WordPress security plugins are incredibly popular. A quick search for “security” plugins on WordPress.org reveals the five top options have over ten million active installs combined. However, despite that popularity, we’re here to tell you that you don’t have to use security plugins for a WooCommerce website (and in fact, you shouldn’t).
Security plugins aren’t magic. They help you secure your website in ways that you can do yourself. Learning how to protect your WooCommerce website without relying on a security plugin will make your website much safer in the long run.
In this article, we’ll go over four reasons why you shouldn’t use security plugins in WordPress and WooCommerce websites. Let’s get to it!
1. Security Plugins Will Impact Your Site’s Performance
With most plugins, there’s a small tradeoff between enabling you to add new features to your website and “bloating” it with scripts that you might not need. Usually, that tradeoff is barely noticeable.
By “noticeable” we mean that most plugins won’t have a visible impact on your site’s performance. However, security plugins are among the exceptions to that rule because they tend to be massive. To give you an idea, here’s a quick overview of all the options that Wordfence – the most popular security plugin among WordPress users – offers you:
With Wordfence, you get a WordPress firewall, scanning, and IP blacklisting tool all in one. That’s without counting features such as activity reports, performance optimization tools, website scan scheduling, and more.
WordPress security plugins as a whole try to pack as many tools and features as possible into one box to outcompete each other. That translates to bloated plugins that add dozens or hundreds of scripts to your website, which can slow loading times considerably. If your WooCommerce store is already a bit slow, adding a security plugin to the mix will only make things worse.
2. There Are Better Firewall Options
Most WordPress security plugins offer some type of firewall functionality. That means they’re capable of detecting and blocking malicious traffic to your website, which protects you against Distributed Denial of Service (DDoS) attacks or attempts to “infiltrate” your admin.
The problem with plugin firewalls is that they’re often limited in terms of functionality. To get the best possible features and defense, you need to pay for a premium license. A far better alternative is to use a service such as Cloudflare, which offers both Content Delivery Network (CDN) and firewall functionality and comes with a free plan.
To be fair, most firewall software for websites tends to be premium and Cloudflare does offer paid plans with additional features. However, having access to a free firewall is perfect for a new WooCommerce store.
Additionally, using a third-party solution means less work for your servers and better overall store performance. Combine that with a CDN and your store should load blazingly fast regardless of where customers visit from.
3. You Can Disable The Option to Edit Theme and Plugin Files Manually
If an attacker gains access to the WordPress admin, they can do pretty much whatever they want with your store. The biggest targets when it comes to attacks tend to be plugin and theme files. Attackers can add malicious code to your website by modifying these files and it will remain there until you notice or update them.
Technically, WordPress security plugins prevent that from happening by helping you limit access to the admin. However, you don’t need a security plugin to do that as there are plenty of ways to protect your theme and plugin files, including:
- Restricting permissions for user roles. Not all user roles need access to every tool within the WordPress admin. As a rule of thumb, only administrators should have full access to WordPress tools.
- Using strong FTP and login credentials. Strong credentials for your admin account are the best line of defense against attackers. As a rule of thumb, you should update passwords often, add Two-Factor Authentication (2FA), and use strong passwords.
Disabling the WordPress plugin and theme editors is easier than you might think. All you have to do is add a single line of code to the wp-config.php file, which only you should have access to:
define( 'DISALLOW_FILE_EDIT', true );
That code will remove the option to access both the theme and plugin editors from the WordPress dashboard. The editors will disappear for you too, but to be fair, there’s no reason to use them when you can edit files manually using FTP.
4. WordPress Enables You to Disable Plugin and Theme Uploads
Another advantage of the previous method is that it also disables the option to upload plugins and themes from the dashboard:
That might seem overboard, but there’s no reason why users other than you should be able to upload plugins or themes. In our experience, poorly-coded plugins are one of the biggest sources of vulnerabilities in WooCommerce stores.
You also have to consider outdated plugins and themes, add-ons that cause compatibility issues with one another, and performance issues. All in all, it’s far safer to disable the option to upload plugins via the dashboard. You’ll still be able to install add-ons via FTP, which is far safer and means you’ll be the only person with access to that functionality.
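An added example (not from the original article or from WordPress itself): a small Python audit that reads a wp-config.php and reports which dashboard file features remain available, covering the editor setting from section 3 and the upload setting from this section. In WordPress core, DISALLOW_FILE_EDIT removes only the theme and plugin editors, while DISALLOW_FILE_MODS is the constant that also blocks plugin and theme installs and updates from the dashboard. The function names and the sample config are constructed for illustration.

```python
import re

# Constants audited. DISALLOW_FILE_EDIT is the line the article adds;
# DISALLOW_FILE_MODS is the core constant that blocks installs and updates.
HARDENING = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# Keep string literals, blank out PHP comments, so that '//' inside a URL
# survives and a commented-out define() is not counted as active.
_STR_OR_COMMENT = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|//[^\n]*|#[^\n]*""",
    re.S)
_DEFINE = re.compile(
    r"""\bdefine\s*\(\s*(['"])(\w+)\1\s*,\s*([^)]*?)\s*\)\s*;""", re.I)


def audit_wp_config(source: str) -> dict:
    """Return 'on', 'off' or 'missing' for each hardening constant."""
    code = _STR_OR_COMMENT.sub(
        lambda m: m.group(1) if m.group(1) is not None else " ", source)
    status = {name: "missing" for name in HARDENING}
    for m in _DEFINE.finditer(code):
        name, value = m.group(2), m.group(3).strip().lower()
        # PHP keeps the first definition of a constant; later ones are ignored.
        if name in status and status[name] == "missing":
            # Only a literal true/1 counts; anything else needs human review.
            status[name] = "on" if value in ("true", "1") else "off"
    return status


def dashboard_exposure(status: dict) -> dict:
    """Which file features an admin account can still reach in the dashboard."""
    mods_blocked = status["DISALLOW_FILE_MODS"] == "on"
    edit_blocked = mods_blocked or status["DISALLOW_FILE_EDIT"] == "on"
    return {"file_editors": not edit_blocked,
            "plugin_theme_install": not mods_blocked}


# Constructed sample config, not taken from a real site.
SAMPLE = """<?php
define( 'WP_HOME', 'https://shop.example' );   // constructed value
// define( 'DISALLOW_FILE_MODS', true );
define( 'DISALLOW_FILE_EDIT', true );
"""

if __name__ == "__main__":
    result = audit_wp_config(SAMPLE)
    print(result, dashboard_exposure(result))
```

On the sample, the editors are reported as blocked but plugin and theme installs are still reachable, because the only DISALLOW_FILE_MODS line is commented out.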
WordPress security plugins can be useful tools. However, they seldom add any features that you can’t implement for your store manually. A seasoned WooCommerce developer will be able to increase security at the server level, without installing plugins that slow your website down or open you up to further vulnerabilities.
Let’s recap some of the many reasons why you don’t need to use a WordPress security plugin for your store:
- Security plugins will impact your site’s performance.
- There are better firewall options.
- You can disable the option to edit theme and plugin files manually.
- WordPress enables you to disable plugin and theme uploads.
Do you have any questions about how to protect your WooCommerce website without using security plugins? Let’s talk about them in the comments section below!