Do you really need a WordPress security plugin?

My personal opinion? Yes and no. Most of them suck. Most of their features suck.

  • They slow down your site.
  • They can’t secure/detect everything.
  • They cost money.
  • They give a false sense of security (BIGGEST OFFENSE).
  • (I’ll also cover which features DON’T suck.)

Don’t worry, I’ll explain.

Introduction to WordPress security

To talk about WordPress security, you have to understand what you’re actually securing your site from! Attacks come in various forms and with different motives behind them. And the attacks target different aspects of your site. Without understanding this, you’ll never know how to secure your website. At best, you’ll be a paranoid web-owner installing every random security option without knowing if it has any impact against what you’re trying to secure!

I could make a full-blown WordPress security guide later, but not today!

Common WordPress attacks (and how they work)

Brute-force

  • Bot trying rapidly trying different passwords on your login page (usually WP-admin).
  • They are a problem even if they can’t get in since their constant effort still overwhelms your server with requests and slow down your website.
  • They can also hammer your XML-RPC protocol on WordPress.

Code injection

  • Using vulnerability in your website software (usually theme/plugins) or server software (operating system, modules) somewhere to inject code into your site.
  • This code can cause unwanted site behavior, typical malware like ads or redirect links to other sites, display prank-style messages.
  • The code is also used to open backdoors and access information in your website and database, stealing sensitive content and passwords. Once they have your passwords, they’ll also try it on other sites…like your email, PayPal, and eBay accounts. (Backdoors are basically files that allow the hacker back into your site even if you correct the original vulnerability.)
  • The code can also change existing data, such as redirect your links to theirs or changing your PayPal address to their account instead.
  • The way these code injections usually get in is from vulnerable code in themes or plugins. This is why it’s important to choose your themes and plugins carefully and to always keep them updated.

DDOS (distributed denial-of-service)

  • Using multiple servers to bring your server down by flooding it with massive requests. They don’t steal any info, they just want to make your site go down.
  • Commonly used against government, religious sites, or business competitors. Also used for targeting individuals/organizations for other personal reasons.

So there you go! So simple, right? Most website attacks generally boil down to those 3 basic categories. And basically, all the attacks are either to 1) gain entry into your site/server, 2) steal sensitive information, 3) alter the site for their own benefit.

The problem with WordPress security plugins

1. They slow down your site.

This should be public enemy #1. Why?! Because many security attacks are very much a performance issue. Look at the TSA lines at the airports. Super long wait times and they almost never ever catch anyone, right?! That’s what you’re doing to your website. Making it slow as heck for the 99.99% of legitimate users that are never going to hack your site. This is terrible UI by design.

The other problem with a security method that slows down your site is that you’re potentially helping some hackers to attack you better. If their main goal is to overwhelm you with requests and you use a plugin that makes your website slower, and requiring more processing time, well guess…now it’s even easier for them to overwhelm your server with DDOS attack!

2. Security plugins can’t secure/detect everything.

Hear me out for a second. Maybe you think because a plugin can detect 98% of the hacks out there, that means it’s 98% effective…well I say “NO!” Here’s why…most people get hacked because of vulnerable themes and plugins. Security plugins CANNOT secure an insecure plugin. Pretend I kept building new room additions to my house but they had insecure windows and doors…well, I could have a security guard walking around the house but it doesn’t mean those windows and doors are now suddenly locked. So yeah…security plugins can’t prevent most attacks!

The hackers will STILL get into your site. Ok fine, but you have a security guard who will get all the junk files out, right? WRONG! Because they can’t detect all the bad guy. So they’ll clean up maybe 98% of them, but the ones still left will KEEP LETTING THEIR FRIENDS BACK IN!

Ok, fine. So how do we completely clean out a site once it’s been hacked? If you want my honest opinion of having personally cleaned hundreds of sites over the years…you have to do it manually. That’s the only way. If you use any automated tool or security service out there…they catch only a chunk of it but still leave some behind. And then it’s up to you to pray that the small chunk left behind isn’t enough to allow the hacker back in. Sure, some services out there guarantee a 100% clean-up and will go in and manually repair your site. It’s a great deal if they actually honor it but how much money have you lost by now?

