Security Plugins: More of a Problem Than a Solution? - ManageWP


WordPress security is a hot topic. We all know by now that the world’s most widely used open source CMS, though fantastically wonderful, has security concerns that we all need to be aware of. However, many who use WordPress are not security experts, even though we all want to do what we can to make our sites secure.

So a plugin is often resorted to.

However, when you use security plugins with WordPress, you need to know what you’re doing. Using a security plugin, though seemingly easy, may cause problems for the ‘average’ WordPress user rather than provide solutions.

After documenting some issues that security plugins can bring up, we rounded up the advice of some WordPress security experts who graciously donated their time to help us understand this topic better!

Our accolades go out to Jim Walker, The Hack Repair Guy, Howard Carson, the CTO of US Server Net (a managed WordPress hosting company), and Thomas Oliver, who is highly knowledgeable in .htaccess and regular expressions. They are quoted in this article and helped in its editing process.

This article is not to say that we shouldn’t use security plugins in all instances, but certainly that if WordPress users want to use one, they need to be ready for what caveats may come with it. Understanding the technicalities behind what these plugins do to a site may be confusing for non-technical users.

There are many security plugins available for WordPress, and this article merely summarizes the pitfalls that could come with any of them, in principle. And, as Howard points out:

The quality of coding varies tremendously… There are some plugins that are excellent, work behind the scenes to protect sites, and will never cause problems, in principle or in fact!

With the above said, let’s dive into some of the reasons why you may want to think twice about using WordPress security plugins.

Their Settings Require Security Knowledge

As Howard points out, this is not just a problem with security plugins. Sometimes lots of options exist in a plugin because advanced users want them. Though that’s not to say the user interface or settings are an indication of how well these plugins work. As a great example, Better WP Security tries to minimize options and simplify what non-technical users need by offering a “Secure my site from basic attacks” button.

But after you get past the “basics,” whoa horsey – how is anyone unlearned in the world of security supposed to know they should “change the wp-content directory”? Or in BulletProof Security, what is the difference between “Default” and “BulletProof Mode”? It takes a lot of reading to figure this stuff out, and if you’re hesitant about pushing buttons you don’t know the effects of (which you should be), you won’t get immediate relief knowing your site is secure once you install these plugins. Instead, you might wonder what on earth you just pressed and if anything is going to detonate soon.

So right out-of-the-box these plugins demand a good working knowledge of what they’re going to do to your site. That’s not easy for the ‘average’ WordPress user. Maybe they’re not meant to be easy, because, as Howard points out,

Website vulnerability management is not an easy topic. Solutions to the wide range of potential problems are varied and complex.

They Send You Spooky Messages

The thing with enabling a function to ban users, detect how many 404 pages they visit, or monitor file changes is that the site admin starts getting e-mails that, in all honesty, sound kind of scary. Like this one (from Better WP Security):

A host, 88.241.170.129 (you can check the host at http://ip-adress.com/ip_tracer/88.241.170.129) has been locked out of the WordPress site at http://my-WordPress-site.com until Friday, October 11th, 2013 at 11:11 am due to too many login attempts. You may login to the site to manually release the lock if necessary.

At first you’re like, “Oh wow this plugin is great, it’s blocking evil people from hacking my site!”

But then you start getting like 1 to 3 of them every day for the rest of your life. It takes a while, but you figure out there must be tons of automated machines out there trying to hack WordPress sites all the time. Will they get into your site? Let’s hope not. But you don’t necessarily have to receive scary e-mails like this to know your site is secure.

Jim says here that he “recommends disabling these messages by ‘unchecking the box’ unless you have a specific reason for receiving them. The messages essentially say, ‘the plugin is working.’ This is a good thing, though they provide no value to the average user.” Howard recommends only a webmaster responsible for security should receive these.

While these messages are sometimes legitimate concerns, you get them from security plugins just by updating another plugin or doing something ‘innocent’ on your site (can we put it that way?). Most of the time they mean nothing (at least we hope so!). Sometimes they may mean something serious, but they’re like the girl who cried wolf; eventually we mentally block out their importance because it’s the ‘usual’ false alarm.
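One practical answer to the flood of “the plugin is working” e-mails is to stop reading them one at a time and instead summarize them for whoever is responsible for security. The Python script below is an added example, not part of the original article or of any plugin named in it: it parses lockout notices in the wording quoted above, counts lockouts per host and per reason, flags hosts that keep coming back, and sets aside anything that is not a lockout notice at all. The sample notices (and the IP lookup URL inside them) are constructed for the example.

```python
import re
from collections import Counter

# Pattern for the notice wording quoted in the article. Anything that does not
# match is counted as "unparsed" rather than silently dropped.
NOTICE_RE = re.compile(
    r"A host, (?P<host>\d{1,3}(?:\.\d{1,3}){3}) .*?has been locked out of the "
    r"WordPress site at (?P<site>\S+) until (?P<until>.+?) due to (?P<reason>.+?)\.",
    re.DOTALL,
)

# Constructed sample notices (not real mail); addresses are from documentation ranges.
SAMPLE_NOTICES = [
    "A host, 198.51.100.7 (you can check the host at http://ip-lookup.invalid/198.51.100.7) "
    "has been locked out of the WordPress site at http://my-WordPress-site.com until "
    "Friday, October 11th, 2013 at 11:11 am due to too many login attempts. "
    "You may login to the site to manually release the lock if necessary.",
    "A host, 198.51.100.7 (you can check the host at http://ip-lookup.invalid/198.51.100.7) "
    "has been locked out of the WordPress site at http://my-WordPress-site.com until "
    "Saturday, October 12th, 2013 at 03:40 am due to too many login attempts. "
    "You may login to the site to manually release the lock if necessary.",
    "A host, 203.0.113.42 (you can check the host at http://ip-lookup.invalid/203.0.113.42) "
    "has been locked out of the WordPress site at http://my-WordPress-site.com until "
    "Saturday, October 12th, 2013 at 09:15 am due to too many 404 errors. "
    "You may login to the site to manually release the lock if necessary.",
    "Plugin update completed successfully.",  # unrelated message mixed into the mailbox
]


def parse_notice(text):
    """Extract host, site, lock expiry and reason from one notice, or None."""
    m = NOTICE_RE.search(text)
    if not m:
        return None
    return {k: m.group(k).strip() for k in ("host", "site", "until", "reason")}


def build_digest(notices, repeat_threshold=2):
    """Aggregate a batch of notices into counts a webmaster can review at once."""
    parsed = [parse_notice(n) for n in notices]
    hits = [p for p in parsed if p is not None]
    by_host = Counter(p["host"] for p in hits)
    by_reason = Counter(p["reason"] for p in hits)
    return {
        "total": len(notices),
        "lockouts": len(hits),
        "unparsed": len(notices) - len(hits),
        "by_host": dict(by_host),
        "by_reason": dict(by_reason),
        # Hosts locked out repeatedly are the ones worth a second look.
        "repeat_offenders": sorted(h for h, c in by_host.items() if c >= repeat_threshold),
    }


def format_digest(d):
    """Render the digest as the short text a daily summary mail would carry."""
    lines = [f"{d['lockouts']} lockout notice(s), {d['unparsed']} unrelated message(s)"]
    for host, n in sorted(d["by_host"].items(), key=lambda kv: -kv[1]):
        flag = "  <- repeat" if host in d["repeat_offenders"] else ""
        lines.append(f"  {host}: {n}{flag}")
    for reason, n in d["by_reason"].items():
        lines.append(f"  reason '{reason}': {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_digest(build_digest(SAMPLE_NOTICES)))
```

Feeding a day’s worth of notices through `build_digest` turns dozens of identical e-mails into a handful of lines, which is the form in which a host that is locked out every night actually stands out.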

They Create SEO Issues

You can lock down your site to the level of paranoia, but if it stops you from making money, what’s the point of having a website?

I once had “Intrusion Detection” enabled in Better WP Security, and while there were no clear signs the plugin was definitely the cause, my site stopped being indexed by Google. I was getting lots of error messages in Webmaster Tools. I found a forum post by the plugin author that said that in some cases it could lock out Google, though it shouldn’t.

I disabled “Intrusion Detection” and the problem went away; Google could index my site again. Phew! So it was not the plugin itself, as Howard points out, it was the configuration of the plugin.

With security plugins, it could be this reason or that reason sites are not being indexed. As Howard explains, it depends “on which settings are enabled and which SEO plugin is used.”

As Jim explains very specifically,

Security plugins may not always interact with every WordPress installation as expected. If Google Webmaster reports an error accessing website, I recommend the Intrusion Detection setting be set to no lower than an Error Threshold of 30 or higher, or disabled entirely if more than a few errors occur each month.

There is a similar setting in Wordfence Security, as well, in the Firewall rules section, where I recommend a value of no lower than 30 per minute be set for crawlers and 404 errors.

They Can Lock You Out of Your Own Site

We know that most hacks on WordPress sites happen because someone didn’t change the “admin” username and used a password like “password” or something like that. So a plugin that limits login attempts is great (though really, there’s no hope for you if you insist on using “password” as your password).

As Howard explains, this is crucial because,

Limiting login attempts is important to preventing denial of service attacks. WP core doesn’t limit attempts, and hacker bots will run through a dictionary of common passwords if you let them. (Every hacker has the ‘500 most common passwords’ — if you use any of them, you’re begging to be hacked.)

But when a security plugin starts locking you, or your clients, out of their own site, oh, the agony!

For this reason, Howard says,

Yes, this can happen. One of the first things we do on new sites is create a second admin level account, to be used as a back door in the event of an unexpected lockout. A WordPress tech can use phpMyAdmin to fix this, most end users can’t.

You can usually set higher or lower tolerance levels for things like this, but the part that gets annoying is when you get locked out ‘just because.’ You don’t even have to visit a 404 page or use a wrong password. The plugin suddenly ‘feels’ like locking you out.

Ok, ok. Howard makes a legitimate point that computers “don’t ‘feel’ like doing things ‘just because.’ They follow instructions; something in the code is poorly written.”

But Jim confirms this can happen and says, “yes, I have reproduced this as well. And in those cases where it occurs more than once I generally fully uninstall the annoying plugin and try the alternate one.”

If you have an e-commerce WordPress site or a membership site, you’ll want to think twice before using this type of feature, because your customers are for sure going to forget their passwords a lot. If they keep entering a wrong password, or visit the wrong URL, or do something to tick off the plugin, they’re going to see an error page when visiting your site. That won’t be good for making more sales.
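The thresholds Jim recommends above (an error threshold of no lower than 30, or 30 per minute for crawlers and 404s) and the lockouts Howard describes both come down to the same mechanism: a per-client count of offending events over a time window, with a lock once the count crosses a line. The Python model below is an added example, not the internals of Better WP Security, Wordfence or any other plugin, and its window and lock durations are illustrative. It runs the two scenarios from this article: a crawler re-checking stale links and racking up 404s, and a customer who keeps mistyping a password, followed by the manual release that the notice e-mails refer to.

```python
from collections import defaultdict, deque


class ThresholdLockout:
    """Sliding-window counter of the kind behind 'limit login attempts' and
    'too many 404s' features. A client that produces `threshold` events
    within `window_seconds` is locked for `lock_seconds`.

    Illustrative model only; not the code of any named plugin."""

    def __init__(self, threshold, window_seconds, lock_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.lock_for = lock_seconds
        self.events = defaultdict(deque)  # client -> timestamps of recent events
        self.locked_until = {}            # client -> lock expiry timestamp

    def is_locked(self, client, now):
        expiry = self.locked_until.get(client)
        if expiry is None:
            return False
        if now >= expiry:
            del self.locked_until[client]  # lock expired on its own
            return False
        return True

    def record(self, client, now):
        """Record one offending event (failed login, 404 hit).
        Returns True if the client is locked after this event."""
        if self.is_locked(client, now):
            return True
        q = self.events[client]
        q.append(now)
        while q and q[0] <= now - self.window:  # forget events outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[client] = now + self.lock_for
            q.clear()
            return True
        return False

    def release(self, client):
        """Manual release: what 'you may login to the site to manually release
        the lock' amounts to, or deleting the client's row from the database."""
        self.locked_until.pop(client, None)
        self.events.pop(client, None)


def crawler_locked_out(threshold, stale_links=25):
    """A crawler re-checking `stale_links` dead URLs at one request per second
    produces that many 404s inside a minute. Returns whether it got locked."""
    limiter = ThresholdLockout(threshold, window_seconds=60, lock_seconds=3600)
    for second in range(stale_links):
        limiter.record("crawler", float(second))
    return limiter.is_locked("crawler", float(stale_links))


def forgetful_customer(threshold, wrong_passwords=3):
    """A customer types a wrong password `wrong_passwords` times, five seconds
    apart. Returns (locked_before_release, locked_after_release)."""
    limiter = ThresholdLockout(threshold, window_seconds=300, lock_seconds=900)
    for attempt in range(wrong_passwords):
        limiter.record("customer", attempt * 5.0)
    check_at = wrong_passwords * 5.0
    before = limiter.is_locked("customer", check_at)
    limiter.release("customer")
    after = limiter.is_locked("customer", check_at)
    return before, after


if __name__ == "__main__":
    for t in (5, 30):
        print(f"404 threshold {t}/min: crawler locked out = {crawler_locked_out(t)}")
    for t in (3, 5):
        print(f"login threshold {t}: customer locked before/after release = {forgetful_customer(t)}")
```

With a 404 threshold of 5 the crawler is locked out after five stale links; at 30 per minute, the figure Jim gives, the same crawler finishes its pass untouched. The login scenario shows the other side of the trade-off: a threshold of 3 locks a customer who mistypes three times, and the only way back in is the release step, which is exactly the task a non-technical site owner cannot perform.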

Again, try what Jim says: use another plugin. Or use our advice below and get managed WordPress hosting!

Note: as Howard points out, security is especially a big concern if you are running an e-commerce site. Extensive measures should be taken if you are completing credit card transactions on your site (too big of a topic for this article). You’ll need to find a workaround to this problem of plugins that can lock your customers out.

They Make Hard-to-Reverse Changes

If you don’t know how to reverse their changes, these plugins could create really big, time-consuming and expensive problems to fix. Take, for example, the option to change the wp-content directory folder name. At first a new WordPress user might think, “well yeah, if a security plugin says I should do this to make my site secure, why wouldn’t I?”

But this can interfere with other plugins and themes on your site. Thankfully there are clear warning messages on plugins like Better WP Security that tell you this can happen.

Plus, these types of changes are not always beneficial. Using our example above, Thomas says that:

Renaming WordPress directories really does not provide additional protection. People with malicious intent usually use pre-built scripts to find vulnerabilities in any CMS like WordPress. They look for static files that, for the most part, cannot be changed without breaking their functionality. Like Javascript files.

If I wanted to see if a site was using a vulnerable plugin, I wouldn’t even worry about looking for wp-content. I would look for its changelog, readme, images, stylesheets, and/or any Javascript files. There are many vulnerability scans that do this already.

Changing parts of your installation through a security plugin can be a pain to deal with after you’ve hit the button to do it and need to change it back, especially if you are not using that plugin anymore. In our wp-content folder example, you would not only have to rename the folder again, you would have to take lines out of the wp-config file and scan your entire database to change all the URLs using the old folder name. A non-coder would find this difficult.

In another example, if you set a plugin to force your site to use https and in your “General” settings you have the http version of your URL set as the “Site Address,” your inside pages could be visible but your home page will be blank (or something like that). Un-doing SSL stuff is not easy-peasy stuff if you’re not a tech person.

If you have enabled any feature that would ban IP addresses from your site, your .htaccess file is going to start getting veeeeery long. This can slow down your site and, when you call your host for support you know what they’re going to say? “Your .htaccess file is really long.”

As Thomas points out,

Some hosts will actually suspend your site if your .htaccess has become resource expensive. It doesn’t necessarily have to be lengthy. You really need to know what you’re putting in your .htaccess and the pros and cons of doing so. Just inserting lines of code without having any idea on what it specifically does, can be more detrimental than helpful.
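The ban list that makes an .htaccess file “veeeeery long” is usually hundreds of one-address rules. The Python script below is an added example, not part of the article or of any plugin’s code: it reads the `Deny from` rules out of a constructed .htaccess fragment, collapses runs of adjacent addresses into the smallest set of CIDR blocks that covers exactly the same hosts, rewrites the rules, and reports any token that is not an IP address so it can be reviewed by hand. The fragment and its addresses (documentation ranges) are constructed for the example.

```python
import ipaddress
import re

# Apache 2.2 style access rule, the form IP-banning plugins typically append.
DENY_RE = re.compile(r"^\s*deny\s+from\s+(\S+)\s*$", re.IGNORECASE)

# Constructed .htaccess fragment; not real plugin output.
SAMPLE_HTACCESS = """\
# BEGIN ban list (constructed example)
Order Allow,Deny
Allow from all
Deny from 203.0.113.0
Deny from 203.0.113.1
Deny from 203.0.113.2
Deny from 203.0.113.3
Deny from 198.51.100.77
Deny from 198.51.100.78
Deny from not-an-address
# END ban list
"""


def extract_denies(text):
    """Return (networks, unparsable_tokens) for every 'Deny from' line."""
    nets, bad = [], []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue
        token = m.group(1)
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            bad.append(token)  # not an IP literal; left for manual review
    return nets, bad


def collapse_denies(nets):
    """Merge adjacent addresses/blocks into the fewest CIDR blocks covering
    exactly the same hosts. IPv4 and IPv6 must be collapsed separately."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def render_denies(nets):
    """One 'Deny from' line per block; single hosts are written without /32."""
    lines = []
    for n in nets:
        target = str(n.network_address) if n.num_addresses == 1 else str(n)
        lines.append(f"Deny from {target}")
    return "\n".join(lines)


def ban_list_report(text):
    """Summarize a ban list: rule count before and after collapsing, tokens
    that need a human look, and the rewritten rules."""
    nets, bad = extract_denies(text)
    collapsed = collapse_denies(nets)
    return {
        "rules": len(nets),
        "collapsed_rules": len(collapsed),
        "unparsable": bad,
        "rewritten": render_denies(collapsed),
    }


if __name__ == "__main__":
    r = ban_list_report(SAMPLE_HTACCESS)
    print(f"{r['rules']} deny rules -> {r['collapsed_rules']} after collapsing; "
          f"unparsable: {r['unparsable']}")
    print(r["rewritten"])
```

In the sample, the four consecutive 203.0.113.x addresses become a single `/30`, while 198.51.100.77 and .78 stay separate because they do not form an aligned block; collapsing never widens a ban. Collapsing only shrinks the file, though. Apache re-reads .htaccess on every request for each directory where overrides are allowed, so a ban list that belongs anywhere is in the server configuration or a host-level firewall, which is the point Thomas is making about resource cost rather than length.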

A security plugin, while locking out potential hackers, can also record the IP addresses it has locked out in your database. So if you are locked out yourself, you have to know how to go into your database and delete the row with your IP address in it. If you have never been exposed to phpMyAdmin, this is going to be a very difficult task for you.

Situations like this bring us to our last point, which is that professionals should be handling this kind of stuff.

They Require Personalized Support

I feel sorry for the people who have to handle the support threads for security plugins. I mean, look at this thread. And look at this thread too (for added sympathy).

In fact, if you visit the support forums of any of these security plugins, you’ll see similar problems and happenstances where a plugin did some gobbledygook to someone’s files, or locked them out, or wouldn’t uninstall completely, or something. Websites are hosted on different environments, use different themes and plugins, and have all kinds of variable circumstances that could make the answers to these forum posts different for everyone.

The WordPress community is surely glad and thankful for plugin authors that make complicated code-ey things simple for non-coders. What would the world be like without their humanity-helping breed? Not pretty.

However, drawing from the types of issues we’ve described above, we can conclude these plugins should not be marketed to just anybody. If a security plugin is really going to be for the masses, it should ideally be a paid service, where people get paid-for-quality support and a consultant who tells them what to do for their unique situation. Each case may be different and, if you’re not knowledgeable about security or technical things, you shouldn’t be handed a free plugin that comes with that kind of power.

But some people do know what they’re doing and want the control that comes with these plugins, so we can’t take them off the WordPress repository completely.

Here Howard chimes in with a very important point:

There are over 28K plugins in the repository. Selecting the right plugins is what’s most important. The star ratings help. Checking change logs to see how frequently a dev updates helps. Reading reviews helps. But if you select the wrong plugin, you may have problems. Even if you select the right plugin, there may be settings that are not easily understood by a novice. Having a qualified pro to help you is always going to be important. If I have a toothache, I can get a pair of pliers and yank it out. But I’m probably better off if I see a dentist.

What Else Can We Do?

Well, a few things, which don’t require a lot of technical knowledge. For one, check out Tom’s post on The 10 Things You Need to Know to Secure Your WordPress Site (minus 8, 9 and 10, because they conflict with what I’m saying here…lol, sorry Tom).

Secondly, read this article by iThemes which talks about the somewhat recent massive brute force attack on WordPress sites, so you understand the basics of how WordPress sites get hacked in the first place.

You might also want to check out this infographic which explains WordPress security and common vulnerabilities hackers can exploit.

Also check out these resources graciously dug up for us by Thomas:

Then go get a backup system that is tailored for WordPress. If you’re not using the wonderful, amazing ManageWP (which, by the way, also lets you check your site for malware and viruses… just had to throw that in there), use VaultPress or iThemes’ BackupBuddy. Howard also uses UpdraftPlus, which is a free plugin available in the WordPress repository. A managed WordPress host like WP Engine may have this built into their service for you already.

Think about it, this is your ultimate security. If your site gets hacked, and you have no backup you will have two choices:

  1. Spend hours finding the infected code to clean it up, or more realistically pay someone a premium fee to do this for you.
  2. Rebuild your entire site from scratch, which ain’t gonna be cheap.

If your site gets hacked and you have backups dating back to yesteryear, you have no worries. You just have to restore it to an older version. At most you might have to re-publish a bit of content that is not in the restored files. No biggy. (But make sure you aren’t restoring a version of the site that is still infected…which means your backups should go back a long ways).

Get an Akismet key to prevent spam on your site. It will save you a lot of headaches. Or you can disable all commenting on your site, which is a legitimate route to go in if your business is not in the business of online discussion. Howard especially prefers this solution unless the site is a blog.

If you know how, you should also change your database table prefix so it’s not “wp_.” This is something a plugin can automate for you “so you don’t have to muck around in MySQL. Install, activate, change prefix, deactivate, uninstall. Done,” says Howard.

If it suits your fancy, you can also do it manually. If you don’t know how to do this, well, please don’t try this at home folks.

You can also visit posts that talk about things you can add to your .htaccess file. I found a few for you already by doing a quick Google search, but please make your code-inclusion decisions wisely:

Again, we emphasize, in Howard’s words, if you are a novice user, “kids, don’t try this at home.”

Finally, and most importantly, get a good host! I particularly am fond of, and use WP Engine, but there are others out there that I believe could do an amazing job as well. They are big on security over at WP Engine, and are also WordPress specialists, which means when you have a problem with WordPress, especially a security problem, they can help you and not be all like, “we don’t support WordPress, you have to contact WordPress support,” like some hosts out there (not that I want to mention any names…).

In fact, it says on their site that if your site gets hacked while hosted with them, they’ll fix it for free! You see, our anxiety problem is now solved, and we didn’t even have to install a plugin or do all that above-mentioned fancy footwork to get a good night’s sleep.

It’s Time For Your Input!

Now we’re throwing the baton over to you: what are your best tips for keeping a WordPress site secure? If you use and love your security plugins, please share which ones they are and why! We love all kinds of opinions on the ManageWP blog and everyone’s input and differing views keep us all the more informed.

Photo Credit: Darwin Bell

Joyce Grace

A Vancouver Internet marketer and freelance writer who loves making WordPress websites, writes with pencil, owns a paper agenda (still), gets ignited by anything Dutch, and is probably the only person on the planet who doesn't like cheesecake. Follow Joyce on: Instagram: @thoughtsofjoyce YouTube: /thoughtsofjoyce Twitter: @thoughtsofjoyce Google Plus: +JoyceGraceontheweb

12 Comments

  1. webmaster

    Well, I believe that you can’t run a big wordpress site without using some of the security plugins. The “thing” is to get one that is working well for your needs. I am using the BPS Security and seems that it doesn’t make any trouble, while it protects correctly. So my advice is, choose one that works correctly and you’re good to go

  2. security guard company

    enabled in Better WP Security, and while there were no clear signs the plugin was definitely the cause, my site stopped being indexed by Google. I was getting lots of error messages in Webmaster Tools. I found a forum post that said, by the plugin author, that in some cases it could lock out Google, though it shouldn’t.

  3. Chucho

    All those security plugins made zero use for my site. Actually iThemes security plugin even caused me more problems than good things. All the time it wrote bad codes in my htaccess file… a few times even deleted my whole code from htaccess file causing errors for inner pages… not a fan of those plugins at the moment…

  4. Paul G.

    Hey,

    I think this article is leaning towards not installing a WordPress “security” plugin at all… and you’re right, you probably shouldn’t install one of those that potentially break your sites altogether.

    Jim from HackRepair (who you feature in your article) also reviewed WordPress Simple Firewall plugin and scored it as the least likely to ever break/lock you out of your site. It never writes to the wp-config, .htaccess or any other WP files, it doesn’t let you change your wp-login, it doesn’t rename wp-admin/wp-content etc., and it has a fail-safe hard switch to turn the whole firewall off “just-in-case”.

    That plugin is worth checking out if you want good site security features (spam, login brute force attacks, data-firewall etc.) but don’t want the risk of burning your site to the ground. :)

    It’s on the WP.org repo: http://wordpress.org/plugins/wp-simple-firewall/

    Cheers,
    Paul.

  5. Karen

    Hi, I found your post because I got into this trap. I’m new to wordpress and worked on my website for the past 48 hours almost in a row. WP recommended the Better WP Security plugin and I thought “cool” and I did just like you said “if they recommend this this and that, it’s because it should be good”. How I regret that? I’m locked out and have no idea what to do. It is a self hosted website but when I accessed the files today, they were dated from the day I bought the package! That means no back up, right? anyways, I wasn’t using the website and wasn’t all ready so I did not care about the back up. It could be good or bad, if I had backed up after the damn plugin who knows what would have happened. I’ve read and read, but just can’t figure it out. I was wondering if there is really a way around if I hadn’t backed up anything. The solution is to re install it and start from scratch?
    I wish I had read your post before :/

    Thanks anyway!

    1. Tom Ewer

      Hey Karen,

      You should definitely get in touch with the plugin’s developer and see what he might be able to do to help. It may also be worth talking to your hosting company and seeing if they make backups for you.

      Cheers,

      Tom

  6. Chris Finnegan

    Hi Joyce,
    You certainly make a good point in this article. I find issues multiply when folks add multiple security plugins.
    Like most things it’s worth learning some basics before reaching for more plugins.
    One thing often missed when updating WordPress plugins is to check a plugin’s code is maintained! Just because there are no updates available does not mean a plugin is actually up to date and secure. It could be that a plugin has been abandoned by the developer. Visiting the plugin page at the WordPress plugin directory will tell you the time it was last updated, and you’ll see a message on pages where the plugin has not been updated in over 2 years.

    Cheers
    Chris

    PS +1 for the Limit Login Attempts plugin;)

  7. Dan Knauss

    Why change the db table prefix? That’s kind of a voodoo practice people hang onto because years ago some SQLi exploits assumed the default prefixes. The root problem was vulnerability to SQLI of course, and that’s not likely to be an issue if you pick good plugins and keep everything updated. Trying to hide your username is pointless, inconvenient and unproductive. .htaccess trickery can be a fun learning experience but of very limited real security benefit in return for the time invested. If you want to do it, check out Jeff Starr’s site, book and annually updated models. Mika Epstein’s blog is another good source of advice about security and WP.

  8. dj

    Please get rid of that fixed meta pop-up crud. It certainly isn’t for convenience of users who have just begun reading your hard-fought content. It’s distracting and the fact that you choose to slam it right on the margin connecting with the content at the eye-level reading point is the most distracting “fluff” that I’ve seen on the net since

    1. Bart

      Agree with that. When I was setting up my site http://bart.volgers.eu I tried a social sidebar and dismissed it for exactly those two reasons. Distracting and not at the right spot. I now use the AddAny plugin to put social icons at the bottom of the post. The place where they really belong.

      For security I use:
      Limit Login Attempts plugin: it’s a fire and forget plugin and works fine
      Login Security Solution: When I have more users on a site. It can be set to force users to use strong passwords.

      When they lock me out, I just go to my hosting panel and change the plugin folder name, to switch them off.

      One thing I really miss in this post is: Two factor authentication / One Time Password (OTP) This is a very good method to secure your site.

      I use: Duo Two-Factor Authentication which gives a great user experience and is free up to ten users. It also supports setting “safe IP’s” from which two factor is bypassed.

      You can also use a generic OTP plugin that works with google auth.

      I also miss some quite important things in this post:

      1) Always use unique and strong passwords. This is easy by using a password manager, like 1Password for OSX

      2) Never use the username “admin”. If it’s there, make a new user with another name and with admin privileges and delete the “admin” user name. You will be prompted to transfer existing posts to another user.

      3) Always keep your WordPress installation up to date! There are plugins to mail you if there are updates, like: Update notifications. Or use ManageWP.

      Wrapping it up, this isn’t the strongest post I have read on the ManageWP blog.

      1. Joyce Grace

        Hi Bart!

        Thanks for your added tips. Truth be told, articles are never going to be as strong as when the community gives their added input in the comments.

        This article wasn’t meant to be a post about how to secure your site – that was beyond the scope of what it was trying to say.

        We do mention passwords earlier up in the article, and I link to resources about how to secure your site, which mention the things you’re talking about. The last section mentioning security tips was really a concluding word, not the ‘meat’ of this article. So I hope you found the rest of it more useful for thought and consideration among the WordPress community.

        Thanks again for letting us know your preferred security methods for WordPress!

    2. Joyce Grace

      Hi dj!

      Thanks for your passionate feedback :)

      Since this article isn’t about our site design I would recommend that in the future, if you have feedback of this nature that is off-topic, to write to us directly. That way your recommendations will be seen by the right eyes at the company. Right now your message is not going to get very far in making a difference because it’s written as a comment to an article about security plugins. I personally don’t make decisions about the site’s design, I am just a writer at ManageWP. But I do see what you mean. However, I think there are worser evils committed on the web that distract users :) This is hardly top of the list :)

      Anyway, feel free to carry this conversation on further by contacting the folks at ManageWP directly.
