The internet is an amazing place. But it can also be a scary place, especially if you run a WordPress website. On average, 30,000 new websites are hacked every day, and many of these are WordPress-powered websites without basic but essential security measures in place.
Cybercriminals aren’t going away anytime soon, even if you ask politely. So, the best thing you can do as a WordPress administrator is to secure your site as much as possible to decrease the chances of a successful hack. A good first step to doing this is installing a WordPress security plugin.
Security plugins are built to defend against WordPress-targeted cyberattacks. They include an array of features to do this, including website scanning and web application firewalls (WAFs). WordPress security plugins can be free or paid monthly, but paid versions are often considered worth the recurring expense in order to avoid the fallout of an attack.
Ironically, the wrong plugin can actually increase the chances of a successful hack on your website, which is why it’s important to only choose well-reviewed and well-maintained plugins from the WordPress plugin library.
In this post, we’ve compiled the 10 best plugins to guard your WordPress site from online threats. Let’s save your website.
With over three million downloads to date, Wordfence is a leader in the security plugin space. Its flagship free scanning tool audits all your core files, plugin files, theme files, posts, and comments for suspicious code, faulty URLs, and spam. Wordfence performs these scans regularly and automatically, and alerts you if it detects a threat or vulnerability.
The free version of Wordfence also includes a website firewall for keeping bots off your site, login attempt limits to stop brute force attacks, and live traffic monitoring, which tracks who is visiting your site (be it humans, good bots, or bad bots) and reports malicious intrusion attempts in real time.
Wordfence Security also comes as a premium version that includes comment spam filters, country blocking, remote scanning, two-factor authentication, and premium customer support. Wordfence Premium starts at $99 per year for one license.
Defender is a new but promising security solution for WordPress. After you install and configure the tool with a few clicks, it immediately goes to work to harden your site.
Defender offers an impressive range of security features for no cost: In addition to malware scans, brute-force login protection, and threat notifications, its free version also includes two-factor authentication (through Google) and a firewall with IP blocking enabled.
Upgrading to Defender Pro for $49 per month enables automated scans, more in-depth reporting of security problems, and enhanced support. Your membership also grants access to all other premium WordPress plugins made by WPMU Dev.
iThemes Security has more than 900,000 global users, and also offers both a free version and a paid version.
The free version conducts malware scans powered by Sucuri SiteCheck, and provides tips to address any detected vulnerabilities. It also sets a variety of security requirements throughout your site: It forces strong passwords and SSL on all pages, and prevents the administrator from editing files in case an intruder ever gains access to your private credentials.
iThemes also lets you change the WordPress database table prefix as well as the wp-content path, bans troublesome bots and spiders, prevents brute force attacks, and backs up your database.
Starting at $80 per year, iThemes Security Pro brings more advanced features to the table: GeoIP, two-factor authentication, automated malware scanning, password expiration, and Google captchas to name just a few. The free version is a nice choice for beginners, but the premium version is where iThemes shines.
Both versions of iThemes are built to blend with the WordPress administrator interface, and their library of documentation and video tutorials helps to lower the learning curve.
Sucuri is known for its exceptional cybersecurity products and services, which are popular among web developers and online businesses. Among these offerings is Sucuri’s free WordPress security plugin, which gives you extensive control over your site and a comprehensive overview of its security-related aspects.
In addition to resources like email alerts, WordPress core integrity checks, integration with Sucuri’s web application firewall product (starting at $9.99 per month), and guides for a post-hacking scenario, Sucuri’s plugin contains a scanner which detects malware, errors, outdated code, and blacklisting status.
Note that Sucuri’s scanner is a remote tool, so it can only find vulnerabilities in your WordPress website pages. It can’t scan your core files that control your site’s backend.
All In One WP Security & Firewall is a free, popular, and versatile security plugin. This add-on boasts a wide range of features for its (lack of) price, including malware and vulnerability scanning, a firewall, login protection, comment spam protection, user monitoring, database backups, and other ways to harden your website.
All of this is tied together with an intuitive, innovative interface — the plugin presents its findings on a grading system, making it easy for a beginner site owner to understand and improve the safety of their website.
As a WordPress site owner, there’s a good chance you’ve already heard of Jetpack — it’s regarded within the WordPress community as one of the best plugins around, and for good reason: It offers an easy, all-inclusive solution for site security, performance, and enhanced content management.
The free version of Jetpack offers basic protection: spam and malware blocking, brute-force login protection, a simple activity log, site stat reporting, and plugin auto-updates. However, we recommend upgrading to at least the Premium plan, which gets you daily site backups, daily malware scans, and priority support if you run into functionality problems.
If you’re looking for a more advanced and hands-on security plugin, BulletProof Security is a suitable choice. This plugin does its work through the main .htaccess file, and its main features cover database security, firewall security, and login hardening.
BulletProof also includes manual and scheduled database backups, security logging and HTTP error logging, and the option to turn on maintenance mode so you can introduce changes without exposing potential performance issues to your visitors.
The free version of BulletProof Security is quite capable by itself, and the pro version nearly doubles the number of available features. It might take a bit more time for beginners to find their way around, but its setup wizard and comprehensive documentation are there to make things a bit simpler.
For vulnerability testing that’s comprehensive and user-friendly, try the Security Ninja plugin for WordPress. This tool performs more than 50 security checks on your core files, themes, plugins, and password strength, then reports the safety status of your website in your dashboard. The free version of Security Ninja only reports problems, and does not alter your site in any way. So, if you’re hesitant to make big changes right now, try it out.
On the other hand, if you need a plugin that implements fixes to these issues for you, consider an alternative or upgrade to Security Ninja Pro for $39.99 per year.
We’ve discussed many options for preventing cyberattacks, but most people don’t really want to think about what they would do after a successful hacking attempt. This is where MalCare Security comes in. This plugin specializes in post-attack malware cleanup, offering one-click removal with its premium version (starting at $99 annually).
MalCare free is a solid plugin by itself — it comes with tools for deep malware scanning of your website files and WordPress database, login and bot protection, and a web application firewall. However, you’ll need to upgrade to take advantage of automatic unlimited post-hack cleanups.
Surprisingly, two-factor authentication isn’t a given for most free WordPress security plugins. If you’re on a tighter budget but still want extra login protection, Google Authenticator is a free, simple solution.
With this plugin, you can add Google 2FA to your login screens for users at all access levels, as well as to your forms and other user-submission fields. Google Authenticator integrates with other popular content restriction plugins like BuddyPress and Ultimate Member, and even lets you choose your preferred secondary authentication method.
For more granular control of your authentication process, consider upgrading to the pro version for $5 annually.
After finding and configuring your security plugin of choice, you’ll be on track to securing your online presence for you, your teammates, and, most importantly, your visitors and customers.
But your work doesn’t stop here. Hackers love WordPress for its security vulnerabilities and widely indifferent user base. Don’t wait for something to go wrong — follow our Ultimate Guide to WordPress Security for more tips to stop attacks, many of which you can apply in minutes.
Originally published Oct 13, 2020 9:02:00 AM, updated October 14 2020