SiteLock vs Wordfence: The Ultimate Comparison



Navigating the world of WordPress security plugins can be daunting, particularly when you’re weighing up highly recommended choices like Wordfence and SiteLock. We, at MalCare, with vast experience in WordPress security, aim to simplify this decision process for you.

Our expertise comes from hands-on experience. We purposefully infected several test websites with malware and measured the efficacy of both Wordfence and SiteLock in response to these threats. It was a controlled, yet revealing experiment, allowing us to assess on-the-ground performance. 

TLDR: There is just no comparison. Wordfence has a vastly better scanner, malware cleaner, and firewall than SiteLock. However, Wordfence is a resource hog, so it isn’t an unequivocal winner. For all the merits of Wordfence, and none of the drawbacks, choose MalCare instead. 

Wordfence in a nutshell

Wordfence is a popular free security plugin for WordPress that offers a decent level of protection for your website. It uses a signature-matching mechanism to detect malware, which can catch around 70-80% of known threats. However, this method is not foolproof and it often misses database-based malware.

One of the major drawbacks of Wordfence is that its free version has a delayed update for its firewall. The premium version, on the other hand, offers timely updates and additional features. It’s worth noting, however, that some web hosts may not allow Wordfence due to its resource-intensive nature.

SiteLock in a nutshell

In all honesty, SiteLock falls short in many areas. The configuration can be challenging, and this is especially true for critical security features, which are noticeably lacking in this plugin.

Furthermore, even the secondary security features, like the vulnerability scanner or 2FA, of SiteLock often fail to deliver the desired level of protection. It raises the question of why this plugin exists at all when it is unable to fulfill its primary purpose effectively.

Head-to-head comparison of Wordfence vs. SiteLock features

Now let’s take a closer look at how Wordfence and SiteLock measure up in these areas:

Malware scanning

Verdict: Wordfence takes the lead with its signature-matching mechanism that effectively detects a majority of file-based malware, whereas SiteLock fails to flag any malware in our tests.

Wordfence utilizes a signature-matching mechanism to detect malware. This method involves comparing the code on your site against a massive database of malware signatures. While Wordfence does a commendable job of keeping its database updated, it must be noted that this approach is not foolproof. It can only detect file-based malware, and it may not be able to detect newer or zero-day malware.

Additionally, Wordfence’s scanner is more effective on open-source or free plugins and themes, leaving out the majority of premium themes. Overall, Wordfence’s scanner is estimated to detect around 70-80% of malware, albeit with a fair amount of false positives.

SiteLock offers a daily malware scanning feature. However, in our tests, it failed to flag any malware on a heavily infected test site. This raises concerns about the effectiveness and reliability of its scanning mechanism. Furthermore, SiteLock only allows one on-demand scan per day, limiting its flexibility in proactive malware scanning.
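The limits of signature matching described above can be seen in a small scanner. This is an added example, not code from Wordfence, SiteLock or MalCare; the signatures, file paths, database row and the inert sample payload are all constructed for illustration.

```python
import hashlib
import re

# Constructed, inert sample: the base64 text decodes to the word "CONSTRUCTED".
KNOWN_SAMPLE = b"<?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>"

# Constructed signature database (illustrative; not any vendor's rules).
HASH_SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "hash:known-sample"}
PATTERN_SIGNATURES = [
    (re.compile(rb"eval\s*\(\s*base64_decode\s*\("), "pattern:eval-base64"),
]

# Constructed scan targets. INFECTED lists the locations we planted content in.
FILES = {
    "wp-content/plugins/demo/cache.php": KNOWN_SAMPLE,
    "wp-content/themes/demo/functions.php":
        b"<?php eval ( base64_decode( 'Q09OU1RSVUNURUQ=' ) ); ?>",
    "wp-content/uploads/loader.php": b"<?php constructed_unsigned_family(); ?>",
    "wp-includes/version.php": b"<?php $wp_version = 'x.y.z'; ?>",
}
DB_ROWS = {
    "wp_options:widget_text":
        b"<p>hi</p><?php eval(base64_decode('Q09OU1RSVUNURUQ=')); ?>",
}
INFECTED = {
    "wp-content/plugins/demo/cache.php",
    "wp-content/themes/demo/functions.php",
    "wp-content/uploads/loader.php",
    "wp_options:widget_text",
}


def match_signatures(data):
    """Return the name of every signature that matches this blob."""
    hits = []
    if (digest := hashlib.sha256(data).hexdigest()) in HASH_SIGNATURES:
        hits.append(HASH_SIGNATURES[digest])
    hits += [name for regex, name in PATTERN_SIGNATURES if regex.search(data)]
    return hits


def scan(files, db_rows, include_db=False):
    """Map each flagged location to its matching signatures."""
    targets = dict(files)
    if include_db:
        targets.update(db_rows)  # a file-only scanner never reads these rows
    findings = {}
    for location, data in targets.items():
        hits = match_signatures(data)
        if hits:
            findings[location] = hits
    return findings


def detection_rate(findings, infected):
    """Fraction of planted locations the scan flagged."""
    return len(set(findings) & infected) / len(infected)


if __name__ == "__main__":
    for include_db in (False, True):
        found = scan(FILES, DB_ROWS, include_db)
        print(include_db, detection_rate(found, INFECTED), found)
```

The reformatted copy in `functions.php` no longer matches the exact hash and is caught only by the pattern rule, the database row is invisible until the scan is told to read it, and the family with no signature is missed in both runs.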

Malware cleaning

Verdict: Wordfence wins again with its automated options and expert cleaning service, while SiteLock’s cleaning feature falls short due to its ineffective scanner.

When it comes to malware cleaning, Wordfence provides two automated options on its dashboard: deleting all deletable files and repairing all repairable files. Both options were largely successful at removing file-based malware from our website. However, when it comes to malware in databases and premium plugins, Wordfence’s scanner was unable to detect them, rendering the automatic repair options ineffective. The alternative is to request their expert cleaning service, which includes malware removal, security audit, vulnerability assessment, and assistance in getting your site off any blacklist. Though we can’t comment on the efficacy of Wordfence’s malware removal service since we didn’t try it, it offers a comprehensive solution for those needing expert assistance.

We couldn’t test SiteLock’s automatic malware removal tool, SMART, because we had trouble with setting it up with FTP. Additionally, if the scanner is unable to detect malware, which was the case in our tests, then there is no way for SiteLock to remove it. 


Firewall

Verdict: Wordfence’s firewall is more effective and reliable, while SiteLock’s basic plan lacks a firewall feature altogether.

Wordfence’s firewall is known for its effectiveness in keeping out attacks. The firewall is designed to work out of the box and provides a strong layer of protection for your website. It starts with a learning mode that they recommend you keep on for a week.

However, it should be noted that while the free version of Wordfence’s firewall is still capable, the dashboard ranks it at only 35% effectiveness compared to the premium version. Load order issues and delayed updates for the free firewall can contribute to this lower efficacy. The premium version of Wordfence’s firewall receives real-time updates, providing a higher level of protection. 

On the flip side, Wordfence has been known to lock out actual users. Also, we should point out that Wordfence doesn’t offer bot protection, which is a crucial layer of login and spam protection. So, we’ll deduct points for that.

SiteLock’s basic plan does not include a firewall or bot protection. The firewall is only available for the Pro and Business plans.

Vulnerability detection

Verdict: Wordfence successfully identifies vulnerabilities and flags them correctly, while SiteLock fails to detect any vulnerabilities on the test site.

Wordfence’s approach to vulnerability detection involves flagging outdated plugins as medium threats and correctly identifying vulnerabilities as critical threats. However, Wordfence did show some tendency to throw up false positives, as evidenced by the errors flagged for iThemes and Backupbuddy during our testing.

SiteLock’s vulnerability detection is bundled into the scanner feature, which is supposed to provide information about SQL injection and XSS vulnerabilities on the site. Unfortunately, in our testing, SiteLock’s scanner failed to detect any vulnerabilities, despite their presence on the site. 

Brute force login protection

Verdict: Wordfence’s brute force protection feature works perfectly, whereas SiteLock lacks this essential security feature.

Wordfence shines in this area, with brute force protection enabled by default. It effectively locks out users after too many incorrect login attempts, which can be configured from the dashboard. Wordfence provides a variety of customizable options for this feature, including setting lockout times and enforcing strong password usage.

While there is an option to whitelist IPs, its effectiveness is questionable due to the dynamic nature of device IPs.

SiteLock offers no features or protections against brute force login attempts. This glaring omission leaves sites using SiteLock potentially vulnerable to these common types of attacks.
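How a lockout policy of this kind behaves, including the caveat about allowlisting an IP address that later changes, as an added example that is not Wordfence's implementation. The class name, thresholds, documentation-range IP addresses and event list are assumptions made for the illustration.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Lock out a source IP after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900, allowlist=()):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.allowlist = set(allowlist)
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout ends

    def is_locked(self, ip, now):
        if ip in self.allowlist:
            return False
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # lockout has expired
            del self._locked_until[ip]
            return False
        return True

    def attempt(self, ip, success, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time now."""
        if self.is_locked(ip, now):
            return "locked"                  # rejected even if the password is right
        if success:
            self._failures.pop(ip, None)
            return "ok"
        if ip in self.allowlist:
            return "failed"                  # allowlisted sources are never counted
        recent = self._failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_s
            recent.clear()
        return "failed"


def replay(limiter, events):
    """Feed (time, ip, success) tuples through the limiter and collect outcomes."""
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed events: (seconds, source IP, password correct?)
EVENTS = (
    [(t, "203.0.113.10", False) for t in (0, 10, 20)]       # third failure locks
    + [(30, "203.0.113.10", True)]                          # still locked
    + [(t, "198.51.100.7", False) for t in (40, 41, 42, 43)]  # allowlisted admin
    + [(t, "198.51.100.99", False) for t in (50, 51, 52)]   # same admin, new IP
    + [(53, "198.51.100.99", True)]                         # admin is locked out
    + [(620, "203.0.113.10", True)]                         # first lockout expired
)

if __name__ == "__main__":
    limiter = LoginLimiter(3, 60, 600, allowlist={"198.51.100.7"})
    print(replay(limiter, EVENTS))
```

Once the administrator's address changes from the allowlisted `198.51.100.7` to `198.51.100.99`, the allowlist entry no longer applies and the same person is locked out like any other source.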

Activity log

Verdict: Both plugins could improve in this area, but Wordfence at least provides a raw log for developers, while SiteLock does not offer any activity log feature.

Surprisingly, Wordfence does not offer an activity log feature, a standard pillar of website security. While there is an option to enable debugging in the Diagnostics section, which increases the verbosity of the firewall logs, it is not equivalent to a comprehensive activity log. Wordfence does offer a raw log for Wordfence events in the Scan section, but it seems to be intended primarily for their developers in case of support.

SiteLock also does not offer an activity log feature. This absence further emphasizes the lack of comprehensive security features in SiteLock’s offering. Unlike Wordfence, SiteLock doesn’t even offer raw logs or the option to enable debugging.

Two-factor authentication

Verdict: Wordfence’s two-factor authentication feature works smoothly, while SiteLock’s equivalent feature fails to send verification messages.

Wordfence offers a robust two-factor authentication feature that works out of the box. Previously a premium feature, it has now been added to the free plugin as well. This allows users to add an extra layer of security to their login process.

SiteLock also provides a two-factor authentication feature. However, during our testing, we encountered issues with both the text message and mobile verification options. The text message failed to send, and the mobile verification setup was unsuccessful. These issues raise concerns about the reliability and effectiveness of SiteLock’s two-factor authentication.

Server resource usage

Verdict: SiteLock wins in this category as it has minimal impact on disk usage, while Wordfence is known to be resource-intensive.

Wordfence is known for being a resource-intensive plugin. During our tests, we observed significant increases in disk usage during scans and due to the firewall. These spikes in resource usage can impact your website’s load time, response time, and overall user experience. 

On the other hand, SiteLock’s scanner had a minimal impact on disk usage, suggesting that it is less resource-intensive than Wordfence. However, considering SiteLock’s lack of effectiveness in other areas, this might not necessarily be a positive.


Alerts

Verdict: Both plugins could improve their alert systems, with Wordfence providing too many alerts and SiteLock’s alerts being unclear.

Wordfence’s alert system can be overwhelming. The high frequency of alerts can lead to a flood of notifications in your inbox. While it’s crucial to stay informed about your website’s security, too many alerts can lead to inaction due to the sheer volume.

SiteLock allows users to toggle notifications on and off for security issues from the dashboard. However, given the issues we encountered with SiteLock’s other features, it’s unclear what these alerts might entail.

Installation, configuration, and usability

Verdict: Wordfence’s installation and configuration process is user-friendly and intuitive, while SiteLock’s process is convoluted and problematic.

Wordfence shines in this area, with a straightforward installation process and user-friendly configuration. Their dashboard includes walkthroughs for each major section, explaining important settings and features in simple language. Wordfence’s documentation is accessible directly from the tooltips on the dashboard, making it easy to understand each feature and how to use it on your website.

On the other hand, SiteLock’s installation process is far from seamless. The plugin is initially easy to install and activate, but finding it afterward can be a challenge as it goes into the Tools menu on wp-admin. Once located, the plugin requires you to connect to SiteLock’s site, which involves a convoluted process of purchasing a plan, expecting an email, and then returning to your site to configure the plugin. The configuration process includes a SMART setup that requires FTP access to your site, which proved problematic in our testing. 


Additional features

Wordfence includes a notifications section for site updates, identifying which plugins and themes need priority updates due to being identified as threats.

Additionally, Wordfence Central is an external dashboard for managing multiple sites on the same account, providing a high-level view of each site. 

The Tools section includes a live traffic feature that helps you manage the users that browse or access your WordPress site.

The Tools section also has a Whois lookup option and a detailed Diagnostics section that provides granular information about the website. These additional features add value to Wordfence, enhancing its usability and functionality.

SiteLock includes some anti-spam features on its dashboard, but it’s unclear how to manage spam once it’s detected. SiteLock also offers full site backups, which could be a useful feature. However, the backups are stored on the site server itself, which limits their usefulness in the event of a server issue.

What’s missing from Wordfence and SiteLock?

While Wordfence offers a solid range of features and performs well in many areas, it does have a few noticeable gaps. One significant missing feature is bot protection, which can help protect your site from automated attacks. Additionally, Wordfence does not include an activity log feature, which is a standard component of many security plugins. This feature helps site owners track all activities on their site, which can be crucial in identifying and responding to any suspicious behavior. Despite these omissions, Wordfence remains an above-average security plugin, standing out from many of its competitors.

Unfortunately, SiteLock falls short in many critical areas. Its malware scanner and its vulnerability detection are woefully inadequate. The cleaner feature can be risky to use, and the two-factor authentication feature doesn’t work as expected. Moreover, SiteLock lacks login protection, a crucial feature that helps prevent unauthorized access to your site. Essentially, SiteLock is missing many of the key features that are expected in a reliable and effective security plugin.


Pricing

The free version of Wordfence is quite robust, providing a decent range of features without any cost. The premium version, priced at $99 per year, offers additional features and more timely updates. Wordfence also offers Care and Response plans, which include malware cleanup services. The Response plan, priced at $950 per year per site, guarantees a 1-hour response time—crucial when dealing with a hacked site. However, if you choose the $99 plan and your site gets hacked, you will need to pay an additional $490 for malware cleanup.

SiteLock’s plans range from $14.99 to $34.99 per month per site. However, considering the lack of functionality and effectiveness in its basic plan, its value for money is questionable. Furthermore, the process of canceling a subscription with SiteLock can be tedious and time-consuming, which may be off-putting for potential customers. It’s worth noting that companies making it difficult to cancel subscriptions is often not a good sign of their customer service or user experience.

Which security plugin is worth your money?

When it comes to choosing a security plugin for your WordPress site, certain features are essential to consider. These features include:

  • Malware scanning: A good security plugin should be able to scan your website for any malicious code or files. It should have a robust scanning engine that can detect both known and unknown threats.
  • Malware cleaning: If malware is detected, the plugin should be able to remove it effectively and restore your website to a clean state.
  • Firewall: A firewall acts as a barrier between your website and potential threats. It monitors incoming and outgoing traffic, blocking any suspicious activity. A security plugin with a strong firewall can provide an extra layer of protection for your site.

In addition to these essential features, some good-to-have security features can further enhance your website’s security:

  • Vulnerability detection: A plugin that can identify vulnerabilities in your website’s software and plugins can help you remediate them before they are exploited by hackers.
  • Brute force login protection: This feature can protect your site from automated login attempts by limiting the number of login attempts allowed within a certain timeframe or by implementing CAPTCHA challenges.
  • Activity log: An activity log can keep track of all actions taken on your website, allowing you to monitor and identify any suspicious or unauthorized activity. It provides valuable insights into who is accessing your site and what they are doing.
  • Two-factor authentication: Enabling two-factor authentication adds an extra layer of security to your website login process. This requires users to provide an additional piece of information, such as a unique code sent to their mobile device, in addition to their username and password.
  • Impact on server resources: When considering a security plugin, it’s also important to assess its potential impact on server resources. Some plugins, like Wordfence, have a reputation for being resource-intensive, which can slow down your website or cause other performance issues. A plugin must strike the right balance between security and performance.

The better alternative to both Wordfence and SiteLock: MalCare

While Wordfence and SiteLock are popular security plugins, they both have their limitations. If you’re looking for a more comprehensive, reliable, and user-friendly solution, we recommend considering MalCare.

MalCare is a powerful WordPress security plugin designed to offer superior protection for your website. It boasts an advanced malware scanner that uses over 100 signals to detect even the most complex malware, instead of relying on signature-matching malware databases which depend on the continual vigilance of those maintaining it. Unlike Wordfence and SiteLock, MalCare’s scanner is designed to detect both file-based and database malware, ensuring comprehensive coverage.

In addition to its superior scanning capabilities, MalCare also offers a one-click automatic cleaner that can remove malware swiftly without needing any technical expertise. This feature sets MalCare apart from Wordfence and SiteLock, whose cleaning capabilities either come with caveats or could be more effective.

MalCare also features a robust firewall that blocks malicious traffic in real time, keeping your site safe from brute force and complex attacks. Unlike Wordfence, MalCare’s firewall does not slow down your site as it operates on MalCare’s servers, ensuring your website’s performance is never compromised.

Additionally, MalCare includes features such as login protection and an activity log, covering areas where Wordfence and SiteLock fall short. It also offers white labeling and client reporting, ideal for agencies managing multiple client sites.

Lastly, MalCare’s pricing is straightforward and good value for money. Starting at just $149 per year for a single site, you get access to all premium features including unlimited automatic malware removal, website hardening, and priority customer support.

Final thoughts 

In the world of WordPress security plugins, three essentials matter: scanning, malware removal, and a robust firewall. After extensive testing, Wordfence prevails as reliable thanks to its comprehensive approach. SiteLock, unfortunately, fell short in functionality, bringing its reliability into question. 

However, neither of them is as comprehensive as MalCare. MalCare offers the best malware scanner, malware removal, and firewall. It is a complete security solution at affordable prices. 


FAQs

What is better than Wordfence?

While Wordfence is a robust security plugin, our testing found that MalCare provides an even higher level of security with advanced algorithms and firewall protection capabilities.

Is SiteLock worth the money?

In our view, SiteLock’s functionality does not equate to the level of investment required, especially when compared with other superior options such as MalCare or Wordfence.

Can SiteLock and Wordfence be used together?

Using two security plugins simultaneously may cause conflicts. It’s recommended to use one that completely meets your security needs, such as MalCare.

Which one offers better malware protection?

Though both Wordfence and SiteLock offer protection, Wordfence’s deep-diving scans and reliable elimination process outdo SiteLock.

Do SiteLock and Wordfence have firewall capabilities?

Yes, both SiteLock and Wordfence offer firewall capabilities. Yet, Wordfence’s firewall is more robust and customizable.

Are SiteLock and Wordfence effective against brute force attacks?

Only Wordfence can fight against brute force attacks. SiteLock does not provide any such feature.

Are SiteLock and Wordfence compatible with various CMS platforms?

SiteLock and Wordfence were designed specifically for WordPress websites. For other CMS platforms, different security solutions would be recommended.

Can SiteLock and Wordfence improve website performance?

Wordfence slows down your WordPress site because it is a resource hog. On the other hand, SiteLock has no perceptible performance impact on your website.

Are SiteLock and Wordfence suitable for small businesses or larger enterprises?

While both plugins can work for businesses of all sizes, Wordfence’s comprehensive security solutions make it a better choice, especially for larger enterprises that require a more robust security protocol. For ultimate security, both small businesses and larger enterprises may find MalCare to be the best option.


