A few days ago a friend asked me to take a look at a new security plugin for WordPress. I was not impressed. Let me tell you how I evaluate a new security service; most of these are little checks you can do yourself without needing to know code.
How much is it?
I don’t much like prices outside the middle ground.
Too cheap means they won’t have the money to pay for a decent support team, and with a security plugin (which is more complex and error-prone than most) you’re going to need good support backup.
But too expensive is also a problem. A service at $30, $60 or even $100 a year isn’t pocket change (okay, it might be pocket change to some people, but it’s enough that expectations get raised). A lot of plugins are sold around these price points, and you have a right to expect them to work and fulfil all the promises on the sales page. Most don’t, of course; that’s the nature of pretty much any information or software product.
Does it actually protect you?
Here you have to play detective a bit. The tricky part is that with clever marketing you can spin one actual feature into 6 or 7 benefits or features with no trouble at all. So we have to read between the lines a little and think about the types of attacks your site faces and how to stop them.
Types of threat
- Code injection (can an asshat get their own HTML saved into your WP settings and output on your pages)
- SQL injection (can they delete your database, or edit your posts)
- Bruteforce (password guessing)
- Specific, known vulnerabilities (like the TimThumb remote file upload bug)
- Unknown threats (vulnerabilities we don’t know about yet, but that follow a pattern of an earlier vulnerability)
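To make the brute-force item concrete, here is an added example of what a defence against password guessing can look like inside WordPress. It is not code from the post or from any plugin the post mentions; it throttles repeated failed logins per client address using WordPress transients and the standard `wp_login_failed`, `authenticate` and `wp_login` hooks. The limits and the assumption that `REMOTE_ADDR` is the real client address (it is not behind a reverse proxy) are my own choices.

```php
<?php
/**
 * Added example, not code from the post or from any plugin it mentions:
 * throttle repeated failed logins per client IP using WordPress transients.
 * Assumption: REMOTE_ADDR is the real client address. Behind a reverse proxy
 * it is the proxy's address, and this check would throttle the proxy instead.
 */

const LOGIN_THROTTLE_MAX_ATTEMPTS = 5;       // failures allowed per window (assumed value)
const LOGIN_THROTTLE_WINDOW       = 15 * 60; // window length in seconds (assumed value)

function login_throttle_key(): string {
    // Hash the address so the transient name stays short and safe to store.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'login_fail_' . md5( $ip );
}

// Count a failed attempt; the transient expires on its own after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = login_throttle_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LOGIN_THROTTLE_WINDOW );
} );

// Refuse authentication once the limit is reached. Priority 30 runs after
// WordPress's own username/password check, which is hooked at priority 20,
// so this filter has the final say even when the password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( login_throttle_key() );
    if ( $count >= LOGIN_THROTTLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed logins from your address. Try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( login_throttle_key() );
}, 10, 2 );
```

Drop this into a small plugin file and every address gets five wrong guesses per fifteen minutes before `wp-login.php` starts refusing them. Note what it does not cover: an attacker rotating through many addresses, or a site that sits behind a proxy without passing the real client IP through. That is exactly the “what doesn’t it protect against?” question the rest of the post asks you to put to any plugin.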
Does it protect?
Read the feature list carefully; even without expert knowledge you can make a pretty good guess at which category each feature falls under.
What doesn’t it protect against?
This is the most important part of your analysis. Only when you know what the plugin or service doesn’t protect against will you know what you still need to cover, and whether the commercial plugin you’re considering is worth the price.
Can free plugins do the job?
There are a lot of free security plugins for WordPress in the repository. Of course, many are crap. A few are excellent. Often, commercial plugins will use code from the repository for their own product. This is perfectly legal and ethical (as long as it is acknowledged in the code). I don’t have a problem with it at all, but you might, and it is nice to know when someone is making money off other people’s volunteer efforts.
Does it do anything stupid?
My two top indicators for “this person should burn in hell” (in the context of security plugins, at least :) ) are disabling the right click and “securing” wp-admin with a password. Why? Because disabling the right click is harmful to users (there are a lot of reasons someone might want or need to right-click, and taking that away without a damn good reason is not kosher), and it doesn’t even fulfil its stated purpose of “protecting” your content from getting copied: getting around a right-click disabler takes about 3 seconds, and any thief who’s passed kindergarten will know how to do it, so all you do is hurt innocent visitors.
Password-protecting wp-admin is equally stupid. Not only does it do little to nothing to improve the security of your site, it completely blocks AJAX for visitors of your site (the interactive tools on the front end). Not cool.
Is the code secure?
Finally, look at the coder themselves. What qualifications do they have to be writing any plugin, let alone a security plugin, which should be the most secure code possible? Pretty much anyone can write a plugin; hardly anyone can write one correctly and securely. Has the code been audited by an expert, like Mark Jaquith?
Does the coder use modern best practices, like using the data-escaping tools WordPress provides? If they don’t, they have no business calling themselves a coder, much less a security-system coder. Write and ask them.
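Here is what “using the data escaping tools WordPress provides” looks like in practice, and why it matters for the code-injection and SQL-injection items in the threat list above. This is an added example, not code from the post or from any plugin it mentions: one small settings feature written the careless way and then the hardened way, using the stock WordPress helpers (`sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`, `$wpdb->prepare`). The option names `myplugin_footer_note` and `myplugin_footer_link`, the nonce action and the function names are my own assumptions.

```php
<?php
/**
 * Added example, not code from the post or from any plugin it mentions.
 * The same settings feature twice: the careless version a poor plugin ships,
 * and a hardened version using WordPress's own sanitizing, escaping and
 * query-preparation helpers. Option names, nonce action and function names
 * are assumptions made for this illustration.
 */

// --- Saving a setting ---------------------------------------------------

// Careless: whatever arrives in the request is stored untouched, with no
// check of who sent it. Anything saved here is later printed by the theme,
// which is the "code injection" case from the threat list.
function myplugin_save_note_careless() {
    update_option( 'myplugin_footer_note', $_POST['note'] );
}

// Hardened: verify intent (nonce), verify permission, then sanitize on input.
function myplugin_save_note_hardened() {
    check_admin_referer( 'myplugin_save_note' );          // CSRF token check
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_option( 'myplugin_footer_note', $note );
}

// --- Printing a setting -------------------------------------------------

// Careless: prints stored data straight into HTML. Whatever sits in the
// option, markup included, lands in every visitor's browser.
function myplugin_print_note_careless() {
    echo '<p class="note">' . get_option( 'myplugin_footer_note' ) . '</p>';
}

// Hardened: escape at output time with the escaper that matches the context
// (esc_html for text nodes, esc_attr for attribute values, esc_url for hrefs).
function myplugin_print_note_hardened() {
    $note = get_option( 'myplugin_footer_note', '' );
    $link = get_option( 'myplugin_footer_link', '' );
    printf(
        '<p class="note" title="%s"><a href="%s">%s</a></p>',
        esc_attr( $note ),
        esc_url( $link ),
        esc_html( $note )
    );
}

// --- Querying the database ----------------------------------------------

// Careless: a caller-supplied value is concatenated into SQL, which is the
// "SQL injection" case from the threat list.
function myplugin_count_posts_careless( $status ) {
    global $wpdb;
    return (int) $wpdb->get_var(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = '$status'"
    );
}

// Hardened: $wpdb->prepare() quotes and escapes each placeholder value, so
// the value can never change the shape of the query.
function myplugin_count_posts_hardened( $status ) {
    global $wpdb;
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s",
        $status
    ) );
}
```

When you skim a plugin’s source, these are the shapes to look for: `update_option` fed straight from `$_POST`, `echo` of a `get_option` value with no `esc_` call around it, and SQL strings built with `.` or `"$var"` instead of `$wpdb->prepare()`. Each of the careless functions above is one of those patterns, and each has a two-line fix the author simply chose not to write.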
I hope you’ve found this article useful. Is there anything you’re wondering about that I haven’t covered?