Is the lack of focus on usability undermining your WordPress Security?

Sep 8, 2014

Security is the buzzword today. The number of discussion threads that are created everyday on various forums gives a clear indication of its significance. With the growing number of attacks on WordPress sites every year, there is no easy way of securing our sites. Security plugins emerge as a must have for improving WordPress security. The fact that I saw nearly 2500 plugins listed in the WordPress repository on looking up security is proof enough. But how easy is it to setup and use these plugins? The User Interface (UI) plays a crucial role while using these plugins. A wrong or incomplete setting can make all the difference when it comes to securing your site.

In our article Does your WordPress Security Plugin really secure your site? we saw how the latest exploits weren’t prevented by most plugins. In some cases this was merely because they didn’t ship with good defaults. For example, the iThemes security plugin supports disabling PHP execution in the uploads folder. This feature is very effective at preventing attacks like the MailPoet hack, which upload malicious scripts to the uploads folder and then execute them. However, this setting is not enabled by default. Unless users understand why this setting is required and enable it explicitly, they will remain susceptible to such attacks.
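As an added example (not from the article or from any of the plugins it reviews), here is what the "disable PHP execution in uploads" setting amounts to on an Apache host: a constructed `.htaccess` placed in `wp-content/uploads`, with the weak default state described first and the hardened rules after it. It assumes Apache with `AllowOverride` permitted for that directory and that the `uploads` path is the standard one.

```apache
# Constructed example: wp-content/uploads/.htaccess
#
# WEAK (what a fresh install effectively has): no .htaccess here at all,
# so any .php file that lands in uploads/ is executed like normal site code.
#   (no directives)

# HARDENED: refuse to serve PHP-like files anywhere under uploads/.
# Genuine uploads (images, PDFs, documents) are unaffected because the
# match is on the file extension only. (?i) makes the match case-insensitive
# so "shell.PHP" is caught as well.
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback syntax
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>

# Extra layer when PHP runs as an Apache module: switch the engine off for
# this subtree. The module name depends on the PHP version (mod_php5.c,
# mod_php7.c, mod_php.c), so adjust accordingly; the IfModule guard keeps
# the file from causing a 500 error on PHP-FPM hosts where php_flag is unknown.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
```

After saving, confirm an existing image in uploads still loads and that the Apache error log shows a 403 for any request to a `.php` path under uploads; on nginx the equivalent is a `location` block that denies `.php` under `/wp-content/uploads/`, since nginx ignores `.htaccess`.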

I picked up some of the top plugins based on their popularity in the WordPress plugin repository and used them on my site. Here is a list of UI-specific features that differentiate a good plugin from an average one.

Lack of Good Defaults

Security plugins support a host of features ranging from login security to malware scanning. Having the important options enabled by default can make setup really easy. Many plugins enable only the basic features by default. They rely on the users to decide on the more advanced features like script execution and htaccess protection. While caution is needed when working with these features, as they often break existing functionality, the decision may also overwhelm most users. Such an approach may result in some features being left out, making sites susceptible to attacks and defeating the purpose of having the plugin in the first place.

Here is a screenshot of the Wordfence security plugin that enables the necessary features by default at the top level. This makes it very easy for users to turn on a set of options that will form the basic security layer right at the start. You can enable all the firewall specific options and everything related to login security at one go. Should you need to make any further changes to the individual settings, you can do that further down the page.

[Screenshot: WordPress Security - Lack of defaults]

Classification of Features

A good security plugin should make a clear distinction across the different features and their level of complexity. The All In One WP security is a good example. It classifies its features into basic, intermediate, and advanced categories. The basic features are non-invasive and will not break any functionality. The more complex features that fall under intermediate and advanced categories can break functionality depending on your setup and the plugins installed. So you can progressively enable features on your site without breaking functionality at any point. The plugin also maintains a Security Points Score system that tells you how secure your site is based on the currently enabled features.

[Screenshot: WordPress Security - Classification of features]

One-click Enable

It may not always be feasible to enable all the required features by default. However, the plugin can make life easier by supporting a one-click enable button for a set of options. Here is an example of the User Login protection feature supported by the All In One WP Security plugin. The pre-populated defaults can be applied with a single click. However, if you want to alter the individual settings, you can do that too.

[Screenshot: WordPress Security - One click enable]

Supporting Documentation

No matter how good a product is, it is of little value if users don’t know how to use it. Having good supporting documentation in the form of detailed feature descriptions and FAQs is really helpful. Though we rarely read through documentation, it can bail us out when we are stuck without having to call customer care or wait for an email response. It also warns us about tricky features that need to be enabled with caution as they have the potential to break things.

Let us consider the iThemes security plugin’s Admin User page. We can see different types of documentation in a single window. There is one line that describes the importance of the feature. However, the feature could also cause some collateral damage, as it touches a core component of your WordPress site, so a warning has been added to caution the user before proceeding with this step. There is also a side effect to this step: changing the admin username will log you out, and a notice has been added for that as well. Each one has been color coded appropriately, based on its severity.

[Screenshot: WordPress Security - Documentation]

In-depth Understanding

Many security plugins expect users to have an in-depth understanding of WordPress security. But security is a very vast and complicated area that takes years to master. The average WordPress user will rarely possess that kind of knowledge. Hence setting up and using these plugins is an overwhelming and cumbersome experience for most of us. Implementing all the key points that we’ve listed so far will improve the user experience in a big way. The bottom line is to understand that the plugin team is the security expert and not the end user.

The need of the hour is to have good security plugins with great UI. Users should be able to clearly distinguish between different features, understand their importance, and know which need to be enabled for their site. After all, as far as the customer is concerned, the interface is the product.
