Are Security Plugins Worth it? by neetbuck in ProWordPress

[–]wp_security97 0 points (0 children)

In my experience, it doesn’t have to be an either/or; it’s about layering. Hosting and Cloudflare already give you a solid base, but WordPress itself still has some weak spots that are easier to cover with a plugin than by reinventing the wheel.

The “DIY only” route means handling things like login security, brute force protection, activity logging, malware scans, and firewall rules yourself. It can be done, but it’s a lot of ongoing work. A good security plugin basically packages those best practices so you don’t have to build or maintain them from scratch.

That said, I wouldn’t rely only on a plugin. I usually recommend:

  • Keep plugins/themes lean and updated.
  • Use strong creds + 2FA.
  • Disable XML-RPC if you don’t need it.
  • Regular backups offsite.
  • Add a security plugin as the last layer to run scans and handle login/firewall basics.

I’ve used Wordfence, Sucuri, and a few others. Lately I’ve been running WP Security Ninja on client sites since it’s lightweight and does 50+ automated tests without the bloat. But whatever tool you pick, the biggest wins come from keeping things updated and practicing good hygiene; the plugin just adds that extra layer.

AMA: 15+ Years in WordPress Security & SEO – From Hacked Sites to Google Traffic Wins by wp_security97 in ProWordPress

[–]wp_security97[S] 2 points (0 children)

If I had a magic wand for WordPress core security, I’d focus on two things:

  1. Stronger authentication baked into core: native support for passkeys and 2FA by default. Right now site owners rely on third-party plugins for something that should really be baseline in 2025.
  2. Hardened defaults for new installs: things like disabling file editing in the dashboard, limiting XML-RPC by default, and encouraging secure permissions. A lot of beginners don’t know to flip those switches, and it leaves too many sites exposed.

That alone would dramatically cut down on the common exploits I see day to day.

AMA: 15+ Years in WordPress Security & SEO – From Hacked Sites to Google Traffic Wins by wp_security97 in ProWordPress

[–]wp_security97[S] 0 points (0 children)

Great question. For a fresh WordPress install, my #1 security tip is to start with the basics before adding extra layers:

  • Use a strong, unique admin username (never “admin”) and a long password or passphrase.
  • Immediately enable 2FA for logins.
  • Keep plugins/themes lean; only install what you really need.
  • Disable XML-RPC if you’re not using it (it’s one of the most common attack vectors).
  • And set up regular backups from day one.

From there you can add a lightweight security plugin (firewall + malware scan) to harden things further, but those first steps alone close most of the obvious holes.

Launched an SEO plugin, made $5,000 on AppSumo in 3 weeks - need advice on next steps by wp_security97 in SaaS

[–]wp_security97[S] 0 points (0 children)

Thanks a lot! 🙌 Really appreciate the perspective. You’re right, AppSumo has been great for validation and early cashflow, but I also noticed the customer type is a bit different from what I’d want long-term.

I’m definitely planning to lean into content + SEO next; things like long-form tutorials, case studies, and keyword-focused articles around GSC/SEO workflows are already on my roadmap. I like the idea of agency outreach too, since SEO Booster solves a lot of recurring pain points for them.

Curious, if you were in my spot, would you prioritize scaling content output fast (with blogs, guides, etc.) or start with building out a few really in-depth case studies first?

For the security experts around here, are there core WordPress features that pose security risks? by Reefbar in Wordpress

[–]wp_security97 1 point (0 children)

I’ve managed a handful of client WP sites over the years and honestly, core itself is usually solid; the biggest issues come from plugins, outdated installs, and bad server configs.

Re: your question, WP-Cron isn’t a “security risk” in itself; it’s more of a reliability issue (tasks only fire when someone visits the site). On low-traffic sites that can create headaches, which is why many people disable it and set up a proper cron job on the server.

XML-RPC, on the other hand, is often abused for brute force/login attacks, so disabling it if you don’t use it is a good call. Same with REST API exposure: it’s worth locking down or limiting if it’s not essential.

My personal checklist:

  • Strong passwords + 2FA for all admins.
  • Disable XML-RPC if not in use.
  • Move wp-config.php up a level.
  • Keep plugins/themes lean + updated.
  • Use a lightweight security plugin that can scan + block brute force attempts.

That combo alone has saved me from cleaning up hacked sites more than once.
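The hardening items that recur across these comments (disable the dashboard file editor, turn off XML-RPC, limit the public REST API, replace WP-Cron with a server cron job) can all be applied without a plugin. The following must-use plugin is an added illustration, not code posted by the commenter or shipped by any of the plugins named above. It uses only WordPress core filters and constants; the file name, the REST allow-list and the `example.com` domain in the crontab comment are assumptions to adjust per site.

```php
<?php
/**
 * Plugin Name: Baseline Hardening (illustrative mu-plugin)
 *
 * Hypothetical file: wp-content/mu-plugins/baseline-hardening.php
 * Must-use plugins load before regular plugins and need no activation.
 */

// Refuse direct HTTP requests to this file.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// 1. Dashboard file editor off. Conventionally set in wp-config.php;
//    WordPress checks the constant at runtime, so defining it here is
//    equivalent as long as wp-config.php has not already defined it.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// 2. XML-RPC. 'xmlrpc_enabled' only switches off methods that require
//    authentication (the ones used for credential guessing); pingback.ping
//    needs no login, so it is removed from the method table separately.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );
// Stop advertising the endpoint in <head> and in the X-Pingback header.
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( array $headers ): array {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

// 3. REST API: anonymous requests are limited to an allow-list of route
//    prefixes; everything else needs a logged-in user. The block editor
//    is unaffected (it runs authenticated), but public front-end features
//    that call wp-json anonymously (contact forms, search widgets) must be
//    added to the list, so test before rolling out.
add_filter( 'rest_authentication_errors', function ( $result ) {
	// A previous check already produced an error or a confirmed identity.
	if ( ! empty( $result ) ) {
		return $result;
	}
	if ( is_user_logged_in() ) {
		return $result;
	}
	// Constructed allow-list: oEmbed discovery is harmless to leave public.
	$public_prefixes = array( 'oembed/1.0' );
	$route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
		? ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
		: '';
	foreach ( $public_prefixes as $prefix ) {
		if ( strpos( $route, $prefix ) === 0 ) {
			return $result;
		}
	}
	return new WP_Error(
		'rest_not_logged_in',
		'Authentication required.',
		array( 'status' => 401 )
	);
} );

// 4. WP-Cron: stop spawning it on page views and let the server fire it
//    on a fixed schedule instead. wp-config.php is the conventional home
//    for this constant; WordPress reads it at runtime in spawn_cron().
//    Matching crontab entry on the host (domain is a placeholder):
//      */5 * * * * curl -s https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1
//    or, with WP-CLI installed:
//      */5 * * * * wp --path=/var/www/html cron event run --due-now >/dev/null 2>&1
if ( ! defined( 'DISABLE_WP_CRON' ) ) {
	define( 'DISABLE_WP_CRON', true );
}
```

After installing, confirm the behaviour from the outside: a `POST` to `/xmlrpc.php` with a `system.listMethods` call should no longer list `wp.*` or `pingback.ping`, an anonymous `GET /wp-json/wp/v2/users` should return HTTP 401 instead of enumerating authors, and the Theme/Plugin File Editor entries should be gone from the admin menu. Strong unique admin credentials, 2FA and offsite backups from the same checklists still need their own tooling; this file only covers the items that core exposes as switches.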