This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.
How do you avoid getting hacked? Our last article detailed forty techniques for securing your WordPress site. This follow-up post is a quick reference of the best plugins that look after your security needs.
We’ve focused on highly-rated plugins that cover a range of security features, rather than one-trick wonders. If your hosting provider doesn’t already have a comprehensive security solution, installing one of these would be a great first step in your security strategy.
Have we missed your favorite security plugin? Let us know in the comments.
1. Wordfence Security
- Cost: Free, Premium from $99/year
- Active installs: 2+ million
- Rating: 4.8 out of 5 stars (3,048 reviews)
Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing, real-time updates to the Threat Defense Feed, two-factor authentication, and we even check if your website IP address is being used to Spamvertize.
Wordfence includes these security features:
- Firewall. WAF with automatically updated firewall rules that block common WordPress security threats.
- Blocking features. Real-time blocking of known attackers and malicious networks and other security threats.
- Login security. Two-factor authentication, enforced strong passwords, and lockout of brute-force login attempts.
- Security scanning. Scans core files, themes and plugins for malware and backdoors, and checks for files that have been changed.
- Monitoring. Monitors traffic in real time including bots and reverse DNS, monitors for DNS changes and disk space.
2. All In One WP Security & Firewall
- Cost: Free
- Active installs: 500,000+
- Rating: 4.8 out of 5 stars (669 reviews)
A comprehensive, easy to use, stable and well supported security plugin… It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
All In One WP Security & Firewall includes these security features:
- User accounts security. Change the default admin username, check for user display names that are the same as usernames, password strength tool, stop user enumeration.
- User login security. Login lockdown (brute force protection), log out inactive users, view failed login attempts, whitelist IP addresses, see who’s logged in, CAPTCHA.
- User registration security. Enable manual approval, CAPTCHA, Honeypot.
- Database security. Change the default WP database table prefix, schedule automatic backups.
- File system security. Identify and fix insecure permissions, disable file editing from WP admin, monitor system logs.
- .htaccess and wp-config.php file backup and restore. Easily back up, restore and modify these important files.
- Blacklist functionality. Ban users based on IP address or range, or by specifying user agents.
- Firewall. Add firewall protection via .htaccess rules that stop malicious scripts.
- Brute force login and attack prevention. Cookie-based login prevention, CAPTCHA on login form, rename login form URL, Honeypot.
- Whois lookup. Get full details of a suspicious host.
- Security scanner. File change alerts, scan database tables for suspicious strings.
- Comment spam security. Block IP addresses of spammers, add CAPTCHA to comment form.
- Front-end text copy protection. Disables right click, text selection and the copy option.
3. iThemes Security
- Cost: Free, Pro: 2 sites $80/year, 10 sites $100/year, unlimited sites $150/year, Gold $297 lifetime.
- Previously called Better WP Security
- Active installs: 800,000+
- Rating: 4.7 out of 5 stars (3,812 reviews)
iThemes Security Pro takes the guesswork out of WordPress security. You shouldn’t have to be a security professional to use a security plugin, so iThemes Security Pro makes it easy to secure & protect your WordPress website.
The free version gives you some protection, but the Pro version includes these security features:
- Two-Factor Authentication. “Use a mobile app such as Google Authenticator or Authy to generate a code or have a generated code emailed to you.”
- WordPress Salts & Security Keys. “The iThemes Security plugin makes updating your WordPress keys and salts easy.”
- Malware Scan Scheduling. “Have your site scanned for malware automatically each day. If an issue is found, an email is sent with the details.”
- Password Security. “Generate strong passwords right from your profile screen.”
- Password Expiration. “Set a maximum password age and force users to choose a new password. You can also force all users to choose a new password immediately (if needed).”
- Google reCAPTCHA. “Protect your site against spammers.”
- User Action Logging. “Track when users edit content, login or logout.”
- Import/Export Settings. “Saves time setting up multiple WordPress sites.”
- Dashboard Widget. “Manage important tasks such as user banning and system scans right from the WordPress dashboard.”
- Online File Comparison. “When a file change is detected it will scan the origin of the files to determine if the change was malicious or not. Currently works only in WordPress core but plugins and themes are coming.”
- Temporary Privilege Escalation. “Give a contractor or someone else temporary admin or editor access to your site that will automatically reset itself.”
- wp-cli Integration. “Manage your site’s security from the command line.”
4. Sucuri Security
- Cost: Free, Basic $199/year, Pro $299/year, Business $499/year
- Active installs: 300,000+
- Rating: 4.6 out of 5 stars (260 reviews)
We keep your website safe and hack-free! The Sucuri Platform is a suite of tools designed for complete website security. With no additional cost or hidden fees, the Sucuri Platform is affordable, easy to deploy, and supported by a team of professionals at your disposal.
Sucuri forms part of the security solution of many quality hosting providers, including SiteGround. It’s a valuable tool for SiteGround to protect its clients’ sites from malware, because it scans every link that is accessible from the website homepage on a daily basis. It includes these security features:
- Clean and repair hacked websites. “Professional security incident response team available 24/7/365.”
- Attack and hack prevention. “A cloud-based WAF/IPS solution designed to stop hacks and attacks.”
- Continuous monitoring. “Continuous monitoring and alerting of any security-related issues.”
