Because WordPress is widely used on many websites, it becomes a bigger target for hackers trying to get into your website. With so many attacks you don’t have the dedicated time or resources to protect your website against every attack that happens. That is why security plugins exist. While there are people who have posted about how you shouldn’t have a security plugin, you most likely should use one.
This it isn’t a 100% fool-proof way to protect your site and it can still be hacked. It’s like you locking your front door because there is a chance someone can kick down the door if they wanted to. It slows down or really stops someone from trying to get in. There are still many things you can do to make your website more secure.
Why should you have a WordPress security plugin then?
It will stop someone from repeatedly trying to login to your website
Yes there are people or bots who try many combinations of usernames and passwords to try and find one that will successfully login to your website. A security plugin will see that and will block them from logging in, and in some cases stop them from accessing the website for a length of time. This is also known as brute-force attacks.
A majority of security plugin’s will allow you to customize when that brute-force attacks gets blocked, one site may want to stop these attacks early, and another may let these attacks go on for a while to gather information on the attacker.
It can scan and remove malware
There are many ways malware could potentially make it into your website and you won’t notice it. Security plugin’s continuously (or on a schedule) scan your website inside and out and will remove any malware they notice, without you having to do anything.
New malware is coming out all the time and security plugin’s have to be contentiously updated (or at least their database has to) to ensure they stay one step ahead and keep your site protected.
How often and how deep a scan goes depends on the security plugin and what you set it up to scan. Some will only scan any new files, and some will go as far as the server that your website is on (which most likely has a number of other websites on it). If you are unsure what your security plugin scans take a look at the settings or contact the company.
Can protect against website attacks
Backdoors, cross-site scripting, SQL injection, are just some threats and attacks that could happen against your website. Security plugin’s can stop these from doing what they set out to do. Some of these plugins will report the attack back to the company that runs it so it can be used to protect others (usually known as participating in their network or sending analytics).
Don’t freak out that these are happening to your website, just about every website in the world gets these kinds of threats and attacks. They do it because many sites are open to these attacks and just getting one site can be considered a success.
Is someone going to too many pages?
There may be bots that want to see what pages you have (or don’t have) and if they go to too many pages too often it can slow down your website. Security plugin’s can throttle or completely stop those bots.
Most security plugin’s that offer this let you tweak the settings as you need, they encourage you to keep the defaults as making the number too low can block legitimate potential customers from your website which would frustrate them.
Can add two-factor authentication
With all the logins that bots try to do, one major way to stop them from getting in is by adding two-factor authentication to all logins.
Two-factor authentication is requiring another piece of information to login, that way even if the bots do manage to find out your login password then they still won’t be able to login because they don’t know the code that is given out by the two-factor authentication. Which also changes every minute, so it’s practically impossible to guess it.
There are additional plugins that let you setup two-factor authentication for all the accounts on your website, why add another plugin to your website when a security plugin can already do it.
Can make sure no login is using a well-known password
People in general are lazy when it comes to passwords. In most security plugin’s there is an option to turn on a setting that will stop logins from using a well-known password and either email the administrator of the site or the user of that account, to get them to change the password.
How do we know what is a well-known password and what isn’t? When sites getting breached, the username and passwords tend to get sent to either researchers or go public. One of the people who collect this information is Troy Hunt and he runs HaveIBeenPwned. Many of these security plugins use the Pwned Password by HaveIBeenPwned so they don’t have to collect all the leaked data themselves, and can tell their customers if one of the passwords is used on their own website.
Can enforce strong passwords
If it’s not a well-known password then the password could be anything else. What about making sure the password is strong? Security plugin’s can do that. There is no standard for what a strong password is, most of the time it’s having a minimum length requirement, don’t require the password to be changed after a set period of time, has a combination of letters, number and symbols, make sure the password isn’t used on another website, don’t have the password be a word from the dictionary, don’t use information that may be associated with that person.
