress Directions
There are a lot of small practices that you can do to make a WordPress site more secure: move the login URL, check the system-level file permissions on your server, further limit access to wp-config.php. Most of these things have some (kind of small) security benefit. Many WordPress security plugins have a feature whose only goal is to help you follow this kind of advice.
Almost all of these plugins give you limited context about why the practices they’re helping you with are (or are not) actually helping with the goal of having a secure site. But a “yes” in this column of the table means the plugin aims to make this kind of practice easier.
Backups are an ancillary feature of a security plugin. I would almost always rather have a good backup solution that is separate from my security plugin.
Those things said, backups are a core part of a WordPress security strategy, as they give you the security of a contingency plan. If the worst happens and your site is compromised in a security breach, you can restore. It is better that you avoid the breach, but a good backup is the next-best thing. And a necessary thing for a reasonable level of security.
How to Compare and Choose WordPress Security Plugins
There are as many opinions about security practices as there are security practitioners. Which plugins people swear-by and bad-mouth will vary hugely for reasons both real and imagined.
A friend’s fervent opinion may be well-informed or arbitrary. The best thing to do is to understand the ecosystem. Which features do you think will most effectively secure your own site?
The two features I put most stock in personally are a WAF and a malware scan. They’re the most likely to work for you at all levels of site, and with any chosen levels of attention from you and other administrators. Most other features are subsets of or alternatives to these two features.
I also think, as we discussed at the outset, that not using a WordPress security plugin is a perfectly valid choice. If you feel confident in the security of your site, there’s no absolute need for you to have any of these security plugins or services running on your site. Stock WordPress, kept-up-to-date, with good plugins, is secure.
You Don’t Need One, But I Hope This Helps if You Want One
My biggest goal here with WPSecurityCompared is that you know what you’re buying, and why. A lot of security products, especially, are sold based on fear and not knowledge and need. So I hope that you now have a much clearer sense of what people are selling, and whether it’d be likely to help you.
If you want to understand all of this (and a lot more) in greater detail, check out my WordPress Security with Confidence course. It’s the best course available on WordPress security, and I know you’ll learn a lot from it.
Image credit: Neil Rickards