For a variety of reasons, WordPress sites are targeted by hackers. This makes addressing security vulnerabilities a critical aspect of managing a WordPress website. WordPress attacks are not an isolated issue that only affects popular sites — you can’t avoid them simply by being a small, relatively unknown website. If your site runs on WordPress, it is safe to assume it will be targeted at some point. A compromised site could be an inconvenience, or it could be business-ending if it leads to a customer data leak.
To protect your site from being compromised, you should install (and correctly configure!) WordPress security plugins to cover the vulnerabilities your host doesn’t handle for you. If you’re not using a good Managed WordPress Host (like us), chances are good that your site needs a couple of extra security plugins to add WordPress-specific security defenses. Thankfully, there are a wide variety of excellent WordPress plugins available to help with everything from authentication to zipping and sending automated backups into the cloud.
In this post, we help you choose the best WordPress security solutions for your website by listing some of the most popular plugins. We provide a concise summary and categorize them by their primary function. You should combine plugins to create the types of protection you need.
To know what protection your site needs, ask your current host whether they provide:
- General defensive hardening for WordPress sites
- Daily, automated backups held for at least two weeks
- Firewall protection
- Two-factor authentication (2FA)
- Malware scanning
The plugins listed here are divided into categories so you can easily jump to the ones that interest you:
- All-in-one security plugins
- Malware scanning plugins
- Firewall plugins
- Two-factor authentication plugins
- Backup plugin solutions
- Miscellaneous security plugins
The plugins aren’t listed in any particular order (they aren’t ranked) but to make this list they had to:
- Have been updated recently (last couple of months)
- Have a good user rating (4 stars and up) in the WordPress directory
- Have a decent number of installations (100+)
All-in-one security plugins
All-in-one WordPress security solutions try to protect you from the full range of security threats by generally hardening your site’s defenses: patching common security vulnerabilities, protecting files, blocking brute force attempts, adding a firewall, and so on. If you just want the easiest, fastest solution for protecting your site, an all-in-one solution probably makes the most sense.
It is important to know that you’ll have to go through the configuration process for the plugin to be effective. You can’t just activate the plugin. All the plugins listed here have thorough documentation to guide you through the setup process.
iThemes Security
iThemes protects your site in more than 30 ways. The free version of the plugin checks many of the important security boxes like hiding your login URLs, file change detection, forced SSL, securing wp-admin, and more. The Pro version starts at $80 and adds Google reCAPTCHA integration, two-factor authentication, core file comparison, and other advanced security features for top-notch site protection.
WordPress directory rating: 4.7 out of 5
Free version available: Yes
Premium version starts at: $80
Website | WordPress directory | Documentation
WordFence
WordFence premium offers some interesting features, including a real-time IP blacklist (when an IP address attacks one site running WordFence, every other site running WordFence blocks that address), real-time website firewall rule updates, and malware signature updates. In addition, they offer an endpoint firewall that may offer more protection than the cloud firewalls offered by many solutions, because the traffic to and from your site remains encrypted throughout the process.
WordPress directory rating: 4.8 out of 5
Free version available: Yes
Premium version starts at: $99
Website | WordPress directory | Documentation
All In One WP Security & Firewall
This solution is great for someone with limited technical knowledge because it divides different security features into basic, intermediate, and advanced categories, then gives you an overall grade on how well-protected your site is. This plugin is unique because it is a completely free WordPress security plugin — it does not offer a paid version. WebNots has a great configuration and setup tutorial should you choose to go this route.
WordPress directory rating: 4.8 out of 5
Free version available: Yes
Premium version starts at: n/a
WordPress directory | Documentation
BulletProof Security
BulletProof offers a free version and a Pro version that includes additional security features for a one-time fee and lifetime updates (no recurring monthly or yearly charges). The Pro version offers important features like auto-restore, upload anti-exploit guard, php.ini security protection, and more.
WordPress directory rating: 4.8 out of 5
Free version available: Yes
Premium version starts at: $69.95
Website | WordPress directory | Documentation
Astra Web Security
Astra’s core features are a Web Application Firewall (WAF), malware removal, file upload scanning, and the general security hardening features you’d expect an all-in-one solution to have. If you’re an agency, Astra offers tools that make it easy to monitor and manage the security of the sites you’re responsible for. There is no free version of the plugin to install and try on your site, but monthly plans start at $9 a month.
WordPress directory rating: n/a
Free version available: No
Premium version starts at: $9/month
Security Ninja
Security Ninja offers a one-click, 50-point scan of your website. You can test the plugin for free, but to unlock all its features you’ll need the paid version, which starts at $29 for a year of updates and support. The Pro version includes a firewall, malware scanner, auto fixer, core scanner, and other tools you’d expect a comprehensive WordPress security solution to include.
