As I’ve mentioned in a couple of previous posts on security (Basic and Advanced DIY), most folks don’t need anything fancy to provide effective security for their sites (unless you are Verizon, or ExxonMobil, or a celebrity blogger).

However, if you are getting just a bit more popular (say, 50 followers or more and more than a couple of comments per post), then you will become a more lucrative target for hackers. In that case, you may want to look into a specific security plugin for WordPress. All of these plugins provide enhanced versions of the brute-force login defense that WordPress’s Jetpack feature package provides for free, as well as actual firewall systems, malware scans and fixes, monitoring reports, and backups.
I have gathered some info on three of these for you to review and decide if you want to try them. I also tested two of them on different sites because they start with free features. My results follow.
Sucuri
Sucuri looks like it has a robust set of security measures and support that would be great for an individual with an active site, an established ecommerce system, and regular income from their site. Sucuri has a free version that comes as a WordPress plugin. You can see a good, balanced review here at Elegant Themes. Unlike with other security services, though, Sucuri’s basic firewall feature requires payment. I also noticed that at the Sucuri website, no mention of a free plugin appears and the focus is entirely on paid products. So, yes, the WordPress plugin starts as free, but Sucuri doesn’t make it easy to get there from their main site. To get the freebie, you need to use the Plugins option in the left panel of your WordPress dashboard and search for Sucuri.
WordFence
I tried out the free version of WordFence on one of my sites for several months. Definitely got the feeling of having more than I needed, but I can see it would be a good product for folks with active sites. They do keep bothering you about upgrading to premium, and the email notifications (if you activate them) are a bit more frequent than I like. I did benefit from their blog posts on website security in general, though. They provide a heads-up on technical changes that can affect the security, or just the operability, of your site.
I found their interface and settings to be straightforward, with default options that kept me out of the “weeds” of more complex settings if I didn’t want to go to that level of control. Made me feel more relaxed about the basics being taken care of.


All in One WP Security
All in One has quite a few features for a total freebie plugin. It doesn’t just monitor your site; it also provides a firewall option, protects against bogus login attempts, and keeps your .htaccess file safer from hacking (the hack that can send everyone to that porn site). I am not sure if they can handle a serious denial of service attack that might be made against an enterprise site, but for individuals with robust blogs, they will probably do just fine.
I do have one beef with them, and that is that their interface is a lot more geeky and has tons of options to go through to set the thing up.

That’s just a bit overwhelming in my opinion, so if you don’t have a geek hat or skill set, you may find something like WordFence a lot easier to understand. And this is something that I’ve found with free plugins and themes in general: they can have a lot of useful functionality, but they can also be difficult to set up or have way too many options to manipulate. Simplicity of code still seems to be one of the key features of software excellence.

Up to you if you feel comfy or not with messing with your .htaccess and wp-config files.
My current plan is to stick with basic preventive practices and a good backup system. I think when I do get big enough to need this level of active defense, I will lean in the direction of WordFence for the knowledge base, the simple interface, and the ability to get a bit more for free than with Sucuri.
Do let me know your experience with these or other site defense systems. I’d love to know!