***Update 10/18 – after struggling with the fact that all of these security plugins make database changes and obfuscations that are difficult to deem valuable or invaluable, I switched to a host that handles all of the security and backups automatically. And I love it. The best security plugin for your website may be no security plugin. But if you’re looking for one…
You have a website that you contribute a lot of time, energy and persistence to. It’s completely reasonable to want to protect your site with a security plugin of some sort (I’m assuming, anyhow). For instance, since turning off Disqus last week, I’ve had 1,300 spambot registrations to my site. So, you’re naive if you think that people aren’t trying to do something insidious to your site (even if it’s something as seemingly innocuous as a backlink for beautiful brand-name purses).
Two of the most popular security plugins for WordPress are Wordfence Security and iThemes Security, and a cursory search of security plugins on WordPress.org reveals a figurative butt-load of plugins that purport to secure your site. So which should you choose?
You might impulsively choose one, which might not be a bad decision. These plugins aren’t innocuous, though: they make changes to your WordPress database. I didn’t show any discretion about going from security plugin to security plugin to research this piece, and I killed my website with 500 Internal Server Errors as a result (it may have been my most popular post this weekend).
Long story short: before you get a wild hair to try one of these BACK YOUR WEBSITE up now!!!!!
Like I know what I’m talking about
Let’s first talk about what security plugins can and cannot do. Paid or free, security plugins will catch between 70% and 80% of malicious activity on your site (source). Presumably you want a security plugin that has a large user base, since one of the primary sources of information about malicious code for these plugins is the sites they support. A post on WPEngine’s blog (and my own experience) also led me to suspect that you want to be cautious about having multiple plugins performing redundant security functions on your site (source). These are the assumptions that I’m making for the rest of the post.
I don’t have time, depth or the constitution to review all of the security plugins out there, but I picked out a handful of the most popular ones to articulate a rationale for choosing one. That said, I’m going to make a simplistic assumption that most of the arguments for specific security plugins over others are marketing points. If one really speaks to you, then maybe it makes sense to use that one instead of going by my criteria.
To evaluate each plugin, I’m going to ask the same questions: Will it make my site secure? Does it have a notable number of positive reviews? Does it have a differentiating feature from another security plugin that is helpful for me? Does it impact my load time? Does it cost money?
So, let’s evaluate a few of the most popular security plugins against these criteria:
Wordfence Security is one of the most popular security plugins for self-hosted WordPress sites. Its features include real-time blocking of known attackers, a firewall, core file scanning, and caching features. Paid features include two-factor authentication.
You can see from the feedback on WordPress.org that a lot of people use Wordfence and a lot of people are happy with it. So let’s run it through the gauntlet:
Will it make your site secure? 70-80% secure. We’ll make the assumption that popular = better, at least so far as how much information Wordfence has about potential security threats.
Does it have a notable number of positive reviews? Yes (disproportionately favorable). You can see that it also has a good sample of feedback.
Does it have a differentiating feature from another security plugin that is helpful for me? Not really. Queuing and real-time features are differentiating but aren’t especially usable.
Does it impact my load time? In its default setting (with real-time tracking enabled), it slaughters your load time. This is a known problem that Wordfence has copped to in forums. Not that it’s not a cool feature, but it tripled my load time when it was enabled. I tested the speed of the queuing features (using Pingdom’s site speed tools) and found both their top tier queuing feature (Falcon) and their middle tier queuing to be demonstrably slower than W3 Total Cache.
Does it cost money? It is free with additional features such as two-factor authentication for $39 per year (with a sliding volume discount).
One other note. If you are (theoretically) uninstalling Wordfence Security, you will want to go to the settings and click the button that reads “Delete Wordfence tables and data on deactivation.” (source) You read that right: you have to opt-in to have Wordfence delete its data tables from your server. I’ll let you draw your own conclusion about that.
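Since the point above is that a deactivated plugin can leave its tables behind, here is a small check, added here and not code from the post or from any plugin vendor, that takes the output of `SHOW TABLES` and groups every non-core table by the owner tag in its name so leftovers can be reviewed before dropping them. The table names in the sample are constructed, and the `wf`/`itsec` naming is an assumption about how those plugins prefix their tables.

```python
"""Find database tables that do not belong to WordPress core, so tables
left behind by a deactivated plugin can be reviewed and removed.
Added example, not code from the post or from any plugin vendor."""
import re

# WordPress core tables (single-site install), without the site prefix.
WP_CORE_TABLES = {
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy",
    "usermeta", "users",
}


def leftover_tables(table_names, prefix="wp_"):
    """Group non-core tables by the tag that follows the site prefix.

    `table_names` is the output of SHOW TABLES (one name per entry).
    Tables that do not carry `prefix` at all are reported under the key ""
    so they are not silently ignored.
    """
    groups = {}
    for name in table_names:
        if name.startswith(prefix):
            rest = name[len(prefix):]
            if rest in WP_CORE_TABLES:
                continue
            # Plugin tables are usually <prefix><tag><Something>; the leading
            # run of lowercase letters is taken as the owning plugin's tag.
            m = re.match(r"[a-z]+", rest)
            owner = m.group(0) if m else rest
        else:
            owner = ""
        groups.setdefault(owner, []).append(name)
    return groups


def drop_statements(groups, owner):
    """Return DROP TABLE statements for one owner tag, for review before use."""
    return [f"DROP TABLE `{t}`;" for t in groups.get(owner, [])]


# Constructed sample of SHOW TABLES output after deactivating two plugins.
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_termmeta", "wp_terms", "wp_term_relationships",
    "wp_term_taxonomy", "wp_usermeta", "wp_users",
    "wp_wfBlocks", "wp_wfConfig", "wp_wfHits",   # assumed Wordfence naming
    "wp_itsec_log", "wp_itsec_lockouts",         # assumed iThemes naming
]

if __name__ == "__main__":
    for owner, tables in sorted(leftover_tables(SAMPLE_TABLES).items()):
        print(f"{owner or '(no prefix)'}: {', '.join(tables)}")
```

Compare each owner tag against the plugins you still have installed; anything whose plugin is gone is a candidate for the generated DROP statements, after a backup.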
iThemes Security, formerly known as Better WP Security, is another plugin in the same model as Wordfence. It is a free plugin with a subscription-based Pro model. It has a slicker interface than Wordfence, but it is so heavily co-promoted with the robust iThemes offerings that it’s very easy to confuse its features with those of products like their BackupBuddy service. In any event: it’s got a cool interface, about the same number of users as Wordfence, and provides security against attacks.
You can see from the feedback on WordPress.org that almost twice as many people have rated iThemes Security (large sample size) and have very favorable things to say about it. The biggest critiques were related to compatibility issues with W3 Total Cache.
Will it make your site secure? 70-80% secure. We’ll make the Wordfence assumption that popular = better and assume that the wealth of threat data that iThemes gets from its deployments is at least as good and probably better than Wordfence.
Does it have a notable number of positive reviews? Yes. iThemes Security has the best sample size of feedback of any security program, although a disproportionate number of those reviews appear to be for earlier versions of the plugin.
Does it have a differentiating feature from another security plugin that is helpful for me? It has some obscuring capabilities that are very interesting in the hypothetical, although I didn’t run any tests to confirm these.
Does it impact my load time? I found iThemes Security did add a little bit of load time but not demonstrably more for my site.
Does it cost money? It is free with additional features such as two-factor authentication for $80 per year (oddly for two keys).
BulletProof Security is slightly less popular than the other options, but still has a really great sample size of feedback. It appears to work a little differently than the other options; it killed my website numerous times because of compatibility issues with (we theorize) my theme, but their support is so over-the-top outstanding that I bought the premium version of this one and will explain in a little more detail how they helped to troubleshoot my problems quickly and win my loyalty.
You can see from the feedback on WordPress.org that a lot of people like BulletProof, and the resounding strength (besides their perception of security) is the support that they offer. That said, the people behind BulletProof are far on the technical spectrum and a common critique is that they presume a lot of technical knowledge to implement the plugin and navigate through different obstacles. I share from experience that this is more-or-less accurate.
Will it make your site secure? 70-80% secure. Their pool of sites to draw feedback from is smaller, but they claim (and I tend to believe this) that the way their plugin interacts with the site may protect sites a bit differently than the others.
Does it have a notable number of positive reviews? Yes (disproportionately favorable). And nearly 600 critiques is a good sample size to gauge whether people are happy with the plugin.
Does it have a differentiating feature from another security plugin that is helpful for me? BulletProof is transparent about the types of protection they provide (source), which as far as I’m concerned could be written in Greek. The huge advantage of Bulletproof for me is their robust support forums and customer support.
Does it impact my load time? Yes. I’m not going to sugar-coat that I sacrifice a little load time to use this. For an inexplicable reason, it is incompatible with W3 Total Cache and my theme. I am assured this is not the norm, although it does take some doing to incorporate caching plugins with BulletProof.
Does it cost money? It is free with additional features (a separate Pro plugin) for $59.99 (no subscription, usable on multiple owned sites).
So, why did I choose to use BulletProof? There’s probably a cheapskate factor to it, but ultimately I felt that anything I dorked up I could probably fix by referencing the support forums and restoring the backups of my site. Of course, I couldn’t get it going with W3TC and my theme, so I emailed the folks at ait (makers of BulletProof) and here’s what they did:
- asked for temporary administrative access
- did a complete install and troubleshoot
- fixed a couple of things on the server side and with plugin accessibility
- saw that I had a bunch of Wordfence files still in my database and let me know how to fix that
- ended up as perplexed as I did about the conflict
- offered a solution to speed the site up and keep BulletProof running
… all before I logged into the site again. Over the top extraordinary customer service ending with a good solution. For me, the decision to use BulletProof was less about the features and more about my comfort that someone was going to help me keep my site secure in spite of myself.
There are some other solutions out there, but not with the widespread use that these three have. All-In-One WP Security is another popular one that I intended to try, but I cut my losses after BulletProof and figured I’d proved my point.
After my experimentation, I am high on BulletProof for their customer service. I do covet the page speed of Wordfence (non-cached, no live tracking enabled), and I liked the usability of iThemes Security. So, it really boils down to what you’re looking for from the plugin. But for goodness’ sake, back up your website before you install one of these bad boys AND don’t be an idiot like me and vacillate between them. Put a ring on the security solution you choose and stay loyal.
I’m curious to know if you have any experiences with these or any other security plugins, especially if you’ve had some sort of intrusion.