The Ultimate Guide to finding the best WordPress plugins to protect your website
Most small website owners who don’t use WordPress security plugins believe that only those websites with a huge traffic base are prone to malicious attacks. The reality is that just because your website is small, doesn’t mean that your site is not a target.
(I'll soon tell you the story of when a site I inherited got hacked with incredibly frustrating results)
On the contrary, small websites are an easier target for hackers for just that reason. Because most website owners don’t take any (or enough) safety precautions to protect the site from attack.
If you don’t believe us, check out this page of sobering statistics.
Here are some highlights:
- A website is hacked every 39 seconds
- On average 30,000 new websites are hacked every day
- 98% of WordPress vulnerabilities are related to plugins
- 75 data records are stolen every second
- Hackers create 300,000 new pieces of malware daily
This page takes a wider view of hacking and data loss. If you don’t protect your website already, you should do it right now!
(Please read) That time we had to fix a sneaky hack
So a few months back, somebody came to us with a problem they had on their site.
The business owner came to us and told us, Google has a problem with our site. They had lost a bunch of organic traffic and sales because this was what their results on Google looked like:
Scary stuff right? No wonder they had lost almost all of their traffic.
Because who would want to go past that huge red warning that the site contains malware or is deceptive?
So, why the warning?
Well, Google has this mechanism in place that is able to identify sites that have been hacked and will show a warning both on search results, and when a user tries to proceed to the site, to ensure the visitor doesn't get infected.
But here is where it gets even better!
The owner of the site obviously went past that warning but there were none of the usual tell-tale signs that the site had been hacked. No additional users, no dodgy new pages with pharma links, or foreign languages pages, links to fake Jordan's, or any of the usual stuff that usually happens when a site was hacked.
No matter how deep we looked, we couldn't find anything dodgy on the site.
We even ran multiple WordPress security plugins to detect any malicious files. But there were none to be found!
But when logging to Google Search Console to get more information on the message the site was displaying on the search engine results, it was clear that some pages where showing external links to dodgy pages.
See, this was a really sneaky hack.
After several hours of investigation, we discovered the culprit.
The hacker had inserted a small script straight into the WordPress database. This script allowed the website to behave normally to all users who visited the site but if Google crawlers visited the site, they would display different pages with links to dodgy sites, for SEO purposes.
This is called cloaking, a technique used by black-hat SEOs and it really had us stumped.
But make no mistake, the effects of such a hack had been drastic. They had a drop in traffic of more than 80%!
Why secure your website?
There are several reasons why you would want to invest time or money in securing your website. If it’s a business website, you have to keep it secure to maintain your reputation.
Any hack or loss of data could seriously impact your future just as we have seen above!
If your website is more of a hobby, you still want to protect it. If you’re investing hundreds or thousands of hours on something, you want to make sure it’s safe and protected from such hacks.
Unless you take any safety precautions quickly, you could be allowing the bad guys to sabotage your online business.
This roundup post on the best WordPress security plugins wants to make sure everybody is protecting their WordPress website from attack.
When it comes to choosing a WordPress protection plugin, there is no one size fits all solution. Each one is unique in terms of the features it offers.
Take a look at each one of them below, and install those products that you believe best suit your needs. Whatever you do, DO NOT leave this page without having installed a plugin to secure your website!
Best WordPress Security Plugins
Here's our list of the best WordPress security plugins. If you're interested in checking out other premium and popular WordPress plugins, we frequently post in-depth reviews and articles. Check some of them by clicking on the WordPress menu at the top of the page.
Security Ninja is a top-rated product that takes plenty of preventative action to make sure your website is protected.
Essentially, Security Ninja looks for potential problems, vulnerabilities, zero-day exploits, versions of old software including the software running on your server such as PHP versions, MySQL versions and Apache versions.
The difference between this and other products is that Security Ninja does not perform any changes on your installation. It allows you to make the changes yourself, ensuring you can decide what actions you want to take to fix the problems which have been identified.
This makes a lot of sense as you might already know about specific vulnerabilities and have valid reasons why they are in place.
Let's have a look at a few of the excellent features:
- 50+ checks to find any issues with your installation
- Brute force tests your website so that it is prepared for such attacks
- WP core + external software tests
- Checks for known and common behaviours which can result in getting hacked
Pros: Does not change files on your installation so that you are in full control.
Cons: If you are not familiar with some of the more serious problems and how to fix them, you might be left with question marks on whether your website is protected or not.
