Have you read the forums, Googled for hours, and even received a tip from your brother-in-law about the best WordPress security plugin?
Funny thing: after years of trying and testing virtually every well-rated WordPress security plugin in the repository, I sometimes walk into San Diego WordPress Meetups still feeling uneasy about recommending yet another blog security plugin. The inevitable questions:
“What is the best security plugin?”
“I have a really active blog, what WordPress security plugin would be best to block the spammers?”
“What security plugin is the easiest to install?”
“Are any of the security plugins well supported? What if I need help?”
So I made a promise to myself, “Before I present WordPress security recommendations to another Meetup I’m going to get my facts in writing.”
Over the course of a month or so, I reexamined every active security plugin installed over the past year, then took careful notes as I reinstalled and tested the different plugins and settings on each website.
What most amazed me was how little I fully understood the WordPress security plugins I had been installing. I mean, I’m supposed to be the subject matter expert, as “The Hack Repair Guy.” But as I ran through each plugin and began comparing features I experienced an epiphany.
“There is no best WordPress security plugin.”
Each plugin has its own core focus. Some are better at blocking bots, others better at blocking comment spam, and others fit into a category all their own.
“The best security plugin is the plugin that best meets the client’s needs.”
In a trial-and-error fashion over the past few years I’ve found some plugins work better with certain types of clients, while others are chosen based on the client’s website security needs. My hope is that the chart below will help you decide which is best for you or your clients, based on their needs. The plugins I’ll be reviewing are:
- Better WP Security
- WordFence
- All in One Security
- BulletProof Security
- WordPress Simple Firewall
The WordPress Security Plugins Revealed Chart below is broken out into general categories of features at left:
- Post/Registration Related
- Deny/Accept Login Related
- Backups Related
- File Edit/Deny Related
- Database Related
- Logs Related
- Special/Trademark Features
- Plugin Author Social Activity
- Jim Walker’s “In My Humble Opinion”
Each feature implementation was given a rating between zero and two:
0=Badly, 1=OK, 2=Kudos! (or great job!)
For example, top left on the chart below you’ll see Better WP Security rated as “2” for the plugin author’s implementation of the “404 Blocking Whitelist” feature.
A “2” essentially means the plugin author did a better than average job in integrating a whitelist against 404 blocking. If you’ve ever been locked out of your WordPress dashboard for no apparent reason while checking for non-existent pages or links, then you’ll know why this can be a worthwhile feature.
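As an added illustration (not from the original article or from any of the reviewed plugins), here is the kind of logic behind repeated-404 blocking with a whitelist, in Python over constructed access-log lines; the threshold of three 404s, the five-minute window and all IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not real traffic).
# 192.0.2.44 spreads its 404s over nine minutes, 198.51.100.9 probes fast,
# 203.0.113.7 is the site owner chasing broken links from the dashboard.
SAMPLE_LOG = """\
192.0.2.44 - - [10/Oct/2013:13:50:00 -0700] "GET /a HTTP/1.1" 404 211 "-" "curl/7.30"
203.0.113.7 - - [10/Oct/2013:13:55:36 -0700] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2013:13:55:40 -0700] "GET /old-post/ HTTP/1.1" 404 211 "-" "scanner/1.0"
198.51.100.9 - - [10/Oct/2013:13:55:41 -0700] "GET /backup.zip HTTP/1.1" 404 211 "-" "scanner/1.0"
198.51.100.9 - - [10/Oct/2013:13:55:42 -0700] "GET /wp-config.php.bak HTTP/1.1" 404 211 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2013:13:56:01 -0700] "GET /typo-link-1/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:02 -0700] "GET /typo-link-2/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:56:03 -0700] "GET /typo-link-3/ HTTP/1.1" 404 211 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2013:13:59:30 -0700] "GET /b HTTP/1.1" 404 211 "-" "curl/7.30"
192.0.2.44 - - [10/Oct/2013:13:59:31 -0700] "GET /c HTTP/1.1" 404 211 "-" "curl/7.30"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_404_lockouts(lines, whitelist, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: time_of_lockout} for IPs that produce `threshold` 404s inside
    `window`. IPs in `whitelist` are never locked out, which is the point of the
    "404 Blocking Whitelist" feature: the owner checking dead links stays in."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent 404s
    lockouts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, _path, status = parsed
        if status != 404 or ip in whitelist or ip in lockouts:
            continue
        q = recent[ip]
        q.append(when)
        while q and when - q[0] > window:  # forget 404s older than the window
            q.popleft()
        if len(q) >= threshold:
            lockouts[ip] = when
    return lockouts

if __name__ == "__main__":
    print(find_404_lockouts(SAMPLE_LOG.splitlines(), whitelist={"203.0.113.7"}))
```

Run it with an empty whitelist and the owner's own typo-chasing at 13:56 is what gets locked out, which is the "no apparent reason" lockout described above.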
WordPress Security Plugins Revealed Chart, by Jim Walker, The Hack Repair Guy, HackRepair.com

Columns, left to right: Better WP Security | WordFence | All in One Security | BulletProof Security | WordPress Simple Firewall

Ratings in each row are listed in that column order. Blank cells (feature absent from that plugin) are not reproduced, so a row with fewer than five ratings cannot be mapped back to individual plugins.

Post/Registration Related
| 404 Blocking Whitelist | 2 | 1 |
| Block Automated Comment Posting | 1 | 1 | 2 |
| Block Repeated 404 Connections | 1 | 1 |
| Comments CAPTCHA or GASP | 1 | 2 |
| Login CAPTCHA or GASP | 1 | 1 |
| Registration CAPTCHA or GASP | 1 | 1 |

Deny/Accept Login Related
| Adds or Edits .htaccess file | 1 | 1 | 1 | 2 | 1 |
| Add or Edit User Agent Blocking | 2 | 1 | 2 | 1 |
| Block 3+ Bad Login Attempts | 1 | 1 | 1 | 1 |
| Block Nonexistent User Logins | 2 | 1 |
| Change Login URL (Brute Force Protection) | 2 | 1 |
| Cookie Required To Login | 1 | 1 |
| Email Alert When User Locked Out | 1 | 1 | 1 | 1 | 1 |
| Email Alert When Admin Logs In | 1 | 1 |
| Force User Logouts After X Minutes | 1 |
| Unblock By Email | (ratings not legible) |
| Login Deny All Except IP Addresses | 1 |

Backups Related
| Database Backup Scheduling | 1 |

File Edit/Deny Related
| Block Executable File Uploads | 1 |
| Disable PHP File (label cut off) | 1 | 1 | 1 |
| xmlrpc.php File Access | (ratings not legible) |
| Limit File Upload Size | 1 |

Database Related and Logs Related
| Change Database Prefix | 1 | 2 |
| Limits Plugin Memory Usage | 1 |
| User Name/Password Checking | 1 | 1 | 1 |
| Allows Log Clearing (404, lockouts, et al.) | 1 | 1 | 1 | 1 | 1 |
| Logs User Login Times / IP Address | 2 |
| Logs Bad Logins/404 Errors/IP Lockouts | 1 | 1 | 1 | 1 |
| Maintenance Mode | 1 |
| Shows Logged In Users | 1 |

Special / Trademark Features
| Check Core Files Against Repository | 2 |
| Disable WordPress Automatic Updates | 2 |
| Emails Files Changed List | 2 | 0 |
| Email Security Concerns Daily | 2 |
| Disable Logins Between X to Y Hour | 1 |
| Live Traffic Logging | 2 | 1 |
| Internal Malware/Suspicious Code Scan | 2 |
| Monitor/Report File Changes | 2 | 1 |

Plugin Author Social Activity
| Develops Other WordPress Plugins | Yes | Yes | Yes | No | Yes |
| Has Active Related Twitter Account | Not Lately | No | No | No | Yes |
| Active in Github | Guy Lives There | No | No | Yes | No |
| Answers WordPress.org Tickets Within (3) Days | Sometimes | Sometimes | Often | Guy Lives There | Guy Lives And Sleeps |

Jim Walker's "In My Humble Opinion"
| Ease of Setup or Complexity (1=Easy to 5=Difficult) | 2 | 2 | 4 | 3 | 2 |
| Installation Setup Time (1=Few Minutes to 5=Crazy Long Time) | 2 | 2 | 4 | 3 | 3 |
| Likelihood Of Causing Downtime Over Time | 3 | 2 | 4 | 3 | 1 |
| Promotion of Other Plugins or Services | Excessive | Zero Annoyance | Zero Annoyance | Minor Annoyance | Excessive |

For brevity's sake, the options at left are what I feel are relevant security options, or features not necessarily included in all similar security plugins. Plugin developers may provide other options not listed here.
Email errors or corrections to: [email protected]
*This review is 100% affiliate link free. Plugin authors were not asked to contribute to this review. No monies were paid to write this article.
The chart above does not discuss paid features. So while these and other plugins have worthwhile paid options to consider, my goal here was to try to keep it simple. Maybe I’ll discuss paid features in part two of this security plugin review.
If you do have questions, please feel free to leave your comments below. If you know of a feature I may have missed or notice an error, please do contact me. With your comments or questions I’ll strive to make this WordPress security plugin review even better. Enjoy!
- No, you cannot add the columns to derive which plugin is best.
- Blank entries mean feature does not exist in plugin.
- Yes, I have a favorite plugin, but I’m not telling… Sherlock the chart above for the answer to that question.
- “Likelihood of causing downtime” relates to the likelihood you will lock yourself out of the WordPress dashboard after setting up one of the more advanced features, particularly the renaming of the login page or blocking related features.
And a Thank You out to a few folks who helped me with proofreading and editing:
Ador Charming @adorcharm
Devin Walker @innerwebs