WordPress Security Plugins Revealed

Have you read the forums, Googled for hours, and even received a tip from your brother-in-law about the best WordPress security plugin?

Funny thing, after years of trying and testing virtually every well-rated WordPress security plugin in the repository, I sometimes walk into San Diego WordPress Meetups still feeling uneasy about recommending yet another blog security plugin. The inevitable questions:

“What is the best security plugin?”
“I have a really active blog, what WordPress security plugin would be best to block the spammers?”
“What security plugin is the easiest to install?”
“Are any of the security plugins well supported — what if I need help?”

So I made a promise to myself, “Before I present WordPress security recommendations to another Meetup I’m going to get my facts in writing.”

Over the course of a month or so, I reexamined every active security plugin installed over the past year, then took careful notes as I reinstalled and tested the different plugins and settings on each website.

What most amazed me was how little I fully understood the WordPress security plugins I had been installing. I mean, I’m supposed to be the subject matter expert, as “The Hack Repair Guy.” But as I ran through each plugin and began comparing features I experienced an epiphany.


“There is no best WordPress security plugin.”

 

Each plugin has its own core focus. Some are better at blocking bots, others better at blocking comment spam, and others fit into a category all their own.


“The best security plugin is the plugin that best meets the client’s needs.”

 

In a trial-and-error fashion over the past few years I’ve found some plugins work better with certain types of clients, while others are chosen based on the client’s website security needs. My hope is the chart below will help you decide which is best for you or your client, based on your client’s needs. The plugins I’ll be reviewing are:

 

  • Better WP Security
  • WordFence
  • All in One Security
  • BulletProof Security
  • WordPress Simple Firewall


The WordPress Security Plugins Revealed Chart below is broken out into general categories of features at left: 

  • Post/Registration Related
  • Deny/Accept Login Related
  • Backups Related
  • File Edit/Deny Related 
  • Database Related
  • Logs Related
  • Special/Trademark Features
  • Plugin Author Social Activity
  • Jim Walker’s “In My Humble Opinion”

Each feature implementation was given a rating between zero and two:


0 = Badly, 1 = OK, 2 = Kudos! (or great job!)

 

For example, top left on the chart below you’ll see Better WP Security rated as “2” for the plugin author’s implementation of the “404 Blocking Whitelist” feature.

A “2” essentially means the plugin author did a better than average job in integrating a whitelist against 404 blocking. If you’ve ever been locked out of your WordPress dashboard for no apparent reason while checking for non-existent pages or links, then you’ll know why this can be a worthwhile feature.

 

WordPress Security Plugins Revealed Chart, by Jim Walker, The Hack Repair Guy, HackRepair.com

 

Security Plugins - Post/Registration

How each plugin scores. Keywords: 404, user registration, CAPTCHA, comment blocking.
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
404 Blocking Whitelist21
Block Automated Comment Posting112
Block Repeated 404 Connections11
Comments CAPTCHA or GASP12
Login CAPTCHA or GASP11
Registration CAPTCHA or GASP11

 

Security Plugins - Deny/Accept Login Related

How each plugin scores. Keywords: user login, login blocking
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Adds or Edits .htaccess file | 1 | 1 | 1 | 2 | 1
Add or Edit User Agent Blocking2121
Block 3+ Bad login Attempts | 1 | 1 | 1 | 1 | 1
Block nonexistent User Logins211
Change Login URL (Brute Force Protection)21
Cookie Required to Login11
Email Alert When Admin Logs in11
Enforce/Enable SSL Login11
Force User Logouts After X Minutes11
Two-Factor Authentication1
Login Blocking Blacklist IP1211
Login Blocking Unblock by Email1
Login Blocking Whitelist IP12
Login Deny All Except IP Addresses1
Deny "/?author=1" username searches1

 

Security Plugins - Backups Related

How each plugin scores. Keywords: backups, downloading
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Database Backup Scheduling1
Download/View .htaccess12
Download/View wp-config.php1
Download/View Database1

 

Security Plugins - File Edit/Deny Related

How each plugin scores. Keywords: file editing, editing limits
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Block Executable File Uploads11
Denies Editing .htaccess111
Disable PHP File Editing111
Disable xmlrpc.php File Access211
Limit File Upload Size1

