We love talking about website security here at hosting.com. Without a doubt, it’s one of the most essential ingredients for a healthy and trustworthy website. You want your site protected from attacks and for your visitors to rest assured that their data is safe.
It’s such an important and interesting topic that it bears revisiting often. One of our Office Hours livestream viewers seems to think so as well. They asked an excellent question about site security, specifically for WordPress, during the November 20, 2025 livestream.
If you set up Cloudflare properly, do you need a security plugin?
Hosting providers and edge networks have evolved significantly over the past decade, so we are not surprised this topic was brought up. WordPress security plugins are still a vital part of the CMS, and chances are you have used or are aware of the most well-known ones, such as Wordfence.
But with Cloudflare being so powerful nowadays, do you really need one? Nathan Ingram, our Agency Success trainer and livestream host, has the perfect answer: you don’t need a security plugin for the things Cloudflare does.
In other words: yes, you still need a security plugin. But what are these things that Cloudflare does? Let’s break it down further and show you precisely the type of security plugin you want.
How Cloudflare changes everything
Ten years ago, WordPress needed big, heavy security plugins that did everything: blocking brute-force logins, malicious IPs, bot traffic, DDoS attacks, and whatever else you could think of.
However, Cloudflare has evolved so much in recent years that such resource-hogging plugins are no longer necessary.
Today, Cloudflare sits in front of your website (imagine the connection between your site and its visitors as a line) and filters out a lot of the malicious noise.
These things reach your site extremely rarely, if at all:
Malicious IPs
Bots and botnets
DDoS attacks
Suspicious traffic patterns
Known exploit attempts
Scripted login attempts
General “junk traffic”
And since all of this is filtered out before it even touches your hosting server, your visitors never notice it. Speaking of your hosting server, it also plays a significant role in security.
Hosting security is also vital
We already talked about this in our blog about how hosting security keeps your site safe, but here’s the short version.
Good hosting providers like hosting.com offer a security layer of their own at the server level. That means if anything malicious reaches the server, that layer will catch and stop it before any damage is done.
Every modern hosting provider must have at least some of these security features (preferably all) for the services they provide.
Layered firewall filtering
File/malware scanning
Activity logging
Site hardening
Real-time traffic checks and blocks
So, between Cloudflare being so good and modern hosts sporting some serious protection, what’s the point of WordPress security plugins anymore? Aren’t the scariest attacks already taken care of?
Yes, they absolutely are, but if you have ever heard Nathan talk about site security, you might already see where this is going.
WordPress security plugins should focus on the application itself
When it comes to protecting your website from malicious traffic, hackers, and attacks, there are three “levels” to consider: network, server, and application. Nathan has talked at length about them on our Office Hours streams (particularly in the WordCamp US insights and practical security episode).
In the context of the question we are discussing (if you set up Cloudflare properly, do you need a security plugin?), a WordPress security plugin should focus exclusively on the application layer. That means no firewalls, no malware scanning, no traffic filtering, nothing that should live on the other two levels.
Instead, since Cloudflare can’t see into your dashboard, a good WordPress security plugin should focus on these things.
User security & behavior monitoring: First and foremost, the plugin should enforce strong passwords, monitor login attempts and suspicious user activity, and alert you to new admin accounts.
Login page protection: Next, if necessary, it should enforce Two-Factor Authentication (2FA), add a CAPTCHA to the login page, and limit how many times users can attempt to log in with incorrect credentials.
Vulnerability monitoring and patching: Finally, the big one. Cloudflare has no idea which plugins you are using, let alone how to protect you from known exploits. To combat this, you need a plugin that alerts you to known plugin vulnerabilities and (ideally) virtually patches them until an update comes along.
As you can see, all of these things are measures within the WordPress application itself. There are no firewalls, no malware scanners, nothing that can comfortably exist on either of the other two layers.
The biggest reason we recommend against plugins that add such functionality is resource management. They are resource-intensive and can slow down your website. If your host and Cloudflare already handle the functionality a plugin provides, get rid of the plugin.
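To make the vulnerability-monitoring point concrete, here is an added example (not code from hosting.com or from any security plugin) of the core check such a tool performs: matching the installed plugin inventory against known advisories. The plugin list has the shape of WP-CLI's `wp plugin list --format=json` output; the advisory schema, plugin slugs, and IDs are constructed for illustration.

```python
import json
import re

# Constructed sample: the shape of `wp plugin list --format=json` output.
SAMPLE_PLUGINS_JSON = """[
 {"name": "example-forms",   "status": "active",   "update": "available", "version": "2.4.1"},
 {"name": "example-gallery", "status": "inactive", "update": "none",      "version": "1.10.0"},
 {"name": "example-seo",     "status": "active",   "update": "none",      "version": "3.0"}
]"""

# Constructed advisory feed (hypothetical schema and IDs). fixed_in=None
# means no patched release exists yet.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "slug": "example-forms",   "fixed_in": "2.4.3"},
    {"id": "EXAMPLE-0002", "slug": "example-gallery", "fixed_in": "1.9.2"},
    {"id": "EXAMPLE-0003", "slug": "example-seo",     "fixed_in": None},
    {"id": "EXAMPLE-0004", "slug": "not-installed",   "fixed_in": "1.0.1"},
]

def version_key(version):
    """Turn '1.10.0' into (1, 10) so versions compare numerically, not as text."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while parts and parts[-1] == 0:  # treat 3.0 and 3.0.0 as equal
        parts.pop()
    return tuple(parts)

def find_vulnerable(plugins_json, advisories):
    """Return one finding per advisory that applies to an installed plugin."""
    installed = {p["name"]: p for p in json.loads(plugins_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(adv["slug"])
        if plugin is None:
            continue  # advisory is for a plugin this site does not have
        fixed = adv["fixed_in"]
        if fixed is not None and version_key(plugin["version"]) >= version_key(fixed):
            continue  # installed version already contains the fix
        action = f"update to {fixed}" if fixed else "no fix released: virtual patch or deactivate"
        findings.append({"id": adv["id"], "plugin": plugin["name"],
                         "installed": plugin["version"], "status": plugin["status"],
                         "action": action})
    return findings

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_PLUGINS_JSON, SAMPLE_ADVISORIES):
        print(f"{f['id']}: {f['plugin']} {f['installed']} ({f['status']}) -> {f['action']}")
```

The constructed gallery entry shows why versions must be compared numerically: as plain text, 1.10.0 would sort below 1.9.2 and raise a false alert.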
Strive for a smarter security stack
Hosting and Cloudflare security measures have become incredibly powerful; there is no doubt about it. So, if you set up Cloudflare properly (and your host is on point), do you need a security plugin?
Yes. Yes, you absolutely do. However, it should only handle WordPress-specific threats. Leave server firewalls and malware scanning to the host; leave WAF rules, DDoS attack mitigation, and traffic filtering to Cloudflare.
By removing unnecessary plugins and keeping the essentials, you reduce script bloat, improve site speed, and ensure every layer does its job efficiently.