There is a free version of the tool that you can download from here.
Should you use it?
Security Ninja is great for alerting you to risks and vulnerabilities in your WordPress installation. The idea of then leaving it to you to fix them will either work for you or not. If you want more control over what happens on your website, this could be the perfect security plugin.
Free for the standard version while premium starts from $29.
When you enable Sucuri products such as CloudProxy (Sucuri products are not your typical WordPress plugins - they do protection on their site, not yours), all your web traffic goes through Sucuri’s cloud proxy firewall before reaching your web host. That means the firewall blocks most attacks before they reach your site.
CloudProxy is a combined website firewall and CDN, designed to send only legitimate traffic to your website while also hosting files on its own systems for fast access. It comes with the website security bundle and will need some DNS changes to activate it.
If you’re looking for a free version, you may download it from here. The free version offers seven key features including activity audit logging, file integrity monitoring, security hardening, security alerts, post-hack security actions and blacklist monitoring.
By installing the premium version, you can use CloudProxy and in-depth scanning which helps you to figure out if there are any server-side or theme/plugin issues.
Pros: Sucuri is a company that creates tools and plugins for securing websites on different platforms including WordPress. No other option here can secure your installation with a DNS level firewall.
Cons: The price is significant comparing to other WordPress security plugins.
Should you use it?
Sucuri plugin is the best bet if you’re looking for the most comprehensive protection and price is not a consideration. To compare Sucuri to another popular WordPress security plugin, check out Sucuri vs Wordfence.
Unlike some of the other WordPress plugins we feature in this post, Sucuri is billed annually. It is free or $199 per year.
iThemes Security (formerly known as Better WP Security) is one of the best WordPress hardening plugins in the official directory. With multiple ways to protect your website, it ensures that your website is not an easy target for hackers.
If you would like to try their free version before switching to a premium user, you can download it from here. Of course, the Pro version offers more features for a very good price.
Some of the pro features include but are not limited to:
- Two-factor authentication
- WordPress user check
- Enforce strong passwords for all users
- Regular malware scan with Sucuri Sitecheck
- iThemes Sync Integration for up to 10 websites for free
You can easily review and take action if you find any potential threats. Once you logged in to WordPress admin navigate to Security>> Settings to assess the current state of your site and enable only those protection features you need.
Pros: One of the best WordPress plugins for any kind of WordPress site, with some advanced features.
Cons: Like any other advanced product to secure your installation, it also has the potential to cause problems because it could make significant changes to the database and files. It is also less than ideal if you’re on a shared hosting platform as it could consume system resources during the scan.
Should you use it?
The pricing starts from just $48 and is one of the most advanced WordPress security plugins on the market and quite possibly, the only one you’ll ever need.
- Personal- $48 for 2 sites
- Freelancer- $60 for 10 sites
- Developer- $90 for unlimited sites
- Plugin suite- $149 for developer licence for all of the iThemes plugins
Malcare is a security service for your website which does things slightly differently than the rest of the WordPress security plugins we cover.
Essentially, Malcare uses a dashboard that can control all of the sites which you manage. So besides the standard hardening functionality (such as website firewall, core file changes scanning, theme and plugin updates and so on), you will be able to manage all of your websites from one place.
This is ideal of you are a developer, website manager or are responsible for multiple websites.
In terms of features, Malcare gives you:
- An overview of any problems it detects on your site
- A firewall
- Automatic malware scanning and removal,
- IP address blocker
- Website backup tool
The beauty is that thanks to the helper plugin which gets installed on your site, you can perform any security changes and updates directly from this dashboard. This is an essential feature for those who manage websites for other companies (or their clients) - because you can just log in to this dashboard and perform all security updates from the same place.
Pros: One single dashboard to monitor and manage all sites under your care plus all the security tools you need in one place.
Cons: None that we are aware of right now
Should you use it?
We find the Malcare dashboard to be an excellent feature of this plugin. It also can install the helper plugin directly through the dashboard, making it the only place you need to log on to. We do believe it's one of the best options out there for those who manage and secure multiple websites.
Malcare costs from $59/month for up to 20 sites which works out to about $3/site/month for developers. If you are looking for a personal plan, they start at $99/year, which is very fair.
WP Activity Log, formerly WP Security Audit Log, is a different kind of plugin. Rather than provide barrier security, this plugin keeps a full audit log of the actions your users have been taking on the website where it is installed. It also monitors suspicious behaviour and provides compliance coverage too.
