WordPress security is a hot topic. We all know by now that the world’s most widely used open source CMS, wonderful as it is, has security concerns we all need to be aware of. Many people who run WordPress are not security experts, but we all want to do what we can to keep our sites secure.
So many of us reach for a security plugin.
The catch is that a security plugin has to be used with some understanding of what it changes on your site. Installing one looks easy, but for the ‘average’ WordPress user it can create problems rather than solve them.
After documenting some issues that security plugins can bring up, we rounded up the advice of some WordPress security experts who graciously donated their time to help us understand this topic better!
Our thanks go out to Jim Walker (The Hack Repair Guy), Howard Carson, CTO of US Server Net (a managed WordPress hosting company), and Thomas Oliver, who knows .htaccess and regular expressions inside out. They are quoted throughout this article and helped in its editing.
This article is not to say that we shouldn’t use security plugins in all instances, but certainly that if WordPress users want to use one, they need to be ready for what caveats may come with it. Understanding the technicalities behind what these plugins do to a site may be confusing for non-technical users.
There are many security plugins available for WordPress, and this article merely summarizes the pitfalls that could come with any of them, in principle. And, as Howard points out:
The quality of coding varies tremendously…There are some plugins that are excellent, work behind the scenes to protect sites, and will never cause problems, in principle or in fact!
With the above said, let’s dive into some of the reasons why you may want to think twice about using WordPress security plugins.
Their Settings Require Security Knowledge
As Howard points out, this is not just a problem with security plugins. Sometimes lots of options exist in a plugin because advanced users want them. Though that’s not to say the user interface or settings are an indication of how well these plugins work. As a great example, Better WP Security tries to minimize options and simplify what non-technical users need by offering a “Secure my site from basic attacks” button.
But after you get past the “basics,” whoa horsey – how is anyone unlearned in the world of security supposed to know they should “change the wp-content directory”? Or in BulletProof Security, what is the difference between “Default” and “BulletProof Mode”? It takes a lot of reading to figure this stuff out, and if you’re hesitant about pushing buttons you don’t know the effects of (which you should be), you won’t get immediate relief knowing your site is secure once you install these plugins. Instead, you might wonder what on earth you just pressed and if anything is going to detonate soon.
So right out-of-the-box these plugins demand a good working knowledge of what they’re going to do to your site. That’s not easy for the ‘average’ WordPress user. Maybe they’re not meant to be easy, because, as Howard points out,
Website vulnerability management is not an easy topic. Solutions to the wide range of potential problems are varied and complex.
They Send You Spooky Messages
The thing with enabling a feature that bans visitors, counts how many 404 pages they hit, or monitors file changes is that the site admin starts getting e-mails that, in all honesty, sound kind of scary. Like this one (from Better WP Security):
A host, 88.241.170.129 (you can check the host at http://ip-adress.com/ip_tracer/88.241.170.129) has been locked out of the WordPress site at http://my-WordPress-site.com until Friday, October 11th, 2013 at 11:11 am due to too many login attempts. You may login to the site to manually release the lock if necessary.
At first you’re like, “Oh wow this plugin is great, it’s blocking evil people from hacking my site!”
But then you get one to three of them every day for the rest of your life. It takes a while, but you figure out there must be hordes of bots out there hammering WordPress login pages around the clock. Will they get into your site? Let’s hope not. But you don’t need a scary e-mail for every attempt to know your site is holding up.
Jim says here that he “recommends disabling these messages by ‘unchecking the box’ unless you have a specific reason for receiving them. The messages essentially say, ‘the plugin is working.’ This is a good thing, though they provide no value to the average user.” Howard recommends only a webmaster responsible for security should receive these.
While these messages sometimes point at something real, a file-change monitor will also fire when you update another plugin or do something equally ‘innocent’ on your site (can we put it that way?). Most of the time they mean nothing (at least we hope so!). Sometimes they mean something serious, but they’re like the girl who cried wolf: after enough false alarms we mentally tune them out, and the real one gets ignored with the rest.
They Create SEO Issues
You can lock down your site to the level of paranoia, but if it stops you from making money, what’s the point of having a website?
I once had “Intrusion Detection” enabled in Better WP Security, and while there were no clear signs the plugin was definitely the cause, my site stopped being indexed by Google. I was getting lots of error messages in Webmaster Tools. I found a forum post by the plugin author that said in some cases it could lock out Google, though it shouldn’t.
I disabled “Intrusion Detection” and the problem went away; Google could index my site again. Phew! So it was not the plugin itself, as Howard points out, it was the configuration of the plugin.
With security plugins, it could be this reason or that reason sites are not being indexed. As Howard explains, it depends “on which settings are enabled and which SEO plugin is used.”
As Jim explains very specifically,
Security plugins may not always interact with every WordPress installation as expected. If Google Webmaster reports an error accessing the website, I recommend the Intrusion Detection setting be set to no lower than an Error Threshold of 30 or higher, or disabled entirely if more than a few errors occur each month.
There is a similar setting in Wordfence Security as well, in the Firewall rules section, where I recommend a value of no lower than 30 per minute be set for crawlers and 404 errors.
They Can Lock You Out of Your Own Site
We know that a great many WordPress sites get broken into because someone kept the default “admin” username and used a password like “password.” So a plugin that limits login attempts is great (though really, there’s no hope for you if you insist on using “password” as your password).
As Howard explains, this is crucial because,
Limiting login attempts is important for preventing denial of service attacks. WP core doesn’t limit attempts, and hacker bots will run through a dictionary of common passwords if you let them. (Every hacker has the ‘500 most common passwords’ — if you use any of them, you’re begging to be hacked.)
But when a security plugin starts locking you, or your clients, out of their own site, oh, the agony!
For this reason, Howard says,
Yes, this can happen. One of the first things we do on new sites is create a second admin level account, to be used as a back door in the event of an unexpected lockout. A WordPress tech can use phpMyAdmin to fix this, most end users can’t.
You can usually set higher or lower tolerance levels for things like this, but the part that gets annoying is when you get locked out ‘just because.’ You don’t even have to visit a 404 page or use a wrong password. The plugin suddenly ‘feels’ like locking you out.
Ok, ok. Howard makes a legitimate point that computers “don’t ‘feel’ like doing things ‘just because.’ They follow instructions; something in the code is poorly written.”
But Jim confirms this can happen and says, “yes, I have reproduced this as well. And in those cases where it occurs more than once I generally fully uninstall the annoying plugin and try the alternate one.”
If you run an e-commerce or membership site, think twice before using this type of feature, because your customers are going to forget their passwords a lot. Lockouts are usually counted per IP address (the e-mail above names a host, not a user), so a handful of customers sharing one office or mobile-carrier address can trip the limit between them. If they keep entering a wrong password, visit the wrong URL or otherwise tick off the plugin, they’re going to see an error page instead of your site. That won’t be good for sales.
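Here is what that lockout logic looks like when you write it out, as an added example that is not code from this article or from any plugin it names. It replays a constructed event log through two per-IP rules, the 404 counter that Jim’s threshold advice refers to and a failed-login counter, and shows three things: a low 404 threshold bans a crawler that is merely following stale links while Jim’s 30-per-minute figure does not; six customers behind one NAT address, each mistyping once, lock the whole office out; and a whitelist for your own address is the network-level version of Howard’s spare admin account. The rule kinds, thresholds, window lengths and addresses (RFC 5737 documentation ranges) are assumptions chosen for the demonstration.

```python
"""Per-IP lockout logic of the kind the article describes, replayed over a
constructed event log.

Added example; not code from the article or from any plugin it names. The
rule kinds, thresholds, windows, whitelist and IP addresses (RFC 5737
documentation ranges) are assumptions chosen for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    kind: str        # event type the rule counts: "404" or "login_fail"
    threshold: int   # hits inside the window that trigger a lockout
    window: int      # sliding window length in seconds


class LockoutEngine:
    """Counts events per (client IP, kind) in a sliding window; bans on threshold."""

    def __init__(self, rules, whitelist=()):
        self.rules = {r.kind: r for r in rules}
        # Networks that are never locked out. Your own admin address belongs
        # here: it is the network-level version of a spare admin account.
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.hits = defaultdict(deque)
        self.banned = {}          # ip -> (kind that triggered, timestamp)

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def observe(self, ts, ip, kind):
        """Record one event; return the Rule that locked ip out, else None."""
        rule = self.rules.get(kind)
        if rule is None or ip in self.banned or self.is_whitelisted(ip):
            return None
        q = self.hits[(ip, kind)]
        q.append(ts)
        while ts - q[0] > rule.window:    # drop hits that fell out of the window
            q.popleft()
        if len(q) >= rule.threshold:
            self.banned[ip] = (kind, ts)
            return rule
        return None


# Constructed event log: (seconds, client IP, event kind), sorted by time.
EVENTS = sorted(
    [(t, "192.0.2.10", "404") for t in range(0, 60, 5)]                 # crawler: 12 dead links in a minute
    + [(100 + 20 * i, "203.0.113.7", "login_fail") for i in range(6)]   # office NAT: six customers, one typo each
    + [(300 + 10 * i, "198.51.100.4", "login_fail") for i in range(8)]  # admin mistyping a new password
)


def run(rules, whitelist, events=EVENTS):
    """Replay events through the engine; return {ip: kind that triggered the ban}."""
    engine = LockoutEngine(rules, whitelist)
    for ts, ip, kind in events:
        engine.observe(ts, ip, kind)
    return {ip: kind for ip, (kind, _) in engine.banned.items()}


if __name__ == "__main__":
    aggressive = [Rule("404", 5, 60), Rule("login_fail", 5, 300)]    # assumed "strict" settings
    relaxed = [Rule("404", 30, 60), Rule("login_fail", 5, 300)]      # Jim's 30-per-minute figure for 404s
    print("aggressive, admin whitelisted:", run(aggressive, ["198.51.100.0/24"]))
    print("relaxed, admin whitelisted:   ", run(relaxed, ["198.51.100.0/24"]))
    print("aggressive, no whitelist:     ", run(aggressive, []))
```

The crawler is banned under the strict 404 rule after its fifth dead link and never under the 30-per-minute rule; the office address is banned under both, because the login counter sees one client, not six people; and the admin is only safe while whitelisted, which is exactly the gap Howard’s second admin account covers at the application layer.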
Again, try what Jim says: use another plugin. Or use our advice below and get managed WordPress hosting!
Note: as Howard points out, security is an especially big concern if you are running an e-commerce site. Extensive measures should be taken if you are processing credit card transactions on your site (too big a topic for this article). You’ll need a workaround for plugins that can lock your customers out.
They Make Hard-to-Reverse Changes
If you don’t know how to reverse their changes, these plugins could create really big, time-consuming and expensive problems to fix. Like for example, the option to change the wp-content directory folder name. At first a new WordPress user might think, “well yeah, if a security plugin says I should do this to make my site secure, why wouldn’t I?”
But this can interfere with other plugins and themes on your site. Thankfully there are clear warning messages on plugins like Better WP Security that tell you this can happen.
Plus, these changes don’t always buy you anything. Using our example above, Thomas says:
Renaming WordPress directories really does not provide additional protection. People with malicious intent usually use pre-built scripts to find vulnerabilities in any CMS like WordPress. They look for static files, that for the most part, cannot be changed without breaking their functionality. Like JavaScript files.
If I wanted to see if a site was using a vulnerable plugin, I wouldn’t even worry about looking for wp-content. I would look for its changelog, readme, images, stylesheets, and/or any JavaScript files. There are many vulnerability scans that do this already.
Changing parts of your installation through a security plugin can be a pain to undo after you’ve hit the button, especially if you are no longer using that plugin. In our wp-content example, you would not only have to rename the folder back, you would have to remove the WP_CONTENT_DIR and WP_CONTENT_URL defines that relocate the folder from wp-config.php and scan your entire database for URLs that still use the old folder name. Many of those URLs sit inside serialized option values, where each string carries its own length, so a plain find-and-replace in phpMyAdmin quietly corrupts them. A non-coder would find this difficult.
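To show what “scan your entire database” actually involves, here is a serialization-safe replacement, added as an example and not taken from the article or from any plugin it names. WordPress stores many options and post/user meta as PHP-serialized arrays, where every string carries its byte length; a plain find-and-replace that changes a URL’s length leaves the old count behind, PHP’s unserialize() then fails, and the option silently vanishes. The sample option value and the old/new URLs are constructed, and the renamed folder is assumed to have been called assets.

```python
"""Serialization-safe URL replacement for WordPress option values.

Added example, not code from the article or from any plugin it names.
WordPress stores many options and meta values as PHP-serialized arrays in
which every string carries its byte length (s:LEN:"..."). A plain
find-and-replace that changes a URL's length leaves the old LEN behind;
PHP's unserialize() then returns false and the option is silently lost.
The sample value and URLs below are constructed.
"""


def parse(data: bytes, pos: int = 0):
    """Parse one PHP-serialized value at pos; return (value, position after it).

    Handles the types WordPress emits: N, b, i, d, s and a. Arrays become
    dicts (insertion-ordered, int/str keys preserved).
    """
    t = chr(data[pos])
    if t == "N":
        return None, pos + 2
    if t in "bid":
        end = data.index(b";", pos)
        raw = data[pos + 2:end].decode()
        value = {"b": lambda v: v == "1", "i": int, "d": float}[t](raw)
        return value, end + 1
    if t == "s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        end = start + length
        if data[end:end + 2] != b'";':
            raise ValueError(f"string length {length} at {pos} does not match content")
        return data[start:end].decode("utf-8", "surrogateescape"), end + 2
    if t == "a":
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip ':{'
        items = {}
        for _ in range(count):
            key, pos = parse(data, pos)
            value, pos = parse(data, pos)
            items[key] = value
        if data[pos:pos + 1] != b"}":
            raise ValueError(f"array at {colon} not closed")
        return items, pos + 1
    raise ValueError(f"unsupported or non-serialized data at {pos}")


def dump(value) -> bytes:
    """Serialize back to PHP format, recomputing every string length."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:1;" if value else b"b:0;"
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, str):
        raw = value.encode("utf-8", "surrogateescape")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(dump(k) + dump(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(type(value).__name__)


def replace_strings(value, old: str, new: str):
    """Apply str.replace to every string inside a parsed value, keys included."""
    if isinstance(value, str):
        return value.replace(old, new)
    if isinstance(value, dict):
        return {replace_strings(k, old, new): replace_strings(v, old, new)
                for k, v in value.items()}
    return value


def is_serialized(text: str) -> bool:
    """True if text is one complete, well-formed PHP-serialized value."""
    data = text.encode("utf-8", "surrogateescape")
    try:
        return parse(data)[1] == len(data)
    except (ValueError, IndexError):
        return False


def safe_replace(option_value: str, old: str, new: str) -> str:
    """Replace old with new in an option value without breaking its serialization."""
    data = option_value.encode("utf-8", "surrogateescape")
    try:
        value, end = parse(data)
    except (ValueError, IndexError):
        end = -1
    if end != len(data):
        return option_value.replace(old, new)      # plain text: a direct replace is correct
    return dump(replace_strings(value, old, new)).decode("utf-8", "surrogateescape")


# Constructed option value: a theme setting saved while wp-content was called "assets".
OLD_BASE = "http://example.com/assets"
NEW_BASE = "http://example.com/wp-content"
SAMPLE = 'a:2:{s:4:"logo";s:42:"http://example.com/assets/uploads/logo.png";s:5:"width";i:300;}'

if __name__ == "__main__":
    print("naive :", SAMPLE.replace(OLD_BASE, NEW_BASE), is_serialized(SAMPLE.replace(OLD_BASE, NEW_BASE)))
    print("safe  :", safe_replace(SAMPLE, OLD_BASE, NEW_BASE), is_serialized(safe_replace(SAMPLE, OLD_BASE, NEW_BASE)))
```

The naive replacement keeps s:42 in front of a 46-byte URL and fails the length check, which is what PHP would also reject; the safe version parses, replaces and re-serializes, so the count is recomputed. Values that are not serialized at all (a bare URL in siteurl, say) fall through to an ordinary replace.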
In another example, if you set a plugin to force your site onto https while the “Site Address” in your General settings is still the http version of your URL, your inside pages may load but the home page can come up blank or bounce around in a redirect loop. Undoing SSL settings is not easy-peasy stuff if you’re not a tech person.
If you have enabled any feature that bans IP addresses from your site, your .htaccess file is going to grow and grow. Apache re-reads and evaluates it on every request, so this can slow down your site, and when you call your host for support you know what they’re going to say: “Your .htaccess file is really long.”
As Thomas points out,
Some hosts will actually suspend your site if your .htaccess has become resource expensive. It doesn’t necessarily have to be lengthy. You really need to know what you’re putting in your .htaccess and the pros and cons of doing so. Just inserting lines of code without having any idea on what it specifically does, can be more detrimental than helpful.
A security plugin that locks out potential hackers also records the IP addresses it has locked out, typically in its own database table. So if you lock yourself out, you have to know how to go into the database and delete the row containing your IP address (or the line in .htaccess, if the plugin wrote the ban there). If you have never been exposed to phpMyAdmin, this is going to be a very difficult task for you.
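A small audit script for the ban list, added here as an example and not code from the article or from any plugin it names. Run it against your .htaccess when you are the one locked out: it tells you which entry covers your address (including a wider netmask you would not spot by eye), how many entries Apache evaluates on every request, and what the list collapses to if you move it into the server configuration or a firewall. The sample .htaccess is constructed; it uses the Apache 2.2 Deny from and Apache 2.4 Require not ip forms, and which of those a given plugin writes is not something the article states.

```python
"""Audit the IP bans a security plugin has written into .htaccess.

Added example, not code from the article or from any plugin it names.
SAMPLE_HTACCESS is constructed (RFC 5737 documentation addresses). The
directive forms parsed, Apache 2.2 "Deny from" and Apache 2.4
"Require not ip", are real; which one a given plugin emits is assumed.
"""
import ipaddress
import re

# Value part of a Deny / Require-not-ip line; may hold several address tokens.
BAN_RE = re.compile(r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+?)\s*$", re.IGNORECASE)

SAMPLE_HTACCESS = """\
# BEGIN plugin ban list (constructed sample)
<Files wp-login.php>
Order Allow,Deny
Allow from all
Deny from 203.0.113.5
Deny from 203.0.113.5
Deny from 203.0.113.0/28
Deny from 198.51.100.
Require not ip 192.0.2.40 192.0.2.41
</Files>
# END plugin ban list
"""


def to_network(token: str):
    """Turn one Apache address token into an ip_network.

    Apache accepts a full address, a CIDR or dotted netmask, and a partial
    address ending in a dot ("198.51.100." means the whole /24).
    """
    if token.endswith("."):
        octets = token.rstrip(".").split(".")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.ip_network(".".join(padded) + f"/{8 * len(octets)}")
    return ipaddress.ip_network(token, strict=False)


def parse_bans(htaccess: str):
    """Return the banned networks, one entry per address token, in file order."""
    nets = []
    for line in htaccess.splitlines():
        m = BAN_RE.match(line)
        if not m:
            continue
        for token in m.group(1).split():
            try:
                nets.append(to_network(token))
            except ValueError:
                pass              # "all", hostnames, env=... forms: not an address ban
    return nets


def covering(ip: str, nets):
    """First ban entry that covers ip, or None. Run this on your own address when locked out."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def summarize(nets):
    """Per-request cost indicators and the collapsed list you would move to server config."""
    collapsed = []
    for version in (4, 6):        # collapse_addresses refuses mixed versions
        collapsed += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return {
        "entries": len(nets),                      # evaluated on every request hitting the rule
        "duplicates": len(nets) - len(set(nets)),
        "collapsed": [str(n) for n in collapsed],
    }


if __name__ == "__main__":
    nets = parse_bans(SAMPLE_HTACCESS)
    for ip in ("203.0.113.9", "198.51.100.200", "203.0.113.99"):
        print(ip, "->", covering(ip, nets))
    print(summarize(nets))
```

The interesting case is 203.0.113.9: it never appears in the file, but the /28 the plugin added for a neighbouring attacker covers it, which is how a customer (or you, from a different desk on the same subnet) ends up locked out without ever tripping a rule. The six entries in the sample collapse to three networks; on a real file with thousands of lines the difference is what the host is complaining about.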
Situations like this bring us to our last point, which is that professionals should be handling this kind of stuff.
They Require Personalized Support
I feel sorry for the people who have to handle the support threads for security plugins. I mean, look at this thread. And look at this thread too (for added sympathy).
In fact, if you visit support forums of any of security plugins, you’ll see similar problems and happenstances where a plugin did some gobbledygook to someone’s files, or locked them out, or wouldn’t uninstall completely, or something. Websites are hosted on different environments, use different themes and plugins, and have all kinds of variable circumstances that could make the answers to these forum posts different for everyone.
The WordPress community is surely glad and thankful for plugin authors that make complicated code-ey things simple for non-coders. What would the world be like without their humanity-helping breed? Not pretty.
However, drawing on the issues described above, we can conclude these plugins should not be marketed to just anybody. If a security plugin is really going to be for the masses, it should ideally be a paid service, where people get quality support and a consultant who tells them what to do for their unique situation. Each case may be different and, if you’re not knowledgeable about security or technical things, you shouldn’t be handed a free plugin that comes with that kind of power.
But some people do know what they’re doing and want the control that comes with these plugins, so we can’t take them off the WordPress repository completely.
Here Howard chimes in with a very important point:
There are over 28K plugins in the repository. Selecting the right plugins is what’s most important. The star ratings help. Checking change logs to see how frequently a dev updates helps. Reading reviews helps. But if you select the wrong plugin, you may have problems. Even if you select the right plugin, there may be settings that are not easily understood by a novice. Having a qualified pro to help you is always going to be important. If I have a toothache, I can get a pair of pliers and yank it out. But I’m probably better off if I see a dentist.
What Else Can We Do?
Well, a few things, which don’t require a lot of technical knowledge. For one, check out Tom’s post on The 10 Things You Need to Know to Secure Your WordPress Site (minus 8, 9 and 10, because they conflict with what I’m saying here…lol, sorry Tom).
Secondly, read this article by iThemes which talks about the somewhat recent massive brute force attack on WordPress sites, so you understand the basics of how WordPress sites get hacked in the first place.
You might also want to check out this infographic which explains WordPress security and common vulnerabilities hackers can exploit.
Also check out these resources graciously dug up for us by Thomas:
Then go get a backup system that is tailored for WordPress. If you’re not using the wonderful, amazing ManageWP (which, by the way also lets you check your site for malware and viruses…just had to throw that in there), use VaultPress or iThemes’ BackupBuddy. Howard also uses UpdraftPlus which is a free plugin available in the WordPress repository. A managed WordPress host like WP Engine may have this built into their service for you already.
Think about it, this is your ultimate security. If your site gets hacked, and you have no backup you will have two choices:
- Spend hours finding the infected code to clean it up, or more realistically pay someone a premium fee to do this for you.
- Rebuild your entire site from scratch, which ain’t gonna be cheap.
If your site gets hacked and you have backups dating back to yesteryear, you have no worries. You just have to restore it to an older version. At most you might have to re-publish a bit of content that is not in the restored files. No biggy. (But make sure you aren’t restoring a version of the site that is still infected…which means your backups should go back a long way.)
Get an Akismet key to prevent spam on your site. It will save you a lot of headaches. Or you can disable all commenting on your site, which is a legitimate route to go in if your business is not in the business of online discussion. Howard especially prefers this solution unless the site is a blog.
If you know how, you should also change your database table prefix so it’s not “wp_.” This is something a plugin can automate for you “so you don’t have to muck around in MySQL. Install, activate, change prefix, deactivate, uninstall. Done,” says Howard.
If it suits your fancy, you can also do it manually. If you don’t know how to do this, well, please don’t try this at home folks.
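For those doing it by hand, here is the part the “don’t try this at home” warning is really about, as an added example that is not the article’s or any plugin’s code. Renaming the tables is easy; what gets missed is that the prefix is also stored as data, in the options row named <prefix>user_roles and in usermeta keys such as <prefix>capabilities and <prefix>user_level, and skipping those leaves every account with no role. The table list is the core set of the time and the prefixes are illustrative; the generator also refuses a prefix containing anything but letters, digits and underscore, since the value is pasted straight into identifiers.

```python
"""Generate the statements for changing a WordPress table prefix.

Added example, not the article's or any plugin's code. CORE_TABLES is the
core set of the article's era; the prefixes are illustrative. Renaming the
tables is the visible part. The step that gets missed is that the prefix is
also stored as data: wp_options holds an option named '<prefix>user_roles'
and wp_usermeta holds per-user keys such as '<prefix>capabilities' and
'<prefix>user_level'. Leave those untouched and every account loses its
role ("You do not have sufficient permissions to access this page").
"""
import re

# The prefix is interpolated into identifiers and string literals, so it is
# whitelisted rather than escaped: letters, digits and underscore only.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")

CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
)


def like_escape(s: str) -> str:
    """Escape LIKE wildcards. '_' matches any one character, so an unescaped
    'wp_%' would also rename a key such as 'wpXcapabilities'."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def prefix_change_plan(old: str, new: str, tables=CORE_TABLES) -> dict:
    """Return the SQL to run, a preview SELECT to check first, and the wp-config line."""
    for p in (old, new):
        if not PREFIX_RE.match(p):
            raise ValueError(f"refusing prefix {p!r}: only [A-Za-z0-9_] is allowed")
    if old == new:
        raise ValueError("old and new prefix are identical")

    sql = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # Role definitions live in exactly one options row: match it by name. A
    # LIKE '<prefix>%' on option_name would also catch unrelated options that
    # merely begin with the same letters.
    sql.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )

    # Per-user keys (capabilities, user_level, user-settings, ...) all begin
    # with the prefix. Any plugin meta_key that happens to start with the old
    # prefix string is renamed too, hence the preview.
    where = f"WHERE meta_key LIKE '{like_escape(old)}%'"
    preview = f"SELECT user_id, meta_key FROM `{new}usermeta` {where};"
    sql.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', "
        f"SUBSTRING(meta_key, {len(old) + 1})) {where};"
    )

    return {"sql": sql, "preview": preview, "wp_config": f"$table_prefix = '{new}';"}


if __name__ == "__main__":
    plan = prefix_change_plan("wp_", "k7q_")
    print("\n".join(plan["sql"]))
    print("-- check before the last UPDATE:", plan["preview"])
    print("-- then edit wp-config.php:", plan["wp_config"])
```

Run the RENAMEs and the options UPDATE, look at what the preview SELECT returns, then run the usermeta UPDATE and change `$table_prefix` in wp-config.php; a site that shows “You do not have sufficient permissions” after a prefix change has almost always skipped one of the two UPDATEs.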
You can also visit posts that talk about things you can add to your .htaccess file. I found a few for you already by doing a quick Google search, but please make your code-inclusion decisions wisely:
- Cool WordPress .htaccess Tips to Boost Your WordPress Site’s Security
- WordPress Security Through .htaccess
Again, we emphasize, in Howard’s words, if you are a novice user, “kids, don’t try this at home.”
Finally, and most importantly, get a good host! I particularly am fond of, and use WP Engine, but there are others out there that I believe could do an amazing job as well. They are big on security over at WP Engine, and are also WordPress specialists, which means when you have a problem with WordPress, especially a security problem, they can help you and not be all like, “we don’t support WordPress, you have to contact WordPress support,” like some hosts out there (not that I want to mention any names…).
In fact, it says on their site that if your site gets hacked while hosted with them, they’ll fix it for free! You see, our anxiety problem is now solved, and we didn’t even have to install a plugin or do all that above-mentioned fancy footwork to get a good night’s sleep.
It’s Time For Your Input!
Now we’re throwing the baton over to you: what are your best tips for keeping a WordPress site secure? If you use and love your security plugins, please share which ones they are and why! We love all kinds of opinions on the ManageWP blog and everyone’s input and differing views keep us all the more informed.
Photo Credit: Darwin Bell