WordPress Security Plugin Roundtable On Upcoming Episode Of WPWeekly

Earlier this month, we interviewed Dre Armeda and Tony Perez of Sucuri.net to talk about WordPress security. Both guests shared information from a services perspective. We received a lot of positive feedback on the amount information presented in the episode. We’re going to turn the tables and discuss securing WordPress from the perspective of using plugins.

Security Plugin Roundtable
photo credit: Stuck in Customscc

On Friday April 4th, we’ll be hosting a WordPress security plugin roundtable. Guests scheduled to appear are:

The goal of this episode is to inform users what security plugins are capable of and why you shouldn’t be afraid to use them. We’ll also cover a wide range of good security practices you should be aware of. The guests are monitoring the comments on this post and will answer any questions you have about their plugins or services.


20 responses to “WordPress Security Plugin Roundtable On Upcoming Episode Of WPWeekly”

    • Hey Rob– thanks for this link! We’re currently working on running the Ninja benchmark on BruteProtect, because we’ve seen huge performance boosts on many of our users when they implemented BP.

      • Hi Sam, no matter how good your plugin is, if you’re “joining the party” after PHP has been loaded, after wordpress has been loaded and after plugins have been loaded… then don’t be surprised if something that sits between PHP and wordpress is faster and less memory intensive.

        How Ninja Firewall works:
        Attacker => HTTP server => PHP => NinjaFirewall => WordPress => Plugins

        How all other WordPress security plugins and plugins in general work:
        Attacker => HTTP server => PHP => WordPress => Plugins (security and otherwise)

        Never mind a mention of Ninja Firewall, no one mentioned or talked about this very important factor in wp security during the roundtable discussion. But I may have missed it.

        • I specifically asked Chris of iThemes Security how his plugin performs with WordPress, especially during an attack. I also asked the performance question to Sam I believe during the show. However, I didn’t specifically mention the benchmark numbers.

          • Thanks Jeff but again you miss the *vital* point of distinction that I’m making: where does the protection sit in the sequence of events that is the loading of a wordpress website? before or after wordpress and plugins?

        • Hey Rob– you’re 100% correct, you are going to see a performance boost by sitting in front of WP– we’ve done what we feel is the next best thing (to balance performance and ease-of-installation), and we run IMMEDIATELY when the plugin is loaded, not waiting for the first WP hook, eliminating about 80% of the WP overhead

  1. I have a question about the new iThemes Security plugin. I’ve recently fixed a client’s website, and had myself the same problems on a few websites with BetterWPSecurity. The plugin messed up the file .htaccess at the point that I got a 500 error when visiting the website. The only solution was to access through FTP, clean the .htaccess file and remove BetterWPSecurity. At this point I stopped using the plugin at all for fear of having further problems. Is the developer aware of this? Is this problem fixed in the new version?

    Another question I’d like to ask is what is the position of the experts about the ‘do it all’ vs specialized plugins? For example, I’ve never used the built in function in Wordfence and BetterWPSecurity for securing the login but I use the plugin LoginSecuritySolution. Wouldn’t it be better for security plugins to split separate functions into multiple plugins or addons to the plugin so that the user decides what to use and isn’t left with more code than needed installed?

    • Hi, I had the same problem as you say when I had installed BetterWPSecurity but all was solved when cleaning these files via ftp and I assure you that installed the new iThemes will not have any problem. Greetings Friend :)

    • We’ll be focusing on the plugins/services that these folks offer but I can always ask them if they’re familiar with All In One Security and get their thoughts.

  2. I would love somebody from Sucuri on that roundtable too.

    On the last edition Dre Armeda commented that sometimes they laugh when they see this endless tweaks or checklists you have to do using those plugins, because most of those are not necessary. Maybe not in these exact words, but more or less that was the meaning. I’m interested on hearing his take, too.

    • Well, for this particular roundtable, it’s a different perspective than the one offered by Sucuri. I get what you’re saying but it would be better if we leave Sucuri out of this roundtable for now. Perhaps in the future, I’ll add them all onto one show and we can talk about it.

    • I don’t think that anyone on this panel will tell you that any of the items on those lists are crucial to “good security”, but if you can cut off one script kiddy by creating another hoop they have to jump through, why not? (which is also a point that Dre made)

  3. The only one of these plugins that I would consider using is the one from Sucuri, but only for the file checking service in it. BruteProtect looks like it might have some advantages, but I’m a bit concerned about the extra load caused by having to do checkups all the time.

    • Hey Ryan– we hear from our users over and over again that BruteProtect actually creates fairly substantial load reduction when a site is under attack. Our API calls are cached, so you’re not having to make a new API request on every connection, and once an IP block is established, we’re able to block login attempts very early in the WP load, reducing the number of database calls by 80%+

  4. Hi there!

    Most of the plugins help changing the database prefix, but the downside is that many plugins become unresponsive? Is this a myth or what?

    Also, what are the timings for this live event?


    • I always set a custom table prefix during the installation of WordPress, and I never had any problems with any plugins. Also when I used BetterWPSecurity to do that I never had problems.

      • as for i reverted to BetterWPSecurity 3.6 to avoid the hassle that 4.0 updates had. i realize that it was actually coded best for single installs and not for multisite (which is the case for me)

  5. I really like the idea behind Clef (and two factor authentication in general), but what I always run in to is the problem of third-party access. What do you guys recommend if you want something like Clef, but also still want to be able to use things like the WordPress mobile app, MarsEdit, etc.

    The way it seems to be now is you can either secure your site with Clef (or Authy, etc), but you then either have to leave remote access password protected only or lose it altogether.

    Have any of you attempted to work with the WordPress core guys on getting two-factor built in for remote access?


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

%d bloggers like this: