Not The Best WordPress Security Plugins of [Insert Year]
Earlier this week, we wrote about the person behind the website WPCrafter seeming not to understand that a couple of WordPress security plugins don’t provide protection against getting hacked. One of those plugins is the Sucuri Security plugin, as they began a testimonial for another security solution with this claim:
I had been running iThemes, WordFence & Sucuri, but they kept getting hacked.
In looking to see what other security advice they are giving out, we ran across a post on their website titled “The Best WordPress Security Plugins of [yr]: How to Secure a Website & Make It Hacker-Proof”. The “[yr]” in the title looked to be caused by a shortcode no longer working, as Google’s cached copy of the page says 2023 instead. So it looks like the website has been presenting old content as if it were recent by inserting the current year through a shortcode, until that stopped working.
The title also had another glaring issue, which is that you can’t make a WordPress website hacker-proof through WordPress security plugins. It is possible to improve security through them. But it is also possible for them to have no practical impact, or to actually make the website less secure because the security plugin is itself insecure. It would be helpful to know which plugins can improve security, so the post’s content could have been valuable.
Looking over what are claimed to be the best plugins, the first one is none other than Sucuri Security. You know, the plugin that the testimonial quoted above says did not protect against getting hacked. They start off writing this (emphasis ours):
Sucuri is considered by many small businesses to be the best WordPress security plugin due to its number of ways to protect your website. These include malware scan, brute force and DDoS (denial of service) attack monitoring, and protection against any other security attacks.
What is actually being described there is an unrelated paid service from Sucuri. The plugin doesn’t do those things. Also, claiming that it can protect against any type of security attack is silly. As we noted in the past, Sucuri doesn’t even seem concerned that their paying customers are getting hacked, much less provide protection against any type of attack.
With another of the best plugins, it appears the post writer simply copied the claim made by the developer. Here is how WPCrafter describes it:
It scans your themes and plugins for vulnerabilities and looks up the information in the WPScan Vulnerability Database.
And here is how the developer describes it:
This plugin determines whether any of your plugins or themes have security vulnerabilities. It does this by looking up details in the WPScan Vulnerability Database.
In reality, the plugin doesn’t determine if a plugin or theme has vulnerabilities, only if WPScan is claiming there are publicly known vulnerabilities in them. That is very different, and anyone suggesting using WPScan’s data should be warning about its serious accuracy issues (or better yet, recommending a plugin that relies on more reliable data).
In between those plugins are two plugins that provide some direct protection against getting hacked, but they are not the best options. In fact, there isn’t any real explanation of why the plugins listed are the best. It just reads like someone copied marketing material for several plugins without having much understanding of what security risks WordPress websites face and what role security plugins could play in protecting against them.
For those looking for a WordPress security plugin that will provide real protection, they can take a look at the results of the testing we do to see if those plugins protect against real vulnerabilities in other plugins, which is one of the few areas where security plugins provide useful protection for the average WordPress website.