PHP Classes
PHP Classes
elePHPant
Icontem

Best WordPress Security Plugin 2017 and 2016 - Comparison of Free and Commercial Versions of New Plugins and Support Services

Recommend this page to a friend!
  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog Best WordPress Securi...   Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  

Author:

Updated on: 2017-04-14

Posted on: 2 months ago

Categories: PHP Tutorials, PHP Security

WordPress is the most popular Web publishing platform. Since it is used by many Web site owners, it is also a target of many security exploits.

Many WordPress site owners do not know enough about security to protect their sites from being abused. Therefore they need to use plugins and tools to help them prevent and eventually fix security issues.

Read this this article to compare the features of the most recommended WordPress security plugins so you can pick one that addresses your needs.




Contents

Live Article Notice

Why WordPress Needs Security Plugins?

Important WordPress Security Practices

List of the Best WordPress Security Plugins 2017 and 2016

WordPress Security Plugin Comparison Side by Side

What WordPress Security Plugin should I Choose?

What if I still Have Security Problems Despite using a Security plugin?

Do Not Wait for a Security Attack to Happen

Other WordPress Security Plugins and Support Services

WordPress Security News

Live Article Notice

This is a live article that will be updated over time to include more plugins and list more relevant security features that may help you to decide what plugin suits better your needs.

If you found some inaccurate information or know of another interesting security plugin not listed here, please post a comment or use the site contact link at the bottom of this page to let me know about the information you have.

Why WordPress Needs Security Plugins?

WordPress is the most popular and widely used blogging platform. It is being used by millions of people around the world. 27% of all Web sites globally uses WordPress. Therefore hackers and spammers have also taken interest in breaking the security of the WordPress blogs.

WordPress security plugins are one of the easiest ways to improve security on a WordPress site. WordPress is very secure by itself and is frequently updated to fix any vulnerabilities that are found. But it is never too much have plugins that can detect security problems as soon as possible.

Security plugins can address some important vulnerabilities or at least harden the aspects of your WordPress site that are prone to manipulation by hackers.

Important WordPress Security Practices

In this post I am reviewing and comparing some of the most popular WordPress security plugins either free and commercial.

Keep in mind that even with all the best plugins installed, common security practices for keeping the WordPress site secure should be used. Your WordPress installation should be updated on regular basis to assure you are not using versions that have known vulnerabilities.

List of the Best WordPress Security Plugins 2017 and 2016

Here follows a list of some of the well-known WordPress security plugins that I have tried with a description of their most relevant features.

BulletProof Security

bulletproof

The BulletProof Security plugin secures your WordPress directories with a single click. It provides protection against CSRF, Base64, XSS, RFI, SQL injections. It also provides login security firewalls, database security and backup services.

It is available as a free and Pro version of the that offers BulletProof Security plugin service with more advanced features.

Sucuri Security plugin

sucuri

The Sucuri Security plugin provides several security services like malware scanning, security activity auditing, blacklist monitoring, effective security hardening, file integrity monitoring, and a Web site firewall.

It is a free plugin and they do offer some premium services. Visit the Sucuri Security Web site for more information.

iThemes security plugin

iThemes

The iThemes Security Plugin plugin supposedly provides more than 30 ways to secure WordPress site. It enhances user credentials by fixing common vulnerabilities and automated attacks. iThemes Security Plugin plugin offers both Free and Pro versions of the plugin.

Acunetix Security plugin

accunetix

Acunetix Security plugin is a good fit for securing file permissions, security of the database, version hiding, WordPress admin protection, etc.. It checks the WordPress site for vulnerabilities and suggests the actions needed to be performed to correct those vulnerabilities.

The Acunetix Security WordPress plugin is available for free and they do provide other security services, you can check those out at their web site.

All In One WP Security and Firewall

allinonesecurity

The All In One WP Security & Firewall plugin checks for security vulnerabilities. It implements and enforces the latest recommended WordPress security practices and techniques.

One if its useful features is a meter on your dashboard that gives your site a score of how secure it is. It can detect malicious code in your WordPress site.

It is free plugin but they offer paid consultancy for your site's security, you can learn more about it from their website.

6Scan Security

6scan

The 6Scan Security plugin security scanner goes beyond the simple rule-based protection of other WordPress security plugins. It employs sophisticated algorithms to find and automatically fix security vulnerabilities.

This plugin is available for free version but they do offer some paid services too. Check the 6Scan Security Web site for more information.

Notice that the version of this plugin that is available in WordPress plugin repository has not been updated in 2 years.

WordFence plugin

wordfence

The WordFence plugin provides user login security, IP blocking, security scanning, and Web firewall and monitoring.

This plugin allows mobile sign in that saves your WordPress site from brute force hacks. It provides real time threat defense feed. Wordfence Scan leverages the same proprietary feed, alerting you in the event your site is compromised. This plugin is offered in both free and pro version.

