In this guide, we will look at my different security layers for WordPress: what I do, why I do it this way, and how you can set it up yourself.
Note: We are not looking at server security in this article.
You will also learn why most security setups out there simply are not appropriate.
Chances are high that your current setup hurts your performance or even makes your site vulnerable.
Be aware – the marketing skills of some of those “WordPress security companies” are actually better than their security skills. (looking at iThemes and Wordfence specifically)
Why different layers of security?
Security comes at a cost, always. Those costs might be:
- Usability (tedious setup process, loss of functions)
- Performance (latency in loading times, less possible total load)
- Resources (Euros, Dollars, Bitcoins, Dogecoins, Melons, Gold, whatever)
This implies that one security setup won’t be perfect, or better said appropriate, for everyone.
I broke things down into different tiers – though I believe that basic + advanced is the optimal setup for 95% of WordPress websites out there.
I believe that my setup is still fairly easy to implement and won’t take you longer than an hour to set up. Especially the paid services are super easy to set up, but well, they cost actual money.
I completely set up the basic and advanced stuff (+ some other tweaks here and there) for sites I built or for care-plan clients.
The paid services are for you if you just can’t be bothered, at all.
The setup process is a few hairs faster than the basic + advanced stuff, and they provide very basic malware removal options (which will work for very basic hacks, but will not close the vulnerability, give you insight into what the vulnerability was, or handle sophisticated attacks).
Why your security setup isn’t appropriate:
Because I say so, duh!…
If you’re interested in more information than I list, please leave a comment and especially read the articles I link. They’ll open in a new window, no need to right-click, no worries.
First – put your favorite security plugin into WPScan (search at the top right corner)
Does it have multiple entries? Guess what that means.
Wordfence:
Wordfence is super popular and was the first thing I installed back then when I started with WP. But it is not a good choice, because:
- your database will become bloated, WF is known for this
- in the free version, you’re open to new known threats for 30 days (as stated on WP Repo)
- data submission to their US servers (like IP addresses…GDPR *cough*)
- slow response times (of the firewall, IDK about their support)
You can read further about the performance penalty on PluginVulnerabilities.
iThemes Security:
Also a pretty popular option. Was called “Better WP Security” before it was acquired.
But iThemes doesn’t have extensive security expertise in-house. This is not a real security plugin anymore. See more on WPScan.
- No real security expertise
- well, not a real security plugin
- even brings in security issues
All In One WP Security & Firewall:
Also a pretty popular option. Was acquired by Updraft in 2021, though that still isn’t disclosed (RED FLAG!).
Updraft also doesn’t have security expertise in-house. See more on WPScan.
- No real security expertise
- acquired without disclosure
- even brings in security issues
Sucuri:
If you’re using the free version this is a scanner only but doesn’t provide a firewall. Premium isn’t cheap – keep the money and the scanner. Or in other words, the premium version is not worth the money and performance drop.
Changing your login URL:
This is NOT a good idea. It will not make your website more secure. The login isn’t the most exploited entry point anyway, and with a strong password + the following solutions, your login is secured very freaking hard. By changing your login URL you’re only asking to break things, or even worse, to forget where you placed it.
The WP-Login isn’t even the most used entry point. 2FA and NinjaFirewall provide plenty of protection.
Add to that the many sites that were hacked even with iThemes Security or Wordfence installed.
About performance and response times:
In the “load average” graph you see the /net versions with pretty low resource usage. This is because they processed only about 5-15 requests per second, and as they’re connecting to their network they’re not processing much on the CPU.
The /net versions are configured for “real-time network protection”, which means each request is sent live to e.g. Wordfence’s servers, processed there, and the result is sent back to your Wordfence endpoint. You can also read the full article*.
Easy and free, but not much protection
First things first, thank you to Jeff Starr. He provides the two solutions that will be used here. He is the man behind perishablepress.com and plugin-planet.com (and a few other projects).
Those two plugins come in a free and a premium version and even though they’re super cheap I only use the free versions.
This is the first step in the right direction. You can combine those with whatever you’re currently using, whatever it may be.
Block Bad Queries (BBQ)
A great plugin that acts as an endpoint firewall and blocks plenty of bad traffic right at the doorstep. Install, no config needed, sleep tighter.
You can find an extensive article about this plugin on Jeff’s website here.
Also, a free vs pro comparison can be found on the Pro Version page linked above.
Though this is unnecessary if you’re using 7G Firewall on the server level because BBQ is based on 6G and 7G.
Blackhole for bad bots
A little trick to lure bad-acting bots into a trap. Please also install the Cache-Helper-MU-Plugin. That’s it, no config needed.
What this does is insert a non-visible link; if this link is requested, the client’s IP address is banned. Do not worry, this will not happen with Google. You add a disallow rule for this link to your robots.txt file, and since Google is a nice-acting bot it follows those rules and never hits the trap link. Docs on how to do this are in the plugin’s settings or in the WP-Repo installation notes.
After you’re done, check if it is working correctly – check the guide here.
Again you have the free vs pro comparison in the Pro Version link above.
Note: I used Blackhole with SwiftPerformance and LiteSpeed Cache with the Cache Helper without issues.
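To make the mechanism concrete, here is an added example (not code from the Blackhole plugin or from Jeff Starr) that shows the idea behind the trap: a client that requests a path your robots.txt disallows is, by definition, not following robots.txt. The script parses a constructed robots.txt and a few constructed access-log lines and reports which client addresses requested a disallowed path. The trap path `/example-trap/` is a placeholder; the real plugin documents its own path in its settings, and it also exempts known search-engine bots, which this example does not do.

```python
"""Find clients that request paths disallowed in robots.txt (blackhole trap idea).

Added example, not the Blackhole plugin's code. The robots.txt, the trap
path and the log lines are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed robots.txt; "/example-trap/" is a placeholder trap path.
ROBOTS_TXT = """User-agent: *
Disallow: /example-trap/
"""

# Constructed access-log lines in Apache/nginx "combined" style.
# 198.51.100.7 behaves: it reads robots.txt and stays away from the trap.
ACCESS_LOG = """203.0.113.10 - - [01/May/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2023:10:00:02 +0000] "GET /example-trap/ HTTP/1.1" 403 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2023:10:00:03 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Googlebot/2.1"
198.51.100.7 - - [01/May/2023:10:00:04 +0000] "GET /blog/ HTTP/1.1" 200 8000 "-" "Googlebot/2.1"
192.0.2.44 - - [01/May/2023:10:00:05 +0000] "GET /example-trap/index.php?x=1 HTTP/1.1" 403 0 "-" "curl/7.88"
"""

# Client address, request method and path from a combined-format log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_disallows(robots_txt):
    """Return the Disallow prefixes that apply to every user agent ('*')."""
    prefixes = []
    applies = False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            applies = value == "*"
        elif key == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes


def parse_log(text):
    """Yield (client_ip, request_path) for every parseable log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path")


def find_violators(robots_txt, access_log):
    """Map client IP -> sorted list of disallowed paths it requested."""
    prefixes = parse_disallows(robots_txt)
    hits = defaultdict(set)
    for ip, path in parse_log(access_log):
        path_only = path.split("?", 1)[0]  # ignore the query string
        if any(path_only.startswith(p) for p in prefixes):
            hits[ip].add(path_only)
    return {ip: sorted(paths) for ip, paths in hits.items()}


if __name__ == "__main__":
    for ip, paths in find_violators(ROBOTS_TXT, ACCESS_LOG).items():
        print(f"{ip} ignored robots.txt: {', '.join(paths)}")
```

Run it and the two clients that touched the trap path are listed, while the well-behaved crawler that read robots.txt is not. A real deployment would feed the result into a block list; the plugin does that for you on the first hit.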
Two-Factor
You may know 2FA from other apps. This is the plugin to get it into WordPress (it will likely soon be part of Core).
It includes support for hardware 2FA.
That’s it, you’ve got the basics covered.
Well, besides using a strong password of course. Please always use strong passwords.
I recommend using a password manager (KeePass, Bitwarden, etc.) and auto-generating passwords.
Advanced, still easy to set up AND free
This is where things start to get interesting. We’re blocking even more bots, and we’re blocking them before they even reach WordPress, which frees up a lot of server resources. This config can decrease your bot traffic by up to 90% and will greatly reduce their impact on the server.
NinjaFirewall
Please refer to this setup-guide – props to Daniel Ruf for this. He also has a blog here.
Probably your best bet for a free WordPress WAF. There is a pro version (pro vs free comparison included, click the Pro button above), but the free version is sufficient if you don’t need centralized logging.
Now let me tell you why NinjaFirewall is so great:
First, NinTech has real security expertise (there are plenty of articles on PluginVulnerabilities where NF was the only security plugin to actually protect a site).
Second, NinjaFirewall has a full WAF mode, where WordPress isn’t even touched when processing a request. It “sits in front of” WordPress.
Third, they’re super responsive toward 3rd party security researchers (like Daniel).
Plus, they’re security researchers themselves.
Fourth, check the article about performance linked above*. Yes, it is a little old, but the older comparison is from 2013 and the results haven’t changed, NinTech confirmed this, and newer articles on PluginVulnerabilities also show this.
NinjaFirewall is the fastest responding firewall and doesn’t impact your site’s performance.
Details on how the firewall works are linked here*.
And again, most importantly, it actually provides security. If I had to put a number on it, Wordfence and iThemes Security together would probably cover around 20-40% of what NF offers, at a much higher cost in performance.
They also provide a plugin called NinjaScanner* which is a great tool. Be sure to exclude /cache/ from the scan. An article about how it works can be found here*.
But be aware that this tool doesn’t scale super well and if your site is very heavy (let’s say 25GB+) and receives a lot of traffic you probably should swap it out for one of the following paid solutions.
If you have server access, you should certainly use maldet and ClamAV.
Does NinjaFirewall full WAF mode work on every Webserver?
Yes, but some fine-tuning or config may be needed, depending on your setup.
How do I fix the CDN detection error?
If you’re getting the CDN detection error and are using Cloudflare, you need to check this documentation.
This might not work on OpenLiteSpeed (OLS); please check this OLS doc.
Does NinjaFirewall work with reverse proxy? (Varnish for example)
Check the documentation in the above question.
7G Firewall (with addons)
A well-established solution. Complete guide included. But this is not a plugin, so a little more work on your side.
As this is .htaccess-based it won’t work on NGINX web servers. No worries, there is an NGINX version, but it can only be installed if you manage the server yourself. Otherwise, ask your hoster.
I also recommend adding the 7G addon and this ruleset.
Set up Cloudflare nameservers, if you haven’t already, for a performance boost.
Proxy your site through Cloudflare to get some security benefits (there’s some other cool stuff in the configs). You may also set up page rules with “cache everything” for a real performance boost.
Note: my opinion is that any Cloudflare product isn’t GDPR compliant at the moment, so proceed at your own discretion.
Guide for setting up Firewall Rules and Page Rules
Advanced done, you can sleep tight now.
This is waaaay more than I found on some websites I take care of – which were “professionally built” beforehand. So please, make this a regular practice if you’re a freelancer or agency.
With this setup, you’re now way better off than with Wordfence or iThemes, and it’s still free. Plus it impacts your performance less.
“Enterprise”, kind of.
Three of the solutions I will present to you offer a free version, of which you should use two (Patchstack and VirusDie or Malcare) as they’re free and provide another layer while not impacting performance heavily. EDIT- Probably not, check the controversy section
Bonus: None of those actually run on your server.
Note before you read on: my opinion is that none of these products are GDPR compliant, besides probably CodeGuard, so proceed at your own discretion.
Their Backup solution is crazy good. This service basically transfers your whole site over to their servers and scans it there (free is once a month). The WAF isn’t bad but not particularly good either. Since you can’t turn off the WAF I do not use this.
Virusdie
The free version scans your website once a month. Pretty extensive suite in the paid version – recommended.
You might remember them from an LTD they offered on AppSumo. Man do I regret missing this. Only heard about it when it was gone, would’ve for sure grabbed it.
Definitely a better security suite than Malcare, but doesn’t offer backups.
CodeGuard
A company by Sectigo. A great backup solution that also has great anti-malware solutions.
If you didn’t know, Sectigo is one of the companies that issue those high-level SSL certificates that get you a green URL bar and other great stuff.
Patchstack
Marketed as patching zero-days; it notifies you if you run vulnerable plugins.
I use their free version to notify me if a plugin I use is vulnerable.
They are security researchers and offer a bounty program for security researchers to submit vulnerabilities to them, which is cool.
The paid version includes “vPatches” which are actually firewall rules written on the fly for vulnerabilities that aren’t patched yet.
Controversy in privacy compliance and trust
With CodeGuard, BlogVault, and VirusDie you’re uploading your whole site onto their servers, including your database, which may contain sensitive data or personally identifiable information.
So if one of those providers was to be hacked or had a security breach, your site would be affected too. Or the connection might be hijacked.
This means there is a lot of “trusting the provider” involved here.
On top of this, you have to take into account that you’re uploading user data to those services, so they need to be fully privacy compliant (and you also have to list them in your privacy policy!!). If their infrastructure runs on AWS or Google Cloud, for example, they sure aren’t GDPR compliant for now. This is a huge problem and one of the biggest reasons why I’ll stop using those services if the EU and US do not set up a new Privacy-Shield-like arrangement.
On top of this you also have to include them in a directory of service providers or data processors and have to explain how they’re using the data, how and for how long they’re storing it, etc. etc.
In case of an audit, you would surely fail to provide all this information for those services. At least I have not gotten the information needed yet from support, but I’m still trying.
How do you feel now?
Do you still feel like Wordfence is enough or a good idea performance-wise?
I believe the basic and advanced stuff should be done on every website. It’s free and doesn’t tax performance.
If your site is generating serious money I’d consider spending some of it on one or two enterprise solutions. Or even better, getting somebody on your team to handle security. I’m open to talking, or to referring you to somebody I recommend.
Why? Because 2 offsite backups are better than one. And since malware cleanup starts at around 150$ and goes up to x.xxx$ or even xx.xxx$ plus all the revenue that was missed because of malware, I would rather spend resources on preventing this from happening.