The free WordPress security plugin includes these features:
- Security Activity Audit Logging
- File Integrity Monitoring
- Remote Malware Scanning
- Blacklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
5. Jetpack, which now includes VaultPress
- Cost: Free, Personal ($39/year), Premium ($99/year), Professional ($299/year)
- Active installs: 3+ million
- Rating: 4.1 out of 5 stars (1,330 reviews)
Jetpack (by Automattic, who bring you WordPress) does more than just security. It basically brings the features of WordPress.com to the rest of us, which is appealing. For security and backup, the paid plans include VaultPress.
VaultPress is a real-time backup and security scanning service designed and built by Automattic, the same company that operates (and backs up!) millions of sites on WordPress.com.
VaultPress is now powered by Jetpack and effortlessly backs up every post, comment, media file, revision, and dashboard setting on your site to our servers. With VaultPress you’re protected against hackers, malware, accidental damage, and host outages.
VaultPress includes these security features:
- Backups. “Comprehensive daily or real-time automated backups stored in our offsite digital vault, optimized for WordPress and better than your host.”
- Restores. “Even during the most stressful moments we have your back. Restore your entire online presence quickly and easily without needing your host.”
- File scanning. “Automatically detect and eliminate viruses, malware, and other exploitable security problems that may be hiding in your website.”
- Automated file repair. “Fix detected viruses, malware, and other dangerous threats with a single click.”
- Spam defense. “Protect your SEO, readers, and brand reputation by automatically blocking all spammers.”
6. BulletProof Security
- Cost: Free, Pro $59.95 (one time purchase)
- Active installs: 100,000+
- Rating: 4.7 out of 5 stars (302 reviews)
BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000+ websites in 5+ years has been hacked.
100% hack free website guarantee. If your website is hacked after installing BPS Pro, we will clean up your hacked website for free. We can easily offer that awesome deal because your website will never be hacked if you have BPS Pro installed.
The free version includes these security features:
- One-Click setup wizard
- .htaccess website security protection (firewalls)
- Hidden plugin folders / files cron (HPF)
- Login security & monitoring
- Idle session logout (ISL)
- Auth cookie expiration (ACE)
- DB backup: full/partial, manual/scheduled, email/zip, cron delete old backups, logging
- DB table prefix changer
- Security logging
- HTTP error logging
The Pro version adds these features:
- AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
- Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
- Real-time file monitor (IDPS)
- DB Monitor Intrusion Detection System (IDS)
- DB diff tool: data comparison tool
- DB status & info
- Plugin firewall (IP Firewall): automated whitelisting & IP address updating in real time
- JTC anti-spam/anti-hacker
- Uploads folder anti-exploit guard (UAEG)
- Custom php.ini website security
- F-Lock: read only file locking
- Additional logging options
- S-Monitor: monitoring & alerting core
- Pro Tools: 16 mini-plugins
7. SecuPress
- Cost: Free, 1 site $57.60/year, 3 sites $144/year, 10 sites $288/year, unlimited sites $479/year
- Active installs: 5,000+
- Rating: 4.8 out of 5 stars (19 reviews)
Protect your WordPress with malware scans, block bots & suspicious IPs. Get a complete WordPress security toolkit for free or as a pro plugin.
If you are proactive, our free WordPress security plugin is a great choice! No time to activate weekly scans? Then SecuPress pro is the way to go. Our plugin takes care of everything with automated tasks.
SecuPress includes these features:
- Anti-brute-force login
- Blocked IPs
- Security alerts
- Malware scan (Pro)
- Block country by geolocation
- Protection of security keys
- Block visits from bad bots
- Vulnerable plugins & themes detection (Pro)
- Security reports in PDF format (Pro)
8. Security Ninja
- Cost: Single site $29 (1 year updates/support), multi site $79 (1 year updates/support), forever unlimited $199
- Active installs: 6,000+
- Rating: 5 out of 5 stars (6 reviews)
Security Ninja helps thousands to stay safe and prevent downtime due to security issues. 50+ tests will provide a comprehensive overview of your site’s security.
The free version lets you achieve the following:
- Perform 50+ security tests including brute-force attacks.
- Check your site for security vulnerabilities and holes.
- Take preventive measures against attacks.
- Prevent 0-day exploit attacks.
- Use included code snippets for quick fixes.
- Brute-force attack on user accounts to test password strength.
- Numerous installation parameters tests.
- File permissions.
- Version hiding.
- 0-day exploits tests.
- Debug and auto-update modes tests.
- Database configuration tests.
- Apache and PHP related tests.
- WP options tests.
You can get even more protection using these Pro modules:
- Core scanner. “Easily monitor the state of your WP core files. Have a clear view of files that are modified but shouldn’t be and restore them with a single click.”
- Malware scanner. “Powerful heuristic malware scanning algorithm will check all your themes, plugins, uploaded files and options table for suspicious content.”
- Auto fixer. “If you don’t like creating backups, editing files, messing with code and getting your hands dirty – Security Ninja PRO will do everything for you. Fix security issues with one click.”
- Events logger. “Monitor, track and log more than 50 events on the site in great detail. From user actions, to post edits and widget changes – Events Logger sees everything.”
- Scheduled scanner. “Have Security Ninja do automatic, periodic scans of your sites, including scans of core files. If there are any changes you’ll be notified via email.”