It shouldn’t matter if you use a premium or free version of a plugin. The free version should also be safe! That is the responsibility of the plugin builder.

That’s how we think about it.

But…

Unfortunately, we have come across several examples that show that a premium / pro plugin is updated sooner in the event of a leak than the free version.

Various plugins have vulnerabilities not fixed for months in the free version!!

Some examples where the premium / pro version is more secure than the free version:

WordFence Security

WordFence is a plugin that protects your WordPress website. And yes, the free version is pretty safe and up-to-date as well.
But..

they update the free version once a month

As they say themselves “every thirty days“.

The premium / pro version you get paid for live updates. So immediately when it is needed. Both the files and the firewall that prevent hacks are kept up-to-date live.

iThemesSecurity

Also a plugin with which you secure WordPress. iThemes Security gives the paid version much more attention than the free version. A security update is implemented quite smoothly in the premium version but..

sometimes an exploit hangs for weeks to months in the free version

Various other plugins

There are many examples of plugins where leaks occur that the plugin builders get reported.
The patch (fix against the hack) will then be implemented in the premium / pro version after 5-10 days, but the free version will be left behind.

Sometimes a leak remains in the plugin for months after a leak is known and it even disappears from the WordPress plugins database

The good news

When free plugins are on WordPress.org, they will be removed until the leak is fixed.
There are several parties that report leaks to WordPress and there is a zero tolerance policy regarding leaky plugins.

A leak / exploit, what should I imagine?

Some examples of recent plugin vulnerabilities:

1. The administrator leak
   It often happens that a vulnerability in a plugin allows an administrator account to be created.
   If a hacker or script has access with administrator rights, they can do anything they want.
   Usually advertising is placed in your website, or a script is uploaded that allows advertising to be sent through your website to thousands of addresses.
   And then the rest of the administrators will be removed. In short, you no longer enter your website to undo the hack.
   It goes without saying that when this vulnerability becomes known, it must be resolved as soon as possible and must not sit in a website for weeks or months.
2. The database injection
   Plugins often have input fields on the front-end of your website. Think of review plugins, contact forms, etc.
   If those fields are not properly secured, a hacker or script can simply misuse them to put data in your database.
   Within 1 second, such a script can create administrators in the database, implement text changes throughout your entire website, with all the consequences that entails.
3. The newsletter hack
   Do you have a newsletter form? Where visitors can register? In the past, leaks in such plugins have been found that allowed the hacker to add their email address as a login address. This means that every registration of a visitor was also known to him. You wonder what a hacker can do with that, but large numbers of email addresses with names are worth money. Advertising is sent to it. There are people who buy lists of email addresses and first + last names.
   Another leak that you don’t want to be exploited. You don’t realize it quickly, but your users suffer a lot because they get the spam.
4. The WooCommerce leak
   Plugins that improve your webshop often have access to the database. Your database contains all the accounts of your customers. There have been several leaks in the past where plugins gave hackers access to the database and all customer information.
   It goes without saying that such a hack must be fixed immediately or ASAP once it becomes known!

Who tests my website for leaks?

Of course you don’t expect your webshop to be tested often. And that a leak can therefore not be abused so quickly.

Unfortunately, this doesn’t work the way you think.

When a leak becomes known, hackers write scripts that work like this:
1. The script searches for webshops on Google (You are also listed there)
2. The script makes requests on the websites to the known leaky plugins
3. When the leaky plugins found, use the script that known vulnerability to perform a hack

Safe with a security plugin, right?

Even when your website is secure, such a vulnerability can still be exploited. Security allows the (out) operation of plugins, otherwise your website could not function! Keeping the plugins up-to-date so that there are no leaks is therefore very important.

Conclusion

Now that you know that plugin builders are more likely to make the premium / pro version more secure.. you should consider buying a premium. Especially if you depend on your website for income, or if you have a webshop with many customers.

Premium still does not guarantee 100% security, but the examples have shown that it does make a difference.

This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

If you see this message when searching for a plugin on WordPress.org, you may be wondering if the plugin is still safe to use and whether you can install or continue using it.

First of all, if there is a known vulnerability, you can check it on the website wpvulndb.com. Use the search bar to see if the plugin is listed and if there is a vulnerability. A vulnerability means that hackers have found a way to modify your website through insecure code in that plugin.

What does “hasn’t been tested with the latest 3 major releases of WordPress” mean? It means that there have been new releases (updates) of WordPress and the plugin developer hasn’t confirmed testing the plugin on the latest versions of WordPress. This is not uncommon because WordPress releases updates frequently, and it can be challenging for busy plugin developers to keep up. It doesn’t necessarily mean there will be a problem if the plugin hasn’t been tested yet, but the yellow notification appears with every new WordPress release. Since WordPress is often “backwards compatible” and maintains older code to ensure compatibility with plugins and themes, the plugin will usually continue to function on newer versions of WordPress.