AntiVirus for WordPress

antivirus

The AntiVirus for WordPress plugin is a very lightweight plugin. It can strengthen the protection of your site against exploits, malware and spam injections. This plugin monitors malicious injections and also warns you about any possible attacks.This plugin works to fix common holes, stop automated attacks and strengthen user credentials.

WPBuffs Security Support Service

WPBuffs

WPBuffs is not exactly a plugin but rather a support service that you can hire to help you fixing many types of problems with your WordPress site, including dealing with security issues using a suite of tools of their own.

They have a team of people that can provide several support services with plans that may include services like:

  • Integrating your site with Google Search Console and Google Analytics

  • Update themes and plugins

  • Perform backup

  • Monitor the site to check if it is up

  • Provide traffic, maintenance and security reports

  • Optimize sites for mobile

  • Test and optimize site page speed

  • Scan and remove malware

  • Protect against brute force login

  • Install SSL certificates

  • Detect malicious file changes

  • Migration to a dedicated server

WordPress Security Plugin Comparison Side by Side

To understand how WordPress security plugins compare, it is better to show you the features they support or not side by side. So here follow several types of comparisons of their security features.

User Login Security

The user login security features are about what aspects for protecting the process login and after the users are logged. Here is a description of the features compared between all plugins.

Brute Force Protection

Brute force is a trial and error method used by program that attack the login pages by trying different passwords until the find one that works for the attacked account.

Strong Password Enforcement

Require that the user uses strong passwords login in the WordPress account.

Block User by IP or by Country

Block users based on their IP addresses or their Country.

User Monitoring

Monitor the actions of logged users and guests.

ReCAPTCHA Integration

Integrate Google ReCaptcha in the login and registration page and any other forms to prevent the access using robot scripts.

Here follows the side by side comparison of the User Login security aspects.


Brute Force Protection

Strong Password Enforcement

Block User by IP or by Country

User Monitoring

ReCAPTCHA Integration

BulletProof

Yes

Yes

Yes

Yes

No

Sucuri

Yes

Yes

Yes

Yes

No

iThemes

Yes

Yes

Yes

Yes

Yes

Acunetix

Yes

Yes

Yes

Yes

No

AIOWS

Yes

Yes

Yes

Yes

Yes

6Scan

Yes

No

Yes

Yes

No

WordFence

Yes

Yes

Yes

Yes

Yes

AntiVirus

Yes

No

Yes

No

No

Database Security

The database is where the dynamically created content and user information is stored. Protecting this information is important to avoid damages that may prevent WordPress to work properly.

Backups

Regularly take backups of database and store them on the server and make them available for download.

Errors Turned Off

Ability to turn off the database related PHP errors.

DB Status and Information

Get the information for the DB in your admin panel and live status of the DB server.

SQL Injection Protection

SQL Injection is a way to add a malicious SQL to database queries from data entered by users the user input field.

Change Table Prefix

Change the table prefix for WordPress tables at any time, not just when installing the script for the first time.

Here follows the side by side comparison of the Database security aspects.


Backups

Errors turned off

DB Status and Information

SQL Injection Protection

Change table prefix

BulletProof

Yes

Yes

Yes

Yes

Yes

Sucuri

Yes

Yes

Yes

Yes

Yes

iThemes

Yes

Yes

Yes

Yes

Yes

Acunetix

Yes

Yes

Yes

Yes

Yes

AIOWS

Yes

Yes

Yes

Yes

Yes

6Scan

Yes

No

No

Yes(Paid Only)

No

WordFence

Yes

Yes

Yes

Yes

Yes

AntiVirus

No

Yes

No

Yes

No

File System Security

WordPress uses files to store its source code of course. Source code files must not be changed by any attacker. WordPress may also generate log files. Logs may be watched to understand what happened.

Disable File Editing

Disable the plugin file editor and the template file editor for administrative accounts, so nohacker with access to the admin account can edit the source files.

Monitor System Logs

Monitor system’s error logs and access logs and others through the WordPress administration panel.

Manage File Permissions

Manage file and directory permissions from admin panel and password protect the wp- directories.

Repair Files

Repair altered files that may contain malicious code.

Here follows the side by side comparison of the File System security aspects.


Disable File Editing

Monitor System Logs

Manage File Permissions

Repair Files

BulletProof

No

Yes

Yes

Yes

Sucuri

No

Yes

Yes

Yes

iThemes

No

Yes

Yes

Yes

Acunetix

No

Yes

Yes

Yes

AIOWS

Yes

Yes

Yes

Yes

6Scan

No

Yes

No

No

WordFence

Yes

Yes

Yes

Yes

AntiVirus

No

Yes

No

No

External Access Features

Threats that may compromise the security of Web site based on WordPress usually come from the outside. Some of the most important security features exist to prevent that malicious external accesses compromise WordPress security.

