There are currently 50,416 plugins available in the WordPress repository. Out of these, roughly seven percent are security-based plugins. At the same time, when you search Google for "WordPress security plugin," 14,600,000 results come up. How can you choose a plugin from all these options? To answer that question, it's important to understand what a security plugin does. There are four main areas of functionality – these are as follows:
- Prevention
- Detection
- Auditing
- Utility
Understanding these four categories and the differences between them allows you to ask better questions, think more clearly about your needs and evaluate the tools you are using more thoroughly. Let's explore these areas in greater detail.
Security Plugin Categories in WordPress
To understand the categories mentioned above, it's worth first mentioning the "Information Security Wheel." Generally, the wheel is divided into three categories: Detection, Protection and Response.
We can apply this wheel to WordPress websites, especially those run by large enterprises; doing so adds a fourth category: Utility. Let's now look at what each of these categories entails.
Prevention
Prevention-based security plugins assist with the perimeter defense of your WordPress website. Their main function is to prevent hacking; in effect, they act as the website's firewall. These plugins have two major weaknesses: 1) they are reactive, trailing new attack techniques; and 2) they operate only at the application layer. This means an attacker who wants to neutralize them can do so by attacking at the server level. Prevention-based WordPress security plugins help defend against the following types of attacks:
- Cross-Site Scripting
- Remote Command Execution
- Denial of Service
- Brute Force Attempts
- Remote File Inclusion Attack
Some of the plugins that fall under the Prevention category are BruteProtect, Limit Login Attempts and WP Limit Login Attempts.
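As an added illustration (not the code of any of the plugins named above), here is the core mechanism a "limit login attempts" style plugin implements, modelled in plain Python: failed logins are counted per client address and account in a sliding window, and the pair is locked out once a threshold is reached. The thresholds, the injectable clock and the addresses used in the demo are assumptions chosen for the example.

```python
"""Sliding-window login lockout, the core of a "limit login attempts" style
prevention plugin, modelled in plain Python (added example, not any plugin's code).
A clock is injected so the behaviour is deterministic and testable."""
from collections import defaultdict, deque
import time


class LoginLimiter:
    """Lock out a (client IP, username) pair after too many failures in a window."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time the lockout expires

    @staticmethod
    def _key(ip, username):
        # Keying on both IP and account limits damage from one source without
        # letting a single attacker lock a legitimate user out from elsewhere.
        return (ip, username.lower())

    def _prune(self, key, now):
        # Drop failures that fell out of the sliding window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, username):
        """True while the pair is inside an active lockout; expired locks are cleared."""
        key = self._key(ip, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]
            return False
        return True

    def record_failure(self, ip, username):
        """Register a failed login; returns True if this failure triggers a lockout."""
        key = self._key(ip, username)
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures[key].clear()
            return True
        return False

    def record_success(self, ip, username):
        """A successful login resets the failure counter for that pair."""
        self._failures.pop(self._key(ip, username), None)


if __name__ == "__main__":
    # Constructed demo: three failures in a minute from 198.51.100.7 lock "admin" there.
    fake_now = [1000.0]
    limiter = LoginLimiter(max_failures=3, window_seconds=60, lockout_seconds=120,
                           clock=lambda: fake_now[0])
    for _ in range(3):
        locked = limiter.record_failure("198.51.100.7", "admin")
    print("locked after 3 failures:", locked)
    print("same account from another address locked:", limiter.is_locked("198.51.100.8", "admin"))
```

Note the caveat from the paragraph above applies directly: a limiter like this sees only requests that reach the WordPress application, so it does nothing against attempts that bypass the application layer.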
Detection
Some of you might be thinking, "If I am protected, then why do I need threat detection capabilities?" The simple answer is that prevention only covers threats that are already known; you cannot expect a plugin to prevent 100 percent of all threats. How do you choose an appropriate detection-based WordPress security plugin? To save time and money, go with a plugin's popularity. Some plugins do file integrity checks, some do malware scans, and some do both. Some examples of plugins that assist with threat detection are Theme Authenticity Checker (TAC), Exploit Scanner, Sucuri Security and WP Antivirus Site Protection.
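The file integrity check mentioned above is simple to model. The following added example (plain Python, not the code of any plugin named here) hashes every file under a site root to build a baseline, then diffs the live tree against it to report added, removed and modified files. The directory layout, file contents and the skipped cache/uploads paths are constructed assumptions for the demo.

```python
"""File-integrity check of the kind detection plugins run: hash every file under a
directory, store the result as a baseline, and later diff the live tree against it.
Added example in plain Python, not any plugin's code; the sample site tree is
constructed in a temporary directory."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_dirs=("wp-content/cache", "wp-content/uploads")):
    """Map relative path -> hash for every file under root.

    Directories that legitimately churn (cache, uploads) are skipped so the report
    isn't buried in noise; uploads are also a common place for dropped files, so a
    real deployment should scan them separately rather than ignore them."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == ".":
            rel_dir = ""
        # Prune skipped subtrees in place so os.walk does not descend into them.
        dirnames[:] = [d for d in dirnames if f"{rel_dir}/{d}".strip("/") not in skip_dirs]
        for name in filenames:
            rel = f"{rel_dir}/{name}".strip("/")
            baseline[rel] = hash_file(os.path.join(dirpath, name))
    return baseline


def compare(baseline, current):
    """Return files added, removed and modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed example: a tiny fake site, a baseline, then a tampered copy."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-content/plugins/hello.php": "<?php // hello",
            "wp-content/cache/page.html": "<html>cached</html>",
        }
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(body)
        baseline = build_baseline(root)
        # Simulate tampering: a plugin file edited, a new PHP file dropped, cache churn.
        with open(os.path.join(root, "wp-content", "plugins", "hello.php"), "a") as f:
            f.write("\n// injected")
        with open(os.path.join(root, "wp-content", "dropped.php"), "w") as f:
            f.write("<?php // unexpected file")
        with open(os.path.join(root, "wp-content", "cache", "page.html"), "w") as f:
            f.write("<html>new cache</html>")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline must be stored somewhere the web application cannot write to; a baseline kept alongside the site can be edited by whoever edits the site.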
Auditing
Security is not, as we used to think, a matter of set it and forget it. It's a process, which means you need to invest time and resources into it, observe the results, and make changes where necessary. If you're a site administrator, you also have to consider the following:
- Who is logging in?
- Should they be logging in?
- What changes are they making to posts?
- Did anyone install a plugin they shouldn't have?
These questions may sound basic, but they are very important in terms of identifying, responding to and preventing a compromise. So, to audit your WordPress security, use plugins such as WP Security Audit Log, Audit Trail and Simple History.
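To show how an audit trail answers those four questions, here is an added example (plain Python, not the output format or code of any plugin named above) that parses a small constructed log in a key=value format and reviews it against a site policy: who logged in, whether they were expected to, how many post edits each user made, and whether a plugin was installed by someone who shouldn't have. The log lines, usernames, addresses, plugin names and the policy are all constructed assumptions.

```python
"""Review a constructed audit log against a site policy (added example, not any
plugin's code or log format). Each line is a timestamp followed by key=value pairs."""
import re
from collections import Counter

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")

# Constructed sample log: a normal morning, plus an overnight sequence of failed
# logins, a login by an account not on the expected list, and a plugin install.
SAMPLE_LOG = """\
2024-03-04T02:13:55Z event=login_failed user=admin ip=203.0.113.9
2024-03-04T02:13:58Z event=login_failed user=admin ip=203.0.113.9
2024-03-04T02:14:02Z event=login_failed user=admin ip=203.0.113.9
2024-03-04T02:14:30Z event=login_success user=carol role=editor ip=203.0.113.9
2024-03-04T02:15:02Z event=plugin_installed user=carol role=editor plugin=unapproved-helper ip=203.0.113.9
2024-03-04T08:02:11Z event=login_success user=alice role=administrator ip=192.0.2.10
2024-03-04T08:15:40Z event=post_update user=alice role=administrator post_id=17 ip=192.0.2.10
2024-03-04T09:01:02Z event=login_success user=bob role=editor ip=192.0.2.11
2024-03-04T09:05:33Z event=post_update user=bob role=editor post_id=21 ip=192.0.2.11
2024-03-04T09:06:10Z event=post_update user=bob role=editor post_id=22 ip=192.0.2.11
"""

# Constructed policy: which accounts are expected to log in, which roles may
# install plugins, and which plugins are approved for the site.
POLICY = {
    "allowed_users": {"alice", "bob"},
    "install_roles": {"administrator"},
    "approved_plugins": {"hello"},
}


def parse_line(line):
    """Turn one 'ts k=v k=v' line into a dict, or None if it doesn't fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def review(events, policy, failed_threshold=3):
    """Answer the four audit questions and flag policy violations."""
    logins = Counter()
    post_edits = Counter()
    failed_by_ip = Counter()
    unexpected_logins = []
    bad_installs = []
    for e in events:
        kind = e.get("event")
        user = e.get("user", "?")
        if kind == "login_success":                      # who is logging in?
            logins[user] += 1
            if user not in policy["allowed_users"]:      # should they be?
                unexpected_logins.append((e["ts"], user, e.get("ip", "?")))
        elif kind == "login_failed":
            failed_by_ip[e.get("ip", "?")] += 1
        elif kind == "post_update":                      # what are they changing?
            post_edits[user] += 1
        elif kind == "plugin_installed":                 # installs they shouldn't have made?
            reasons = []
            if e.get("role") not in policy["install_roles"]:
                reasons.append(f"role {e.get('role')} may not install plugins")
            if e.get("plugin") not in policy["approved_plugins"]:
                reasons.append(f"plugin {e.get('plugin')} is not on the approved list")
            if reasons:
                bad_installs.append((e["ts"], user, e.get("plugin", "?"), "; ".join(reasons)))
    # Repeated failures from one address are worth a look even when nothing succeeded.
    brute = {ip: n for ip, n in failed_by_ip.items() if n >= failed_threshold}
    return {
        "logins": dict(logins),
        "unexpected_logins": unexpected_logins,
        "post_edits": dict(post_edits),
        "unauthorized_installs": bad_installs,
        "brute_force_sources": brute,
    }


if __name__ == "__main__":
    for key, value in review(parse_log(SAMPLE_LOG), POLICY).items():
        print(f"{key}: {value}")
```

Running it on the sample flags carol's login and her plugin install (wrong role and an unapproved plugin) and the three failed attempts from 203.0.113.9, while alice's and bob's activity is simply counted. The point is that these answers come from a log kept outside the site database, so a successful intruder cannot quietly rewrite them.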
Utility
This is one of the biggest and most diverse buckets in the realm of WordPress security plugins. Much of this category is reserved for maintenance tools. Think of a plugin that allows you to create backups, or one that lets you manage and administer your WordPress website remotely. The best part about these plugins is that you can configure them to function the way you want. Their do-it-yourself (DIY) style features let them do almost everything you want them to do. Some WordPress security plugins in this category include Wordfence Security, All In One WP Security & Firewall, and Acunetix WordPress Security Plugin.
Which WordPress Security Plugin Is Right for You?
By now, you know what types of WordPress security plugins there are and some examples of each category. All you need to do is map your expectations and needs onto these four types and choose the plugin that's best for you.
About the Author: Kerin Miller is a WordPress expert by day and geek by night. She is associated with Stellen Infotech, where you can find her working on WordPress plugin development and theme customization for small business and corporate clients. She also likes to dedicate her time to blogging about her area of expertise. You can follow her on Facebook and Twitter.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.