Many Reputable WordPress Security Plugins Won’t Protect Your Website From a Vulnerable Plugin
There is lots of advice out there on dealing with the security risk posed by WordPress plugins, much of it written by people who likely don’t have your best interest at heart when providing it. Take one example we recently looked at, where bad advice was being handed out and used to promote security solutions that pay affiliate revenue to the advice giver.
In a post on the website of Elegant Themes, it was claimed that reputable security plugins can protect websites if a vulnerable plugin is in use:
We’ve written plenty about WordPress security plugins, so I won’t belabor this point too much. But using a reputable security plugin can protect your site if a vulnerable plugin manages to slip through the cracks.
Don’t use it as your only line of defense. But as a last line of defense. It’s an absolute must.
If you look at the results of the testing we have done of security plugins, many of the best-known ones don’t even have the capability to protect against vulnerabilities in other plugins. Even the ones that do don’t provide a lot of the protection that they could. Considering we are the only ones that have done that type of testing, this advice was being given by someone who almost certainly didn’t know if what they were saying was true.
The quoted text linked to a post for the “7 Best WordPress Security Plugins in 2023”. The first thing you see on that page is the following info box promoting three plugins:
Well, actually two plugins, as the third item being promoted is a service, not a plugin.
Beyond one of those being a service, not a plugin, those three are an odd assortment. One of the plugins is a logging plugin. Also, the two plugins would not likely be considered the best ones.
What explains those choices? The links for all three are affiliate links. So this is basically marketing being promoted as helpful information. As we noted recently, one of those, iThemes Security, now under the new name Solid Security, is promoted mainly as protecting against a threat that isn’t happening. That hardly seems like something you should be able to say about the best security plugin.
The rest of the information in the post is unsurprisingly not all that helpful. Here is who they say the plugin Wordfence Security is for:
… you’re looking for a premium tool with flexible pricing. The cost varies depending on how many licenses you’ll need. As such, it’s a solid option if you plan to use it on multiple websites or for your clients’ sites.
The more sites you plan to use this plugin for, the less expensive the premium version becomes. Of course, the free version also comes with many helpful features and can be a great solution.
Wouldn’t you want the best plugin, not one that has flexible pricing? Among the plugins they listed, Wordfence Security is the best at protecting against vulnerabilities in other plugins. But it leaves a lot to be desired, including providing real-time protection that is months or over a year behind better options.