Recently, we looked at one inaccurate recommendation by a major web host, SiteGround, suggesting that you shouldn’t use WordPress security plugins that can actually protect against vulnerabilities. Along those same lines, they have some troubling advice when it comes to whether you need a security plugin. They wrote this:

The answer depends on whether you’re willing to put in the work to secure your site manually. If you’re on board with that idea, then no. If you don’t feel like you can put in the work to secure your WordPress manually, then yes, installing an all-in-one security plugin

This is quite an odd statement. There are plenty of elements of security that you can not implement manually. For example, you are not going to manually block malicious requests to a website, as a firewall plugin can do in an automated fashion.

It sounds like SiteGround doesn’t have a great understanding of what security plugins can do, which is troubling considering they are pre-installing their own all-in-one security plugin on their customers’ websites, but in line with them seeming to not understand WordPress security generally.

What is, in our view, good advice, is to not use an all-in-one security plugin and instead use plugins that only provide the functionality you need. A recent test we did of security plugins ability to protect against a vulnerability that was in one of those all-in-one security plugins showed that most of the plugins that provided protection against this were firewall plugins, not all-in-one plugins.