Wordpress Security Plugins

Joined
Sep 3, 2015
Messages
813
Likes
583
Degree
2
Do you run one, and which one?

I don't, currently, but a BF offer for AIOS got me thinking.

Not so concerned about the price, more about whether they are actually needed, can slow down sites, could potentially block legit traffic, etc.

Thanks!
 
I'm looking at the feature set here and here's my thoughts:

- Web Application Firewall - protects you from things that shouldn't be an issue if you aren't using crap plugins and are keeping everything updated, possibly slows you down by filtering and analyzing traffic first, even through their servers.

- Content Protection - All of this can be done with security headers and functions. Stopping people from right clicking is silly. Disabling feeds can be done with a simple function.

- Comment Spam Protection - just use Akismet, it's free and lightweight (or turn off comments). Akisment protects you from email spam too. Works flawlessly.

- Supports best practice - Won't let you use "admin" as your admin username, etc. Just don't do these things.

- Hide login page from bots - There's better solutions to this, and bots will still hammer your site regardless.

- Change default wp_ prefix to a value of your choice - you can do this on your own in MySQL, it's a one-time deal and quick to do.

- Login lockout - waste of time and resources and all they need is a bunch of proxies. There's better ways of dealing with this (like .htpasswd which acts like a 2nd layer of authentication where they can't even reach your login page. Takes 5 mins tops to set up, and less once you've done it before)

- Reporting - database bloat

- Force logouts, Password Strength Tool, Two-factor Authentication, Password Strength Tool - illusion of having more features which aren't needed

- General visitor lockout - already exists in Wordpress where the site goes into maintenance mode during upgrades

- Stops user enumeration - This is interesting. They say "Prevent external users and bots from fetching user information via author permalink." I'd like to know what info they're talking about and what they do to protect that info.

----

I don't know that I think this is worth your time. A lot of this is one-and-done that you can do yourself and then save the procedure in a text file so you can do it to every site you launch upon launching in a matter of minutes. The rest is bloat.

I think this is probably not a horrible idea for someone that couldn't chase down the leads and solve the issues themselves. For all the benefits they get, they'll get some negatives out of this too.

I'm a fan of a lot of these features, but I'm not a fan of packaging them this way and making users take on a lot of bloat. All of the good stuff has better, lighter ways of doing it.
 
Back