Just FYI…here’s a common timeline of how sites get hacked.

  1. Theme or plugin has a vulnerability.
  2. Hackers (or their bots) scanning websites eventually find yours and exploits it, creating a hole.
  3. The site is now vulnerable but the hacker doesn’t get to it until a month later. The hacker’s probably busy with hundreds of vulnerable sites around the world; it’ll be a while before he gets to yours.
  4. 2 months hacker finally gets in and starts all kinds of crazy things. Messing with the site and information.
  5. You wake up the next morning and realize something is wrong. You start to fix the damage, usually either by trying a free plugin-scan or asking your “web guy” who will also probably try a free plugin-scan. The problem is your web guy also probably don’t know how he got in. And the access logs that show his traces are already deleted since the system doesn’t save logs past a certain number of hours/days.
  6. From here you take blind guesses. You’ll update plugins, restore from backups. Then you’ll run a security plugin and try scanning to remove all the hack files. The scans complete.
  7. From here you basically pray nothing happens.
  8. A week goes by and then BOOM, you’re hacked again. All the bad files are back and it’s like nothing was ever cleaned. You’re scared as heck. You’ve done everything right and now realize you have no idea how he’s getting in.
  9. Yes, perhaps the vulnerable theme/plugin was patched but he probably left some backdoors in your site to allow himself back in. Your plugins can’t detect them because they’re written to be somewhat unique and not like the common hack scripts out there in the wild.
  10. You get desperate, contact a security expert or ask your security plugin to honor their guarantee. The person does a half-assed job mostly, running a typical scan and looking at only the most common folders and files. The mere $100-200 that you paid them doesn’t cover the hours it takes for them to actually scan every little corner of your site.
  11. You get hacked AGAIN. A 3rd time and again, all the hacks are back! And this time, your security person has the sense to look at the logs and know exactly where the hack is coming from. By now, you’ve been hacked 3 times and lost a time of sleep. Also have pissed off visitors and customers, probably lost a good chunk of revenue as well.

3. Security plugins cost money.

Why does this suck? Well…it’s because it means most of them will be designed and marketing in a way that increases revenue rather than increasing security. Lots of fear-based marketing that prey on ignorant users. And lots of bloated features to justify their cost. The worst part of all is that naive users will stay naive and never learn what it takes to secure their site. They’ll continue to focus on all the wrong things further increasing their trust in all the wrong security measures that don’t actually improve security.

4. Useless feature bloat

This is especially annoying since plugins will try to out-do each other for marketing purposes by loading every possible feature. Even features that are only marginally related to security and really don’t even need to be part of a plugin. Sure, it’s convenient for users but at the same time also confusing and can distract them from the most important security functions.

Common security features (and why they fail)

Let’s go over some common security methods and how they fail against the most common hacks!

