Three factors combine to make WordPress particularly problematic where security is concerned. It’s hugely popular. It has a large plugin ecosystem. Its users tend to be non-technical.
Because of its popularity, it’s an obvious target for online criminals: if they find a vulnerability in WordPress, they have the key to millions of websites. Plugin developers are of mixed quality and ability, and even the most diligent plugin developer can make a mistake — the thousands of plugins in the plugin repository receive less scrutiny than WordPress Core and are more likely to contain undiscovered vulnerabilities.
WordPress was built to be easy to use. On the one hand, that brings web publishing within the reach of almost everyone. On the other hand, many people who use WordPress have little understanding of security, including how to choose secure passwords. That also makes WordPress a juicy target for hackers and criminals.
WordPress security plugins exist to make WordPress security less hassle for experts, and achievable for non-experts. The best WordPress security plugins include a range of features that limit the effectiveness of the most common types of attacks. They don’t make WordPress impervious to attack, and some argue that they give users a false sense of security and disincentivize them from learning how to properly secure a website.
I think that’s an overly gloomy view. WordPress security plugins are a net positive for the WordPress ecosystem. But what should a WordPress user expect from a security plugin?
Firstly, a Web Application Firewall. WAFs are firewalls that specifically target threats at the HTTP layer, including common threats like cross-site scripting attacks and SQL injection attacks. A WAF monitors incoming connections and disallows or filters those it deems risky. One advantage of a WAF is that its rules can be quickly updated to cover newly discovered vulnerabilities — WordPress sites can be protected by a WAF until they’re able to patch a vulnerability.
Next on the list of essentials is malware scanning. The typical WordPress hacker wants to inject their own software into a WordPress installation. There are numerous motivations: to infect visitors with malware, to send them to advertising sites, to create so-called SEO spam, to use the site’s resources as part of a botnet.
Brute force protection is also important. The web is rife with bots searching for WordPress sites with weak — read guessable — username and password combinations. Brute force prevention systems monitor incoming connections for suspicious login activity and block dubious IPs.
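As an added example (not code from the original post or from any particular plugin), this is the core check a brute force prevention system performs: count failed `wp-login.php` POSTs per IP inside a sliding time window and flag the IPs that cross a threshold. The log lines are constructed for the example; the threshold and window values are assumptions, not any plugin's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined web-server log format. WordPress answers a failed wp-login.php POST
# with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 fails repeatedly, 198.51.100.2 fails once then
# succeeds, 192.0.2.1 only views the login form (GET), which is not a failure.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '192.0.2.1 - - [10/Oct/2023:13:55:20 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
]

def failed_logins(lines):
    """Yield (ip, timestamp) for every request that looks like a failed wp-login.php POST."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m["path"].split("?")[0]  # ignore query string such as redirect_to
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], TS_FMT)

def find_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {ip: time_first_flagged} for IPs with >= threshold failures inside a
    sliding window of window_seconds. Lines are assumed to be in timestamp order."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that have aged out of the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts  # this is the moment a plugin would block the IP
    return flagged
```

A plugin would act on `flagged` by rejecting further login attempts from that IP for a cooling-off period; a log-based detector like this one is also useful for confirming, after the fact, that a plugin's lockouts are firing.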
There are several high-quality security plugins available for WordPress, each of which provides the features we’ve discussed here:
I’m not going to come out in favor of a particular plugin — there are plenty of reviews available online. But I am going to suggest that if you aren’t a WordPress security expert, installing one of these security plugins is a sensible move.