There are so many people out here selling security products for WordPress.

They all have one thing in common – they will give you the impression that their solution is the right one for your website. Products like WordFence, iThemes Security, AIOS, Malcare, Sucuri, and Patchstack all have different approaches and reasoning for their way being the best solution.

A recent post by Dan Knauss at iThemes with the fiery title “Why WordPress Malware Scanners Are Worthless” points out what should be obvious – that WordPress security plugins aren’t stopping the problem until it already exists on your website.

Knauss includes the following quote from Thomas Raef, CEO of WeWatchYourWebsite, which was part of a report:

“Over the last 60 days, 52,848 sites got hacked (through any means) with WordFence installed prior to infection. The installed Malware tampered with WordFence files in 14% of the cases (7,399).

Other popular services had even higher percentages; MalCare coming in at 22%, and VirusDie at 24%.”

Those numbers are scary but not shocking to anyone involved with WordPress security. WordFence, by far the most popular WordPress security plugin with over four million active installs for the free version alone, has been profiting off of giving folks a false sense of security for years.

Say it ain’t so, Wordfence!

You may be wondering how this could happen. How could a site protected by the most popular WordPress security plugin get infected and even have the plugin itself compromised? Well, there are a few reasons.

First, no security tool can catch everything. New threats are created all the time, and most security tools can’t detect them immediately. They rely on a set of “signatures” – byte patterns copied from malware that has already been found and analyzed – that tell the plugin when a file is malicious. A signature only matches what it was written from, so an attacker who re-encodes or restructures the same backdoor slips past it. Some tools add heuristics that look at what code does rather than what it looks like (decoding a blob and handing it to eval, for example), which lets them catch variants more dynamically, but these are far from perfect: they still miss plenty and also flag legitimate code.
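To make the signature-versus-heuristic distinction concrete, here is a toy scanner added for this post. It is not Wordfence’s, MalCare’s, or any other vendor’s code, and the signatures, heuristics and PHP samples are all constructed for the demo rather than taken from a real signature database. It shows a known webshell caught by its signature, the same shell base64-packed so the signature sees none of its bytes but the heuristics fire, and a third variant that assembles the function name at runtime and evades both layers.

```python
"""Toy scanner contrasting signature matching with heuristics.

Added example for this post, not code from any security plugin or vendor.
SIGNATURES, the heuristics and SAMPLES are constructed for the demo.
"""
import base64
import re

# --- Signature layer: exact byte patterns copied from known samples ------
SIGNATURES = {
    "webshell.eval_post_cmd": re.compile(rb"eval\(\s*\$_POST\['cmd'\]\s*\)"),
    "webshell.assert_request_x": re.compile(rb"assert\(\s*\$_REQUEST\['x'\]\s*\)"),
}


def signature_scan(data: bytes) -> list[str]:
    """Names of every known signature present in the file body."""
    return [name for name, pat in SIGNATURES.items() if pat.search(data)]


# --- Heuristic layer: looks for behaviour instead of exact bytes ----------
# 1. A code-execution sink fed directly by a decoder: eval(base64_decode(...))
DECODE_THEN_EXEC = re.compile(
    rb"\b(eval|assert|create_function)\s*\(\s*"
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)
# 2. A long base64 literal that decodes to code reading request input
B64_LITERAL = re.compile(rb"'([A-Za-z0-9+/]{40,}={0,2})'")
SUPERGLOBAL = re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\b")


def heuristic_scan(data: bytes) -> list[str]:
    """Heuristic findings for one file body (may be empty or noisy)."""
    findings = []
    if DECODE_THEN_EXEC.search(data):
        findings.append("heuristic.decode_then_exec")
    for m in B64_LITERAL.finditer(data):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue  # not really base64, e.g. a long identifier
        if SUPERGLOBAL.search(decoded):
            findings.append("heuristic.encoded_superglobal")
            break
    return findings


def scan(data: bytes) -> dict[str, list[str]]:
    """Run both layers over one file body."""
    return {"signature": signature_scan(data), "heuristic": heuristic_scan(data)}


# Constructed PHP samples for the demo (not malware captured from the wild).
_PAYLOAD = b"if(isset($_POST['cmd'])){eval($_POST['cmd']);}"
SAMPLES = {
    # The sample the first signature was written from: signature hit.
    "known_shell.php": b"<?php eval($_POST['cmd']); ?>",
    # Same behaviour, base64-packed: the signature sees none of its bytes,
    # but both heuristics fire.
    "repacked_shell.php": (b"<?php eval(base64_decode('"
                           + base64.b64encode(_PAYLOAD) + b"')); ?>"),
    # Same goal again, building the function name at runtime and using
    # system() instead of eval(): neither layer has anything to match.
    "assembled_shell.php": b"<?php $f = strrev('metsys'); $f($_POST['cmd']); ?>",
    # Ordinary plugin code: nothing should fire.
    "clean_plugin.php": (b"<?php\nadd_action('init', function () {\n"
                         b"    register_post_type('book', ['public' => true]);\n"
                         b"});\n"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:22} {scan(body)}")
```

The third sample is the caveat in the paragraph above: every layer here is pattern matching of some kind, and a variant that avoids the patterns is invisible until someone analyzes it and writes a new signature or heuristic, which is exactly the window the delayed-signature discussion below is about.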

Second, the malware scanner in tools like WordFence can only detect issues that already exist. In other words, by the time it flags something, your site has already been compromised. How can you trust your security tool to clean things up properly when it let the threat in to begin with?

Finally, WordFence does something really shocking – they purposefully delay sending their free users the latest malware signatures for 30 days. You may not realize this because the description for the free version in the WordPress plugin repository states:

WordPress security requires a team of dedicated analysts researching the latest malware variants and WordPress exploits, turning them into firewall rules and malware signatures, and releasing those to customers in real-time.

What they don’t make clear until further down is that those “real-time” signatures are for paying customers only. It’s one of the primary upsell methods they use to get people to upgrade from their free version; it’s even listed prominently on their premium product page. The same applies to their firewall functionality – protective rules are also delayed by 30 days for free users.

We understand that freemium plugins need to hold back on certain features to generate interest and revenue from their paid versions, but when the entire purpose of the plugin is to secure the websites it is installed on, and you significantly limit its ability to do that properly, we really question their commitment to security.

Update 7/14/23: All-in-One Security (AIOS) recently patched a “bug” where it stored the password from every login attempt in the database in plaintext. This is exactly the kind of thing no plugin should ever do, let alone one of the leading WordPress security plugins.

Motives Matter

When Dan Knauss at iThemes writes a long post titled “Why WordPress Malware Scanners Are Worthless,” it’s worth remembering that he’s trying to get you to buy their product, iThemes Security Pro. The large call to action at the bottom, touting it as “The Best WordPress Security Plugin,” isn’t exactly subtle. The post’s content is a direct attack on their competitors and ends by essentially telling readers that iThemes is the best alternative.

Thomas Raef, who was mentioned in the report that Knauss based his post on and provided the frightening quote about the tens of thousands of compromised sites, owns a company that sells WordPress security services, including malware detection and removal. Most, if not all, of the other people involved with the report, have skin in the game as well.

The problem with what Knauss is doing here is that iThemes Security Pro isn’t the solution. At best, it could be part of a solution. The product focuses on helping people implement best practices around strong password enforcement and blocking known spam and bots. iThemes Security doesn’t detect or remove malware at all, so it can’t stop an infection it doesn’t know about from spreading once your site is compromised.

WordFence and iThemes security are two different products that overlap in a few areas and shouldn’t be directly compared, no matter how much iThemes wants you to think they should. In a bizarre attempt at gaining some organic traffic, fellow competitor Malcare crowned WordFence the winner against iThemes Security while managing to not-so-subtly mention over and over that their product is actually the best solution.

We have no problem with companies posting content that paints their products or services in a positive light – in a way, that’s what we’re doing here with this post – but when the content is misleading or engineered to guide people to think they are a solution for a problem they don’t solve, that’s when we get testy.

How To Properly Secure WordPress

No one product or service will fully protect your WordPress website. That’s the plain truth.

The best solution has several layers of active and passive protection:

  1. Choose a reputable host – A good WordPress hosting company will have hardware and software-based firewalls and anti-malware setup on their server and network, keeping your site from becoming infected in the first place. While this is an important first step, no host should ever be relied on solely to secure your site.
  2. Properly harden your WordPress installation – Lock down file and directory permissions (wp-config.php holds your database credentials and should not be world-readable, and nothing under the web root should be world-writable), disable the in-dashboard theme and plugin editor with the DISALLOW_FILE_EDIT constant, and ensure you’re running the latest supported versions of PHP and MySQL or MariaDB available.
  3. Lock down your users – Follow the principle of least privilege with your users, use 2FA as much as you can, and block bot traffic at the network level.
  4. Make sure that all of your plugins and themes are up to date and stay up to date – Vulnerable and abandoned plugins are WordPress’ Achilles heel, but knowing that means you are already on your way to a more secure website. Manually check the version numbers against the changelogs to be sure you’re fully updated, as sometimes plugins won’t show updates available in WordPress Admin (especially premium plugins, which fetch updates from the vendor rather than wordpress.org). Be sure WordPress core is up to date as well.
  5. Keep your theme up to date as well – Outdated themes are just as risky as plugins, though, for some reason, a lot of folks don’t keep them current. Make sure your customizations live in a child theme, so that updating the parent theme doesn’t overwrite them and you aren’t tempted to skip the update to keep them.
  6. Scan your site for existing malware, and if any exists, clean it – Once the scan is complete, perform regular scans to be sure that nothing new crops up. We use a custom solution for our members that has proven to be reliable, but if you’re doing this on your own, take a look at some of the products we’ve mentioned in this post. They can clean known issues, but after you’ve taken care of everything else on this list and with proper ongoing maintenance, they may not be needed once your site is confirmed to be clear of malware.
  7. Setup a CDN and WAF – We recommend Cloudflare Pro for this, although Cloudflare Free is a solid option for those on a tight budget. Not only will your site load faster on Cloudflare, but you’ll also have an extra layer of network security that can filter out threats before they ever reach your server.
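Steps 2, 4 and 5 above are the ones you can actually check from the file system without trusting a dashboard. The script below is an added example for this post, not code from any product or from the post’s author. It audits a WordPress tree offline for wp-config.php constants and file modes, world-writable files, and plugin Version: headers compared against a table of latest versions. The KNOWN_LATEST table and the example-forms plugin slug are made up for the demo; in practice the table comes from each plugin’s changelog, which is the manual check the list recommends.

```python
"""Offline hardening audit for a WordPress tree.

Added example for this post, not code from any product or from the post's
author. KNOWN_LATEST, the plugin slugs and the demo trees are constructed.
"""
import re
import stat
import tempfile
from pathlib import Path

# Assumed latest versions for two hypothetical plugins (constructed data;
# a real run would fill this from the plugins' changelogs).
KNOWN_LATEST = {"example-forms": "1.4.2", "example-seo": "3.0.0"}

CONST_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(true|false|'[^']*'|\d+)\s*\)")
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)


def parse_config_constants(text: str) -> dict[str, str]:
    """Map constant name -> literal value for every define() in wp-config.php."""
    return {m.group(1): m.group(2) for m in CONST_RE.finditer(text)}


def parse_version(v: str) -> tuple[int, ...]:
    """'1.10.2' -> (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def plugin_header_version(plugin_dir: Path):
    """Read the 'Version:' header the way WordPress does: from the plugin's main PHP file."""
    for php in sorted(plugin_dir.glob("*.php")):
        m = VERSION_HEADER_RE.search(php.read_text(errors="replace")[:8192])
        if m:
            return m.group(1)
    return None


def audit(root: Path, latest: dict[str, str] = KNOWN_LATEST) -> list[tuple[str, str]]:
    """Return (code, detail) findings; an empty list means every check passed."""
    findings = []
    cfg = root / "wp-config.php"
    if not cfg.is_file():
        findings.append(("CONFIG_MISSING", str(cfg)))
    else:
        consts = parse_config_constants(cfg.read_text())
        # The dashboard file editor lets any hijacked admin session write PHP.
        if consts.get("DISALLOW_FILE_EDIT") != "true":
            findings.append(("CONFIG_FILE_EDIT_ENABLED", "add define('DISALLOW_FILE_EDIT', true);"))
        # WP_DEBUG with display left on (its default) shows stack traces and paths to visitors.
        if consts.get("WP_DEBUG") == "true" and consts.get("WP_DEBUG_DISPLAY", "true") != "false":
            findings.append(("CONFIG_DEBUG_DISPLAY", "WP_DEBUG is on and WP_DEBUG_DISPLAY is not false"))
        if stat.S_IMODE(cfg.stat().st_mode) & 0o004:
            findings.append(("CONFIG_WORLD_READABLE", "wp-config.php holds DB credentials; use 0640 or 0600"))
    for path in root.rglob("*"):
        if path.is_file() and stat.S_IMODE(path.stat().st_mode) & 0o002:
            findings.append(("WORLD_WRITABLE", str(path.relative_to(root))))
    plugins = root / "wp-content" / "plugins"
    plugin_dirs = sorted(p for p in plugins.iterdir() if p.is_dir()) if plugins.is_dir() else []
    for pdir in plugin_dirs:
        ver = plugin_header_version(pdir)
        if ver is None:
            findings.append(("PLUGIN_NO_VERSION_HEADER", pdir.name))
        elif pdir.name in latest and parse_version(ver) < parse_version(latest[pdir.name]):
            findings.append(("PLUGIN_OUTDATED", f"{pdir.name} {ver} < {latest[pdir.name]}"))
    return findings


def build_demo_site(root: Path, hardened: bool) -> None:
    """Write a constructed mini WordPress tree (not a real install) for the demo."""
    plugin = root / "wp-content" / "plugins" / "example-forms"
    plugin.mkdir(parents=True)
    cfg = root / "wp-config.php"
    if hardened:
        cfg.write_text("<?php\ndefine('DB_PASSWORD', 'secret');\n"
                       "define('DISALLOW_FILE_EDIT', true);\ndefine('WP_DEBUG', false);\n")
        cfg.chmod(0o640)
        version = "1.4.2"
    else:
        cfg.write_text("<?php\ndefine('DB_PASSWORD', 'secret');\ndefine('WP_DEBUG', true);\n")
        cfg.chmod(0o666)  # readable and writable by every account on the box
        version = "1.3.0"
    (plugin / "example-forms.php").write_text(
        f"<?php\n/**\n * Plugin Name: Example Forms\n * Version: {version}\n */\n")


def run_demo() -> dict[str, set[str]]:
    """Audit a weak and a hardened constructed tree; return each one's finding codes."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, hardened in (("weak", False), ("hardened", True)):
            site = Path(tmp) / label
            build_demo_site(site, hardened)
            result[label] = {code for code, _ in audit(site)}
    return result


if __name__ == "__main__":
    for label, codes in run_demo().items():
        print(label, sorted(codes))
```

Point audit() at a real document root to use it outside the demo; the permission checks assume a POSIX host, and the version table has to be maintained by hand from the changelogs, which is the whole reason the list above tells you to check them manually.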

Strong WordPress security takes time, money, and ongoing effort to maintain. There are no one-and-done solutions. If you adhere to these best practices, you’ll have a website that’s protected from the vast majority of the threats typically seen in the WordPress ecosystem.

Want a team of experts to handle WordPress security for you?

We’ll take care of all of your WordPress security needs.
