Defender plugin, do I really need it?

Not Events + But Defender Plugin...

I wondered about site security once before with another seemingly popular website plugin that helped change to vsecure all your sites vulnerabilities, but my Dev told me not to bother.
My site is located within WP-Engines walls, as I understand it their security is good, my site is backed up each day, so why should I bother or worry?

Is defender a plugin I can live without or is it an absolute must, I do not know?
Whatever the advise, my site is not yet live so I am just seeking in advance, thanks for all your feedback in advance people :slight_smile:

  • Luís

    Hi Justin ,

    Hope you're doing well today!

    In my opinion you should always use a security plugin, even all the security measures of any host.

    Defender will give you all the basic tools to protect your website, another way to turn your website secure.

    Also, it will allow you to schedule scans and the integration with the HUB is a good feature too.

    I hope this information has been helpful. If I can help you in this or other questions, please let me know!

    Cheers, Luís

  • Justin

    OK, I feel as though I need to come @ this from a different angle, so I have copied & will paste the info that flowed to & from my Dev, will be interesting to see the different responses I get with reference to my Dev's opinions on relevant aspects to site security so here go's.

    The Plugin I was looking to use @ the time was the Ithemes security plugin to which @ the time was scoring well in the plugin depository, although this was some time ago, my views on whether a security plugin is still essential still remains a big ? in my way of thinking.

    So without further adue, here is the response my Dev gave me when I mentioned this particular security plugin.

    My Job given to Dev:
    Align Ithemes security as much as possible for better security of my site|
    I am aware that some functions such as admin logins are being disabled.

    My Dev's Response:
    I really wouldn't worry about this. WPE is a high quality host that takes care of security scanning and automated backups for you at the server level. You're not using many plugins, and you keep everything up to date. Both WPE and your plugins protect against brute force attacks, and WPE will actively remove any known-bad plugins.

    Even if the site was hacked, recovery would be as simple as a one-click restore.

    If you want to invest in additional security, I'd recommend looking into two things: VaultPress, which can create a real-time backup and changelog of the site, and SSL, which will encrypt your login/admin.

    Several of the items iThemes lists are either inaccurate or unnecessary. For example:
    The front page of your site is not using a safe version of jQuery or the version of jQuery cannot be determined. – Already addressed, but not reported correctly on the iThemes panel.
    Your website is not protected against bots looking for known vulnerabilities. Consider turning on 404 protection. - Not really a concern if you're running up to date code and a good host.
    Your WordPress Dashboard is available 24/7. Do you really update 24 hours a day? Consider using Away Mode. – That's just silly, and bound to be inconvenient if you ever go anywhere or have someone else login.
    Your site is performing scheduled database backups but is not backing up files. Consider purchasing or scheduling BackupBuddy to protect your investment. – Yes, it is backing up files.
    Your WordPress Dashboard is using the default addresses. This can make a brute force attack much easier. – Not really true. This is called security by anonymity, and is poor protection. IP addresses that have more than a couple failed logins are blacklisted.
    XML-RPC is available on your WordPress installation. Attackers can use this feature to attack your site. Click here to disable access to XML-RPC. – XML-RPC is already disabled.
    Your database table prefix should not be wp_. – Also security by anonymity. And a big headache/buggy to change. Protecting the DB is done through escaping user inputs and ensuring proper file permissions.

  • Justin

    May be Defender addresses different aspects of wp security, I am unaware of its under the hood capabilities, but I am trying to minimise plugin use, I wish not to have unnecessary, as I am aware that this can also strain a sites speed & you have more chance of conflicts.
    I do need to address my current use of plugins to determine whether there are plugins I can actually remove at my current stage of development but this is all part of my learning cycle.

  • Ivan Shulev

    Hey Justin ,

    I hope you are having a nice day so far!

    WARNING: The following message is my personal opinion :slight_smile:

    You and your Dev have very good points, regarding security, user experience and the careful balance between having a bulletproof site and unnecessary heavy pages.

    If you feel confident in the security you have so far, I would advise in moving forward without Defender. As you said, you don't need double-checks which will only make your site slower and add a big amount of functionality over which you have little control and that might eventually cause conflicts.

    Since you have daily backups, it will be easy to rollback. I would follow the advise of your Dev for using a plugin for backing up your files just to be extra safe. If you feel adventurous, you can skip this :slight_smile:

    Since you have a dev by your side and a good idea of what you want and what your site might need, you won't have much trouble.

    That was all from me and I wish you an awesome day ahead!


Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.