Once installed, WP Activity Log shows a log of all actions which are happening on your website.
The plugin can audit:
- Changes to content and comments
- User activity and changes to user profiles
- Database changes
- Plugin changes
- Theme changes
- Menu changes
- Widget changes
- Multisite changes
- Changes to 3rd party plugins (BBPress, Yoast, and WooCommerce)
There is no firewall, malware scanning or any of the traditional WordPress security features. Instead, you have a full audit log of every action taken on your website. Whether you want to keep an eye on multiple authors or work in a regulated environment, this auditing can be essential.
Pros: If you’re looking for a product that keeps full logs of what is happening by different users accessing and using your site, this plugin is a perfect choice.
Cons: We haven't seen any particular things we didn't like with this plugin but it doesn’t provide the typical security features you might be looking for.
Should you use it?
We believe this is a necessary tool for all those users who could run into problems if they don't strictly monitor what their users have been doing. It is also a useful tool to help manage compliance.
You’ll need to buy a license to access some of the advanced features of the product, such as email notifications, session management, database integration and other features. The price starts at $89 for a single site licence.
Looking for complete and convenient protection that enforces a lot of good practices on your website? Then, all in One WP Security & Firewall plugin is well worth trying.
This is one of the highest-rated plugins for securing your installation in the official WordPress directory.
All in One Security and Firewall is a comprehensive security plugin for WordPress that will take proper care of your site’s safety. It monitors your entire website and checks it for vulnerabilities, malware, force login attacks, and any issues or problems occurring on your site.
The settings for malware scanning are fully customizable. The plugin uses a neat points grading system to measure how well your website is protected based on the features activated.
It also comes with an effective website firewall that will take your protection to a whole new level and block out malicious scripts before they even hit your site.
It is a fully-featured product despite being free. It comprises almost every WordPress hardening feature you'll ever need, including:
- User account protection
- User log in protection
- Database hardening
- File system hardening
- Blacklist and firewall functionality
Pros: This WordPress security plugin is free and fully featured. All the basics are covered at no cost.
Cons: It may create a conflict with other plugins if the advanced functionality is enabled. You may need to test it before enabling it on your live installation.
Should you use it?
As the name denotes, the plugin is an all-in-one solution most non-corporate websites will ever need. Since it is free, there is nothing to complain about.
Incidentally, if you want to implement WordPress security to prevent hacking, we've got you covered.
With over 2 million downloads, Wordfence is the most downloaded WordPress security plugin in the official directory.
If you would like to try the free version, you can download it from here.
Wordfence is ideal if you're looking for one of the best plugins for hardening a WordPress site. It is bundled with all of the hardening features you'll ever need including a website firewall, IP address blacklist and whitelist, login-limit, password reset limit and a ton of other security features.
Depending on your level of expertise, Wordfence lets you scan and fix issues from a central dashboard. Once you scanned the installation, it shows you the result as either 'critical' or 'warning' level issues. When you need more help, you’ll need to take a look at their extensive documentation to see how to fix most of the issues the product reveals.
Pros: Offers tons of features and is being consistently updated to fight against known vulnerabilities. The free version is genuinely useful and probably enough for many websites, though keep it mind that the free version delays the latest security "signatures" by one month. For true protection, you'll need the Premium version.
Cons: The downside is that there is a bit of learning curve if you enable high sensitivity scanning. It might return lots of false positives that will need to be filtered.
Should you use it?
Wordfence is the right tool for those who take their website protection seriously. The free version is all you need and the pro version is not for you if you wanted a simple product that works out of the box.
There is a free version. Pricing starts at $8.25 per month for premium.
8. Hide My WP
Hide My WP is one of the best WordPress security plugins in the CodeCanyon marketplace with 30k+ downloads. It prevents attacks from hackers by hiding the fact that your website is on a WordPress platform. It also hides theme details, changes the WP-Admin URL and some other neat tricks.
Similar to Swift, Hide My WP modifies the paths of your files and directories without changing locations.
Some other useful features of Hide My WP are:
- Hides page and wp-admin area
- Spy notification feature
- Disallow direct access to theme files
- Detects and blocks XSS, SQL Injection type of security attacks
Once you install the plugin, in the General settings tab of the configuration page, you can check those options you would like to hide. You can change the permalinks structures by clicking on the Permalinks & URLs tab.
