The WordPress security plugin market is crowded. Wordfence, Sucuri, iThemes, All-In-One WP Security, Solid Security — they all promise to "protect your site." But when you look under the hood, most of them are doing the same 5 things and marketing the other 50 as premium upsells.
Here's what actually matters.
The 6 Things That Actually Stop Attacks
Based on post-mortem analysis of 200+ hacked WordPress sites we've cleaned:
1. Login Protection (Prevents 23% of breaches)
The absolute minimum:
- Brute-force rate limiting — lock out IPs after N failed attempts
- 2FA — email codes or TOTP authenticator apps
- Custom login URL — moves your login page away from /wp-login.php
What doesn't help much:
- CAPTCHA on login (bots solve them; real users hate them)
- Login page decorations and custom backgrounds
- "Login attempt logging" without rate limiting
2. A Request Firewall (Prevents 67% of breaches)
This is the big one. Most successful attacks come through vulnerable plugin endpoints — not through the login page.
A good WordPress firewall should:
- Filter malicious request patterns before they reach PHP — SQL injection, path traversal, remote code execution payloads
- Rate limit per IP — prevent enumeration and DoS
- Block known bad user agents — script kiddies, vulnerability scanners, botnets
What doesn't help:
- "Cloud firewalls" that require DNS changes and proxy all your traffic through a third party
- Firewalls that only check POST requests (attackers use GET too)
- Blocked country lists as your primary defense (attackers use VPNs)
3. File Integrity Monitoring
When an attacker modifies a file or drops a backdoor, you need to know immediately.
A useful file monitor:
- Compares core files against WordPress.org checksums — catches modifications to wp-includes and wp-admin
- Detects new PHP files in uploads/ — these are almost always malicious
- Monitors theme and plugin files for changes — especially functions.php and index.php
What's less useful:
- Monitoring CSS and image file changes (too noisy, rarely malicious)
- "Real-time" monitoring that actually runs once per day
- File monitors that can't tell you what changed (no diff view)
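One way to implement the checks in this section, as an added example rather than code from WO Security Shield or any of the plugins named above: a Python scanner that diffs a directory tree against a stored hash baseline (reporting modified, added and missing files, which is the "diff view" a useful monitor needs) and separately flags any PHP file under wp-content/uploads/. The baseline source and the sample tree built in demo() are constructed assumptions.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(root):
    """Map every file under root (slash-separated relative path) to its SHA-256."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return result

def check_integrity(root, baseline):
    """Diff the live tree against a baseline and flag any PHP file under uploads/."""
    current = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
        # Flagged even if the baseline knows the file: uploads/ should never contain PHP.
        "php_in_uploads": sorted(p for p in current if p.startswith("wp-content/uploads/")
                                 and p.lower().endswith((".php", ".phtml", ".phar"))),
    }

def demo():
    """Constructed mini WordPress tree: take a baseline, then simulate three changes."""
    root = tempfile.mkdtemp()
    seed = {
        "wp-includes/version.php": b"<?php $wp_version = '0.0';\n",
        "wp-content/themes/t/functions.php": b"<?php // theme functions\n",
        "wp-content/uploads/2026/04/photo.jpg": b"\xff\xd8\xff\xe0",
    }
    for rel, content in seed.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(content)
    baseline = snapshot(root)  # in production: WordPress.org checksums or a post-install snapshot
    with open(os.path.join(root, "wp-content/themes/t/functions.php"), "ab") as f:
        f.write(b"// appended line\n")           # modified theme file
    with open(os.path.join(root, "wp-content/uploads/2026/04/cache.php"), "wb") as f:
        f.write(b"<?php // placeholder file\n")  # new PHP file where only media belongs
    os.remove(os.path.join(root, "wp-includes/version.php"))  # missing core file
    return check_integrity(root, baseline)
```

Running demo() reports the theme file as modified, version.php as missing, and cache.php both as added and as a PHP file in uploads/; a real monitor would persist the baseline and run snapshot() on a schedule rather than once per day.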
4. Security Headers
These headers are free protection that most sites never set:
| Header | What it prevents |
|---|---|
| X-Frame-Options: SAMEORIGIN | Clickjacking attacks |
| X-Content-Type-Options: nosniff | MIME type confusion attacks |
| Referrer-Policy: strict-origin-when-cross-origin | Leaking URLs to third parties |
| Content-Security-Policy | Inline script injection (XSS) |
| Strict-Transport-Security | Downgrade to plain HTTP (SSL stripping) |
A security plugin should add these with one checkbox, not require you to edit .htaccess manually.
5. WordPress Hardening Defaults
Simple changes that reduce your attack surface:
- Disable XML-RPC — unless you specifically need it (most sites don't)
- Disable the file editor — prevent code editing from wp-admin
- Block PHP execution in uploads/ — .htaccess rule that stops uploaded backdoors from running
- Hide login errors — don't tell attackers whether the username or password was wrong
- Block username enumeration — stop attackers from discovering valid usernames via ?author=1
6. Activity Logging
You need an audit trail. When something goes wrong, you need to answer:
- When did the attack happen?
- What changed?
- Which accounts were involved?
- What was the entry point?
A good activity log captures: logins, failed logins, file changes, plugin activations, user creation, and option changes.
What's Mostly Marketing
Features that security plugins sell hard but don't meaningfully improve security:
- "Malware database with 50,000 signatures" — the number doesn't matter; what matters is whether it catches real infections without false positives
- Security "grades" and scores — a green A+ score doesn't mean you're protected; it means you checked some boxes
- "Powered by AI" scanning — marketing buzzword; pattern matching works fine for known malware
- Uptime monitoring — useful, but not a security feature; use a dedicated service
- Performance optimization — has nothing to do with security; don't let a security plugin manage your cache
What We Built (and Why)
WO Security Shield focuses on the 6 things above. No bloat, no upsells disguised as features.
- Firewall with rate limiting, request filtering, and IP blocking
- Login protection with brute-force limits, email 2FA, and TOTP authenticator support
- File integrity monitoring with diff views and quarantine
- Security headers with one-click configuration
- WordPress hardening — XML-RPC, file editor, uploads protection, enumeration blocking
- Activity logging with filtering, export, and GDPR compliance
No cloud dependency required. Your security runs inside your WordPress installation.
Published April 2026. Updated as the threat landscape changes.
