I’ve been using the WordPress plugin, iThemes Security, to protect my WordPress-powered websites for some time now. This plugin delivers some great features like checking for modified files, changing the default WordPress login page, banning suspicious users (e.g. with multiple failed login attempts or multiple 404s), and much more.
Recently, I evaluated the plugin WordFence. This plugin has many of the same features as iThemes Security plus the ability to compare your site’s files with those stored at WordPress.org. It can check for modifications in core, plugins, and themes found in the WordPress repository. Very cool. iThemes Security can compare WordPress core files but doesn’t compare any others. WordFence also scans site files for malware.
Both plugins share information about globally banned IPs and about attacks in progress and so can ban those attacking IPs. Both plugins also have very full-featured free tiers and additional features at a paid tier. Both iThemes Security and WordFence are actively developed and have large user communities, which suggests they will be around for some time and will be updated to address new threats.
I like that both plugins do a good job of educating the user. Instead of just presenting a bunch of options (or worse, no options), explanations accompany most options so that the site administrator can better understand what he or she is doing.
So, which is better? Both plugins are excellent tools. I’ve been a big fan of iThemes since I started using their BackupBuddy plugin for WordPress, and iThemes Security seems to add less additional load on the server, so my inclination is towards iThemes Security.
As with anti-virus and firewall software on your computer, no one solution is best or all-encompassing. Sometimes you need a variety of tools. Install iThemes Security AND a few other plugins which you can activate and use as needed. Once finished with them, just deactivate them so that they don’t use additional system resources. Try:
- Theme Authenticity Checker (TAC) – to scan theme files for malicious code
- Exploit Scanner – to scan WordPress core files
Security has become an ongoing concern for web developers, one that requires regular attention. How are you securing your site?