One Best Security Plugin For WordPress or Combination of Plugins?


1. Intro

Let me assume you are concerned about your website safety or have already been hacked. And you would like to know what is the best security plugin for WordPress out there. You might have heard of some of them and you don’t know which one to choose to make your site protected from hackers and malicious bots.

I’ve researched WordPress security plugins and solutions and would like to report my results and thoughts.

I’ve written this article with the following aim: to help you protect your WordPress site using security plugins, combinations of plugins and solutions (both free and paid) and help you understand why you may want to choose this or that WordPress security solution.

Although I published an initial version of this article in 2015, all the points of this article are valid today. I keep an eye on the main changes and update the article when anything significant should be added or modified. The conclusion is the first part that I keep up-to-date above all.

This article is one of the most popular ones on my website. And I keep it ever-green for the best benefit of you (my readers).

By the way, you can find a lot of useful information in the comments. (Ctrl+F can be a good friend to save time 🙂 )

This article was last updated on February 19, 2017

 

2. Answers to what questions you’ll find in this article

  • What are the levels of website security? (hint: it’s not just a plugin)
  • How different are WordPress security plugins? (hint: compared features of Sucuri, iThemes (Better WP security), WordFence, BulletProof Security)
  • Which plugin or product for your WordPress website do you need? (hint: compare plugins by their functionality, usability and price)
  • How you can protect your WordPress site to be more confident about its security? (hint: combine security plugins and other tools)


3. Before we get into details… Or what I kept in mind when I wrote this article

Unlike many other bloggers who just list the most well-known security plugins and underline their features and benefits, I’d like to make it more detailed and useful for you.

My main aim in this post is to help you protect your WordPress website and to make security issues clearer for you, so that you don’t just install a plugin or two but also understand more about security.

Otherwise, if you don’t want to see what this or that security plugin or product does, you may get a false feeling of security or even break your website completely.

But you may say, “Hey, I just want the stuff that works and don’t want to read about security or any technical details! Just tell me what is the best WordPress security plugin and I’ll go!”

Your desire may be reasonable (and I will answer this question fully in the Plugins and Solutions section), but first I want to say that I’d like you to become a frequent reader of my blog (and maybe a good friend, why not?).

And so I feel a big responsibility for what I tell you. That’s why I have to explain why this or that security plugin may be a good fit for your WordPress site and what limitations this or that security plugin has.

By the way, if you don’t want to take responsibility for your website safety and you’re not going to learn the basics of WordPress security, then go with managed hosting. A great and comparatively inexpensive choice for beginners is WP Engine (see my review here). They don’t just take care of your website’s server-side technical and security issues, but they will also fix your site for free if it gets hacked (they use the Sucuri service for that; see more details about this service reviewed below in this article).

But if for some reason you don’t want to use managed hosting or some other managed solution (for example, if you have a small budget or you prefer to keep fuller technical control over your website), then you may find this article very useful.

Alright, here we go.

4. The anatomy of WordPress security – general overview

In order to choose the best security plugin or solution for your WordPress site, you need to understand what different plugins do, what vulnerable areas and defensive barriers of your website they are designed for. If you don’t understand the basics of website security, then you may get a false feeling of being secure after installing some plugin that does not protect you as much as you thought (I repeat this idea, because it’s important).

So here’s a general overview of the layers of website security protection (I’m talking about personal or small/medium business websites, not corporate web applications):

[Image: WordPress security levels]

The picture above will help you understand what you can and cannot control directly. As the simple image shows, your website security can be presented as the following levels:

  • Outer network level (outside of your server – it may be proxy, software/hardware firewalls)
  • Hosting level (it includes server level and a part of networking)
  • Website application level (your WordPress site) – this is the main part of this article
  • Client level (your computer’s security, safe network environment and your common-sense security measures)

Some of the information below may or may not be news to you, but I include it for consistency so that you can see the whole picture and the ways your website can be compromised and protected.

5. Hosting and server level of security

Who is directly responsible for your hosting and server level security:
If you use shared web hosting (not a VPS or dedicated server), then hosting and server level security is up to your hosting provider. They should set up their servers properly and protect them, set up network firewalls, organize a safe hosting account environment for you, and do constant monitoring, scanning, auditing etc.

What if your hosting is not managed properly:
If your hosting is poorly managed, then you not only get many more threats and attacks on your website (which is theoretically tolerable if you have good website security), but your website can also be hacked at the server level, from the inside environment so to speak. And there’s no way you can fully protect against that on your own; only your hosting provider can do it.

How you can protect your site on this level:
The best thing you can do is to choose your web hosting wisely: take into consideration the hosting companies’ professionalism, and do not fall for the shiny, misleading marketing of many hosting providers on the market.

6. Network level of security (web application firewall)

This is a kind of filter between the outside world and your website. Its purpose is to additionally protect your website from malicious traffic (spam, bots, DDoS attacks etc.) and hacking attempts, while also improving your website’s performance.

Who is directly responsible for network level security:
It’s you who decides whether to use this additional level of website protection.

How you can protect your site on this level:
It’s as simple as subscribing to the cloud/proxy-based and caching service such as Sucuri Website Firewall (the most professional), Incapsula, MaxCDN, CloudFlare etc.

7. Client level of security

How you can protect yourself on this level:
Consider these four areas of client level security:

  1. Protect your computer (use antivirus software plus firewall for your computer).
  2. Use safe network environment (e.g. don’t use sensitive data when using public wifi hotspots).
  3. Take basic security measures to protect your sensitive data (e.g. don’t keep your passwords written on sticky notes that can be lost or stolen).
  4. Be cautious when working online or with unfamiliar files and programs (e.g. don’t open emails, files or URLs that look suspicious).

Who is directly responsible for client level of security:
Of course, it’s you 🙂

What if you fail to secure your computer and your actions online:
If you fail in this area, your website may be contaminated via the files you upload to it, or your password can simply be stolen by a malware program.

8. Website application level of security (Secure your WordPress site!)

Here’s the main part of this post. It’s about hardening your WordPress site and using plugins, products and services to secure your website.

Who is directly responsible for this level of security:
If you do the technical part of maintaining your website on your own, then it’s you who is in charge of it.

But if you don’t want to do WordPress security yourself, the very cost-effective solution is to choose a fully-managed hosting that apart from many other things provides necessary security for your website so you feel confident.

What if you do not secure your website on this level?
Sooner or later you will be hacked. Malicious bots and human hackers target the easiest websites first. So if you don’t take proper preventive security measures, it’s very likely that you’ll become a hackers’ victim soon.

What you can do to protect your WordPress site:
I will talk about it below in this post. For now, I will just list the areas that you should be aware of in order to be sure that you handle your website security properly.

Here is what you should pay attention to when securing your WordPress website:

  1. Protection (or prevention, i.e. don’t let a hack happen in the first place)
  2. Monitoring (watch for suspicious activity like file changes, unauthorized logins etc. – yes, security is not a set-and-forget thing)
  3. Scanning (find vulnerabilities and hacks before they do too much harm to you)
  4. Post-hacking (restore or clean up your hacked online assets in the most effective way with the least losses)

The above list is important because different plugins and solutions focus on different areas from it. So WordPress security is not a simple thing; as you can see, it is a complex issue. No single plugin covers all aspects of website security very well (contrary to what many people think).

I know that most people don’t want to do anything until it may be too late. If you are one of these people, I’d recommend that you focus at least on basic protection and a post-hacking strategy. It will let you avoid most hacking issues and restore your website (almost) without losses.

Having said that, if you don’t want to deal with any plugins yourself and you don’t have the budget to go with managed hosting, then at least take some actions and follow the approaches from this article about securing WordPress with your own hands and free of charge. It’s basically about updating regularly, having a strong password and always keeping a fresh backup of your site. If you do at least this, then you are already more protected than the average website owner.

Although WordPress itself is pretty secure, there are weak spots in its security: themes, plugins and the end user’s lack of expertise or awareness. That’s why WordPress sites constantly get hacked, and that makes security plugins a hot topic.

The next sections are about plugins and solutions that will help you enhance the protection of your WordPress site.

9. Plugins and solutions to protect your WordPress website

How to choose a security plugin – General factors for consideration

Before all, I’ll emphasize one more time – no single plugin is designed to cover all aspects of WordPress security. For a complete security protection you need to use a combination of plugins and/or paid products and services and be security-concerned while you work online in general. You will see below suggestions on both single plugins and complete solutions.

One idea I had for structuring this article was to make a comparison table of the security features that different plugins offer. But I decided not to rely on that alone, and here’s why:

  • Judging only by a number of features is not the best way to choose a security plugin or product, because the competition of which plugin has more features after some limit becomes kind of marketing game and not really useful reasoning.
  • Features should be taken into consideration, but it’s better if you understand the overall principles of security, otherwise you can be misled by a mass of security slang words and user interface sugar promises that can be really good but not the most important thing.
  • In addition to considering number of features, I believe it makes a lot of sense to focus on the most prominent features and areas that this or that plugin is very well designed for (the areas are listed above, and I repeat them now: protection, scanning, monitoring, post-hacking).
  • The tricky thing is to know (or trust a developer) whether each feature in a plugin works properly.
  • What also matters is efficiency of security plugins (or solutions) and users’ feedback.
  • The convenience of plugin usage plays also an important role (especially for newbies) considering everything else equal.
  • Professionalism of developers is also a very important factor, not only because security is vital, but because it’s a constantly evolving sphere that requires dedication, fast and reliable updates. That’s why it’s not recommended to use security plugins developed by amateurs, for marketing purposes, or abandoned plugins.

The list of cornerstone security plugins that are featured in this article

I’ve chosen the most well-known and established companies and brands that develop WordPress security plugins, offer comprehensive security solutions and have a good reputation according to wordpress.org feedback:

  • Sucuri Security
  • iThemes Security (former Better WP Security)
  • Wordfence
  • BulletProof Security

There are also some well-known plugins that are targeted not as comprehensive WordPress security solutions, but focus on some specific areas (for example, firewall, authentication, backup tools). I’ll mention some of them in this article as well.

Disclosure:
Please note that I haven’t tested the mentioned plugins and solutions in depth against actual malware, backdoors and attacks. But these free and paid products are very well-established and are among the best on the market in this WordPress security segment.

My research results and ratings are based mainly on features that these security plugins and solutions have as well as on information and reviews found on the web and from my readers. Also I take into account my own experience with the products.

 

9.1. Sucuri Security – Auditing, Malware Scanner and Security Hardening (Free)

Sucuri company’s general overview

  • Sucuri is a company that specializes in website security protection, monitoring, scanning and cleaning up.
  • Sucuri’s market advantage is that they have developed a unique semi-automated mechanism for cleaning up websites. So you can get your website cured (and then protected for a subscription period) for an unbelievably low subscription fee.
  • Sucuri offers 3 products (one of them is free) that cover a full range of protection, monitoring, scanning and post-hack cleanup solutions for WordPress.
  • Sucuri is founded and managed by web security technicians rather than marketers. In my opinion, from many perspectives it may be considered as a huge advantage.

What the free Sucuri Security plugin does

The most prominent features of free Sucuri Security plugin are:

  • Easy (1-click) website hardening (restricting access to some vulnerable WordPress directories, disabling theme and plugin editor and less critical options)
  • Your WordPress core files integrity checking (checks if your WordPress files were changed against a remote sample installation and shows you the changes with option to restore)
  • Comprehensive logging of activity on your website (logins, plugins installing/updating etc)
  • Remote website scanning (powered by Sucuri‘s service SiteCheck) is to check if your site is hacked, contaminated or blacklisted. (Hacking/contamination scanning is not in-depth compared to a paid Sucuri Antivirus, but it’s good and convenient considering it’s free)

For the full list of features see the detailed features comparison table.

User experience

Very easy and beginner user-friendly.
[Screenshot: Sucuri Security plugin dashboard]

You may find some videos demonstrating user interface of this plugin on the plugin’s page on wordpress.org

Other notes

Sucuri Security plugin does not provide the whole range of security measures, so it’s recommended to use it with other plugins (see some solutions below).
Check out free Sucuri Security plugin

Rating chart for free Sucuri Security scanner

Sucuri Security - Auditing, Malware Scanner and Security Hardening (Free)
Price: Free
Protection: Quite effective but not as complete as desired
Scanning: Not in-depth, but good as a free product
Monitoring: Neat and good, but providing more utility tools could be an advantage
Post-hacking: Provides just additional hardening measures, but no complete solution
Beginner user friendliness: Easy, comprehensive, helpful explanations and tips
Overall: Great in conjunction with additional plugins (see Combination of Plugins section below)

 

9.2. Sucuri Website Firewall (CloudProxy)

What it does

In short, Sucuri Website Firewall (CloudProxy) is a proactive (unlike monitoring and malware detection, which is reactive) approach to your website security. It’s a cloud-based protection for your website (all traffic goes through Sucuri cloud environment).

The most important features are:

  • stops attacks before they reach your website
  • prevents vulnerabilities exploitation
  • optimizes performance (four caching options)

User experience

[Screenshot: Sucuri Firewall dashboard]

To activate the Sucuri Firewall, all you basically need to do is change the A record for your domain. If you don’t know how to do that, you may open a support ticket and the support team will do it for you.

Also, you may speed up your website by enabling the caching option and optionally specifying a server location (for example, if your traffic comes mainly from North America, you select the US server location). By the way, according to my research Sucuri Firewall made my website faster by 2.3 times.

Other notes

Although there’s a separate product Sucuri Firewall, you may want to install a free Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin where Sucuri Firewall’s interface is included as an add-on feature (see the image above).

Also consider using paid Sucuri Antivirus solution, which already includes Sucuri Firewall. (I review it in the next section below.) In this case you can set up the Firewall within Antivirus dashboard.

Check out Sucuri Website Firewall (CloudProxy)

Rating chart for Sucuri Website Firewall (CloudProxy)

Sucuri Website Firewall (CloudProxy)
Price: $9.99/mo - one of the most affordable options among other cloud-based solutions
Protection: Great as cloud-based firewall, but not enough for a complete security solution
Scanning: Does not do it
Monitoring: Does not do it
Post-hacking: Does not do it
Beginner user friendliness: Sucuri support can set everything up for you

The product is great in its niche, but for a complete security solution it’s recommended to use it together with other plugins or products (see Combination of Plugins section below)

 

9.3. Sucuri Website Antivirus (Paid)

What it does

Sucuri Website Antivirus is a comprehensive WordPress security solution that provides a great balance between functionality, usability and a peace of mind.

The advantages of this paid product that add up to the free Sucuri Security Scanner plugin are below.

The most important ones are the following:

  • in-depth scanning,
  • malware and other security issues monitoring and detection,
  • file change detection (the core files),
  • and the most outstanding one – cleaning up in case you get hacked (unlimited times, no charge).

Antivirus includes Firewall Product (CloudProxy). So its main features are:

  • stop attacks before they reach your website,
  • prevent vulnerabilities exploitation,
  • performance optimization (four caching options; making a website faster by 35%-136% according to my research),
  • premium support.

In my opinion, Sucuri Website Antivirus is the product of choice if you want the most complete and hassle-free security for your website.

User experience

The user interface of the Sucuri Antivirus product is an easy-to-use dashboard that is available from Sucuri’s external web application (it’s not a part of your WordPress dashboard):

[Screenshot: Sucuri Antivirus dashboard]

A free part of this product is Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin which you can access within your WordPress dashboard. But if you use Sucuri Antivirus, then this free plugin is redundant.

Other notes

Although Sucuri Antivirus is quite a complete solution, consider the combined solutions below in this article that add a backup system and additional authentication protection.

Also, it’s worth saying once again that Sucuri Antivirus offers an unlimited cleanup service, which means that if your website gets contaminated, it will be cleaned of any malware, blacklisting and everything that goes or may go with it, without additional charge. It’s a winning advantage over the other products I review in this article.

Check out Sucuri Website Antivirus

Rating chart for Sucuri Website Antivirus

Sucuri Website Antivirus (includes CloudProxy - Sucuri Website Firewall)
Price: $199.99/year - Good price for the service
Protection: Adding two-factor authentication protection would make it 5 stars (see Combination of Plugins section below)
Scanning: Very well covered
Monitoring: Very well covered
Post-hacking: It's great, and adding backup solution would make it even greater (see Combination of Plugins section below)
Beginner user friendliness: Easy and clear
Overall: Very convenient and practical solution

 

9.4. iThemes Security (formerly Better WP Security) (Free)

General overview

  • iThemes is a company that focuses on web design training and developing plugins, themes and other solutions for WordPress.
  • iThemes Security plugin focuses on protecting the website. In addition, iThemes suggests using free remote malware scanning (the virustotal.com service) and, for post-hacking, third-party paid services.
  • iThemes also offers packages that include not only security products, but also backup service, themes, WordPress management and other plugins, which can be cost effective when bought together.

What the free iThemes Security plugin does

The most prominent features of this free plugin are:

  • A prioritized to-do list of security-hardening items to help you protect your site with 1-click for each security item
  • File change detection (it compares files with their versions saved at a previous check to help you find out if the changes were made not by you)
  • Remote website scanning (powered by a third-party service – virustotal.com) which can identify if your website contains a virus or other malicious content. (Note that it’s not an in-depth scanning tool and cannot be used as a comprehensive alternative to antivirus/scanning software that is installed locally on your server.)

For the full list of features see the detailed features comparison table.
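
Both the file change detection described above and the core file integrity check in the Sucuri section come down to comparing file hashes against a saved reference. The following is an added example, not code from iThemes, Sucuri or this article; the function names, the constructed sample site and the rule that flags PHP files under wp-content/uploads are assumptions of the example.

```python
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Return {relative path: SHA-256 hex digest} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest.hexdigest()
    return manifest


def save_manifest(manifest, path):
    """Store the baseline as JSON; keep it outside the web root so a
    compromised site cannot quietly rewrite it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def diff_manifests(baseline, current):
    """Compare the previous check with the current state of the site."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def php_in_uploads(changes):
    """Assumed triage rule: the uploads folder should hold media only, so a
    new or changed PHP file there deserves attention first."""
    hits = []
    for path in changes["added"] + changes["modified"]:
        if path.startswith("wp-content/uploads/") and path.lower().endswith((".php", ".phtml")):
            hits.append(path)
    return sorted(hits)


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Run two checks over a constructed miniature site and return the report."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        # Constructed sample files, not real WordPress content.
        _write(site, "wp-includes/version.php", b"<?php $wp_version = 'x';\n")
        _write(site, "wp-content/uploads/2017/02/photo.jpg", b"constructed image bytes")
        _write(site, "wp-content/plugins/sample/sample.php", b"<?php // constructed plugin\n")

        # First check: record the baseline.
        baseline_file = os.path.join(store, "baseline.json")
        save_manifest(build_manifest(site), baseline_file)

        # Changes made between checks: one edit, one new file, one deletion.
        _write(site, "wp-includes/version.php", b"<?php $wp_version = 'x'; // edited\n")
        _write(site, "wp-content/uploads/2017/02/cache.php", b"<?php // constructed file\n")
        os.remove(os.path.join(site, "wp-content", "plugins", "sample", "sample.php"))

        # Second check: compare against the saved baseline.
        changes = diff_manifests(load_manifest(baseline_file), build_manifest(site))
        return changes, php_in_uploads(changes)


if __name__ == "__main__":
    changes, flagged = demo()
    for kind, paths in changes.items():
        for path in paths:
            print(f"{kind:9} {path}")
    for path in flagged:
        print(f"REVIEW    {path}")
```

A change report like this only tells you that something changed; updates you made yourself will show up too, so the baseline has to be refreshed after every legitimate update.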

User experience

A screenshot of the plugin front page:

[Screenshot: iThemes Security short to-do list]

More screenshots are here.

The plugin may seem to have a lot of settings (which can be a bit frustrating for a newbie), but on the other hand it gives more control and flexibility.

Logging (as a part of monitoring) is detailed but at the same time it may be overwhelming or not friendly for a non-technical newbie.

It may cause some server load when working with file change detection (may cause slowdowns or other issues if your server is not good enough – it’s recommended to have 128 MB of RAM on your server).

Other notes

Since the free iThemes Security plugin offers some powerful features, some people run into trouble with their websites when they start using the plugin (in general, any plugin can break something in your website, so make a complete backup before installing plugins).

Rating chart for the free iThemes Security plugin

iThemes Security plugin
Price: Free
Protection: Quite good, but would be more efficient with firewall features (see Combination of Plugins section below)
Scanning: Not in depth, but good as a free product
Monitoring: Provides detailed log of file changes which is great if you are a bit tech-savvy, but newbies may find it not friendly
Post-hacking: Not a complete solution - provides only scheduled database backups
Beginner user friendliness: Some parts are easy and clear, some parts are more technical and settings may seem a bit puzzling for a newbie
Overall: Good plugin. Recommended to use with other plugins and/or solutions (see Combination of Plugins section below)

 

9.5. iThemes Security Pro (Paid)

What iThemes Security Pro does in addition to the free version

Paid product iThemes Security Pro offers:

  • Security activity auditing (logins, logouts, file changes, intrusions etc)
  • Malware/backdoor scheduled scanning/detection (application-side, which is more reliable and in-depth than any remote scan)
  • Scheduled file change detection
  • Adds some protection (e.g. forbids PHP execution in the uploads folder, enforces strong passwords, adds an anti-spam captcha and others)
  • Database backups management
  • Two-factor authentication
  • Premium support

User experience

Technically it’s the same plugin as the reviewed free iThemes Security plugin but with additional features.

Rating chart for iThemes Security Pro product

iThemes Security Pro plugin (paid)
Price: $80/year
Protection: Good, but would be more efficient with firewall features (see Combination of Plugins section below)
Scanning: Very well covered
Monitoring: Very well covered
Post-hacking: Not a complete solution - provides only scheduled database backups
Beginner user friendliness: Some parts are easy and clear, some parts are more technical and settings may seem a bit puzzling for a newbie
Overall: Good solution, and for more functionality see Combination of Plugins section below

 

9.6. Wordfence Security (Free)

General overview

  • Wordfence is a department of Feedjit Inc. which provides live traffic feed and WordPress security software.
  • Wordfence is famous for its free plugin that has a powerful application-side (i.e. not remote) malware detection/scanning and live traffic audit features.

What free Wordfence Security plugin does

The most advantageous features of this free plugin are:

  • In-depth scanning for malware which runs manually or automatically once per day (paid version offers a scheduled scanning)
  • Live traffic display (including bots, crawlers etc)
  • Firewall which blocks botnet attacks and other common security threats
  • Options to repair files if they have been changed
  • Optimizes your site speed using Falcon caching (you don’t need to use other caching plugins)

For the full list of features see the detailed features comparison table.

User experience

[Screenshot: Wordfence scanning results]

See more screenshots on the plugin’s page at wordpress.org

Other notes

In my experience Wordfence’s scan did not work (could not start) after I installed Sucuri and iThemes security plugins. Even removing all these plugins and re-installing only Wordfence did not help.

I did not investigate this compatibility issue this time. I just re-installed my test WordPress site, installed Wordfence and its scan did work fine.
It does not mean that either of these plugins is bad or not reliable. However, it means that they may not be compatible with each other in some environment.

You can get free Wordfence plugin here.

Rating chart for free Wordfence Security plugin

Wordfence Security plugin (free)
Price: Free
Protection: Thanks to application-side firewall, bruteforce and DDoS protection
Scanning: In depth, one of the best among free options. And paid version offers even more versatile scanning and more convenience
Monitoring: Great live traffic monitoring, file change detection with showing what has changed, automatically once a day, but does not show the logs - e.g. someone deleted a plugin and it does not record it explicitly. (Paid version offers a scheduled scanning)
Post-hacking: It can help you to find what has changed after the incident
Beginner user friendliness: Clear, easy, with explanations
Overall: Its advantage is in-depth scanning and live traffic monitoring - very good for free product

 

9.7. Wordfence Security Premium (Paid)

What Wordfence Security Premium does in addition to the free version

The main advantages of paid Wordfence Security Premium product over a free Wordfence plugin are:

  • Scheduled scanning
  • Checks whether the domain sends spam or is associated with sending it
  • Geographic IP banning
  • Premium support

User experience

From a technical point of view it’s the same plugin as the reviewed free Wordfence Security plugin but with additional features.

Rating chart for Wordfence Security Premium plugin

Wordfence Security Premium plugin (paid)
Price: $39/year and less - the least expensive among the reviewed paid plugins with recurring payment
Protection: Thanks to application-side firewall, brute-force and DDoS protection
Scanning: The core functionality is as in the free version, plus scheduled scanning
Monitoring: Great live traffic monitoring and file change detection that shows what has changed, run automatically once a day and on a schedule, but it does not show the logs - e.g. if someone deleted a plugin, it does not record it explicitly
Post-hacking: It can help you find what has changed after the incident
Beginner user friendliness: Clear, easy, with explanations
Overall: Affordable for more convenience compared to the free version

 

9.8. BulletProof Security (Free)

General overview

What the free BulletProof Security plugin does

The main security features of this free plugin are:

  • Protecting your website by hardening your .htaccess files
  • Checking files/folder permissions
  • DB backups
  • Brute-force protection (via max login attempts)
  • Providing useful monitoring logs

User experience

  • The plugin has built-in tips for setting up which is convenient, as well as how-to-setup video tutorials
  • At the same time setting up the plugin may seem a bit complicated and too technical at first glance for a total newbie (but once you get over it, you’ll enjoy it 😉 )

Bulletproof Security screenshot

More screenshots are here.

Video overview of the plugin and its settings is here.

Other notes

Apart from set-and-forget protection via .htaccess files and database backups, it’s also a set of utility tools that users should be able to handle easily if they do their website security themselves.

Don’t be afraid of the seemingly complicated interface (if it seems so to you). Even if you find it not very friendly at first, it’s totally worth making an effort and spending some minutes learning it to start enjoying its performance.

You can get free Bulletproof Security plugin here.

Rating chart for free Bulletproof Security plugin

Bulletproof Security plugin (free)
Price: Free
Protection: Brute-force and protection via .htaccess
Scanning: Not in-depth, but good as a free product (Sucuri's remote scanning is used)
Monitoring: Security log, helpful in case of attacks
Post-hacking: Provides only scheduled database backups
Beginner user friendliness: May seem complicated at first for a total newbie
Overall: Provides good protection via .htaccess and contains helpful tools for users

 

9.9. BulletProof Security Pro (Paid)

What the paid version does in addition to the free one

  • more protection (IP firewall, forbidding crawling scanning, forbidding script execution, etc; allowing only valid images in upload folder, anti-DDoS, anti-spam, locking files)
  • better alerting system
  • database changes audit
  • more options for monitoring (alerting and logging options)
  • tools for hacking analysis (decoding malicious scripts, code/db/dns finder etc)
  • quarantine folder and logging (view/restore/delete options etc)
  • WordPress files (including root folder files and custom folders) backup and restore
  • premium support

In my opinion, it is the product of choice if your primary concern is protection (the product focuses on protection). Monitoring is also a solid feature. Other aspects, such as in-depth scanning or after-hack cleanup, are less developed. This is fantastic software in the right hands (the plugin provides the best value for technically skilled users). In addition, it’s very affordable.

See the full description of the BulletProof Security Pro plugin here.

User experience

It’s the paid version with one-click install and with additional functionality based on the free Bulletproof Security plugin that I reviewed above.

Here’s the how-to-install-and-setup video tutorial.
Other useful video tutorials are here.

Check out Bulletproof security Pro version.

Rating chart for paid BulletProof Security Pro plugin

Bulletproof Security Pro plugin (paid)
Price: $59.95 one time payment - the most affordable among premium options
Protection: IP firewall, anti-DDoS and anti-spam protection and others added in addition to the free version
Scanning: Not in-depth, but good as a free product (Sucuri's remote scanning is used)
Monitoring: Good, especially for specialists and analysts
Post-hacking: Provides scheduled database backups and WP files backups
Beginner user friendliness: Goes with easy 1-click install
Overall: Provides good protection via .htaccess, DB and WP files backup and restore and contains helpful tools for users

 

9.10. Other plugins

For this article I have reviewed some of the most well-known, comprehensive and established WordPress security plugins. But there are more plugins. Many of them do not cover WordPress security fully, but they do their work well in their targeted areas.

If you want to protect your WordPress site on your own (especially without using paid products), then you may want to maximize protection of your website by combining plugins. I describe some effective combinations of security plugins below.

 

10. Combination of plugins/solutions to maximize effectively your WordPress security

Why one plugin may not be enough

When it comes to security protection and malware/contamination detection, no single plugin (even a paid one) can give you a complete solution with 100% prevention, protection and detection. Different software works in different ways, each covering just a part of the security threats and issues. And if you want to maximize the effect, you may want to use more than one plugin.

A note about how I combined plugins into suggested security solutions

  • In the sections below I describe combinations of plugins trying to find a good balance between price and functionality.
  • In each suggested solution below I put one of the paid products from the reviewed companies as a starting point.
  • Also I suggest fully free (but still effective) security solutions.

Warnings before combining security plugins or solutions

There are several issues that you need to keep in mind when making a decision on combining plugins for your final security solution:

  • Security plugins from different providers are not promised to be 100% compatible;
  • Some security plugins may conflict or break other (non-security) plugins;
  • The more plugins you use, the more work you need to do and more time to spend managing/monitoring the plugins;
  • There’s a risk that using many security plugins will do more harm than good (e.g. blocking you or all traffic, or even breaking your site, producing excessive information, wasting your time dealing with it and so on).

So how many and which plugins do you need?

It’s the question of the balance between your expertise, the level of your website security you need and the efforts/time/money you want to spend setting it up and managing it.

Here are some effective WordPress security solutions that I have compiled below.

 

10.1. Free minimalistic no-heavy-security-plugin solution

Overview

Some people find it difficult, or are reluctant, to set up and manage powerful security plugins. Also, people may want to minimize the number of plugins they use (for example, to avoid the risk of damaging the website with plugins and/or to have more control over the website).

In this case I suggest applying the minimalistic (but effective) security measures for WordPress that I describe in the article Protect Your WP Site From Hacking Step-by-Step – Easy And Very Effective.

It contains mostly protection measures (that need to be set just once) and important solid pieces of advice on website security.

Rating chart for free minimalistic no-heavy-security-plugin solution

Minimalistic security solution (free)
Price: Free
Protection: Effective, but not complete compared to other suggested solutions
Scanning: Does not do it
Monitoring: Does not do it
Post-hacking: Does not do it (however, the article reminds you to have a fresh backup)
Beginner user friendliness: Some protection measures may seem a bit complicated for a total newbie since it requires editing core files

This solution suggests some effective protection measures (they need to be set only once) and explains some underestimated website security threats and safe online habits that everyone should consider.

 

10.2. Free Solution To Protect, Scan and Monitor

Overview

It’s a free solution which focuses on protection, monitoring and powerful scanning.

In brief, this solution includes the following parts:
– Bulletproof Security (free) – simply effective plugin for great protection (my review is here)
– Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin (free) (see my review above)
– WordFence security plugin (free) – for better protection and monitoring (my review is here, how to fix compatibility issue with Sucuri is here)
– Two-factor authentication (use e.g. free version of Duo Two-Factor Authentication plugin, also see a relevant section with similar plugins suggestions in my article here)
– Backup (if your hosting provides an independent backup solution, then it’s great. Otherwise, the simplest free option is to make full backups from your hosting account’s cPanel manually and store them somewhere outside of your hosting – e.g. on your home computer)
– Anti-spam solution (there are many free options to fight spam, e.g. Invisible Captcha plugin or similar which I find very convenient and effective against automated spam)

Rating chart for this free solution

Free solution which focuses on protection, monitoring and powerful scanning
Price: Free
Protection: Quite solid option
Scanning: Powered by WordFence (in-depth, server-based) and additionally Sucuri (not in-depth, but good as an alternative)
Monitoring: Powered by WordFence (live traffic, file-change detection) and additionally by Sucuri
Post-hacking: Some measures are offered by Sucuri, but it's not enough – consider at least making and downloading a fresh backup if your hosting does not offer backup solution for you
Beginner user friendliness: Quite clear and easy
Overall: Even with no money you can make your website pretty secure

 

Other notes

  • I also suggest reading this article – it can help you as well in addition to this solution.
  • If you have issues with plugins compatibility or you need other features, consider replacing plugins with other ones. When you do website protection yourself, you’ll need to gain expertise (if you don’t have it yet) by learning and trying.
  • Feel free to use features comparison table for reference when adjusting your solution according to your needs.

General overview of full solutions based on a cornerstone paid product

The advantages of the full solutions:

  • Advanced protection, scanning and monitoring (each solution below features one or more leaders in WordPress security)
  • Full backup solution, which means that you can restore your website from any point or restore single files. (Imagine that an experienced hacker or a new hacking script broke your site, or that you yourself made some unwanted changes such as breaking the website or deleting some data, or that your hosting did a bad job and lost your data: you’ll need the most recent backup)

 

10.3. Full Sucuri Protection and Backup Solution

Overview of the solution

This solution features Sucuri’s product, which, apart from a lot of other useful things, lets you get your website cleaned up from malware and other contamination, restore its ranking in search engines, get it whitelisted again, etc. in case your site was hacked and blacklisted.

This solution includes:
– Sucuri Website Antivirus (it already includes Sucuri Website Firewall – CloudProxy)
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups against malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Two-factor authentication (you may use free version of Duo Two-Factor Authentication plugin, also see a relevant section with similar plugins suggestions in my article here). Also, two factor authentication using Google Authenticator is offered by Sucuri Website Firewall as a free option.
– Anti-spam plugin (in addition to Sucuri’s firewall spam protection, consider using an additional solution, e.g. free Invisible Captcha plugin or something similar which I find very convenient and effective against automated spam)

Rating chart for the solution

Full Sucuri Protection and Backup Solution
Price: $259.99/year = $199.99/year (Sucuri Antivirus) + $60/year (CodeGuard). A good price for a great functionality
Protection: Great
Scanning: Very well covered
Monitoring: Very well covered
Post-hacking: Everything from restoring from any point to cleaning up poisoned rankings in search engines
Beginner user friendliness: Easy and clear
Overall: Very effective and beginner user-friendly solution

 

10.4. Full iThemes Security with Sucuri Firewall and Backup Solution

Overview of the solution

This solution implies more active participation of you in the hardening of your website (thanks to iThemes Security’s to-do list).

The solution includes:
– iThemes Security Pro – protection, scanning, monitoring
– Sucuri Website Firewall (CloudProxy) – more proactive protection
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups against malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Anti-spam plugin (in addition to Sucuri’s firewall spam protection and if you don’t like iThemes’ option (Google reCaptcha), consider using an additional solution, e.g. free Invisible Captcha plugin or something similar which I find very convenient and effective against automated spam)

Rating chart for the solution

Full iThemes Security and CodeGuard Backup Solution
Price: $259.88/year = $80/year (iThemes Security Pro) + $119.88/year (Sucuri Firewall) + $60/year (CodeGuard). A good price for a good functionality
Protection: Great
Scanning: Very well covered
Monitoring: Very well covered
Post-hacking: CodeGuard backup solution allows you to restore a website from any point
Beginner user friendliness: Some parts in iThemes security can be a bit puzzling for a newbie
Overall: A good solution that is based on more control (to-do list of protection measures)

 

10.5. Full WordFence solution with Sucuri Firewall and Backup Solution

Overview of this solution

The paid WordFence plugin differs from its free version mainly in more convenient scanning functionality and an additional check of whether your site is being exploited to send out spam.

This solution makes the most of the WordFence product and adds more protection measures from other products.

The solution consists of:
– WordFence Security Premium (Paid)
– Sucuri Website Firewall (CloudProxy) (paid)
– Free Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin. (Also, see this article about compatibility between Sucuri and Wordfence scanning)
– Two-factor authentication (if you don’t like WordFence’s option for any reason, you may use e.g. a free version of Duo Two-Factor Authentication plugin, also see a relevant section with plugins suggestions in my article here)
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups against malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Anti-spam plugin (in addition to Sucuri’s firewall spam protection, consider using an additional solution, e.g. free Invisible Captcha plugin or something similar which I find very convenient and effective against automated spam)

Rating chart for the solution

Full WordFence solution with Sucuri Firewall and Backup Solution
Price: $218.88/year = $39/year (WordFence Premium) + $119.88/year (Sucuri Firewall) + $60/year (CodeGuard). A good price for a good functionality
Protection: Pretty solid solution
Scanning: Powered by Wordfence: in-depth, server-based
Monitoring: Very well covered
Post-hacking: CodeGuard backup solution allows you to restore a website from any point
Beginner user friendliness: Quite clear and easy
Overall: A good solution

 

10.6. Full BulletProof solution with Sucuri Firewall and Backup Solution

Overview of this solution

The paid BulletProof plugin mainly adds more detection of and protection from spam and DDoS attacks, as well as more utility tools.

Apart from the BulletProof paid plugin, this solution includes a full backup solution, scanning and some more protection:
– BulletProof Security Pro (paid)
– Sucuri Website Firewall (CloudProxy) (paid)
– Wordfence Security (free)
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups against malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Two-factor authentication (you may use e.g. a free version of Duo Two-Factor Authentication plugin, also see a relevant section with plugins suggestions in my article here)
– Anti-spam plugin (in addition to Sucuri’s firewall spam protection, consider using an additional solution, e.g. free Invisible Captcha plugin or something similar which I find very convenient and effective against automated spam)

Rating chart for the solution

Full BulletProof solution with Sucuri Firewall and Backup Solution
Price: $239.83 first year ($179.88 second and next year) = $59.95 (BulletProof Security, one time payment) + $119.88/year (Sucuri Firewall) + $60/year (CodeGuard). Great price for good functionality
Protection: Good solution
Scanning: Powered by WordFence, in depth, one of the best among free options
Monitoring: Great live traffic monitoring and file change detection that shows what has changed, run automatically once a day
Post-hacking: CodeGuard backup solution allows you to restore a website from any point
Beginner user friendliness: Quite clear and easy
Overall: A good cheaper solution

 

11. All-in-one interactive score table for WordPress security plugins and solutions


Please note that the given scores are just approximate estimations of the plugins/solutions functionality. Besides, ‘Overall’ column is calculated automatically and its value is rounded, so it’s also an approximate evaluation.

 

12. WordPress security plugins compatibility

I have not researched compatibility issues in depth, but here are some notes that can be useful to you.

Some features of the plugins may overlap or be incompatible with each other, or with some hosting/server configurations. If issues arise, support tickets or the plugins’ support forums may help.

And here are some compatibility issues and tips for resolving them:

  • iThemes Security/Better WP Security is not compatible with BPS or BPS Pro (some more details here)
  • BulletProof Security & Sucuri – scanning compatibility issue and how to resolve it is here
  • Sucuri and WordFence Scanning Conflict and how to resolve it – see here
  • Sucuri’s forbidding of PHP execution in the wp-content directory may stop Wordfence from working. If you experience this issue, you need to make sure you don’t forbid PHP execution in the wp-content directory (it will weaken your protection though). Some more details are here
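
To check where such a rule is active, here is an added example (not code from this article or from either plugin): a Python script that lists the directories whose .htaccess denies requests to PHP files and the plugin folders that fall under such a rule. The sample rule text, the `site` folder layout and the `example-plugin` name are constructed assumptions; the rules a hardening plugin actually writes may differ.

```python
import os
import re
import tempfile

# <Files ...> / <FilesMatch ...> section: captures tag name, file pattern and body.
SECTION_RE = re.compile(r"<(Files|FilesMatch)\s+([^>]+)>(.*?)</\1\s*>",
                        re.IGNORECASE | re.DOTALL)
# Deny-all directives in Apache 2.2 style and Apache 2.4 style.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$",
                     re.IGNORECASE | re.MULTILINE)

# Constructed sample rule (an assumption, not copied from any plugin).
SAMPLE_RULE = """\
<FilesMatch "\\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
"""


def denies_php(htaccess_text):
    """True if a Files/FilesMatch section targets PHP files and denies all access."""
    # Drop comment lines so a commented-out rule is not reported.
    text = "\n".join(line for line in htaccess_text.splitlines()
                     if not line.lstrip().startswith("#"))
    for _tag, pattern, body in SECTION_RE.findall(text):
        if "php" in pattern.lower() and DENY_RE.search(body):
            return True
    return False


def blocked_dirs(wp_root):
    """Directories (relative to wp_root) whose own .htaccess denies PHP requests."""
    found = []
    for dirpath, _dirs, files in os.walk(wp_root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if denies_php(fh.read()):
                    found.append(os.path.relpath(dirpath, wp_root))
    return sorted(found)


def plugins_under_block(wp_root):
    """Map each plugin folder to the shallowest blocked directory that covers it.

    An .htaccess rule applies to its directory and everything below it.
    Overrides in deeper .htaccess files are not modelled here.
    """
    plugins_dir = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugins_dir):
        return {}
    blocked = blocked_dirs(wp_root)
    covered = {}
    for name in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, name)
        if not os.path.isdir(path):
            continue
        rel = os.path.relpath(path, wp_root)
        for b in blocked:
            if b == "." or rel == b or rel.startswith(b + os.sep):
                covered[name] = b
                break
    return covered


def build_sample_tree(base):
    """Create a constructed WordPress-like layout under base and return its root."""
    root = os.path.join(base, "site")
    for d in ("wp-content/uploads", "wp-content/plugins/wordfence",
              "wp-content/plugins/example-plugin"):
        os.makedirs(os.path.join(root, *d.split("/")))
    for d in ("wp-content", "wp-content/uploads"):
        with open(os.path.join(root, *d.split("/"), ".htaccess"), "w") as fh:
            fh.write(SAMPLE_RULE)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        print("PHP denied in:", blocked_dirs(root))
        print("Plugins under a deny rule:", plugins_under_block(root))
        # Remove the wp-content rule but keep the one in uploads.
        os.remove(os.path.join(root, "wp-content", ".htaccess"))
        print("After removal:", blocked_dirs(root), plugins_under_block(root))
```

In the sample tree, removing the rule from wp-content while leaving the one in wp-content/uploads takes both plugin folders out of the deny scope and still blocks PHP in the uploads folder.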

 

13. WordPress security plugins and products features comparison table

While working on this article I’ve put together features of the security plugins/products for comparison to see what functional areas they cover.

Here’s a link to the comparison table in a Google Sheet.

And here’s a screen shot of it (click on the image to enlarge):
WordPress Security Plugins Features Comparison Table

 

14. Conclusion

Website security is something that can never be too perfect. There’s always room for improvement.

You may start with free security measures if you are tight on budget and have time to do WordPress security yourself.

If you want a more convenient solution or need more robust security protection, then consider a paid security service or product.

If you have read the article and still don’t know what solution you want to go with, then perhaps the following part can give you some ideas.

 
To help you decide on each individual plugin/product, here are their strong sides very briefly:

1. Why Sucuri Security – Auditing, Malware Scanner and Security Hardening, free.

It has a beginner-friendly user interface and does good monitoring (in the class of free monitoring solutions presented in this article). And it’s free.

Check out Sucuri Security plugin or go to the section above to read about it again.

2. Why Sucuri Website Firewall (CloudProxy), paid

It’s a great, true Website Firewall solution (i.e. it protects against attacks and malicious traffic before they reach your server or website).

Check out Sucuri Website Firewall (CloudProxy) product or read again about it in the article above.

Also, Sucuri Website Firewall can really make your website faster (see my research here).

3. Why Sucuri Website Antivirus, paid

It’s the most hassle-free solution that covers the entire security of your website, including unlimited cleanups of your website in case of contamination.

Check out Sucuri Website Antivirus or read about it again.

4. Why iThemes Security (formerly Better WP Security), free

It’s one of the best solutions when it comes to dialogue between the complicated topic (website security) and a consumer (user). Its breakdown of protection measures in a to-do list manner is just very natural (and even educational) and so intuitively loved by users. Also it has a good monitoring functionality. And it’s free.

Check out iThemes Security plugin or click here to read again about this plugin above.

5. Why iThemes Security Pro, paid

It’s a great solution. The only strategic improvement would be adding a website firewall and a backup solution.

Go to the product or click here to read again about it in the article above.

6. Why Wordfence Security, free

Great scanning and monitoring (in the class of free solutions) and it’s user friendly.

Check out Wordfence Security plugin or read about it again.

7. Why Wordfence Security Premium, paid

It’s technically like its free version, but it has some more features and is more convenient to use.

Check out Wordfence Security Premium or read about it again.

8. Why BulletProof Security, free

It’s very lightweight and truly efficient in terms of protection (and it’s free!). I just love such solutions that work very well without side effects.

Check out BulletProof Security plugin or read about it again.

9. Why BulletProof Security Pro, paid

It’s a more powerful version of its free plugin, with more monitoring and backup options.

Check out BulletProof Security Pro product or read about it again in the article above.

 
And here are my recommendations regarding complete website security solutions rather than individual plugins:

  • If you are taking just your very first steps in securing your website, or don’t want to deal with serious security plugins for any reason, then look at the free minimalistic solution.
  • If you had to install only one security plugin and you want it for free, check out Bulletproof Security (free). This plugin is not heavy, effective in its performance and focuses on protection which is the most important part of your website security. Click here if you want to go back to the description of this plugin in my article above.
  • If you want a more comprehensive solution that covers also other sides of WordPress security, but you don’t have any budget, then consider this free solution to protect, scan and monitor.
  • If you had to install only one plugin or product and price is very important to you, then I recommend Bulletproof Security Pro which is super affordable, focuses on protection (the most important part of your WordPress security) and does its work very well. Its monitoring options are also very good. Click here to go back and read about it in the article above.
  • If you want a solution that is both very effective and does not require any technical experience from you, then Full Sucuri Protection and Backup Solution can be a good no-worries option for you.
  • And in case you want to avoid dealing with any security and other technically complicated things, then consider managed hosting that will be doing necessary technical maintenance for you.

For my websites I use Sucuri and Bulletproof Security products. And by the way, this solution not only does not slow down my websites (as some security plugins do), but thanks to Sucuri Website Firewall their performance actually improves.

WordPress security is a broad topic. Only a part of it has been covered in this article. Feel free to let me know in the comments, if you have any questions or thoughts.


Comments

  1. Hi Michael,
    This is Very Interesting Article, Really Amazing Information and Guidelines, I agree with You, Superb and Good Points, very Long WordPress Informative Plugin Best Security Guide, Thanks a lot For Sharing, it’s my First Visit to Your Blog, I am Really inspired, Keep it up
    Have a great week,

    • Hey Jassica,
      Thanks for your feedback!
      By the way, it’s not your first visit to my website 😉 – I see you have already left a comment for the article about hosting companies to avoid.
      And I’ll be happy to see you again!

  2. murad abuseta says:

    Hello again, I visit your site every time to see if it has new posts like that one… protect your site…
    Thank you, you’ve saved me two times now.

    One thing here I need to know:
    how can I make a post like this one?
    You did a
    “For easy navigation in this post use these links:”
    I mean, how can I make navigation links like you did here?

    • Hello Murad,
      Thanks for visiting my website again. Feel free to subscribe to the updates (if you have not subscribed yet) to get notifications to your inbox about my new posts when they come out.
      As regards links you are asking about, it’s a free plugin “Table of Contents Plus”.

      • murad abuseta says:

        I have subscribed now; I’ll verify it when I open it from my personal PC.
        Thanks for the plugin.

        One thing here I need to make sure of: before, I was only using one plugin, “Wordfence”, but after this great research I need to ask you.
        If I use Wordfence with Sucuri Security and BulletProof Security, does this make my website slow?
        I mean, do these three plugins make my site slow? Note that I use a Hostgator hosting plan.

        • In brief, BulletProof Security does not slow down your website since it’s a neat firewall at the .htaccess level.

          SucuriSecurity (free) includes a scanner that is not heavy, so I would not worry about it loading your website either.

          But Wordfence may be a heavy loader for some websites, since it’s an in-depth scanning tool. It depends on your website though – the bigger your website is, the more noticeable the load may be. So you will just need to run the scan and see how long it lasts for your website and whether it loads your website during this time.

          Hostgator is an EIG brand that is not respected at all by professionals. EIG can turn off your website without any prior notice if they think you may be using some heavy plugin. I’ve seen cases when Hostgator switched off sites, claiming that some plugins including Wordfence were loading the server, without looking into the issue properly. A decent hosting company should assist you in resolving the load issue if there is one, and not just cut you off without letting you know.
          But if your site is not big, perhaps it can be ok for you.

          • Phil Yonge says:

            I have VPS hosting with a company owned by EIG. When I recently upgraded Apache and PHP there were warnings in the PHP installation logs. The culprit was a WordPress rule in an HTACCESS file in the root drive of the server. I couldn’t get a proper response from the company due to the PHP upgrade warnings and this file. I have been considering moving my clients’ websites for a while and this has just confirmed my good reasoning for moving. Thanks for the list of decent providers in your other article.

            • Thanks Phil for your comment.
              EIG is definitely not the company that I would stay with.
              Feel free to let me know if I can be helpful to you in any way.

              • Can you post a link to your article with the “list of decent providers” as mentioned in the comment above? Thanks!

              • Excellent article and I am really glad that I found your site, a lot of interesting reading there. I am wondering whether your conclusions re best security combo still stand almost 2 years after writing this? I run my website on a VPS and am considering switching the firewall from ModSecurity to Sucuri WAF. Yet, I still have to make the decision regarding going with Sucuri AV “package” (10.3) vs. Sucuri WAF + Bulletproof” (10.6. BTW, you mentioned in another article that this is what you’re using). One very important criteria for evaluation that is missing in your article is performance penalty for implementing these security solutions. Obviously, nothing comes for free, but I would be interested to learn which of these two has the heavier toll on performance. In other words, what is less performance intensive the monitoring/scanning part of Sucuri AV or Bulletproof?

                • Hi Mike,

                  Thanks a lot for your feedback.

                  Your questions and my answers:

                  > I am wondering whether your conclusions re best security combo still stand almost 2 years after writing this?

                  Yes, this article is up-to-date. This is one of the most popular articles on my blog. And I update it each time I notice anything that needs to be changed.

                  > Sucuri AV “package” (10.3) vs. Sucuri WAF + Bulletproof”

                  Bulletproof security (BPS and BPS Pro) requires some technical knowledge for the most efficient use.
                  Sucuri WAF and Sucuri AV are very easy to use. At the same time Sucuri (both AV and WAF, which is included in AV) is considered to be the most efficient product on the market in this segment (website and web application security). There are more professional services for bigger enterprise usage, but their prices are like 10 times bigger (i.e. simply another market segment).
                  Also, as regards the most important differences that matter a lot for a typical user, option 10.3 (AV) includes, among others, unlimited and free clean-up in case of virus, malware etc. contamination. Option 10.6 does not include it (Sucuri WAF does not come with the clean-up option).

                  > 10.6. BTW, you mentioned in another article that this is what you’re using

                  I’d go with Sucuri AV, but this is too expensive for me right now. In fact, I decided for now sort of to wait till I get hacked (if this happens one day) and then I will order Sucuri AV which includes clean-up from then and forever 🙂 Maybe I will go with Sucuri AV sooner (as soon as I get more budget). After all, option 10.3 is my desired aim. For now I ignore monitoring and scanning options, focusing on protection and backups (that’s why Sucuri WAF (external firewall) + BPS (internal firewall) + Backup solution is enough for me for my website at present time as a minimum accepted solution for my website).

                  > One very important criteria for evaluation that is missing in your article is performance penalty for implementing these security solutions.

                  That’s true. I don’t have detailed research on performance for these options. But meanwhile I mention in the article which options are significantly more resource-intensive. Sucuri (WAF and AV) and BPS (BPS Pro) are the least demanding from this perspective. In fact Sucuri WAF even improves performance thanks to its caching level (sort of a CDN, but not really a CDN). I even have test-based research on it. And BPS plugins are super lightweight (they do no scanning, so it’s quite seamless).

                  As regards iThemes and especially Wordfence, they too often do harm, IMO, to the limited resources of the server, since all the work is done on your server (these guys are plugins). Especially on shared hosting. Although on a VPS it can be fine. But again it depends on your website size. I haven’t tested these guys on a VPS, nor have I paid special attention to reviews from VPS users. But I know for sure shared hosting users often complain about performance issues (this is especially so for Wordfence).
                  Sucuri’s core software is based on their servers, which makes it very comfortable for your server to use it.

                  > what is less performance intensive the monitoring/scanning part of Sucuri AV or Bulletproof?

                  I have no research on this, unfortunately. But in fact I don’t really think this should be a question. Both options raise no issues with performance, although these two products do different things. BPS does no scanning as Sucuri AV does (the most resource-intensive operation is scanning). And Sucuri AV does the scanning very carefully and gently (e.g. compared to Wordfence).
                  However, if we compare options 10.3 and 10.6, then 10.6 is much heavier because it includes Wordfence, which features scanning. Option 10.3 includes Sucuri AV, which does the scanning much more efficiently from a server performance point of view (and AV is also more efficient from the perspective of finding contamination and other security malfunctions).

                  Also, compared to plugins, Sucuri AV is the next (or simply another) generation of products. Option 10.3 is not only the best and easiest practical solution for most users (especially those without deep knowledge and the desire/ability to analyze server logs), it’s also the least server resource-demanding. Its only disadvantage is the price.

                  Hope it helps.

                  • Thanks for such a detailed response. I’ll follow your advice and switch to the Sucuri AV package. It is $80/year more than Sucuri WAF, but I want simplicity and peace of mind; I run a business website and any outages/downtime cost us a lot. Once again, thanks for such a great website, you got another dedicated subscriber here 🙂

                    • Hi Mike,

                      Just wanted to note the Sucuri prices for e-commerce:

                      Sucuri Firewall (WAF) (for e-Commerce websites you need PRO plan since it covers https and custom SSL) costs $19.88/mo * 12 months = $236.76/year.

                      Sucuri Antivirus (you need PRO plan as well for the same reason) costs = $299.88/year.
                      So the difference is $63.12

                      Anyway, Sucuri AV is absolutely the right choice. Especially for e-commerce.

  3. A pretty good plugin: Ninjafirewall http://ninjafirewall.com/wordpress/overview.php
    Can you give me a comment on it and iThemes Security?

    • Thanks Triều for your comment.
      Ninjafirewall is especially great against distributed DDOS attacks.
      As regards iThemes Security plugin I think I covered it in my post. Or what do you mean?

      • Triều says:

        Hello Michael,
        I’m talking about the combination of Ninjafirewall and iThemes Security. Is there a better combination between iThemes Security and Full Sucuri Protect? I think it’s a more money-saving solution.

        • Oh I see now.
          Full Sucuri Protection is a powerful and hassle-free solution – it’s not just a firewall, but also an in-depth scanner and an unlimited auto-hack cure service. So you can’t replace it with Ninja Firewall.
          But if you meant Sucuri Firewall (which is a part of Full Sucuri Protection), then yes, to some extent (only to some extent) Ninja Firewall can replace it. For instance, Sucuri Firewall is an external service that sanitizes your traffic, whereas Ninja Firewall is still a part of your WordPress site (which is less secure).

          • Triều says:

            I tried to use Sucuri on my website! However, I have a feeling my website became slower after pointing the IP to Sucuri (1-1,5s & ping to my website increased from 4ms to 60ms)! I am deciding between security and performance! This is really not easy! Why don’t I see you mention CloudFlare? Is it not good?

  4. Just wanted to drop a note to say thanks for putting together this in-depth article.

    I use iThemes Security Pro on several sites & Wordfence on a couple of others. They both seem to be effective for what they do. I am also going to add the Sucuri WAF Firewall to all sites…it’s hard to argue with it at that price.

  5. Great round-up. Really good effort. My only question is that iThemes is not recommended at all in your conclusion? Is there a reason it doesn’t make the cut in comparison? I’ve had good experience so far using Sucuri, WordFence, and iThemes – individually, and together. You do seem to favour Bulletproof above the others? (And the link to the Pro version is an affiliate link). I don’t mind you making a $$$ either as all the other links are free/direct links. BUT does that bias your conclusion? I guess the Conclusion I want is almost a 1-liner for each product, about why one is 1st, 2nd, 3rd, or 4th? Don’t get me wrong, great article – but WHY Bulletproof above all the others? And why not iThemes at the finish. 🙂

    • Sorry – I stand corrected. It’s not an affiliate link to Bulletproof. It’s their stoopid domain name!!! So I take back anything relating to $$$ bias. BUT my questions still stand about why one over the other – in 30 seconds…. GO! 🙂

      • Hi Damian.

        Thanks for your comment and questions.

        I’ve got no affiliate links to any security plugin at all. So far at least. But I’d add them if I could, because all of these products are great.
        Update from October 22, 2015: I do have some affiliate links now.

        As regards one-liners, it’s a good idea to make such, although it would be a (sort of misleading) simplification. I even hesitated very much whether to include a final comparison chart with star rating or not. It makes more sense to me to compare stronger/weaker sides of each solution like I did when analyzing them one by one.

        Anyway, here are summaries emphasizing the strong sides of each product:
        click here (will open in a new window – I added it in the article)

        Besides, it’s true that I favor BulletProof security, because it’s very lightweight and truly efficient in terms of protection, and absolutely not expensive (or even free). I just love such solutions that work very well without side effects. And its free version is very good. Maybe even too good to be free 🙂
        One big caveat though that many beginner users mention is that it seems too technical for them from the first sight.

        By the way, it’s not Bulletproof above all the others in the conclusion, but Full Sucuri Protection and Backup Solution as a complete and easy-to-use solution 🙂 But it’s expensive.

        And here’s about iThemes.

        Before all, I did not mean don’t use it. Quite the opposite – I recommend it, if it’s what you need. And see the analysis in this article to see if it’s what you need.

        The point is that the solutions presented in this article do their work differently and sometimes target different segments of website security (such as protection, monitoring, scanning etc). Users are better off understanding these segments to make the right choice without being misled by a false feeling of security.

        So, each plugin has its weak sides (for example, price, server load, compatibility, or the fact that they cover some segments of website security worse compared to other plugins).

        iThemes is a strong solution, so if you use it and it works well for you (no conflicts with other stuff etc), then it’s really fine.

        If you use its paid version, then the only thing to enhance is taking care of your backups (a must for everyone). Also you may consider using a true website firewall (e.g. Sucuri CloudProxy) if you experience heavy ddos/botnet attacks and other malicious traffic assaults that load your server.

        The reason why iThemes is not in the conclusion section is that the conclusion is my personal recommendation for those who find the article difficult. I could include the iThemes paid version in the conclusion, but then it would be logical to include the paid version of Wordfence as well etc. But in this case it would be a sort of repetition of the “Combination of plugins/solutions” section. I needed to make the choices narrower.

        Also, iThemes is not compatible with Bulletproof Security, which made it impossible to mention it in combination with other plugins.

        The conclusion part is just my own answer to the question “Ok, all of these plugins/products/solutions are great, but what would you finally recommend after all from your point of view for different kinds of users?”
        So I answered it my way, considering balance between efficiency, priority (which is protection IMO), budget and user-friendliness for different kinds of users.

        But again, iThemes Security Pro is a great choice.

  6. If I have 30 domains under one cPanel account (1 root domain and 29 “addon domains”) and I am about to subscribe to Sucuri WAF Pro… do I need to pay 30 x $19.98 per month… or just $19.98 per month?

    • Hi Ray, I guess $19.88 is the price for one installation (website). So, in your case I guess it will be 30 x $19.88. But go and ask them directly (e.g. via online chat form). Maybe in your case they will give you a bulk discount (why not try asking? 😉 )

  7. Jason Press says:

    Hi Michael, thanks so much for this comprehensive article!

    Do you have any experience with the All In One WP Security & Firewall plugin (https://wordpress.org/plugins/all-in-one-wp-security-and-firewall)? I’m at the stage where I will need to increase security measures on 20+ WordPress sites and we’re looking for the best fit in terms of a free solution that will work across the board to supplement a couple other paid security products (SiteLock through GoDaddy and HackAlert through SiteGround).

    I’d love to hear if you have any thoughts about the AIOWPS plugin and how it might rank against (or in combination with) your other recommendations. The main reason I ask is that we already have this plugin installed on all our sites, though we have little experience with the other plugins in terms of comparison. The easiest approach for us would be to simply add on another plugin or two in addition to AIOWPS, but we are ready to start fresh with a whole new configuration if needed.

    Thanks again,
    JP

    • Hi Jason,

      I wanted to include the All In One WP Security & Firewall plugin in this article, but it just overlaps with other plugins, so I decided not to clutter my article, which is already too big for one read 🙂 Anyway, AIOWPS is a good thing.

      If you want to increase the security and do it for free, and if you use Apache (and not nginx), then the best thing I can recommend for you is the Bulletproof Security plugin. It’s very light and very effective from a protection point of view. Its free version is very powerful, and its paid version costs comparatively very little and has an unlimited license (it can be installed on as many websites as you want).

      However, I have not investigated very deep, if it’s compatible with AIOWPS. But I think it should be. If you decide to use a free version of Bulletproof Security plugin, you may install it on one of your websites and check if it works fine. And if you want a paid version, I think you can also contact its author and ask him to make sure about compatibility with your environment. You are welcome to let me know in the comments how it will go for you.

      Also, what I’d recommend above all is to have a backup strategy, because it’s much more important than any other measures (it’s obvious, but just in case). If you already do backups regularly, then that’s great, I’m repeating this for other readers 🙂

  8. Jason Press says:

    Thanks so much for this recommendation Michael.

    I explored BulletProof a bit and have ended up purchasing the Pro version. It really is, like you said, a fantastic deal and the support has been top notch. There’s definitely a learning curve but, while discovering how to use this plugin, the instructions are also teaching me a lot of things about website security that used to seem quite foreign (it’s almost like you get a free web security training class along with the plugin!)

    I reached out to the developer of BulletProof and he didn’t think there would be any conflicts with AIOWPS. However, since BulletProof basically generates the .htaccess file for the site, I would need to place any AIOWPS .htaccess code (such as IP blacklists) into the BulletProof “custom code” area manually. This wouldn’t be too difficult but I’ve actually removed AIOWPS for now anyway as it seems BulletProof has us well covered.

    I am still planning on using the “BBQ: Block Bad Queries” plugin and possibly the “WP Security Audit Log” plugin as well for extended protection and functionality. We do have great backup systems on our GoDaddy Managed WordPress and SiteGround shared hosting environments, so if we can combine great backups with a good security system that has great monitoring, then even if something does get hacked we will hopefully find out about it right away, be able to revert to a backup, and patch the issue swiftly.

    Thanks again,
    JP

  9. Great article ! I gonna buy your solution 10.2… for free. Exactly what I was looking for. Thank you so much. You’ve made me save precious time for a WP beginner carrying a huge project to change the world 😉

  10. I prefer a combination of plugins. I am using iThemes Security, Wordfence Security and Anti-malware by ELI. These 3 can offer you great protection. Scan every week with Anti-malware by ELI, block IPs manually in Wordfence Security, and add 404 protection and protect your important WordPress folders with iThemes Security. Why iThemes? Because iThemes Security now uses Sucuri SiteCheck. 🙂 My site speed is great, so no problem if you use a combination of security plugins.

  11. Thank you very much for all the effort you’ve put into this research, it was very useful. I chose the 10.2 option. I was just wondering why you recommend all three plugins (BulletProof, Sucuri and WordFence). I know it’s never too much security, but some functionality is redundant, like the Login Security, and now I’m confused what I should be setting up on each plugin. I’m a newbie and I’m eager to learn how to protect my WP websites. Could you help me out? (more than you already have)

    • Thanks Ricardo for your comment.
      I recommend all these plugins because they together cover different segments of security (protecting, scanning and monitoring) for free.
      For redundant functionality, just choose what you like most or what suits you better. Section 10.2 covers all these segments for free.

      When you are just beginning to learn WordPress security, start with protection (read minimalistic solution 10.1 and the corresponding post Protect Your WP Site From Hacking Step-by-Step – Easy And Very Effective) and install the BulletProof Security plugin. That should be enough for a beginning.

      And if you think that you need more functionality for free (more scanning, more monitoring, anti-spam), go on with other 10.2 recommendations.

  12. Thanks for sharing such informative information with us. GOOD work.
    For more information: http://www.labstech.org/wordpress-captcha-plugin-protect-website-2014-08-24/

  13. Hey Michael!

    I just wanted to drop in and see if you would be interested in putting our security plugin (WP Simple Firewall) through its paces and comparing how it stacks up against the ones you’ve got in this list?

    We have stacks of features loaded into the plugin, which you can turn on/off as you need. Given the criteria you’re examining, I think you’ll like what you see. Would love for you to take a look!

    Thanks for your time.
    Paul.

    • Hey Paul,
      Thanks for your suggestion.
      WP Simple Firewall is indeed worth looking at. It’s a pretty popular and highly rated plugin.
      But this article is already overpopulated with information.
      I’ll think how to review more security plugins.

      • Hey Michael,

        Thanks for your consideration on this. I know it’s a big enough job to review 1 plugin, nevermind all that you’ve covered already. I totally get that.

        I appreciate you taking the time to at least consider us 🙂

        Let me know if you have questions or need clarification on anything.
        Cheers!
        Paul.

  14. IMPRESSIVE !
    That’s the only thing I can say. Impressive amount of data. I don’t even know if so-called experts know as much about WP security, and I have just read the Google Sheet comparison table.
    Keep up the good work.

  15. I personally like All in One Security as well as Sucuri.

    I tried Wordfence and was put off by the confusing UI and the fact that some of its key features (namely, IP blocking of bots using usernames like “admin”) failed when conflicting with some of my other plugins. Full review here: https://wordpress.org/support/topic/ok-but-needs-improvement?replies=1

    Michael, I hate to ask but… did you receive any incentive or product licenses for this review? It’s very impressive and in-depth, but I was surprised All In One didn’t make the list. (I have no connection with AIO.)

    • Hi there,
      Thanks for your comment and your question.

      The story behind this article is quite simple.
      I just wanted to compare very well-known and popular security plugins or products and make up a couple of strategies for securing the WordPress website.

      Since there are many security plugins, I just took some of them. I could not take many, because it would make my article even bigger, which was not what I really wanted.

      So, I’ve chosen the plugins and products to review simply by how popular they seemed to me after quick overview in Google search and in different blogs. Those four products I’ve selected just seemed to me more frequently noted and recommended by both marketing and technical bloggers. That’s it.

      And the article already took so much time and I wanted to finish it as soon as possible without sacrificing the quality of the article. The idea of including some more security products or plugins in the article just made me sick 🙂

      That’s why AIO, as well as many others just did not get into the list.

      Answering your question about compensation – no, I did not have any connection with companies or the plugins developers or compensation for writing this article.
      However, I’ve become an affiliate of Sucuri and BulletProof premium products because after my research I have come to the conclusion that these products are the best in what they do among the others in my article. But I joined these affiliate programs only several months after I published this article, when I realized that these products had affiliate programs 🙂

      As regards your issues with WordFence, I see you make valid points regarding functionality and UI. Let’s see if (how) the support will answer you. Anyway, if there’s something not functioning, it should be fixed.

      I hope I answered your question.
      And thanks again for stopping by!

      • thanks Michael! & thanks for the speedy reply.

        sounds good — I thought your work was too indepth and personal to be a marketing effort, and I’m happy to hear you did this honestly and properly.

        glad you liked my comments about WordFence — hopefully they improve! honestly, none of the products have had 100% of what I wanted, but AIO + IP Blacklist is what I’ve settled on for now. I hope they all improve so I can reduce the number of plugins on my sites!

  16. Hi,
    In 10.3. Full Sucuri Protection and Backup Solution you mention that you use CodeGuard in addition to Sucuri which has a backup option. Since I understand Sucuri now includes the backup option in the pricing, is there no need for CodeGuard with Sucuri?

    • Hi John,
      As far as I know Sucuri backups is an additional service.
      However, I’ve just asked Sucuri support about it to make sure, and here’s the reply:

      Hammer: Hi Michael how are you today?
      Michael: Hi, do you include backup option in full Sucuri protection price? Or is backing up paid additionally?
      Hammer: Backup is an addon runs 5 per month per site or 60 a year 🙂
      Michael: Okay , I’ve got it! Thanks
      Hammer: No problem happy to help

      Anyway, CodeGuard is a more powerful and backup dedicated solution. And CodeGuard is even cheaper 🙂

  17. What about WP All In One Security & Firewall plugin?

  18. Great article Michael, I have my site on a shared Windows hosting server, so I think Bulletproof is not a good solution for me as it uses .htaccess. Do you suggest any plugin which will work well for Windows hosting? I also don’t want to slow down my site while protecting it.

  19. Orlando says:

    Michael, very good job on this research.
    It’s the kind of work that saves you time.
    I subscribed to your list.

  20. Hi Michael,

    After trying all of the above plugins independently on a local install of WordPress I opted for Bulletproof Security Pro. I am wondering why you only gave a post-hack of 2 stars with regards to my two points below:

    1) Its file monitoring and file backup restoration looks excellent. On a live site any changes in the WordPress backend to my Gantry 5 framework custom made theme files were immediately quarantined. Even with a manual restore of new or altered files within Bulletproof Security these files were again immediately quarantined as they should be. I then went through the proper procedure to mark these files as safe.

    2) The DB backup scheduling can be set to hourly with the backup sent by email so surely this should warrant more than a 2 star rating – can you elaborate more on why you gave it such a low score please?

    Many thanks,

    Phil

    • Hi Phil,

      First of all, thanks a lot for your thoughtful comment.
      And I appreciate you taking security things seriously.

      As regards the score for BPS Pro.
      Above all, BPS is great stuff and I’m glad you also have this opinion after checking it out.

      Regarding the post-hack score particularly, BPS Pro indeed has a feature to back up standard WP files. It’s not a complete website backup like CodeGuard makes, but anyway this is much better than simply scheduled DB backups. Not sure how I missed the files backup feature of BPS Pro, but this is a good reason to make the score for BPS Pro’s post-hack higher.

      As for quarantine, this feature is eligible for Monitoring in the first place. And monitoring score for BPS Pro is pretty high.
      Of course, quarantine feature can assist with post-hacking procedures as well.

      After all, I agree with you, that considering files backup restoration option, the post-hack score should be higher for BPS Pro. I will fix it and make appropriate amendments in my article soon.

      Thanks again for your comment and asking your questions.

      P.S.: I updated my comment by removing irrelevant information regarding Sucuri free plugin (In my comment I messed it up with free plugin from CodeGuard 🙂 )

      • Many thanks for your reply. I was a little premature in my post as I have had more time to really look at the pro version of BPS.

        I am interested in your response about the BPS Pro backup feature. I’m not sure what you mean by saying that it doesn’t have a complete website backup. It does have individual functions for backing up, deleting and restoring all root files; wp-admin folder files; wp-include files; wp-content files and even functionality for creating backups of custom files and folders.

        The quarantine function of files is so good it became a nuisance as I was working on a site and edits and additions weren’t viewable on the front end. Using the in-built auto-restore just leads to an automatic quarantine again unless the proper procedure to mark files as safe is implemented. This is fantastic monitoring and post-hack functionality, is it not? The database also has a monitoring tool that can be set to check changes to a combination or all of the database tables as often as one minute with email alerts. If the database is compromised it also has an in-built database comparison tool to check and see changes to the database – couple this with regular database backups sent by email and this seems to be an excellent monitoring and post-hack restoration solution.

        I would be really interested on my thoughts about this as I’m new to WordPress after many years as a Joomla user.

        Many thanks,

        Phil

        • Hi Phil,
          Before all, I’d like to thank you for your valuable comment and let me note that although you are new to WordPress, you are more skilled than a vast majority of WordPress users. Most people simply are afraid of using BPS since it is not that sexy from a beginner user’s point of view. You can easily deal with BPS and you are kind of a user this software was exactly created for.
          As regards BPS Pro backup option, it’s great, but unlike CodeGuard backup (or some other backup services) its user experience is not that smooth, and as far as I know, it does not allow sending backups to a safe off-site place (sort of a cloud storage). Sending backups by email is cool, but this is limited or more risky by design (e.g. possible issues with backup size, not incremental backups, dependence on email functionality).
          As regards post-hacking, before all, a typical user will find BPS Pro more difficult to use to restore a website after a hack. The user needs to be technically skilled enough to use BPS Pro properly so that when a disaster happens, the user could have everything under control, organized and at hand to restore the website without any hassle.
          Also, BPS Pro does not have malware clean up functionality that Sucuri product has (it probably does not look so cool for users who are skilled enough to compare files and database changes and do the clean-up by themselves though and thus analyze the holes in security). Again, most users want to have a sort of one-click clean-up or 1-click restore functionality with very little or no prior work with as little skills and knowledge as possible. And BPS Pro is just targeting more professional and tech-savvy users like you. Most other users want much easier, user errors prone solution with cleaner UI and smoother UX.
          Thus, I totally agree with you that BPS Pro is a fantastic monitoring and post-hack functionality, but I have to add that this is so for quite advanced users who know very well what they are doing. For less technical users (i.e. the majority of users, they have even never ever opened cPanel in their life) dealing with BPS is simply not their cup of tea, too difficult and too error-prone because of lack of technical skills or time to devote to managing it.
          As a final note, I’m sure that BPS Pro is an awesome tool in the right hands (like yours:)) And the fact that BPS is very affordable makes it a favourite choice of many advanced WP users.

          • Hello Michael,

            Thank you for your reply and sorry for my late reply. Having thought about it I completely agree with you. I am fully comfortable with htaccess and php.ini files and why they are so important, yet I had to spend a considerable amount of time configuring and understanding BPS Pro as there is so much functionality to configure properly. I feel a beginner with their first WordPress site would really struggle to understand and configure BPS Pro to make the most of it and be able to recover from a successful attack in a short and painless manner. The support is excellent though and for the multi-site license price it is a fantastic tool for more experienced users that may not have a budget to afford Sucuri.

  21. Hello Michael, Thanks for the great article! It was very helpful.
    I had a question regarding the MOST secure solution regardless of price.
    Would you say that would also be BulletProof Security? And I was also wondering IF I could combine WordFence Premium with BulletProofs to cover the holes in BulletProof Scan wise and such.

    • Hi Kenneth,

      Thanks for your feedback.

      There are some conflicts between security solutions. Some of the conflicts can be resolved. See this section for more details.

      BulletProof security is a great plugin, but mixing all the possible security solutions altogether is an overkill.
      In my article I’ve suggested balanced solutions.

      I have not heard of unresolved conflicts between Wordfence and BPS. However, potentially mixing these security plugins can interfere.

      If you already have Wordfence premium, I also suggest looking at this solution.
      Basically, in addition to Wordfence, the solution has offsite web application firewall (very efficient!) and fast reliable backup solution.

      Thus, you can try adding BPS to your arsenal, but you will need to check if there are any issues after you start using it. The more security plugins/services you use, the more it’s risky to get a conflict.

      And for the most secure solution regardless of the price and without risking to get a headache of compatibility, I suggest this solution based on Sucuri product.

      Adding BPS to it is an overkill in my opinion, and you will need to resolve a compatibility conflict.

      • Kenneth says:

        Thank you Michael! Wordfence has been good but based on the price and your review of the protections of BPS and Sucuri I think I’ll go with that combo. I’m training in Offensive security myself so I can’t help seeing every opportunity for exploitation now, and there’s a lot! I like the fact that these two groups seem to take it seriously.

        • Kenneth, just wanted to note that before all make sure you have a backup solution (or at least the newest backup at hand all the time). I would put it number one website security preventive measure 🙂

  22. Great article, but the NinjaFirewall is one of the best options and few talk about it.

  23. I tried to subscribe, but I keep redirected to feedrunner.google and it doesn’t let me proceed. Perhaps because I have two google accounts, personal and work.

    • Hi Frank,
      Sorry for the issue. Not sure why it does not work for you, I will need to check it out additionally.
      Meanwhile, I’m sending you an email and will gladly subscribe you manually.
      Thank you for letting me know about it.

  24. saajan bedi says:

    I want to use Sucuri Security, iThemes Security and All In One WP Security & Firewall (& Clef for two factor authentication). Can you tell me whether these plugins are compatible with each other or not, and
    is All In One WP Security & Firewall a better alternative to BulletProof Security?

  25. Wow, great and detailed information with proper solution. I am new to WordPress and I have tried many security plugins but each and every time my blogs got infected. To overcome this I read many articles, followed huge number of blogs but most of them ended up saying choose whatever suits you. Finally I ended up using iTheme security + wordfence and ninjafirewall. But I was not satisfied with my this combination and finally your article and proper solution mentioned by you is totally satisfactory for me.
    My current setup is:
    Https + cloudflare free plan + iTheme security + wordfence + Ninjafirewall with changed login page and two-factor authentication.

    Please suggest: should I replace wordfence with Sucuri Security (mentioned in 10.2), and remove ninjafirewall or not? After reading your article your suggestion really means a lot to me.

    Thank you so much.

    • Hi Saurabh,

      Thanks for your comment and your question.

      I’m not a fan of free Cloudflare plan since as I know from reviews it can decrease the site performance (particularly make your site unavailable). But it works as one more free level of protection. I use a paid website firewall security solution from Sucuri (CloudProxy (WAF)) which is the most efficient website firewall on the market in the affordable pricing range.

      As regards your configuration, I don’t know your concerns, but I think it’s too heavy and can affect negatively your site performance. If the speed is not the issue for you, then it may be okay.

      The free configuration I suggest in 10.2 is optimized for performance with all sectors (protection, monitoring, scanning) being covered.
      However, if you have some budget, I’d recommend simply get rid of the most heavy plugins (e.g. especially wordfence, ithemes) and just use the paid website firewall.

      I try to make my website as fast as possible (as well as highly protected) for a reasonable price. So, I use WAF, BPS (very light weight and effective for protection) and incremental backup solution. It’s the fastest (and very secure) combination I know without paying extra.

  26. You should try LCS Security – works really well. My site was under a barrage of failed login attempts and some adware content got injected somehow. This plugin looks like a newcomer, but it really got rid of most hacking attempts and content injection within just a few days after installation.

  27. Frans Kemper says:

    Hello Michael,

    What a great read. It took me 2 coffees to get through it, but worth while the time. Thank you. It made a lot of stuff clear to me.
    For my sites I am using impossibly complicated passwords of 25 characters; random admin login name; Clef 2-factor; pro version of updraft backups; A2 hosting protection; and AIOWP.
    I am very poised to purchase the BPS PRO. Do you think that this could be complementary and not a lot of conflicts? And is there anything else you like to add to complete the hardening package?
    I played around with Wordfence, but that is using a lot of memory resources at the server level.
    Thank you in advance and very best regards,
    Frans

    • Hi Frans,

      Thanks for your comment and your question.

      BPS would duplicate a lot of functionality of AIOWP. Not sure about conflicts, but anyway I’d use either one or the other. After all, my choice is BPS, because it’s more professional. But at the same time AIOWP has a more beginner user-friendly user interface which can be a deal breaker for some users.

      Also, if you have budget, it makes sense to go with an off-site firewall from Sucuri which is the most powerful and absolutely hassle-free offsite firewall option among affordable solutions on the market. Plus it makes your site faster thanks to its caching level located at Sucuri’s servers (I will publish a post about it in a day). It will be complementary to your security arsenal and that would be enough for your website protection.

      • Just to add to my previous reply, here’s the post about how Sucuri Firewall can make a website faster (and a comparison to some other caching options).

      • Frans Kemper says:

        Hello Michael,

        Thank you. I already decided to acquire BPS Pro. After all this is a one time investment and very affordable.
        Regarding the Sucuri Firewall, this is way too costly. I run about 8 sites, mainly for artists, associations and NGOs. Not a lot of budget there.
        Moreover, I am based in Brazil and with the USD very high at the moment, the cost of this is higher than a minimum monthly salary here.
        Can you please suggest me another firewall solution that complements BPS Pro and is more affordable?
        And also, are you saying that BPS Pro’s firewall does not cover enough protection?
        Thanks again and very best regards,
        Frans

        • Hello Frans,

          Protection can never be enough. Anything can be hacked. The point is to make it too difficult for a hacking script or hacker to deal with your website.

          Sucuri Firewall is different from others because it serves as an off-site firewall (a true website firewall). So this is a layer of protection that is located outside of your website and servers. BPS and other plugins is the protection that is located already within your website and it works a bit different way.

          It could be a very rough comparison, but think of Sucuri as the protection suite for a doctor who deals with deadly contamination, and plugins as an immune system of the doctor 🙂

          I have not heard of a more affordable solution that could replace Sucuri in your situation.

          With multiple websites and limited budget, BPS Pro would be the best choice for you. Just one BPS Pro license allows you using it on as many websites as you want. Also, if you buy it, feel free to ask its support about your hesitations about the conflicts with other plugins. BPS Pro’s support is superb and will tell you everything you need.

  28. Wow What an Article, you’ve covered each and every detail in providing valuable information. Definitely going to share among all beginners. Thanks a lot mate 🙂

  29. Thank you Michael for the very comprehensive article. It made me wonder if my setup with iThemes Security Pro is sufficient or should I start looking into some additional plugins. I have backup with Backup Buddy and I’m happy with it. Also, what is your experience of switching from one security plugin to another? Have you encountered any issues in that area?

    • Hi Michael,

      iThemes is a plugin, so it stays inside of your WP installation and has all disadvantages and risks that any plugin has inside your WP installation and inside your hosting environment. A true website firewall such as Sucuri WAF (the one I use) will definitely make your website more secure, protect from DDOS and other malicious traffic and save you a lot of bandwidth traffic.

      A great bonus of Sucuri WAF is that it can also make your website faster thanks to its caching level (here’s my research on it)

      As regards BackupBuddy, I’m not really a fan of it, although it’s quite popular among bloggers. I explain in this article why. In short, it’s less efficient than incremental backup alternative solutions, more risky regarding how fully it backups and more expensive if you are on a subscription.

      Switching from one security solution to another is not a problem at all. It’s a matter of uninstalling a current plugin or/and adding/installing another product.

      If you want to add another security solution, then you need to look after possible conflicts between plugins. I have this covered to some extent in this article in this section.
      And Sucuri WAF is 100% safe to add, since it’s an off-site and off-your-hosting firewall.

      Feel free to contact me if you have an idea of your new security solution and I can confirm you that you are safe on your intentions 🙂

  30. I am using Wordfence but Wordfence is using high CPU. How to set a CPU limit on Wordfence?

    • Hi Acil,
      Thanks for your question.
      You cannot control CPU usage consumed by WordFence.
      The only things you can do are:
      1. In order to reduce CPU load time you can scan your website less frequently than once per 24 hours (you can change it only in paid versions of WordFence)
      2. Reduce interval of how often the live traffic data is updated (read more here).
      3. Upgrade your hosting to have more CPU resources, e.g. take a managed VPS or self-managed VPS (if you know Linux well) .
      4. Change your hosting provider and use managed WordPress hosting that takes care of your website security.
      5. Use an alternative solution to WordFence. In this article you can find information about it. You can find some recommendations above.

  31. Hi Michael,

    great article, thanks. I am setting up my webpage and testing some security plugins.

    What about the plugins that hide the wp-admin or wp-login.php?! Should we install them as first security level? In the Bulletproof forum I found this answer from Bulletproof staff:
    “Trying to hide things would probably stop a human from clicking around and finding your login page or wp-admin page/folder, but this is not an effective security measure against hacker Bots. 99% of all hacker recon, hacker scans and hacker attacks are automated and done with Bots (not a human). You cannot hide things from Bots because they do not look for things visually. ”

    What are you thinking about that?!

    Best regards

    Laith

    • Hi Laith,

      Edward from Bulletproof Security knows his stuff very well. And I agree with him.
      I don’t think that hiding your login page should be your first level of security.
      On the first level you should have a strong password and updated software from a reliable developer (and backups). Then your security plugins come into play.
      Hiding your login page is not very effective for the reason Edward mentioned. And in this scenario (bot or human hacker attack) 2-factor authentication or even a free plugin Stealth Login Page in conjunction with login limit attempts functionality work much-much better.
      At the same time hiding your login page can be an additional (and not compulsory) measure. But anyway, it’s not the first level of security.

  32. Hello Michael,

    Thanks for your comment. Indeed I use Generator for user name and for Password.

    I like the combination: Sucuri + Backup. But it is really expensive! I have two domains and this would cost 500 $ a year. Sucuri does not offer any discount neither for start-up nor for Student! I think their main target group are companies not private persons.

    Thus I moved to BulletProof. It is indeed not very intuitive, hard to setup and configure, but they have the best price for a pro version and they said, in the last 5 years, none of their over 30.000 customers has had a security problem!

    Thank you again for this great article. It helped me choose the right security plugin and it is for me definitely Bullet Proof Pro.

    • Hi Laith,
      BPS Pro is a superb security plugin for very affordable price.
      Sucuri indeed targets website owners who can afford at least $10 per month (this is how much their Website Firewall costs). And this company offers the best security products on the market in its segment.
      BPS Pro’s support is fantastic. Even if something is not very clear from a technical point of view for you, you’ll get the assistance you need.

      • Hi Michael, I purchased BPS Pro. It is indeed great, but really hard to install and to configure! I don’t have the time to understand each warning and logs take care about it! It is logging my pro plugins, and to add exception for that is really not intuitive. I must read the docs. I think Sucuri has user-friendly UI. I am thinking to keep BPS Pro for my second site and purchase Sucuri for my other site, which is informative site and I will offer there services. So what plan do you recommend the basic or the Pro plan from Sucuri? Best regards, laith

        • Hi Laith,

          Sucuri Basic and Pro differ by support time response, frequency of scanning and type of SSL certificate. And from a security point of view, there’s not much difference. So, Basic plan is enough if the above points are not important to you.

          As regards BPS, indeed it frightens off non-technical users. But even if you just install it (running Install Wizard) and leave it as is after that, it does its work well. And the warnings you see in your WordPress dashboard are additional measures for even more security.

          Anyway, of course Sucuri products are a higher-level security/monitoring product and it has unlimited clean-up option included with a beginner user-friendly interface. Sucuri is the best choice a website owner (individual and small/middle business) may have.

          By the way, don’t forget to take care of your website backups. And then you are covered from any disaster and attacks.

  33. If I may submit a suggestion regarding security: I had myself very good experiences with Sucuri (https://sucuri.net/): not only it does allow for a firewall (one that visitors won’t notice) and is very compatible with WP (minimal configuration required), but cleaning your site in case of hacking is included. However, it depends of your needs. And also, not all WP hosting services allow for Sucuri (the current one that I am using, for instance, has its own safety measures that are not compatible with Sucuri). Anyway, just wanted to report that I had only good experiences with Sucuri: reliable company and products. (Sucuri is not only meant for WP, but for any site.)
    A newcomer to the security field, and one meant for WP only, is Secupress (https://secupress.me/): this is from the same company behind WP Rocket (cache) and Imagify. But I have only made minimal testing, thus I cannot provide a well-founded evaluation.

    • Thanks for your thoughts and sharing your experience, Jean-Francois.
      As regards incompatibility of Sucuri Antivirus product with some hosts, I guess this is quite a rare case, especially with a typical hosting. For those managed or premium hosts which offer alternative website firewall or cleaning up solutions I assume it can be a case.

  34. Hi,
    I read carefully each line of your article and I want to congratulate you! It’s written and contains very useful information that once implemented make your life easier thousand. I want to tell you that I chose Blogvault because allows me to see live the backup that I want to use it. I have only one question, can you please recommend a good solution for security? Thank you

  35. Hello Michael,

    what do you think about combining Sucuri Pro Plan with Wordfence Premium paid plan?

    Sucuri is one of the best security for WP and their support is amazing!
    Wordfence has some very interesting & useful tools.
    Do these combinations work well? or does this slow down the loading-time
    or do these both block each other 🙂

    Is this like computer malware scanners? It is not allowed to install two at the same time
    they block each other and have a lot of conflict.

    What do you think? Looking forward your answer.

    Best regards

    • Hello Laith,

      I’ve seen Sucuri and Wordfence conflicting. But it kind of can be resolved. You can read more about it here.

      However, I think it’s not a good idea to combine these two products. In my opinion Sucuri is a more preferable choice for many reasons including performance. WordFence is known to slow down your site because it’s a plugin and all the intensive work is done on your server.

      Sucuri Pro includes the best options that you can expect from a website security product including scanning your website back-end. And yes, a part of security products (scanning functionality) can be compared to computer malware scanners.
      By the way, if continuing the analogy with PC protection, Sucuri also has an external proactive protection (sort of a firewall or internet security you may use on your PC). Sucuri has Website Application Firewall included into its Pro plan. And WordFence does not have it because it’s not possible due to the fact that WordFence is just a plugin installed INSIDE your WordPress.

      I described the best configuration for website security and peace of mind in this section.

      However, if you love some specific features or tools from WordFence, I’d try to find a more performance-friendly replacement for them if possible to avoid using the whole WordFence if you use Sucuri Pro.

      Also don’t hesitate to contact Sucuri’s support to know what they could suggest you.

      The bottom line, using these both products at the same time is sort of overkill. I’d stick with just one of them (and I definitely prefer Sucuri because of better results, more peace of mind and better performance).

      • That’s a very interesting information. I have Wordfence on my website and it really does slow it down! According to P3 Plugin Profiler it takes about 40% of my website speed! This happens even though I have done some research and changed some settings (improved about a couple %). So, Sucuri is faster than Wordfence and still gets the job done? Where’s the catch;)?

        • Hi Dave,
          Thanks for your comment and your question.
          WordFence is the plugin that works completely inside of your WordPress and all work is handled by your server. Shared hosting suffers from such load.
          Sucuri is the product that runs its software on its servers, not yours for almost any activity (firewall, monitoring, scanning), and it affects your server to a very little extent. It connects to your server for scanning, but the software does not load your server even close as much as WordFence. You can have a look at these two articles (1, 2)

  36. Hi, Michael 🙂

    I just would like to mention that in times of lower and lower and lower content quality on the internet your posts are a miracle. You run an upstream trend that I hope will win some day. Be proud of what you do, really. Thank you for this post. Maybe people do not want to read long text, but I do. 🙂

    Best,
    Mike

    • Hi Mike,
      Thanks a lot for your comment!
      Yes, I’m proud of what I do 🙂
      Of course, it takes time to gather all the information and write the long posts, but I guess my efforts will pay me back.
      People find my posts useful and it makes me feel I’m on a right way.
      Also, I try to make my posts scannable and I add table of contents so people could easily skip what they don’t need and get to the most wanted parts of the writings.
      And thank you for reading!

  37. I notice the Sucuri WordPress Security Plugin is only compatible to WP 4.6.2.

    • Hi Shirley,
      Thanks for the information.
      By the way, I’ve noted that some plugins are still not compatible officially with the newest WP version. For example, W3 Total Cache. But they work 🙂
      Anyway, I don’t see any issues raised in the Sucuri plugin support thread about incompatibility.

  38. This is the best security plugin post ever!
    GREAT JOB!!!

    Thanks for posting this info

  39. Hello Michael,
    Your article has become my reference. It is the most comprehensive available and often referred to in the various FB groups.
    My only doubt is why you did not include AIOWP. This security plug in definitely belongs in the short list of big ones, although too little known.
    I would be very curious, and many with me, how they stack up against the others,
    Love all your research and honest opinions,
    Best regards,
    Frans

    • Hello Frans,
      Thanks for your question and sharing my article 🙂

      Answering your questions:

      > why you did not include AIOWP?

      I also answer this question in this comment. The resume is that writing this article was a real challenge and it took much more time than I planned. Including more plugins into the list to review looked like a nightmare 🙂

      Also, AIOWP is mentioned several times in other comments (Ctrl+F and search for “AIO” on the page).

      After all, I have not looked very deep into AIOWP, but it looks good. I’d say it very roughly, that AIOWP from an ordinary user’s perception is something in between iThemes, Wordfence and BPS. AIOWP’s strongest side is its combination of firewall options (not very clear topic to most users) and other nice features (familiar to most users), plus friendly user interface.

      BPS offers better advanced security options IMO, but lacks some familiar to beginner users options that AIOWP has.

      At the same time AIOWP looks more user-friendly (and sexier) than BPS and this is a big advantage in the eyes of most users.

      However I favour BPS (especially BPS Pro) more since it’s a more professional tool with more advanced options. But if someone finds BPS too difficult to deal with, AIOWP looks like a good alternative to use.

  40. Hello Michael
    You’ve heard this over and over again but I will say this one more time:
    Your content is king!
    King in value, in relevance, in its super logical organization, and its efficiency.
    Keep it up!
    I found you on Quora while I was looking for answers about website security, and was immediately hooked over your content.
    And yes, I had also subscribed to your newsletter, Thanks!
    Here is my question which I assume could also relate to many other users:
    I am looking to backup and secure my website with Sucuri and Codeguard, but I have a problem connecting to CodeGuard:
    Codeguard provides FTP or SFTP connections, while my host does not enable FTP (plain text) on their shared environment – they provide FTP over SSL/TLS (FTPS) which is not supported by Codeguard.
    Now, I very much want to have Codeguard’s “time machine.”
    What would you suggest?
    Is it worth perhaps to move my website to another hosting service, isn’t that too risky?
    (My WordPress-based website is connected to a database that is hosted on Amazon AWS).
    Could you please advise, and if possible, I would also appreciate if you could suggest me a good tech guy or company that could do this transfer, and maintain my website and add features to my web application.
    Thanks!

    • Hello Nissim,
      Thanks a lot for your kind words.
      As regards CodeGuard, have you contacted these guys? I guess they should support your hosting security configuration.
      Transferring website to another hosting is usually free and is done by your new host. But switching hosts only because of backup system incompatibility is sad. Try to contact both CodeGuard and your current hosting so that the tech guys in both companies could resolve the issue if there’s any.

      • Yes Michael, I have obviously tried both support teams, CodeGuard and my hosting and they have both said that these are their given limitations of their systems.
        My hosting suggested that I could transfer my account to their VPS package if I would want to use FTP, but that package is more expensive so I’d rather configure my site all over again with a host that provides SFTP.
        Do you think that this is my better option if I want the CodeGuard service, or else?
        Thanks,
        Nissim

        • Hi Nissim,
          Well, I see. Very sad that you can’t use CodeGuard with your current hosting plan.
          So, I don’t see much of a choice here apart from either a VPS with your current hosting or going with a new hosting.
          By the way, in addition to files backup, there can be issue with your database backup as well (I don’t know if CodeGuard can handle the AWS database configuration with your current hosting). If backing up database is also an issue, then switching hosts is the only choice to use CodeGuard fully.
          If you decide to switch your host, then I suggest contacting the new host and CodeGuard to make sure both files and database can be backed up by CodeGuard.

  41. First of all, thank you for this informative article. This is helpful for my website. By the way, I’m using itheme security before its wordfence.

  42. The Gunman says:

    Thanks for sharing your knowledge, I think I’ll stick with standard Wordfence free version.

  43. Miguel Ángel says:

    Hello Michael,

    Thank you very much for all of your hard work gathering accurate information about this important issue.

    I’m developing a site on Siteground.

    For now I’m using free Cloudflare proxy.

    I have no budget at this moment.

    I’m considering the 10.2 free solution but I’m not sure about installing Wordfence because I don’t want to slow down the website.

    What do you think about leaving out Wordfence plugin ?

    Of course, after reading carefully your excellent post, as soon as I have budget, I would change to Sucuri WAF or Sucuri AV.

    Thank you very much in advance.
    You are doing a great work helping beginners like me.

    • Miguel Ángel says:

      BTW, what do you think about replacing Wordfence by NinjaFirewall ??
      Is Ninjafirewall a heavy plugin which could harm the performance of the site ???

      Thank you again Michael.

    • Miguel Ángel says:

      Sorry, a last question.

      If I remove Wordfence, would I need another plugin for brute force login protection ?

      Thank you.

      • Hello Miguel,

        WordFence’s strong side is scanning (and the most resource-demanding by the way). Of course, you can leave it out.

        As regards Ninjafirewall, I don’t think it’s a heavy plugin (especially compared to Wordfence). Although Ninja’s functionality is overlapping with Bulletproof Security. I’d use either one or the other.

        As regards brute force attacks protection, Bulletproof does it for you. But remember that like any other plugin (including Ninjafirewall, Wordfence) its protection is located on your WordPress (server) level. True brute force protection can be done only with an external web application firewall (e.g. Sucuri WAF).

    • Miguel Ángel says:

      Sorry Michael, I can’t see your answer here on the blog.

      I’m browsing with incognito mode.

      Thank you.

  44. Came across this article recently. I am using wordfence. It does the job pretty well but I have a feeling that it slows down my websites. After reading this, I am planning to switch to Sucuri. Thanks for this wonderful article
