WordPress Security Plugins

Some people use one of these “security plugins” for WordPress:

The way these work is to block some “visits” to your site — that’s their whole purpose. But if the plugin makes any mistake, it will block people who should have been allowed.

We receive a relatively high number of complaints from our customers who have been blocked from their own sites by these plugins or had other trouble. We’ve seen each of these things happen as a result of these plugins:

  • showing an incorrect 404 or 403 error
  • showing an incorrect blank white page
  • showing a page that contains only the word “error”, or only the words “Not available.”
  • redirecting you to the invalid address “http://127.0.0.1”
  • blocking image loading so the page contains text but no images
  • showing worrying “warnings” about things that are actually common and harmless
  • preventing uploads of anything except very small files
  • scheduled tasks (like publishing a scheduled post) not working
  • starting unexpected or unnecessarily frequent backups that run every few minutes and use large amounts of disk space
  • redirecting your SSL pages to non-SSL versions
  • extremely high CPU usage as the plugins, particularly Wordfence, needlessly “scan” gigabytes of images, backups, and other files that are very unlikely to contain malware

Given the trouble they cause, we don’t think these kinds of plugins are necessary on a regularly updated WordPress site that uses strong passwords. Almost all of the infected WordPress sites we come across are due to out-of-date software, with the second most common problem being a weak password that was easily stolen from another service or guessed within a few tries; they’re not caused by attacks these plugins would have blocked. (The main useful thing these plugins could theoretically do is block people trying to repeatedly guess your WordPress administrator password if it was a very weak password, but our hosting service already does that for all WordPress sites.)

So what security plugin should I use?

We use only one “security” plugin on our own blog. It provides two factor authentication, which prevents “hackers” from logging in even if they somehow steal or guess a WordPress password.

We used to recommend a second plugin that automatically updates plugins and themes, but WordPress 5.5 and later has this feature built-in, so we simply enable automatic updates for all the plugins and themes we use:

WordPress plugin automatic updates
WordPress theme automatic updates

As we mentioned above, the vast majority of security problems we see with WordPress result from weak/stolen passwords and out-of-date plugins. The two factor authentication plugin, plus automatic updates, directly address both problems.

We host thousands of WordPress sites, and one thing it’s taught us is that automatic plugin updates and strong passwords provide many times the practical security protection of any of the other plugins mentioned at the top of this page.