WordPress is the most widely used CMS on the internet, but is WordPress safe? Indeed, that tremendous popularity makes WordPress websites a perfect target for hackers.
Every year, a ton of WordPress websites are hacked and shut down. Adding WordPress security plugins to your website is thus highly critical.
Here’s a table of contents to help you navigate this post:
Bottom line: you need a security tool on your WordPress site to have a successful business online.
Julio Potier (WordPress security expert and founder of SecuPress) and Ryan Dewhurst (Codebreaker and founder of WPScan) helped me to write this article.
Websites are like stores. You have to protect them or they get robbed and damaged.
Two years ago, a report from Sitelock revealed that the typical small business website is attacked 44 times a day.
According to a study made by Sucuri in 2017, out of 8000 infected websites, 74% were built on WordPress.
An amazing infographic made by WPClicboard perfectly sums up WordPress security statistics for 2020.
So yes, you need a WordPress Security Plugin on your website.
WordPress is probably the most secure CMS to build your website. But please, keep in mind nothing on the internet is 100% secure.
In 2017 1.5 million WordPress websites were hacked because of a core vulnerability. The issue was quickly dealt with: WordPress has been safe and secure ever since.
Here is the reason why: the WordPress community is so huge and so talented that security breaches are identified and fixed almost instantly. But still, so many WordPress websites are hacked every day.
You have to understand that WordPress has some good security measures in place, but it’s nothing compared to what the best security plugins can provide you with like:
Only 3% of the incident affecting websites are discovered.
These are frightening figures that should encourage you to install a security plugin.
“WordPress today is a mature and secure software project, trusted by millions of users, which even includes the White House’s official website. In terms of security, the main problem that we are seeing is with third-party WordPress plugins, with 87% of vulnerabilities within the WPScan WordPress Vulnerability Database being attributed to plugins. That being said, we are seeing a gradual increase in the quality of plugins on the official WordPress plugin repository. To keep your WordPress website secure I recommend that you keep your everything up to date, choose a strong admin password and install a security plugin.” @Ryan Dewhurst – Founder & CEO at WPScan
Vulnerabilities and security breaches are almost always related to human misbehaves.
So the best way to improve your website security is to be watchful about a few things!
According to the WPScan database, 95% of WordPress vulnerabilities are actually coming from themes and plugins.
And 95% of this 95% are actually coming from free themes and plugins.
The best way to protect your website from hackers is to keep your plugins and theme up to date. You should also remove all the unnecessary plugins installed on your website.
This tip might be more tricky to implement if you are not comfortable with the PHP language.
Most of them are harmless, but some might jeopardize your website and lead to downtime.
To know which plugins generate PHP Errors, you need to access the WordPress Error Log.
The easiest way to do this is to install WP Umbrella.
Go to the PHP Monitoring tab et enable the advanced view.
From here you can access all the errors and related information necessary to troubleshoot them and make your WordPress website more secure.
” Some people think that a not updated plugin will generate security flaws, like it’s growing in it. Of course that’s not how it works. Every plugin, theme or even CMS core has some sort of security holes, but until it’s discovered it’s not a problem. The problem exists when they are discovered and not fixed, luckily (or not) the WordPress community is full of white hat people who will responsively disclose the issues, so when you hear “this plugin/core flaw has been discovered”, it’s already patched. ” Julio Potier CEO @Secupress
Needless to say that selecting a secure hosting should also be one of your top priorities.
Before looking into security plugins, you should make sure that your WordPress host has significant security measures.
Here are some of the security measures a good WordPress hosting provider should provide you with:
Kinsta, our hosting provider, offers all these services.
Using the same password for every website is bad.
Using the same password on several is the best way to get hacked.
Not all sites are secure. If you use the same password from everywhere and a hacker manages to get it, he will have access to all your accounts.
You must choose a different password for each site you use.
If you’re in a hurry, check this summary table. If you’d like to see our in-depth analysis of every security plugin, keep reading!
| Plugin | Features | Performance | Support | Pricing | Overall |
|---|---|---|---|---|---|
| SecuPress |   | | | 69$ | |
| WPScan | | | | 5-25$/month | |
| iTheme Security | | | | 80$ | |
| WordFence | | | | 100$ | |
| Sucuri Security | | | | 200$ | |
WordFence is the most popular security plugin. The license for 1 website costs 99,99$. WordFence includes:
WordFence Security plugin is not the best WordPress security plugin because it requires a lot of resources from your server.
This can slow down your website load times, which is terrible for SEO and UX.
Besides, in a shared hosting environment, the plugin triggers might issue and mess up with the data stored in your database.
The last reviews on WordPress Plugin Directory are not great since 3 out of 8 reviewers complain about having their website hacked.
The most popular plugins never are almost the best ones. This is the price of fame!
| Overall | |
| Features | |
| Performance | |
| Ease of Use | |
| Support | |
| Pricing | |
iThemes Security (formerly Better WP Security) offers you over 30 ways to secure and protect your WordPress site.
With +1 million active installs, it is the second most popular security plugin on the market. iTheme Security features include:
iTheme Security has a nice and easy-to-use dashboard. The plugin costs 80$ per website.
iTheme Security has nice support, a user-friendly dashboard, and will consume fewer server resources than WordFence. That’s why I’d advise you to chose iTheme security over WordFence.
But there are many other amazing security plugins, and you should keep reading this article!
| Overall | |
| Features | |
| Performance | |
| Ease of Use | |
| Support | |
| Pricing | |
Sucuri is a globally recognized authority in all matters related to WordPress website security.
It offers its users a nice set of security features:
The plugin is one of the most expensive security plugins for WordPress: 200$.
Securi Security is a good WordPress plugin and probably has one of the best firewalls.
The plugin also provides server-level scanning and monitor new and potential security threats. However, it increases load-times and people are really infuriating about this.
My advice: it’s not worth to pay 200 bucks for something that slows down your website. Keep reading!
| Overall | |
| Features | |
| Performance | |
| Ease of Use | |
| Support | |
| Pricing | |
The WPScan WordPress Security Scanner plugin scans your website daily to find security vulnerabilities listed in the WPScan Vulnerability Database.
Unlike other plugins, WPScan does not slow down your WordPress websites. The database is maintained by 3 people, 100% dedicated to WordPress security.
WPScan main features also include:
The plugin has monthly pricing: from free to 25$ per month.
WPScan has fantastic reviews and WPScan users look happy about the quality of the support provided.
WPScan doesn’t offer some security features such as WordPress Brute Force Protection or WordPress Firewall, but it’s an amazing scanning plugin.
| Overall | |
| Features | |
| Performance | |
| Ease of Use | |
| Support | |
| Pricing | |
SecuPress is another great security plugin for WordPress. This plugin will protect your WordPress website with malware scans and block bots & suspicious IPs.
SecuPress gives its users a useful set of security features:
With 69$ (= 60€), SecuPress is the most affordable security plugin for WordPress.
SecuPress has some great reviews from the French WordPress community, where Julio Pottier (SecuPress CEO) contributes to assisting WordPress developers in securing their code.
| Overall | |
| Features | |
| Performance | |
| Ease of Use | |
| Support | |
| Pricing | |
And you? What’s your favorite security plugin for WordPress?
