WordPress is the world's most popular content management system, so the scale of attacks against WordPress sites is not surprising. Using WordPress security plugins is one way to protect a WordPress website, and it has proven effective.
That isn’t meant to scare you about WordPress attacks – securing your WordPress site doesn’t require you to be a programming guru. But you will want some WordPress security plugins and tools to get the job done.
In this post, we will cover a selection of the best WordPress security plugins and tools out there, along with their pros and cons. Then, at the end, we'll try to help you pick the right set of tools based on your own situation.
Quick caveat: WordPress security isn’t just about plugins and tools
All of the security plugins and tools on this list will help you make WordPress more secure. But they don’t eliminate the need for action on your part.
Think of them kind of like a vehicle seat belt. Sure – seat belts will help protect you in a crash, but they aren’t a license to go out and drive recklessly. These tools are like that. They give you some much-needed protection, but you still need to drive safely if you want to stay safe and secure.
So what is “driving safely” in the WordPress world? Here we are talking about really simple things like:
- Promptly updating your WordPress software, plugins, and themes
- Using a secure password for your WordPress administrator account and web hosting account
- Only using themes and plugins from reputable developers/sources
- Backing up your site on a regular basis
Those tips might seem overly simplistic, but doing those four things alone will help protect you from most WordPress security issues. Then, to protect your site from everything else, you can use these WordPress security plugins and tools.
Let's define a few key security terms before we move on
While these plugins and tools make things pretty simple, WordPress security still includes a lot of terms that you might not be familiar with.
To help you understand what these tools are actually doing, we want to explain a few of the most common terms that you’ll see throughout the rest of the post.
Firewall - also referred to as a WAF (web application firewall). For your WordPress site, a firewall basically sits between your site’s server and all the incoming traffic. Because it occupies this position, it’s able to inspect and filter out malicious requests before they even reach your server.
Not all firewalls are created equal, though. The effectiveness of your chosen firewall depends on the rules and configurations that the firewall provider puts in place.
Malware scanning - Just like you would scan your own computer for viruses and malware, many of these tools can scan your WordPress site’s server for malware.
Security hardening - These are basically little tweaks that, when put together, help make your site more secure.
So, let's look at our recommended plugins
1. Wordfence – A simple, all-in-one security plugin
Wordfence is the biggest name in WordPress security, especially when it comes to all-in-one solutions. It’s active on over two million sites while maintaining an impressive 4.8-star rating on over 3,000 reviews.
Suffice it to say, a lot of people like it. So why is it so popular?
First, it comes in a generous free version (as well as a premium version).
Second, it offers an all-in-one approach to WordPress security.
At a broad level, it includes a web application firewall to filter and block malicious traffic, as well as a built-in malware scanner to check your files for malware, backdoors, and other malicious injections.
Both the free and Pro versions include these two core features, but the Pro version offers more of a real-time approach to both. For example, the Pro version’s firewall gets real-time firewall rule updates, while the free version only updates every 30 days.
Similarly, the Pro version’s malware scan updates its signatures in real-time, while the free version is delayed by 30 days. So if you want protection against the most cutting-edge exploits, you’re better off with the Pro version.
Beyond those broad protections, it also makes a lot of the little tweaks that can further harden your site.
Best Features of Wordfence Security
- The free version is powerful enough for smaller websites.
- Developers can save tons of money when they sign up for multiple site keys.
- It has a full firewall suite with tools for country blocking, manual blocking, brute force protection, real-time threat defense, and a web application firewall.
- The scan portion of the plugin fights off malware, real-time threats, and spam.
- The plugin monitors live traffic by viewing things like Google crawl activity, logins and logouts, human visitors, and bots.
- You gain access to some unique tools like the option to sign in with your cell phone and password auditing.
- The comment spam filter removes the need to install a separate plugin for this.
- Two-factor authentication to secure your login
- Update notifications
- Email alerts for important actions, like an administrator account signing in
- Limit login attempts (automatically block users that enter incorrect passwords/usernames too many times)
- Enforce strong passwords
Price: Free at WordPress.org. Pro version starts at $99 per year, though you get discounts for purchasing multiple years at a time.
2. iThemes Security – Another popular all-in-one security plugin
iThemes Security is another popular all-in-one security solution that comes in both a free and a premium version. iThemes is a long-standing WordPress company that was recently acquired by Liquid Web. iThemes Security does not include a firewall like Wordfence, but it does offer malware scanning.
Beyond malware scanning, it also comes with a whole heap of smaller security tweaks to harden your WordPress site.
First, it does a number of things to protect your login page like:
- Hiding the login page.
- Blocking hosts/users with too many failed login attempts to protect from brute force attacks.
- Enforcing strong passwords for all user accounts.
- Renaming the “admin” account if you’re still using admin as a username.
- Removing login error messages.
- Offering two-factor authentication (Pro).
Then, there are lots of other small tweaks, many of which you’ll see in WordPress security guides:
- Disable in-dashboard file editing.
- Remove update notifications for unauthorized users.
- Change the WordPress database prefix.
- Change wp-content path.
- Log user actions.
If you’d like to use iThemes Security, the developers recommend pairing it with Sucuri’s WordPress firewall.
Price: Free at WordPress.org. Pro version starts at $80 per year.
3. Sucuri – Comes as both a plugin and firewall service
Sucuri is a popular website security solution that has two different products that help with WordPress security:
- A free plugin
- A paid firewall service
You can pair both of these together, or you can opt to just use one of them (or pair the firewall with a different plugin, like iThemes security).
Sucuri’s security plugin is available for free at WordPress.org. It doesn’t include the firewall functionality, but it does a lot to keep your site secure (and it can help you integrate the firewall, if you opt to pay for it).
First, it includes activity auditing and file integrity monitoring. Basically, these two features help you monitor what’s happening on your site. For example, the activity auditing can show you failed login attempts and the file integrity monitoring can tell you if any of your core WordPress files have been modified.
Beyond that, the plugin includes basic malware scanning. This functionality is essentially an in-dashboard implementation of Sucuri’s free SiteCheck scanner. As such, it’s more limited than many other solutions and won’t be able to catch all malware.
Finally, Sucuri’s plugin also includes some basic WordPress security hardening tweaks, like blocking PHP files in the uploads directory and disabling in-dashboard file editing.
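To make the hardening tweaks in this section (and in the iThemes list above) concrete, here is a small added audit script that is not code from the page or from any of these plugins. It checks the text of wp-config.php for the DISALLOW_FILE_EDIT constant and the default wp_ table prefix, and checks an uploads-directory .htaccess for a rule that denies PHP execution; the file contents are constructed samples, the constant and Apache directive names are real.

```python
"""Audit a few of the WordPress hardening tweaks discussed above.

Added illustration, not plugin code. The sample file contents at the bottom
are constructed; DISALLOW_FILE_EDIT, $table_prefix and the Apache directives
are the real names WordPress and Apache use.
"""
import re


def audit_wp_config(text):
    """Return a list of findings for wp-config.php text (empty list = both checks pass)."""
    findings = []
    # WordPress only disables the in-dashboard theme/plugin editor when
    # DISALLOW_FILE_EDIT is defined as true.
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text, re.I):
        findings.append("in-dashboard file editing is enabled (DISALLOW_FILE_EDIT not true)")
    # The stock table prefix is wp_; hardening guides recommend changing it.
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if m is None or m.group(1) == "wp_":
        findings.append("database prefix is the default wp_")
    return findings


def audit_uploads_htaccess(text):
    """Return findings for the uploads-directory .htaccess (Apache 2.2/2.4 syntax)."""
    block = re.search(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', text, re.S | re.I)
    if block is None:
        return ["no FilesMatch block: PHP files placed in wp-content/uploads stay executable"]
    pattern, body = block.groups()
    if not re.search(r"php", pattern, re.I):
        return ["FilesMatch block does not cover .php files"]
    # 'Require all denied' is the Apache 2.4 form, 'Deny from all' the 2.2 form.
    if not re.search(r"Require\s+all\s+denied|Deny\s+from\s+all", body, re.I):
        return ["FilesMatch block matches PHP files but does not deny access"]
    return []


# Constructed samples: a stock-looking wp-config.php, a hardened one, and an
# uploads .htaccess of the kind these plugins write.
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'example');
$table_prefix = 'wp_';
"""
HARDENED_WP_CONFIG = """<?php
define('DB_NAME', 'example');
$table_prefix = 'x7q_';
define('DISALLOW_FILE_EDIT', true);
"""
UPLOADS_HTACCESS = """<FilesMatch "\\.(php|phtml|php\\d)$">
    Require all denied
</FilesMatch>
"""


def run_audit(wp_config_text, uploads_htaccess_text):
    """Combine both checks into one report keyed by file."""
    return {
        "wp-config.php": audit_wp_config(wp_config_text),
        "uploads/.htaccess": audit_uploads_htaccess(uploads_htaccess_text),
    }


if __name__ == "__main__":
    for name, findings in run_audit(WEAK_WP_CONFIG, "Options -Indexes\n").items():
        print(name, "->", findings or "ok")
```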
Price: Free at WordPress.org
Sucuri Firewall is one of the commonly used tools for WordPress security. Whereas Sucuri’s plugin is about monitoring and basic hardening, Sucuri’s Firewall service proactively blocks threats before they happen and also protects you from DDoS attacks.
Beyond blocking malicious bots and known exploits, Sucuri also uses its large network and machine learning to constantly improve its firewall rules and protect your site from newly discovered exploits.
Additionally, Sucuri lets you create your own firewall rules. For example, you can have Sucuri restrict access to your WordPress dashboard to a specific set of whitelisted IP addresses.
Sucuri Firewall also includes a CDN to speed up your site, though that doesn’t really have anything to do with WordPress security!
Price: $19.98 per month for just the firewall. Or, included as part of the broader Sucuri Website Security Platform, which starts at $299.99 per year.
4. WebARX – A firewall that makes it easy to manage multiple sites
WebARX is a relatively new service that adds a secure firewall to your websites, as well as a few other features.
It’s not specific to WordPress, but it does include a WordPress plugin to make the setup easy.
One of the nice things about WebARX is that it makes it easy to monitor all of your websites from one single dashboard. So if you have a lot of smaller sites spread out, this is a convenient way to keep an eye on all of them from one spot.
Beyond the firewall to protect your site from attacks and malicious bots, WebARX also includes uptime and defacement monitoring. If your site goes down or is defaced, you can get a notification via email or Slack. Again, this is helpful if you have a bunch of small sites that you don’t check that often.
Price: Starts at $10 per month.
5. MalCare – Performance-optimized WordPress malware scans
MalCare is a WordPress security plugin that, as you can probably guess from the name, focuses on malware detection and removal.
One of the things that I like about MalCare in comparison to something like Wordfence is that MalCare does its scanning on its own servers. Scanning for malware is a pretty intensive process, so if a plugin is doing the scans on your live server, it can slow down your site while the scan is running.
MalCare fixes that by using its own servers to do the scanning.
It’s also just generally built to catch malware that other plugins don’t. And if it does catch something, it offers one-click malware removal to get rid of the offending file.
MalCare also does include a firewall, but I don’t think it’s as high-quality as what you get with Sucuri, so I’d still recommend using Sucuri’s firewall instead if you can swing the price.
Beyond that, it also offers some basic security hardening like:
- CAPTCHA for your login page
- Limit login attempts
- Disable file editing
- Disable file execution in uploads folder
In general, though, I think the unique selling proposition for MalCare is off-server malware scanning. Like WebARX, it also lets you manage multiple sites from one single dashboard, which is another nice bonus.
Price: Starts at $8.25 per month
6. VaultPress – Off-site backups and malware scans
VaultPress is a backup and security service from Automattic, the same company behind WordPress.com. It’s part of the paid Jetpack plans, so you’ll also get access to all of the other premium Jetpack features if you go with VaultPress.
Like MalCare, one of the neat things about VaultPress is that it does its security scanning on its own servers, which ensures that there’s never any performance hit to your website.
Here’s how that works:
Every day, VaultPress automatically backs up your site to its secure servers. Then, it scans the files that it just backed up for malware or other infiltrations.
On the highest tier plan, VaultPress can also automatically fix any security issues that it discovers (the cheapest tier only supports “manual resolution”, though).
Overall, VaultPress is a good option if you want something that combines security scanning with backups. You still might want a separate firewall solution, though.
Price: $99 per year for basic security (Jetpack Premium) or $299 for automatic resolution (Jetpack Professional)
7. Cloudflare – DDoS protection, firewall, and easy security rules
Cloudflare is commonly thought of as a performance-boosting tool because of its CDN functionality. It’s a stellar option to speed up your WordPress site. But because Cloudflare acts as a reverse proxy, it’s also a great tool to secure your WordPress site. Essentially, a reverse proxy sits between your visitors’ browsers and your website’s server and directs traffic, which lets it filter out malicious actors.
Cloudflare’s free plan offers basic security in the form of DDoS protection and reputation-based threat protection (blocks known malicious threats from accessing your site).
If you’re willing to pay, though, Cloudflare’s paid plans include a web application firewall as well as IP whitelisting rules.
If you’re already using Cloudflare for its performance-boosting features, you might want to consider upgrading to the paid plans to take advantage of the web application firewall.
Price: Free with basic security. Paid plans with the firewall start at $20 per month
8. Login No Captcha reCAPTCHA – Brute force protection
Login No Captcha reCAPTCHA is a much smaller solution than all the other plugins. While the other tools are all focused on firewalls, malware scanning, and other big tweaks, Login No Captcha reCAPTCHA really only does one thing: Add Google reCAPTCHA protection to your login page.
This is an easy way to protect your login page from brute force attacks and keep out unauthorized users.
Some all-in-one-security plugins already add this functionality (e.g. iThemes Security). But if you opt not to use one of those all-in-one solutions, you should still consider Login No Captcha reCAPTCHA to lock down your login page.
Price: 100% free
9. WP fail2ban
WP fail2ban delivers one feature, but it’s a rather important one: protection from brute force attacks. The plugin takes a different approach which many see as more effective than what you get from some of the security suite plugins listed above. WP fail2ban documents all login attempts, regardless of their nature or outcome, to the syslog using LOG_AUTH. You have the option to implement a soft or hard ban, which is different from the more traditional approach of only choosing one.
There’s not much to know in terms of configuration for the WP fail2ban plugin. In fact, all you have to do is install it and let it do its magic. In addition, the brute force security plugin is completely free so you don’t have to worry about spending any money. This plugin is truly a standout, since the users consistently report that it works flawlessly.
Best Features of WP fail2ban
- Choose between hard or soft blocks.
- Integrate with CloudFlare and proxy servers.
- Log comments to prevent spam or malicious comments.
- The plugin also logs information about spam, pingbacks, and user enumeration.
- You also have the option to create a shortcode that blocks users immediately before even having a chance to reach the login process.
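The soft/hard split described above, as an added illustration that is not the plugin's or fail2ban's own code: it parses syslog-style lines (constructed samples; the message wording is an assumption modelled on the "Authentication failure for ... from IP" style of message), counts failures per source IP inside a time window, and marks an IP for a soft ban (repeated wrong passwords for a real user) or a hard ban (attempts against unknown usernames or user enumeration).

```python
"""Minimal fail2ban-style analysis of WordPress login events from syslog.

Added example, not code from WP fail2ban or fail2ban. The log lines below are
constructed and the message wording is an assumption; thresholds are arbitrary.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# e.g. "Nov 13 10:15:02 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Soft: a wrong password for an existing account. Hard: probing for accounts that do not exist.
SOFT_RE = re.compile(r"^Authentication failure for \S+ from (?P<ip>[\d.]+)$")
HARD_RE = re.compile(
    r"^(?:Authentication attempt for unknown user \S+|Blocked user enumeration attempt) from (?P<ip>[\d.]+)$"
)


def parse_events(lines, year=2024):
    """Return (timestamp, ip, kind) tuples for lines that represent a failed or suspicious login."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a wordpress auth line (or a successful login we do not count)
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        msg = m.group("msg")
        for kind, pat in (("hard", HARD_RE), ("soft", SOFT_RE)):
            hit = pat.match(msg)
            if hit:
                events.append((ts, hit.group("ip"), kind))
                break
    return events


def decide_bans(events, window=timedelta(minutes=10), soft_max=5, hard_max=1):
    """Map IP -> 'soft' or 'hard' for sources that hit a threshold within one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, kind in sorted(events):
        by_ip[ip].append((ts, kind))
    bans = {}
    for ip, evs in by_ip.items():
        # A hard trigger wins over a soft one, so check it first.
        for kind, limit in (("hard", hard_max), ("soft", soft_max)):
            times = [ts for ts, k in evs if k == kind]
            for i in range(len(times) - limit + 1):
                if times[i + limit - 1] - times[i] <= window:
                    bans[ip] = kind
                    break
            if ip in bans:
                break
    return bans


# Constructed sample log: one password-guessing burst, one user typo, one account probe,
# and two failures spread too far apart to count.
SAMPLE_LOG = """\
Nov 13 10:15:02 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Nov 13 10:15:04 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Nov 13 10:15:07 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Nov 13 10:15:09 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Nov 13 10:15:12 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.5
Nov 13 10:16:00 web1 wordpress(example.com)[1234]: Accepted password for editor from 198.51.100.7
Nov 13 10:20:30 web1 wordpress(example.com)[1234]: Authentication failure for editor from 198.51.100.7
Nov 13 10:21:10 web1 wordpress(example.com)[1234]: Authentication attempt for unknown user administrator from 192.0.2.44
Nov 13 11:30:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.99
Nov 13 11:59:00 web1 wordpress(example.com)[1234]: Authentication failure for admin from 203.0.113.99
""".splitlines()

if __name__ == "__main__":
    print(decide_bans(parse_events(SAMPLE_LOG)))
```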
10. All In One WP Security & Firewall
As one of the most feature-packed free security plugins, All In One WP Security & Firewall provides an easy interface and decent customer support without any premium plans. This is a highly visual security plugin, with graphs and meters that explain metrics like security strength to beginners and show what needs to be done to make your site stronger.
The features are broken down into three categories: Basic, Intermediate, and Advanced. Therefore, you can still take advantage of the plugin if you’re a more advanced developer. The main ways this plugin works are by protecting your user accounts, blocking forceful attempts on your login, and enhancing the user registration security. Database and file security is also packaged into the plugin.
Best Features of All In One WP Security & Firewall
- The WordPress security plugin has a blacklist tool where you can set certain requirements to block a user.
- You can backup .htaccess and .wp-config files. There’s also a tool to restore them if anything goes wrong.
- The plugin shows one graph to specify how strong your website is and a graph that designates points to certain areas of your site. It’s one of the best features for the average user to visualize what’s going on with the security of a site.
- The plugin is free without any upsells along the way.
11. Jetpack
Most people who use WordPress are familiar with Jetpack, and it’s mainly because the plugin has so many features, but it’s also because the plugin is made by the people from WordPress.com. Jetpack is filled with modules to strengthen your social media, site speed, and spam protection. There are so many features in Jetpack that it’s definitely worth exploring.
Some security tools are included with Jetpack as well, making it an appealing plugin for those who want to save money and rely on a reputable solution. For instance, the Protect module is free and it blocks suspicious activity from happening. Brute force attack protection and whitelisting is also supported by the basic security functionality from Jetpack.
That said, the paid versions of Jetpack are more powerful when it comes to security. For instance, the $99 per year plan includes malware scanning, scheduled website backups, and restoration if anything goes wrong. Furthermore, the $299 per year plan offers on-demand malware scans and real-time backups for the ultimate protection.
Best Features of Jetpack
- The free plan provides a decent amount of security for a small website; you can then upgrade to the reasonably priced premium plans and get full support and a plugin that’s one of the best on the market.
- The premium plans turn the plugin into more of a suite, with benefits like backups, spam protection, and security scanning.
- Plugin updates are managed entirely through Jetpack.
- You also get downtime monitoring.
- Jetpack is also a plugin that eliminates the need for other plugins. For instance, it has features for email marketing, social media, site customization, and optimization.
12. SecuPress
SecuPress is a newer security plugin on the market (originally released as freemium in 2016), but it’s definitely one that’s growing rapidly. It’s actually developed by Julio Potier, one of the original co-founders of WP Media, who you might recognize, as they develop WP Rocket and Imagify. There is both a free version and a premium version which includes a lot of additional features.
If you want a security plugin that has a great UI and easy to use interface, SecuPress is definitely the plugin to go with. The free version features anti-brute force login, blocked IPs, and a firewall. It also includes protection of your security keys as well as blocks visits from bad bots (which you usually have to pay for in other security plugins).
If you want even more features, their premium version starts at $59 a year per site and includes additional features such as alerts and notifications, two-factor authentication, GeoIP blocking, PHP malware scans, and PDF reports.
Best Features of SecuPress
- The UI in SecuPress is probably one of the best! This makes it very easy to use, even for beginners.
- The premium version definitely adds a lot of value. Check 35 security points in 5 minutes, get a nice report, and then harden your WordPress site.
- It includes the ability to change your WordPress login URL so bots can’t find it.
- Helps you detect themes and plugins that are vulnerable or that have been tampered with to include malicious code.
13. BulletProof Security
The BulletProof Security plugin has both free and premium versions. The paid option sells for a one-time payment of $69.95 and is actively developed, updated, and probably contains more features than most of the other security plugins on the market. They provide a 30-day money back guarantee, and you receive features for quarantines, email alerting, anti-spam, auto-restore, and more.
It's a good idea to try out the free plugin first, since it offers the following tools:
- Login security and monitoring.
- Database backups and restoring.
- MScan Malware Scanner.
- Anti-spam and anti-hacking tools.
- A security log.
- Hidden plugin folders.
- Maintenance mode.
- A full setup wizard.
It’s not the most user-friendly WordPress security plugin, but it does the job for advanced developers who want to take advantage of unique settings and features like the anti-exploit guard and the online Base64 decoder. It also has a setup wizard auto-fix feature to help make it a little easier.
Best Features of BulletProof Security
- It has some of the most unique advanced security tools on the market, with features like BPS Pro ARQ Intrusion Detection and Prevention System (ARQ IDPS) encrypting solutions, as well as scheduled crons, cURL scans, folder locking, and more.
- The free version is packed with enough features for the average website.
- The database backups are provided in the free version.
- You can hide individual plugin folders.
- The maintenance mode functionality is not something you would find in most other security plugins.
14. Google Authenticator – Two Factor Authentication
The majority of plugins that have individual security features don’t make much sense to install. The reason for this is because you can typically go with a plugin like iThemes Security Pro and get that one feature along with dozens of other ones. However, two-factor authentication is a different story, since it seems like most security suites don’t include it. Therefore, it might make sense to harden your login security with a plugin like this.
The Google Authenticator plugin adds a second layer of security to your login module, which is rather important since the majority of hacking attempts happen with the login. In addition to your regular password, this plugin either sends a push notification to your phone or some other form of authentication such as using a QR code or asking a security question.
This way, your login becomes far less penetrable since the second layer is most likely something that only you know or have on your person (like your phone).
This WordPress security plugin doesn’t require any payment, and the interface is easy enough to understand. Besides choosing the type of authentication, another cool feature lets you specify which type o
Which WordPress security plugins and tools are right for you?
You certainly don’t want to use all of these security plugins and tools on your site. So which ones should you pick?
Well, before making your choice, we recommend that you check what your WordPress host is already doing. Some hosts – especially managed WordPress hosts – might already implement firewalls and malware scanning for you at a server level. So if that’s the case, there’s no need to duplicate their efforts.
Once you know what your host is already doing, here are some tips for choosing your solutions.
If you want a website firewall, Sucuri Firewall is the best option for mission-critical sites, while WebARX offers a more affordable version with a dashboard that makes it easy to manage multiple sites.
You can also combine a firewall and a malware scanning plugin. For example, you can use WebARX for the firewall and MalCare for malware scanning. While MalCare does technically offer a firewall, it’s not the service’s strong point. That’s why you’re better off disabling MalCare’s plugin-based firewall and pairing it with something like WebARX or Sucuri.
You also have the all-in-one security plugins like Wordfence and iThemes Security. These plugins make security really simple, which is good. But because they’re always on and running on your server, they can also slow down your site, which is bad.
For that reason, it may simply be better to pick and choose the specific security features that you want.
Notwithstanding, they are great plugins offering good benefits from a simplicity standpoint.
So if you’re feeling overwhelmed by all of these options and just want something that’s easy to use right out of the box, those two are certainly solid options. You will, however, need to pay close attention to your site’s load times before and after to make sure there’s no noticeable slow-down. That's it.