Pros: Hide My WP protects from hacking attempts that are primarily targeted at this CMS by hiding its identity. It also changes the universally known WP-Admin URL to protect from bots and hack attempts.
Cons: Even though it helps you to protect against targeted attacks, securing through obscuring is just one element out of many required for a fully secure WordPress site.
Should you use it?
If you're looking for an option that simply obscures WordPress, this plugin is the right choice. It would need to be used in conjunction with another WordPress security plugin for full coverage.
Hide My WP costs just $19 from CodeCanyon.
Most WordPress users will know of and probably use JetPack in one form or another. The JetPack suite of tools is designed specifically for the CMS and many are free. JetPack Security is not free but bolts onto the free offering with very little effort.
Tools include email alerts for downtime, protection against brute force attacks, logins, spam, malware, website backups and activity logging. Each is available through the standard JetPack dashboard and is easy to configure and set up.
Key features include:
- Downtime alerts with corresponding recovery alert
- Spam and comment protection
- Malware scanning
- One-click vulnerability checker
Pros: JetPack has along and illustrious history alongside WordPress so it’s natural to offer a WordPress security plugin too. It’s easy to use and has most of the core tools you need to keep it secure.
Cons: The new JetPack dashboard takes a little getting used to and the Security tools are not free like many others within the suite.
Should you use it?
JetPack Security is a decent collection of tools that includes some very useful administration tools as well as security ones.
The free version includes downtime alerts while premium plans begin at $5 per month up to $30 per month.
SecuPress has been developed by the same team who gave us WP Rocket, one of our favourite caching plugins. You will notice similarities in design thanks to an intuitive dashboard, straightforward navigation and easy operation. While visual appeal isn’t a prime consideration in a plugin, it makes the dashboard a nicer place to be.
SecuPress is a fully-featured WordPress security plugin that provides malware scanning, vulnerability checking, antivirus, firewall, login page protection, tool to disable XML-RPC, IP blocking and backups. Everything the website owner is likely to need in one package.
We particularly appreciate the ability to disable XML-RPC as this is a key vulnerability in WordPress and something few other WordPress security plugins offer.
SecuPress has a range of benefits, including:
- Antivirus and firewall
- Malware scanning, including PHP
- Vulnerability scanner
- Login page protection
- IP blocker
Pros: SecuPress is very well designed and logical to use. All tools are easy to find and understand and cover most security considerations for a WordPress website.
Cons: SecuPress is expensive at €60 per year and you have to pay extra for help in configuring the plugin and even more if you need assistance removing malware.
Should you use it?
While SecuPress charges extra for configuration, it is unlikely that you’ll need that help. Setup is straightforward, the dashboard is intuitive and there is enough instruction around to get you up and running with the minimum of fuss.
SecuPress costs €60 per year.
BulletProof Security may have one of the ugliest websites on the internet but it also has a bold claim, ‘BulletProof Security Pro is installed on 50,000+ websites worldwide. Not a single one of those websites has been hacked in the past 8+ years.’
Look at the features and you can see why this WordPress security plugin is so popular. It includes malware scanning, firewall, database backups, intrusion detection, intrusion prevention, the ability to lock the Upload folder, a database diff tool to detect changes and session logout tools. Each combines to offer a high level of security to your website.
BulletProof Security offers:
- A malware scanner
- Website Firewall
- Database backup tool
- Intrusion detection and prevention
- Idle session logout tool
Pros: This is a powerful WordPress security plugin that offers a lot of protection. The basic tools are pretty good but it’s the Upload folder locking and database diff tool that shine. Both offer significant security upgrades that many others in this list miss.
Cons: The dashboard has quite the learning curve and will need to be set up correctly to get the best out of it. Fortunately, there is a ton of documentation and lots of instructional videos to help.
Should you use it?
BulletProof Security isn’t for WordPress beginners but if you have patience and a little tenacity the documentation is out there to help you set it up properly. Pricing is pretty good too for a premium plugin. The cost includes a lifetime licence and unlimited use, which is rare.
There is a free version of BulletProof Security and BulletProof Security Pro. Pro costs $70 for a lifetime licence and unlimited installations.
VaultPress is developed by Automatic and is available as part of JetPack as well as in its own right. This WordPress security plugin is more about backup and repair than barrier methods but it does offer spam and brute force attack protection.
