Understanding the WordPress Security Plugins Ecosystem

Last updated on December 06th, 2014 by Robert Abela. Filed under WordPress Security Plugins

Which WordPress security plugin should I install? Or how many do I need? Before you answer these questions you should first understand the concepts of WordPress security and the scope and role of each WordPress security plugin.

While browsing and participating in several WordPress security groups and discussions on different social media outlets, I cannot help but notice that many fail to understand the scope of WordPress security plugins and the role they play in the security ecosystem of a WordPress installation. Many have the impression that they can install a WordPress security plugin and forget about WordPress security. Many others think that the more security plugins they install, the more secure WordPress will be and the more difficult it will be for an attacker to break in.

There is a lot of misunderstanding when it comes to WordPress security plugins and WordPress security. In this article we look into what the problem is and why there is such a misunderstanding. We also look into the different types of WordPress security plugins available, explain the role and scope of each type and, of course, give our recommendations.

The Problem with WordPress Security Plugins

The WordPress Community

Without wanting to, the WordPress community is harming its own reputation when it comes to WordPress security. WordPress is easy to use and many are led to believe that everything that revolves around WordPress is so. Therefore, the assumption goes, when it comes to WordPress security you just install a plugin and your website is secure. I have seen many WordPress developers, designers and consultants asking where to start when securing their customers’ websites. A typical question that always pops up in WordPress security groups is “I have to secure my customer’s website. From where should I start? Which plugins do you recommend?”

If you are asking such a question, the task is not for you to handle: you are providing a service that you are not qualified for. WordPress security, or any other type of security, is not only about installing something or tweaking some parameters. If you do not understand this concept, or if you have no idea which WordPress security plugins are available on the market, I am sorry to say, but you cannot and should not provide a security solution. By doing so you are damaging the community’s and WordPress’ reputation, because the day the customer’s site is hacked, WordPress gets the blame. No wonder many think that WordPress is not secure.

The Marketing of WordPress Security Plugins

The marketing tactics used to promote most of the WordPress security plugins available on the market today are not helping the situation either. WordPress users are used to the “everything is easy to use” concept, and many WordPress security plugin developers are taking advantage of this and promoting their plugin as the must-have, easy-to-use security plugin, the plugin that will solve all your WordPress security headaches. Many WordPress users do not have the time to look into what solutions are available and why there are so many different solutions. They do not have the knowledge and do not understand the whys and whats of WordPress security, hence they find the most popular plugin, install it, and think that the job is done.

The Concepts of WordPress Security and Plugins

When it comes to plugins, the concept of WordPress security is very simple. To start off with, there is no one-stop shop, solution or plugin when it comes to security. There is no perfect plugin that covers all aspects of security, and there never will be. You need to use a variety of plugins and take the best of each to:

  1. Harden the security of WordPress
  2. Protect WordPress from external attacks
  3. Monitor and keep an audit log of everything that is happening on WordPress

Once you understand these concepts, you are better equipped to choose the right WordPress security plugins for your WordPress and to ensure that you are closing down almost every entry point typically exploited by malicious attackers.

Note: This article is only tackling the part of WordPress security that is covered by WordPress security plugins. There is much more to WordPress security but that is out of the scope of this article.

The Hardening WordPress Security Plugins

These are the old school WordPress security plugins, those which made it first to the WordPress repository, such as iThemes Security and Wordfence. This type of plugin can be used to automate the process of renaming the WordPress database table prefix, changing the ID of the WordPress administrator, renaming the default WordPress administrator account, changing the WordPress login page URL and doing other similar tasks.

Therefore these plugins do not protect your WordPress against malicious attacks such as the exploitation of known vulnerabilities in plugins; instead they help you address issues which can typically be considered users’ shortcomings that hackers take advantage of. These plugins also come in very handy if your WordPress is hacked. If you use all of their tweaks and configure them correctly, and a hacker still manages to break into your website, it is harder for the attacker to move further into the website, thus containing the attack and reducing the damage the attacker could have done.

Most of these plugins now also have an inbuilt firewall, so they are not just about hardening your WordPress, as explained in the following section.

The WordPress Firewall Plugins

When installed, this type of plugin “sits” between your visitor and your WordPress. It checks every incoming HTTP request reaching a WordPress blog or website, and should a request be malicious it is dropped rather than passed on to WordPress. What does this mean? If you have a plugin installed on your WordPress that has an SQL Injection vulnerability, when the hacker tries to exploit that vulnerability by sending specific HTTP requests to your WordPress, these requests are blocked, hence the vulnerability cannot be exploited.

Therefore by running a WordPress firewall plugin you are ensuring that your WordPress is not vulnerable to generic technical attacks such as SQL Injection and Cross-site Scripting. This does not mean that you should not keep your plugins, themes and WordPress up to date. Firewall plugins should be installed as an extra security measure and not as an excuse to avoid maintaining your WordPress. A good firewall plugin we have stumbled upon is BBQ: Block Bad Queries.
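As an added illustration, and not code from BBQ or any other plugin named in this article, here is a minimal WordPress plugin that shows the mechanism described above: it inspects the parts of the request a visitor controls and answers 403 before the request reaches any other plugin or theme code. The plugin name, the function names and the four patterns are constructed for this example; a real firewall plugin ships a much larger, maintained pattern list.

```php
<?php
/*
 * Plugin Name: Illustrative Request Filter
 * Description: Constructed example of how a plugin-level WordPress firewall inspects a request.
 */

// Patterns that commonly appear in generic injection probes. Illustrative only;
// a production firewall plugin maintains a far more complete list.
const IRF_BAD_PATTERNS = array(
    '/\bunion\b.{0,40}\bselect\b/i',   // SQL injection probe
    '/<\s*script\b/i',                 // reflected cross-site scripting probe
    '/(\.\.\/|\.\.%2f)/i',             // path traversal
    '/base64_decode\s*\(/i',           // PHP code injection
);

// Inspect each visitor-controlled request part once URL-decoded. Returns a
// short description of the match (useful for logging) or null when clean.
function irf_find_bad_pattern( array $request ) {
    foreach ( $request as $part => $value ) {
        $decoded = rawurldecode( (string) $value );
        foreach ( IRF_BAD_PATTERNS as $pattern ) {
            if ( preg_match( $pattern, $decoded ) === 1 ) {
                return $part . ' matched ' . $pattern;
            }
        }
    }
    return null;
}

// Drop a suspicious request before WordPress hands it to other plugin code.
function irf_filter_request() {
    $request = array(
        'request_uri'  => $_SERVER['REQUEST_URI'] ?? '',
        'query_string' => $_SERVER['QUERY_STRING'] ?? '',
        'user_agent'   => $_SERVER['HTTP_USER_AGENT'] ?? '',
        'referer'      => $_SERVER['HTTP_REFERER'] ?? '',
    );
    if ( irf_find_bad_pattern( $request ) !== null ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
}

// Priority 0 so this runs before other callbacks hooked to plugins_loaded,
// which is still after WordPress itself has bootstrapped.
add_action( 'plugins_loaded', 'irf_filter_request', 0 );
```

Because the check is attached to a WordPress hook, it only sees requests that bootstrap WordPress; a PHP file inside a plugin directory that is requested directly and never includes wp-load.php is not inspected at all, which is one more reason to keep plugins and themes up to date rather than rely on the firewall alone.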

The WordPress Monitoring and Auditing Plugins

So far we have seen that there are plugins that are meant to harden the security of your WordPress, while others are meant to protect it from malicious HTTP requests, which are typically used to exploit vulnerabilities. There is one other important security measure that is vital to the security of your WordPress and unfortunately is often overlooked in the WordPress security community: monitoring and keeping an audit log of everything happening on your WordPress.

If you have a WordPress website or blog where more than one user logs in, or a WordPress multisite with hundreds of sites and thousands of users, how do you ensure that everything happening on all of the sites is indeed legitimate? How do you ensure that no WordPress user account has been hijacked and is being used to infect your website with malware, or that nobody is trying to hack your WordPress? You can only identify such malicious behaviour by installing a plugin that keeps track of everything that is happening on your WordPress installation, such as WP Security Audit Log.

Monitoring and auditing plugins have several other roles apart from helping WordPress administrators maintain the security of a WordPress installation. They can be used to monitor users’ productivity, and in some cases they can be used to meet legal and compliance requirements. They also come in very handy in case your WordPress is hacked, since they enable you to trace back the malicious attacker’s activity and identify the security hole that was exploited so you can close it down.
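The following is an added example of how an auditing plugin captures the kind of events this section talks about: logins, failed logins, role changes and plugin activations. It is not code from WP Security Audit Log; the plugin name, function names and log file path are constructed, and the WordPress hooks used (wp_login, wp_login_failed, set_user_role, activated_plugin) are the real ones.

```php
<?php
/*
 * Plugin Name: Illustrative Activity Log
 * Description: Constructed example of how an auditing plugin records WordPress events.
 */

// Build one log record: when, what, who, from where. Returned as an array so
// it can be stored anywhere (file, database table, remote collector).
function ial_record( $event, array $details = array() ) {
    $user = function_exists( 'wp_get_current_user' ) ? wp_get_current_user() : null;
    return array(
        'time'    => gmdate( 'c' ),
        'event'   => $event,
        'user'    => ( $user && $user->exists() ) ? $user->user_login : 'anonymous',
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'details' => $details,
    );
}

// Append the record as one JSON line. Hypothetical path: a real plugin writes
// to its own database table, and a file should never sit in the web root.
function ial_write( array $record ) {
    $file = WP_CONTENT_DIR . '/ial-activity.log';
    file_put_contents( $file, wp_json_encode( $record ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Successful login: who, and with which roles.
add_action( 'wp_login', function ( $login, $user ) {
    ial_write( ial_record( 'login_success', array(
        'login' => $login, 'roles' => implode( ',', $user->roles ) ) ) );
}, 10, 2 );

// Failed login: repeated entries from one IP are the brute-force signal.
add_action( 'wp_login_failed', function ( $login ) {
    ial_write( ial_record( 'login_failed', array( 'login' => $login ) ) );
} );

// Role change: a hijacked account promoting itself shows up here.
add_action( 'set_user_role', function ( $user_id, $new_role, $old_roles ) {
    ial_write( ial_record( 'role_changed', array(
        'target_user' => $user_id, 'from' => $old_roles, 'to' => $new_role ) ) );
}, 10, 3 );

// Plugin activation: new code switched on, expected or not.
add_action( 'activated_plugin', function ( $plugin ) {
    ial_write( ial_record( 'plugin_activated', array( 'plugin' => $plugin ) ) );
} );
```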

The Complete WordPress Security Plugins Suite

Therefore, to keep your WordPress secure and avoid malicious hacker attacks you need at least three WordPress security plugins, one from each category. You need a plugin to harden the security of your WordPress, another that will act as a firewall and another one to keep track of everything that is happening on your WordPress, so you can spot any suspicious behaviour before it becomes a security problem. My three plugins of choice are:

  • iThemes Security to harden the security of WordPress
  • BBQ: Block Bad Queries to act as a firewall and block any type of malicious HTTP requests
  • WP Security Audit Log to monitor and keep an audit log of everything that is happening on your WordPress

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with the BBQ: Block Bad Queries firewall and backed up with the BlogVault online WordPress backup service.

6 comments

Jim Walker 10/10/2014

You missed a particularly important aspect of today’s and future WordPress security plugins: Database Backups

Currently iThemes has the easiest to implement database backup option.

Pretty much a click, set how often to save database, click and you are done.

This is an essential aspect of security, which I predict will become an option within all security plugins in the not too distant future.

Robert Abela 10/10/2014

Hi Jim,

It is indeed a very good point. I was looking at this subject only from the attack point of view, not from the point of view of maintaining and ensuring everything is in place, but yeah, very good point.

carl 10/10/2014

I agree backups are more important now than ever before!
Nice post Robert!

Robert Abela 10/10/2014

Thanks Carl.

Rob 10/10/2014

Any thoughts on the ninja firewall plugin? Their benchmarks show it beating the others hands down, and it is a true firewall, not a plugin which loads after WP has loaded:

http://nintechnet.com/wordpress-brute-force-detection-plugins-benchmarks.html

Robert Abela 10/10/2014

Hi Rob,

As you might have noticed this article is not about comparing security plugins even though we recommend what we like. It is about explaining the concepts of WordPress security plugins and their scope and roles in the WordPress security ecosystem. We might do some analysis at a later stage and write something about it but this was not the scope of the plugin. Any thoughts on Ninja firewall plugin? None so far sorry.
