Bye bye bye, WordPress Security Plugins

Much like ’00s pop song catchphrases, WordPress Security Plugins may be out of fashion.

On Shifter, WordPress security plugins of any kind are no longer necessary. Security Plugins themselves can offer features like Audits, Login Hardening, Backups and more, while premium features on top of those plugins offer services such as Web Application Firewalls, CDNs for traffic resilience, and malware scanning.

Simply put, WordPress Security Plugins are not needed while using Shifter hosting because WordPress is not accessible to bots or malicious activity.

Your WordPress install sits behind our firewall in a secure container that runs on-demand. It’s available when you need it as an admin, while the live version of your site is served entirely as static HTML, JS, and CSS.

By separating these two environments, WordPress can do what it does best, managing your content, and our static hosting service prevents common attacks like SQL Injections and Brute Force Attacks.

While Security Plugins do offer a lot, not all the features can be lumped into one group. For example, here are a few of the most common and how Shifter can help.


Protection against Distributed Denial of Service Attacks, also known as DDoS, is a service included with every Shifter site. It works by protecting your site at the topmost network level, filtering traffic before it can reach your files.

It’s common for DDoS protection to come at a cost from 3rd party service providers since it’s not something a plugin can provide. We’ve decided to include this by default and there’s nothing to configure or manage.


Adding a Content Delivery Network is often thought of as a performance feature, but it’s also a security one. When traffic spikes occur, a CDN helps distribute traffic, keeping your site up.

Whether you’re under a Brute Force attack or your site’s gone viral on Twitter, a CDN will help keep you up and running.

CDNs are another one of those premium services from hosting providers. With Shifter, CDN is included for all sites at no cost and, again, there’s nothing to configure.

Brute Force Attacks
You can’t hack what you can’t see. WordPress only runs when you need it as an admin or author. The URL and port for your WordPress install are always changing and on-demand too.

Brute force attacks happen when a site sits idle and open to hundreds or thousands of automated login attempts. Since Shifter sites are not actively running WordPress, this type of vulnerability is no longer a concern.

SQL Injections

This type of hack would be possible if MySQL was running, but it’s not for static Shifter sites. Once your WordPress site is converted to static HTML, forms, comment sections and other types of input fields no longer run PHP and MySQL.

Instead, you can shim those features with 3rd party apps or JavaScript to process that data. It never has the opportunity to affect the database of your WordPress site directly.
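One way to check a static export for forms that still point at PHP handlers instead of a 3rd party shim, as described above. This is an added example, not Shifter's own code; the endpoint list, file names and sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# WordPress PHP endpoints that only work while PHP/MySQL is running.
DYNAMIC_ENDPOINTS = ("wp-comments-post.php", "wp-login.php",
                     "xmlrpc.php", "admin-ajax.php")


class FormAudit(HTMLParser):
    """Collects <form> actions that still depend on server-side PHP."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            return
        action = dict(attrs).get("action") or ""
        # Compare on the path only, so query strings and case do not hide a handler.
        path = urlparse(action).path.lower()
        if path.endswith(".php"):
            known = path.endswith(DYNAMIC_ENDPOINTS)
            kind = "wordpress-endpoint" if known else "php-handler"
            self.findings.append((kind, action))


def audit_export(pages):
    """pages: {filename: html}. Returns sorted (filename, kind, action) findings."""
    results = []
    for name, html in pages.items():
        parser = FormAudit()
        parser.feed(html)
        results.extend((name, kind, action) for kind, action in parser.findings)
    return sorted(results)


# Constructed sample export (not taken from a real site).
SAMPLE_EXPORT = {
    "post/index.html": '<form action="/wp-comments-post.php" method="post"><textarea name="comment"></textarea></form>',
    "contact/index.html": '<form action="https://forms.example.invalid/submit" method="post"><input name="email"></form>',
    "legacy/index.html": '<form action="/inc/mailer.PHP?x=1" method="POST"><input name="msg"></form>',
    "search/index.html": '<form method="get"><input name="s"></form>',
}

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(*finding, sep="\t")
```

Any finding marks a form that will either fail on the static site or needs to be moved to a 3rd party or JavaScript handler before publishing.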

SQL Injections most commonly occur on WordPress comments. A popular and great way to combat that on Shifter is by using Disqus, a 3rd party commenting service which offers a free WordPress Plugin. It works great on Shifter and it’s easy to install!

Another common form plugin which is typically vulnerable to SQL Injections is Contact Form 7. We’ve developed an Open Source plugin called WP Serverless Forms which brings back the functionality of CF7 to static WordPress sites.

It’s now listed in the WordPress Plugin directory too!