Because of its popularity, WordPress is a juicy target for malicious actors around the world. And since a hacked website is pretty much every webmaster’s worst nightmare, it’s a good idea to look for a little extra protection for your site.
In our hands-on Security Ninja review, we’re going to take a look at a popular freemium security plugin that helps you implement both basic hardening tactics and proactive monitoring and protection.
We’ll start with an introduction to what the plugin does. Then, we’ll give you a hands-on look at what it’s like to use Security Ninja on your site.
Let’s dig in!
Security Ninja Review: What the Plugin Does
In a nutshell, Security Ninja aims to be a complete solution for WordPress security. That is, it offers a comprehensive approach to security, rather than only focusing on a single area.
To that end, it offers a few different types of features:
Basic hardening tweaks to follow general security best practices
Login protection to protect against brute force attacks
Firewall to proactively block threats
Security vulnerability scanning/detection to find potential issues
Malware scanning to find and remove malicious files
Visitor logging to track suspicious activity
It also includes features to help you more easily keep track of your website’s security status, such as email notifications.
Let’s go through them…
Basic Hardening Tweaks
First off, Security Ninja can help you implement a number of basic hardening tweaks and security best practices.
This is not a complete list, but here are the types of protections that I’m talking about:
Disable in-dashboard file editing
Hide WordPress version number
Enable security headers
Disable application passwords
You also get a comprehensive set of features to protect your login page from brute force attacks:
Change the login page URL
Limit login attempts (like the security that your online banking uses)
Safelist/blocklist certain IP addresses
Hide login errors that tell people if an account exists
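As an added example (not Security Ninja’s own code), here is a small must-use plugin that applies the four hardening tweaks above, plus the login-error hiding, using standard WordPress hooks. It assumes the file lives at wp-content/mu-plugins/hardening.php; the header values and the hardening_strip_core_version function name are my own choices.

```php
<?php
/**
 * Plugin Name: Baseline hardening (added example)
 * Drop this file in wp-content/mu-plugins/ so it loads before every other plugin.
 * Illustrative example, not Security Ninja's code.
 */

// 1. Disable the in-dashboard theme/plugin file editor. WordPress checks this
//    constant at runtime, so defining it here is equivalent to wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Hide the WordPress version: drop the generator meta tag/feed element and
//    strip the ?ver= query string that reveals the core version on assets.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function hardening_strip_core_version( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hardening_strip_core_version' );
add_filter( 'script_loader_src', 'hardening_strip_core_version' );

// 3. Send a baseline set of security response headers on front-end responses.
//    Add a Content-Security-Policy tuned to your own site once you know its assets.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
} );

// 4. Disable application passwords (REST API credentials) if the site
//    does not need them.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// 5. Replace the detailed login errors that reveal whether a username exists.
add_filter( 'login_errors', function () {
    return __( 'Login failed. Please check your credentials.' );
} );
```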
Firewall to Block Threats
To block threats elsewhere on your site, Security Ninja includes its own proactive firewall, including an option to enable cloud-based protection that automatically blocks 600+ million known malicious IPs.
You can also block suspicious page requests, as well as set up geo-blocking rules to block visitors from certain countries.
Security Vulnerability Scanning/Detection
Security Ninja includes a number of different features to detect issues or vulnerabilities on your site.
First off, you can test your site’s configuration against 40+ potential issues, such as the strength of your database password, out-of-date extensions, PHP version, and more.
For many problems, you can fix the issue with the click of a button if you fail the test.
Second, Security Ninja will monitor your installed plugins for known vulnerabilities. If it detects one, it will alert you right away so that you can update the plugin (if the developer has patched the issue) or switch to a different tool.
Third, you can scan the core WordPress files for file integrity. Security Ninja will alert you if core files have been modified or any other files have been added. This is a sign that your site may have been hacked.
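To show what a core file integrity check of this kind does, here is an added example in PHP (not Security Ninja’s scanner) that compares a directory tree with a manifest of expected MD5 hashes and reports modified, missing and added files. The scan_core function name, the demo tree and the manifest are constructed for the example; a real scan would use the checksum manifest WordPress publishes for the installed version.

```php
<?php
// Added example, not Security Ninja's scanner: compare a directory tree with a
// manifest of expected MD5 hashes and report modified, missing and added files.
// A real scan would load the manifest for the installed release from
// https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>.

function scan_core( string $root, array $manifest ): array {
    $report = [ 'modified' => [], 'missing' => [], 'added' => [] ];
    $seen   = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        // Path relative to the install root, normalised to forward slashes.
        $rel = str_replace( '\\', '/', substr( $file->getPathname(), strlen( $root ) + 1 ) );
        $seen[ $rel ] = true;
        if ( ! isset( $manifest[ $rel ] ) ) {
            $report['added'][] = $rel;        // file the release does not ship
        } elseif ( md5_file( $file->getPathname() ) !== $manifest[ $rel ] ) {
            $report['modified'][] = $rel;     // contents differ from the release
        }
    }
    foreach ( array_keys( $manifest ) as $rel ) {
        if ( ! isset( $seen[ $rel ] ) ) {
            $report['missing'][] = $rel;      // shipped file that is gone
        }
    }
    return $report;
}

// Constructed demo tree in a temp directory (stands in for a WordPress install).
$root = sys_get_temp_dir() . '/wp-core-demo';
@mkdir( "$root/wp-includes", 0700, true );
file_put_contents( "$root/index.php", "<?php // stock index\n" );
file_put_contents( "$root/wp-includes/version.php", "<?php // edited locally\n" );
file_put_contents( "$root/wp-includes/class-rogue.php", "<?php // not in core\n" );

// Constructed manifest: one entry matches, one differs, one file is absent.
$manifest = [
    'index.php'               => md5( "<?php // stock index\n" ),
    'wp-includes/version.php' => md5( "<?php // as shipped\n" ),
    'wp-admin/about.php'      => md5( 'placeholder, not a real checksum' ),
];
print_r( scan_core( $root, $manifest ) );
```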
Beyond that, there’s also another useful type of scanning…
In case a malicious file somehow makes it onto your server, Security Ninja also includes its own malware scanner, which looks for suspicious files outside the core WordPress files.
If a file is genuine (false positive), you can safelist it to avoid it appearing in the future.
Security Ninja also helps you keep track of what’s happening on your site with two different tools:
An event logger to keep track of the actions that logged-in users take on your site, such as installing a new plugin.
A visitor log to show the actions of every single visitor to your site (along with an option to easily ban the IP address of malicious visitors). For example, you can find people who are trying to access your login page.
Tools to Monitor Security Status
To help you keep track of your site’s security without needing to log into the dashboard every day, you get a few different tools.
First, you can set up automatic email alerts for important issues. That way, you’ll only need to check in if you get a notification to your email address.
Second, if you’re using MainWP to manage multiple sites from one dashboard, there’s an extension for MainWP that lets you manage security for all of your sites from the unified MainWP dashboard.
How to Use Security Ninja to Protect Your Site
Now that you know what the plugin does, let’s get into what it’s like to actually use Security Ninja on your WordPress website.
Complete the Setup Wizard
When you first activate Security Ninja, it will prompt you to run its built-in security wizard, which will help you configure some important baseline settings for your site.
First, you can activate firewall protection to proactively stop threats and ban malicious IP addresses:
Next, you can choose whether to activate an array of default security measures. You can always deactivate some of these later if you don’t want them.
And that’s it for the basic setup wizard!
Configure More Advanced Settings
To access more advanced settings at an individual level, you can next head to Security Ninja → Fixes.
Here, you’ll see a list of all the potential security fixes that Security Ninja can make for you.
For each fix, you get a simple toggle button to enable or disable that specific fix:
The screenshot above doesn’t show the full list of available fixes.
You can also access some firewall-specific settings by going to Security Ninja → Firewall. For example, you can choose whether or not to use the cloud-based firewall rules or set up country-specific geo-blocks for your site:
Further down the page, you get some other options for hardening, including protecting your login page. For example, you can change the login page URL, limit login attempts, safelist/blocklist certain IP addresses, and more:
Run Security Scans
That’s mainly it for the actual settings in Security Ninja.
Most of the other features involve scanning your site.
Security Ninja gives you a few different options to scan your site:
Security Tests – these let you test specific aspects of your site’s configuration to detect potential issues. For example, you can test whether there’s out-of-date software, if debug mode is enabled, response headers, and more.
Vulnerabilities – this tab automatically checks your plugins for known vulnerabilities.
Core Scanner – this test scans the core WordPress files to see if they’ve been modified or files have been added.
Malware – this lets you scan your site for malware.
For the Security Tests option, you can first use the checkboxes to choose which tests you want to run. For a comprehensive test, you can easily check all of the boxes.
Then, you can click Run Tests to start the test:
After a short wait, you’ll see the results of each individual test, as well as a summary at the top.
If you click the Details option next to a test, you can see specific information about that test. For some tests, you’ll also get a one-click option to fix the problem:
The Vulnerabilities test will automatically check your WordPress plugins and themes for known vulnerabilities.
Unlike the previous test, you don’t need to manually run it – it will always alert you. You’ll see large alerts in your dashboard and you can also configure email warnings:
I think this is a really handy feature because plugin vulnerabilities are a common way for sites to get hacked. By getting these alerts right away, you can promptly update the affected plugin and avoid problems.
For the Core Scanner test, you just need to head to that tab and click the Scan core files button.
Security Ninja will then check all of the files. If everything looks good, you’ll see a “No problems found” message:
To run a malware scan, you’ll head to the Malware tab and click the Scan your website button.
You’ll now have a short wait – it could be anywhere from a few seconds to a few minutes depending on the size of your site:
When it’s finished, you should see the results of the test.
In some cases, Security Ninja might flag a file that’s legitimate. To avoid these false positives in the future, you can safelist that specific file so that it no longer shows up in the scan.
How to Schedule Tests
In addition to running tests manually, you can also schedule tests to run on certain schedules and automatically send yourself an email report with the results.
You can set this up from the Scheduler tab:
The last key piece of functionality is Security Ninja’s logging, which comes in two main formats.
First, you can see a log of specific events that have happened on your site by going to the Events tab.
For example, you can see that it was already able to log a failed login attempt:
Second, you can go to Security Ninja → Visitor Log to see each individual visitor to your site, along with the actions that they’ve taken. You can also quickly ban an IP address if you detect malicious activity:
And that’s pretty much it for what it’s like to use Security Ninja to protect your site!
Security Ninja Pricing
Security Ninja comes in both a free version at WordPress.org as well as a premium version that adds more advanced features.
In general, the free version focuses mostly on basic hardening strategies, including 50+ security tests across a range of areas.
For more comprehensive protection, you can upgrade to Security Ninja Pro. Here are some of the most notable features that you get with the Pro version:
Firewall, including blocking suspicious page requests, countries, and so on.
WordPress core scanner.
Automatic fixing for some tests (the free version requires you to manually make changes).
Scheduled security scanning.
If you want access to Security Ninja Pro, there are four different paid plans that are available on a monthly or annual payment basis.
All of the plans are full-featured – the only difference is the number of sites upon which you can activate the plugin:
Starter – one website – $39.99 per year or $6.99 per month.
Plus – three websites – $99.99 per year or $12.99 per month.
Pro – five websites – $149.99 per year or $18.99 per month.
Agency – ten websites – $199.99 per year or $29.99 per month.
Here are the yearly plans:
And here are the monthly plans:
You can also test out the premium features with a 14-day free trial. You will need to enter your credit card to activate the trial, but you won’t be billed until after 14 days. The plugin will also send you a reminder before billing starts and the cancellation process is frictionless – you just need to click a few buttons.
Final Thoughts on Security Ninja
Testing security plugins is always a bit tricky because it’s hard to simulate a real security attack, that is, a malicious actor trying to infect my site with malware.
With that being said, I can make a few hands-on conclusions based on my experience.
First off, I think that the Security Ninja interface is really well done. It’s clean and easy to use while still giving you a good amount of detail.
Second, you get a good number of features to protect your site.
Third, you get tons of basic hardening rules. I would say Security Ninja makes it easy to implement pretty much all the basic stuff, such as disabling in-dashboard file editing and properly configuring response headers.
You also get more proactive protection, especially with the premium version, such as the firewall, login protection, and malware scanning.
I also really liked that it was able to automatically detect known vulnerabilities in installed plugins. I think this feature can really help encourage people to apply updates quickly, rather than waiting to update their plugins.
Based on those experiences, Security Ninja seems like another quality option for WordPress security.
If you want to test it out, you have three options:
You can install the free version from WordPress.org to access the basic features.
You can use the 14-day free trial to test out all of the features in Security Ninja Pro.