What You May Not Know about WordPress Security Plugins

By Charles Costa
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now

When it comes to securing your WordPress install with a security plugin, it can be tempting to enable every feature of the plugin to harden your site. If you start enabling features blindly, you can end up bringing your site to a halt.

This is because security plugins such as iThemes Security and Wordfence Security automatically modify core elements of WordPress such as the database, file paths, permissions, and more to harden the install from attacks.

In a previous article on managed WordPress hosting pros and cons, I briefly went over common security plugins which are used to harden WordPress, however it didn’t discuss how many of the security features work and how they impact your site.

Although one-click WordPress security plugins are a great way to streamline WordPress security, they often have unintended side effects which can hinder the performance of your sites. You can avoid seeing the dreaded WordPress ‘white screen of death’ by paying attention to the details below.

File Change Detection

In the digital security space, intrusion detection systems (IDS) and integrity monitoring are critical tools for server administrators because they allow server administrators to detect malicious activity which happens due to preventive measures failing. In the past, IDS tools were cumbersome and expensive to maintain, however many WordPress security plugins provide similar tools to monitor your website for changes with a few mouse clicks.

In theory, this feature is a great safeguard against subtle attacks which happen behind the scenes, but if not configured properly, your inbox will be flooded with thousands of false positive notices regarding your site. For example, if you have a caching plugin installed on your website, you’ll receive emails documenting every single change as it occurs.

In general, the best way to get around this issue is to avoid change detection all together if you aren’t an experienced WordPress developer. Since every server and WordPress configuration is different, this feature is only beneficial if you can decipher the alerts.

Country Blocking

It can be tempting to use country blocking to prevent rogue traffic from hitting your site, however this feature often does more harm than good. The biggest reason is that it’s pretty easy for attackers to get around these blockers simply by spoofing their IP address or using readily available VPN services. In fact, this is something many consumers do themselves in order to get around copyright restrictions on multimedia content.

WordPress Security Example - Country Blocking

In theory, country blocking might help if you’re an online merchant who is very concerned about fraudulent transactions. However, if a consumer can spoof their IP to watch a video clip outside of their country, then a fraudster probably is going to use the same technology to access your site.

Shipping restrictions usually are a better way to protect your company from fraudulent transactions. Additionally, while country blocking can block some botnets, an entire cottage industry has spawned around malicious people selling access to compromised systems in developed nations.

Long story short, country blocking may have once been a valid way to reduce your websites threat exposure, however today it’s only good at providing a false sense of security.

Forced SSL for Logins

Forced SSL is one of the best features many WordPress security plugins provide because it is a relatively simple change which can make a huge difference in protecting yourself and users. One of the biggest reasons many websites used to have logins unencrypted is because servers couldn’t handle the overhead for frequent transactions. As computing power became cheaper, SSL became more common.

Today, encryption has become so important that Google recently said it is integrating it into their SEO criteria. The rise of wireless Internet and recent concerns over protecting privacy mean that website operators need to protect their users. Even if you don’t encrypt your entire website, ensuring users have secure login pages is a must in today’s society.

Before you enable forced SSL on your WordPress site, make sure that you have a SSL certificate installed and configured. Most web hosts will handle the installation for you, and you can test the certificate simply by adding https:// to your site name and then visiting it. If you get a certificate error, then you’ll know you shouldn’t go forward with enabling this option. On the other hand if your site goes through as usual, feel free to go forward with it.

Keep in mind that you’ll need to keep your SSL certificate paid up to ensure the functionality of your site. If you’re on a development server, you could technically use self signed certificates, however they’ll often trigger browser warnings when individuals attempt to visit your site.

The Importance of Common Sense

Just as you wouldn’t change settings blindly on your workstation, you shouldn’t enable security features on your WordPress site without knowing exactly what they do.

Randomly enabling security features not only increases the odds of encountering the dreaded ‘white screen of death’ but also can result in giving you a false sense of security.

As with any tools, they only are useful if they are used properly. If you don’t fully understand the power of common security plugins, then you could be doing more harm than good.

Further Reading

It’s worth mentioning that many experienced WordPress administrators don’t rely on any security plugins at all, they prefer to manually harden WordPress and their servers themselves. If you’re interested in learning more about WordPress security, I’d recommend starting with the official WordPress documentation:

Finally, make sure to exercise common sense when selecting and installing themes and plugins. I’ve also written some tips that can be found below that you may find useful:

We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now
  • JenilK

    Very good article !!!
    Hardening WordPress (WordPress Codex) http://codex.wordpress.org/Hardening_WordPress%3Cbr%20/%3E
    But Link is not working

  • Ivan Bayross

    Hi Charles,

    When I read what you had written about File Change Detection, I had a touch of Dejavu.

    My Inbox gets flooded with alerts indicating that my CAPTCHA image has changed. While this reassures me that my security plugin is working, its really a pain.

    What’s worse is that there is a plugin configuration via which you can inform the security plugin what not to monitor. Regretfully, it cheerfully ignores my instructions to ignore changes in CAPTCHA images.

    That said, the plugin does a really great job of protecting my WordPress site hence I tolerate this issue.
    Perhaps the people who created this plugin have a wicked sense of humor.

    Wow, I certainly learned about about how people get around Country Blocking. While this facility in the WordPress security plugin

    looks most impressive, I understand now just how unimpressive it truly is. I guess nasty people can always find a way around the checks and controls protecting a WordPress website.

    Your content on SSL was really helpful. I’ve been thinking of getting a security certificate for my website for a while but was sitting on the fence wondering what to do. Now I feel a ton more confident in handling SSL for my website.

    Thank you for sharing such excellent content.


    Ivan Bayross

    • Hey Ivan,

      Thanks for the feedback! As far as your issue with alerts goes, if you really need to have them turned on – try enabling a filter to have them go to a dedicated folder/label. That way you can check it at your leisure rather than have it interfere with your standard workflow. I’ve done that a few times before when I wanted to have more control over my website security.

      • Ivan Bayross

        Thanks Charles, that was exactly what I did.

        That said, there is a setting in the tool via which one can tell the tool what events to ignore. I’ve followed the tools configuration instructions to the letter, to add the CAPTCHA exception ( heck even I trigger CAPTCHA errors myself ) but for some reason or the other it does not work.

        Perhaps, I’m doing something wrong.

        Thanks for sharing an idea that definitely reduces Mailbox stress :-) though

  • Thanks for letting us know JenilK, the links has been fixed :)

  • Would you be interested in giving The WP Security Firewall a close look? Unlike any of the plugins you mentioned it doesn’t modify core files so your users wont be calling you for support every time it updates. And, you can knock it offline with FTP write access if the world ends.

    I’d be happy to demo it for you so you can see more and have something user friendly to recommend to your clients.

    The plugin is here: https://wordpress.org/plugins/wp-simple-firewall/