This question comes up every now and then in one of these varieties:
- How do I harden WordPress to make it hack-proof?
- Which security plugins do I need?
- Do I need all these security plugins?
- Is there a security plugin that does it all?
Before we begin demystifying things, here’s the rule of thumb, especially as far as security is concerned.
Security is not a plugin — Security is a mindset.
That’s because security is more of an outcome of security “practices” than software “functionality”. No software is perfect but we make do and that’s what determines the outcome… pretty much like everything else in life.
Stopping a Real-Life Hacker
Let’s keep things simple. Instead of focusing on advanced attack vectors, here’s a simple diagram of how an attacker tries to get inside your website. And there’s a solution for each step along the way.
1. Firewall for Network
A hacker needs to access the website using the network. This is the first step along the way. A firewall will prevent attacks before they hit your website. There are several types of firewall. At the very least you need a software firewall, which could come as a plugin, module, addon etc. Wordfence, Sucuri and Ninja Firewall are some of the best plugins for setting up a firewall.
2. Server, Application Hardening
No firewall is perfect. This implies that a certain amount of malicious traffic will still manage to reach your hosting, website or application. If your hosting or website is misconfigured, chances are that the hackers will be able to get in. To implement proper security at the hosting and application level, you need either a manual audit and configuration, or a software plugin that automates part of the security hardening. Other configurations will still need to be done manually.
3. Security Breach: The Hackers Are in Already
Once the attackers are in, the best you can do is to clean up your website and reinstate it. In the worst case you throw it away and start afresh: on new hosting and with fresh code.
If you do want to clean up a hacked website, you can again either do it manually or use a software plugin to automate some steps. That’s where malware removal plugins come in.
4. Is There a Plugin That Implements Firewall, Security Hardening as Well as Malware Scan / Removal?
We all wish there was a one-stop solution to keep things simple. However, that would be a challenge to build, implement and maintain while still delivering top-level functionality.
To quote Doug McIlroy on Unix programming philosophy:
Write programs that do one thing and do it well. Write programs to work together.
The idea behind this is to kill software bloat and deliver top-quality functionality.
So the short answer is: while you can install one or more security plugins, you should be careful about what you need and what works. Installing multiple plugins without any forethought would result in bloat and software conflicts, even slowing your website or making it dysfunctional.
Installing one plugin and leaving the entire security domain to it would result in huge security gaps.
Installing one plugin for each specific security level is your best bet.