GridPane is pleased to announce that we’ve accepted a strategic investment from Automattic: Read all about it
Do I Need a Security Plugin When Using GridPane’s Security Features?
BySteve B
- Updated
Important
This article and its recommendations have been updated since it was originally published. More information on this will be published in the future.
Introduction
GridPane offers a lot of security out of the box, and then a whole suite of WordPress specific security measures that you can configure on a per website basis.
A common question we get is: ”Do I still need a security plugin when using all of these features?”.
There’s no right answer to this question, but in this article we’ll provide you with some guidance on making a decision for your websites.
Table of Contents
Do You NEED a Security Plugin?
If you’re using either the 7G WAF/ModSecurity WAF, Fail2Ban, and our additional security measures, then probably not. You can also implement additional security and anti-spam measures at Cloudflare if you’re using it for your websites.
There are some additional benefits that a few security plugins can provide that aren’t actual security measures. Below are some of the benefits as well as some downsides to consider.
Additional Security Benefits Plugins Can Offer
The additional benefits that a plugin can offer outside of the GridPane feature set and HTTP security headers are generally related to keeping you informed about the status of your websites.
1. Malware Scanning and Core File Monitoring
This one is self-explanatory. Monitoring your websites for malware and checking core file integrity is great for peace of mind, and for alerting you to any issues that you need to look into on any of your websites.
Almost every security plugin offers core file monitoring.
What about Automated Malware Cleanup?
Automated malware clean up is hit and miss. Maybe it will get the job done, maybe it won't. Relying on one-click tools for this kind of specialised work is generally something we advise against, and it also won't provide you with root cause analysis. Hiring a professional or restoring a backup that you know to be clean are usually better options.
2. Vulnerability Patching
The primary reason you may want to consider paying for a security plugin is virtual patching. This is where a service monitors your sites and identifies vulnerabilities in WordPress core, themes, and plugins, and automatically patches those vulnerabilities.
The overwhelming majority of malware infections come via plugin vulnerabilities. Virtual patching and setting vulnerable plugins to automatically update can be excellent additional security measure for your websites.
Many free plugins include a monitoring and alert service, which is still useful even without the actual patching.
Patchstack is a really interesting option for vulnerability monitoring and patching (patching is a paid feature). They are laser focused on this one aspect of security, and you can even use their free plan to update plugins on your websites directly from their dashboard instead of having to do it manually site by site.
3. Email Alerts
Finally, email alerts can be incredibly useful for passively monitoring your websites. If a security plugin detects your under attack, detects core file changes or malware, these are serious matters that you may otherwise remain oblivious to for some time.
Keeping track of admin logins and user activity can be beneficial on some websites too, especially if you have any “problem clients”.
Potential Downsides to Consider
Security plugins aren’t all upside and no downside. In fact, many of the most popular security plugins have had security vulnerabilities themselves. Some may also:
- Make your websites far less secure.
- Be resource intensive and/or slow your sites down.
- Create false positives.
- Cause database table locking which can literally cause 502/504s across ALL of your websites on a given server.
- Cause fatal errors and break sites when migrating when from host to another.
Final Thoughts
You shouldn’t rely on a plugin for securing your websites.
They can have some side benefits (as noted above). Speaking for myself, I now use Patchstack for email notifications on plugin vulnerabilities, and then I mass update them via their UI.
For further discussion, please feel free to reach out to the community to see how other developers and agency owners approach securing their sites over in the forum:
Further Reading and Resources
We have numerous guides on WordPress security over in the Security section of our knowledge, and we also have a learning path with a case study that you can check out here: