• I don’t consider myself an “Expert” Linux Admin but I’ve been doing it as necessary for 20 years as just one part of my overall Full Stack development service. I have ConfigServer/LFD running on my host to start.

    One of the questions that has always perplexed me is what is the best Free Security Plugin or more importantly, best combination? I’m a minimalist when it comes to plugins.

    After a few years of trying different solutions I gravitated towards iThemes Security mainly because it gave me the most granular control over what it was and wasn’t doing. Later I added Sucuri just to get their outside scanning service (not the paid firewall.) I later really liked the log and email notifications for things like plugins being updated, etc as then I was able to remove a standalone plugin that did that. (I give some clients admin access and like to keep tabs on what they are doing.)

    However, recently I noticed that despite changing the admin username, someone was able to keep finding out the admin username, and there would be lots of failed login attempts that bugged me. I found that a plugin I was testing was putting a small JS code with the author username in my blog posts, so I got rid of that plugin and they are no longer finding the new admin username. However, I was still getting the login attempts from many different IPs (which I now know is pretty common.) I tried putting reCAPTCHA on the login page but that still generated a failed login attempt in the Sucuri log.

    So I decided to give Wordfence a try and enabled the immediate lockout on wrong username. That stopped the invalid login attempts from appearing in my Sucuri log (you can see them in the WF log of course though.)

    My concern now is that it sounds like Wordfence is fairly server intensive, mainly with all its scanning, and Sucuri has a scheduled scan too. Even though I have plenty of server capacity, having an SSD based VDS with 4 cores and 8GB of RAM with only 6 WordPress sites, I hate the idea of plugins overlapping and doing the same tasks.

    I have since disabled iThemes Security and am wondering if I’m missing the Network Security function which blocks based on IP addresses shared from other websites identified as being Bad. My understanding is that in the free version of Wordfence the ban list is 30 days old?

    I’m also wondering if I should either disable the Wordfence scanner, or disable the Sucuri scanner (sucuriscan_scheduled_scan) and not run them both? But does that disable the external scan Sucuri performs?

    The challenge is most all of us really don’t understand technically the specific details of what is going on with these plugins as the documentation doesn’t get that detailed. It’s almost like I need a server load monitor to do A/B comparisons to see what kind of resources these plugins are using during their scanning. While I have good server resource capacity, I’m kind of finicky about “running a tight ship.”

    • This topic was modified 4 years, 9 months ago by Jan Dembowski.
Viewing 2 replies - 1 through 2 (of 2 total)
  • Content is King! Horsepower is cheap!

    I run WordFence with iThemes Security. They behave well together without too much overlap of capabilities and that setup has served me well.

    I usually install Sucuri but only enable it if I have any suspicions then disable it again. Just leave it installed, disabled, and ready.

    Your other friend in this is cron… adjust your cron tasks to run when traffic is lower.

    One more thing is to discourage anyone from creating content with an admin-level account. Or let WordFence do its job and deal with those bad actors as they come. It’s still a bad idea to create content with an admin account.

    • This reply was modified 4 years, 9 months ago by JNashHawkins.
    Thread Starter consultant1027

    (@consultant1027)

    I like using Sucuri as mentioned for the user activity logging feature without having to install an additional plugin (posts updated, plugins activated/deactivated, etc). I also like its external malware scan, as I’ve seen posts when researching these plugins that in some cases Sucuri found some malware javascript on pages which Wordfence’s server-side scan didn’t. However, Wordfence has FAR more hardening features where Sucuri is pretty basic and just makes a lot of recommendations for manual hardening config tasks.

    Right now I’m trying to determine how much the Wordfence WAF (extended mode) increases the server load. I tested the scan by manually running it and on my server it only takes a minute and took the CPU load from 0.8 to 1.3 during the scan, virtually insignificant, which was refreshing.

    The only reason I’m not using iThemes anymore is because it doesn’t have the ability for immediate lockout of users attempting to log in with an invalid username. I need that to de-clutter the user activity log in Sucuri from having tons of failed login attempt messages.

    The only thing missing is real-time IP blacklist, as that is a paid feature in Wordfence but is free in the Network Security feature in iThemes. However, my ConfigServer firewall protecting the entire host through IPTables subscribes to all the major blacklists, so that is protecting the server before the requests even get to WordPress, so I don’t think I need to be concerned about a plugin for an individual WP site having that capability.

  • The topic ‘Optimal Free Security Plugin Combination? Sucuri + Wordfence? iThemes Security?’ is closed to new replies.