The Limitations of Website Security Plugins

If you’re a website owner, you’re probably using a myriad of plugins, either to add functionality to your website or simply to enhance its aesthetics. You might even be using a security plugin on your site. However, though affordable and convenient, website security plugins may cause complications and may not even be protecting your site as well as you’d desire them to.

WordPress is the most popular CMS, and its plugin repository is filled with hundreds of security plugins. Many users assume that simply installing a security plugin will prevent their sites from getting hacked. While we don’t intend to discourage the use of security plugins, users should be aware of the possible downsides associated with them. The following are potential issues you may come across:

1. Login inaccessibility

For any CMS, the admin login page is undoubtedly the most highly targeted by hackers since it can allow them unauthorized access to your website. That is why a plugin that limits the number of login attempts can be useful to many website owners. However, certain security plugins have the potential to lock admins out of their own site, and as a webmaster or admin, nothing is worse than being unable to access your website.

Though they can help prevent brute force attacks, or even denial of service (DoS) attacks when the high traffic is aimed at the admin login page, these security plugins have their drawbacks. If you forget your password and attempt to log in multiple times, or if multiple logins are happening at once, this might trigger an issue with the plugin.
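The lockout scenarios described above can be reproduced with a small model of a login limiter. This is an added example, not code from the original article or from any particular plugin; the class, thresholds, usernames and the documentation IP address are all assumptions made for illustration.

```python
from collections import defaultdict, deque

class AttemptLimiter:
    """Sliding-window failed-login limiter; key_fn picks what shares a counter."""

    def __init__(self, key_fn, max_failures=3, window=300, lockout=900):
        self.key_fn, self.max_failures = key_fn, max_failures
        self.window, self.lockout = window, lockout  # both in seconds (assumed values)
        self.failures = defaultdict(deque)  # key -> recent failure timestamps
        self.locked_until = {}              # key -> time the lockout ends

    def is_locked(self, ip, user, now):
        return self.locked_until.get(self.key_fn(ip, user), 0) > now

    def record_failure(self, ip, user, now):
        key = self.key_fn(ip, user)
        recent = self.failures[key]
        recent.append(now)
        while recent[0] <= now - self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            recent.clear()

    def record_success(self, ip, user):
        self.failures.pop(self.key_fn(ip, user), None)

def blocked_valid_logins(limiter, events):
    """Replay (time, ip, user, password_ok) events; return refused correct logins."""
    refused = []
    for now, ip, user, password_ok in events:
        if limiter.is_locked(ip, user, now):
            if password_ok:
                refused.append((now, user))
        elif password_ok:
            limiter.record_success(ip, user)
        else:
            limiter.record_failure(ip, user, now)
    return refused

# Constructed sample events; 203.0.113.10 is a documentation address.
OFFICE = "203.0.113.10"
SHARED_IP = [(0, OFFICE, "editor1", False), (5, OFFICE, "editor2", False),
             (9, OFFICE, "editor3", False), (20, OFFICE, "admin", True)]
FORGOT_PASSWORD = [(0, OFFICE, "admin", False), (10, OFFICE, "admin", False),
                   (20, OFFICE, "admin", False), (30, OFFICE, "admin", True)]

def by_ip(ip, user): return ip                   # one counter per address
def by_ip_and_user(ip, user): return (ip, user)  # one counter per address and account
```

With a per-IP counter, three colleagues mistyping once each from the same office address is enough to refuse the admin's correct password. Counting per address and account avoids that case, but the forgotten-password sequence still ends in a lockout under both keyings.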

2. Customer support issues

For most CMS platforms, there is rarely a specialized technical support team that handles inquiries in real time to deal with issues you may face with these security plugins. Typically, customer support comes in the form of support threads and forums or something similar. WordPress, for example, has one that looks like this. Because users are utilizing different themes and using a combination of different plugins, each situation is unique. This makes it difficult to get a clear-cut answer most of the time, which also means your ability to respond promptly to hacking incidents is restricted. Oftentimes, you’ll already be too late.

Another major downside with security plugins is not having a platform to report a security issue. Security these days is offered as a service, either paid or unpaid. And because it’s a service, it typically comes with quality technical or customer support, guiding users each step along the way, unlike with security plugins.

3. The “untrustworthiness” factor of security plugins

While there are a number of plugins available, not all come from a trusted entity. These days it’s easy for anyone to develop a plugin and make it available for anyone to download online.

As a website owner, it is up to you to evaluate the plugin and decide if it’s reliable. When a plugin has not been updated in months or years and has been left in the wild, so to speak, it opens up the possibility of it messing with your current CMS version or exposing you to potential risks and threats that come with the outdated plugin. Just because a plugin was highly commented and reviewed in the past doesn’t mean it will be a good fit for your current website.

4. Inability to handle zero-day vulnerabilities or modified attacks

Security is never perfect, but relying solely on security plugins exposes you to certain kinds of attacks that can’t be thwarted with a mere plugin. There is no straightforward way to address zero-day attacks, for example, because the hacker has already exploited a vulnerability before the security vendor even takes notice.

This means that even if your security plugin updates automatically, you won’t be entirely protected. Even a highly rated Web Application Firewall (WAF) plugin would not be able to capture the full scope of potential attacks. In addition, false positives, which refer to legitimate traffic mistakenly identified as malicious, may cause you to lose precious site visitors among other things.

Perhaps the fact that a security plugin is free is appealing to many, but sometimes that can do more harm than good, especially when you care about securing your website. Plugins are great if you are a casual blogger, but if you have a huge following or run an ecommerce site, security plugins may not be adequate. Luckily, there are other ways to secure your site which offer amplified protection at little to no cost at all. We are not suggesting that you take a passive approach to security but are in fact encouraging the adoption of other security alternatives. For more on what you can do to actively protect your website, check out this blog post on a guide to the three layers of website protection.