Wordfence vs All-In-One WP Security: A Detailed Analysis
You’re running a website and you’re starting to get very popular. You’ve been hearing about security threats and are worried about the health of your site. You decide you need the best security plugin for WordPress to help manage your site’s health and protect it from attacks. But which one do you choose? There are so many security plugins to choose from. When it comes to something as crucial as security, you can’t just pick any plugin.
Wordfence is a name that keeps popping up when it comes to website security plugins. It’s a popular choice, offering users a range of features designed to protect their sites from malicious threats. But is Wordfence the right security plugin for you? What features does it lack?
All-In-One Security is a security plugin and anti-spam software that’s highly rated and praised for its wide range of features. Not only does it provide all the security features of a security plugin, but it also has plenty of hardening features to make sure your site is as secure as possible. But how does it compare to its competitors? Does it live up to its reputation?
We are not fans of All-In-One Security, as it lacks a cleaner and is essentially just a glorified anti-spam and hardening plugin; Wordfence is without a doubt the better option. The best security plugin for WordPress is neither Wordfence nor All-in-One Security; it is MalCare.
When it comes to WordPress security, there are a variety of plugins to choose from. Two of the most popular are All-In-One Security and Wordfence. In this article, we compare how both plugins handle important security actions, such as installing a firewall or removing malware. Read on to learn about the differences between these two security plugins and why we think Wordfence is better.
Overview: Wordfence vs. All-In-One Security
Wordfence and All-In-One Security are both security plugins for WordPress with free and premium versions, but they have significant differences.
Wordfence has a signature-matching detection mechanism that can detect between 70 and 80% of malware and a firewall that keeps out threats, but the free version is updated later than the premium one.
All-In-One Security has anti-spam capabilities and a two-factor authentication feature, but the free version lacks a scanner to check if the site is hacked, vulnerability detection, or malware cleaner. The firewall relies heavily on the .htaccess file, which can only block certain categories of bad bots.
Overall, Wordfence appears to be a more comprehensive security plugin, while All-In-One Security is more focused on anti-spam features.
Wordfence in a nutshell
Wordfence is a comprehensive free security plugin for WordPress.
Its signature-matching detection mechanism can detect between 70 and 80% of malware, though it does miss most database-based malware. Its firewall does a good job of keeping out threats, but it is worth noting that the free version is updated much later than the premium one. Additionally, it is important to check with your web host whether Wordfence is allowed on your site, as it can be a resource hog, leading many hosts to outright ban it from their servers.
All-In-One Security in a nutshell
All-In-One Security has some positive features. For starters, it has anti-spam capabilities, a two-factor authentication feature, and a limit login feature, with no load on the site server or excessive alerts.
Unfortunately, the cons outweigh the pros: the free version does not have a scanner to check if your site is hacked, and there is no vulnerability detection or malware cleaner. Additionally, the firewall relies heavily on the .htaccess file, which only seems to be able to block certain categories of bad bots. We can only recommend All-In-One Security for its anti-spam features, although we prefer CleanTalk or Akismet for those.
The hardening features are alright, but nothing that can’t be easily achieved with a smaller plugin. We find All-In-One Security to be quite similar to iThemes in that the plethora of settings on wp-admin appear to be trying to obscure the fact that the plugin lacks real substance.
Head-to-head comparison of security features: Wordfence vs All-In-One WP Security
In this section, we will compare how both plugins measure up against each other in terms of important security features such as malware detection, two-factor authentication, security hardening, and resource usage.
Anything less than 95% malware detection is not good, but at least Wordfence free is somewhat effective. All-In-One Security doesn’t have a scanner in their free plugin.
Wordfence’s free scanner is only 60% effective, which is not ideal. Scans are completed quickly, as Wordfence uses signature-matching to detect malware by comparing code on your site to a massive database of malware signatures. They do a great job of keeping their signature database up to date; however, it cannot detect zero-day attacks.
Additionally, signature-matching is only effective against file-based malware and cannot detect malware in the database. We found that it only detected 70-80% of malware, and produced false positives to boot. Lastly, the scanner is only able to detect malware in open source or free plugins and themes, as it relies on publicly available code for comparison. Premium plugins and themes are not included in the scan.
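The limits described above can be seen in a small file scanner. This is an added example, not Wordfence's code: the signature names, plugin paths and file contents are constructed for illustration, and the checksum baseline stands in for the "publicly available code" comparison the text mentions.

```python
import hashlib
import re

# Constructed signatures (name -> byte pattern). A real scanner ships
# a far larger, regularly updated set.
SIGNATURES = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "gzinflate-rot13": re.compile(rb"gzinflate\s*\(\s*str_rot13\s*\("),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed pristine copies of a free plugin whose source is public,
# so a known-good checksum baseline can be built for it.
PRISTINE = {
    "plugins/free-gallery/gallery.php": b"<?php function gallery_render() { return 'ok'; }\n",
    "plugins/free-gallery/util.php": b"<?php function gallery_util() { return 1; }\n",
    "plugins/free-gallery/admin.php": b"<?php function gallery_admin() { return true; }\n",
}
BASELINE = {path: sha256(body) for path, body in PRISTINE.items()}

# Inert stand-in for a change that no signature describes yet.
NOVEL = b"<?php include 'cache/unknown.inc'; ?>\n"

# Constructed site contents as found on disk.
SITE = {
    # Untouched file from the free plugin.
    "plugins/free-gallery/gallery.php": PRISTINE["plugins/free-gallery/gallery.php"],
    # Known pattern appended; the payload only decodes to "echo 1;".
    "plugins/free-gallery/util.php": PRISTINE["plugins/free-gallery/util.php"]
    + b'<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n',
    # Novel change in a free plugin: no signature, but the baseline differs.
    "plugins/free-gallery/admin.php": PRISTINE["plugins/free-gallery/admin.php"] + NOVEL,
    # Same novel change in a premium plugin: no signature and no baseline.
    "plugins/premium-forms/core.php": NOVEL,
}


def classify(path: str, body: bytes) -> str:
    """Return malware:<name>, clean, modified, or unverified for one file."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(body):
            return f"malware:{name}"
    expected = BASELINE.get(path)
    if expected is None:
        # Nothing to compare against: the scanner cannot vouch for this file.
        return "unverified"
    return "clean" if sha256(body) == expected else "modified"


def scan(site: dict) -> dict:
    """Classify every file in the site mapping (path -> bytes)."""
    return {path: classify(path, body) for path, body in sorted(site.items())}


if __name__ == "__main__":
    for path, verdict in scan(SITE).items():
        print(f"{verdict:22} {path}")
```

The same unrecognised change is reported as `modified` in the free plugin but only as `unverified` in the premium one, because there is no public baseline to compare it with.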
We were surprised to learn that malware scanning is a premium feature of All-In-One Security. On the bright side, the scans are carried out on their servers rather than on your own website.
Wordfence’s malware removal feature is average, but at least it exists. Not so with All-In-One Security.
Wordfence offers two automated malware removal options: delete all deletable files and repair all repairable files. If a more thorough cleaning is needed, Wordfence also offers an expert cleaning service.
We tested both automated options and found that they were successful in removing the malware from our website; however, we had to proceed with caution due to the warnings of potential site disruption. Unfortunately, the scanner could not detect any database malware or malware found in premium plugins, so automatic repair was not an option.
Unfortunately, All-In-One Security does not offer a malware cleaning feature or even a recommended cleaning service. The only guidance they provide is advice, which is far from satisfactory. For a security plugin, this is hugely disappointing.
Wordfence’s free firewall leaves a lot to be desired. All-In-One Security’s firewall is proof against spam bots, but little else.
Wordfence’s firewall begins in learning mode, which Wordfence suggests leaving on for a week in order to become more effective. However, due to the lack of live traffic to our test websites, we decided to switch it off immediately.
It does successfully block online attacks, although the free firewall is only 35% effective, according to the dashboard. We looked into why this might be the case and found two possible explanations.
Firstly, the free firewall is loaded as a plugin after WordPress core, meaning it can only defend against some malicious traffic, not all. Secondly, the premium version of Wordfence receives updates in real-time, while the free version gets them after an unknown length of time, possibly leaving a window of vulnerability for hackers. It’s clear from Wordfence’s own assessment that the free firewall is not as effective as the premium version.
All-In-One Security has a firewall-like feature that can stop some bots, spam, brute force logins, and scrapers, and close off access to certain files. However, these features do not constitute a real firewall. The firewall appears to largely rely on the .htaccess file for operations, which is a powerful tool but not suitable for the job of a firewall.
From the dashboard, you can blacklist IP addresses and user agents to protect your site. To enable geoblocking, you must upgrade the plugin.
Vulnerability detection on Wordfence works out of the box and is very reliable. All-In-One Security touts this as a premium feature, as part of their scanner.
Wordfence accurately alerted us to all the out-of-date plugins as medium threats and correctly flagged the vulnerabilities as critical threats.
It appears that vulnerability detection is only available in the premium scanning feature of All-In-One Security. Therefore, as of now, there is no vulnerability detection available.
Brute force protection
Wordfence has great brute force protection, whereas All-In-One Security has a remarkably sophisticated feature with a lot of nice bells and whistles.
Brute force protection is enabled by default on Wordfence and it works effectively each time, locking out users with too many incorrect attempts based on the configuration set on the dashboard. The settings can be found in the firewall section, and there are plenty of options to customize such as the lockout time for incorrect login attempts. Wordfence explains each one of these settings clearly and provides ample documentation.
It is also possible to set password management options here, such as enforcing strong passwords and preventing the use of passwords discovered in a data breach. IPs can be whitelisted in this section; however, we are uncertain about their effectiveness since device IPs can be dynamic, meaning a legitimate user could still be locked out.
All-In-One Security offers a variety of settings to prevent brute force on the user login screen and we used the default recommended values to test the feature. We tested incorrect passwords with existing usernames and incorrect usernames and the lockout worked smoothly.
It is possible to tweak the settings according to one’s preferences, and on the whole, this feature is one of the better versions we have seen for limiting logins.
Additionally, there is a separate set of toggles specifically for brute force prevention, one of which is the ability to change the login URL. This is a hardening measure masquerading as brute force prevention. Furthermore, there is a honeypot option, which is only visible to bots, that can be enabled to automatically reject registrations that fall into the honeypot trap. This feature is to prevent spam registrations.
Neither plugin has an activity log.
We were surprised to find that Wordfence does not have an activity log, as it is a crucial component of website security. There is an option to enable debugging in the Diagnostics section of the Tools menu, but this only makes the firewall logs more verbose; it does not provide an activity log. Through extensive research, we were able to locate an activity log specifically for Wordfence events in the Scan section. However, it is a raw log, presumably created for Wordfence developers only.
Unfortunately, AIOS does not have an activity log, only a half-baked login log.
Two factor authentication
Both All-In-One Security and Wordfence have decent 2FA features.
Wordfence’s two-factor authentication is easy to set up and customize with a variety of options. It used to be a premium feature, but is now included in the free plugin as well.
All-In-One Security offers the ability to set up two-factor authentication (2FA) for all types of users, or pick the accounts that are most important to secure.
This toggle adds 2FA as an option in the user profile, allowing the user to enable it if they wish.
There are various options the user can choose from, depending on what mechanism suits them best. All in all, All-In-One Security 2FA is a comprehensive feature.
Server resource usage
Wordfence is a blight on a site server. All-In-One Security on the other hand barely uses any resources, since it doesn’t actually scan the site in the free version.
Wordfence can be quite resource-intensive, as each action it performs on a website consumes server resources. This can lead to a spike in disk usage during scans which can cause the disk usage to double or even triple, negatively impacting load time, response time, and user experience, even on relatively small websites.
All-In-One Security is very gentle on the site server as there is no scanning available in the free version. Additionally, you can prevent hotlinking by enabling the setting in the firewall section. This will prevent people from using assets stored on your site server on their own site, which can use up your server space.
Wordfence will bombard you with alerts. With All-In-One Security you can customize the ones you want to receive.
With Wordfence, we were quickly buried under emails and alerts. Unfortunately, this renders them useless because too many alerts can lead to inaction when necessary.
All-In-One Security has a reasonable number of alerts such as locked out users, and you can customize which alerts you would like to receive. However, this is nowhere close to the abundance of alerts offered by Wordfence.
Installation, configuration and usability
Wordfence has the best installation and setup we’ve seen. Even All-In-One Security was easy compared to some of the other horrendous UIs we have seen.
The installation, configuration, and general use of Wordfence are highly praised by many. Their documentation includes step-by-step walkthroughs on each major section, providing detailed explanations of the most important settings and features in an easy-to-understand language.
Additionally, Wordfence provides great recommendations for configuration and the documentation is available through tooltips on the dashboard, making it very user-friendly. Every feature is explained in depth and instructions on how to apply it to your website are accessible instantly.
Installation and activation of All-In-One Security was relatively straightforward compared to the mess that was Bulletproof Security’s UI.
However, due to MalCare being installed on the site already, we were unable to automatically set up the firewall and had to edit the code in the terminal to replace the MalCare firewall with All-In-One Security firewall.
All-In-One Security has a scoring system to determine how secure our website is. The score of 0/505 on the site was a painful surprise; however, this system helps to understand the status of the site. To build up the security and get better points, one needs to enable the basic security features on each of the options in the settings menu.
Wordfence offers a Notifications section to indicate which plugins and themes need to be updated due to being considered critical or medium threats.
Additionally, the Wordfence Central dashboard allows one to manage multiple sites on the same account; however, this may not be very useful for agencies with hundreds of managed sites.
The Live Traffic section logs and classifies traffic, and even offers a “Who is” lookup to view the attacker without leaving the wp-admin.
Last but not least, the Diagnostics section offers comprehensive information about the website in one place, making it an invaluable tool for developers.
All-In-One Security offers partial backups of the site database, .htaccess file, and wp-config file, which is a great idea. But those backups are not enough to rebuild a destroyed site on their own. Plugins and themes can be modified significantly and not backing them up can lead to costly mistakes. To ensure that your site is fully protected, make sure to take an explicit backup and save it to your device.
Plus, the .htaccess file doesn’t change often, but the database certainly does. An automatic backup would be the most effective way to protect your site, as people may not even be aware of changes to the database.
Although All-In-One Security includes some hardening settings, they may not be as effective in protecting a website as some may assume. For example, removing the WordPress version won’t prevent vulnerabilities, as updating WordPress is the only way to stay secure.
Additionally, attempting to hide the admin username won’t stop brute force attacks, as they still consume server resources. All-In-One Security’s password tool can be helpful in creating a strong password; however, changing the database prefix and changing file permissions are both ineffective measures. Disabling access to XML-RPC is a useful feature, but file change detection has limited use.
Being able to change file permissions would have been a useful feature to have if it wasn’t so toothless. You can only change the file permissions for certain files and folders, and can only change them to AIOS recommended permissions. Talk about idiot-proofing a feature, and making it completely useless.
It is interesting to note that user registrations on a website can be limited to help protect against hackers. This tactic can prevent hackers from creating user accounts and escalating privileges to gain unrestricted access to the site. Additionally, there are a variety of options available to prevent spam comments, which is a great feature to have as spam comments can be very annoying. A firewall should prevent spam bots from posting, but having an additional filter in place is beneficial.
We clearly like the free version of Wordfence, but it comes with some drawbacks. It does not include bot protection or an activity log. Its scanner is above average compared to the other security plugins available, with the exception of MalCare. MalCare has both protection and an activity log, making it the better plugin.
You can guess what we’re about to say about All-In-One Security. It lacks a cleaner. We sound like a broken record but unfortunately, due to the lack of clean-up options, it is difficult to consider this plugin a viable security option.
The free version of Wordfence is quite comprehensive, and the $99 yearly subscription fee is a good value. Previously, customers had to pay an additional $490 for malware clean-up, along with the subscription fee. However, customers can now choose between the Care and Response plans, with the Care plan offering no additional cost. The Response plan offers a guaranteed 1-hour response time in the event of a hack, at the cost of $950 per site per year, which can be invaluable.
At first glance, All-In-One Security’s price of $70 per year for two sites seems reasonable. However, it should be noted that there is no malware clean-up included, meaning it will be an extra cost. Additionally, it is difficult to assess the effectiveness of the scanner.
Better alternative to Wordfence and All-In-One Security: MalCare
While we like Wordfence, MalCare is a much better security plugin. The most comprehensive security plugin with everything you need and more is MalCare. It provides bot protection and an activity log that Wordfence lacks and is much more reliable. MalCare also covers the database, which other plugins do not.
What makes a security plugin good?
Our extensive knowledge of WordPress security has enabled us to create a concise and informative guide of essential security features to look for in a security plugin. We have excluded any features that are not directly related to security in order to provide you with a more focused list.
- Malware scanning: This feature helps to detect any malicious code, files, or scripts that have been added to the website, alerting the user of any potential threats and providing them with peace of mind.
- Malware removal: It helps to remove any malicious code that has been detected, making it a crucial step in keeping the website safe and secure.
- Firewall: It helps to block malicious traffic and requests from reaching the website, as well as keep potential threats from entering the website. Additionally, it can alert the user of any suspicious activity, such as attempted brute-force attacks, providing them with early warning and extra protection.
Good-to-have security features:
- Vulnerability detection: It helps to identify any potential vulnerabilities in the website that could be exploited by hackers, making it crucial to identify and patch them as soon as possible.
- Brute force login protection: This means blocking any attempts of brute-force attacks on the website, making it difficult for hackers to gain access and providing an extra layer of protection for your website.
- Activity log: Monitor and track any suspicious activity on the website, such as malicious requests or failed login attempts, allowing the user to take action and block the threats before any serious damage is done.
- Two-factor authentication: This adds an extra layer of security to the website by requiring the user to enter an additional code before they can access the website. This makes it more difficult for hackers to gain access to the website, giving users greater peace of mind.
- Impact on server resources: It is important to consider the resource intensity of security plugins when making your decision, as they can cause slow loading times and other performance issues.
When selecting a WordPress security plugin for your website, you should assess the scanner, cleaner, and firewall, since these three features are essential for a robust security plugin. You’ll find all those features in MalCare. At MalCare, we strive to make security effortless and pain-free so that you can focus on growing your business. Let us take care of the security while you take care of the rest.
You may also want to see our guide on Sucuri vs Wordfence to choose the right security plugin for your needs.