  • Firewall blocking malicious traffic – they can only block known malicious traffic. Will they be able to block NEW malicious traffic? Probably not if your server is among the first ones to get hit. But sure, the plugin will probably catch it 3-6 months later when the hack is already outdated and “caught”. By then, the hacker’s already got a new script out.
  • IP blacklist – do you really think any hacker worth his salt would waste his efforts without using a proxy from a “trusted” IP?
  • Malware signature defense – all malware scans are designed to detect PAST malware signatures, not new ones. If a new one is similar enough to an old one, it may be detected. If it’s not, then it won’t!
  • Malware scanner – isn’t this funny? Why the heck does it need to scan if it’s already detecting them? Or the scan is to prevent you from inadvertently putting hack files on your site/server? Again, the malware scanner doesn’t detect everything and not only that but it slows down your server when it runs. How annoying.
  • Brute force protection – limiting login attempts. This one’s good!
  • Enforcing strong passwords – this is silly. You don’t need a plugin for this! Just use strong passwords.
  • Hiding WP-admin login page – this works somewhat in that hackers can’t find your login page to attack it. But it also fails (slowing down your site/server) if the automated bot keeps trying to reach your login page and your 404 page isn’t cached.
  • Checking WP core files – this is a nice feature; making sure your WordPress core files aren’t compromised. It’s nice but at the same time, believe me…it’s obvious when you’re hacked and the moment you realize one is affected, you’ll already know to immediately replace all WP core files. Everybody who’s been hacked knows immediately to check wp-config.php, index.php, functions.php. I can’t think of any hack that doesn’t prioritize these files first!
  • Hack reports – it’s nice because you see how many hacks are thwarted and makes you more aware of how often your site is being hit by bots and hackers. But also over-estimates the plugin’s effectiveness since many of these hackers would have been thwarted by WordPress naturally!
  • Bullshit features – captcha against bots/spammers, logging user actions, forcing SSL, blocking file editing, blocking XML-RPC protocol, removing WordPress site information from the code, changing database prefix. All this junk isn’t specifically-related to WordPress security and doesn’t actually thwart any attacks. They also don’t need a security plugin to implement. They’re a bunch of bloated features to justify the cost of having a security plugin.

Fine, so what’s the best way to secure WordPress?

  1. BACK UP YOUR SITE. So that things can be repaired!
  2. Update your WordPress core, themes, and plugins.
  3. Use only quality themes/plugins. Avoid outdated ones or ones by smaller little-known development teams. Don’t buy themes/plugins illegally or download from unknown sources. Also avoid keeping any unused themes/plugins since they create unnecessary directories for hacks to hide inside and making your job harder when you have to find the hacks.
  4. Use strong passwords. And don’t use the same passwords for your site that you do for email and your PayPal account.
  5. Protect against brute force.
  6. Have some kind of brute force protection on your login page. Block XML-RPC protocol if you don’t use it.
  7. If you’re paranoid, you can install a security plugin that has a malware scanner BUT leave it deactivated. Don’t have it running constantly. And every now and then or when you notice issues with your site, you can run the scanner to see what it finds.
  8. Have a contact for a good server-admin or programmer for when you do get hacked. It will happen eventually and you’ll need someone you can call immediately. Are you really gonna trust your business site to random plugin? It’s much better to trust a live human-being who knows your site and can be made to guarantee their work.
  9. All other common sense applies. Use updated webhost, web-server, PHP, etc.
  10. You can install Cloudflare or Sucuri for extra security at the DNS level. Problem is they only help against DDOS attacks which most of you will never get! DDOS attacks are kind of expensive and usually targeted for very specific purposes.

So does this mean you NEVER use security plugins?

Yeaup, I don’t use ANY security plugins on my site. Again, the reason why these security plugins suck is because:

  • They can’t secure vulnerable themes/plugins. Most of you getting hacked are due to vulnerable code in your themes and plugins. Your best protection against this is not a security plugin but simply to keep your WordPress core, themes, and plugins updated!
  • They can’t detect the newest hacks and attacks. Their system is designed against detecting old ones that are already known and probably not circulating anymore. Don’t be fooled by “this scanner detects 5,000,000 known signatures”…it’s bullshit. Almost all of them are not used anymore. Hackers are always coming up with new hacks to exploit new vulnerabilities! So don’t waste your time with scanners slowing down the server and still not detecting the latest attacks. ARGH, I’m so impatient explaining all this!
  • They slow down your site. How annoying, right? They can’t detect the latest stuff AND they slow down your site? What’s the point anyway?!
  • NOTE: if you get hacked, you’re welcome to run a security plugin just to help repair/remove the most obvious hacked files but you still need to hire a professional to make sure the site is completely secured!

More interesting reads:

I’ll get some more helpful examples soon. Honestly, I think security plugins do almost nothing but slow down your site and give you a checklist of basic “security tips”. I see tons of people still getting hacked with security plugins installed and the ones that don’t get hacked are probably because their site wasn’t vulnerable in the first place.

Latest Guides