Do I Need a Security Plugin When Using GridPane’s Security Features?

Important

This article and its recommendations have been updated since it was originally published. More information on this will be published in the future.

Introduction

GridPane offers a lot of security out of the box, plus a whole suite of WordPress-specific security measures that you can configure on a per-website basis.

A common question we get is: “Do I still need a security plugin when using all of these features?”

There’s no right answer to this question, but in this article we’ll provide you with some guidance on making a decision for your websites.

Table of Contents

  1. Do You NEED a Security Plugin?
  2. Additional Security Benefits Plugins Can Offer
  3. Potential Downsides to Consider
  4. Final Thoughts
  5. Further Reading and Resources

Do You NEED a Security Plugin?

If you’re using either the 7G WAF or the ModSecurity WAF, along with Fail2Ban and our additional security measures, then probably not. You can also implement additional security and anti-spam measures at Cloudflare if you’re using it for your websites.

There are some additional benefits that a few security plugins can provide that aren’t actual security measures. Below are some of the benefits as well as some downsides to consider.

Additional Security Benefits Plugins Can Offer

The additional benefits that a plugin can offer outside of the GridPane feature set and HTTP security headers are generally related to keeping you informed about the status of your websites.

1. Malware Scanning and Core File Monitoring

This one is self-explanatory. Monitoring your websites for malware and checking core file integrity is great for peace of mind, and for alerting you to any issues that you need to look into on any of your websites. 

Almost every security plugin offers core file monitoring.

What about Automated Malware Cleanup?

Automated malware cleanup is hit and miss. Maybe it will get the job done, maybe it won't. Relying on one-click tools for this kind of specialised work is generally something we advise against, and it also won't provide you with root cause analysis. Hiring a professional or restoring a backup that you know to be clean are usually better options.

2. Vulnerability Patching

The primary reason you may want to consider paying for a security plugin is virtual patching. This is where a service monitors your sites and identifies vulnerabilities in WordPress core, themes, and plugins, and automatically patches those vulnerabilities.

The overwhelming majority of malware infections come via plugin vulnerabilities. Virtual patching and setting vulnerable plugins to automatically update can be excellent additional security measures for your websites.

Many free plugins include a monitoring and alert service, which is still useful even without the actual patching.

Patchstack is a really interesting option for vulnerability monitoring and patching (patching is a paid feature). They are laser-focused on this one aspect of security, and you can even use their free plan to update plugins on your websites directly from their dashboard instead of having to do it manually site by site.

3. Email Alerts

Finally, email alerts can be incredibly useful for passively monitoring your websites. If a security plugin detects that you're under attack, or detects core file changes or malware, these are serious matters that you may otherwise remain oblivious to for some time.

Keeping track of admin logins and user activity can be beneficial on some websites too, especially if you have any “problem clients”. 

Potential Downsides to Consider

Security plugins aren’t all upside and no downside. In fact, many of the most popular security plugins have had security vulnerabilities themselves. Some may also:

  1. Make your websites far less secure.
  2. Be resource intensive and/or slow your sites down.
  3. Create false positives.
  4. Cause database table locking which can literally cause 502/504s across ALL of your websites on a given server.
  5. Cause fatal errors and break sites when migrating from one host to another.

They can also provide a false sense of security, and implementing security at the application layer is far less preferable to security at the DNS and server layers, before malicious traffic even has a chance to reach your websites in the first place.

Final Thoughts

You shouldn’t rely on a plugin for securing your websites.

They can have some side benefits (as noted above). Speaking for myself, I now use Patchstack for email notifications on plugin vulnerabilities, and then I mass update them via their UI. 

For further discussion, please feel free to reach out to the community to see how other developers and agency owners approach securing their sites over in the forum:

GridPane Community Forum

Further Reading and Resources

We have numerous guides on WordPress security over in the Security section of our knowledge base, and we also have a learning path with a case study that you can check out here:

  1. Knowledge Base: Security
  2. Learning Path: WordPress Security Step by Step