Wordfence is NOT the best WordPress security plugin

Photo by Roi Dimor on Unsplash

Wordfence is NOT the best WordPress security plugin for this one simple reason.

This is a redirected post

This post originally appeared on our old blog at wpstrands.com. Please note that some links may be outdated and may not work.

Amazement! That's the reaction of most people when I tell them I know lots of people who don't lock the front door of their home. It seemed strange to me too until I realised it indicated a sense of certainty in their safety. Put another way, it indicates a lack of fear and it says as much about the person as it does about the environment.

Amazement is also my reaction when people tell me they aren't locking the doors to their websites. In the real world, leaving your door unlocked is quaint; online, it's nothing short of irresponsible.

Of course, the real world does have its thieves, but they are few and far between. The online world, in contrast, is literally teeming with automated bots whose only job is to find a way to get past your defences and creep inside your website.

As a WordPress site owner you're more vulnerable to these attacks than others. Vulnerable to DDos attacks, brute force attacks, cross site scripting, SQL injections, malware.

Using a security plugin should be up there among your priorities right after taking backups and installing updates . Among the best of these security plugins for WordPress are Sucuri and Wordfence. (Free and paid versions of both plugins exist. Here, I am talking about the paid service because that’s what we include for our clients in our maintenance plans.)

But which should you choose? At WPStrands we protect our clients using Sucuri and here I’ll explain why.

Why we focused on a firewall

The  security approach of most WordPress professionals is pretty standard. They look at what traffic they should block and on what actions they should prevent. Then they configure that from within your WordPress admin area.

That is, they are protecting your website from inside your website’s front door. They do this believing it provides sufficient protection. That’s because most of these people have never worked on real-life, enterprise-level security problems.

When I managed operations for the largest cloud provider in Switzerland, security was a real concern of every client; how could they ensure security in an always-on internet?

Of course, basic security fundamentals were a must (e.g. strong passwords, access control). But, apart from that, one of the best ways to achieve a predictable level of protection was via the use of a firewall.

The WPStrands approach to security

If a firewall sounds like overkill to you then it's time to change your perspective. Times have changed. The age of internet innocence is past.

Your website is accessible to all parties at all times and it’s vital to use an appropriate form of protection. For your WordPress website, this means filtering what you don’t want before that traffic even reaches your website.

The best protection is one that is independent of your website. i.e. one that does not run on the same server as your website. And the best way to do this is to use a firewall that is independent of your website.

A Web Application Firewall (WAF) filters all traffic to your website and allows only the traffic you want to get through. (How this is done is beyond the scope of this article but WAFs typically have a built-in list of known attack signatures. If a request contains content that matches any of these signatures it will be blocked. For more on this you can check Sucuri’s knowledge-base article here.) This extra layer of security is a sieve between the flotsam and jetsam of the internet and your website.

Our approach at WPStrands is to focus first on the big picture. First protect the perimeter of your online home. Then have a separate mechanism to secure the site itself.

It’s like having a separate security firm patrolling the borders of your home, while you deal with security inside the house.

How the WPStrands-Sucuri WAF works

At it’s most simple, the Sucuri firewall we install

  • takes ALL your website traffic

  • filters out the bad traffic

  • let’s through only the good traffic

WPStrands Sucuri WAF

So, why is this a superior approach?

Shortcomings of Wordfence and other security plugins

Wordfence is undeniably feature-rich. It includes a basic Firewall, malware scans and brute force protection out of the box. It can protect against backdoors, malware, core file tampering, brute force attacks and much more

But there are some big disadvantages to using a plugin-based firewall:

  • Every time someone visits your website the firewall must check that traffic using your web server resources. As a result, plugin-based firewalls like Wordfence are well-known for causing speed problems.
  • To compensate for this performance drop it’s recommended you use a CDN. This involves extra costs.
  • All plugins are useless against DDoS attacks. A DDoS attack is when a hacker floods a website with too much traffic. This increases the work for the web server and causes the website to slow down or even shut down. It’s an easy way to bring down a website.
    Wordfence admits this failing (see their response to a question on this here) but they claim that DDoS attacks are relatively rare.
    This is in contrast to what I see among our own customers at WPStrands. DDos attacks often make up over 50% of blocked attacks and are always among the most common attacks.
  • There’s a learning curve. Configuration can be difficult for less technical users.
  • Support is less than stellar. It can take days to get an answer to your query and more to get it resolved.
  • Cost. If you need to protect many sites, the cost quickly becomes significant. E.g Wordfence licences for 10 websites costs $792 at the time of writing.

