The internet is an amazing place. But it can also be a scary place, as hundreds of thousands of sites get hacked every day. Cybercriminals aren’t going away anytime soon — even if you ask politely. So, to protect your site, you need nothing but the best WordPress security plugins.
These security plugins are built to defend against WordPress-targeted cyberattacks. They include an array of features, including website scanning and web application firewalls (WAFs). While HubSpot provides free malware scanning and threat detection through the free Content Hub, WordPress security plugins can be free or charge a monthly fee. Paid versions are often considered worth the recurring expense to avoid the fallout of an attack.
Ironically, the wrong plugin can increase the chances of a successful hack on your website, which is why it’s important to choose well-reviewed and well-maintained plugins from the WordPress plugin library.
In this post, we’ve compiled the best plugins to guard your WordPress site from online threats.
Best WordPress Security Plugins
- Wordfence Security
- SiteGround Security
- iThemes Security
- Sucuri
- All In One WP Security and Firewall
- Jetpack
- BulletProof Security
- Defender
- MalCare Security
- miniOrange's Google Authenticator
- Shield Security
- Cerber Security, Anti-spam & Malware Scan
- Titan Anti-spam & Security
- WP Hide & Security Enhancer
- NinjaFirewall (WP Edition)
- Security & Malware scan by CleanTalk
1. Wordfence Security
Price: Free with paid plans available
With over 4 million downloads to date, Wordfence is a leading security plugin. Its flagship free scanning tool audits your core files, plugin files, theme files, posts, and comments for suspicious code, incorrect URLs, and spam.
Wordfence performs these scans regularly and automatically and alerts you if it detects a threat, vulnerability, or corrupted file. While it doesn’t offer restore options for the latter, it will tell you how the file has been changed so you can repair it faster.
The free version includes a website firewall for keeping bots off your site — unlike most security plugins, which only offer a firewall in their premium version. The free version of Wordfence also includes login attempt limits to stop brute force attacks and live traffic monitoring which tracks who is visiting your site (be it humans, good bots, or bad bots) and reports malicious intrusion attempts in real-time.
Wordfence Security offers a premium version that includes comment spam filters, country blocking, remote scanning, two-factor authentication, and premium customer support.
What we like:
- The plugin’s free version offers great features like a firewall and live traffic monitoring.
- You can get up to a 25% discount when adding more than 15 websites to your premium plan.
- Wordfence offers prompt support to customers who’re having trouble with setting up the plugin.
2. SiteGround Security
Price: 100% Free and available for all WordPress users
The SiteGround Security plugin is free and available for all WordPress users. It is easy to set up and comes with powerful security features divided into several categories: site security, login security, activity log, and post-hack actions. The plugin helps you secure your website at the application level with a set of tools that harden your WordPress installation and protect it from brute-force attempts, unauthorized access, and other attacks.
SiteGround Security comes with a comprehensive activity log with the option to easily block and unblock suspicious users, preventing unauthorized access to your site. Additionally, all plugin users can opt-in for weekly reports with a summary of the most important events and recommendations related to their site's security.
The plugin goes the extra mile with post-hack tools for a quick remedy if you suspect that your website has been hacked, that you've installed a compromised plugin, or that one of your users' logins has been compromised. With a few clicks, you can reinstall all free plugins, force a password reset for all users, and log out all users.
What we like:
- Easy to use even for non-technical users, while still being very powerful
- You can secure your site on all levels from a number of threats, such as brute-force attacks, malware, data leaks, and other security issues.
- It's completely free and comes packed with features that usually cost extra with competitors' solutions
3. iThemes Security
Price: Free, with paid plans available
iThemes Security has more than 1 million global users and offers both a free version and a paid version.
The free version conducts malware scans powered by Sucuri SiteCheck and provides tips to address any detected vulnerabilities. It also sets various security requirements throughout your site. For example, it forces strong passwords and SSL on all pages and prevents the administrator from editing files if an intruder ever gains access to your private credentials.
iThemes also lets you change the WordPress database table prefix and the wp-content path, bans troublesome bots and spiders, prevents brute force attacks, and backs up your database.
For online file comparisons, you'll have to upgrade to the premium version. When a file change is detected, the plugin will scan the origin of the files to determine if the change was malicious or not. Currently, it only works for WordPress core files — not plugins and themes.
Starting at $80 per year, iThemes Security Pro brings more advanced features to the table: GeoIP, two-factor authentication, automated daily malware scanning, password expiration, and Google captchas, to name a few. The free version is an excellent choice for beginners, but the premium version is where iThemes shines.
Both versions of iThemes are built to blend with the WordPress administrator interface, and its library of documentation and video tutorials helps to lower the learning curve.
What we like:
- The plugin’s easy to install and set up even if you have zero cybersecurity background.
- You can run Google scans to identify malware on your site.
- The plugin’s pro version lets you add secure temporary admin access to your site.
4. Sucuri
Price: $10/month
Sucuri is popular among web developers and online businesses for its exceptional cybersecurity products and services. Sucuri’s free WordPress security plugin, which gives you extensive control over your site and a comprehensive overview of its security-related aspects, is among these offerings.
In addition to resources like email alerts, WordPress core integrity checks, and guides for a post-hacking scenario, Sucuri’s plugin contains a scanner that detects malware, errors, outdated code, and blacklisting status.
One limitation of Sucuri’s scanner is that it's a remote tool, so it can only find vulnerabilities in your WordPress website pages. It can’t scan your core files that control your site’s back end.
Furthermore, to unlock the benefits of virtual patching and hardening, DDoS protection, CDN performance optimization, signature detection, and bot blocking, you'll have to pay for Sucuri’s web application firewall service.
What we like:
- Sucuri offers several SSL certificates.
- It instantly notifies you of any errors on your website.
- The free version provides excellent tools for malware scanning and security hardening.
5. All In One WP Security & Firewall
Price: Free
All In One WP Security & Firewall is a free, popular, and versatile security plugin. This add-on boasts a wide range of features for its (lack of) price, including malware and vulnerability scanning, login protection, comment spam protection, user monitoring, database backups, a firewall, and other ways to harden your website.
All of this is tied together with an intuitive, innovative interface — the plugin presents its findings on a grading system, making it easy for beginner site owners to understand and improve the safety of their website.
One not-so-beginner-friendly aspect of this plugin: while you can enable basic firewall protection by checking a box in your WordPress dashboard, you'll have to add the plugin's intermediate and advanced firewall rules via your .htaccess file. This can potentially break some functionality of other plugins installed on your site, so there may be trial and error when implementing the more advanced firewall rules.
What we like:
- Free plugin without any upsells.
- You can back up and restore faulty .htaccess and wp-config.php files.
- It features a blacklist tool that can restrict certain users.
6. Jetpack
Price: Free, with paid plans available
As a WordPress site owner, there’s a good chance you’ve already heard of Jetpack — it’s regarded within the WordPress community as one of the best plugins around, and for good reason. It offers an easy, all-inclusive solution for site security, performance, and enhanced content management.
The free version of Jetpack offers basic protection: spam and malware blocking, brute-force login protection, a simple activity log, site stat reporting, and plugin auto-updates.
However, we recommend upgrading to the Premium plan, which gets you daily malware scans and priority support if you run into functionality problems. One feature that sets Jetpack's premium plan apart from other plugins: you can back up your site in real-time and restore it to any point with one click. There's no need to install a separate backup plugin.
What we like:
- Jetpack lets you back up and restore your website with one click.
- It’s a versatile plugin that jettisons the need for other plugins for social media, optimization, and email marketing.
- Jetpack offers excellent security for small websites.
7. BulletProof Security
Price: Free, with paid plans available
BulletProof Security is a suitable choice if you’re looking for a more advanced, hands-on security plugin. This plugin does its tasks through the main .htaccess file, and its main features improve database security, firewall security, and login hardening.
BulletProof also includes manual and scheduled database backups, security logging and HTTP error logging, and the option to turn on maintenance mode so you can introduce changes without exposing potential performance issues to your visitors.
The free version of BulletProof Security is quite capable by itself, and the pro version nearly doubles the number of features. You'll have to upgrade to this version to unlock its firewall, which some plugins offer for free, but you'll get advanced functionality that no other security plugin provides.
Its AutoRestore Intrusion Detection & Prevention System is just one example. This system monitors all of your website files for changes. If file changes are detected or new files are uploaded to your website, those files are either auto-restored or quarantined for review of possible malicious activity.
The BulletProof Security plugin might take beginners a bit more time to learn, but its setup wizard and comprehensive documentation make things simpler.
What we like:
- Its BPS Pro ARQ Intrusion Detection and Prevention System is one of the most advanced security tools available.
- BulletProof features a maintenance mode that is absent in many other security plugins.
- The free version has rich features that’ll adequately protect a small to average-sized website.
8. Defender
Price: Defender Pro only, $6/month; Security & Backup Packs, $9/month; Agency plan, $19/month
Defender is a new but promising security solution for WordPress that's already been downloaded over one million times. After you install and configure the tool with a few clicks, it immediately goes to work to protect your site.
Defender offers an impressive range of security features for no cost. Like Wordfence, it provides a firewall with IP blocking enabled for free. Additionally, its free version includes malware scans, brute-force login protection, notifications from threats, and two-factor authentication through Google.
Upgrading to Defender Pro for $49 per month enables scheduling automated scans, more in-depth reporting of security problems, and enhanced support. Your membership also grants access to all other premium WordPress plugins made by WPMU Dev.
What we like:
- Defender Pro offers flexible pricing depending on how many websites you own.
- The plugin comes with an Audit Log that tracks every user’s action.
- You can automatically reset all your passwords if you suspect a hack or data breach.
9. MalCare Security
Price: Free, with paid plans available
We’ve discussed many options for preventing cyberattacks, but most people don’t want to think about what they would do after a successful hacking attempt.
This is where MalCare Security comes in. This plugin specializes in post-attack malware cleanup, offering one-click removal with its premium version (starting at $99 annually).
MalCare free is a solid plugin by itself — it comes with tools for deep malware scanning of your website files and WordPress database, login and bot protection, and a web application firewall. However, you’ll need to upgrade to take advantage of automatic and unlimited post-hack cleanups.
What we like:
- MalCare’s off-site scanning reduces server load.
- This plugin has made a name for itself because of its accurate scanning.
- Effectively tests more than 100 signals.
10. miniOrange's Google Authenticator
Price: $95/year
Surprisingly, two-factor authentication isn’t a given for most free WordPress security plugins. However, if you're looking to supplement a free security plugin, or you’re on a tighter budget and can't afford a premium solution that offers a firewall, IP blocking, malware removal, and other security features, miniOrange is a free, simple solution for getting extra login protection.
With this plugin, you can add Google 2FA to your login screens for users at all access levels, as well as to your forms and other user-submission fields. Additionally, Google Authenticator integrates with other popular content restriction plugins like BuddyPress and Ultimate Member and even lets you choose your preferred secondary authentication method.
What we like:
- Effectively eliminates login area vulnerability.
- One of the more affordable security plugins.
- Allows you to choose the 2FA method easiest for you.
11. Shield Security
Price: Free, with paid plans available
Shield Security is one of the top-rated and most downloaded security plugins in the WordPress directory. It starts working immediately once activated, so your site is protected even as you configure its settings.
The free version offers an application-layer firewall and early identification and automatic blocking of malicious bots. Shield Security is also the only WordPress security plugin that offers complete and accurate detection of file modifications for plugins and themes, not just core files. That's because while other plugins rely exclusively on the core fingerprint files that WordPress provides, Shield Security builds its own file fingerprints.
To protect premium plugins and themes and gain access to individual, dedicated technical support, you'll need to upgrade to ShieldPRO.
What we like:
- It offers you plenty of protection without disturbing you with notifications.
- It begins scanning and protection from the moment of activation.
- Provides you with three types of 2FA to choose from.
12. WP Cerber Security, Anti-spam & Malware Scan
Price: Free, with paid plans available
Cerber Security is another five-star security plugin that’s effective against hacker attacks, spammers, trojans, and malware. The free version of Cerber Security offers sophisticated protection against spam and other malicious activity, but it's not as rich in features as other free versions of plugins on this list.
Upgrading to the premium version will unlock more functionality, including layered spam protection and automated integrity checks. Additionally, with Cerber Security Pro, you can schedule automated website scans and file recovery hourly or daily. Cerber Security will remove the malware and recover your corrupted files if it detects malware or any modified or infected files.
What we like:
- Its ability to block PHP file uploads is helpful on sites that share files in PDF and similar formats.
- Cerber Security has a very informative report dashboard.
- It rarely causes any unintended issues, unlike other plugins on the market.
13. Titan Anti-spam & Security
Price: Free, with paid plans available
Titan Anti-spam & Security began as a simple spam blocker but has become a comprehensive security plugin actively installed on more than 100,000 sites. The free version scans system files, themes, and plugins for malware, invalid URLs, backdoors, and SEO spam, and hides any comments that seem like spam.
The premium version of Titan is an anti-spam tool, firewall, and malware scanner rolled into one. In addition to a three-step intelligent spam filtering service that protects your website from spam, it offers a real-time IP blocklist, scheduled scanning daily, monthly, and yearly, and the ability to update firewall rules and malware signatures.
What we like:
- The free version of this plugin scans every line of code of each file.
- Still one of the best plugins at filtering spam.
14. WP Hide & Security Enhancer
Price: $39 for first year, $25/year after the first year
WP Hide & Security Enhancer is a specialized and straightforward solution for making your WordPress site more secure.
Designed to defend against brute force, SQL injections, and other attacks, WP Hide & Security Enhancer hides your WordPress core files, theme and plugin file paths, and login page. Then, using URL rewrite techniques and WordPress filters, it removes all WordPress fingerprints automatically; all you have to do is fill in the new file names or paths in your WordPress dashboard.
The one downside: you have to clear data from your server cache and any cache plugins and CDN (if you use them).
What we like:
- The plugin hides your core files, theme path, login page, and plugin paths from intruders.
- Notifies admin of any suspicious behavior and provides complete details of intruders.
- It’s straightforward to set up.
15. NinjaFirewall (WP Edition)
Price: Free, with paid plans available
NinjaFirewall is one of the most powerful security plugins available, in both a free and a premium version. Unlike other plugins, NinjaFirewall “stands” in front of WordPress, meaning it processes all incoming HTTP requests before they reach your site or any of its installed plugins. That makes NinjaFirewall the only WordPress plugin able to protect a site against massive brute-force attacks, including distributed attacks coming from several thousand IPs.
It also provides a powerful filtering engine that can sanitize, normalize, transform, decode, and deobfuscate data from incoming HTTP requests. This allows it to detect WAF evasion techniques and obfuscation tactics used by hackers that may have gone unnoticed by other plugin firewalls.
In addition, NinjaFirewall offers file integrity monitoring and real-time detection. Not only does it check your file integrity when scanning your website hourly, twice daily, or daily (depending on how you configured the plugin’s settings), it can also detect any access to a PHP file that was recently modified or created and send you an alert in real time. This alert contains all the details you need (script name, IP address, request, date, and time) to identify whether it was malicious activity.
For more features, like rate limiting, anti-spam for comments and registration forms, and other file upload and access controls, you can upgrade to NinjaFirewall WP+ Edition.
It’s important to note that NinjaFirewall requires a PHP version of 5.5 or later and a MySQLi extension. It’s also only compatible with Linux and BSD operating systems. That means WordPress site owners using Microsoft Windows will have to use an alternative.
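File integrity monitoring of the kind Shield Security (its own fingerprints for plugin and theme files, not just core) and NinjaFirewall (alerts on recently modified or created PHP files) describe, as an added Python example; this is not code from either plugin. It fingerprints every PHP file with SHA-256, diffs the tree against a saved baseline, and separately flags files changed inside a one-hour window; the WordPress tree it checks is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass, field
from typing import Dict, List


def fingerprint_tree(root: str, exts=(".php",)) -> Dict[str, str]:
    """Map every file under root with a matching extension to its SHA-256 hex digest."""
    fingerprints = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            fingerprints[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return fingerprints


@dataclass
class IntegrityReport:
    modified: List[str] = field(default_factory=list)
    added: List[str] = field(default_factory=list)
    removed: List[str] = field(default_factory=list)
    recent: List[str] = field(default_factory=list)  # modified/added inside the alert window

    def is_clean(self) -> bool:
        return not (self.modified or self.added or self.removed)


def compare_to_baseline(root: str, baseline: Dict[str, str], recent_seconds: int = 3600) -> IntegrityReport:
    """Diff the live tree against stored fingerprints; flag recent changes separately."""
    current = fingerprint_tree(root)
    now = time.time()
    report = IntegrityReport()
    for rel in sorted(current):
        if rel not in baseline:
            report.added.append(rel)
        elif baseline[rel] != current[rel]:
            report.modified.append(rel)
        else:
            continue  # fingerprint unchanged, nothing to flag
        if now - os.path.getmtime(os.path.join(root, rel)) <= recent_seconds:
            report.recent.append(rel)
    report.removed = sorted(set(baseline) - set(current))
    return report


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> IntegrityReport:
    """Constructed scenario: baseline a tiny fake WordPress tree, then simulate tampering."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        _write(root, "wp-content/plugins/hello/hello.php", "<?php // constructed plugin file\n")
        _write(root, "wp-content/themes/t/functions.php", "<?php // constructed theme file\n")
        baseline = fingerprint_tree(root)
        # Simulated tampering: one file edited, one PHP file dropped into uploads, one deleted.
        _write(root, "wp-content/plugins/hello/hello.php", "<?php // constructed: edited later\n")
        _write(root, "wp-content/uploads/x.php", "<?php // constructed: new file\n")
        os.remove(os.path.join(root, "wp-content/themes/t/functions.php"))
        return compare_to_baseline(root, baseline)
```

In production the baseline would be stored outside the web root (or signed), since a fingerprint file an intruder can rewrite proves nothing.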
What we like:
- The plugin has a non-intrusive user interface.
- It features IP, country, URL, bot, and role-based access control.
- Its rate limiting option helps block attacks by bots, web scrapers, HTTP attacks, and sinister users.
16. Security & Malware Scan by CleanTalk
Price: $9/year
The cloud security service company CleanTalk designed the Security & Malware Scan plugin to protect WordPress websites from all online threats.
In addition to limiting login attempts and temporarily banning IP addresses with 10+ login attempts, CleanTalk Security can be configured to block IP addresses that have exceeded a set number of HTTP requests per hour, IP addresses from a specific country, or entire IP networks.
Its web application firewall checks all HTTP requests for SQL injection, cross-site scripting (XSS), uploaded files from non-authorized users, PHP constructs/code, and malicious code. Any blocked requests are logged and can be viewed in your control panel. CleanTalk Security will also scan all your WordPress files, including your plugin and theme files, not just the core, and flag any files with suspicious code in your control panel. You can view the code there along with other detailed security stats.
While the plugin is free, it does require a subscription to CleanTalk’s cloud security service. When you first register an account, you will get a free trial. Once the free trial expires, you can renew the subscription starting at $8 per year or deactivate the plugin.
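The login-attempt and request-rate rules described for CleanTalk above (and the login limits most plugins on this list offer), applied to ordinary web server access logs as an added Python example; this is not CleanTalk's code. It assumes Apache/nginx combined log format and that WordPress answers a failed POST to wp-login.php with HTTP 200 (the form re-rendered) while a successful login redirects with 302; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, List, Optional, Set

# Apache/nginx "combined" log format, assumed for the constructed sample lines.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def ips_reaching_limit(records: Iterable[dict], keep: Callable[[dict], bool],
                       limit: int, window: timedelta) -> Set[str]:
    """IPs with at least `limit` matching records inside any sliding `window`."""
    by_ip: Dict[str, deque] = defaultdict(deque)
    flagged: Set[str] = set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not keep(rec):
            continue
        q = by_ip[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(rec["ip"])
    return flagged


def is_failed_login(rec: dict) -> bool:
    # Assumption: failed wp-login.php POST -> 200 (form shown again); success -> 302 redirect.
    return rec["method"] == "POST" and rec["path"].startswith("/wp-login.php") and rec["status"] == 200


def failed_login_ips(lines: Iterable[str], limit: int = 10,
                     window: timedelta = timedelta(minutes=15)) -> Set[str]:
    """The "10+ login attempts" rule: IPs that would receive a temporary ban."""
    recs = [r for r in map(parse_line, lines) if r]
    return ips_reaching_limit(recs, is_failed_login, limit, window)


def rate_limited_ips(lines: Iterable[str], limit: int = 1000,
                     window: timedelta = timedelta(hours=1)) -> Set[str]:
    """The "too many HTTP requests per hour" rule, counting every request."""
    recs = [r for r in map(parse_line, lines) if r]
    return ips_reaching_limit(recs, lambda r: True, limit, window)


def constructed_log() -> List[str]:
    """Constructed sample traffic (documentation IP ranges, not real hosts)."""
    base = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip: str, offset_s: int, method: str, path: str, status: int) -> str:
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [line("203.0.113.5", 3 * i, "POST", "/wp-login.php", 200) for i in range(12)]    # 12 failures
    lines += [line("198.51.100.7", 60 * i, "POST", "/wp-login.php", 200) for i in range(3)]  # 3 failures...
    lines.append(line("198.51.100.7", 200, "POST", "/wp-login.php", 302))                    # ...then success
    lines += [line("192.0.2.9", i, "GET", f"/?p={i}", 200) for i in range(1200)]             # 1200 GETs in 20 min
    return lines
```

Real deployments also need to watch xmlrpc.php and REST login endpoints, and to exempt trusted proxies, or the shared IP of a reverse proxy will be banned instead of the client.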
What we like:
- It eliminates the need for CAPTCHA and complicated communication methods for spam protection.
- Offers protection over all your website forms without the need to install a new plugin.
- It’s simple to use.
A Good First Step in WordPress Security
After finding and configuring your security plugin of choice, you’ll be on track to securing your online presence for you, your teammates, and, most importantly, your visitors and customers.
But, your work doesn’t stop here. Hackers love WordPress for its security vulnerabilities and widely indifferent user base. Don’t wait for something to go wrong — follow our Ultimate Guide to WordPress Security for more tips to stop attacks, many of which you can apply in minutes.
Editor's note: This post was originally published in October 2019 and has been updated for comprehensiveness.