VaultPress is a simple installation and setup. It integrates into JetPack and has the same dashboard and navigation too. You will need to register the website with VaultPress if you don’t use JetPack but otherwise, setup is a series of settings to enable, schedule or disable. It’s a very straightforward system to use.
Highlights of VaultPress include:
- Offsite backup tools
- File repair tool
- Spam protection
- Brute force attack protection
- Website migration tools
- Website restore tools
Pros: VaultPress integrates into JetPack if you use that or can be used independently. Setup is simple and configuration is refreshingly straightforward.
Cons: This plugin is more about helping you recover from a hack than protecting you from it. It does have a couple of barrier tools though.
Should you use it?
If you use VaultPress with a free firewall plugin or other security plugin with malware scanning, then yes VaultPress is well worth using for the recovery tools alone.
Pricing is from $39 per year for the security tools. You can purchase the backup tool separately for $3 per month for daily backups or $20 per month for real-time backup.
13. WPMUDEV Defender
If you’re looking for a WordPress security plugin that allows you to conduct regular scans on your website, Defender could be an excellent choice. After scanning your website it gives you WordPress vulnerability reports and safety suggestions so that you can guard your site for better protection without hiring a WordPress expert.
Do keep in mind that Defender is part of WPMUDev’s premium membership. You can only access it by becoming their premium member.
(Speaking of membership, have you had a look at the top 25+ WordPress Membership themes and plugins you need to create a members site written also by CollectiveRay? See it all here: https://www.collectiveray.com/wp/themes/top-wordpress-membership)
Below are a few benefits of using WPMUDEV Defender:
- Conduct plugin, theme and core vulnerability scans
- IP blocking
- Restore and repair damaged or corrupted files
- Google blacklist monitoring and alerts
- Enable 2-Factor Authentication
- Its audit logging functionality tracks everything that happens on your website including login attempts and logs of comments and posts.
- Always monitor whether your site is being flagged as unsafe.
You can easily harden your website, scan or monitor if your site is blacklisted right from the dashboard page.
Pros: If you’re looking for a product that scans, audits and takes backups of your installation, Defender has you covered.
Cons: You need to become a premium member of WPMUDev to access the product.
Should you use it?
One of the best things about WPMU premium membership is that it offers 24/7 expert WordPress support. By signing up for the premium membership and by installing Defender, you can assure that you get a premium expert support all day long.
You’ll need to become a premium member of WPMUDev.org to download and install Defender. The membership cost is $49/month so is not insignificant, but you get access to all their plugin with that fee.
Astra Web Security is a feature-rich WordPress security plugin that is well worth checking out. It includes a suite of tools including firewall, IP blocking, blacklists, spam protection, brute force protection, malware scanning and removal, auditing and a whole lot more.
Astra Web Security has a very usable dashboard that brings all these tools together in an easy to use window. Tools are simple, setup is very straightforward and you can be protecting your website in no time.
Astra Web Security includes:
- Firewall and malware scanner
- IP whitelist and blacklisting
- Spam blocking
- Brute force protection
- Automatic malware scanning and removal
- Security audits
Pros: Controlling Astra Web Security is laughably simple. From clear navigation to simple on/off toggles it is very easy to use and is suitable for website owners of every experience level. It manages to offer full security protection without the learning curve of some other WordPress security plugins.
Cons: Pricing is somewhat expensive but you do get a lot for your money.
Should you use it?
Astra Web Security makes security simple. It is simple to use, simple to set up and simple to see exactly what’s going on. All that comes at a price though. This WordPress security plugin is great for those whom cost is not a factor.
Astra Web Security costs $19 per month for the Pro Plan, $39 per month for Advanced Plan and $119 per month for the Business Plan. Each is billed annually. Pro would be enough for most websites.
Shield Security Pro is a smart-looking WordPress security plugin with some decent tools. It has a free and a premium version, but as usual you will have to pay to access the better ones. Tools include a plugin and theme vulnerability scanner, code guard, malware scanner, site auditing, two-factor authentication, password enforcement, third party service protection and more.
Shield Security Pro uses an attractive dashboard to control all services. You access each through tabs and there are clear indicators of the status of each tool and your website. It is intuitive to use and makes easy work of securing WordPress.
Shield Security Pro includes:
- Plugin and WordPress theme scanner and code guard
- Malware scanner and removal
- Website auditing
- Two-factor authentication for logins
- Strong password enforcement tool
Pros: Shield Security Pro has everything covered except brute force protection. To counter that, the plugin and theme scanner and lock is an excellent replacement. If you like experimenting with plugins and importing themes, that alone makes this worth using.
