Have you read the forums, Googled for hours, and even received a tip from your brother-in-law about the best WordPress security plugin?
Funny thing, after years of trying and testing virtually every well-rated WordPress security plugin in the repository, I still sometimes walk into San Diego WordPress Meetups feeling uneasy about recommending yet another blog security plugin. The inevitable questions:
“What is the best security plugin?”
“I have a really active blog, what WordPress security plugin would be best to block the spammers?”
“What security plugin is the easiest to install?”
“Are any of the security plugins well supported— what if I need help?”
So I made a promise to myself, “Before I present WordPress security recommendations to another Meetup I’m going to get my facts in writing.”
Over the course of a month or so, I reexamined every active security plugin installed over the past year, then took careful notes as I reinstalled and tested the different plugins and settings on each website.
What most amazed me was how little I fully understood the WordPress security plugins I had been installing. I mean, I’m supposed to be the subject matter expert, as “The Hack Repair Guy.” But as I ran through each plugin and began comparing features I experienced an epiphany.
“There is no best WordPress security plugin.”
Each plugin has its own core focus. Some are better at blocking bots, others better at blocking comment spam, and others fit into a category all their own.
“The best security plugin is the plugin that best meets the client’s needs.”
Through trial and error over the past few years I’ve found that some plugins work better with certain types of clients, while others are chosen based on the client’s website security needs. My hope is that the chart below will help you decide which is best for you or your clients, based on their needs. The plugins I’ll be reviewing are:
- Better WP Security
- WordFence
- All in One Security
- BulletProof Security
- WordPress Simple Firewall
The WordPress Security Plugins Revealed Chart below is broken out into general categories of features at left:
- Post/Registration Related
- Deny/Accept Login Related
- Backups Related
- File Edit/Deny Related
- Database Related
- Logs Related
- Special/Trademark Features
- Plugin Author Social Activity
- Jim Walker’s “In My Humble Opinion”
Each feature implementation was given a rating between zero and two:
0=Badly, 1=OK, 2=Kudos! (or great job!)
For example, top left on the chart below you’ll see Better WP Security rated as “2” for the plugin author’s implementation of the “404 Blocking Whitelist” feature.
A “2” essentially means the plugin author did a better than average job of integrating a whitelist into 404 blocking. 404 blocking treats a run of requests for missing pages from one IP address as a scan and locks that IP out, and checking your own site for broken links produces exactly that pattern. If you’ve ever been locked out of your WordPress dashboard for no apparent reason while checking for non-existent pages or links, you’ll know why being able to whitelist your own IP address (or the paths involved) is a worthwhile feature.
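The lockout described above is easy to reproduce. The following is an added example written for this review, not code from any plugin in the chart: a sliding-window 404 counter with an IP and path whitelist, run over a handful of constructed access-log lines (documentation-range IP addresses, made-up paths and a one-minute window chosen only to keep the example short). The class name, the thresholds and the log format are assumptions for illustration.

```python
# Added illustration of "Block Repeated 404 Connections" paired with a
# "404 Blocking Whitelist". Example code written for this review, not code from
# any plugin reviewed above. Log lines, IP addresses (RFC 5737 documentation
# ranges) and thresholds are constructed for the example.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Enough of the Apache/Nginx "combined" log format to get IP, time, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'


class NotFoundLockout:
    """Lock an IP out once it produces `threshold` 404s inside a sliding window,
    skipping IPs in `allow_ips` (single addresses or CIDRs) and paths that
    start with any prefix in `allow_paths`."""

    def __init__(self, threshold=20, window_seconds=300, lockout_seconds=900,
                 allow_ips=(), allow_paths=()):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.lockout = timedelta(seconds=lockout_seconds)
        self.allow_nets = [ipaddress.ip_network(a, strict=False) for a in allow_ips]
        self.allow_paths = tuple(allow_paths)
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.locked_until = {}           # ip -> datetime the lockout expires

    def _ip_allowed(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allow_nets)

    def _path_allowed(self, path):
        return any(path.startswith(prefix) for prefix in self.allow_paths)

    def process(self, line):
        """Feed one log line; returns 'locked', 'counted', 'ignored' or 'skipped'."""
        m = LOG_RE.match(line)
        if not m:
            return 'skipped'                      # not a request line we understand
        ip, path, status = m['ip'], m['path'], m['status']
        ts = datetime.strptime(m['ts'], TS_FMT)
        if self.is_locked(ip, ts):
            return 'locked'                       # already blocked, nothing to count
        if status != '404' or self._ip_allowed(ip) or self._path_allowed(path):
            return 'ignored'                      # not a 404, or whitelisted
        recent = self.hits[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                      # drop hits outside the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = ts + self.lockout
            recent.clear()
            return 'locked'
        return 'counted'

    def is_locked(self, ip, at):
        return ip in self.locked_until and at < self.locked_until[ip]


def _log(ip, path, status, second):
    # Constructed combined-format line at a fixed date; only the seconds vary.
    return (f'{ip} - - [01/Jan/2014:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 0')


def demo():
    """Run the same traffic through a lockout with and without a whitelist.
    Returns {config: {ip: locked?}} checked one minute into the traffic."""
    admin_ip = '203.0.113.10'     # the site owner checking for broken links
    scanner_ip = '198.51.100.7'   # a bot probing for plugin readme files
    visitor_ip = '192.0.2.44'     # an ordinary browser fetching a missing favicon
    lines = []
    for i in range(6):
        lines.append(_log(admin_ip, f'/old-post-{i}/', 404, i))
        lines.append(_log(scanner_ip, f'/wp-content/plugins/p{i}/readme.txt', 404, i))
    lines.append(_log(visitor_ip, '/favicon.ico', 404, 30))

    configs = {
        'with_whitelist': NotFoundLockout(threshold=5, window_seconds=60, lockout_seconds=600,
                                          allow_ips=[admin_ip], allow_paths=['/favicon.ico']),
        'without_whitelist': NotFoundLockout(threshold=5, window_seconds=60, lockout_seconds=600),
    }
    check_at = datetime(2014, 1, 1, 10, 1, tzinfo=timezone.utc)
    result = {}
    for name, guard in configs.items():
        for line in lines:
            guard.process(line)
        result[name] = {ip: guard.is_locked(ip, check_at)
                        for ip in (admin_ip, scanner_ip, visitor_ip)}
    return result


if __name__ == '__main__':
    for name, locked in demo().items():
        print(name, locked)
```

With the owner's IP whitelisted only the scanner ends up locked out; without it the owner is locked out too, and if the plugin applies that lockout to wp-admin as well as the public pages, that is the dashboard lockout described above. The path whitelist handles browser noise such as a missing favicon without exempting a whole address. One caveat: a whitelist entry for a home or office IP goes stale when the ISP changes that address, so it is worth re-checking after a lockout rather than assuming the entry still matches.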
WordPress Security Plugins Revealed Chart, by Jim Walker, The Hack Repair Guy, HackRepair.com

Scoring: 0=Badly, 1=OK, 2=Kudos! The chart columns, in order, are Better WP Security, WordFence, All in One Security, BulletProof Security and WordPress Simple Firewall. Each feature row lists its scores in chart order with blank cells (feature not in that plugin) omitted, so only a row carrying all five scores maps to the plugins column by column; the text above identifies the 404 Blocking Whitelist “2” as Better WP Security.

| Post/Registration Related | Scores |
|---|---|
| 404 Blocking Whitelist | 2, 1 |
| Block Automated Comment Posting | 1, 1, 2 |
| Block Repeated 404 Connections | 1, 1 |
| Comments CAPTCHA or GASP | 1, 2 |
| Login CAPTCHA or GASP | 1, 1 |
| Registration CAPTCHA or GASP | 1, 1 |

| Deny/Accept Login Related | Scores |
|---|---|
| Adds or Edits .htaccess File | 1, 1, 1, 2, 1 |
| Add or Edit User Agent Blocking | 2, 1, 2, 1 |
| Block 3+ Bad Login Attempts | 1, 1, 1, 1 |
| Block Nonexistent User Logins | 2, 1 |
| Change Login URL (Brute Force Protection) | 2, 1 |
| Cookie Required To Login | 1, 1 |
| Email Alert When User Locked Out | 1, 1, 1, 1, 1 |
| Email Alert When Admin Logs In | 1, 1 |
| Enforce/Enable SSL Login | 1 |
| Force User Logouts After X Minutes | 1 |
| Two-Factor Authentication | 1 |
| Login Blocking Blacklist IP | 1, 2, 1, 1 |
| Login Blocking Unblock By Email | 1 |
| Login Blocking Whitelist IP | 1, 2 |
| Login Deny All Except IP Addresses | 1 |

| Backups Related | Scores |
|---|---|
| Database Backup Scheduling | 1 |
| Download/View .htaccess | 1, 2 |
| Download/View wp-config.php | 1 |
| Download/View Database | 1 |

| File Edit/Deny Related | Scores |
|---|---|
| Block Executable File Uploads | 1 |
| Denies Editing .htaccess | 1, 1, 1 |
| Disable PHP File Editing | 1, 1, 1 |
| Disable xmlrpc.php File Access | 1 |
| Limit File Upload Size | 1 |

| Database Related | Scores |
|---|---|
| Change Database Prefix | 1, 2 |
| Limits Plugin Memory Usage | 1 |
| User Name/Password Checking | 1, 1, 1 |

| Logs Related | Scores |
|---|---|
| Allows Log Clearing (404, lockouts, et al.) | 1, 1, 1, 1, 1 |
| Logs User Login Times / IP Address | 2 |
| Logs Bad Logins/404 Errors/IP Lockouts | 1, 1, 1, 1 |
| Maintenance Mode | 1 |
| Shows Logged In Users | 1 |

| Special/Trademark Features | Scores |
|---|---|
| Check Core Files Against Repository | 2 |
| Disable WordPress Automatic Updates | 2 |
| Emails Files Changed List | 2, 0 |
| Email Security Concerns Daily | 2 |
| Disable Logins Between X to Y Hour | 1 |
| Live Traffic Logging | 2, 1 |
| Internal Malware/Suspicious Code Scan | 2 |
| Monitor/Report File Changes | 2, 1 |
| Plugin Author Social Activity | Better WP Security | WordFence | All in One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Plugin Author | Chris Wiegman | Mark Maunder | Peter Petreski | Ed Alexander | Paul Goodchild |
| Develops Other WordPress Plugins | Yes | Yes | Yes | No | Yes |
| Has Active Related Twitter Account | Not Lately | No | No | No | Yes |
| Active in Github | Guy Lives There | No | No | Yes | No |
| Answers WordPress.org Tickets Within (3) Days | Sometimes | Sometimes | Often | Guy Lives There | Guy Lives And Sleeps There |

| Jim Walker's "In My Humble Opinion" | Better WP Security | WordFence | All in One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Ease of Setup or Complexity (1=Easy to 5=Difficult) | 2 | 2 | 4 | 3 | 2 |
| Installation Setup Time (1=Few Minutes to 5=Crazy Long Time) | 2 | 2 | 4 | 3 | 3 |
| Likelihood of Causing Downtime Over Time | 3 | 2 | 4 | 3 | 1 |
| Promotion of Other Plugins or Services | Excessive | Zero Annoyance | Zero Annoyance | Minor Annoyance | Excessive |
General Notes: For brevity’s sake, the options listed are what I feel are the relevant security options, or features not necessarily included in all similar security plugins. Plugin developers may provide other options not listed here.
Email errors or corrections to: [email protected]
*This review is 100% affiliate link free. Plugin authors were not asked to contribute to this review. No monies were paid to write this article.
The chart above does not discuss paid features. So while these and other plugins have worthwhile paid options to consider, my goal here was to keep it simple. Maybe I’ll discuss paid features in part two of this security plugin review.
If you do have questions please feel free to leave your comments below. If you know of a feature I may have missed or notice an error please do contact me. With your comments or questions I’ll strive to make this WordPress security plugin review even better. Enjoy!
FAQs:
- No, you cannot add the columns to derive which plugin is best.
- Blank entries mean the feature does not exist in that plugin.
- Yes, I have a favorite plugin, but I’m not telling… Sherlock the chart above for the answer to that question.
- “Likelihood of causing downtime” relates to the likelihood you will lock yourself out of the WordPress dashboard after setting up one of the more advanced features, particularly the renaming of the login page or blocking related features.
And a Thank You out to a few folks who helped me in proof reading and editing:
Ador Charming @adorcharm
Devin Walker @innerwebs