Answers ( 5 )

  1. iThemes Security Pro vs Wordfence? What is the Best WordPress Security Plugin?

    Security is a responsibility of your hosting server provider. These plugins do nothing useful; they make your database grow without a reason, and while they log dates and IPs of “attacks” they slow down and put a burden on your site, so in case of a real DDoS attack, they actually help the attacker.

    Best answer
  2. I’m using Malcare but thinking about trying SecuPress or something else. Not having an issue with Malcare just curious if there’s something more feature rich in a free offering.

    Also just as something funny. I just cancelled a Bluehost demo account today. It was running Astra and Elementor, and I loaded the Landscaping and Gardening Astra Starter Page. Then installed Site Origins Widget Bundle. I also installed WPForms.

    They’re up to date. WP, themes, plugins, everything.

    About 7 – 10 days after Malcare was installed, Malcare states, and not after the first scan mind you, that it found an infected file.

    I also have a site, still have a site, with InMotion Hosting.
    It is running all the same stuff minus Site Origins Widget Bundle and WPForms. I also didn’t load any Astra starter sites.

    ~3 weeks after my Bluehost site was infected, my InMotion Hosting site still isn’t, according to Malcare.

    I just find that amusing.

    Oh, and one of the things I want that the Malcare free version doesn’t offer (and neither does Pro, AFAIK)? WP admin URL change.

    Used WPS Hide Login but I’m still seeing some IPs trying to brute force somehow even after supposedly changing the default login URL.

    Which is just something else I need to dig into more.


    You could be the best security plugin. Try to use plugins from reliable sources and keep a strong password. This does pretty much of your work. Wordfence will keep you informed about any outdated plugin or theme. It also helps in scanning and identifying any (maybe not all) suspicious files on your WP installation.

  3. If you’re on a host with a properly configured web app firewall and follow common security practices, then that will cover most of the day to day protection.

    I’ve personally cleaned dozens of hacked sites over the years and my company must have cleaned many hundreds by now. I can’t think of a single one of them that was using Wordfence, yet I’ve seen Sucuri on them on occasion. Frequently there’s been iThemes Security (it doesn’t seem to do much).

    When it comes to scanning already hacked sites, Wordfence wins hands down over Sucuri. Frequently neither of them gets everything, but Wordfence just about always finds *more* injected files and files which are part of the intrusion kit than does Sucuri.

    Just some observations from someone who regularly cleans hacked sites.

  4. I rely on server-side security for the firewall, and the only plugin I install by default on sites is Limit Login Attempts to deal with brute force bot attempts.

    In my own experience, plugins like Wordfence slow the site down badly.

    I don’t question the expertise of the developers and analysts who provide these tools or the contributions they make to the community in terms of education about security issues, but in my opinion the plugins themselves are designed to create fear. That fear is what sells the premium product, and in many cases having one of these plugins installed doesn’t prevent a site being hacked, although they might alert you after the fact.

    The most common point of entry for hackers is probably old or outdated plugins, or using nulled premium products that were downloaded from some dodgy site that offers “free” versions of licensed products.

    Strong passwords, decent hosting, regular backups, and keeping everything up to date is the best first line of defense.