Cons: There is no brute force protection or antivirus. However, viruses are less of a threat now than malware.
Should you use it?
Shield Security Pro offers a full suite of security tools within an easy to use dashboard. Setup may take a little time and patience but once done, you’re protected. It isn’t the cheapest here but it offers a lot for your money.
Shield Security Pro costs $29 per year for 1 site, $36 per year for 3 sites, $60 per year for 5 sites and $120 per year for 10 sites. Ironic when the company behind it is called One Dollar Plugin.
Block Bad Queries, or BBQ as it is also known, is a WordPress firewall. It has a free and a premium version, both of which concentrate on protecting your website against unauthorized access and attack. What it lacks in features it more than makes up for with ease of use and power.
Block Bad Queries is fully automatic and is a fire and forget WordPress security plugin. Keep it updated the same as your other WordPress plugins and you’re protected. BBQ uses the popular 5G and 6G blacklists and scans all traffic hitting your website.
When we say it scans all traffic, we mean it. BBQ scans the IP, the referrer, request URI, everything. It is the most complete firewall we know of.
Block Bad Queries can:
- Scan all traffic hitting your website
- Compare all visitors to 5G and 6G blacklists
- Scan the IP, request URI, referrer and user agent for all visitors
- Block SQL injections, executable uploads and more
- Be fully customized or left with default settings
Pros: Block Bad Queries is probably the most complete website firewall you can get for WordPress. It scans everyone for everything and doesn’t seem to slow traffic down at all.
Cons: It’s ‘only’ a firewall. You will need another WordPress security plugin to protect other parts of your website.
Should you use it?
If you don’t mind bolstering your website with other WordPress security plugins, BBQ is well worth using. It’s a fully-featured firewall with some of the most advanced traffic filtering we have seen.
There is a free version of Block Bad Queries and four premium plans starting at $20 up to $180 for 1 to unlimited websites.
17. Google Authenticator - WordPress Two Factor Authentication
Google Authenticator adds two-factor authentication to your website. Two-factor authentication, 2FA, is a powerful security feature that protects logins into your site. Despite the name, it isn’t developed by Google but by MiniOrange.
This isn’t a full WordPress security plugin but is a very useful tool to use in conjunction with other security tools. Essentially it adds a second authorization method to every WordPress login, preventing the vast majority of attacks. It won’t protect from malware or other attacks but is very effective at keeping unauthorized users out of your website.
Google Authenticator provides:
- Two-factor authentication for all logins
- Compatibility with Google, Authy, LastPass Authenticator, QR Code, push notification, soft token and security questions (KBA)
- Translation-ready operation
- Brute force attack prevention & IP Blocking
- User login monitoring
Pros: Google Authenticator is fast and works well. It is super-simple to set up, fire and forget and is free for up to 3 users.
Cons: Google Authenticator only covers one side of WordPress security so you will have to use other plugins to address other threats.
Should you use it?
Two-factor authentication is a powerful security tool and adding it to any website is an excellent idea. Used in conjunction with other WordPress security plugins, it can help protect what’s yours.
There is a free version and premium versions including other security tools costing from $15 per year.
Anti-Malware Security and Brute-Force Firewall is a malware removal tool and firewall for WordPress. The focus is very much on malware removal but the firewall is also very effective at preventing access to your website.
Only a few of the WordPress security plugins in this list will automatically delete malware rather than ask you what you want to do and this is one of them. It makes this plugin very straightforward to use as long as you keep backups of your files. The firewall then adds another layer of security to your website to prevent attacks in the first place.
Anti-Malware Security and Brute-Force Firewall provides:
- Automatic detection and removal of malware
- Automatic definition updates once registered
- Effective firewall to block attacks
- Change the WP-Admin URL to prevent attacks
- WordPress core file integrity checking
Pros: Anti-Malware Security and Brute-Force Firewall has a very effective scanner that will automatically remove malicious code without waiting to ask. This minimizes exposure and means your site essentially manages itself.
Cons: The plugin requires registration to access malware definitions. This is a little cynical in our opinion as a malware scanner is pointless without current malware definitions.
Should you use it?
