Introduction
vCanopy offers a lot of security out of the box, and then a whole suite of WordPress specific security measures that you can configure on a per website basis.
A common question we get is: ”Do I still need a security plugin when using all of these features?”.
There’s no right answer to this question, but in this article we’ll provide you with some guidance on making a decision for your websites.
Do You NEED a Security Plugin?
If you’re using either the 7G WAF/ModSecurity WAF, Fail2Ban, and our additional security measures, then probably not. You can also implement additional security and anti-spam measures at Cloudflare if you’re using it for your websites.
However, there are some additional benefits that a security plugin can provide that go beyond locking down your site. Below are some of the benefits as well as some downsides to consider.
Additional Security Benefits Plugins Can Offer
Here are four the main features for you to consider.
1. TWO FACTOR AUTHENTICATION (2FA) AND LOGIN SECURITY
2FA is an excellent additional security benefit that we highly recommend. There are plugins that are specialised specifically for 2FA, such as Wordfence Login Security.
Other login security features that I believe can be useful are:
- Forcing email only based logins.
- Forcing strong passwords.
- Changing the default login URL (sure, this one is security by obscurity, but you can’t abuse what you can’t find).
- Magic link only logins.
Most security “suite” plugins offer some or all of the above.
2. MALWARE SCANNING AND CORE FILE MONITORING
This one is self-explanatory. Monitoring your websites for malware and checking core file integrity is great for peace of mind, and for alerting you to any issues that you need to look into on any of your websites.
Wordfence in particular has probably the best WordPress malware scanner available.
Almost every security plugin offers core file monitoring.
WHAT ABOUT AUTOMATED MALWARE CLEANUP?
Automated malware clean up is hit and miss. Maybe it will get the job done, maybe it won't. Relying on one-click tools for this kind of specialised work is generally something we advise against, and it also won't provide you with root cause analysis. Hiring a professional or restoring a backup that you know to be clean are usually better options.
3. VULNERABILITY PATCHING
The primary reason you may want to considering paying for a security plugin is virtual patching. This is where a service monitors your sites and identifies vulnerabilities in WordPress core, themes, and plugins, and automatically patches those vulnerabilities.
The overwhelming majority of malware infections come via plugin vulnerabilities. Virtual patching and setting vulnerable plugins to automatically update can be excellent additional security measure for your websites.
Many free plugins include a monitoring and alert service, which is still useful even without the actual patching.
Patchstack is a really interesting option for vulnerability monitoring and patching (patching is a paid feature). They are laser focused on this one aspect of security, and you can even use their free plan to update plugins on your websites directly from their dashboard instead of having to do it manually site by site.
4. EMAIL ALERTS
Finally, email alerts can be incredibly useful for passively monitoring your websites. If a security plugin detects your under attack, detects core file changes or malware, these are serious matters that you may otherwise remain oblivious to for some time.
Keeping track of admin logins and user activity can be beneficial on some websites too, especially if you have any “problem clients”.
Potential Downsides to Consider
Security plugins aren’t all upside and no downside. In fact, many of the most popular security plugins have had security vulnerabilities themselves. Some may also:
- Be resource intensive and/or slow your sites down.
- Create false positives.
- Cause database table locking which can literally cause 502/504s across ALL of your websites on a given server.
- Cause fatal errors and break sites when migrating when from host to another.
They can also provide a false sense of security, and implementing security at the application layer is far less preferable to security at the DNS and server layers, before malicious traffic even has a chance to reach your websites in the first place.
Final Thoughts
Opinions on whether to use security plugins with vCanopy vary wildly. Many members of the community use them, others strongly oppose them, and all for wide variety of reasons.
You decide what makes the most sense for your websites and your business, and ultimately what will give you the most peace of mind.
Also, feel free to reach out to the community to discuss with other developers and agency owners what approaches they take over in the forum:
Further Reading and Resources
We have numerous guides on WordPress security over in the Security section of our knowledge, and we also have a learning path with a case study that you can check out here: