Recommended Security Plugin for WP and s2 -- if any

I am the self-taught admin for a military veterans’ membership-based website. We want to keep our website secure, simple and safe.

We have not used any “security” plugins although there are many available. Although we don’t have any classified or very sensitive information posted on our website (or available to Members), we would like to prevent potentially malicious individuals from attacking our website.

Does s2 recommend any specific plugins? Are WP and s2 sufficient without any supplemental security plugins?

Any advice will be appreciated.

Thanks,

Louis

The short answer is yes.

The long answer is that trying to boost security from within WordPress is generally a waste of time.

Your site’s security really depends on factors outside of WordPress much more. So the #1 security precaution is to choose a good host. I can’t believe the number of users who choose a terrible host and then rely on a WP security plugin. That’s entirely backwards.

Secondly, you should run https with an SSL certificate. A good host will be able to set you up with a free Let’s Encrypt certificate.

Thirdly, you can implement various security “headers” in your site’s .htaccess file (if you use Apache) or whatever the equivalent is for nginx. This is a good resource: https://www.keycdn.com/blog/http-security-headers/

Fourth, I’d strongly suggest you avoid using the Jetpack plugin. I have seen many sites that were targeted by hackers trying to exploit holes in Jetpack. While you should be OK if you religiously keep it up to date, you might well find yourself the target of sustained hacking attempts looking for known vulnerabilities. I’ve seen these attacks take down a whole network, and I even strip out conditions and filters designed for Jetpack that appear in other plugins and themes precisely so that my sites avoid this risk.

If you still want to run a WP security plugin after that, I’ve found WP Bruiser to be comfortably the best of the ones I’ve tried. The BulletProof Security developer also seems to know what s/he’s doing. But there are just so many that are dreadful …

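As an added illustration of the third point (security headers in .htaccess), here is a starting .htaccess fragment for an Apache host running WordPress. This is example configuration written for this thread, not something from s2Member or the KeyCDN article; the Content-Security-Policy value is an assumption and is deliberately set to report-only, because a strict policy will break themes and plugins that inline scripts until it has been tuned for the site.

```apache
# Added example: baseline security headers for a WordPress site on Apache.
# Requires mod_headers and mod_rewrite (most shared hosts enable both).

# 1. Force HTTPS (the SSL certificate from the second point must already be installed).
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

<IfModule mod_headers.c>
    # Tell browsers to use HTTPS only for one year. Only add "preload" once
    # every subdomain is confirmed to work over HTTPS.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Stop browsers from guessing a MIME type different from the one declared.
    Header always set X-Content-Type-Options "nosniff"

    # Refuse to be framed by other origins (clickjacking); SAMEORIGIN keeps
    # the WordPress admin, which frames itself, working.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Do not leak full URLs (which may contain member-area paths) to other sites.
    Header always set Referrer-Policy "strict-origin-when-cross-origin"

    # Disable browser features the site does not use.
    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=()"

    # Assumed starting policy, REPORT-ONLY: browsers log violations to the
    # console instead of blocking. Review those reports, then move the tuned
    # policy to a real Content-Security-Policy header.
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; img-src 'self' data: https:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'"

    # Remove the server version banner that Apache/PHP may add.
    Header unset X-Powered-By
</IfModule>
```

After saving the file, confirm the headers actually arrive with `curl -sI https://example.org/ | grep -i -E "strict-transport|x-frame|x-content-type|referrer-policy|content-security"` (example.org is a placeholder for the site); a blank result usually means mod_headers is not loaded, in which case the host needs to enable it. The older `X-XSS-Protection` header that some guides still list is ignored by current browsers and is left out here on purpose.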

Tim, thanks a bunch for your thoughtful reply. I’m also fanatical about backing up, which is essential.

Me too: I keep three copies of everything!


Just thought it was time to bring this thread up to date. Since the last comment here, the specialist WP security company, White Fir Design, has run three different tests on twelve WP security plugins. (These did not include WP Bruiser, which does just one thing but does it well.)

The result? Not one of the twelve proved worth having! See https://www.pluginvulnerabilities.com/2016/09/28/the-tradeoff-that-comes-with-a-wordpress-security-plugins-ability-to-prevent-a-vulnerability-from-being-exploited/ for a summary and links to the tests.

I don’t know of any other company that specializes 100% in WP security and that actually runs tests like this, but I’d be interested to know if any others exist.

White Fir also offers a plugin that checks for known vulnerabilities in WP plugins (https://wordpress.org/plugins/plugin-vulnerabilities/) as well as a service for subscribers (which I have not tried). See https://www.pluginvulnerabilities.com/wordpress-plugin-security-reviews/. That is NOT an affiliate link!

Best security plugin for WP is the admin 🙂 Keep all the software up to date (or subscribe for my monthly support as well) and 95% of problems will not touch you. The remaining 5% are usable or worthwhile against only 1% of all sites, so most likely they will not hit us.