Can alert about plugins that should be updated
Plugins get updated and it’s hard to stay on top of them. Many security plugin’s can alert the site administrator when a plugin is out of date, and briefly tell them why it should be updated. It can be configured how often these alerts get sent out and certain plugins can be ignored.
Security plugin’s do this to help ensure your site is more secure, and it’s one of the features they can promote.
Block a user-agent without having to worry about messing up your entire site
Is there a bot or a user-agent that is constantly going to your website and you want to block it? There could be numerous reasons why you want to block it, could be a competitor, could be an SEO tool.
You could block these within .htaccess, if you aren’t used to the way it is, it can be confusing and overwhelming so security plugin’s offer you to ability to block user-agent’s within their settings. Granted the security plugin will have to load before the block goes into place but it can be much easier for some.
Have any of your WordPress files been changed?
There could be security flaws or bugs in your website and sometimes they attach themself to a file to try and remain hidden. Common examples could also include added unwelcome links to the bottom of each page, or adding an invisible code that a bot (like Google) can see. Security plugin’s will see that a file has been changed and will alert the site administrator so that it can be fixed.
When these files are changed, the security plugin can show you what the changed version looks like vs what the good copy looks like, that way you can take a look to see if the change is something you want or not. If not the security plugin can remove the changed file and bring in the good copy.
If you are unsure the change is good or not, think about if the site had anything installed or upgraded recently. If not then go with the old good copy. If something has changed then take a look to see if why there is a change. Then you can decide to keep the updated copy or get the old good copy.
Has a plugin you are using been removed?
Plugins can be removed from WordPress.org for a variety of reasons, from breaking one of the plugin guides, to security vulnerabilities, to the plugin creator requesting for it to be deleted, or any number of issues.
Security plugins should alert you when this happens to a plugin you are using, that way you can decide what action to take. That action could be finding the website of the developer to see where they are going to publish new versions, to getting the newest update (which could be a forced update), to finding an alternative plugin.
Slow down contact form spam
Getting spam to your contact forms is annoying, and some security plugin’s can help to slow down how much spam you get in your inbox.
Yes you can set these up yourself, however for some people it’s worth it to pay for a security plugin rather than spending the time to set it up.
Block a country
While we don’t suggest you do this, you can use security plugin’s to block people from selected countries from your website. What will happen instead is that they will get a message on the page that says the country is blocked and it may give them an option to contact the website administrator.
Get help from professionals
A major selling feature of some premium security plugin’s is that if you get hacked or need some help with your security you can contact them and their team of professionals will help you. This is great for those that want that safety or want to support the company.
These prices range in value, and some companies offer a one-time price to help with your hacked website, a majority offer a monthly (or yearly) price for this.
Know when your website is down
Some security plugin’s can alert you when your website is down so that you can work to get it back up. Each plugin that offers this has their own way of checking, and how often they check.
This works the best if the email address to get the alert isn’t the same email address you use for your website, because that could go down as well.
The major thing to check before enabling this, is the system that checks and alerts you, on your own website or from a server somewhere else? If it’s on your own website then it won’t do any good because it won’t be able to alert you because it will be down as well. Best practice to have a server somewhere else check to see if your site is down and alert you. There are also many companies which offer uptime monitors, with a majority of them offering to check from multiple locations in the world to make sure your site is down before alerting you.
Which security plugin should you use?
There are many security plugin’s and systems that you could spend years looking through all the different companies to see what they offer and their pricing. Which one should you choose? You should use one that you trust, one that fits your budget, one that’s easy for you to use, one that works with your hosting company (as some don’t allow certain plugins due to the way they have their systems setup), and of course one that actually protects your website.
If you aren’t sure which one to use, ask your hosting company if they have a recommendation, or any that they suggest you don’t use. If they give you one, then try it and see if it fits for you, if not then try a different one.
The main reason for all these different ones is to provide options and allows someone to use whichever one works for them and their needs.