
Top 3 WordPress Security Plugins

← blog ⋅ Dennis Plucinik ⋅ February 28 2018

Companies stake their brand and reputation on WordPress every day. As of 2018, WordPress is estimated to power roughly 29% of the top one million websites. The disadvantage of that popularity is that it makes WordPress an attractive target for attackers. At least half of our business centers on WordPress development for clients ranging from startups to large enterprises.

Public vulnerability databases show just how many known exploits there currently are for WordPress core, themes and plugins.

Fortunately, WordPress is a well established platform and has been battle tested for nearly fifteen years. The internal WordPress Security Team is made up of approximately 50 experts focused on identifying and fixing bugs around the clock.

In addition to following best practices and updating plugins and core files regularly, the WordPress community has provided us with an exceptional array of additional resources, including the following plugins, to help keep your WordPress site safe and secure.

It’s important to note the difference between these and other traditional “plugins”. Considering the wealth of security risks, and the ever-increasing torrent of major site attacks in the news, it is important to think of security management as an ongoing process. As such, these solutions are less like a one-time plugin install, and more like employing the ongoing service of a professional security monitoring company.

As with most things, you get what you pay for, and good security isn’t free.

There are many posts on the internet that elaborate on dozens of security plugin options but we’re only going to focus on the best. We have determined this list by comparing a variety of attributes including popularity, longevity, company size and focus, and pricing, among other attributes.

We will not be ranking plugins on their ability to block or manage spam comments, enhance SEO, or backup files or data.

Wordfence
Firewall & Malware Scan
URL: https://wordpress.org/plugins/wordfence/
Active installations: 2+ million
Last updated: 2 weeks ago (2/11/18)
Company: Defiant, Inc. (private), Seattle, WA. Mark Maunder founded Feedjit Inc. in 2007, raised $450k in angel funding in 2008 (Crunchbase), launched Wordfence in 2012, and rebranded the company to Defiant in 2017.
Price: $99/year

Notable features

Endpoint firewall with real-time updates (via Threat Defense Feed)
Brute-force attack protection and file access rate-limiting
Malware scanning
Live traffic monitoring
Automatic security updates within 24 hours of release

Recommendation

This leading cyber-security company employs a team of security professionals and has built a viable business model focused exclusively on WordPress security products. Their CEO regularly writes and speaks on internet security topics.

Aside from price, the main detractor appears to be performance. Some functions, live traffic monitoring in particular, require a surprising number of additional database tables and consequently a large amount of memory (i.e., a more expensive server). If you enable live traffic, watch your database size and PHP memory usage after the first few days.

On the security functionality itself, some other security researchers have also faulted them for failing to report certain issues and for advertising claims they consider misleading.

iThemes Security
Firewall & Malware Scan
URL: https://wordpress.org/plugins/better-wp-security/
Active installations: 900k+
Last updated: 2 weeks ago (2/11/18)
Company: iThemes Media LLC, founded 2008, makers of BackupBuddy; acquired by Liquid Web on 1/31/18
Price: $80/year

Notable features

File change detection
File integrity monitoring
Brute force attack prevention
One-click default setup
“Away mode” dashboard lock

Recommendation

You may notice a considerable number of negative reviews; however, many appear to stem from misconfiguration by inexperienced site administrators. Some users also appear discontented with customer service responses.

Overall, some aspects of this UI are appealing to an average user, such as the easy default setup and “Away Mode”. I personally wish there were an Away Mode option that wasn’t time based and instead forced two-factor authentication in order to come back from Away Mode (two-factor authentication is simply too burdensome for most applications with more than one regular user). File change detection is also an important feature: it is one of the few controls that will tell you a compromise has already happened rather than merely trying to prevent one.
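None of the plugins on this page publish their detection internals here, so as an added illustration (not code from iThemes, Wordfence or Sucuri) here is a minimal baseline-and-compare file integrity checker of the kind the “file change detection” feature describes. The document root, file contents and the simulated tampering are constructed for the demo; keeping the baseline manifest outside the webroot and flagging any PHP file under wp-content/uploads are my assumptions about what a practitioner would want, not features taken from the page.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Assumption: a standard WordPress layout. The uploads directory should only
# ever hold media, so a PHP file appearing there is reported regardless of
# whether it was present in the baseline.
UPLOADS_PREFIX = "wp-content/uploads/"


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = hash_file(full)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    # Keep the baseline OUTSIDE the document root (ideally off-host): an
    # attacker who can write to the webroot could otherwise rewrite it too.
    path.write_text(json.dumps(manifest, sort_keys=True, indent=2))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the baseline manifest."""
    current = build_manifest(root)
    common = current.keys() & baseline.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
        # Independent of the baseline: PHP under uploads/ is a classic
        # webshell drop point, so report it even if it was already there.
        "php_in_uploads": sorted(
            p for p in current if p.startswith(UPLOADS_PREFIX) and p.endswith(".php")
        ),
    }


def demo() -> dict:
    """Build a constructed mini WordPress tree, baseline it, tamper, re-check."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as store:
        root = Path(webroot)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg stub")

        manifest_path = Path(store) / "baseline.json"  # outside the webroot
        save_manifest(build_manifest(root), manifest_path)

        # Simulated compromise: edited config, dropped PHP file, deleted file.
        with (root / "wp-config.php").open("a") as fh:
            fh.write("// tampered (constructed for the demo)\n")
        (uploads / "shell.php").write_text("<?php /* constructed placeholder */\n")
        (root / "index.php").unlink()

        return compare(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:15s} {paths}")
```

Run it once against a known-clean install to write the baseline, then on a schedule; every plugin update legitimately changes files, so re-baseline immediately after each update or the report becomes noise. A real deployment would also exclude volatile paths such as cache directories and compare against the published WordPress core checksums rather than only a local baseline.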

Lastly, I’m torn on whether to consider their acquisition by Liquid Web a pro or a con. An independent company has no incentive other than to provide great service, and though Liquid Web may provide additional resources to bolster the product, the fact that Liquid Web’s core business isn’t exclusively security means their motives aren’t perfectly aligned.

Sucuri Security
Auditing, Malware Scanner and Security Hardening
URL: https://wordpress.org/plugins/sucuri-scanner/
Active installations: 300k+
Last updated: 1 week ago (2/18/18)
Company: Founded 2010 by Daniel Cid (founder of OSSEC); acquired by GoDaddy on 3/22/17
Price: $199/year

Notable features

Cloud firewall (WAF)
Blacklist monitoring
Malware scanning and unlimited removal
File integrity monitoring
File and data security enhancements

Recommendation

A cloud-based WAF such as Sucuri’s (or Cloudflare’s) sits in front of your server and can actually improve performance by filtering and caching traffic before it reaches your origin. Still, when absolute security is the priority and we must choose between the two, we prefer an endpoint firewall: it inspects requests inside the WordPress process itself, so it cannot be sidestepped by an attacker who discovers the origin server’s real IP address and sends requests to it directly, bypassing the cloud proxy entirely. If you do rely on a cloud WAF, restrict the origin to accept web traffic only from the provider’s published IP ranges. It is, of course, possible to employ both solutions as part of a Defense in Depth strategy, albeit at a higher cost.

All three of these options provide a strong solution for managing security. You’ll have to decide which is right for you depending on your own security strategy, as each satisfies individual requirements slightly differently.

In closing, security plugins represent only one step in a Defense in Depth security strategy. When absolute security is a priority, we recommend combining the most finely tailored solution at each layer where vulnerabilities can arise: hosting, network, application, and the people who administer the site.

Lastly, if you can afford to make some feature concessions and want to combine ultra-high performance and insanely bulletproof security, read our post on Secure, High-Performance, Static WordPress Sites.

If you need reliable WordPress development services, please email us at hello@attck.com or click the “Start Your Project” button below.

Tags: Development