What does “It may no longer be maintained” mean? It means that the plugin may not be actively maintained or supported by the developer. You can check if the plugin is still being updated by looking at the last updated date on the plugin page.

5-10 months is generally not a problem. If a plugin hasn’t been updated for 1-3 years, it’s safe to assume that the developer has abandoned it and there will be no more updates.

If there are no updates at all, it is advisable to look for an alternative plugin.

What does “may have compatibility issues” mean? Compatibility issues can arise when plugins are not kept up-to-date. The plugin may no longer work at all, or it may disrupt the styling of your website or cause other functionalities to fail. Sometimes the plugin itself still works fine but triggers an error that affects the functionality of other plugins. As a result, you may mistakenly remove the wrong plugin, thinking it’s causing the issues.

Conclusion: If you see a yellow warning message stating that the plugin is outdated or hasn’t been tested with the current version of WordPress, you should check the last updated date of the plugin. Based on that information, you can determine whether you still want to use the plugin.

The yellow notification itself is not a reason to immediately remove or avoid installing the plugin.

This message provides information about the most downloaded/active security plugins available in the WordPress plugins section on WordPress.org.

What is the most downloaded/active security plugin at the moment?

1. WordFence has 3,000,000 active users.
2. iThemes Security has 1,000,000+ active users.
3. All In One WP Security & Firewall has 800,000+ active users.
4. Sucuri has 700,000+ active users.
5. Cerber Security has 100,000+ active installations.

WordFence

It is surprising that WordFence has three times more users compared to iThemes Security. This could be due to the extensive configuration options of iThemes Security, which may seem a bit complicated for first-time users, or it could be attributed to the marketing efforts of WordFence.

It’s also possible that iThemes Security transitions to a different plugin for its premium version, making the free version inactive. When you upgrade to the pro version, you get a different plugin with the same functionality but with additional features.

WordFence offers a license that provides more features within the plugin itself, which contributes to their higher user numbers.

Is WordFence better than iThemes?

This is a subjective matter of preference and experience. We have been using iThemes for years, and it works well. They collaborate with Sucuri for scanning, and iThemes Security has all the necessary features. We are familiar with these features because we extensively analyzed the 2015 release of iThemes Security to understand its functionality and workings in detail.

iThemes is simply good, and as the saying goes, if something is good, you shouldn’t change it. It could only get worse.

Other security plugins

There is “All In One WP Security,” which is excessively all-encompassing in my opinion. There is also “Cerber,” which, as mentioned earlier, has a relatively low number of active installations. Cerber is an excellent plugin with impressive features that WordFence and iThemes can learn from. It’s surprising and unfortunate that it has fewer users. However, from a marketing perspective, “CERBER” doesn’t sound appealing, does it? It’s not easy to remember.

Is the most downloaded/active security plugin the best?

Well, WordFence and iThemes are currently the best. They have a good cash flow, allowing them to maintain a strong team. Whether they perform better than Cerber or All-In-One Security is still debatable. In the rapidly evolving world of hacking, the best security plugin is the one whose team consistently resolves vulnerabilities first, time and time again, week after week.

A product is only as good as the team behind it, and numbers are only relevant if the team continues with passion. After all, hackers around the world are constantly at work.

In that regard, kudos to all the builders of security plugins!

If you’re looking for a good security plugin

, go for WordFence or iThemes Security.

If you want to ensure that your website is secure, keep in mind that a product is only as good as the team behind it, and you are the weakest link.

Configuring the security plugin correctly is crucial, and this can be a daunting task, not only for website owners but even for WordPress developers.

Why?

You need to enable/disable settings such as XML-RPC, the REST API, directory browsing, and logs.

We spent years perfecting these configurations because certain plugins require XML-RPC or the REST API, and blocking all 404 IPs may not be beneficial.

It’s a specialized skill, a fascinating one. But it’s not something you can do on your own.

Feel free to hire us or ask questions

If you have a serious business website, you can hire us to secure your website. Security is a necessity, especially if you have an online store, not a luxury!

We will provide an affordable invoice with VAT that you can give to your accountant or declare for tax purposes.

If you decide to tackle it yourself, do thorough research like you’re doing now by reading this entire article (kudos to you!). You can learn more on our website in the news section or by searching on Google.

You can also ask questions in the comments. Sometimes, we have busy weeks, but we always do our best to respond within a few days.