Over the years, and while helping people out on their websites, I’ve seen a lot of people running various Wordpress security plugins. And unfortunately…

… I have often seen them cause way more problems than they solve.

So, this begs the question: Do we need to run Wordpress security plugins at all?

Honestly, I’ve usually stayed clear of offering advice on this matter. I don’t want people to blindly follow my advice only to get hacked and then turn around and blame me. 🙂

All I can say is:

  • This is my opinion (although a pretty well-informed one)
  • Every site environment is different, so you need to know your situation and what you need.

Alright, let’s dive in…

The Usual Approach To Wordpress Security Plugins

Here’s how it usually goes down…

You aren’t very technically inclined. And you’ve read stuff out there about security vulnerabilities and sites getting hacked.

So, you read blog posts about security plug-ins. Or you blindly install something your web host recommends. You activate it and you think you’re good to go.

These plug-ins usually do things like:

  • Malware scanning
  • Firewall
  • Login Security
  • Spam protection
  • A bunch of other stuff that usually makes people go cross-eyed 😉

And, it all sounds good. It all sounds important. So, you install it. Better safe than sorry, right?

When Wordpress Security Plugins Cause Problems…


Anybody who has used PCs for awhile probably knows about anti-virus and malware scanning. I clearly remember back in the day when I ran Windows and running anti-virus like Norton and others.

In most cases, those anti-virus utilities caused problems. They caused poor performance, they blocked legit apps from working, caused conflicts, and more.

Almost the entire time I used Windows PCs, I did so without any anti-virus applications for this reason. I figure, if you’re not STUPID and visiting porn sites or downloading random software over the internet, you’re going to be fine. And I barely ever had Windows give me a hiccup from a security perspective.

The same experience often carries over into Wordpress.

Some of the issues that can arise are:

  • Causing SEO issues because the security plug-in is literally banning the search bots from crawling your site
  • Causing major plugin conflicts with other things on your site, where the security plug-in is blocking core functionality from another plug-in.
  • Causing problems with high server load or high memory usage, which can in turn hurt your core web vitals metrics.
  • Locking you out of your own website

It isn’t as if these plug-ins are nothing but problems. If they were, they wouldn’t exist. 🙂 They clearly serve a role. However, when blindly installed by people who don’t know the ins and outs of what they’re looking at, they can cause problems.

The Truth About Wordpress Security

Wordpress security plug-ins are a secondary line of defense. When used blindly and without knowledge of the various settings, they can cause annoyances.

The primary line of defense is the hosting and software itself. The security plug-in is really there to guard against a vulnerability in that gap of time between when a problem is found and when it is fixed.

The most important advice I can provide for Wordpress security is:

Use Good Web Hosting

I use and recommend Cloudways. (Here is my Cloudways Hosting Review).

Not all web hosts are equal. I’d be leery of cheaper, lesser known hosts. I also don’t like commodity shared hosting like Bluehost or Hostgator as I’ve seen too many sites get hacked on those (including mine) and they represent a large attack target due to all the inexperienced people hosting their sites on the same server as you.

With Cloudways, your sites are immune to the effects of other Wordpress users because you’re on a virtual private server. Cloudways also has built-in security functionality for Wordpress, including bot protection and login limits.

Run High Quality Wordpress Plug-ins

With Windows, one of the activities that presents the biggest security issue is when you’re downloading random software off the internet. It could have a virus in it, it could install malware, etc. But, when you stick to paid, well-supported applications, you’re usually fine.

It is the same with Wordpress.

Usually, it is the premium plug-ins that work better. They generate revenue which means they have the ability to continually support and update their software. If security issues arise, they are often fixing it before you even know about it.

The Wordpress plugin database has a lot of plug-ins. Many of them are free and done as a passion project by the developer. In most cases, they’re perfectly fine. But, by not generating revenue, the maintenance of the plug-in could suffer. Eventually they just move onto other things and you don’t see plug-in updates anymore. That’s when security issues can arise and there’s nobody there to fix it.

Keep Software Updated

This is so important.

You absolutely need to keep Wordpress updated. You need to keep your themes updated. And you need to update your plug-ins.

I recently had to clean up a malware issue for a client where he was getting text link ads inserted into his footer for pills and other such things. In his case, it was an outdated Divi theme causing the problem. Simply updating Divi got rid of the whole issue, then I could manually remove the link and there was no problem.

In almost every case where I’ve had to come in and fix malware injections on a Wordpress site, the attack vector was an outdated theme or plug-in. The bot was scanning around looking for a known vulnerability and the out-of-date software presented it to them. The other thing I’ve seen is hosting vulnerabilities, but I’ve already mentioned hosting (see above).

If you want to automate plug-in updates, you can. I usually don’t because I also don’t want to run the risk of a plug-in update breaking something when I’m not there to see it. I just make a point to routinely update my software regularly and manually.

Keep Backups

In the rare occasion your site is hacked, you can always revert to a backup. It is like the big magic eraser. 😉

Of course, when you restore a backup, you’re still installing the vulnerable site. So, it is important that you know HOW the site was hacked. Again, if you’re not using any questionable themes or plug-ins and you’re keeping them updated, then look to your hosting.

If you have a web host where things get hacked and all they do is inform you and act like you’re the guilty one, time to look for a better host.

Need A Security or Performance Audit On Your Site?

I’d be happy to pop into your site and advise you on your best approach to security, or even help recover your site after a hack. Just put at least one service credit on your account, then we can get in there and do what needs to be done.

When To Install (And Not Install) A Wordpress Security Plugin

People who write about security and create security software are notoriously paranoid. 🙂 They’ll scare the crap out of you if you don’t know any better.

Here is MY opinion…

For most people reading this post, I would say you are perfectly safe not installing a security plug-in. Just use good hosting, quality themes and plug-ins, and keep everything updated and you’re going to be fine!

Most smaller Wordpress sites (the ones without a ton of traffic) just aren’t interesting enough to be a hack target. So, what is usually happening is that bots are scanning and you just gave them an “in” for some reason. Look at your hosting and your software for what is giving them an “in”.

In the case of busier sites or sites that may operate in markets more likely to make them a target (i.e. controversial topics, etc.), it might be worth installing a security plug-in.

When you do so, be prepared to have a busier server environment with more resources. In other words, don’t just blindly install a security plug-in without looking at your site holistically.

You may need to beef up your server. You may need to set up some specific security exemptions and even make a few configuration changes at the server level. If you have no idea how to do any of that, you could run into issues. Merely activating a security plug-in is no magic bullet.

Which Security Plug-ins I Recommend

Well, if it wasn’t clear already, I’m a fan of not running one at all and instead just doing proper diligence.

But, if I was going to install one, I’d probably look at Wordfence. It has the best reputation.


If you have public-facing forms (like blog comments), you might need some spam protection. I have found that using Thrive Comments helps ward off a lot of comment spam. I don’t think it is any particular power of Thrive that does that but likely more that the bots that are out there scanning for comment forms to spam don’t recognize the Thrive forms so readily.

On this site, all commenters are required to be logged into a member profile (you can get a free account here). That almost completely alleviates comment spam.

Using Akismet for spam filtering on comments is a good idea. And, of course, if you don’t really get many comments, consider disabling comments altogether and the spam issue disappears.

If you have a contact form on your site and you keep getting blasted with spam from that, consider using a different contact form setup. Many of the freebie contact form plug-ins are so common and present predictable code that the spam bots look for. In my experience, using something like Fluent Forms or Gravity Forms makes the problem disappear.

If your form has the ability to use a honeypot, do that. A honeypot is a hidden form field that bots would stupidly fill out (since they’re bots) while regular users would not. So, if that honeypot field has something in it, you know it’s a bot. Most recent form plugins have honeypot functionality built right in, but you just need to ensure it is turned on.
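Here is what that honeypot check looks like in plain PHP for a hand-rolled form. This is an added illustration, not code from this post or from any of the form plugins mentioned above; the field name `website_url`, the off-screen wrapper and the handler layout are my assumptions.

```php
<?php
// Added example: a minimal form honeypot. Field name is an assumption.
const HONEYPOT_FIELD = 'website_url'; // a name a bot is likely to "want" to fill

/**
 * Render the trap field. It is moved off-screen with CSS rather than using
 * type="hidden", so a bot that fills every text input will still fill this one.
 * tabindex=-1 and autocomplete=off keep real users and browser autofill out of it.
 */
function honeypot_field(): string {
    $f = htmlspecialchars(HONEYPOT_FIELD, ENT_QUOTES, 'UTF-8');
    return '<div style="position:absolute;left:-9999px" aria-hidden="true">'
         . '<label for="' . $f . '">Leave this field empty</label>'
         . '<input type="text" id="' . $f . '" name="' . $f
         . '" tabindex="-1" autocomplete="off">'
         . '</div>';
}

/**
 * True when the submission should be treated as a bot:
 * the trap field is missing (form markup was bypassed) or it has any content.
 */
function honeypot_triggered(array $post): bool {
    if (!array_key_exists(HONEYPOT_FIELD, $post)) {
        return true;
    }
    return trim((string) $post[HONEYPOT_FIELD]) !== '';
}

// Handler sketch: silently drop bot submissions but log them so you can see the volume.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (honeypot_triggered($_POST)) {
        error_log('honeypot: dropped submission from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        http_response_code(200); // look like success so the bot learns nothing
        exit('Thanks!');
    }
    // ... process the legitimate submission here ...
}
```

Returning a normal-looking success page rather than an error is deliberate: it gives the bot no signal that the trap exists, while the log line lets you confirm the honeypot is actually catching traffic.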

If you absolutely have to, you can use some kind of spam prevention on the form itself, but I generally try to avoid that. Recaptcha is the most annoying thing on the planet. 😉 I literally want to stuff those fire hydrants up places I shouldn’t… after running them over with the bus. And the bike. 😉

I would clobber whoever invented this over the head with a traffic light.

Also, running your domain DNS through Cloudflare provides an extra layer of security against DDOS attacks and the like. Just using the free Cloudflare plan gives some security protection against such things.

Final Thoughts

A Wordpress security plugin has a role. But, in too many cases, I see users rather blindly installing them without understanding many of the terms. They just trust that the plug-in works. Then, wonder why they’re having issues with plugins not working or sites being slow.

In most cases, all you need to do is use quality hosting, use supported themes and plug-ins, and keep everything updated. You do that, you are 99% proofed up against problems.

Don’t blindly give your site a 100% chance of slower operation and more annoyances just for that extra 1% security protection.

In the end, Wordpress security plugins definitely serve a function. But, it is no substitute for the primary line of defense. And you certainly need to know what you’re looking at when you install one so as not to have unexpected issues.

Every site and every host is a little different. So, don’t blindly follow my advice and turn off all your security plug-ins then turn around and get mad at me if something happens. 😉 You’re the one in the driver’s seat.

If you want me to get in and advise you on the matter on your site specifically, pick up at least one service credit and we can do a consultation about your site and I can recommend ways to speed it up.


UPDATED 3/23/23: Made a few minor updates and added info about a form honeypot.
