Do your clients need a WordPress security plugin?

Products mentioned
Coded or plugin security?

This article was originally published on October 4, 2017. It was updated on August 14, 2018.

Discussing WordPress security with your clients is a crucial step in the development process and one where you might want some advice. Whether you’re evaluating a WordPress security plugin or a manual solution, both options have their pros and cons. Choosing the best path can be tricky.

Initially, you should consider what’s possible with both methods, and then select the approach that best fits your goals. Your client’s specific needs and budget will undoubtedly come into play here, meaning some coding knowledge will be useful.

In this post, we’ll discuss the available options for bolstering a site’s security. Next, we’ll offer three common security elements that can be implemented, both manually and with a plugin. Finally, we’ll consider whether a dedicated security plugin or the hands-on approach is the best option for your clients.

Let’s get started!

Do you need a WordPress security plugin or another solution?

WordPress Security Plugins Listed on WordPress.Org

It might be obvious, but there are plenty of reasons for making the extra effort to protect your clients’ websites. Bulletproof security should be a part of your overall service. After all, your reputation is at stake. And as for your methods, there are two main options:

  1. WordPress Security Plugins — This is an easy strategy to implement, regardless of your level of expertise. Many plugins are ready to protect a website straight out of the box. However, they usually won’t be tailored to a website or server’s unique needs, meaning there might be some work involved.
  2. Manual coding — This is where your knowledge pays off, and you can also bill the extra hours it will take to implement bespoke security. However, you’ll also have to offer ongoing support, which could eat into your available time.

On the whole, the plugin approach is straightforward, but some clients may be averse to it. In these cases, you’ll want to know what your options are to provide a well-rounded security solution.

3 security features that don’t require plugins

When you start using solutions like WordPress Hosting from GoDaddy, you quickly see that manual coding methods usually require site access through File Transfer Protocol (FTP). Meanwhile, backing up your site is critical in case something goes wrong. Also, for some of the manual approaches featured here, you’ll need to add code to the WordPress .htaccess file.

1. Allowlisting approved IPs

Allowlisting (as opposed to blocklisting) is the process of letting certain IPs access your server. This enables you to tightly control access, meaning you can easily pinpoint the source of an issue.

Jetpack’s Protect module is a quick and simple offering. The process is straightforward: activate the module, navigate to its settings, type in the IP, and then save your changes.

As for manually allowlisting IPs, you’ll need to open the site’s .htaccess file, and then add the following for single sites and static IP addresses:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<Module mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]

Of course, you’ll need to make sure any placeholders are swapped out for the correct URLs. For Multisite users and dynamic IP addresses, add the following code:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<Module mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(.*)? [NC]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteRule ^(.*)$ - [F]

Again, any placeholders will need to be swapped out, including the reference to

2. Obscuring your login page URL

As you might know, WordPress login and admin pages have default URLs (such as wp-login.php). Unfortunately, hackers also know this. That means every WordPress site is an easy target. Obfuscating your login page’s URL is one way to combat brute-force attacks.

Your WordPress security plugin options are numerous here, with solutions such as iThemes Security or Cerber Security & Limit Login Attempts offering the feature. However, the coding method is just as simple to implement. Again, the following will need to be added to your .htaccess file for a single WordPress install:

# BEGIN Hide login page
RewriteRule ^mylogin$ https://%{SERVER_NAME}/wp-login.php?key=123&redirect_to=https://%{SERVER_NAME}/wp-admin/index.php [L]

RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/wp-admin
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/wp-login.php
RewriteCond %{HTTP_REFERER} !^https://%{SERVER_NAME}/login
RewriteCond %{QUERY_STRING} !^key=123
RewriteCond %{QUERY_STRING} !^action=logout
RewriteCond %{QUERY_STRING} !^action=lostpassword
# END Hide login page

Depending on your installation, there are a few different permutations to consider. In any case, the only placeholder that needs changing here is mylogin, which should contain the slug where you’d like to direct users.

3. Amending the WordPress database prefix

By default, the WordPress database uses the wp_ prefix. As with your login page, this is a proverbial open window to your site.

But unlike other security aspects, there aren’t many quality dedicated WordPress security plugins to use here. However, multipurpose solutions such as iThemes Security or All In One WP Security & Firewall do enable this feature, so they’re worth checking out.

It’s worth mentioning that changing the default prefix is possible when installing WordPress, so this should be your first port of call. However, if that’s not possible, the manual process involves three parts:

  1. Access the wp-config.php file, find the $table_prefix variable, and amend the prefix.
  2. Access the database (for example, through phpMyAdmin), and then change each table’s prefix.
  3. Search the options and usermeta tables for any other instances of the default prefix.

