Have you read the forums, Googled for hours, and even received a tip from your brother-in-law about the best WordPress security plugin?
Funny thing, after years of trying and testing virtually every well-rated WordPress security plugin in the repository, I sometimes walk into San Diego WordPress Meetups still feeling uneasy about recommending yet another blog security plugin. The inevitable questions:
“What is the best security plugin?”
“I have a really active blog, what WordPress security plugin would be best to block the spammers?”
“What security plugin is the easiest to install?”
“Are any of the security plugins well supported? What if I need help?”
So I made a promise to myself, “Before I present WordPress security recommendations to another Meetup I’m going to get my facts in writing.”
Over the course of a month or so, I reexamined every active security plugin installed over the past year, then took careful notes as I reinstalled and tested the different plugins and settings on each website.
What most amazed me was how little I fully understood the WordPress security plugins I had been installing. I mean, I’m supposed to be the subject matter expert, as “The Hack Repair Guy.” But as I ran through each plugin and began comparing features I experienced an epiphany.
“There is no best WordPress security plugin.”
Each plugin has its own core focus. Some are better at blocking bots, others better at blocking comment spam, and others fit into a category all their own.
“The best security plugin is the plugin that best meets the client’s needs.”
By trial and error over the past few years I’ve found that some plugins work better with certain types of clients, while others are chosen based on the client’s website security needs. My hope is that the chart below will help you decide which is best for you or your clients, based on their needs. The plugins I’ll be reviewing are:
- Better WP Security
- WordFence
- All in One Security
- BulletProof Security
- WordPress Simple Firewall
The WordPress Security Plugins Revealed Chart below is broken out into general categories of features at left:
- Post/Registration Related
- Deny/Accept Login Related
- Backups Related
- File Edit/Deny Related
- Database Related
- Logs Related
- Special/Trademark Features
- Plugin Author Social Activity
- Jim Walker’s “In My Humble Opinion”
Each feature implementation was given a rating between zero and two:
0 = Badly, 1 = OK, 2 = Kudos! (or great job!)
For example, top left on the chart below you’ll see Better WP Security rated as “2” for the plugin author’s implementation of the “404 Blocking Whitelist” feature.
A “2” essentially means the plugin author did a better than average job of integrating a whitelist into its 404 blocking. If you’ve ever been locked out of your WordPress dashboard for no apparent reason while checking for non-existent pages or links, then you’ll know why this can be a worthwhile feature.
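To make the lockout problem concrete, here is an added example (my own illustration, not code from any of the plugins reviewed): a minimal "Block Repeated 404 Connections" counter with a "404 Blocking Whitelist", replayed over constructed log lines. The simplified log format (IP, unix timestamp, request, status), the threshold and the window are assumptions.

```python
# Added example, not code from any plugin on this page: a minimal model of
# "Block Repeated 404 Connections" combined with a "404 Blocking Whitelist".
# Log format (IP, unix timestamp, request, status) and thresholds are assumptions.
import re
from collections import defaultdict, deque

LOG_RE = re.compile(r'^(?P<ip>\S+) \[(?P<ts>\d+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$')

class NotFoundBlocker:
    """Lock out an IP after `threshold` 404s inside `window` seconds, unless whitelisted."""

    def __init__(self, threshold=5, window=60, whitelist=()):
        self.threshold = threshold
        self.window = window
        self.whitelist = set(whitelist)
        self.recent = defaultdict(deque)   # ip -> timestamps of its recent 404s
        self.locked = set()

    def observe(self, line):
        m = LOG_RE.match(line)
        if not m:
            return "unparsed"
        ip, ts, status = m["ip"], int(m["ts"]), int(m["status"])
        if ip in self.locked:
            return "locked"                # already locked out: request is denied
        if status != 404 or ip in self.whitelist:
            return "allowed"               # only non-whitelisted 404s are counted
        q = self.recent[ip]
        q.append(ts)
        while ts - q[0] > self.window:     # forget 404s that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked.add(ip)
            return "locked"
        return "counted"

# Constructed sample log: an admin at 203.0.113.10 checking for broken links,
# and an unknown host at 198.51.100.7 repeatedly requesting pages that do not exist.
SAMPLE_LOG = [f'203.0.113.10 [{1000 + i}] "GET /old-post-{i} HTTP/1.1" 404' for i in range(6)] + \
             [f'198.51.100.7 [{1000 + i}] "GET /nonexistent-{i} HTTP/1.1" 404' for i in range(6)]

def run(whitelist=()):
    """Return the set of IPs locked out after replaying SAMPLE_LOG."""
    blocker = NotFoundBlocker(threshold=5, window=60, whitelist=whitelist)
    for line in SAMPLE_LOG:
        blocker.observe(line)
    return blocker.locked

if __name__ == "__main__":
    print("no whitelist:", run())                     # the admin locks themselves out too
    print("with whitelist:", run(["203.0.113.10"]))  # admin spared, the other host still blocked
```

Without the whitelist the admin's own link check trips the same counter as the unknown host, which is exactly the "locked out for no apparent reason" situation described above.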
WordPress Security Plugins Revealed Chart, by Jim Walker, The Hack Repair Guy, HackRepair.com
Security Plugins - Post/Registration
How each plugin scores. Keywords: 404, user registration, CAPTCHA, comment blocking.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| 404 Blocking Whitelist | 2, 1 |
| Block Automated Comment Posting | 1, 1, 2 |
| Block Repeated 404 Connections | 1, 1 |
| Comments CAPTCHA or GASP | 1, 2 |
| Login CAPTCHA or GASP | 1, 1 |
| Registration CAPTCHA or GASP | 1, 1 |
Security Plugins - Deny/Accept Login Related
How each plugin scores. Keywords: user login, login blocking.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| Adds or Edits .htaccess file | 1, 1, 1, 2, 1 |
| Add or Edit User Agent Blocking | 2, 1, 2, 1 |
| Block 3+ Bad Login Attempts | 1, 1, 1, 1, 1 |
| Block Nonexistent User Logins | 2, 1, 1 |
| Change Login URL (Brute Force Protection) | 2, 1 |
| Cookie Required to Login | 1, 1 |
| Email Alert When Admin Logs In | 1, 1 |
| Enforce/Enable SSL Login | 1, 1 |
| Force User Logouts After X Minutes | 1, 1 |
| Login Blocking Blacklist IP | 1, 2, 1, 1 |
| Login Blocking Unblock by Email | 1 |
| Login Blocking Whitelist IP | 1, 2 |
| Login Deny All Except IP Addresses | 1 |
| Deny "/?author=1" Username Searches | 1 |
Security Plugins - Backups Related
How each plugin scores. Keywords: backups, downloading.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| Database Backup Scheduling | 1 |
Security Plugins - File Edit/Deny Related
How each plugin scores. Keywords: file editing, editing limits.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| Block Executable File Uploads | 1, 1 |
| Denies Editing .htaccess | 1, 1, 1 |
| Disable PHP File Editing | 1, 1, 1 |
| Disable xmlrpc.php File Access | 2, 1, 1 |
| Limit File Upload Size | 1 |
Security Plugins - Database Related
How each plugin scores. Keywords: database protection, database naming.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| Change Database Prefix | 1, 2 |
| Limits Plugin Memory Usage | 1 |
| User Name/Password Checking | 1, 1, 1 |
Security Plugins - Logs Related
How each plugin scores. Keywords: error logging, logs maintenance.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| Allows Log Clearing (404, lockouts, et al.) | |
| Logs User Login Times / IP Address | 2, 1 |
| Logs Bad Logins / 404 Errors / IP Lockouts | 1, 1, 1, 1 |
| Shows Logged In Users | 1, 1 |
Security Plugins - Special Trademark Features
How each plugin scores. Keywords: distinguishing features, unique options.

| Feature | Ratings as listed (plugins lacking the feature have no entry) |
| --- | --- |
| Check Core Files Against Repository | 2 |
| Disable WordPress Automatic Updates | 2 |
| Emails Files Changed List | 2 |
| Email Security Concerns Daily | 2 |
| Disable Logins Between X to Y Hour | 2 |
| Live Traffic Logging | 2 |
| Internal Malware/Suspicious Code Scan | 2 |
| Rename Dashboard Login URL | 2 |
| Limit Access to Plugin | 2 |
| Monitor/Report File Changes | 2, 1 |
Security Plugins - Developer or Support Availability
How active the developer(s) are in the WordPress community, support forum and/or other channels.

| | Better WP Security | WordFence | All in One Security | BulletProof Security | WordPress Simple Firewall |
| --- | --- | --- | --- | --- | --- |
| Developer Other WordPress Plugins | Yes | Yes | Yes | No | Yes |
| Has Active Related Twitter Account | Not Lately | No | No | No | Yes |
| Active in GitHub | Guy Lives There | No | No | Yes | No |
| Answers WordPress.org Tickets Within (3) Days | Sometimes | Sometimes | Often | Guy Lives There | Guy Lives and Sleeps There |
Jim Walker's "In My Humble Opinion"
Just my two cents about each plugin, generally speaking.

| | Better WP Security | WordFence | All in One Security | BulletProof Security | WordPress Simple Firewall |
| --- | --- | --- | --- | --- | --- |
| Ease of Setup or Complexity (1 = Easy, 5 = Difficult) | | | | | |
| Installation Setup Time (1 = Few Minutes, 5 = Crazy Long Time) | | | | | |
| Likelihood of Causing Downtime Over Time | 3 | 2 | 4 | 3 | 1 |
| Promotion of Other Plugins or Services | Excessive | Zero Annoyance | Zero Annoyance | Minor Annoyance | Excessive |
For brevity’s sake, the options at left are what I feel are the relevant security options, or are features not necessarily included in all similar security plugins. Plugin developers may provide other options not listed here.
Email errors or corrections to: [email protected]
The chart above does not discuss paid features. So while these and other plugins have worthwhile paid options to consider, my goal here was to try to keep it simple. Maybe I’ll discuss paid features in part two of this security plugin review.
If you do have questions please feel free to leave your comments below. If you know of a feature I may have missed or notice an error please do contact me. With your comments or questions I’ll strive to make this WordPress security plugin review even better. Enjoy!
- No, you cannot add the columns to derive which plugin is best.
- Blank entries mean feature does not exist in plugin.
- Yes, I have a favorite plugin, but I’m not telling… Sherlock the chart above for the answer to that question.
- “Likelihood of causing downtime” relates to the likelihood you will lock yourself out of the WordPress dashboard after setting up one of the more advanced features, particularly the renaming of the login page or blocking related features.
*This review is 100% affiliate link free. Plugin authors were not asked to contribute to this review. No monies were paid to write this article.
And a thank you to a few folks who helped me with proofreading and editing:
Ador Charming @adorcharm
Devin Walker @innerwebs
Matt Cromwell MattCromwell.com
Table was generated using Tablepress and FooTable Lite plugins.