The weakest point of the Wordfence plugin

But here's the main reason we don’t recommend Wordfence and most other security plugins:

Wordfence runs only on your server.

This means the main protection for your website is running on your website. This is bad news for your site’s security and performance if you come under attack! While your site is trying to fend off an attack, it is also using resources to display your website. This can very quickly result in your server being overloaded and shut down by your hosting provider.

We’ve seen this happen so often - especially on shared hosting plans - that we decided to just include the best firewall in our plans at no extra cost to our customers.

Advantages of a cloud-based firewall

When you use a cloud-based firewall, the main protection for your website is NOT running on your website. This is great news for your site’s security and performance if you come under attack! Your web server is using only the resources needed to display your website. The firewall is independently fending off the attack. So, your server will not be overloaded and your site will not be shut down.

Who is Sucuri?

Sucuri is a Delaware-based company that offers complete website security via the cloud. They are veterans in the security world and have an excellent reputation. Their team of security experts monitors and protects 24x7 around the globe.

And, since I work with them regularly, I can tell you first hand that their support is excellent!  Knowledgeable, responsive and professional.

Sucuri is not just a WordPress plugin. They are a full-blown security platform used by businesses both large and small.

Sucuri Products

The company only has 2 main products; Sucuri Firewall and Website Security Platform. With such narrow focus, you can be sure they're serious about what they do.


The feature list is extensive and includes

  • Website Application Firewall (WAF) / Intrusion Prevention System (IPS),
  • Distributed Denial of Service (DDoS), Brute Force, and automated attack protection
  • continuous malware scanning for common malware, website errors, outdated themes and plugins. and whether your site has been blacklisted on any services that flag malware infected websites.
    They also provide a free SSL certificate to all customers

The free plugin also has a very simple user interface which cuts down the learning curve.

sucuri waf

As a WordPress user searching for solutions you have probably come across WPBeginner. It's the largest WordPress resource site with over 8 million visits each month, founded by Syed Balkhi. Read why he switched to Sucuri here. Said says:

We can honestly say that Sucuri is hands down the best and most cost effective security service in the WordPress industry.

Syed also says:

Whenever we’re asked about WordPress security tips, our top 2 recommendations are get a good WordPress backup solution and start using Sucuri website firewall.

It's not coincidence that these are the same two pillars of sound WordPress maintenance that I’m continuously preaching ...

There is another major advantage to using the Sucuri firewall that they should highlight more. Instead of slowing down your WordPress site, it makes it much, much faster. This is because Sucuri security services operate on top of a CDN. They block attacks and cache your static content at the nearest server, rather than on your web server.

Our choice

If you’ve read this far it’s probably clear to you why we chose Sucuri to protect our customers. Sucuri offers superior threat detection, a greater feature set and a large team of security experts at your disposal. But what I love most is that this is all delivered via the cloud.

I recommend Sucuri Security to any business that is serious about keeping their websites fast and secure.

That should be everyone, including you.

Disadvantages of Sucuri?

The Sucuri firewall costs more than the free version of Wordfence. But it is this paid version that we include in our packages - and it doesn’t cost you anything extra. These costs are borne by WPStrands, not passed on to you. In effect, for WPStrands customers there are no disadvantages to using the Sucuri firewall.

We couple this firewall with the Sucuri plugin on your website itself.  So Sucuri is protecting your website externally (with the firewall) and internally (with the Sucuri plugin).


Of course, there are advantages to using a plugin-based firewall. A free one is better than none at all (usually).  They are made especially for WordPress, so are generally easy to install and use.

But don't be fooled into following the majority. Wordfence is not the best WordPress security plugin simply because it cannot offer the level of protection provided by a real firewall like Sucuri can.

Keep in mind that nothing, firewalls included, can offer perfect protection. No firewall can protect against user issues like weak usernames and password.

Security is a shared measure. A good partner backing you up will relieve you of most of the burden. You must also do your part and take every precaution necessary.

Click Here to Leave a Comment Below

Leave a Comment: