I’ve been using the Better WP Security plugin for almost a full year on sites I develop and, to date, I’ve had only good things to say. I’ve also recommended it as one of the top security plugins available for WordPress (plus it’s completely free). However, given some recent issues the plugin has caused, I have reevaluated whether I think it is suitable for average use.
First, I am not declaring that the plugin sucks, because it doesn’t. It does a great job securing your site. The number of security features is huge, and they range from simply deleting the User ID of 1 and changing the wp-login URL to much more advanced things, like changing your database’s prefix and removing write permissions from your .htaccess and wp-config files. When setting up the plugin, it’s easy to get carried away because it’s cool to lock your site down like Fort Knox. Although security is important and Better WP Security does a good job in securing your WordPress site, users need to know that taking advantage of all the plugin’s features can have a serious impact on your search engine rankings (i.e. Google page rank).
If your site depends on ranking well in Google, you need to be careful with security plugins. You obviously want some security measures in place, but if you get carried away, your rankings will likely take a hit. With Better WP Security, the main factor is the banning feature. With it, you can set things like 404 detections and how long they should be remembered. If someone tries accessing pages that don’t exist too many times, they can be locked out of your site. You can also set a limit on the number of lockouts per I.P. that will place that I.P. address on a banned list once that threshold has been met. Here are some issues I’ve encountered that I know are a direct result of using the Better WP Security plugin:
- A lot of 403 errors in the content. Using the Broken Link Checker plugin, I was noticing that a lot of links and images were under 403 errors.
- Site lockouts. For whatever reason, my I.P. was being put on the Ban list and I couldn’t access a site from my network. For me, the whole site was under a 403 error.
- Google cannot read your sitemap. When submitting a sitemap to Google, I would get error notices that the file could not be read due to permission reasons (403 errors). This was causing indexed pages to decrease and a major drop in rankings. The most likely reason was that the I.P.s of Google bots found their way onto the banned list.
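One way to confirm the last symptom from the web server's access log, as an added example that is not part of the original post or the plugin's code: it lists every path that was answered with a 403 for a client inside a crawler network. It assumes Combined Log Format; the crawler range, function names and log lines are illustrative and constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: one sample crawler range for illustration; in real use, load
# the ranges the search engine publishes for its crawlers.
CRAWLER_NETS = [ipaddress.ip_network("66.249.64.0/19")]

# Combined Log Format: ip - user [time] "METHOD path proto" status size "ref" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def is_crawler(ip_text, nets=CRAWLER_NETS):
    """True when the address falls inside one of the crawler networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in nets)

def blocked_crawlers(log_lines, nets=CRAWLER_NETS):
    """Map crawler IP -> sorted list of paths that were answered with 403."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "403":
            continue
        # Decide on the source address, not the User-Agent, which any client can set.
        if is_crawler(m["ip"], nets):
            hits[m["ip"]].add(m["path"])
    return {ip: sorted(paths) for ip, paths in hits.items()}

# Constructed sample log lines (not taken from a real site).
UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    f'66.249.66.1 - - [10/Mar/2013:06:25:01 +0000] "GET /sitemap.xml HTTP/1.1" 403 199 "-" "{UA}"',
    f'66.249.66.1 - - [10/Mar/2013:06:25:09 +0000] "GET /about/ HTTP/1.1" 403 199 "-" "{UA}"',
    f'203.0.113.7 - - [10/Mar/2013:06:26:00 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "{UA}"',
    f'66.249.66.1 - - [09/Mar/2013:04:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
]

if __name__ == "__main__":
    for ip, paths in blocked_crawlers(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(paths))
```

Any address this reports is a candidate for removal from the plugin's banned list and for whitelisting before the lockout thresholds are re-enabled.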
There are many security solutions available for WordPress but users need to be careful with them. Better WP Security is a great one and I definitely recommend it for a site that isn’t dependent on Google rankings (i.e. client portals or protected membership sites). If you cannot afford to drop in search rankings, I’d suggest something more scaled down because, ultimately, unless you’re running something like a client portal or private membership site, you probably won’t need all that security. For hiding your WordPress backend, I’d recommend something like Hide My WP. If you need backups for your site (which you do!), then something like BackupBuddy is great. Just remember that, if your site is dependent on search rankings, security is not your primary concern, and do not get carried away with all the bells and whistles a plugin like Better WP Security offers.