If you’re not paying for a premium managed WordPress host, it’s very likely that you’re the only thing standing between your WordPress site and malicious actors.
Now, if you keep everything updated, use reputable extensions, and lock down your login process, your WordPress site will already be pretty secure. But a WordPress security plugin can help you take your security even further and give you the peace of mind that your site won’t have issues.
In this Security Ninja review, I’ll take a look at a freemium security plugin that can help you secure your website in a ton of different ways, including with malware scanning and a cloud firewall.
Keep reading for a hands-on look at everything Security Ninja has to offer and how it works to secure your site.
Security Ninja Review: The Feature List + Who’s Behind It
Security Ninja originally launched on CodeCanyon all the way back in 2011. The team moved it to WordPress.org in 2016 where it’s become active on over 9,000 websites. You can now get the free core version from WordPress.org and purchase a Pro version straight from the developer.
Speaking of the developer, Security Ninja comes from a developer with a number of popular plugins at WordPress.org, including Under Construction, Maps Widget for Google Maps, and WP Reset.
So how does Security Ninja protect your site? Let’s start with the free core version and then I’ll cover the Pro features.
The free core version doesn’t make any changes to your site. Instead, it runs 50+ security tests against your site’s current configuration and tells you what you’re doing well…and what you need to change. With the Pro version, you can fix many of the issues with a single click, but the free version just provides tips and code snippets to help you manually make the needed changes.
You can view a full list of tests at the WordPress.org page, but in general it will test both broad and specific issues. For example, it will test a broad issue like your site’s file permissions, as well as a specific issue like whether your server is vulnerable to the Shellshock bug #6271.
Then, if you upgrade to the Pro version, Ninja Security gets a lot more proactive with seven new modules:
- Cloud firewall – proactively block malicious IP addresses and requests.
- Country blocking – block specific countries from accessing your site.
- Core scanner – scan core files to find changes or files that shouldn’t exist.
- Malware scanner – scan your server to find malicious files.
- Auto fixer – automatically fix many of the issues that the free version of the plugin detects.
- Events logger – log important events inside your dashboard, like when someone edits a file or installs a new plugin.
- Scheduled scanner – schedule your core and malware scans to run automatically.
Hands-On With Security Ninja
I’ll start by quickly showing you how the free version of Security Ninja works. Then, I’ll install the premium version and take you through that functionality.
Free Version Security Checks
Once you install the free version from WordPress.org, you can head to the new Security Ninja area to run 50+ security checks against your site:
Then, you’ll get a list of what you’re doing well and what you’re failing at:
If you failed a test, you can click the Details & Tips button to learn what you have to do to fix the problem, even including sharing code snippets that you can use:
Or, with the Pro version, you can fix many of these issues with a single click. So…let’s check out the Pro version.
One-Click Fix Security Issues
With the Pro version, you can run all of those same security tests. Only, now, you’ll get an Auto Fixer for a lot of the issues that lets you fix the problem. For example, instead of just a code snippet suggestion like you get in the free version, you get a new Apply Fix button that can solve the issue with a single click:
So that’s definitely more convenient. But you also get those other additions that I mentioned in the feature list…
With the Core Scanner tool, you can scan your site’s core files to see if any core WordPress files were modified or if there are extra files that shouldn’t exist.
Having modified or additional files doesn’t automatically mean there’s a problem, but it is definitely something you should check.
If Security Ninja finds any files or changes that shouldn’t be there, you can fix the problem with a single click:
The Malware Scanner scans your server’s files using a “heuristic analysis method that compares their content to patterns and code samples often used by malicious scripts”.
Again, just because Security Ninja flags a file, that doesn’t automatically mean it’s malware (the developer makes a note of this). However, you will want to look closely at any files to make sure the file is supposed to be there.
If you verify that a file should be there, you can whitelist it so that it doesn’t get flagged in the future. Or, you can also delete a file right from the plugin’s interface if you don’t think it should be there:
The Firewall helps proactively protect your site by automatically blocking known malicious IPs and requests (like SQL injection attempts). Security Ninja updates its cloud firewall list every six hours and the current firewall includes around 600 million known malicious IP addresses.
When you enable the firewall, Security Ninja gives you a special recovery link that you can use to access your site in the unlikely situation that your own IP address gets banned:
Then, you can manually configure the firewall features.
At the top, you get two options to automatically:
- Prevent banned IPs from accessing your site.
- Block suspicious page requests.
Then, further down you get the option to automatically block IPs from certain countries and display a message to those visitors or redirect them to a different page:
You can also configure settings to protect your login form by limiting login attempts. You can temporarily ban IP addresses that fail a certain number of times within a certain time period. For example, if there are five failed login attempts in five minutes, you can ban an IP address for two hours.
You can also whitelist known safe IP addresses to avoid them from ever being flagged:
With the Scheduler, you can schedule both your core scanner and malware scans to run on an automatic schedule. You can choose from several different frequencies:
- Once monthly
- Once weekly
- Once every two days
- Twice daily
- Once daily
- Every 5 minutes
- Every minute
One nice feature here is that you can get the report emailed to you but only if something changes. So if all is good, you won’t get an email. But if a new potentially malicious file appears, you’ll know about it right away.
The Event Log feature helps you keep track of what’s happening on your WordPress site and who’s doing what. Basically, it lets you make sure there’s no funny business going on with your own account or other users at your site.
You can log actions for:
- File editor
- Security Ninja
At the top, you can view the actual log, including an option to search through for important actions. For example, you can see that I recently published a blog post on my test site:
Further down, you can configure the settings for how the log functions.
First, for logistics, you can control how long to store logs for and manually delete the log entries.
Then, you can also configure email reports. You can get a digest of “every X events” including an option to only receive notifications for specific events.
For example, you could tell Security Ninja to send you emails when someone publishes a post or edits a file, but not when someone just leaves a comment:
Security Ninja Pricing
You can get started with the free version at WordPress.org, but most of the proactive features are only available in the Pro version.
The Pro version offers monthly, annual, and lifetime billing options.
- 1 site – $8.99
- 10 sites – $29.99
- 50 sites – $69.99
- 1 site – $39
- 10 sites – $99
- 50 sites – $289
- 1 site – $89
- 10 sites – $29
- 50 sites – $869
The annual and lifetime plans are much more affordable than the monthly plans, so I’d really only use the monthly plan to test it out or run some one-off tests.
All plans also come with a 7-day money-back guarantee.
Final Thoughts on Security Ninja
Beyond the features, one thing I have to compliment is the user experience of the plugin. I think Security Ninja is one of the simplest WordPress security plugins that I’ve used.
It does a great job of not overwhelming you with tons of information, while also making it easy to learn more about each specific tip/feature via a built-in knowledge base widget and helpful interface instructions:
As for the security features, the Pro version gives you a good mix between basic hardening/scanning and proactive measures, like the firewall.
All in all, if you want a lightweight, beginner-friendly approach to WordPress security, Security Ninja could be a great option for your site.