WordPress Security Plugins

Some people use one of these “security plugins” for WordPress:

The way these work is to block some “visits” to your site — that’s their whole purpose. But if the plugin makes any mistake, it will block people who should have been allowed.

We receive a relatively high number of complaints from our customers who have been blocked from their own sites by these plugins or had other trouble, with symptoms including:

  • showing an incorrect 404 or 403 error
  • showing an incorrect blank white page
  • blocking image loading so the page contains text but no images
  • showing a page that contains only the word “error”, or only the words “Not available.”
  • scheduled tasks (like publishing a scheduled post) not working
  • starting unexpected or unnecessarily frequent backups that run every few minutes and use large amounts of disk space
  • showing “warnings” about things that are actually routine and harmless
  • redirecting your SSL pages to non-SSL versions
  • extremely high CPU usage as the plugins, particularly Wordfence, needlessly “scan” gigabytes of images, backups, and other files that are very unlikely to contain malware

Given the trouble they cause, we don’t think these kinds of plugins are necessary on a regularly updated WordPress site that uses strong passwords. Almost all of the infected WordPress sites we come across are due to out-of-date software, with the second most common problem being a weak password that was easily guessed within a few tries; they’re not caused by attacks these plugins would have blocked. (The main useful thing these plugins would do is block people trying to repeatedly guess your WordPress administrator password if it was a very weak password, but our hosting service already does that for all WordPress sites.)

So what security plugin should I use?

We use only two “security” plugins on our own blog.

The first is one that provides two-factor authentication. This prevents “hackers” from logging in even if they somehow steal or guess a WordPress password.

The second automatically updates plugins and themes, in the same way that WordPress automatically updates its own files.

You might think that a plugin to automatically update other plugins isn’t a “security plugin”, but it is. As we mentioned above, the vast majority of security problems we see with WordPress result from weak passwords and out-of-date plugins. These two plugins directly address both problems.
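The automatic-update behaviour described above is built on two filters that WordPress core itself provides; an auto-update plugin typically wraps them. The following must-use plugin is an added example, not code from this page or from any particular plugin, and the filename is a hypothetical choice. It opts every plugin and theme into the background updater and warns an administrator if a wp-config.php constant is silently disabling the updater anyway.

```php
<?php
/**
 * Plugin Name: Auto-update all plugins and themes (example)
 * Description: Opts every installed plugin and theme into WordPress core's
 *              background updater. Place in wp-content/mu-plugins/
 *              (hypothetical filename: auto-update-all.php).
 */

// These are the filters WordPress core documents for opting plugins and
// themes into automatic background updates; returning true enables all.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Two wp-config.php constants disable the background updater entirely,
// regardless of the filters above. Show a warning so the opt-in does not
// give false comfort when one of them is set.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $blockers = array();
    if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
        $blockers[] = 'AUTOMATIC_UPDATER_DISABLED';
    }
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        $blockers[] = 'DISALLOW_FILE_MODS';
    }
    if ( empty( $blockers ) ) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html( 'Automatic plugin/theme updates are disabled by: ' . implode( ', ', $blockers ) )
    );
} );
```

Because it lives in mu-plugins, it cannot itself be deactivated from the admin screens, so the opt-in survives even if someone disables the regular plugins.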

We host thousands of WordPress sites, and one thing it’s taught us is that automatic plugin updates and strong passwords provide many times the practical security protection of any of the other plugins mentioned at the top of this page.