Anti-Malware Security and Brute-Force Firewall is pretty good at what it does. It is also well reviewed and seemed to perform well when we tested it. The idea of being held to ransom by forcing registration for malware definitions is not good practice but if you ignore that, the plugin delivers on its promises.
Anti-Malware Security and Brute-Force Firewall is free.
19. WP Fail2Ban
WP Fail2Ban is a little different. It is designed to protect against brute force logins and does a pretty good job of things. It logs all login attempts into the WordPress system log and gives you the opportunity to block, ban or allow those logins according to your needs.
This WordPress security plugin needs very little configuration and can be fire and forget. Install, activate and leave it to get on with things. You can interact and monitor it if you like but it is entirely self-supporting.
Highlights of WP Fail2Ban include:
- Fire and forget login protection
- Requires no setup or configuration
- Can use soft temporary blocks or hard permanent ones
- Works with Cloudflare and other services
- Can protect against spam comments and pingbacks
Pros: The plugin proved effective in testing and had no impact on the running of our test website. Once installed, you can leave it to do its thing or monitor your logs, it’s entirely up to you.
Cons: Singular focus that will require supporting WordPress security plugins to cover other vulnerabilities.
Should you use it?
If you have other WordPress security plugins to handle the rest of your website security then WP Fail2Ban is an excellent option.
WP Fail2Ban is free to use.
WebArx is a WordPress security plugin that concentrates on protecting from plugin vulnerabilities. These vulnerabilities are the biggest threat to a WordPress site so it’s right to mitigate as much as possible against them.
WebArx also has a firewall, automatic patching tool, two-factor authentication, captcha for logins, WP-Admin URL changer, uptime monitoring, powerful reporting tool and customizable alerting system. All this is controlled from a very straightforward dashboard with all the tools logically labelled.
- Protection from plugin vulnerabilities
- Firewall and file protection
- Login protection with 2FA, captcha and WP-Admin URL modification
- Uptime monitoring
- Full reporting tool with PDF report option
Pros: WebArx offers wide ranging security in an easy to use package. It includes protection against most WordPress vulnerabilities and makes concepts and controls simple to understand.
Cons: It’s not the cheapest WordPress security plugin out there.
Should you use it?
WebArx is a fully-featured WordPress security plugin with very few downsides. Sure you pay for the privilege but in return you get almost complete protection for your website. That peace of mind is hard to question.
WebArx costs from $14.99 per month up to $180 per month.
Plugins that we no longer recommend
Some sites are still recommending these plugins, but we think that these plugins should no longer be used.
WP Security Manager
This plugin was released on CodeCanyon in 2013, but has no longer been updated since October of 2013.
For this reason, we believe the plugin is now obsolete and outdated and should no longer be installed on any live sites.
FAQs around WordPress security plugins
Do I need a WordPress security plugin?
Yes you do need a WordPress security plugin. Few websites or themes come with security built in. Even premium web hosts only provide limited security options so it’s up to you to protect yourself. Plugins are the default way to protect WordPress websites and provide the opportunity to select your own solutions to suit your own needs.
What is the best WordPress security plugin?
While there is no ‘best’ WordPress security plugin, our preferred products are Sucuri and iThemes Security Pro. Each product in this list has strengths and weaknesses and is often tuned to a specific threat. You may find one solution to address every threat you face or a combination of plugins to cover all your bases.
How do I add security to my WordPress site?
The easiest way to add security to a WordPress site is through security plugins. Careful web host selection and WordPress theme selection can help but these plugins offer broad protection that can be customized to your specific needs.
Is WordPress a security risk?
WordPress is not a security risk in itself. Newer versions of the CMS are more secure than ever. But, some themes and plugins provide vulnerabilities that you need to protect against. WordPress is used by a third of the internet so is a prime target for hackers. This is the main reason you need a WordPress security plugin, not because the CMS is a security risk.
Why is WordPress hacked so much?
WordPress is hacked so much because it is so popular. It is no more or less secure than other technologies but because it powers over a third of websites on the internet, it is a prime target for attack. All websites are vulnerable to hacking, hence the emphasis on protecting what’s yours.
Which WordPress security plugin works for you?
It is universally agreed that every website should use some form of security. Exactly what form that takes is entirely up to you. After reading this page, you now have a good idea of what solutions are available, what they can and cannot do and how much they cost.
The rest is up to you.
If you're not using one of the above WordPress security plugins, which do you use? Have you found any problems with the above, or is there anything you'd like to say? Let us know in the comments below.
Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!