6 Best WordPress Security Plugins for a Safer Site
A list of the best WordPress security plugins to protect your website from hackers. Keep WordPress safe with these recommended free & paid security plugins.
WordPress is relied upon by millions of businesses, both large and small, to power their online presence. While WordPress is a powerful and flexible publishing tool, it also makes a juicy target for hackers and other nefarious characters. This is mainly because of its widespread use. Over 28% of all websites on the Web are now powered by WordPress! With such a large market share, WordPress remains one of the most targeted platforms on the Web. This is why it’s crucial for WordPress users to take steps to secure their site.
In this article, I'll list the best WordPress security plugins, both free and paid, to help you keep your website safe.
GETTING BETTER & BETTER: Both WordPress and PHP, the language it is written in, have seen many security improvements, and many of the earlier vulnerabilities have been eliminated in recent versions. You do not need to know how to code to reduce the risk of being hacked: some very easy-to-use WordPress plugins will handle many of these tasks for you.
6 Plugins to Help Secure WordPress
While there is no such thing as an “unhackable” site, there are ways of making it more difficult for those who would like to break in. It is comparable to fitting several locks to the doors of your house: someone can still get in, but it takes more effort, and most attackers will move on to a less protected target. This is not perfect, but the world being what it is, it is a large part of what we have to go by.
IMPORTANT: Remember to always keep your plugins, themes, and WordPress core updated with the latest version.
Sucuri Security
Sucuri Security is one of the most popular security plugins on WordPress.org. In addition to options for hardening your WordPress site, it does active security monitoring; in other words, it helps you find out whether someone has gained access to your site. It gives you the kind of bird's-eye view a system administrator would have of what is occurring at any given time: it records modifications to your files and settings and alerts you when something changes the way your site behaves, along with when and how it changed.
One of the cool things about WordPress is that there are tons of third-party plugins to do all sorts of useful and fun things with your site. However, not all of them behave “responsibly.” Some are outright malicious (these are mostly filtered out by the WordPress.org plugin directory), but many others are poorly written and open up new security holes in your site. Sucuri also helps you find out whether plugins you have installed introduce any known vulnerabilities.
Sucuri also uses its SiteCheck scanner, which inspects your site from the outside (the way a visitor or a search engine sees it) to identify malware, and it incorporates information from blacklist engines that track malicious sites across the internet.
- Security activity auditing
- Remote malware scanning
- Blacklist monitoring for your site
- Effective security hardening recommendations for your site
- Post-hack security actions
- Security notifications
- Website firewall (premium feature)
If (unfortunately, but definitely possible) you do find that your site has been breached at some point, Sucuri will also walk you through cleaning up the site and hardening it against a repeat.
WordFence
WordFence is another very popular plugin for WordPress, and for good reason. WordFence is a free download (there is a premium version which is relatively inexpensive for one site, but the expense can rise if you have multiple sites).
It provides a firewall which identifies malicious requests and blocks them before they reach your site. WordFence also keeps an up-to-date database of known attackers and blocks them by IP. It can also block entire networks, or even entire countries, if you wish.
WordFence also has good tools (comparable to those used by financial institutions) that enforce strong passwords and protect against “brute-force” attacks. A brute-force attack simply tries as many password guesses against your login form as it can until one works. (A related offline technique uses rainbow tables, which are very large precomputed tables mapping password hashes back to the passwords that produced them; those matter when an attacker has already stolen your database of password hashes, and they are defeated by the per-password salted hashes WordPress stores rather than by anything a login plugin does. Password policy itself is a complex topic worth thinking about when you set password requirements.) Against online guessing, the effective controls are limiting the number of login attempts allowed per IP address or account and requiring “captchas,” those squiggly collections of letters and numbers some sites force you to type to prove you are not a machine.
Beyond this, WordFence also provides monitoring features and processes which regularly scan your site to identify if something is amiss.
- Web application firewall
- Threat defense feed – stays up to date with the most recent threats (more with premium)
- Multiple blocking features (ranging from individual users and IP addresses to entire countries)
- Two-factor logins
- Strong password enforcement
- Regular security scanning
- File change analysis
- Scans for known back doors
- Monitors all traffic, including real persons and bots
- Identifies 404 errors (a burst of 404s often means someone is probing for vulnerable files or plugins)
- Reverse DNS lookup
- Keeps track of disk space (a disk that fills unexpectedly can be a symptom of a DoS attack or rogue uploads)
- Multi-site security
- IPv6 compatibility
Loginizer
Loginizer is another popular security plugin, developed by Raj Kothari, which is really good at identifying and blocking bad login attempts. It stops brute-force attacks by blocking the attacker's IP address once a certain number of failed login attempts (a number you can set) has occurred. You also have the ability to blacklist or whitelist specific IP addresses. It's a simple, easy-to-use plugin that is very effective.
- Blocks IP addresses after maximum retries allowed
- Extended Lockout after maximum lockouts allowed
- Email notification to admin after max lockouts
- Blacklist & whitelist IP addresses
- Check logs of failed attempts
- Create & delete IP ranges
- MD5 Checksum of core WordPress files
- PasswordLess login and two-factor authentication
- Login challenge question
- reCAPTCHA on login screen, comments section, and registration form
- Rename login page and wp-admin url
- Disable and rename XML-RPC
- Change the admin username
- Disable pingbacks
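To make the brute-force discussion concrete (the WordFence paragraph above and Loginizer's lockout features), here is a small per-IP lockout tracker in Python. It is an added illustration written for this article, not code from either plugin: the thresholds, the class and function names and the attempt log are all assumptions, and the IP addresses come from the reserved documentation ranges. It shows the pieces a login guard needs: a retry budget inside a time window, a normal lockout, an extended lockout once lockouts repeat, and blacklist/whitelist ranges that override the counters.

```python
import ipaddress
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Thresholds are assumptions for illustration, not plugin defaults."""
    max_retries: int = 3             # failed attempts before an IP is locked out
    lockout_seconds: int = 900       # normal lockout length (15 minutes)
    max_lockouts: int = 2            # lockouts before the extended lockout kicks in
    extended_seconds: int = 86400    # extended lockout length (24 hours)
    reset_seconds: int = 3600        # failures/lockouts older than this are forgotten
    blacklist: Tuple[str, ...] = ()  # CIDR ranges that are always refused
    whitelist: Tuple[str, ...] = ()  # CIDR ranges that are never locked out


@dataclass
class IpState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    lockouts: int = 0                                    # lockouts inside the reset window
    last_lockout: float = 0.0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.state: Dict[str, IpState] = {}
        self._black = [ipaddress.ip_network(n) for n in policy.blacklist]
        self._white = [ipaddress.ip_network(n) for n in policy.whitelist]

    @staticmethod
    def _listed(ip: str, nets) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def check(self, ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Decide before the password is looked at; blacklist beats whitelist."""
        now = time.time() if now is None else now
        if self._listed(ip, self._black):
            return False, "blacklisted"
        if self._listed(ip, self._white):
            return True, "whitelisted"
        st = self.state.get(ip)
        if st is not None and now < st.locked_until:
            return False, "locked out"
        return True, "ok"

    def record_failure(self, ip: str, now: Optional[float] = None) -> str:
        """Count a failed login; lock the IP once its retry budget is spent."""
        now = time.time() if now is None else now
        if self._listed(ip, self._white):
            return "whitelisted"
        st = self.state.setdefault(ip, IpState())
        cutoff = now - self.policy.reset_seconds
        st.failures = [t for t in st.failures if t > cutoff] + [now]
        if st.last_lockout <= cutoff:
            st.lockouts = 0                   # old lockouts no longer count
        if len(st.failures) < self.policy.max_retries:
            return "failure"
        st.failures.clear()                   # budget spent: lock, escalate if repeated
        st.lockouts += 1
        st.last_lockout = now
        if st.lockouts >= self.policy.max_lockouts:
            st.locked_until = now + self.policy.extended_seconds
            return "extended lockout"
        st.locked_until = now + self.policy.lockout_seconds
        return "lockout"

    def record_success(self, ip: str) -> None:
        """A correct password clears the counter but not an active lockout."""
        st = self.state.get(ip)
        if st is not None:
            st.failures.clear()


def simulate(events, policy=None):
    """Replay (ip, password_correct, seconds_offset) events; return one verdict each."""
    guard = LoginGuard(policy or LockoutPolicy(blacklist=("198.51.100.0/24",), whitelist=("192.0.2.10/32",)))
    base = 1_700_000_000.0                    # fixed clock keeps the replay deterministic
    verdicts = []
    for ip, correct, offset in events:
        allowed, reason = guard.check(ip, base + offset)
        if not allowed:
            verdicts.append(reason)           # refused before the password is even checked
        elif correct:
            guard.record_success(ip)
            verdicts.append("success")
        else:
            verdicts.append(guard.record_failure(ip, base + offset))
    return verdicts


# Constructed attempt log using reserved documentation IP ranges, not real traffic.
SAMPLE_EVENTS = [
    ("203.0.113.5", False, 0), ("203.0.113.5", False, 1), ("203.0.113.5", False, 2),  # third guess trips the lockout
    ("203.0.113.5", True, 3),                                                         # right password, still locked out
    ("203.0.113.5", False, 905), ("203.0.113.5", False, 906), ("203.0.113.5", False, 907),  # second lockout: extended
    ("203.0.113.5", True, 1000),
    ("198.51.100.7", True, 0),                                                        # blacklisted range, refused outright
    ("192.0.2.10", False, 0), ("192.0.2.10", False, 1), ("192.0.2.10", False, 2), ("192.0.2.10", True, 3),  # whitelisted
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(f"{event[0]:>14} t+{event[2]:<5} {'good' if event[1] else 'bad '} -> {verdict}")
```

Run it directly to see the verdict for each attempt. Note that a correct password submitted during a lockout is still refused; that is deliberate, because the attacker's next guess may be the right one. On a real site the same counters live in the database or an object cache, keyed by the client IP after stripping any untrusted forwarded headers, since an attacker who controls X-Forwarded-For can otherwise dodge the lockout entirely.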
Another notable feature I love about this plugin is its ability to change WordPress's default login slug (URL) from wp-login.php to anything of your choice. For example, you could name it my-secret-login, so that /wp-login.php and /wp-admin no longer reach the login form. This is obscurity rather than a real access control (anyone who learns the new slug is back where they started), but it does cut down the automated brute-force noise aimed at the default URL, so pair it with lockouts and two-factor authentication rather than relying on it alone.
It also supports two-factor authentication (a one-time code required in addition to the password), a login challenge question (a secret question answered alongside the password; this is a second password rather than a second factor), PasswordLess login (which in my opinion is not only secure but improves the user experience of your site), and reCAPTCHA (a Google-maintained CAPTCHA system) on any login area.
All in all, this is a great plugin that can complement other security plugins to add an extra layer of security to your site.
iThemes Security
iThemes Security has a number of useful features. It tracks user activity and lets you know when a user has edited content or logged in and out of your WordPress website.
iThemes provides two-factor authentication, and monitors your file system to tell if someone has made changes without your authorization. iThemes will also run regular scans to let you know if your site has been infected with malware, and automatically send you an email with the details.
- Two-factor authentication
- WordPress salts & security keys
- Malware scan scheduling
- Password security & expiration
- Google reCAPTCHA for logins
- User action logging
- Import/export settings
- Online file comparison
- Temporary privilege escalation
- wp-cli Integration (command line security management)
One of iThemes' advantages over some of the other options listed is that if you have multiple sites, the license is considerably less expensive. This is something you might want to weigh over the fact that it provides fewer services. It is very popular and has a high level of user-satisfaction.
All In One Security & Firewall
This free plugin provides a fairly comprehensive suite of security tools for WordPress. It covers most of the areas where there may be security problems on your site.
User account security checks your accounts for the default “admin” username and duplicate display names, and enforces strong passwords. Brute-force attacks are protected against with the ability to block IP addresses, domains and so on, and CAPTCHAs can be added to both the login screen and the “forgot password” screen.
All In One adds a small amount of database security: it can change the standard wp_ table prefix to one of your choice (this is security by obscurity, which is fine as a first step but should not be relied upon), and it can back up your database on a schedule so that you can restore a known-good copy if the site is defaced or its data tampered with, saving you from doing this manually. Note that a backup does not undo a breach in which data was copied out, and none of this is what I would call “comprehensive” DB security.
All In One also has some nice features to keep your files secure, such as flagging bad file permissions and disabling the built-in theme and plugin file editor (the same effect as the DISALLOW_FILE_EDIT constant in wp-config.php). Leaving that editor enabled means anyone who gets hold of an administrator login can write arbitrary PHP into your site from the dashboard. It also contains a fairly comprehensive firewall and other useful features as well.
- User account security (identifies default logins, identical names, password strength tools)
- User login security (brute force attack protection, automatic account locking, force all users to logout, monitor failed login attempts, and more)
- User registration security (allow manual approval of accounts, CAPTCHA, and honeypots)
- Database security
- File system security
- .htaccess and wp-config backup and restore
- Blacklist functionality
Overall this is pretty good and not a bad starting place, as it will help you gain a good understanding of many of the security risks your site may face. I would also recommend complementing this plugin with Security Ninja, which I'll get to next.
Security Ninja
Security Ninja is an all-in-one plugin that provides most of what you'd need to assess your site. While a little more expensive than some of the other options (though not exorbitant even for a single site), it runs over 50 security tests, including a simulated brute-force attack against your user accounts, alongside checks for the security features mentioned under the other plugins.
Security Ninja also identifies possible security holes in your site so that you can fix them before they are exploited. Because it is regularly updated, its tests cover newly disclosed vulnerabilities (what the plugin calls “0-day exploit tests”; a zero-day is a vulnerability not yet known to, or fixed by, the vendor). It also analyses the underlying PHP/MySQL configuration and includes code snippets for the fixes it recommends.
- 50+ security tests that check for:
- brute-force attack on user accounts to test password strength
- numerous installation parameters tests
- file permissions
- version hiding
- 0-day exploits tests
- debug and auto-update modes tests
- database configuration tests
- Apache and PHP related tests
- WP options tests
- Does not make changes to your site (it reports; applying the fixes is up to you)
- Checks site for security vulnerabilities, issues, & holes
- Keeps out script-kiddies (by surfacing the easy findings their tools rely on)
- Tests for known zero-day exploit vectors
I strongly recommend Security Ninja if you are a coder, as it can protect well against future nightmares. This is essentially a professional kit. As it does not make changes to your site, you should understand what you are looking at. I find this to be an honest security tool. It does not give you any false sense of security, but will also help you understand the nature of the threats and can be a fantastic learning tool. If you can, I'd include this along with any other plugins listed above.
This, of course, is far from a comprehensive list. I have mostly included security platforms that are essentially security suites. You may use these separately or together (depending on compatibility). There are literally thousands of plugins available, some of which are excellent add-ons to the packages above.
IMPORTANT: Installing security plugins is only a piece of the puzzle when securing a WordPress site. Read more on improving your WordPress site's security.
While many of the features of these plugins run automatically, some things, such as monitoring, require your attention at least periodically. Make a checklist before setting up your site. Make sure you follow these procedures. It's a good idea to make it part of your daily tasks to look at your logs. This may feel like it's not necessary if you sense that your site has not been breached, but a little vigilance may protect you from the worst of what's out there.