Yes, they absolutely do!
WordFence is the #1 plugin I install on any new WordPress sites I create, and it's installed on every single one of my existing WordPress websites.
A security plugin can monitor a lot of things for you as the site owner or admin:
- Monitoring successful logins
- Login attempts
- Throttling login attempts
- Preventing PHP execution in the uploads folder
- Firewall to detect malicious traffic and "protects against a number of common web-based attacks as well as a large amount of attacks specifically targeted at WordPress and WordPress themes and plugins" - especially useful because it's learning in real-time from 100s of thousands of websites around the world
- Protect against SQL Injection, Malicious File Upload, Cross Site Scripting (XSS), Directory Traversal, Local File Inclusion, etc
- Malware scanner to scan files on your website to make sure neither WordPress nor other files have been compromised ("checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections")
- IP banning (both manual as well as database-learned)
- Hiding WordPress version (which can be used by hackers to target vulnerabilities in older versions)
- Brute-force protection
- Locking out invalid username login attempts
- Banning certain usernames
- Enforce strong passwords
- Preventing users from using usernames like "admin" when registering
- Prevent discovery of usernames
- Block IPs that send POST requests with blank User-Agent and Referer
- Blocking fake Google crawlers trying to spoof Google user-agent
- Country-based blocking
The list goes on.
You can no longer afford to run a WordPress website without WordFence installed. That’s just... begging to get hacked 🙂
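
Two of the checks in the list above (POST requests with blank User-Agent and Referer, and repeated login attempts) can be seen in a web server access log. The following is an added example, not part of the original answer and not Wordfence's own code; it assumes Combined Log Format, a login threshold of 3, and constructed sample lines.

```python
import re
from collections import Counter

# Combined Log Format:
# ip - user [time] "METHOD path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def is_blank(value):
    # A missing header is logged as "-" (or as an empty string)
    return value.strip() in ("", "-")

def analyze(lines, login_threshold=3):
    """Return (blank_header_ips, login_flood_ips) for POST requests."""
    blank_ips = set()
    login_posts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue  # unparsable line or not a POST
        if is_blank(m["referer"]) and is_blank(m["ua"]):
            blank_ips.add(m["ip"])
        if m["path"].split("?")[0] == "/wp-login.php":
            login_posts[m["ip"]] += 1
    # login_threshold is an assumed value, tune it for the site
    flood = {ip for ip, n in login_posts.items() if n >= login_threshold}
    return blank_ips, flood

# Constructed sample log lines (documentation IP ranges, example.com)
T = "[10/Mar/2024:10:00:01 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"',
    f'192.0.2.10 - - {T} "GET / HTTP/1.1" 200 512 "-" "-"',
    f'192.0.2.44 - - {T} "POST /wp-comments-post.php HTTP/1.1" 302 0 '
    f'"https://example.com/post/" "-"',
] + [
    f'198.51.100.23 - - {T} "POST /wp-login.php HTTP/1.1" 200 1234 '
    f'"https://example.com/wp-login.php" "Mozilla/5.0"'
] * 3

if __name__ == "__main__":
    blank, flood = analyze(SAMPLE)
    print("POST with blank User-Agent and Referer:", sorted(blank))
    print("Repeated login POSTs:", sorted(flood))
```
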