A stock installation of WordPress is vulnerable to attack. If you don’t want your site to get turned into a zombie in a hacker botnet, you need to install a security plugin to protect your WordPress website. But which plugin should you use?
[Update 4-10-14: in the short time since I posted this comparison, the plugin “Better WP Security” has been taken over by another developer and completely rebuilt. Unfortunately, that change casts doubt on this post’s conclusions. I’ll test the rebuilt plugin and post the results when I have time. Until then, just keep that in mind as you read on.]
Over the past month I’ve been individually reviewing WordPress security plugins, examining their features, flaws, and effects on a user’s system. Now the time has come for a comparison. Which is the best WordPress security plugin? What do the plugins have in common, and where is there room for improvement? Here it is, at long last, my evaluation and comparison of the WordPress security plugins.
Evaluation Criteria
I evaluated the plugins Better WP Security, Bulletproof Security, Wordfence, and All In One WP Security & Firewall based on the following criteria.
Usability & effectiveness
I am looking for a WordPress security plugin that is easy to set up and install, so I can get it running on a client’s website with the fewest possible clicks. It should be unobtrusive to legitimate users, with few nags or error messages. And it should provide the maximum protection from the most common attacks against a WordPress installation.
.htaccess deny rules (Firewall)
Essential WordPress security begins with .htaccess-based deny rules to block bad requests. These types of deny rules can help prevent common attacks, including SQL injection, directory traversal, remote file inclusion (RFI), and cross-site scripting (XSS) attacks. This category of deny rules can also prevent snooping that might reveal the weaknesses of your system to an attacker.
Properly speaking, an .htaccess deny rule is not a firewall. An actual firewall is a piece of network security hardware, and unless you own or manage your own data center, I guarantee you do not have direct access to yours. If you’re on shared hosting, there’s a good chance that your web host’s firewall does little to prevent the sort of attacks that your WordPress website is most vulnerable to. A hardware firewall in a shared hosting environment protects the server infrastructure; it does not prevent SQL injection attacks and so on. For this reason, .htaccess rules have commonly come to be described as a “firewall,” following the naming convention used by Jeff Starr, who created the ever-popular “G” series of .htaccess deny rules, available for download from his website at Perishable Press.
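As an added illustration of how a plugin adds .htaccess deny rules of the kind described above (this is not code from any of the reviewed plugins or from Perishable Press), here is a hypothetical plugin that writes a small rule block using WordPress’s own insert_with_markers() helper; the plugin name, marker name and the specific rule patterns are my own choices.

```php
<?php
/*
 * Plugin Name: Example Deny Rules (illustrative, hypothetical plugin)
 * Writes a block of .htaccess deny rules between "# BEGIN/END" markers via
 * WordPress's insert_with_markers(), so it is added once and updated in place.
 */

// Apache mod_rewrite rules. They inspect only the query string and the
// User-Agent header, so ordinary page, feed and admin URLs are unaffected.
function example_deny_rules() {
    return array(
        '<IfModule mod_rewrite.c>',
        'RewriteEngine On',
        // Directory traversal: "../" in plain or URL-encoded form.
        'RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f) [NC,OR]',
        // Cross-site scripting probes: a <script tag, plain or URL-encoded.
        'RewriteCond %{QUERY_STRING} (<|%3C)script [NC,OR]',
        // Classic SQL injection marker: UNION ... SELECT in the query string.
        'RewriteCond %{QUERY_STRING} union(\s|\+|%20)+(all(\s|\+|%20)+)?select [NC,OR]',
        // Known scanner user agents (illustrative, not an exhaustive list).
        'RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|acunetix) [NC]',
        // A request matching any condition above is answered with 403 Forbidden.
        'RewriteRule .* - [F,L]',
        '</IfModule>',
    );
}
// A remote-file-inclusion rule matching "http://" in the query string is left
// out on purpose: WordPress's own redirect_to parameter carries full URLs, so
// such a rule would lock legitimate users out of wp-admin.

function example_deny_rules_install() {
    require_once ABSPATH . 'wp-admin/includes/file.php';   // get_home_path()
    require_once ABSPATH . 'wp-admin/includes/misc.php';   // insert_with_markers()
    // Replaces everything between "# BEGIN ExampleDeny" and "# END ExampleDeny",
    // creating the file or the marker block if they do not exist yet.
    insert_with_markers( get_home_path() . '.htaccess', 'ExampleDeny', example_deny_rules() );
}

function example_deny_rules_uninstall() {
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    // An empty list leaves the markers in place but removes every rule between them.
    insert_with_markers( get_home_path() . '.htaccess', 'ExampleDeny', array() );
}

register_activation_hook( __FILE__, 'example_deny_rules_install' );
register_deactivation_hook( __FILE__, 'example_deny_rules_uninstall' );
```

Test any such rule set against your own site’s real traffic before relying on it: every pattern here is a trade-off between catching probes and rejecting an occasional legitimate request.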
Login security
The most common attacks against a WordPress installation involve brute-forcing the administrator’s password. If an attacker can gain administrative access, they will be able to do all kinds of nasty things, like plant a back door in your theme files, which effectively gives them unlimited access to your server’s resources. (See also, “Why do people hack websites?”)
System vulnerabilities
There are several weaknesses to a stock WordPress installation. The most significant system vulnerability is that WordPress will allow unlimited failed login attempts from a single website visitor, up to and including thousands of failed logins within just a few minutes. To make matters worse, WordPress attempts to be user-friendly by providing an attacker with clues as to whether or not they are attempting to brute-force an account that actually exists. This is overly helpful to an attacker, and therefore these login error messages must be obscured by any security plugin deserving of the name.
Human vulnerabilities
To make matters worse, there are popular WordPress auto-installers (I’m looking at you, Fantastico Deluxe) that set up WordPress with the default administrator username of “admin.” This means that hundreds of thousands of WordPress websites have an administrative username that is already known to an attacker. Since the attacker also knows the location of the login page, this means they only have to guess the password in order to get in.
Finally, a lot of website owners employ weak passwords. They think, “oh, my site is just small, nobody would want to hack me.” (People say this to me all the time.) So these website owners use passwords that are not random, and this leaves them vulnerable to attack. Remember, people, very few hacks are undertaken for the sake of gaining “hacker cred.” The hackers don’t care about you. The hackers want your server resources. Don’t let them get in.
How a security plugin should help
An effective WordPress security plugin will have a mechanism for mitigating or preventing brute-force attacks; changing default usernames; and enforcing strong passwords for all new user registrations.
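As an added example (not code from any plugin in this review) of the two login-security basics the preceding sections call for, limiting failed logins and obscuring which half of the credentials was wrong, here is a hypothetical plugin written against the standard WordPress hooks; the threshold, the lockout window and the message text are assumptions.

```php
<?php
/*
 * Plugin Name: Example Login Limiter (illustrative, hypothetical plugin)
 * Locks out a client address after repeated failures and stops the login
 * form from revealing whether the username or the password was wrong.
 */

define( 'EXAMPLE_LOGIN_MAX_FAILURES', 5 );                 // assumed threshold
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );  // assumed lockout length
define( 'EXAMPLE_LOGIN_LOCKED_MSG', 'Too many failed logins from your address. Try again later.' );

// Counter key per client address. Behind a reverse proxy or CDN, REMOTE_ADDR is
// the proxy; use the forwarded-address header only if that proxy is trusted.
function example_login_key() {
    return 'example_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Every failed attempt (including attempts made while locked out) bumps the
// counter and restarts its expiry, so the lockout lifts only after a quiet
// EXAMPLE_LOGIN_WINDOW. Transients expire on their own; no cron job is needed.
function example_login_record_failure( $username ) {
    $key = example_login_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOGIN_WINDOW );
}
add_action( 'wp_login_failed', 'example_login_record_failure' );

// Priority 100 runs after the built-in username/password handler at 20. That
// handler ignores an error returned earlier in the chain and would hand back a
// WP_User for a correct password, so the lockout must override its result.
function example_login_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( example_login_key() ) >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error( 'example_locked_out', EXAMPLE_LOGIN_LOCKED_MSG );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_check_lockout', 100, 3 );

// Replace WordPress's "Invalid username" / "incorrect password" messages, which
// confirm whether an account exists, with one neutral message. Only the login
// action is touched (lost-password errors stay readable), and the lockout
// notice above is passed through unchanged.
function example_login_obscure_errors( $message ) {
    $action = isset( $_REQUEST['action'] ) ? $_REQUEST['action'] : 'login';
    if ( 'login' !== $action || false !== strpos( $message, EXAMPLE_LOGIN_LOCKED_MSG ) ) {
        return $message;
    }
    return 'Invalid login credentials.';
}
add_filter( 'login_errors', 'example_login_obscure_errors' );
```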
Alright, so who wins?
I created this convenient chart to help me determine which WordPress security plugin satisfies the greatest number of my criteria.
| Criterion | Better WP Security | BulletProof Security | Wordfence | All In One WP Security & Firewall |
|---|---|---|---|---|
| Ease of Setup | | | | |
| Are the plugin’s features turned on when it is activated, or if not, does the plugin have a simple one-click setup? | Yes | No | Yes | No |
| Is it immediately clear to the untrained user how to modify the plugin’s settings? | No | No | No | No |
| Does the plugin preserve existing user settings and data? | Yes | No | Yes | Yes |
| .htaccess deny rules (firewall) | | | | |
| Does the plugin create .htaccess rules to deny bad requests? | Limited | Yes | No | Yes |
| Does the plugin supply .htaccess rules to ban known bad user agents? (Less effective, but still helpful) | Yes | No | No | Yes |
| Login Security | | | | |
| Does the plugin provide a way to limit failed login attempts? | Yes | Yes | Yes | Yes |
| Is the login attempt limiter enabled by default? | Yes | Yes | Yes | No |
| Are the default settings adequately restrictive? | Almost | Yes | No | Almost |
| Does the plugin provide a means for changing the default “admin” username? | Yes | No | No | Yes |
| Does the plugin enforce strong passwords? | Yes | No | Yes | No |
| Does the plugin have a function to obscure default WordPress login error messages? | Yes | Yes | Broken | Yes |
| Does the plugin obscure login error messages by default? | No | No | No | No |
| Traffic | | | | |
| Does the plugin monitor traffic for suspicious activity? | Yes | Partial* | Yes | No |
| Can the plugin automatically block visitors based on unwanted behavior? | Yes | No | Yes | No |
| File System Security | | | | |
| Does the plugin include a feature that will restrict the file permissions for sensitive files? | Yes | Browser | No | Broken |
| Does the plugin include a feature that will monitor changes to the file system? | Yes | No | Yes | Yes |
| Code Quality | | | | |
| When tested, was the plugin free of obvious coding errors? | Yes | No | Yes | Yes |
| Irritants | | | | |
| Is the plugin free from nags? | No | No | Yes | Yes |
| Additional Features | | | | |
| Does the plugin include additional features beyond the minimum listed here? | Yes | No | Paid upgrade | Yes |
Based on this assessment, I’m going to have to say that Better WP Security is the clear winner. Scored against my criteria, it came out at 78.9% overall, with an unqualified “Yes” on 73.7% of the questions. Clearly even the best WordPress security plugin has room for improvement, but it looks to me like Better WP Security is the fundamental starting point for securing your WordPress website.
Additional Notes
*Bulletproof Security got partial credit for “traffic” because it logs 400 Bad Request and 403 Forbidden errors. However, it does not log 404 Not Found errors unless you manually edit some source code. And really, the point here is that while it blocks bad requests based on .htaccess deny rules, it does not lock out bad bots that ping the site with a large number of requests for files that aren’t there (which is almost always an attempt to look for security vulnerabilities).
Additional Features
Several of these plugins boast additional features that were not evaluated under my core criteria.
All In One WP Security and Firewall
AIOWPSF has a feature to add CAPTCHA to a login page, which could help deter automated brute force attacks, but could also increase the number of false positives. Personally, I always get those darn things wrong, because I can’t read them.
AIOWPSF has an interesting Brute Force Prevention tool (requires a unique cookie in order to even access the login page). Some readers may recall that in my review I felt the implementation was not flawless; nevertheless it could be a very useful feature for a fine-tuned website.
AIOWPSF also logs successful logins, which could be helpful in identifying a vector for a successful attack, but is also a bit creepy.
Wordfence
Wordfence has a fancy two-factor authentication (cell-phone sign-in) option, but this feature requires the paid upgrade.
Better WP Security
Better WP Security has an “away mode” that prohibits logins during those times when you know you won’t be accessing your site.
BWPS also has an option to force SSL for all logins, if your site has SSL available.
And BWPS allows you to rename your wp-content and wp-admin folders to obfuscate the location of your login pages and plugins.
Think I missed one?
I evaluated the top WordPress security plugins based on arbitrary criteria such as the system’s recommendations when I search for “security” on the plugin installation screen. There are many other WordPress security plugins available. If you think there is an important one that I should have included in this review, please leave a note in the comments and I’ll look it up in the repository for potential consideration. Cheers!