A Collection of the Best WordPress Security Plugins

Posted on October 26, 2015 by in Resources | 63 comments

Most of us don’t worry about the security of our WordPress website until it’s too late. Security, backups and website recovery are, most of the time, an afterthought.

Avoiding potential problems until it’s too late is human nature, and that will probably never change – for most people. I’d encourage you to be proactive when it comes to WordPress security. Spending just a small amount of time planning and preparing can reduce the risk of your website being hacked.

In this post, we’re going to cover some of the best WordPress security plugins out there. Some of the plugins reviewed offer more specific functionality than others so before making a choice, be sure you’re comparing features properly.

WordPress Security Vulnerabilities

The number of potential security vulnerabilities faced by WordPress websites is actually much greater than most people realize. Typically we think of the obvious things like using strong passwords and keeping WordPress core files up to date. Truth be told, those particular items cover only a small percentage of the total vulnerabilities. Other things that need to be considered include:

  • Server vulnerabilities
  • Theme security
  • Plugin security
  • File permissions
  • Securing specific files (like wp-admin and wp-config and wp-includes)
  • Database security
  • Computer vulnerabilities
  • FTP vulnerabilities
  • and more

As you can see, the list is long and we’ve only just scratched the surface. To make matters more complicated, no single plugin is really capable of covering all the security holes. And that shouldn’t really be your goal either, after all, managing WordPress security is a balancing act. You could spend all day trying to secure your website, but hey, you’ve also got a business to run, right?

How to Tell if Your WordPress Site Has Been Hacked

Figuring out whether or not your WordPress site has been hacked is not always as easy as you might think. There are a few ways to assess your site, none of which is perfect or foolproof. Other than that, it comes down to plain old detective work – and hackers are a sneaky bunch.

Performing regular scans of your website using free third-party services is a good idea. Google Webmaster Tools is the best place to start, since Google’s interpretation of your website will have the greatest impact on your ranking within the SERPs. Just be aware that even GWT is prone to errors – a website that looks problem-free in Google’s eyes may, in fact, have problems. Also, remember to take a look at how your site is indexed by typing “site:yourwebsite.com” into Google search. Scan through a decent sampling of your page/post results and look for anything suspicious.

A service like Sucuri Site Check will scan your site for free. Most of the time, Sucuri will alert you to any sign of malware, spam injections, defacement or blacklisting. Alternatively, there are also inexpensive paid services like CodeGuard that will back up your website every day and alert you to any changes.

Finally, it’s always a good idea to keep an eye on your Google Analytics account for anything unusual. Although GA can be a little tricky these days, with referral traffic causing spikes, you should still keep an eye on the long-term patterns. Monitoring bandwidth use through your host’s cPanel is advisable as well.

Sorting Through the Best WordPress Security Plugins

Protecting your website from the more common WordPress security threats will put you in a much better position than most other sites. The vast majority of website owners don’t give a second thought to security until it’s too late.

Don’t be fooled into thinking that you’ll be able to achieve a 100% secure website – it’s just not realistic. Instead, set yourself a more reasonable goal of limiting your risk and protecting against some of the more common threats.

Remember that protecting against non-targeted attacks is always easier since they are automated and typically scan for common vulnerabilities. Targeted attacks are much more difficult to protect against since it’s your website versus the hacker. Anytime you have an individual who is willing to take time out of their day to analyze your specific website for vulnerabilities, there is an increased risk.

iThemes Security

iThemes Security is available in free and commercial versions

As one of the more popular WordPress security plugins, iThemes Security offers both a free and a premium version, which means there is really no excuse for failing to improve your current security situation. Pricing options for the premium version include:

  • $80/year for 2 sites + 12 months of support and updates
  • $100/year for 10 sites + 12 months of support and updates
  • $150/year for unlimited sites and 12 months of support and updates

iThemes manages to cover most of the common security threats including:

  • Brute force protection.
  • Monitoring core files for any changes.
  • Hiding both the login and admin pages.
  • Locking out users who enter their username or password incorrectly too many times.
  • Two-factor authentication.
  • Logging user actions.
  • Forcing strong passwords for specific user roles, and checking file permissions.
  • Ticketed support is also available to all pro users.

With over 30 different ways that iThemes improves the security of your website, there are a few things to be aware of before jumping in. If you’re installing the plugin on an existing site, there is a possibility that some of the changes might break your site. Of particular concern are the changes made to the database and changing the path of your wp-content directory. As a precaution, make sure you back up your website before activating the plugin or enabling any new features.

Wordfence

Wordfence can also protect your site for free

Wordfence is the second security plugin on our list to feature both a free and a premium version. Depending upon how many licenses you are purchasing and how long each license is valid for, Wordfence can provide some fairly steep discounts. For example, while a single-site 1-year license will cost you $39, a 5-year license will cost just $29.25/year. If you’re running multiple websites or purchasing licenses for client sites, you could pick up 10 license keys good for 12 months at $16.90 each. As you can see, the cost drops significantly with greater volume.

Wordfence is more than just a standalone plugin – at regular (free version) or customized intervals, Wordfence servers will scan your site for file changes, code injections, malware, or known backdoors. The premium option offers advanced scanning options so you can coordinate scans with low traffic periods.

Taking a slightly different approach than iThemes Security, Wordfence specializes in the following tasks:

  • Scanning for file changes
  • Blocking IP addresses
  • Two-factor authentication
  • Country blocking and country redirects
  • Custom alerts

As you can see, Wordfence does a lot to improve the chances of keeping your site secure. It offers some different functionality than the other plugins covered in this post and there is less risk of problems compared to some of the other plugins.

All in One WP Security

All in One is a very popular free option

As what is probably the top free WordPress security tool, All in One WP Security currently shows over 200,000 installations (versus 600K for iThemes). Using a convenient grading system, this plugin makes it relatively easy to see the areas where your website security might need to be improved. The main dashboard has an indicator that ranks your current level of security between 0 and 470, depending upon how many features are currently enabled.

With this plugin, there is also the risk of breaking your site. To reduce the likelihood of this happening, they have implemented three categories of changes – basic, intermediate and advanced. The basic features are relatively safe to activate, while the intermediate and advanced changes have the potential to break some of your website’s functionality. If something goes wrong there are detailed instructions for fixing the problem, but it’s still a good idea to err on the side of caution.

Each primary security feature is contained within its own sub-menu and is supported by a detailed description so you know exactly what you’re changing. A more extensive list of security features includes:

  • The ability to disable the WP Meta information
  • Monitoring user accounts for obvious vulnerabilities
  • Brute Force login attack prevention that’s more extensive than the Limit Login Attempts Plugin
  • A setting that requires you to manually approve new user registrations
  • Database prefix management
  • Protection of specific files, including disabling the editing of PHP files from within the dashboard
  • Blacklisting users based upon their IP address or a range of IP addresses
  • Basic firewall protection
  • Changing the login page URL, cookie-based logins, captchas and whitelists
  • Comment spam prevention
  • File change detection
  • Disabling text copying and blocking your site from being loaded in an iframe

Sucuri Security

Sucuri offers scanning and monitoring

Sucuri offers a free plugin which is available in the WordPress repository. Much like Sucuri’s free web-based scanning tool, the plugin is designed primarily as a method of alerting you to potential problems with your site. There are four primary areas that this plugin can help with:

The first has to do with monitoring and recording all activity within your WordPress installation. Sucuri attempts to keep an accurate log of who’s doing what and when. This particular feature is the equivalent of having a security camera set up to monitor what’s happening on your site – which users are logging in and what are they doing while they’re there.

Another key feature of Sucuri Security is the monitoring of all files, including WP core, themes, and plugins. If you plan to use this feature properly, it’s important to make sure that the plugin is being installed on a clean site. As soon as the plugin is activated it takes a snapshot of all files under the assumption that they are known to be good. From that point forward, you’ll be notified of any changes – including the addition of new files.
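The snapshot-then-diff approach described here (and the file change detection listed for Wordfence and All in One above) is simple enough to show end to end. The following is an added example, not code from any of the plugins: it hashes every file under a web root, stores the baseline outside that root, and later reports added, removed and modified files. The mini WordPress tree it builds is constructed for the demo.

```python
#!/usr/bin/env python3
"""Baseline-and-diff file integrity monitor (added example, not plugin code).
Assumption: the baseline is taken on a known-clean install; that assumption is
what makes every later difference worth looking at."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large media files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash and size."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():  # never follow links out of the web root
                continue
            rel = p.relative_to(root).as_posix()
            snap[rel] = {"sha256": hash_file(p), "size": p.stat().st_size}
    return snap


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Everything the clean baseline does not explain: new, missing and changed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p]["sha256"] != current[p]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(snap: dict, path: Path) -> None:
    """Keep the baseline outside the web root so a site compromise can't rewrite it."""
    path.write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed mini WordPress tree: baseline it, then make the kinds of change
    monitoring should surface (core file edited, unexpected PHP file under
    uploads, wp-config.php missing) and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-includes" / "functions.php").write_text("<?php\n// core\n")
        (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline_file = Path(tmp) / "baseline.json"  # outside the web root
        save_baseline(snapshot(root), baseline_file)

        # Later: changes of the kind a plugin would alert on (constructed here).
        (root / "wp-includes" / "functions.php").write_text("<?php\n// core\n// edited\n")
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php\n// not expected\n")
        (root / "wp-config.php").unlink()
        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Running it on a real site means calling snapshot() on the web root once after a clean install or update, and diffing against that stored baseline on a schedule; legitimate updates need a fresh baseline afterwards, exactly as the plugin's "known good" assumption implies.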

Malware and blacklist monitoring are provided and powered by Sucuri’s free scanner. You’ll also be able to tell if your website has been added to one of the many blacklist engines.

Finally, the plugin also helps you take some of the basic but critical steps necessary to harden your website security including:

  • Removing the WordPress version information
  • Protecting the uploads directory from browsing and PHP execution
  • Restricting access to wp-content and wp-includes
  • Verifying your security keys
  • Restricting access to the file editor from within the WordPress dashboard.
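Several of the hardening items above, and in the All in One WP Security list earlier (file editor disabled, non-default table prefix, real security keys, wp-config.php permissions, uploads directory blocked from PHP execution and listing), can be audited offline from the install directory. This is an added example, not any plugin's code; it assumes a standard layout with wp-config.php in the web root and an Apache-style uploads/.htaccess, and the weak and hardened configs it builds are constructed for the demo.

```python
#!/usr/bin/env python3
"""Offline hardening audit of a WordPress install directory (added example)."""
import re
import stat
import tempfile
from pathlib import Path

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php


def parse_wp_config(text: str) -> dict:
    """Extract define('NAME', value) constants and $table_prefix from wp-config.php."""
    defines = {}
    for m in re.finditer(r"define\(\s*['\"](\w+)['\"]\s*,\s*(.+?)\s*\)\s*;", text):
        defines[m.group(1)] = m.group(2).strip().strip("'\"")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    return {"defines": defines, "table_prefix": prefix.group(1) if prefix else "wp_"}


def audit(root: Path) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cfg_path = root / "wp-config.php"  # assumed to exist in the web root
    cfg = parse_wp_config(cfg_path.read_text())
    defines = cfg["defines"]

    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("dashboard file editor enabled: define('DISALLOW_FILE_EDIT', true) missing")
    if cfg["table_prefix"] == "wp_":
        findings.append("default table prefix wp_ in use")
    bad_keys = [k for k in KEY_NAMES if defines.get(k, "") in ("", PLACEHOLDER)]
    if bad_keys:
        findings.append("security keys missing or placeholder: " + ", ".join(bad_keys))
    mode = stat.S_IMODE(cfg_path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"wp-config.php readable by group/others (mode {mode:o})")

    ht = root / "wp-content" / "uploads" / ".htaccess"
    text = ht.read_text() if ht.exists() else ""
    blocks_php = re.search(r"<FilesMatch[^>]*php[^>]*>.*?(deny from all|Require all denied)",
                           text, re.I | re.S)
    if not blocks_php:
        findings.append("uploads/.htaccess does not deny PHP execution")
    if not re.search(r"Options\s+-Indexes", text, re.I):
        findings.append("uploads/.htaccess does not disable directory listing")
    return findings


def demo() -> dict:
    """Constructed weak and hardened installs; returns the audit result for each."""
    weak_cfg = "<?php\n$table_prefix = 'wp_';\n" + "".join(
        f"define('{k}', '{PLACEHOLDER}');\n" for k in KEY_NAMES)
    hard_cfg = "<?php\n$table_prefix = 'x9q_';\ndefine('DISALLOW_FILE_EDIT', true);\n" + "".join(
        f"define('{k}', 'constructed-random-value-{i}');\n" for i, k in enumerate(KEY_NAMES))
    htaccess = ('<FilesMatch "\\.(php|phtml|php[0-9]?)$">\n  Require all denied\n'
                '</FilesMatch>\nOptions -Indexes\n')
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, cfg, mode, ht in (("weak", weak_cfg, 0o644, None),
                                    ("hardened", hard_cfg, 0o600, htaccess)):
            root = Path(tmp) / name
            (root / "wp-content" / "uploads").mkdir(parents=True)
            (root / "wp-config.php").write_text(cfg)
            (root / "wp-config.php").chmod(mode)
            if ht:
                (root / "wp-content" / "uploads" / ".htaccess").write_text(ht)
            results[name] = audit(root)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["all checks passed"])
```

Against a live site, `audit(Path("/var/www/html"))` (path assumed) produces the same kind of findings list; nginx hosts need the uploads check replaced with a look at the server config, since .htaccess is not read there.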

BulletProof Security

BulletProof Security is packed with features

Although their website is somewhat antiquated, BulletProof Security continues to be a popular WordPress security plugin in the repository with over 100k downloads. BPS offers two versions of their plugin – free and paid. The paid version is a one-time purchase of $59.95 and includes lifetime updates and technical support as well as unlimited installations.

The list of features included with BulletProof Security is too long to reproduce in full, but it includes:

  • An easy one-click setup
  • .htaccess protection against XSS, RFI, CSRF, Base64, SQL injection and other hacking attempts
  • Login security and monitoring including max login attempts and lockout time
  • Database backups
  • Database prefix changes
  • File monitoring and quarantine of uploaded files
  • Email alerts for a variety of user actions
  • Many more

Even though their website is in need of work, their support forums are active within the WordPress repository and questions from users appear to be addressed quickly.

Wrap Up

Taking any security measure to protect your WordPress site can be considered proactive and will put you in a better position than someone who chooses to do nothing. There are several high-quality security plugins available, all of which are capable of making your website more secure – including the free versions.

While there is no such thing as a site being 100% secure, you’re always better leaning towards the side of caution. Even with a security plugin installed, it’s still important to keep an eye out for anything unusual on your site that could indicate a problem. As well, remember that the higher profile your site becomes the greater the risk of a targeted attack.

If you’re currently using any of the plugins covered in this post, please share your experience in the comments.

Article thumbnail image by La1n / shutterstock.com

63 Comments

  1. I use iThemes Security. It’s fantastic!
    Too many bad access attempts can be blocked directly by IP.

    • I agree, iThemes security is awesome. The easy set up is great too. It makes my workflow easier for client sites.

      • Do you use the pro version or the free version, is there really a good reason to upgrade if on a budget?

  2. Great post.

    We’ve had a lot of problems with hacking in the past, but since we’ve installed iThemes security it hasn’t been a problem. Great plugin and super easy to use. My biggest recommendations.

  3. We never talk too much about security, but it is one of the first things to do to protect our websites and to give our customers an acceptable grade of security.

    In our modest opinion iTheme Security + Sucuri together are the best formula.

    • Is there a reason that you don’t include Wordfence in your formula? I tend to combine iThemes + Wordfence, but I am interested to hear why you decide on the other combo.

      Cheers! Niki

  4. Love your articles Joe. I need your help buddy. I came here via Zite app and saw your article on the first line. Can you share your experience on how to set these guys up, so that my blog posts appear on their feed too? Your fan, Rob.

    • Joe Fylan

      Sorry, I’m not familiar with that service?

      Probably something to do with the Elegant Themes blog rather than me personally.

  5. Critical info for each wordpress developer. Too often we find the best plugin for today, but don’t keep current on new or update solutions.

    I appreciate the help!

  6. Hello,

    I agree with your choices, I would add one more, Gauntlet Security, adds a scan option in the tools section, turn it on, scan and fix and then uninstall it.

    Does do some duplication of what iThemes Security does but explains it better to the layman and might be easier for some non tech types to follow.

    Thanks,
    Rob.

    I just noticed you use dribbble.com too, haven’t checked it out but I will and will follow you.

  7. Sucuri Security plugin in is very powerful, and is an extension of their firewall protection services. I found that it provides quite a few features to harden your files.

    The cool thing about it is the alerts that you can set up. Especially, if there too many failed attempts made to access your website.

    I have found that their support is excellent & their site is heavily documented.

    Given that I previously used another company that was $100’s per month, I professionally cannot express that Sucuri’s Security has so very much more to offer.

    Their plugin is genius & can coincide with their paid Fire Wall protection plans for an extremely reasonable fee.

    Without the paid service plan, I am really amazed how they do offer this plugin for free.

    It does so much.

    • But it doesn’t scan for malware, right?

    • Sorry I was replying to the comment below. Not sure why it went here.

  8. Not to cast aspersions as all of the above are great plugins, but I’d add WP Simple Firewall to the list https://wordpress.org/plugins/wp-simple-firewall/, and in fact I’ve replaced all of the above with it as it does the same job without the incessant alerts, that only serve to pat themselves on the back for doing what they’re supposed to do anyway. JMHO

    • But it doesn’t scan for malware, right?

  9. WordFence is slowly becoming my best friend when dealing with WordPress security, i’ll plus one it here 🙂

    • Mee tootoo. I use WordFence on all my sites. It speeds up the site too.

  10. I use iThemes also and have to agree with the others – it is awesome! Love the bruteforce protection. For us it’s been extremely effective and one of the must have plugins!

  11. There are two plugins that we commonly use. Wordfence: great all-round security and built-in caching (Falcon Cache) that works brilliantly. Sometimes Wordfence can give us issues. In that scenario, we opt for WP Simple Security, which we find on par with Wordfence.

  12. a REAL brute force protection can only be achieved on a server level…. at least one should protect wp-login with a htpassword

    • I fully agree, password protect both wp-login and wp-admin folder. A htaccess password is easy to setup, plus it’s a one-off affair. I always begin with htaccess authentication, then think of adding a plugin like WordFence to tighten the security.

      • I’ve never tried putting passwords on any of the files in my system, but now that I think of it, it makes perfect sense. However, I’m wondering if this creates a problem for sites where I want my users to be able to log in…wouldn’t they have to have the wp-login password before the page actually loaded? … Effectively requiring them to have TWO passwords to log in?

        David

  13. The plugin Custom Login URL is simple in what it does. It changes site.com/wp-admin to whatever you want such as site.com/sxz-38. And make sure the login name is changed from admin to something else. I’ve posted other free ideas and plugins on secure-your-website.com. Art

  14. From previous experience I have found that certainly the free versions of the above don’t always have every feature that you would ideally require.

    Has anyone had any experience in use perhaps two of these together to get all functionality required?

    • My go-to combo for the last 6+ months has been ‘free’ versions of both Sucuri and Wordfence.

      For sites that I manage personally and for those I manage for clients with ‘known’ user names, I can heartily recommend the use of WordFence’s feature, under ‘Options –> Login Security Options’, of “Immediately lock out invalid usernames” which blocks the IP of anyone attempting to login with an unknown user name.
      Caveat of course being that strict instructions are given to client users to at the very very very least, remember/spell-correctly their user name. 😉

  15. I am still new on WP. I will download one right now. Which of the free options is the best in your opinion?

    • If your are new, try out WordFence first, the options are simple to setup and you get a live traffic feed and performance optimizer. It does the job of a security plugin and cache.

      • Thanks…I will do that

  16. Yeah, iThemes Security is my choice for every new WordPress Installation.

    I have tried WordFence but it makes excessive database writes to the DB, which I didn’t want to have…

    Your post would be much spicier if it had an additional performance overview/check for the Plugins you supposed… 😉

    • good point Marius.

      I always wondered how iThemes/Wordfence/younameit affect the performance: database writes, scanning time, etc… will this affect the site performance?

  17. I’ve tried and tested all of the security plugins mentioned and now have a really good set up for all of my sites using iThemes Security and Sucuri.

    We don’t change the login url, but pretty much use all of the other settings and it works a treat…or has done (reach for some wood to touch).

  18. I have heard that some people use both ithemes and sucuri free versions, but I don’t know what features to turn on and off so the two themes don’t argue with each other and collapse in a heap.

    Any useful links or tips?

  19. I tried Wordfence and Bullet Proof. The second one disappointed me. It looked complete but the way it got its fingers into htaccess and I couldn’t clear it, I didn’t like it. So now I use Wordfence and I see it as the best security plugin.

  20. I use Bullet Proof security and for a site that doesn’t have UGC (User Generated Content) I feel that it is really good. It was a lot harder to set up before and now has a wizard type approach that makes most of the decisions for you. It allows to fine tune security a lot more than others I feel and cost-wise there is no discussion it is a winner
    To make the most of it and to configure things specifically it does take a bit of time but it is well worth it. It also allows you to manage redirections of domain names and other tailored redirections directly from the console / dashboard.
    Agree about the website, could do with an update, the tool’s CSS also! But in security I’m less bothered about the visual aspect if it does the job properly

    • Plus 1 for BulletProof Security. Never been hacked or had any issues since installing it.

  21. My current setup is:

    WordFence with strong policies. Plus the falcon engine enabled as caching helps massively if a site is under attack.

    There are a couple of features of WF that don’t appear to work particularly well, especially if the site is under a major attack. So…

    NinjaFirewall.

    Sits in front of WP at the app level so reduces all the PHP and MySQL calls.

    Strong policies, block XML-RPC API access, blocks username enumeration (this does not work on WF even though there is an option).

    At the server level, if you have access, ModSecurity using Comodo ruleset. Blocks most brute force attacks as well as a load of others at the server, never reaches the site.

    If I get time I will look into using Fail2Ban as well.

    • Another vote for Ninja Firewall. It’s great and has a wealth of options.

  22. Wordfence all the way. Strong policies for non community sites.

    XML-RPC API is something I’m still hoping WF will address soon.

    I love sucuri for their exposure activity though!

  23. One issue of note: WordPress security and any security plugins, are rendered moot and useless if server security is not addressed. Poor server security renders anything done on the WordPress end useless 😉

    Suffice to say, it’s critical to ensure server level security is addressed *before* attempting to implement site level (WordPress) security.

    Just saying…

    • If I have shared hosting then this is not something I can really address, correct? Hopefully my host is addressing it themselves?

  24. Much appreciated lowdown – clients seem to appreciate web design security more than developers, so you’ve given me something to think about there. Appreciated.

  25. For me, it’s Bulletproof Security. It’s really great and I feel it’s the most complete Security Plugin.

    As mentioned above, it used to be a nightmare to install it in the earlier times but it is constantly maintained and updated and by now it’s just a simple click to protect your website.

    • I second that re BulletProof Security. And it’s now updated to work with an easy one-click Wizard setup.

  26. Wordfence over the last (about) 8 months has gained huge popularity with over 1 mil active installs, impressive Good to Bad ratio reviews, and updates as it evolves and improves, I think the stats are impressive for a reason.

    …Just saying 🙂

  27. So many superb security plugins – if we use 2 or even 3 – is there a risk of them interacting in a way that could be detrimental?

    So far I have Wordfence as my default security plugin for all my blogs and then either sucuri or iThemes as well.

    I would be interested in anyone’s opinion on how they get the best out of these

    🙂

  28. Wordfence all the way.. we use it on every wp website we do

  29. I also use WordFence on all my websites. Based on comments here, I also added Sucuri. Both are working fine.

  30. No doubt, iThemes Security is superior to the others. Very much satisfied by using this. Very user friendly. I am going to recommend this to all.

  31. Hi
    I would really like to know more about combining some of these security-plugins

    @Joe Fylan (or someone else)….. please make article about this 🙂

    By the way ….. I use iTheme Security ALWAYS

    I hide the backend login and combine it with Google’s NoCaptcha (actually I don’t know if it helps me in any way!?)

    //Lars, Copenhagen

    • I agree with Lars B, there needs to be more of a conversation around how to best combine security plugins for best effect.

  32. Nice sharing. I want to try the Wordfence plugin free version. May I know how different the free and premium versions are?

  33. I have been using BruteProtect for some time. In case of securing your site from brute force attacks you can use the BruteProtect WP plugin.

  34. Awesome share, this is really important to protect a blog from getting hacked.
    I am using Wordfence free version on all sites.

    Are there any benefits of using the paid version?

  35. Did anyone ever hear of this Security Plugin? WP Site Guardian

    • WP Site Guardian is the latest whizz bang wordpress security plugin to hit the market (and my inbox about 100 times). I personally use Wordfence and Bullet Proof Security (BPS), the Pro version. I haven’t been hacked yet. WP Site Guardian claims to provide security in areas that both Wordfence and BPS do not. So I reached out to AIT who are the developers of BPS. They never replied but instead left a statement on their forum in which they basically say WP Site Guardian is a scam. Google bulletproof-security-pro-vs-wp-site-guardian and you will see. Their most relevant point I guess is that WP Site Guardian does not have a ‘free’ version on the WordPress Plugin Repository which suggests it may have something to hide.

  36. wordfence is hands down my favourite!!!

  37. I am a big fan of WordFence. It offers everything that you can think of. Easy to set up as well!

  38. Wordfence is my best, it’s free and gives me full security, I love it!!

  39. Oh, I forgot. Can I use 2 security plugins like iThemes and Wordfence, or Wordfence and All in One Security, at the same time on the same WP site?
    If I do, what problems will I face?

  40. Not happy with WORDFENCE. Practically doubled their charges overnight. What used to cost $16 per year on a multi license now costs a whopping £29.79 in the space of a few months of looking.

    How often are they going to increase price once hooked into their system.

    Looking for alternative!!

  41. Nice article

    I’m using Wordfence, currently. Not paying for the external scanning part yet.
    Have had no issues.

    Also using WPBruiser {no-Captcha anti-Spam} blocks spam bots, but doesn’t require captcha for users

    Using Akismet

    Turned off trackbacks/pings-backs/comments since mostly a woo-commerce site(for now)

    Did away with admin as a username

    Require confirm e-mail

    2x Daily snapshots

    Jetpack Monitor

    I see a couple mentioned in article/post that I’ll likely be implementing as well

  42. Bulletproof Security Pro has saved me so much time! I get far fewer security alerts in my inbox and feel much more confident that the sites where it is installed are safe from malware. The login page protection is effective against all brute force attacks and keeps bots from ever successfully attempting to log in. This plugin has replaced the combination of BPS free, Wordfence, Sucuri and GOTMLS (which I also highly recommend) that I was using on all the sites I manage, and still have on sites which do not yet have BPS Pro installed. Even if using it on just one site, it’s a cost-effective solution that will give you peace of mind. I’ve never had a problem with their “antiquated” website and always get thoughtful, effective support promptly when I need it.
