Cybercriminals aren’t going away anytime soon, even if you ask politely. So, the best thing you can do as a WordPress administrator is to secure your site as much as possible to decrease the chances of a successful hack. A good first step to doing this is installing a WordPress security plugin.
Security plugins are built to defend against WordPress-targeted cyberattacks. They include an array of features to do this, including website scanning and web application firewalls (WAFs). WordPress security plugins can be free or paid monthly, but paid versions are often considered worth the recurring expense in order to avoid the fallout of an attack.
Ironically, the wrong plugin can actually increase the chances of a successful hack on your website, which is why it’s important to only choose well-reviewed and well-maintained plugins from the WordPress plugin library.
In this post, we’ve compiled the best plugins to guard your WordPress site from online threats. Let’s save your website.
With over three million downloads to date, Wordfence is a leader in the security plugin space. Its flagship free scanning tool audits all your core files, plugin files, theme files, posts, and comments for suspicious code, faulty URLs, and spam. Wordfence performs these scans regularly and automatically, and alerts you if it detects a threat, vulnerability, or corrupted file. While it does not offer restore options for the latter, it will tell you how the file has been changed so you can repair it faster.
The free version of Wordfence includes a website firewall for keeping bots off your site — unlike most security plugins, which only offer a firewall in their premium version. The free version of Wordfence also includes login attempt limits to stop brute force attacks and live traffic monitoring, which tracks who is visiting your site (be it humans, good bots, or bad bots) and reports malicious intrusion attempts in real time.
Wordfence Security offers a premium version that includes comment spam filters, country blocking, remote scanning, two-factor authentication, and premium customer support. Wordfence Premium starts at $99 per year for one license.
Defender is a new but promising security solution for WordPress that's already been downloaded over one million times. After you install and configure the tool with a few clicks, it immediately goes to work to harden your site.
Defender offers an impressive range of security features for no cost. Like Wordfence, it provides a firewall with IP blocking enabled for free. In addition, its free version includes malware scans, brute-force login protection, threat notifications, and two-factor authentication through Google.
Upgrading to Defender Pro for $49 per month enables scheduling automated scans, more in-depth reporting of security problems, and enhanced support. Your membership also grants access to all other premium WordPress plugins made by WPMU Dev.
iThemes Security has more than 900,000 global users, and also offers both a free version and a paid version.
The free version conducts malware scans powered by Sucuri SiteCheck, and provides tips to address any detected vulnerabilities. It also sets a variety of security requirements throughout your site: It forces strong passwords and SSL on all pages, and prevents the administrator from editing files in case an intruder ever gains access to your private credentials.
iThemes also lets you change the WordPress database table prefix as well as the wp-content path, bans troublesome bots and spiders, prevents brute force attacks, and backs up your database.
For online file comparisons, you'll have to upgrade to the premium version. When a file change is detected, the plugin will scan the origin of the files to determine if the change was malicious or not. Currently, it only works for WordPress core files — not plugins and themes.
Starting at $80 per year, iThemes Security Pro brings more advanced features to the table: GeoIP, two-factor authentication, automated daily malware scanning, password expiration, and Google captchas to name just a few. The free version is a nice choice for beginners, but the premium version is where iThemes shines.
Both versions of iThemes are built to blend with the WordPress administrator interface, and its library of documentation and video tutorials help to lower the learning curve.
Sucuri is known for its exceptional cybersecurity products and services, which are popular among web developers and online businesses. Among these offerings is Sucuri’s free WordPress security plugin, which gives you extensive control over your site and a comprehensive overview of its security-related aspects.
In addition to resources like email alerts, WordPress core integrity checks, and guides for a post-hacking scenario, Sucuri’s plugin contains a scanner which detects malware, errors, outdated code, and blacklisting status.
One limitation of Sucuri’s scanner is that it's a remote tool, so it can only find vulnerabilities in your WordPress website pages. It can’t scan your core files that control your site’s back end.
Furthermore, to unlock the benefits of virtual patching and hardening, DDoS protection, CDN performance optimization, signature detection, and bot blocking, you'll have to pay for Sucuri’s web application firewall service. Plans start at $9.99 per month.
All In One WP Security & Firewall is a free, popular, and versatile security plugin. This add-on boasts its wide range of features for its (lack of) price, which include malware and vulnerability scanning, login protection, comment spam protection, user monitoring, database backups, a firewall, and other ways to harden your website.
All of this is tied together with an intuitive, innovative interface — the plugin presents its findings on a grading system, making it easy for a beginner site owner to understand and improve the safety of their website.
One not-so-beginner-friendly aspect of this plugin: while you can enable basic firewall protection by checking a box in your WordPress dashboard, you'll have to add the plugin's intermediate and advanced firewall rules via your .htaccess file. This can potentially break some functionality of other plugins installed on your site, so there may be some trial-and-error when implementing the more advanced firewall rules.
As a WordPress site owner, there’s a good chance you’ve already heard of Jetpack — it’s regarded within the WordPress community as one of the best plugins around, and for good reason: It offers an easy, all-inclusive solution for site security, performance, and enhanced content management.
The free version of Jetpack offers basic protection: spam and malware blocking, brute-force login protection, a simple activity log, site stat reporting, and plugin auto-updates.
However, we recommend upgrading to at least the Premium plan, which gets you daily malware scans and priority support if you run into functionality problems. One feature that sets Jetpack's premium plan apart from other plugins: you can back up your site in real time and restore it to any point with one click. There's no need to install a separate backup plugin.
If you’re looking for a more advanced and hands-on security plugin, BulletProof Security is a suitable choice. This plugin does its tasks through the main .htaccess file and its main features improve database security, firewall security, and login hardening.
BulletProof also includes manual and scheduled database backups, security logging and HTTP error logging, and the option to turn on maintenance mode so you can introduce changes without exposing potential performance issues to your visitors.
The free version of BulletProof Security is quite capable by itself, and the pro version nearly doubles the number of available features. You'll have to upgrade to this version to unlock its firewall — which some plugins offer for free — but you'll get advanced functionality that no other security plugin offers. Its AutoRestore Intrusion Detection & Prevention System is just one example. This system monitors all of your website files for changes. If file changes are detected or if new files are uploaded to your website, then those files are either auto-restored or quarantined for review of possible malicious activity.
The Bulletproof Security plugin might take a bit more time for beginners to learn, but its setup wizard and comprehensive documentation are there to make things a bit simpler.
For vulnerability testing that’s comprehensive and user-friendly, try the Security Ninja plugin for WordPress. This tool performs more than 50 security checks on your core files, themes, plugins, and password strength, then reports the safety status of your website in your dashboard. The free version of Security Ninja only reports problems, and does not alter your site in any way. So, if you’re hesitant to make big changes right now, try it out.
On the other hand, if you need a plugin that implements fixes to these issues for you, consider an alternative or upgrade to Security Ninja Pro for $39.99 per year. In addition to an auto fixer, the pro version includes a firewall, malware scanner, events logger, and scheduled scans.
We’ve discussed many options for preventing cyberattacks, but most people don’t really want to think about what they would do after a successful hacking attempt. This is where MalCare Security comes in. This plugin specializes in post-attack malware cleanup, offering one-click removal with its premium version (starting at $99 annually).
MalCare free is a solid plugin by itself — it comes with tools for deep malware scanning of your website files and WordPress database, login and bot protection, and a web application firewall. However, you’ll need to upgrade to take advantage of automatic and unlimited post-hack cleanups.
Surprisingly, two-factor authentication isn’t a given for most free WordPress security plugins. If you're looking to supplement a free security plugin you installed, or you’re on a tighter budget and can't afford a premium solution that offers a firewall, IP blocking, malware removal, and other security features, Google Authenticator is a free, simple solution for getting extra login protection.
With this plugin, you can add Google 2FA to your login screens for users at all access levels, as well as to your forms and other user-submission fields. Google Authenticator integrates with other popular content restriction plugins like BuddyPress and Ultimate Member, and even lets you choose your preferred secondary authentication method.
For more granular control of your authentication process, consider upgrading to the pro version for $5 annually.
Shield Security is one of the top-rated and most downloaded security plugins in the WordPress directory. It starts working immediately once activated, so your site is protected even as you learn to configure its settings.
The free version of Shield Security offers an application layer firewall and early identification and automatic blocking of malicious bots. Shield Security is also the only WordPress security plugin that offers full and accurate detection of file modifications for plugins and themes — not just core files. That's because while other plugins rely exclusively on the core fingerprint files that WordPress provides, Shield Security built their own file fingerprints.
To protect premium plugins and themes and gain access to individual, dedicated technical support, you'll need to upgrade to ShieldPRO.
Cerber Security is another five-star security plugin that defends against hacker attacks, spammers, trojans, and malware. The free version of Cerber Security offers sophisticated protection against spam and other malicious activity — but it's not as rich in features as other free versions of plugins on this list.
Upgrading to the premium version will unlock a lot more functionality, including layered spam protection and automated integrity checks. Additionally, with Cerber Security Pro, you can schedule automated website scans and file recovery on an hourly or daily basis. If it detects malware or any modified or infected files, Cerber Security will remove the malware and recover your corrupted files.
Titan Anti-spam & Security began as a simple spam blocker, but has since become a comprehensive security plugin that’s actively installed on more than 100,000 sites. The free version scans system files, themes, and plugins for malware, invalid URLs, backdoors, and SEO spam and hides any comments that seem like spam.
The premium version of Titan is an anti-spam tool, firewall, and malware scanner rolled into one. In addition to a three-step intelligent spam filtering service that allows you to protect your website from spam, it offers a real-time IP blocklist, scheduled scanning on a daily, monthly, and yearly basis, and the ability to update firewall rules and malware signatures.
WP Hide & Security Enhancer is a simple and specialized solution for making your WordPress site more secure.
Designed to defend against brute force, SQL injections, and other attacks that take advantage of outdated plugins and other entry points, WP Hide & Security Enhancer hides your WordPress core files, theme and plugin file paths, and login page. Using URL rewrite techniques and WordPress filters, it removes all WordPress fingerprints automatically — all you have to do is fill in the new file names or paths in your WordPress dashboard.
The one downside: you have to clear data from your server cache and any cache plugins and CDN (if you use them).
NinjaFirewall is one of the most powerful security plugins available in a free and premium version. Unlike other plugins with a firewall, NinjaFirewall “stands” in front of WordPress, meaning it processes all incoming HTTP requests before they reach your site or any of its installed plugins. That makes NinjaFirewall the only WordPress plugin able to protect a site against very large brute-force attacks, including distributed attacks coming from several thousand IPs.
It also provides a powerful filtering engine that can sanitize, normalize, transform, decode, and deobfuscate data from incoming HTTP requests. This allows it to detect any WAF evasion techniques and obfuscation tactics used by hackers that may have gone unnoticed by other plugin firewalls.
In addition, NinjaFirewall offers file integrity monitoring and real-time detection. Not only does it check your file integrity when scanning your website hourly, twice daily, or daily (depending on how you configured the plugin’s settings) — it can also detect any access to a PHP file that was recently modified or created and send you an alert in real time. This alert would contain all the details you needed — script name, IP address, request, date and time — to identify whether it was malicious activity.
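File integrity monitoring, as described here for NinjaFirewall (and earlier for BulletProof's AutoRestore and Shield Security's file fingerprints), boils down to hashing every file under the WordPress root, storing that baseline somewhere an attacker can't reach, and diffing a fresh scan against it. The script below is an added illustration written for this post, not code from any of the plugins; the directory layout it builds in a temporary folder, the file names, and the "recently changed PHP" window are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

# Added example, not any plugin's own code: a minimal file integrity monitor
# for a WordPress install. Hash every file, persist the baseline OUTSIDE the
# web root, and report added / removed / modified files on the next scan.


def sha256_of(path):
    """Stream a file through SHA-256 so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each file (path relative to root, '/' separators) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_baseline(old, new):
    """Classify changes between a stored baseline and a fresh scan."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def recently_changed_php(root, max_age_seconds):
    """PHP files whose mtime falls inside the window: the files a real-time
    alert (like the one the post describes) would want to flag on first access."""
    root = Path(root)
    cutoff = time.time() - max_age_seconds
    return sorted(
        str(p.relative_to(root)).replace(os.sep, "/")
        for p in root.rglob("*.php")
        if p.is_file() and p.stat().st_mtime >= cutoff
    )


def demo():
    """Build a constructed mini WordPress tree, baseline it, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as webroot, tempfile.TemporaryDirectory() as vault:
        root = Path(webroot)
        (root / "wp-content" / "plugins" / "demo").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed sample config\n")
        (root / "readme.html").write_text("<html>constructed sample</html>\n")
        plugin = root / "wp-content" / "plugins" / "demo" / "demo.php"
        plugin.write_text("<?php // constructed sample plugin\n")

        baseline_path = Path(vault) / "baseline.json"   # kept outside the web root
        save_baseline(build_baseline(root), baseline_path)

        # Simulate what a scan is meant to catch: an edited plugin file, a new
        # PHP file dropped into uploads/, and a deleted file.
        plugin.write_text("<?php // constructed sample plugin\n// appended line\n")
        (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        (root / "readme.html").unlink()

        report = diff_baseline(load_baseline(baseline_path), build_baseline(root))
        report["recent_php"] = recently_changed_php(root, max_age_seconds=60)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice you would run `build_baseline` right after a clean install or update, store the JSON somewhere the web server user cannot write to, and run the diff from cron; any entry under `added` or `modified` in `wp-content/uploads/` ending in `.php` deserves a look before anything else.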
For more features, like rate limiting, anti-spam for comments and registration forms, and additional file upload and access controls, you can upgrade to NinjaFirewall WP+ Edition. Plans start at $49 per year for one domain.
It’s important to note that NinjaFirewall requires PHP 5.5 or later and the MySQLi extension. It’s also only compatible with Linux and BSD operating systems. That means WordPress site owners using Microsoft Windows will have to use an alternative.
The cloud security service company CleanTalk designed the Security & Malware Scan plugin to protect WordPress websites from all online threats.
In addition to limiting login attempts and temporarily banning IP addresses with 10+ login attempts to defend against brute force attacks, CleanTalk Security can be configured to block IP addresses that have exceeded a set number of HTTP requests per hour, IP addresses from a specific country, or entire IP networks.
Its web application firewall checks all HTTP requests for SQL Injection, Cross Site Scripting (XSS), uploaded files from non-authorised users, PHP constructions/code, and malicious code. Any blocked requests will be logged and viewable in your control panel. CleanTalk Security will also scan all your WordPress files — including your plugin and theme files, not just the core — and flag any files with suspicious code in your control panel. You can view the code there as well as other detailed security stats.
While the plugin is free, it does require a subscription to CleanTalk’s cloud security service. When you first register an account, you will get a free trial. Once the free trial expires, you can either renew the subscription starting at $8 per year or deactivate the plugin.
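The brute-force protection that CleanTalk, Wordfence and several others on this list offer is a per-IP counter with a temporary ban: count failed logins over a sliding window, ban the address once it crosses a threshold, and separately cap HTTP requests per hour. Here is that logic as an added, self-contained example written for this post (not CleanTalk's or any other plugin's code). The thresholds mirror the page's "10+ login attempts" figure; the window length, ban duration, hourly request cap and sample IP addresses are assumptions chosen for the demo.

```python
import time
from collections import defaultdict, deque

# Added example, not any plugin's own code. Thresholds are assumptions:
# 10 failed logins within 10 minutes -> 15 minute ban, and more than 3600
# requests in an hour -> same ban. Single-process, in-memory state only.
FAILED_LOGIN_LIMIT = 10
LOGIN_WINDOW_SECONDS = 600
BAN_SECONDS = 900
REQUESTS_PER_HOUR_LIMIT = 3600


class RateLimiter:
    """Per-IP brute-force limiter plus request-flood limiter with temporary bans."""

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable for deterministic tests
        self._failed = defaultdict(deque)      # ip -> timestamps of failed logins
        self._requests = defaultdict(deque)    # ip -> timestamps of HTTP requests
        self._banned_until = {}                # ip -> time the ban expires

    @staticmethod
    def _prune(dq, horizon):
        """Drop timestamps older than the window so the deque stays a sliding window."""
        while dq and dq[0] < horizon:
            dq.popleft()

    def is_banned(self, ip):
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if self._clock() >= until:             # ban expired: lift it lazily
            del self._banned_until[ip]
            return False
        return True

    def record_failed_login(self, ip):
        """Call after a failed login. Returns True if this attempt triggered a ban."""
        now = self._clock()
        dq = self._failed[ip]
        self._prune(dq, now - LOGIN_WINDOW_SECONDS)
        dq.append(now)
        if len(dq) >= FAILED_LOGIN_LIMIT:
            self._banned_until[ip] = now + BAN_SECONDS
            dq.clear()
            return True
        return False

    def record_successful_login(self, ip):
        """A real login clears the failure history for that address."""
        self._failed.pop(ip, None)

    def allow_request(self, ip):
        """Call for every HTTP request. Returns False if the IP should be blocked."""
        if self.is_banned(ip):
            return False
        now = self._clock()
        dq = self._requests[ip]
        self._prune(dq, now - 3600)
        dq.append(now)
        if len(dq) > REQUESTS_PER_HOUR_LIMIT:
            self._banned_until[ip] = now + BAN_SECONDS
            return False
        return True


def demo():
    """Replay a constructed burst of failed logins from one IP and report the outcome."""
    now = [1_700_000_000.0]                    # controllable clock for the demo
    limiter = RateLimiter(clock=lambda: now[0])
    attacker, visitor = "203.0.113.5", "198.51.100.7"   # constructed sample IPs
    banned_at = None
    for attempt in range(1, FAILED_LOGIN_LIMIT + 1):
        now[0] += 1.0
        if limiter.record_failed_login(attacker):
            banned_at = attempt
    blocked = not limiter.allow_request(attacker)
    visitor_ok = limiter.allow_request(visitor)
    now[0] += BAN_SECONDS                      # let the temporary ban expire
    released = limiter.allow_request(attacker)
    return {"banned_at_attempt": banned_at, "blocked": blocked,
            "visitor_ok": visitor_ok, "released_after_ban": released}


if __name__ == "__main__":
    print(demo())
```

Two details matter when you wire something like this into a real site: the counters must be keyed on the client address the web server actually saw (not a spoofable header) and, on a multi-process PHP host, the state has to live in shared storage rather than in one worker's memory, which is why the plugins above keep it in the database or in their own cloud service.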
A Good First Step
After finding and configuring your security plugin of choice, you’ll be on track to securing your online presence for you, your teammates, and, most importantly, your visitors and customers.
But, your work doesn’t stop here. Hackers love WordPress for its security vulnerabilities and widely indifferent user base. Don’t wait for something to go wrong — follow our Ultimate Guide to WordPress Security for more tips to stop attacks, many of which you can apply in minutes.
Editor's note: This post was originally published in October 2019 and has been updated for comprehensiveness.
Originally published Feb 25, 2021 7:00:00 AM, updated March 18 2021