Everyone agrees that securing your WordPress sites is essential, but there is a bewildering array of options. Last week I was chatting with Michael Edwin and Nelson Therrien of the Dynamic WordPress group about the security plugins we’ve used and our thoughts about them. This seemed like it would be a useful topic, so I’ve prepared this review that compares four options in depth and mentions a few others.
Of course you need to follow best practices or it won’t matter which plugin you pick. Things like picking good hosting, not using themes and plugins from unknown sources, keeping everything up to date, and good password management are essential. Also the sensible steps and best practices for securing your site might depend on the hosting environment or the type of website. For instance, high end managed hosting may provide advanced network and router based firewalls to help with security. Also, a single person blog, a membership site, and an ecommerce store might all have different requirements. In this post I am looking at security plugins of the type that users on shared hosting or people hosting sites on a VPS might use. I have chosen these solutions because they are ones I’ve used and know about. These are also some of the more popular plugins available, so it is not a random selection.
To help clarify differences, I created a chart that compares the nine plugins across 30 features. I grouped the features into Important, Good to Have, and Optional categories. It is my hope that this information will help us understand more about WordPress security and make informed and sensible choices for securing our sites.
All in One WP Security & Firewall
All in One WP Security Overview
The All in One WP Security & Firewall (AIOS) plugin is unusual in the WordPress security arena: it is very full featured and completely free. The plugin has more than a million active installs, 1,010 five star reviews, and 68 out of 74 support questions closed in the last two months. Yes, there are a few other security plugins with as many or more installs, but what is special about this one is that there is no upsell.
Video Walk-Through of All in One WP Security
All in One WP Security Ease of Configuration
AIOS has a lot of features, and consequently there are several pages of options, some of the pages have multiple tabs, and each page has several toggles. So there is a lot to go through. Here are the admin menus.
And here is one of the pages with tabs.
The main security functionality is divided into four areas: admin username, login lockdown, file permissions, and basic firewall. On the dashboard you can toggle them on or off, and each also has its own page. The plugin provides a strength meter based on the number of available features that you have enabled.
The options are categorized as Basic, Intermediate, or Advanced, so users can tell the easiest and safest options to enable from those that require more thought and attention (for example, settings that rewrite .htaccess or change the database table prefix).
It also comes with a toggle to put your site into maintenance mode. This is a nice convenience. The maintenance mode configuration consists of an instance of the classic editor where you can add a graphic and/or a message.
And this is what it looks like on the frontend. Pretty basic, but often that is all you need.
All in One WP Security What It Does
AIOS has a number of essential features:
- WordPress firewall
- The firewall has the option to enable the 6G firewall rules (similar to those used by the BBQ plugin)
- Brute force protection of the login page
- Protect the login, register, and password reset forms with Recaptcha
- Can disable XML-RPC if it is not being used
- Can disable the REST API if it is not being used
- Block bot scanners
- Check and secure file and directory permissions
- Disable directory browsing
It also includes a number of good-to-have features:
- Activity logs (login related only)
- On demand and automated database backups
- Prevent user enumeration
- Spam protection for comment forms
There are additional features that might appeal to users, such as the ability to back up the .htaccess file, enable maintenance mode, and change the login URL.
All in One WP Security What It Does Not Do
You will need an additional plugin, or some other means, if you need two factor authentication, regular malware scans, or HTTP security headers on your pages. Also, the firewall does not receive just-in-time rule updates, so it only blocks generic attack patterns, not newly disclosed plugin vulnerabilities.
All in One WP Security Discussion and Conclusion
When I set up testing sites I like to try out new plugins, and I have had my eye on AIOS for a long time. I recently got a chance to install it and so far I am pleased with how it is working. Like many of the more comprehensive security plugins, you need to go through each screen (and tab) carefully. Personally, I find the security meter to be a bit cheesy, but I just ignore it. The descriptions and help blurbs on the pages are not verbose, but probably sufficient.
One thing that struck me with this plugin is that some of the omissions could well be because it is a free plugin and so geared towards tasks that users can manage themselves. For example, there are no just-in-time firewall rule updates and no two factor authentication.
In the past I used a separate coming soon / maintenance mode plugin for these testing sites, but can now use the simple maintenance mode that AIOS provides. I was impressed that the team is so active in helping users in the free WordPress.org support forum.
While there are a few features missing, All in One WP Security & Firewall seems like a good free option for a single user blog or other simple site.
iThemes Security With The BBQ Firewall
iThemes Security is one of the longtime security solutions and is available in both a free and a premium version. However, iThemes doesn’t include a firewall. The BBQ Firewall plugin is a lightweight and trouble-free firewall that also comes in a free and a premium version. The two plugins complement each other, and this is Nelson Therrien’s go-to solution. I also have used and been happy with this combination. They are considered together below.
iThemes and BBQ Firewall Video Walkthrough
BBQ Firewall Overview
I am a big fan of the BBQ Firewall plugin. It is very lightweight with virtually no impact on your server. It is based on the popular and well respected 6G/7G firewall (a set of Apache .htaccess rules by the same author) and applies most of those rules from PHP, so you get the protection in WordPress without needing to modify the .htaccess file. The rules are carefully chosen and tested so as to avoid false positives, making it very stable and trouble free. The plugin has more than 100,000 active installs, an almost perfect rating with 110 five star reviews, and 2 of 2 support questions closed in the last two months.
BBQ Firewall Ease of Configuration
The free version has zero configuration options. You literally just install it and it works. Here is the admin page for the free version.
Here is a screenshot from a section of the pro version. As you can see, the Pro version allows you to turn off individual rules and shows stats for the number of times each rule has been triggered. You are also able to add your own rules.
BBQ Firewall What It Does
The BBQ Firewall plugin inspects each incoming request and checks the request URI, query string, user agent, and referrer against known attack patterns, blocking bad requests before WordPress processes them. It helps protect against directory traversal, cross-site scripting, code injection, and file inclusion attacks, for instance.
BBQ Firewall What It Does Not Do
Remember that the BBQ Firewall is based on the 6G/7G firewall. This means that its rules are generic rather than WordPress specific: it does not have rules for specific plugin vulnerabilities, nor does it have just-in-time updates to protect against the latest threats. It does not provide login form protection, two factor authentication, malware scans, or many of the other important lockdown security measures.
BBQ Firewall Discussion and Conclusion
The BBQ Firewall is one of those plugins that focuses on doing just one thing well. For that reason I would not use it alone, as it provides no login form protection at all. I suppose if you really wanted to go bare-bones, you could combine BBQ with a plugin like Limit Login Attempts Reloaded, though I think pairing it with iThemes Security provides a lot more coverage. BBQ is so lightweight and reliable that I think it is safe to combine with any other WordPress security plugin that doesn’t already include something like the 6G/7G rules (AIOS, for example, can enable them itself).
I did a full walk-through and review of BBQ here. I have reached out to the plugin author, Jeff Starr, with support questions when I wanted to add my own rules and he always responded quickly and was helpful.
iThemes Security Free and Pro
iThemes Security Overview
This plugin has been around for a long time and provides a pretty full list of features. It has more than a million active installs, 3,360 five star reviews, and 2 of 29 support questions closed.
iThemes Security Ease of Configuration
iThemes Security can be a bit tricky to configure. It has a lot of options, and the developers have tried various ways to simplify the interface. Currently there is an install wizard that steps through some of the main features, but there are a lot of settings hidden in tabs and behind various small icons. Here is a screenshot of the admin menus.
There is a dashboard where you can see stats and locked-out IP addresses, and clear lockouts if needed.
The settings are generally divided into two groups. In the first there are login security, managing lockouts, site check, and additional features. The second group focuses on managing the login security of site users.
Here is an example of the levels of settings. From the general configuration screen I clicked on Lockouts, which opens another page with features and toggles. There is a small gear icon above the toggles and I clicked on the one for Ban Users and there is another configuration screen. When you go through the wizard, if you missed something, it might be hard to drill down to find it later.
iThemes Security What It Does
iThemes Security has a number of essential features. These include:
- Login form brute force protection
- Vendor aggregated brute force protection
- Two factor authentication
- Disable XML-RPC if it is not being used
- Blocking bots
- File and directory lockdown
iThemes Security also provides an option for scheduled database backups. The Pro version adds:
- Recaptcha protection for login, register, and password reset forms
- Activity logs
- Several additional features for password security and managing user logins
- The option to auto-update plugins or themes with known vulnerabilities.
iThemes Security Discussion And Conclusion
Years ago when I was first testing security plugins I tried both WordFence (discussed below) and iThemes Security. I ended up using iThemes Security because WordFence had a reputation for using a lot of server resources. I’ve been using iThemes Security on some of my sites for a long time. For the past few years I’ve been pairing it with the BBQ Firewall. I have some sites that I take care of that I’m not paid for and on these I’ve used iThemes Security free and BBQ free. On sites where I was being paid I used my licenses for the pro versions.
I’ve contacted the iThemes support team in the past. They were always polite though I didn’t always sense that they were driven to solve problems. Perhaps that is reflected on the free support forum where only a few of the issues were closed. In any event, the plugin has been problem free.
Patchstack
Patchstack Overview
Patchstack is a company focused solely on website security, and its product is primarily a firewall. It consists of a plugin that you install on your site and a central dashboard where you can monitor and configure your sites. The company maintains a vulnerability database, supports researchers through a bug bounty program, handles responsible disclosure with vendors, and credits researchers with their discoveries.
Patchstack Ease of Configuration
I’ve found Patchstack to be one of the easier security products to configure. The settings are presented in a well organized and straightforward manner. When the plugin is activated you get a “Security” submenu under Settings. Here there are several screens. Most of the choices are on three screens. The first is for site hardening.
On the second screen you configure the firewall.
And on the third screen the Login Protection.
A cool thing with Patchstack is that you can also configure most of the settings from the central dashboard. Here is a screenshot of the online dashboard. You can see buttons at the top to jump to the settings areas.
Patchstack What It Does
Patchstack has a large number of features. Some of the essential ones include:
- Just in time firewall rules
- Login form brute force protection
- Recaptcha for registration, login, password reset, and comments forms
- The ability to disable XML-RPC if you are not using it
- The ability to disable the REST API if you are not using it
- Blocks bulk penetration scans
- Disables directory listing
- Stops user enumeration
- Add page security headers
- Option for Two Factor Authentication
- Activity logs
- The option to automatically update vulnerable themes and plugins.
You are also able to add your own firewall rules from the central dashboard. You can also see which plugins and themes need to be updated, and update them, from the online dashboard.
Note that Patchstack has a free version that will notify you if any of your installed plugins, themes, or core WordPress have known vulnerabilities. I have not used this.
Patchstack What It Does Not Do
Patchstack does not check file and directory permissions or enforce strong passwords. Probably the biggest gap is that there is no malware scanning, so a vulnerability that is exploited before a firewall rule lands will not be detected after the fact.
Patchstack Discussion and Conclusion
I am a fan of Patchstack and use it on my most important sites. I like the central dashboard because I can enable two factor authentication for the sites, but in the unlikely event that I lose my phone, I can disable it from the online dashboard. You can also view the firewall and user activity logs from the central dashboard.
I’ve communicated with support several times: a few times when I had general questions and then a couple of times when there were vulnerable plugins discovered on a site which had not yet been patched. The team was always helpful and informative.
Wordfence Free And Pro
Like Patchstack, Wordfence is focused 100% on WordPress security. Wordfence is the reigning king of WordPress security plugins with more than 4 million active installs of the free version, 3,426 five star reviews, and 254 out of 305 support questions closed in the last two months. The company communicates frequently with the community through in-depth blog posts reporting security issues as well as through weekly livestreams.
Wordfence Ease of Configuration
Like the other comprehensive plugins, Wordfence has a lot of options. They too have worked to simplify the configuration process, but it can still be daunting. Here is a screenshot of the dashboard page, where there are graphics showing the current extent of feature activation, links to the feature categories, and ads for their premium services. The feature categories are divided into firewall, scan, tools, and login security.
When you first activate the firewall it is put into “learning mode”, which watches how the site is used so the firewall can avoid false positives. After a few days it is supposed to switch to enabled and protecting automatically, so it is worth checking back to confirm that it did. Note that there are several subsections for different categories of firewall options, which are quite extensive.
For example, here are the firewall rules, which you can toggle off or on individually and below that some of the settings for brute force login protection.
Here is the page for the scan section. As you can see, some of the options are premium only and then there are a number of issues that Wordfence scans for.
Wordfence adds several nice convenience features that let you see and research site traffic.
Here are the login protection settings, which is where you can enable two factor authentication.
Wordfence has an online dashboard, even for the free version. It is very full featured. You can set and change options, initiate a scan, and use a template for applying settings across sites. This is a very nice feature especially if you have more than one site.
Wordfence What It Does
Wordfence free comes with a large number of security features, including:
- WordPress firewall
- Login form brute force protection
- Recaptcha for registration, login, and password reset forms
- Recaptcha and two factor authentication for WooCommerce registration and login forms
- Two factor authentication option
- Disable XML-RPC if not being used
- Regular malware scans
- Check file and directory permissions / lockdown
- Disable directory listing
- Activity logs (logins only)
- Disable directory traversal
The premium version of Wordfence adds additional features such as:
- Just in time firewall rule updates
- More control over the scanning schedule and the ability to run scans on demand
- Login form brute force protection (vendor aggregate IP list)
Several of the solutions considered here have the ability to block by country. Wordfence premium has the ability to whitelist the login page by country, which is a nice feature.
Wordfence What It Does Not Do
Wordfence is very full featured. There are some less important / optional features which it does not provide:
- Disable Rest API if not being used
- Remove malware
Wordfence Discussion And Conclusion
Besides the maze of configuration options, Wordfence has a reputation for being resource intensive. There are options to rate limit the speed and extent of scans, but the high resource usage means that users should keep an eye open to make sure their sites don’t become bogged down, especially on low end hosting.
Wordfence free is very full featured and the premium version is the most feature rich option considered here. The impressive list of features is one reason for its number one spot, but there are several other reasons as well.
The company seems very aggressive about adding and rolling out just-in-time firewall rules for the premium version. The just-in-time rule updates are only available to premium subscribers, and the constant reminder of that rubs some people the wrong way, though of course it is a strong benefit and a reason to sign up.
The Wordfence team also presents itself as very focused on helping its users and if you read the comments on the blog posts from users it is something of a love fest. Perhaps a good way to illustrate the commitment to support is to point out that with more than 4 million active installs of the free version the team got 305 questions in the last two months in the WordPress.org support forum, of which 254 were closed. That is a huge support commitment that the company extends to its free user base. I also like the online dashboard.
Patchstack versus Wordfence Video Face-Off
Conclusions from Video Comparison
Main Feature Differences:
Patchstack = $80.88/yr
- Just in time firewall rules
- Hide login URL
- Auto update vulnerable components
- Easier to configure
- More performant
Wordfence = Free
- Malware scans
- Auto malware cleanup
- More lockdown options
- Better online dashboard
Wordfence = $99/yr
- Just in time firewall rules
- Network brute force
- Malware scans using current rules
- Auto malware cleanup
- More lockdown options
- Better online dashboard
Ease of Configuration
- The Wordfence presentation of options was something of a maze.
- Patchstack’s simple layout of options within the WordPress admin made it easier to configure.
- Both let you view and change config options from the online dashboard.
- The overview and settings details are better organized in the Wordfence dashboard.
- The Wordfence dashboard is full featured even for the free version.
I used the P3 performance plugin to compare the average memory used on page load across a few options. Patchstack uses more than a site with no security plugin, but not much more. iThemes uses almost twice what a site with no security plugin uses. Wordfence uses almost double what Patchstack uses. According to this test, Wordfence deserves its reputation for using lots of server resources.
- No Security Plugin: AVG 7.946 MB
- Patchstack: AVG 9.33 MB
- iThemes Security: AVG 14.36 MB
- Wordfence: AVG 18.463 MB
Patchstack versus Wordfence Conclusions
They both do a good job and are good choices. Patchstack’s main weakness is the lack of malware scanning / cleanup. I suggested to the Patchstack team that they add malware scanning. Doing so would be a great feature upgrade.
Wordfence’s main weakness is performance. If Wordfence were more performant the pro version would be a no-brainer versus Patchstack. As it is, the high resource usage means that you need to be careful that Wordfence doesn’t slow down your site.
If you have a malware scanning option like Malcare or VirusDie then Patchstack is a good solution as both of those are more performant than Wordfence.
Two Additional Options I’ve Used
There are two other security plugins that I’ve used and can briefly share information about: Malcare and WP Security Ninja Pro.
Malcare includes a malware scanner and a firewall. It makes an incremental backup of your site to the Malcare servers and scans those off-site copies for malware. The beauty of this is that the scans are done off-site, so your server is not impacted. If malware is found you can view it, and Malcare will try to automatically clean the files. Malcare has a firewall, but it has seemed to me to be rather basic.
Malcare is from the same company that makes BlogVault, a great backup solution. You can use the two services separately or together. When used together, Malcare scans your BlogVault backups instead of taking special Malcare backups. If you use the two together you also get a nice activity log and the option to create a staging site.
Configuration is very simple. There are no settings on the WordPress site, just a link to login to the Malcare dashboard. I have both BlogVault and the Malcare addon, so the screenshots show the features of both. You can update WordPress, themes, and plugins from the online dashboard. There is a dashboard overview for each site:
When you click on the Review Security button you go to this screen showing a security overview, scan overview, and traffic history.
I mention Malcare here because if you are using the BlogVault backup, this is a nice way to get malware scans and automated malware cleaning.
Note, Malcare has a free version which includes its basic firewall, will do an off-site malware scan, and provides recaptcha for your login form. I have not used this.
WP Security Ninja Pro
While I do most of my testing on localhost, I have a few testing sites online and have used WP Security Ninja Pro on these sites. There is actually a free version also. The difference between the free and the pro version is that the free version does the scan and checks a long list of possible security issues, but doesn’t fix them. The pro version gives you the option to address those issues so as to lockdown your site. It also adds a firewall.
It is not the easiest to configure, but I thought that it was adequate. More than a year ago the company moved the product to using Freemius. One day I logged onto one of these testing sites and discovered that for some reason the plugin was not able to communicate with the Freemius license server and it reverted to the free version. Yikes! The plugin had been able to connect with the Freemius server when it was installed and configured and I don’t know why it could not communicate with the Freemius server, but I was very concerned that my site was not protected. I stopped using WP Security Ninja after that experience.
Video Looking at Combining iThemes Security with Wordfence, MalCare Free, BlogVault + MalCare, and WP Security Ninja
Some Comments on Resource Usage
The website WP Hive checks the free plugins in the WordPress directory across a number of areas:
- Minimal impact on memory usage
- Minimal impact on page speed
- No PHP errors, warning, notices
- Latest PHP 7.4.8 compatible
- Latest WordPress 5.9 compatible
- Optimized database footprint
- No activation errors
- No resource errors
- Frequently updated
I looked at plugins mentioned here and this is what I found listed:
- All in One WP Security: No issues
- BBQ Firewall Free: No Issues
- iThemes Security Free: Uses on average 1.2 MB of memory, more than 89% of the plugins tested
- Malcare Free: No issues
- Patchstack Free: No issues
- Wordfence Free: Uses on average 4.4 MB of memory, more than 99% of the plugins tested
- WP Security Ninja Free: Unable to complete tests
Some Comments on Pricing
Here are some prices as of the end of March 2022. Note that some of the products have additional tiers for things like site cleanup.
- BBQ Pro: The BBQ Pro plugin is available for lifetime purchase at $25 for one site, $50 for 3 sites, $100 for 10 sites, and $200 for unlimited sites.
- iThemes Pro: The premium version of iThemes Security is $80 a year for 1 site and $199 for unlimited sites.
- BlogVault with Malcare: The BlogVault with Malcare combination is $149 a year for one site and $359 for 5 sites.
- Patchstack: Patchstack is $80.88 per site per year.
- Wordfence: The premium version of Wordfence is $99 a year for a single site license. There are discounts if you pay for multiple years or purchase for multiple websites.
Feature Comparison Chart for the Nine Plugins
I’ve done my best to identify common features and correctly mark those for each plugin. Please let me know if you see any corrections or have suggestions.
|All in One WP Security||BBQ (Free and Pro)||iThemes Security Free||iThemes Security Pro||MalCare||Patchstack||WordFence Free||WordFence Pro||WP Security Ninja Pro|
|Just in time firewall rule updates||Y||Y||Y|
|Login form brute force protection (local)||Y||Y||Y||P||Y||Y||Y||Y|
|Recaptcha for login and password reset form||Y||Y||Y||Y||Y|
|Disable XML-RPC if not being used*||Y||Y||Y||Y||Y||Y||P|
|Disable Rest API if not being used*||Y||Y||Y||Y||P|
|Regular malware scans||P||P||Y||P||Y||Y|
|Block bot scanners||Y||Y||Y||Y||Y||P||P||P|
|Check file and directory permissions / lockdown||Y||Y||Y||Y||Y||P|
|Disable directory traversal||Y||Y||Y||Y||Y||Y||Y||P|
|Add page security headers*||Y||Y|
|IMPORTANT - ESPECIALLY FOR ECOM & MEMBERSHIP|
|Enforce strong passwords||Y||Y||Y||Y||Y|
|Refuse compromised passwords||Y||Y||Y||Y|
|Two factor authentication||Y||Y||Y||Y||Y|
|IMPORTANT - OFTEN SETUP THROUGH OTHER MEANS|
|GOOD TO HAVE|
|Login form brute force protection (vendor aggregate IP list)||Y||Y||Y||Y|
|Change admin name||Y||Y||Y||P|
|Automatic malware removal||Y||Y||Y|
|Lock out invalid user names||Y||Y||Y||Y||Y||Y|
|Prevent user enumeration||Y||Y||Y||Y|
|Recaptcha for comments form||Y||Y||Y||Y||Y|
|Change login URL||Y||Y||Y||Y||Y|
|Hide that WordPress generator tag*||Y||Y||Y||Y|
|Change WordPress Salts||Y||Y||P|
|Disable theme and plugin file editor*||Y||Y||Y||Y||Y||Y|
|File change monitoring||Y||Y||Y||Y||Y||Y|
|Change database table prefix||Y||Y||Y||Y||P|
|Auto update vulnerable themes and plugins||Y||P||Y|
|P = Partial|
|E = Extra cost|
|* Can be enabled with a simple code snippet|
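For the starred rows, the "simple code snippet" that stands in for a plugin setting is a few WordPress hooks, and the same snippets cover the gaps noted earlier: AIOS not adding security headers, and the XML-RPC and REST API toggles listed for AIOS and Patchstack. Here is an added example of such a snippet as a must-use plugin. It is my code for this post, not taken from any of the plugins reviewed, and the plugin name, file name, and header values are my choices. The REST API rule in particular is only appropriate if the site genuinely does not use the REST API for logged-out visitors: any public integration that calls /wp-json/ without a cookie (some contact form, e-commerce, or social plugins) will stop working.

```php
<?php
/**
 * Plugin Name: Example hardening snippets
 * Description: Added example for this post, not code from any plugin reviewed here.
 *
 * Save as wp-content/mu-plugins/example-hardening.php (must-use plugins are
 * always active and load before regular plugins). Each block below covers one
 * starred row of the feature chart.
 */

// Disable XML-RPC entirely; this also shuts down xmlrpc.php brute force and pingback abuse.
add_filter('xmlrpc_enabled', '__return_false');

// Drop the X-Pingback header, since pingbacks are served over XML-RPC anyway.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Restrict the REST API to authenticated users. Logged-in editors (and the block
// editor) keep working; anonymous /wp-json/ requests get a 401.
add_filter('rest_authentication_errors', function ($result) {
    if ($result === true || is_wp_error($result)) {
        return $result;            // an earlier filter already decided
    }
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            __('The REST API on this site requires authentication.'),
            ['status' => 401]
        );
    }
    return $result;
});

// Send page security headers. Values here are a conservative starting point;
// a Content-Security-Policy is left out because it has to be written per site.
add_action('send_headers', function (): void {
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
    // HSTS only makes sense over HTTPS; one year, no preload, so it can be rolled back.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000');
    }
});

// Hide the WordPress generator tag (the version in <meta name="generator"> and feeds).
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Disable the theme and plugin file editor in wp-admin. Usually set in wp-config.php;
// defining it here works because must-use plugins load before the admin menu is built.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}
```

After activating, confirm each snippet from outside the site: a POST to /xmlrpc.php should report that XML-RPC services are disabled, an anonymous GET of /wp-json/wp/v2/users should return 401 rather than a user list, and `curl -sI` on the home page should show the new headers and no X-Pingback. If any of the chart's plugins already provides one of these, enable it in one place only; stacking the same header twice from a plugin and a snippet is harmless but confusing when you later try to change it.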
Quick Summary, Conclusions, and Recommendations
In this review I’ve covered four main plugin options for securing your sites. I’ve also shared my experience with, and thoughts about, a few others. Here is a summary of my assessments and also my recommendations based on what I’m using.
All In One WP Security: This is a solid free option that is a good choice for a single user site. I recommend two factor authentication for administrators of ecommerce and membership sites and AIOS does not have this feature, so I wouldn’t use it for those types of sites. I’m liking AIOS and plan to use it more.
BBQ Firewall Free and Pro: This is a great plugin that pairs well with iThemes Security, which does not include a firewall. It is lightweight and problem free. I use both versions of the BBQ Firewall plugin and consider them 5 star.
iThemes Security Free or Pro Together with BBQ Firewall: This is a good, workable option. The iThemes Security lock-down options and login protection are solid. BBQ provides a basic, trouble-free PHP firewall. The pro version of iThemes has extra options for managing user login security, which might be attractive for membership or LMS types of sites. I use both versions of iThemes Security, though I think I’m liking All in One WP Security better than the free version of iThemes. AIOS also uses less memory. I may switch the sites where I am using the free version of iThemes Security over to AIOS.
MalCare Free: I have not used this, but it seems like it might be good free option to add malware scanning.
BlogVault with MalCare Pro: I really like the BlogVault backup service, and the off-site malware scanning makes it a nice combination. I use BlogVault as my main backup solution. It is more expensive than a simple backup plugin, but it has been problem free and I am very happy with it.
Patchstack Free: I don’t see much point in the free version of Patchstack, though I have not used it.
Patchstack Pro: I like Patchstack Pro and use it on my sites. It is from a team focused solely on security, is fairly easy to configure, and has a lot of good options. The central online dashboard is also nice. It is performant, though you will need to pair it with a malware scanning option.
Wordfence Free: The free version of Wordfence is the most popular security plugin solution in the WordPress plugin directory. It is a bit difficult to configure, but has a good set of features. Be wary of too much memory usage. The Wordfence team is focused on WordPress security and seems to do a good job supporting its free users. It is a solid option. The online dashboard is nice if you have more than one site using Wordfence.
Wordfence Pro: The pro version of Wordfence is the most feature rich single security plugin. It is backed by a team of professionals whose only job is security. It is a bit difficult to configure, is the most expensive stand-alone security plugin, and also uses a lot of server resources, but is probably the most popular paid option and its users are very happy with it. It is also a solid option.
WP Security Ninja Pro: I included this plugin because I used it for a while. It is not something I’d use now.
So that is my review of WordPress security plugins. Please let me know if you see anything that needs correction, or if you have suggestions or questions. I hope you found this review interesting and that you got some good information from it.