I’ve been reading so much about security plugins lately, and now I don’t know what’s true anymore. Some people swear by them, others say they’re useless. Here are some things I’ve heard:
Don’t mess with core files or coding yourself … use trusted plugins that stay updated.
Good hosting means you don’t need security plugins, and they might even slow your site down.
Some sites actually got hacked because of bad plugins.
You clearly know your stuff. Most people don’t understand why going with the basics is better than relying on plugins. I feel the same frustration about people misunderstanding WordPress.
Also, always keep backups in multiple places: on the server, in external storage, and even on your own PC. I do full backups weekly and smaller ones daily. If you don’t want to manage all this, hosting services like Kinsta, WPEngine, or Cloudways can take care of it for you.
@Gray
That’s great advice, but let’s be real—many people who build their own sites don’t understand half of what’s in that guide. For them, plugins like Wordfence might be the easiest option.
Shan said: @Gray
That’s great advice, but let’s be real—many people who build their own sites don’t understand half of what’s in that guide. For them, plugins like Wordfence might be the easiest option.
Plugins can definitely help if you’re not comfortable with managing servers. But some plugins are overkill—like that Simple SSL one, which doesn’t really do much.
Honestly, most security plugins are terrible, especially Wordfence. I usually rely on server-side solutions and only use plugins if absolutely necessary.
Thorne said:
Honestly, most security plugins are terrible, especially Wordfence. I usually rely on server-side solutions and only use plugins if absolutely necessary.
Security plugins like Wordfence or Sucuri are useful. Wordfence's free version is enough for most people. A few key settings I recommend: block PHP in the uploads folder, hide the WordPress version, and let scans keep running even if you tab away.
For hosting, go with a solid provider. Self-hosting can be risky unless you know what you’re doing. Managed hosting like WP Engine or Kinsta takes away most of the headaches.
Security plugins aren’t your only option. Have strong passwords, set up two-factor authentication, and make regular backups. If you’re really concerned, consider using a WAF like Cloudflare.
Also, always have a plan for what to do if you do get hacked. It’s not a matter of ‘if’—it’s ‘when.’
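As an added example (not code from any poster in this thread), here is the web-server equivalent of the "block PHP in the uploads folder" setting mentioned above: an .htaccess file dropped into wp-content/uploads. It assumes Apache with AllowOverride enabled for that directory; the directory and module names are the standard ones, not anything taken from this thread.

```apache
# Added example: wp-content/uploads/.htaccess
# Uploads should only ever be static media (images, PDFs, etc.), so denying
# execution of anything PHP-like here costs nothing legitimate and removes
# the most common place a compromised plugin or theme drops a backdoor.

# Apache 2.4 (mod_authz_core). The trailing (\.|$) also catches double
# extensions such as "photo.php.jpg", which mod_mime may otherwise hand to
# the PHP handler when PHP is wired up via AddHandler.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(php|php[3457]|phtml|phps|phar)(\.|$)">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2 fallback, only used when mod_authz_core is absent.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(php|php[3457]|phtml|phps|phar)(\.|$)">
        Order Deny,Allow
        Deny from all
    </FilesMatch>
</IfModule>

# Belt and braces: if mod_php is in use, switch the engine off for this
# directory so even a handler misconfiguration cannot re-enable execution.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Quick check after deploying: request an existing image under /wp-content/uploads/ (expect 200) and a dummy path such as /wp-content/uploads/test.php (expect 403, not 404 and not PHP output). The file is ignored by nginx and by Apache with AllowOverride None, where the same deny rule has to live in the server configuration instead.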