5 Things to be Aware of When Buying WordPress Security

If you are new to WordPress or reevaluating your security strategy, you are overwhelmed by choice in today’s market. The reality is that there are only a handful of tools that truly protect your WordPress website from a hack and help you detect an incident. With all of the claims that vendors are making, it can be tough to choose the most effective product to protect your investment and your customer data.

To help you in your decision making, I’m going to call out 5 things in this post that you need to be aware of before you choose a security plugin, a cloud solution or something that runs in the hosting environment that your hosting provider is selling.

1. Not all security products include a firewall

Many of the best known security plugins for WordPress don’t actually include a firewall. To understand this, it’s important to understand what a firewall actually is. The firewall in Wordfence is known as a Web Application Firewall or ‘WAF’.

For a WAF to be effective, it needs to fulfill a few basic requirements:

  1. It needs to block a wide range of attacks based on it’s ability to recognize website requests as attacks. Types of attacks include SQL injection attacks, remote code execution, cross site scripting and cross site request forgery attacks.
  2. The WAF needs to have a rule-set that is continuously updated. These rules are used to recognize attacks and block them. They can’t be updated only when the software is upgraded. They need to be updated constantly via a ‘feed’.
  3. The WAF needs to analyze ALL requests, not just requests that hit a particular application. In other words, if you have installed a WordPress WAF, it must block requests that try to directly access a script in a WordPress subdirectory along with requests that hit WordPress itself.
  4. The WAF needs to be very high performance. It will be inspecting every request that hits your site and it’s very important it doesn’t slow your site down at all.

Wordfence fulfills all these requirements. It has a comprehensive rule-set that blocks a wide range of attacks and is continuously updated via our Threat Defense Feed. The Wordfence WAF inspects every request made to a PHP application on your website. Whether it’s a WordPress request or a direct attack on a script like Timthumb, Wordfence will see it and analyze it and block it if necessary. Wordfence is extremely high performance. We use core PHP functionality for our rule-set that executes very fast, we pre-filter rules and only execute what is relevant and our rule-set is highly optimized.

Many popular security plugins for WordPress don’t include a WAF, or firewall. They include features like brute-force protection, file change detection, backups, strong password enforcement and so called system ‘tweaks’. But they don’t include the most basic security component of them all: An effective web application firewall.

When purchasing a security product, make sure it actually includes a firewall.

2. Cloud firewalls can be bypassed and don’t have identity data

cloud-waf-diagramBecause cloud firewalls execute on remote servers out on the Internet, it’s possible for an attacker to go around them and attack your site directly. We’ve written about this in some detail.

Because cloud firewalls execute remotely, they don’t have access to your WordPress API and database. That means they don’t know basic things like: “Is a user signed into your website or not?” They don’t have this data so they can’t use it in their decision making about who to allow and who to block.

If you don’t even know whether a request is coming from a site administrator or an attacker, how can you provide effective protection? We’ve written about the cloud WAF user identity problem in some detail.

Cloud firewalls also use a rule-set that is generic. Their rules are designed for all websites. That means they don’t specialize in a specific platform. The result is that they can allow through some of the best known and most basic attacks on a platform like WordPress.

Wordfence Protecting the EndpointWordfence is designed specifically for WordPress, it knows and uses user identity to make it’s decisions and it’s not possible to go around the Wordfence web application firewall because it runs directly on your WordPress website.


3. Some malware scans don’t check very much

When choosing a malware scanner for WordPress, it’s important to choose one that does a deep thorough scan of your site. Malware authors have become very creative in how and where they hide malware once they’ve compromised your website. Without a deep scan, your site may be infected and you won’t be aware of it.

iThemes Security, the second most popular security plugin for WordPress, uses Sucuri Sitecheck to perform a malware scan. You have to pay for iThemes Pro to gain access to this feature, which currently costs $48 per year.

Once you’ve paid for iThemes security and have access to the malware scan feature, you can launch a scan. A Sucuri scan using iThemes Security on my test WordPress site only performed 22 page requests. All the checks are remote, so no source code is inspected.

After doing this scan, this is what my logfile looks like. Click for a larger image.

ithemes sucuri malware scan

As you can see, it didn’t do very much.

Below we show what a typical free Wordfence scan looks like (it’s in reverse chronological order). As you can see we analyze the source code of over 4,000 files on the same site and perform a host of other checks. Click the image for a larger version in a new tab.


When choosing a malware scanner, make sure you pick one that performs a comprehensive scan of your website and doesn’t just do a cursory check. Malware can be hard to find and well hidden. Wordfence performs a deep and comprehensive scan of your site every time it runs.

4. Malware scanning takes a team, forensic work and processes

Forensic WorkHave you wondered why our Wordfence site cleaning service is is so reasonably priced, even though you get your own Wordfence analyst working closely with you to fix your hacked site?

It’s because your hacked website is an amazing source of forensic data for us. We take the footprints that a hacker left behind and add that to our malware scan.

To provide an effective malware scan, you need to perform hands-on forensic analysis of the latest attacks as they happen. That’s what our site cleaning team does.

Then you need to take that attack data and run it through a process to turn it into threat intelligence and distribute it, in real-time to a great malware scanner. That is what our Threat Defense Feed is. The TDF describes our process of gathering, analyzing and distributing threat intelligence to the Wordfence malware scanner and firewall.

I’m not currently aware of a single WordPress specific malware scanner that combines a high performance scan engine with a team and process like Wordfence does.

5. Watch out for ‘automated‘ malware removal

Some companies offer an ‘automated’ fix if they detect malware on your website. When we first heard about this we viewed the concept with deep skepticism. If malware is detected on a website, it has been compromised. The definition of a ‘compromised’ site is that someone unauthorized has gained access to the site.

Incident response is a complex field. We have certified forensic investigators on our team who have developed our site cleaning process. To get an idea of how the a typical incident response process works, you can reference NIST publication 800-61 “Computer Security Incident Handling Guide” [PDF].

In general, forensic analysts will divide incident handling into three phases:

  1. Detection and Analysis: This includes analyzing attack vectors, documenting the incident, prioritization and notification.
  2. Containment, eradication and recovery: This includes evidence gathering, identifying what has been attacked and evidence gathering.
  3. Post incident activities: In this phase forensic data is analyzed, evidence is retained and the data is used to prevent future incidents.

There are several different approaches to incident response and you can visit OWASP to learn more about how they tackle the problem.

If a site is compromised, an automated fix would leave out many of these steps. For example, it would not be able to determine how an attacker gained access and so the site may be repeatedly hacked.

We currently recommend that you avoid products that claim an automated fix is possible for a compromised website. Instead we suggest that you use a security analyst trained in incident response to help fix your hacked website. One of our human analysts would be glad to assist you.

Did you enjoy this post? Share it!


  • Hi. Thanks for the info. Comparing security products' pros and cons is not always easy. So many options and so many settings available can obscure things.

    Is there any webinar/video (or other resource) on basic computer security incident handling that you recommend?

  • I gather that you are not that found of iThemes Security, but what would you consider as reasonably good alternatives to Wordfence?

    BTW I like Wordfence and use it on quite a few sites.

    • The free version of Wordfence. :-)

      Jakob there is no other security plugin that provides a firewall and malware scan with real-time updates. I don't even have to add "...that is as good as Wordfence." to the end of that sentence.

      iThemes does not include a firewall. And as we pointed out their malware scan uses Sucuri and just does a few remote requests without any source code inspection.

      The rest of the products out there are a mixed bag, often written and supported by individuals and they don't include even the basics.


  • I'm new to blogging and the very first plugin that I installed without knowing it's capabilities was wordfence. Now that I have been running it for over a month now and learning about what it does on a daily basis I am very glad that I have installed it on my wordpress. I love that it perform daily scans but that I can also do manual scans of my blog whenever I feel something isn't right. Reading articles like this one leaves me with a peace of mind knowing that my site is always secured.

    Thank you!

  • Love your plugin! I am still trying to figure out how to configure the firewall, though. Can you offer any guidance? Thanks!!!

  • I don't know maybe it's my days as an IT/Network Admin & with everything my professor drilled into my brain about network security. Things have improved since I was in school in 2004 but principals are still principals.

    Hackers come up with the latest and greatest, therefore you have to try to stay 1 foot ahead of them by using the best encryption possible.
    You don't make it easy for them by not using a firewall, you most certainly don't make it easier for them by not using a malware checker.
    If you are using both of those make sure it's a good one not a piece of crap.

    What other security companies are doing to their WP customers is tantamount to being an Alarm company that has a customer with an unfortunate history of constantly being broken into and constantly losing money in those burglaries... The alarm company goes out to check the building and then leaves the keys in the door of the building and leaves the alarm turned off and puts up a glaring red sign that says "unsecured building at 49th and Main Street, Keys in door and Alarm off - have fun bad guys."
    WordFence is like an alarm company that has the latest techno alarm with lazer beams and finely tuned motion detectors and door alarms that send a 10 inch thick steel door to the ground if someone attempts to enter. Oh and did I say they also have male gorrillas as on site guards that have been fully trained in martial arts and carry lazer scoped uzi's?

    • We have female gorillas and chimps and orangutans too. Wordfence is an equal opportunity employer.

      • Mark, not fair I was drinking coffee when I read your response and now I'm breathing coffee. :-)

        It's nice to see that after being wrongly accused of breaking political detante protocols that you still have your sense of humor and your whits about you...

        We don't go into IT or Development to make friends do we?


  • Hi Mark, good read as always. But I want to ask that how Wordfence handles security of multiple sites hosted under 1 user/cpanel? Client hasn't enough money to buy security for all sites then how would you tackle infection from neighboring sites?

    • If those sites are installed in subdirectories under your base WordPress installation, they will receive some degree of protection from the firewall on the main site. However they won't be included in malware scans by default - you have to enable an option for this. Please see our docs for details or ask in our support forum. Thanks.

  • I've always loved Wordfence and have used other security plugins (including iTheme Security and Sucuri's own plugin for WordPress) but since Wordfence introduced there Firewall, it has been my default Security Plugin ( even though it is a bit difficult to configure on some servers). What would be nice is if 'COUNTRY BLOCKING' was a free feature which would mean I could less plugins on my site?

  • I must say, I use the free version of Wordfence and I was amazed at how much it contained!

  • Thank you for this useful post. It shocks me to know that "not all security products include a firewall" I assume this is a must, not an option. I appreciate Wordfence that this was highlighted to educate the community.