 

Security Plugins - Database Related

How each plugin scores. Keywords: database protection, database naming
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Change Database Prefix12
Limits Plugin Memory Usage1
User Name/Password Checking111

 

Security Plugins - Logs Related

How each plugin scores. Keywords: error logging, logs maintenance.
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Allows Log Clearing (404, lockouts, et al.) | 1 | 1 | 1 | 1 | 1
Logs User Login Times / IP Address21
Logs Bad Logins / 404 Errors / IP Lockouts1111
Maintenance Mode1
Shows Logged In Users11

 

Security Plugins - Special Trademark Features

How each plugin scores. Keywords: Distinguishing features, unique options.
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Check Core Files Against Repository2
Disable WordPress Automatic Updates2
Emails Files Changed List2
Email Security Concerns Daily2
Disable Logins Between X to Y Hour2
Live Traffic Logging2
Internal Malware/Suspicious Code Scan2
Rename Dashboard Login URL2
Page Caching1
Limit Access to Plugin2
Monitor/Report File Changes21

 

Security Plugins - Developer or Support Availability

How active the developer(s) are in the WordPress community, support forum and/or other channels.
Feature | iThemes Security (Chris Wiegman) | WordFence (Mark Maunder) | All-in-One Security (Peter Petreski) | BulletProof Security (Ed Alexander) | WordPress Simple Firewall (Paul Goodchild)
Developer Other WordPress Plugins | Yes | Yes | Yes | No | Yes
Has Active Related Twitter Account | Not Lately | No | No | No | Yes
Active in GitHub | Guy Lives There | No | No | Yes | No
Answers WordPress.org Tickets Within (3) Days | Sometimes | Sometimes | Often | Guy Lives There | Guy Lives and Sleeps there

 

Jim Walker's "In My Humble Opinion"

Just my two cents about each plugin, generally speaking.
Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall
Ease of setup or Complexity (1 = Easy, 5 = Difficult) | 2 | 2 | 4 | 3 | 2
Installation Setup Time (1 = Few Minutes, 5 = Crazy Long Time) | 4 | 2 | 4 | 3 | 3
Likelihood of Causing Downtime Over Time | 3 | 2 | 4 | 3 | 1
Promotion of other Plugins or Services | Excessive | Zero Annoyance | Zero Annoyance | Minor Annoyance | Excessive

 

General Notes

For brevity's sake, the options at left are what I feel are relevant security options, or are features not necessarily included in all similar security plugins. Plugin developers may provide other options not listed here.

Email errors or corrections to: jim@hackrepair.com

The chart above does not discuss paid features. So while these and other plugins have worthwhile paid options to consider, my goal here was to try to keep it simple. Maybe I’ll discuss paid features in part two of this security plugin review.

If you do have questions please feel free to leave your comments below. If you know of a feature I may have missed or notice an error please do contact me. With your comments or questions I’ll strive to make this WordPress security plugin review even better. Enjoy!

 

FAQs:

  1. No, you cannot add the columns to derive which plugin is best.
  2. Blank entries mean feature does not exist in plugin.
  3. Yes, I have a favorite plugin, but I’m not telling… Sherlock the chart above for the answer to that question.
  4. “Likelihood of causing downtime” relates to the likelihood you will lock yourself out of the WordPress dashboard after setting up one of the more advanced features, particularly the renaming of the login page or blocking related features.

 

*This review is 100% affiliate link free. Plugin authors were not asked
to contribute to this review. No monies were paid to write this article.
And a Thank You out to a few folks who helped me in proofreading and editing:
Ador Charming @adorcharm
Devin Walker @innerwebs
Matt Cromwell MattCromwell.com
Table was generated using Tablepress and FooTable Lite plugins.

 

Jim Walker has been a website security expert and website hosting services provider for over 16 years. Living in San Diego, California, his current passion is everything WordPress. He manages HackRepair.com, a malware cleanup and website security services company, and HackGuard.com, a WordPress security and WordPress management service.


Comments

  1. mathetos says

    Excellent piece, really useful! It’s very comprehensive and really detailed. Some of these features I never even think about so it’s cool to see them all side-by-side.