This is probably the most cumbersome manual solution, as you’ll need to develop an SQL query in order to save time. However, once implemented, you shouldn’t have to carry this out again (unless you’re creating a fresh installation).

Deciding when to use a dedicated WordPress security plugin

While there are plenty of reasons to manually code security provisions, WordPress security plugins exist for a reason.

You’re technically able to implement any security aspect manually, but in many cases, you’ll have to do more than simply add lines to a core file. In most cases, a dedicated WordPress security plugin can be used to do the donkey work, while simple fixes such as amending the database prefix can be handled without a plugin.

In our opinion, a combined approach may be best. However, depending on the client’s needs and budget — and your own working relationship with them — you may be better off recommending a quality all-in-one plugin such as Sucuri Security, Wordfence Security, or iThemes Security.

Selecting from the top WordPress security plugins

Below are the most popular security plugins for WordPress. All have an extensive list of features — too many to list here. Each has similar functionality while offering varied additional benefits of hardening, notifications, and automation. Be sure to review each security plugin’s detailed description on the WordPress Plugin Directory so you can find the plugin(s) that will work best for your setup.

Some WP security plugins are completely free. Others are considered “Freemium,” which means they‘re free but you have the option to upgrade to a more feature rich “Pro” version with extended support for a price.

1. Sucuri Security

This free WordPress plugin offers a number of features including security activity auditing, file integrity monitoring, remote malware scanning, blocklist monitoring, effective security hardening, post-Hack security actions, and security notifications. A website firewall can be added as a premium feature.

Editor’s note: Looking for a comprehensive website security solution? Check out GoDaddy Website Security, powered by Sucuri.

2. All in One WP Security & Firewall

This plugin is easy to use and understand and gives you a security point breakdown and pie chart so you see what needs fixing. All in One WP Security & Firewall includes restricting access with an IP blocklist and allowlist, as well as, the ability to hide important URLs.

3. Wordfence Security

This plugin is a solid contender that provides firewall protection, a malware scanner, and login security. Premium options allow users to take advantage of additional features and protection.

4. BulletProof Security

This automated, one-click-setup WordPress security plugin covers all the basics including firewall security, login security, and database. While the Freemium version offers you all the basics you will need, a feature-rich Pro version is also available.

5. iThemes Security (formerly Better WP Security)

This security plugin works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. As with the previous two plugins, a premium option is available for more advanced features.

6. Shield Security

Shield Security is a full-on Freemium WordPress security plugin that’s easy to set up. A neat feature is how it auto-blocklists hosts with bad reputations. Rather than just tell you what you need to do, this plugins offers users an exclusive membership to a private security group where you have the opportunity to learn more about WordPress security.

7. Cerber Security & Limit Login Attempts

Cerber tracks user and intruder activity and sends email, mobile and desktop notifications. Includes IP blocklisting and allowlisting along with built-in reCAPTCHA for protecting registration, comments and WooCommerce and WordPress forms.

8. WP Hide & Security Enhancer

This security plugin for WordPress offers an easy process to completely hide your core files, theme and plugins path from being shown on the front end. It allows you to change default Admin URLs for wp-login.php and wp-admin to something else, while also, not announcing to the world that your site is on WordPress.

Before you install any plugins

Some of the intermediate and advanced features of these security plugins might break your site if they conflict with other plugins or themes already on your site.

As always, do a thorough backup before installing any new plugins.


Advanced features might not work correctly on your site if your hosting provider’s configuration doesn’t support them, either in native configuration or the RAM necessary to power these types of plugins. Before installing any WordPress security plugin, run it by your website host first to:

  • Make sure it’s compatible with your hosting plan
  • Confirm you have sufficient RAM to install it

Some Managed WordPress hosting partners like GoDaddy already integrate similar features on the server side, negating the need for some of these plugins.

After installing security plugins

Plugins alone can’t guarantee you will never be hacked. But combined with best practices like these security tips, WP security plugins will hinder hackers and reduce your risk. Make an effort to stay informed to keep your site safe, as new security gaps are discovered all the time.

Installing a security plugin or two on your WordPress website doesn’t give you an excuse to not understand the rules of the game.

Remember to review support and version compatibility before installing any WordPress plugin on your website.


Your client’s website security concerns can sometimes require ditching the plugins and creating bespoke solutions. However, you might not have the right experience to correctly implement some of the more common security aspects. This means you’ll have to consider a hybrid approach to safeguarding your client’s website.

In this article, we’ve looked at three aspects of security that can be implemented either with WordPress security plugins or code. As for the question of whether your clients need a plugin, the answer isn’t totally clear cut. We recommend an apprclear-cut combines both practices, depending on the project’s budget, and how willing you are to offer support and aftercare.

Do you have any security elements you prefer not to use a plugin for? Share your thoughts in the GoDaddy community.

Image by: Adam Hollin on Unsplash