20 Comments


    1. Hey Rob– thanks for this link! We’re currently working on running the Ninja benchmark on BruteProtect, because we’ve seen huge performance boosts on many of our users when they implemented BP.

      Reply
      1. Rob

        Hi Sam, no matter how good your plugin is, if you’re “joining the party” after PHP has been loaded, after wordpress has been loaded and after plugins have been loaded… then don’t be surprised if something that sits between PHP and wordpress is faster and less memory intensive.

        How Ninja Firewall works:
        Attacker => HTTP server => PHP => NinjaFirewall => WordPress => Plugins

        How all other WordPress security plugins and plugins in general work:
        Attacker => HTTP server => PHP => WordPress => Plugins (security and otherwise)

        Never mind a mention of Ninja Firewall, no one mentioned or talked about this very important factor in wp security during the roundtable discussion. But I may have missed it.

        Reply

        1. I specifically asked Chris of iThemes Security how his plugin performs with WordPress, especially during an attack. I also asked the performance question to Sam I believe during the show. However, I didn’t specifically mention the benchmark numbers.

          Reply
          1. Rob

            Thanks Jeff but again you miss the *vital* point of distinction that I’m making: where does the protection sit in the sequence of events that is the loading of a wordpress website? before or after wordpress and plugins?


        2. Hey Rob– you’re 100% correct, you are going to see a performance boost by sitting in front of WP– we’ve done what we feel is the next best thing (to balance performance and ease-of-installation), and we run IMMEDIATELY when the plugin is loaded, not waiting for the first WP hook, eliminating about 80% of the WP overhead

          Reply

  1. I have a question about the new iThemes Security plugin. I’ve recently fixed a client’s website, and had myself the same problems on a few websites with BetterWPSecurity. The plugin messed up the file .htaccess at the point that I got a 500 error when visiting the website. The only solution was to access through FTP, clean the .htaccess file and remove BetterWPSecurity. At this point I stopped using the plugin at all for fear of having further problems. Is the developer aware of this? Is this problem fixed in the new version?

    Another question I’d like to ask is what is the position of the experts about the ‘do it all’ vs specialized plugins? For example, I’ve never used the built in function in Wordfence and BetterWPSecurity for securing the login but I use the plugin LoginSecuritySolution. Wouldn’t it be better for security plugins to split separate functions into multiple plugins or addons to the plugin so that the user decides what to use and isn’t left with more code than needed installed?

    Reply
    1. eenamorado

      Hi, I had the same problem as you say when I had installed BetterWPSecurity but all was solved when cleaning these files via ftp and I assure you that installed the new iThemes will not have any problem. Greetings Friend :)

      Reply

    1. We’ll be focusing on the plugins/services that these folks offer but I can always ask them if they’re familiar with All In One Security and get their thoughts.

      Reply
  2. Joan Boluda

    I would love somebody from Sucuri on that roundtable too.

    On the last edition Dre Armeda commented that sometimes they laugh when they see this endless tweaks or checklists you have to do using those plugins, because most of those are not necessary. Maybe not in these exact words, but more or less that was the meaning. I’m interested on hearing his take, too.

    Reply

    1. Well, for this particular roundtable, it’s a different perspective than the one offered by Sucuri. I get what you’re saying but it would be better if we leave Sucuri out of this roundtable for now. Perhaps in the future, I’ll add them all onto one show and we can talk about it.

      Reply

    2. I don’t think that anyone on this panel will tell you that any of the items on those lists are crucial to “good security”, but if you can cut off one script kiddy by creating another hoop they have to jump through, why not? (which is also a point that Dre made)

      Reply

  3. The only one of these plugins that I would consider using is the one from Sucuri, but only for the file checking service in it. BruteProtect looks like it might have some advantages, but I’m a bit concerned about the extra load caused by having to do checkups all the time.

    Reply

    1. Hey Ryan– we hear from our users over and over again that BruteProtect actually creates fairly substantial load reduction when a site is under attack. Our API calls are cached, so you’re not having to make a new API request on every connection, and once an IP block is established, we’re able to block login attempts very early in the WP load, reducing the number of database calls by 80%+

      Reply
  4. H. Nagar

    Hi there!

    Most of the plugins help changing the database prefix, but the downside is that many plugins become unresponsive? Is this a myth or what?

    Also, what are the timings for this live event?

    Thanks!

    Reply

    1. I always set a custom table prefix during the installation of WordPress, and I never had any problems with any plugins. Also when I used BetterWPSecurity to do that I never had problems.

      Reply
      1. faospark

        as for i reverted to BetterWPSecurity 3.6 to avoid the hassle that 4.0 updates had. i realize that it was actually coded best for single installs and not for multisite (which is the case for me)

        Reply

  5. I really like the idea behind Clef (and two factor authentication in general), but what I always run in to is the problem of third-party access. What do you guys recommend if you want something like Clef, but also still want to be able to use things like the WordPress mobile app, MarsEdit, etc.

    The way it seems to be now is you can either secure your site with Clef (or Authy, etc), but you then either have to leave remote access password protected only or lose it altogether.

    Have any of you attempted to work with the WordPress core guys on getting two-factor built in for remote access?

    Reply

Leave a Reply