XSS Protection

Cross-site scripting (XSS) is a way to inject JavaScript code in HTML that is displayed on Web pages and be used to steal user data or othet type of sensitive information.

WAF (Web Application Firewall)

Web Application Firewall (WAF) filters, monitors and blocks HTTP requests sent to pages that supposedly should not exist in a Web site but may have been installed by code that exploited a vulnerability.

DDOS Protection

DDOS stands for Distributed Denial Of Service attack. This is a kind of a security attack for compromising the ability of a server to handle requests due to many computers that are used from different world locations to perform attacks at the same time.

DDOS protection is needed to detect when an attack is going on and prevent that it causes the WordPress site be unusable by regular users.

Here follows the side by side comparison of the File System security aspects.


XSS Protection

WAF

DDOS Protection

BulletProof

Yes

Yes

Yes

Sucuri

Yes

Yes

Yes

iThemes

Yes

Yes

Yes

Acunetix

Yes

Yes

Yes

AIOWS

Yes

Yes

Yes

6Scan

Yes

Yes

Yes

WordFence

Yes

Yes

Yes

AntiVirus

No

No

No

Best Free WordPress Security Plugin

All the plugins mentioned in this article have free versions apart from premium versions that may provide better system.

If you compare all the listed plugins on the criterion that matter most to you, you can find out which is the best free WordPress security plugin.

What WordPress Security Plugin should I Choose?

All the plug-ins mentioned in this article provide good support to the most important security matters that you should be concerned when detecting and mitigating security problems that may arise.

So rather than recommending a specific plugin, let me list the features I think are more important when it comes to security services that a WordPress plugin may provide.

Take a look at these features, look at the side by side comparisons above and see which plugins provide those features and at the same time provide them at price and support level that you desire.

Some of the plugins only support certain features in the premium versions. But at the time of despair when something bad already happened the money that the premium version costs may be well worth compensated by the possibility to get support from qualified professionals.

  1. Brute Force Protection and Strong Password Enforcement because you do not want an attacker to simply access your administration panel due to weak passwords

  2. Automated backups sent to secure places, preferrable to a different server because if something bad happens you do not want to be unable to recover your WordPress site at least partially.

  3. Monitor changes in files such as source code, templates, JavaScript and repair from secure backups because many site defacements are basically that, files that were changed by attackers to make it look different or look the same but spread malware in a way that you cannot notice looking at the pages.

  4. A good Web application firewall because even if plugins can protect from some kinds of exploits, other exploits may still be performed on the server and new malware files may be installed on the system to make it act in a way that is not intended. A Web Application Firewall will block the access to those new malware files, so their code cannot be executed.

What if I still Have Security Problems Despite using a Security plugin?

Well these security plugins are great but there may always be cases that they did not anticipate. Most newer security exploits were created by people that was smarter than the developers and abused from holes that were foreseen.

So, when the security attacks happen, you will need the help of a security expert. Some plugin developers provide additional services that you may contract to have people solving your specific problem.

Hiring on demand may often be more expensive than hiring an ongoing support service that is ready to act by the time you find about a security incident.

This is why this article lists also one (one for now, more be listed later) support service, in the case called WPBuffs. They provide several plans of subscription based WordPress support service. It includes security services but it also includes other non-security related services such as maintenance. 

WPBuffs services are affordable and it may bring you some piece of mind and less headaches when the incidents happen. They have a free trial service for 30 days that you can try to evaluate them without having to commit any payment.

Do Not Wait for a Security Attack to Happen

Security is a very sensitive topic. Many developers wished they never had to deai with security issues but every project will have their own set of security problems, especially large projects like WordPress that is a very visible target due to its popularity.

So, if your WordPress site is very important to you and you must not lose time, money and effort with eventual security problems, do not wait until you have those problems to start acting. Spend some time now and install any plugins you feel that are necessary to keep you more protected.

Other WordPress Security Plugins and Support Services

There are more WordPress Security Plugins out there. Some may be old and not be updated for a while. Others may be new and were not covered in this article yet.

If you know about any other relevant plugins or support services dedicated to WordPress security, please post a comment below or use the contact link at the bottom of the page.

If you liked this article share it with your developer or WordPress site owner friends so they can also be aware of how to protect their sites from security issues.

WordPress Security News

If you want to know all about the releases that implement or fix security aspects of WordPress, the best place to find about that is the WordPress news blog Security category.

There you can file the list of the latest releases of WordPress that reference security features or fixes.




You need to be a registered user or login to post a comment

1,444,617 PHP developers registered to the PHP Classes site.
Be One of Us!

Login Immediately with your account on:

FacebookGmail
HotmailStackOverflow
GitHubYahoo


Comments:

No comments were submitted yet.



  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog Best WordPress Securi...   Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)