Have you read the forums, Googled for hours, and even received a tip from your brother-in-law about the best WordPress security plugin?
Funny thing: after years of trying and testing virtually every well-rated WordPress security plugin in the repository, I sometimes walk into San Diego WordPress Meetups still feeling uneasy about recommending yet another blog security plugin. The inevitable questions:
“What is the best security plugin?”
“I have a really active blog, what WordPress security plugin would be best to block the spammers?”
“What security plugin is the easiest to install?”
“Are any of the security plugins well supported? What if I need help?”
So I made a promise to myself, “Before I present WordPress security recommendations to another Meetup I’m going to get my facts in writing.”
Over the course of a month or so, I reexamined every active security plugin installed over the past year, then took careful notes as I reinstalled and tested the different plugins and settings on each website.
What most amazed me was how little I fully understood the WordPress security plugins I had been installing. I mean, I’m supposed to be the subject matter expert, as “The Hack Repair Guy.” But as I ran through each plugin and began comparing features I experienced an epiphany.
“There is no best WordPress security plugin.”
Each plugin has its own core focus. Some are better at blocking bots, others better at blocking comment spam, and others fit into a category all their own.
“The best security plugin is the plugin that best meets the client’s needs.”
In a trial-and-error fashion over the past few years I’ve found that some plugins work better with certain types of clients, while others are chosen based on the client’s website security needs. My hope is that the chart below will help you decide which is best for you or your clients, based on their needs. The plugins I’ll be reviewing are:
- Better WP Security
- WordFence
- All in One Security
- BulletProof Security
- WordPress Simple Firewall
The WordPress Security Plugins Revealed Chart below is broken out into general categories of features at left:
- Post/Registration Related
- Deny/Accept Login Related
- Backups Related
- File Edit/Deny Related
- Database Related
- Logs Related
- Special/Trademark Features
- Plugin Author Social Activity
- Jim Walker’s “In My Humble Opinion”
Each feature implementation was given a rating between zero and two:
0 = Badly, 1 = OK, 2 = Kudos! (great job!)
For example, top left on the chart below you’ll see Better WP Security rated as “2” for the plugin author’s implementation of the “404 Blocking Whitelist” feature.
A “2” essentially means the plugin author did a better than average job of integrating a whitelist into the 404 blocking feature. If you’ve ever been locked out of your WordPress dashboard for no apparent reason while checking for non-existent pages or links, you’ll know why this can be a worthwhile feature: the lockout counts your own 404s just like a scanner’s, and the whitelist is what keeps your IP address from being counted.
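As an added illustration (not code from this post or from any of the plugins reviewed), here is a simulation of the 404-lockout logic the whitelist guards against: repeated 404s from one IP address inside a time window trigger a lockout, while a whitelisted IP, such as the site owner checking broken links, is never counted. The IP addresses, threshold, window and request log are all constructed.

```python
from collections import defaultdict, deque

# Constructed sample of (seconds, client_ip, http_status) request events,
# standing in for what a plugin would see on each WordPress request.
SAMPLE_REQUESTS = [
    (0, "203.0.113.9", 404),     # scanner probing for files that do not exist
    (1, "203.0.113.9", 404),
    (2, "203.0.113.9", 404),
    (5, "198.51.100.7", 404),    # site owner clicking through stale links
    (6, "198.51.100.7", 404),
    (7, "198.51.100.7", 404),
    (10, "192.0.2.5", 404),      # occasional 404s spread across the window
    (210, "192.0.2.5", 404),
    (410, "192.0.2.5", 404),
]


class FourOhFourBlocker:
    """Lock out an IP that produces `threshold` 404s within `window` seconds,
    unless the IP is on the whitelist (the feature the chart rates)."""

    def __init__(self, threshold=3, window=300, whitelist=()):
        self.threshold = threshold
        self.window = window
        self.whitelist = set(whitelist)
        self.hits = defaultdict(deque)   # ip -> timestamps of recent 404s
        self.locked = {}                 # ip -> time the lockout began

    def observe(self, ts, ip, status):
        """Record one request; return True if the IP is locked out afterwards."""
        if ip in self.whitelist:         # whitelisted IPs are never counted
            return False
        if status == 404:
            q = self.hits[ip]
            q.append(ts)
            while q and ts - q[0] > self.window:   # age out hits past the window
                q.popleft()
            if len(q) >= self.threshold and ip not in self.locked:
                self.locked[ip] = ts
        return ip in self.locked


def replay(requests, whitelist=()):
    """Replay the events through a blocker and return the locked-out IPs."""
    blocker = FourOhFourBlocker(whitelist=whitelist)
    for ts, ip, status in requests:
        blocker.observe(ts, ip, status)
    return sorted(blocker.locked)
```

Without a whitelist the owner is locked out alongside the scanner; with the owner’s IP whitelisted only the scanner is, and the sparse third IP never reaches the threshold because its old hits age out of the window.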
WordPress Security Plugins Revealed Chart, by Jim Walker, The Hack Repair Guy, HackRepair.com
Security Plugins - Post/Registration
How each plugin scores. Keywords: 404, user registration, CAPTCHA, comment blocking.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| 404 Blocking Whitelist | 2 | 1 | | | |
| Block Automated Comment Posting | 1 | 1 | 2 | | |
| Block Repeated 404 Connections | 1 | 1 | | | |
| Comments CAPTCHA or GASP | 1 | 2 | | | |
| Login CAPTCHA or GASP | 1 | 1 | | | |
| Registration CAPTCHA or GASP | 1 | 1 | | | |
Security Plugins - Deny/Accept Login Related
How each plugin scores. Keywords: user login, login blocking.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Adds or Edits .htaccess file | 1 | 1 | 1 | 2 | 1 |
| Add or Edit User Agent Blocking | 2 | 1 | 2 | 1 | |
| Block 3+ Bad Login Attempts | 1 | 1 | 1 | 1 | 1 |
| Block Nonexistent User Logins | 2 | 1 | 1 | | |
| Change Login URL (Brute Force Protection) | 2 | 1 | | | |
| Cookie Required to Login | 1 | 1 | | | |
| Email Alert When Admin Logs In | 1 | 1 | | | |
| Enforce/Enable SSL Login | 1 | 1 | | | |
| Force User Logouts After X Minutes | 1 | 1 | | | |
| Two-Factor Authentication | 1 | | | | |
| Login Blocking Blacklist IP | 1 | 2 | 1 | 1 | |
| Login Blocking Unblock by Email | 1 | | | | |
| Login Blocking Whitelist IP | 1 | 2 | | | |
| Login Deny All Except IP Addresses | 1 | | | | |
| Deny "/?author=1" Username Searches | 1 | | | | |
Security Plugins - Backups Related
How each plugin scores. Keywords: backups, downloading.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Database Backup Scheduling | 1 | | | | |
| Download/View .htaccess | 1 | 2 | | | |
| Download/View wp-config.php | 1 | | | | |
| Download/View Database | 1 | | | | |
Security Plugins - File Edit/Deny Related
How each plugin scores. Keywords: file editing, editing limits.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Block Executable File Uploads | 1 | 1 | | | |
| Denies Editing .htaccess | 1 | 1 | 1 | | |
| Disable PHP File Editing | 1 | 1 | 1 | | |
| Disable xmlrpc.php File Access | 2 | 1 | 1 | | |
| Limit File Upload Size | 1 | | | | |
Security Plugins - Database Related
How each plugin scores. Keywords: database protection, database naming.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Change Database Prefix | 1 | 2 | | | |
| Limits Plugin Memory Usage | 1 | | | | |
| User Name/Password Checking | 1 | 1 | 1 | | |
Security Plugins - Logs Related
How each plugin scores. Keywords: error logging, logs maintenance.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Allows Log Clearing (404, lockouts, et al.) | 1 | 1 | 1 | 1 | 1 |
| Logs User Login Times / IP Address | 2 | 1 | | | |
| Logs Bad Logins / 404 Errors / IP Lockouts | 1 | 1 | 1 | 1 | |
| Maintenance Mode | 1 | | | | |
| Shows Logged In Users | 1 | 1 | | | |
Security Plugins - Special Trademark Features
How each plugin scores. Keywords: distinguishing features, unique options.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Check Core Files Against Repository | 2 | | | | |
| Disable WordPress Automatic Updates | 2 | | | | |
| Emails Files Changed List | 2 | | | | |
| Email Security Concerns Daily | 2 | | | | |
| Disable Logins Between X to Y Hour | 2 | | | | |
| Live Traffic Logging | 2 | | | | |
| Internal Malware/Suspicious Code Scan | 2 | | | | |
| Rename Dashboard Login URL | 2 | | | | |
| Page Caching | 1 | | | | |
| Limit Access to Plugin | 2 | | | | |
| Monitor/Report File Changes | 2 | 1 | | | |
Security Plugins - Developer or Support Availability
How active the developer(s) are in the WordPress community, support forum and/or other channels.

| Feature | iThemes Security (Chris Wiegman) | WordFence (Mark Maunder) | All-in-One Security (Peter Petreski) | BulletProof Security (Ed Alexander) | WordPress Simple Firewall (Paul Goodchild) |
|---|---|---|---|---|---|
| Developer of Other WordPress Plugins | Yes | Yes | Yes | No | Yes |
| Has Active Related Twitter Account | Not Lately | No | No | No | Yes |
| Active on GitHub | Guy Lives There | No | No | Yes | No |
| Answers WordPress.org Tickets Within (3) Days | Sometimes | Sometimes | Often | Guy Lives There | Guy Lives and Sleeps There |
Jim Walker’s “In My Humble Opinion”
Just my two cents about each plugin, generally speaking.

| Feature | iThemes Security | WordFence | All-in-One Security | BulletProof Security | WordPress Simple Firewall |
|---|---|---|---|---|---|
| Ease of Setup or Complexity (1 = Easy, 5 = Difficult) | 2 | 2 | 4 | 3 | 2 |
| Installation Setup Time (1 = Few Minutes, 5 = Crazy Long Time) | 4 | 2 | 4 | 3 | 3 |
| Likelihood of Causing Downtime Over Time | 3 | 2 | 4 | 3 | 1 |
| Promotion of Other Plugins or Services | Excessive | Zero Annoyance | Zero Annoyance | Minor Annoyance | Excessive |
General Notes
For brevity’s sake, the options at left are what I feel are the relevant security options, or features not necessarily included in all similar security plugins. Plugin developers may provide other options not listed here.
The chart above does not discuss paid features. So while these and other plugins have worthwhile paid options to consider, my goal here was to try to keep it simple. Maybe I’ll discuss paid features in part two of this security plugin review.
If you do have questions please feel free to leave your comments below. If you know of a feature I may have missed or notice an error please do contact me. With your comments or questions I’ll strive to make this WordPress security plugin review even better. Enjoy!
FAQs:
- No, you cannot add the columns to derive which plugin is best.
- Blank entries mean the feature does not exist in that plugin.
- Yes, I have a favorite plugin, but I’m not telling… Sherlock the chart above for the answer to that question.
- “Likelihood of causing downtime” relates to the likelihood you will lock yourself out of the WordPress dashboard after setting up one of the more advanced features, particularly the renaming of the login page or blocking related features.
*This review is 100% affiliate-link free. Plugin authors were not asked to contribute to this review. No monies were paid to write this article.
And a thank you to a few folks who helped me with proofreading and editing:
- Ador Charming @adorcharm
- Devin Walker @innerwebs
- Matt Cromwell MattCromwell.com
Table was generated using Tablepress and FooTable plugins.
3 Comments
Ray Boller says
Excellent article. Thanks for all the great resources.
I want to add one more good security plugin, the user activity logging plugin. It is very useful for monitoring and tracking all activities that occur on the administrator’s side.
Geoffrey says
Wonderful points altogether, you just won a brand new reader.
mathetos says
Excellent piece, really useful! It’s very comprehensive and really detailed. Some of these features I never even think about so it’s cool to see them all side-by-side.