22 Best WordPress Security Plugins to Help You Sleep Tight
Do I really need to use WordPress Security Plugins?
WordPress is the most popular content management system (CMS) worldwide. At least one out of every four websites is built with WordPress.
WordPress (WP) was originally meant to be the perfect option for bloggers, and because so many developers and contributors worked hard to create themes and plugins for it, it has become the best choice for anyone who wants to launch a website.
WordPress is so well known that most web hosting providers have special plans for hosting WordPress. They have optimized their servers for the huge number of clients who want to run a WP website.
One of the reasons WordPress is such a popular CMS is the customization you can do with it. Depending on your needs, you can find thousands of plugins to add to your WordPress website.
Although it is a famous and popular platform for running any kind of website, it has its own pros and cons. Being able to choose between thousands of plugins and themes is a big plus, but being well known to both site owners and hackers is a big worry for anyone running a WordPress website or blog. DDoS attacks are still a common way of targeting websites.
There are some basic steps you should follow to strengthen the security of your WordPress website: using the latest version of the WordPress core, plugins and theme, and getting plugins and themes from wordpress.org or the associated developer’s website.
Working with a secure web host that provides some basic protection is always wise. In addition, scanning the website and its uploaded files with the latest antivirus software can help you make sure that all hosted files are safe. This is not the end; you also need to take further action.
Fortunately there are hundreds of plugins that can give you confidence in the security level of WP with no need for any prior knowledge of PHP, MySQL or WordPress coding.
In this article we introduce the most powerful security plugins to help you enhance the security of your WordPress site.
Top WordPress Security Plugins
1. iThemes Security plugin (formerly Better WP Security)
The iThemes Security plugin lets you secure your WordPress website in a few minutes with no prior security knowledge. There are more than 30 options, and enabling them doesn’t need any coding. Just a few clicks!
Some of the features iThemes Security offers in real time:
- Two-Factor Authentication (2FA): adds another verification step to the conventional username and password. It supports several authentication methods, including Authy and Google Authenticator.
- Banning Users: certain users are denied access to the website.
- Network Brute Force Protection: the iThemes Security community has more than 1 million websites. Trying to access and misuse any of these websites results in an instant ban from all the other sites in the network.
- File Change Detection: all changes made to your website are monitored and logged by iThemes Security, so you can easily track the changes and prevent unwanted ones.
In addition to what we’ve already mentioned, the iThemes Security plugin can change User ID 1, change the database prefix, check file permissions and so on. The premium version has online file comparison to compare core WordPress files with the originals to detect malicious or unwanted changes. It can also require reCAPTCHA on your WordPress user registration, password reset, login and comment forms.
2. Wordfence Security – Firewall & Malware Scan
This is one of the most popular WordPress security plugins, with more than 4 million active installations. It has an endpoint firewall and a malware scanner to keep your WordPress website safe and secure.
The free scanning tool scans all WP core files, plugins and themes to make sure they are safe and virus-free. It also checks the content of posts and comments for suspicious code and spam.
The scanning process is automated, so you don’t need to worry about scanning your website regularly.
The main features of the Wordfence Security plugin are:
- Malware scanner
- Comparison of WordPress core files, themes and plugins against the WordPress.org repository
- Two-factor authentication (2FA)
- Login Page CAPTCHA
- Free website firewall
- Block attackers by IP range (Country blocking available with Wordfence Premium)
3. Sucuri Security – Auditing, Malware Scanner and Security Hardening
One main feature of the Sucuri Security plugin is inspecting your WordPress installation and searching for modifications to the core files as distributed by WordPress.org. The root directory, wp-admin and wp-includes are compared with the officially distributed files, and you get an alert in case of any mismatch. This is an important step against suspicious activity.
The Sucuri plugin has a powerful firewall for WordPress websites. You’ll need to add your firewall API key to benefit from the firewall API service.
Sucuri premium services include DDoS protection, signature detection, a CDN and bot blocking.
4. Hide My WP Ghost – Security Plugin
A comprehensive plugin to hide your WordPress website from attackers. It hides almost every aspect of your WordPress installation and makes it much harder for hackers to penetrate your site. It also gives you the option to hide your plugins and themes.
Hide My WP Ghost helps prevent script and SQL injection, brute force attacks, XML-RPC attacks and more.
This plugin hides everything virtually; nothing is changed physically, so you don’t have to worry about issues after disabling or deleting it. All changes are made automatically through redirects. It can hide all common paths.
The good news is that you can use Hide My WP Ghost alongside other WordPress security plugins. It is compatible with WP Multisite, Apache, LiteSpeed Cache, Nginx and IIS, All In One SEO, Yoast SEO, Rank Math, Squirrly SEO, WP Rocket, Minify HTML, iThemes Security, Sucuri Security and many other plugins.
Some of the FREE features of Hide My WP Ghost:
- Hiding the WordPress wp-admin and wp-login.php URLs and redirecting them to a 404 page or a custom page
- Changing the wp-admin and wp-login URLs
- Changing lost password URL
- Changing register URL
- Changing wp-content URL
- Changing plugins name URL
- Changing themes name URL
- Hiding wp-admin Path
- Hiding wp-login Path
- Hiding login Path
The premium version offers many more options to ensure the security of your WordPress site. A few features might not work on some servers, but most of them run well everywhere. It is certainly worth trying this WordPress security plugin.
5. All In One WP Security & Firewall
The dashboard of All In One WP Security shows a summary of the website’s security, a security strength meter and a security points breakdown.
WP Security allows you to lock down login attempts, set the maximum number of login attempts and set a retry time period. You can set how long a particular IP address is prevented from logging in, and set a custom error message for failed login attempts. Moreover, the administrator is informed when someone has been locked out due to too many failed login attempts.
WP Security lets the WordPress administrator manually approve new registrations. With WP Security the admin can also generate a new database table prefix (instead of the default wp_).
All In One WP Security & Firewall scans the file permissions of WordPress directories and lets the admin set the recommended permissions with one click.
Banning selected IP addresses and/or user agents is another feature of this security plugin.
Main features of All In One WP Security’s Firewall:
- Protects your .htaccess file by denying access to it
- Disables the server signature
- Limits maximum file upload size
- Protects your wp-config.php file by denying access to it
- Enables 6G Firewall Protection
- Enables legacy 5G Firewall Protection
- Blocks Fake Googlebots
- Enables 404 IP Detection and Lockout
With WP Security the admin can rename the login page and enable a CAPTCHA on it. Spam comment prevention and manual file change detection are other parts of this plugin.
6. Jetpack
Jetpack is one of the most professional and popular WordPress plugins, and it is highly multifunctional. It can help you with backup, restore and migration of WordPress to a new host. Moreover, Jetpack speeds up your website and drives more traffic to it through optimization. Another good feature of this plugin is security.
Automatic malware and security scanning along with spam comment blocking are what most administrators are looking for these days. Brute force attack protection, downtime monitoring with alert notifications for the webmaster, and 2FA (two-factor authentication) work together to assure the webmaster that everything is under control.
7. Titan Anti-spam & Security
Titan Anti-spam & Security is a fairly popular security plugin and it offers many options, but most of the features are only available to paid members.
With its anti-spam you can save comments for further review. It has a manual malware scan (scheduled scans are available to paid members), forces users to use strong passwords instead of weak ones, and hides the WordPress version from visitors. A firewall with limited functionality is also a main free feature of the Titan Anti-spam & Security plugin.
Actually there are many other WordPress security plugins out there that provide plenty of options without any need to pay.
8. BulletProof Security
The setup wizard walks you through all the steps to set up this security plugin properly, and further settings are available under the following items:
- .htaccess File Options
- Malware Scanner (MScan)
- Login Security
- Database Backup Options
.htaccess website security protection lets you back up and restore the BulletProof root, wp-admin and .htaccess folders.
Using the BulletProof Security plugin, you can hide the plugins folder easily. Maximum login attempts, automatic lockout time, forcing members to use strong passwords, and defining a minimum password length increase the security of the WordPress installation.
With the BulletProof plugin, the admin can make full, partial, manual or scheduled database backups.
9. Security Ninja – Secure Firewall & Secure Malware Scanner
Test your website security with one click and fix all vulnerabilities easily. Some of the tests this plugin performs to make sure the WordPress installation is safe and protected are:
- Check if WordPress core is up to date
- Check if full WordPress version info is revealed in the page’s meta data
- Check if database table prefix is the default one (wp_)
- Check if user with username “admin” exists
- Check if wp-config.php file has the right permissions (chmod) set
- Check if PHP safe mode is disabled
- Check if admin interface is delivered via SSL
- Check if MySQL account used by WordPress has too many permissions
- Check for unwanted files in your root folder you should remove
The paid version of Security Ninja claims to have a firewall with about 600 million IPs known for distributing malware, performing brute force attacks on sites and other “bad” activities.
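To make the Security Ninja checklist above concrete, here is an added audit script (not Security Ninja’s own code) that runs five of those checks offline against a constructed wp-config.php fragment, page head, user list and root directory listing; the list of unwanted root files and the permission rule are assumptions.

```python
"""Offline versions of some Security Ninja-style checks (added example)."""
import re
import stat

# Constructed inputs, not taken from any real site
SAMPLE_WP_CONFIG = "<?php\ndefine( 'DB_NAME', 'example_db' );\n$table_prefix = 'wp_';\n"
SAMPLE_HEAD = '<head><meta name="generator" content="WordPress 6.4.2" /></head>'
SAMPLE_USERS = ["admin", "editor_jane"]
SAMPLE_ROOT_LISTING = ["index.php", "wp-config.php", "readme.html", "wp-config-sample.php"]

# Assumption: files that should not remain in a production document root
UNWANTED_ROOT_FILES = {"readme.html", "license.txt", "wp-config-sample.php", "error_log"}


def table_prefix(config_text):
    """Extract $table_prefix from wp-config.php text; None if not found."""
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]+)['\"]", config_text)
    return m.group(1) if m else None


def revealed_version(head_html):
    """Version string leaked through the generator meta tag, or None."""
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"',
                  head_html, re.I)
    return m.group(1) if m else None


def config_readable_by_others(mode):
    """True when wp-config.php is world-readable (e.g. 0644); 0600/0640 pass."""
    return bool(stat.S_IMODE(mode) & stat.S_IROTH)


def run_audit(config_text, head_html, usernames, root_listing, config_mode):
    """Return a list of human-readable findings; empty means all checks passed."""
    findings = []
    if table_prefix(config_text) == "wp_":
        findings.append("database table prefix is the default wp_")
    version = revealed_version(head_html)
    if version:
        findings.append(f"WordPress version {version} revealed in generator meta tag")
    if any(u.lower() == "admin" for u in usernames):
        findings.append('user "admin" exists')
    if config_readable_by_others(config_mode):
        findings.append("wp-config.php is world-readable")
    leftovers = sorted(set(root_listing) & UNWANTED_ROOT_FILES)
    if leftovers:
        findings.append("unwanted files in root: " + ", ".join(leftovers))
    return findings


if __name__ == "__main__":
    for line in run_audit(SAMPLE_WP_CONFIG, SAMPLE_HEAD, SAMPLE_USERS,
                          SAMPLE_ROOT_LISTING, 0o644):
        print("FAIL:", line)
```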
10. WP Cerber Security, Anti-spam & Malware Scan
WP Cerber Security protects WordPress from hackers, spam, trojans and malware. Brute force attacks are mitigated by limiting the number of login attempts, XML-RPC / REST API requests, or login cookies. It gives you options to:
- Limit login attempts
- Block an IP address for a specified amount of time
- Not reveal non-existing usernames and emails in the failed login attempt message
- Use a custom login URL
- Immediately block an IP when it attempts to log in with a non-existing username
- Disable automatic redirection to the login page when /wp-admin/ is requested
- Immediately block an IP after any request to wp-login.php
- Live traffic inspector
- Protect comment form with bot detection engine
- Protect registration form with bot detection engine
- Protect all forums on the website with bot detection engine
11. WP Hide
WP Hide virtually hides (without making any real physical change) your WordPress core files, login page, theme and plugin paths, and changes wp-admin and wp-login.php to something random to protect your website against unauthorized access. Some main features are:
- Block/change default admin URL
- Block/change wp-login.php
- Block XML-RPC API and make a new path for it
- Change theme name/URL
- Block/customize wp-includes and wp-content paths
- Block/custom plugin path
This plugin requires clearing all files previously cached by caching plugins or a CDN.
12. WPS Hide Login
WPS Hide Login is a very light, simple and easy-to-use plugin for changing the URLs of important WordPress paths and the login URL. You only need to install it; then go to Settings -> General, and at the bottom of that page you will see the WPS Hide Login options. When someone tries to access the wp-login.php page or the wp-admin directory, WPS Hide Login can change those paths and define a new page to redirect the visitor to.
The configuration of this plugin ends here; you do not need to do anything else.
13. SiteGround Security
SiteGround Security is a powerful yet simple plugin to defend any WordPress website or blog. It consists of two main sections, Site Security and Login Security. Configuring this plugin is really easy and can be done quickly without any confusion.
Site Security Options:
- Lock and Protect System Folders
- Hide WordPress Version
- Disable Themes & Plugins Editor
- Disable XML-RPC
- Force HTTP Strict-Transport-Security (HSTS)
- Disable RSS and ATOM Feeds
- Advanced XSS Protection
- Delete the Default Readme.html
Login Security Options:
- Custom Login URL
- Limiting access to specific IPs or IP ranges to prevent brute-force attacks or malicious login attempts
- Two-factor Authentication for Admin & Editor users
- Disabling Common Usernames
- Limiting Login Attempts
14. MalCare Security – Free Malware Scanner, Protection & Security for WordPress
This plugin differs from the previously discussed WordPress plugins in that its main function is helping website owners after they have been attacked.
MalCare detects and removes malware automatically with one click and with zero effect on your website’s speed. This WP security plugin monitors your website constantly, and if the website goes down the administrator receives a notification.
To use the MalCare plugin, you must enter a valid email address. It automatically connects your site to the appropriate servers and redirects you to the MalCare dashboard (a remote website).
Some characteristics of MalCare are:
- Real-time Firewall blocks hackers.
- Login Protection stops brute-force attacks.
- Daily Automatic Malware Scan finds complex malware.
- Deep learning scan
- Public File Matching
- Change Detection
- Deep Database Scan
- Vulnerability monitoring
All these features are free, but if you need automatic and unlimited post-hack cleanups, you should upgrade your plan and become a paid member.
15. Anti-Malware Security and Brute-Force Firewall
Anti-Malware is totally free and useful. It is recommended that this security plugin be installed on every WordPress website. It scans the httpdocs, wp-content and plugins folders completely. It can track potential threats, but to use it to the fullest you need to get a key by registering. After registration it starts downloading definitions of new threats (by calling GOTMLS.NET) and looks for database injections, .htaccess threats, TimThumb exploits, known threats and core file changes.
You can always update your malware definitions manually, but if you want automatic definition updates you’ll need to make a $29 donation.
The firewall features are:
- Revolution Slider Exploit Protection
- Directory Traversal Protection
- Upload PHP File Protection
- REST users API protection (prevents attackers from discovering user data without credentials)
- Brute-force protection (only available to those who have donated)
16. WP fail2ban – Advanced Security Plugin
This plugin has some good features, but we recommend using it only if the previous options didn’t fit your needs. It seems harder to configure than the other plugins mentioned. Some of the features of WP fail2ban, according to the developers, are:
- Blocking username logins
- Stopping bots that try to log in to your website without a username
- Working fine with Cloudflare and proxy servers
- Logging comments, failed pingbacks, pingbacks, and comments marked as spam
17. SecuPress Free — WordPress Security
Defends WP against malware, bots and suspicious IP addresses, manually, for free. If you need automated scans, you need SecuPress Pro. It scans for more than 30 issues, but for fixing them it tells you: “The Pro Version is required to autofix issues.”
SecuPress Free protects WordPress website with the following methods:
- Limits the number of bad login attempts and bans login attempts with non-existing usernames
- Secures WordPress Endpoints and APIs by blocking bad requests for XML-RPC or REST API
- Firewall to block malicious requests
- Malware scan for FTP files and uploaded files
- Backs up your WordPress installation (not the best backup option; there are many excellent backup plugins)
- Alerts you if something goes wrong with your website
18. Loginizer
A comprehensive security plugin to protect a WordPress website against unauthorized, suspicious and bad login attempts.
Loginizer is a good fighter against brute-force attacks because it can block an IP address from accessing the website after a certain number of login attempts have been made. Member login can be strengthened with two-factor authentication to make sure that only the real owner of each account has access to the site.
By default, after 3 failed attempts to access any account, Loginizer bans that IP address from accessing the website for 15 minutes, and if more attempts are made, that IP address is banned for 24 hours. These default values can be changed by the admin.
For better control of allowed and blocked IP addresses on your website, Loginizer keeps separate blacklists and whitelists of IPs.
Using Google’s reCAPTCHA for login, commenting and registration, as well as changing the login and wp-admin URLs, are other possibilities that the Loginizer WordPress security plugin offers.
19. BBQ Firewall
Are you tired of configuring WordPress security plugins? If so, BBQ Firewall is the solution for you. After installing it, you’re done: there is no further customization to do, and in fact no configuration at all. The plugin automatically does everything needed to protect your website.
BBQ checks all visitors and blocks any request containing suspicious code such as base64 strings or excessively long request strings. The main threats BBQ Firewall can defend your website from are:
- SQL injection attacks
- Unsafe character requests
- PHP remote/file execution
- Bad bots, bad referrers and bad requests
In addition to the features BBQ offers for free, there is another option for users who need more security. It:
- Can disable BBQ for logged-in users
- Scans the Request URI
- Scans the Query String
- Scans the User Agent, IP Address and Referrer
- Blocks SQL injection attacks, file uploads and traversal attacks
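The request inspection described for BBQ above, as an added example rather than BBQ’s own code: it decodes the Request URI, query string and referrer, applies a small rule set (traversal, base64 blobs, over-long strings, SQL injection, remote .php inclusion, unsafe control characters) and checks the User-Agent; the length limit, the patterns and the denylist entry are assumptions.

```python
"""Minimal BBQ-style request filter (added example, not BBQ's code)."""
import re
from urllib.parse import unquote_plus

MAX_REQUEST_LENGTH = 2000              # assumption; BBQ's own limit is not on the page
BAD_USER_AGENTS = ("badbot-example",)  # constructed denylist entry

# (reason, pattern) pairs run against the URL-decoded, lower-cased text
RULES = [
    ("directory traversal", re.compile(r"\.\./|\.\.\\")),
    ("base64 payload", re.compile(r"base64_decode|base64,|[a-z0-9+/]{120,}={0,2}")),
    ("sql injection", re.compile(r"\bunion\b.{0,40}\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(")),
    ("remote php file inclusion", re.compile(r"=(?:https?|ftp)://[^&\s]+\.php")),
    ("unsafe characters", re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")),
]


def _decode(text):
    # decode %xx and '+' until stable so double-encoded payloads are seen too
    prev = None
    while prev != text:
        prev, text = text, unquote_plus(text)
    return text.lower()


def inspect_request(uri, query, user_agent, referrer):
    """Return the reasons to block this request; an empty list means let it through."""
    reasons = []
    for part, value in (("uri", uri), ("query", query), ("referrer", referrer)):
        if len(value) > MAX_REQUEST_LENGTH:
            reasons.append(part + ": excessively long request string")
        decoded = _decode(value)
        for reason, pattern in RULES:
            if pattern.search(decoded):
                reasons.append(part + ": " + reason)
    ua = user_agent.strip().lower()
    if not ua:
        reasons.append("user-agent: empty")
    elif any(bad in ua for bad in BAD_USER_AGENTS):
        reasons.append("user-agent: listed bad bot")
    return reasons


def is_blocked(uri, query="", user_agent="Mozilla/5.0", referrer="", logged_in=False):
    # the "disable for logged-in users" option from the list above, modelled as a flag
    if logged_in:
        return False
    return bool(inspect_request(uri, query, user_agent, referrer))
```

Signature rules like these are coarse: a search for “union station select” would be caught by the SQL rule too, which is why BBQ offers the logged-in bypass.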
20. Website File Changes Monitor
Keep up to date with all changes made to your WordPress files using this plugin. After installation it scans all your files and informs you if any changes are made. Website File Changes Monitor checks all WP directories to detect changes. The included folders are:
- WordPress core files
- Themes directory
- Plugins directory
- Uploads directory
- /core/ directory
You can also set the maximum file size to be scanned for changes. For example, if you set this value to 10 MB, only files smaller than 10 MB are scanned for changes.
If there are files or folders you don’t want checked regularly for changes, you can exclude them from scanning. Certain file types can be excluded as well, to speed up the process.
The administrator can set a threshold for being informed about changes. The default value is 10, meaning you get an email if 10 files are changed.
By default, WordPress allows any user to attempt to log in as many times as they want, which can lead to security issues, since bots can find usernames and passwords this way. This plugin blocks certain users or IPs after they reach a number of failed attempts. It is an important step in protecting the site against brute-force attacks.
The admin can whitelist IPs or usernames so they keep access even after reaching the limit.
22. SiteGuard WP Plugin
Improving the security of WordPress can be achieved with plugins, and the SiteGuard WP Plugin is one of them. It offers many options for protecting websites. Its main parts are:
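A file change monitor with the options just described (scan root, maximum file size, excluded folders and extensions, alert threshold), added here as an example and not the code of Website File Changes Monitor or any other plugin. The same baseline-and-compare step is what the iThemes and Sucuri file change checks earlier in this article do against known-good hashes; the demo tree it builds in a temporary directory is constructed.

```python
"""Hash-based file change monitor (added example)."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

@dataclass
class ScanConfig:
    max_size_bytes: int = 10 * 1024 * 1024          # the "10 MB" example in the text
    exclude_dirs: set = field(default_factory=set)  # relative folders, e.g. {"wp-content/cache"}
    exclude_exts: set = field(default_factory=set)  # e.g. {".log"}
    alert_threshold: int = 10                       # default mentioned in the text

def snapshot(root, cfg=ScanConfig()):
    """Map relative path -> sha256 for every file that passes the filters."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir + "/"
        # prune excluded folders so os.walk never descends into them
        dirnames[:] = [d for d in dirnames if rel_dir + d not in cfg.exclude_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.splitext(name)[1].lower() in cfg.exclude_exts:
                continue
            if os.path.getsize(full) >= cfg.max_size_bytes:
                continue  # "only files lower than 10 MB will be scanned"
            with open(full, "rb") as f:
                result[rel_dir + name] = hashlib.sha256(f.read()).hexdigest()
    return result

def compare(baseline, current):
    """Return (added, modified, deleted) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    deleted = sorted(p for p in baseline if p not in current)
    return added, modified, deleted

def should_alert(diff, cfg=ScanConfig()):
    # e-mail the admin once the number of changed files reaches the threshold
    return sum(len(part) for part in diff) >= cfg.alert_threshold

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def run_demo():
    """Constructed site tree: take a baseline, then edit, add and delete one file each."""
    root = tempfile.mkdtemp()
    cfg = ScanConfig(max_size_bytes=1024, exclude_dirs={"wp-content/cache"},
                     exclude_exts={".log"}, alert_threshold=2)
    _write(root, "index.php", b"<?php // front controller")
    _write(root, "wp-includes/version.php", b"<?php $wp_version = '6.4.2';")
    _write(root, "wp-content/cache/page.html", b"cached copy in an excluded folder")
    _write(root, "debug.log", b"excluded extension")
    _write(root, "big.bin", b"\0" * 4096)            # over max_size_bytes, skipped
    baseline = snapshot(root, cfg)
    _write(root, "wp-includes/version.php", b"<?php $wp_version = '6.4.3';")
    _write(root, "wp-content/uploads/new.php", b"<?php // unexpected new file")
    os.remove(os.path.join(root, "index.php"))
    diff = compare(baseline, snapshot(root, cfg))
    return sorted(baseline), diff, should_alert(diff, cfg)
```

Store the baseline outside the web root (or in the database, as the plugins do), otherwise an attacker who can write files can also rewrite the hashes.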
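The lockout bookkeeping behind this section and the Loginizer section above, as an added example (not Loginizer’s or any plugin’s code): 3 failed attempts from an IP earn a 15-minute ban, further attempts a 24-hour ban, and whitelisted IPs are never locked out while blacklisted ones are always refused. The clock is passed in as a number of seconds so the behaviour can be reproduced offline; escalating straight to the 24-hour ban when an IP keeps trying during an active lockout is my assumption.

```python
"""Escalating login lockout with IP allow/deny lists (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_RETRIES = 3               # failed attempts allowed before the first lockout
LOCKOUT_SECONDS = 15 * 60     # first lockout, as in the Loginizer defaults above
EXTENDED_SECONDS = 24 * 3600  # every later lockout

@dataclass
class _IpState:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0

@dataclass
class LoginGuard:
    whitelist: list = field(default_factory=list)  # CIDR strings never locked out
    blacklist: list = field(default_factory=list)  # CIDR strings always refused
    _ips: dict = field(default_factory=dict)

    @staticmethod
    def _listed(ip, nets):
        addr = ip_address(ip)
        return any(addr in ip_network(n, strict=False) for n in nets)

    def is_allowed(self, ip, now):
        """May this IP even reach the login form at time `now` (seconds)?"""
        if self._listed(ip, self.blacklist):
            return False
        if self._listed(ip, self.whitelist):
            return True
        st = self._ips.get(ip)
        return st is None or now >= st.locked_until

    def record_failure(self, ip, now):
        """Call after a wrong password; returns the ban length just imposed, 0 if none."""
        if self._listed(ip, self.whitelist):
            return 0
        st = self._ips.setdefault(ip, _IpState())
        if now < st.locked_until:
            # assumption: an attempt that ignores an active ban escalates to 24 hours
            st.lockouts += 1
            st.locked_until = now + EXTENDED_SECONDS
            return EXTENDED_SECONDS
        st.failures += 1
        if st.failures < MAX_RETRIES:
            return 0
        # third failure: the first ban is 15 minutes, any later one 24 hours
        st.failures = 0
        duration = LOCKOUT_SECONDS if st.lockouts == 0 else EXTENDED_SECONDS
        st.lockouts += 1
        st.locked_until = now + duration
        return duration

    def record_success(self, ip):
        """A correct login clears the counters for that IP."""
        self._ips.pop(ip, None)
```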
- Option to change and define a new login path
- Using CAPTCHA for login, comment, lost password and registration pages
- Setting a threshold for the maximum number of login attempts and an interval before access to the login page is re-allowed
- Sending the admin a message containing the username and IP address of a suspicious user
- Disabling Pingback/XML-RPC