WordPress directory rating: 4.3 out of 5
Free version available: Yes
Premium version starts at: $29/year
Website | WordPress directory | Docs
Jetpack
Jetpack is the Swiss Army knife of the WordPress world. One of the tools on that multifunction knife is security. If you’re already a Jetpack user, it makes sense to see if it offers the level of protection you need before adding yet another plugin to your WordPress app. Being built and maintained by Automattic lends Jetpack authority, but it is less robust than some of the other all-in-ones listed here in terms of the number of security enhancements it provides. Jetpack includes Downtime Monitoring, Plugin Updates, and Secure Sign-On in the free version, and Security Scanning, Backups, and Spam Protection in the paid version. The $9 a month paid version includes all security features as well as the many other WordPress enhancements Jetpack offers.
WordPress directory rating: 3.9 out of 5
Free version available: Yes
Premium version starts at: $9/month
Website | WordPress directory | Docs
Malware scanner plugins
A malware scanner protects your site from malicious code by checking your files for known malware and suspicious code. While many all-in-one plugins include malware scanners, you may want a standalone malware scanner if, for instance, you’ve taken care of general WordPress security and hardening of your defenses.
MalCare
A malicious code scanner that also helps you clean up any infected files. MalCare states that their scanner will not slow your website down because no load is placed on your server’s resources. Similar to WordFence, MalCare leverages its network of websites to create a smart firewall that is updated as new threats are identified. One year of MalCare protection starts at $99 for one site.
WordPress directory rating: 4.5 out of 5
Free version available: Yes
Premium version starts at: $99
Website | WordPress directory | Docs
Cerber Security, Antispam & Malware Scan
Cerber protects your site with a malware scanner, integrity checker, and file monitor that continuously check your site’s files for signs of a malicious code infection. This plugin also includes brute force protection and various anti-spam protections, and it logs suspicious activity, making it close to an all-in-one security solution.
WordPress directory rating: 4.9 out of 5
Free version available: Yes
Premium version starts at: $29/quarter
Website | WordPress directory | Docs
WordPress firewall plugins
WordPress firewalls are web application firewalls (WAFs) designed specifically for protecting WordPress by monitoring and controlling incoming and outgoing traffic. Basically, a firewall is a barrier that protects your WordPress website from potentially malicious traffic. When your firewall detects malicious traffic, it drops the connection.
BBQ: Block Bad Queries
BBQ claims to be the fastest WordPress firewall plugin available. It is fully customizable but needs zero configuration to launch. The paid version is powered by the 5G/6G blacklist and offers IP address whitelisting and advanced configuration and customization options.
WordPress directory rating: 5 out of 5
Free version available: Yes
Premium version starts at: $20
Website | WordPress directory | Docs
Sucuri
This cloud-based firewall uses application profiling, signatures and heuristics, and a correlation engine to keep unwanted traffic away from your site. Sucuri’s paid plans start at $199/year and offer additional protection and services, including malware and hack cleanup, blacklist monitoring, virtual patching, and a CDN for faster performance.
WordPress directory rating: 4.4 out of 5
Free version available: Yes
Premium version starts at: $199
Website | WordPress directory | Docs
Two-factor authentication (2FA) plugins
2FA plugins protect WordPress from unauthorized access by adding another layer of security to the login process. Rather than simply entering your username and password, you’re asked to enter a code sent to your email, phone, or an authentication app like Authenticator or Authy.
Google Authenticator 2FA plugin
The free version of this plugin offers 2FA for a single user. If you need protection for additional users, the cost is $5 for 2 users, $20 for up to 5 users, and $30 for up to 50 users. In spite of the name, this plugin is actually compatible with many 2FA solutions, not just Google Authenticator, including Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token, and Security Questions (KBA).
WordPress directory rating: 4.5 out of 5
Free version available: Yes
Premium version starts at: $5
Website | WordPress directory | Docs
UNLOQ
UNLOQ specializes in two-factor authentication. They realized that installing, configuring, and managing a 2FA solution can be daunting and overwhelming for many users, so they intentionally created a 2FA solution that is easy to set up and manage. Authentication codes can be delivered by push notification, time-based one-time password (provided by the UNLOQ mobile app), or email. UNLOQ is free for up to 100 users.
WordPress directory rating: 4.4 out of 5
Free version available: Yes
Premium version starts at: Free up to 100 users then $19/month for 101 – 200 users
Website | WordPress directory | Docs
Backup solutions
Having frequent, scheduled backups is an important part of risk mitigation. In the event of a security issue, you’ll need an uncompromised version of your website to restore to.
While these plugins make the process of creating and managing backups simple, Pagely customers do not need a backup solution because we handle that for you as part of our managed WordPress hosting solution.
UpDraftPlus
UpDraftPlus is a popular and highly regarded WordPress backup solution that can handle full and incremental backups of files and databases, automated backups prior to updates, and migrations. It is highly configurable, allowing you to send your backups to a number of remote locations including Google Drive, Dropbox, AWS, and more. The premium version gives you access to a variety of useful add-ons and is $70 for two sites ($45/year after the initial $70 fee).
WordPress directory rating: 4.8 out of 5
Free version available: Yes
Premium version starts at: $70/first year, $45/year after
Website | WordPress directory | Docs
Backup Buddy
Backup Buddy offers complete site backup, restore, and migration. It includes advanced features like database backup and rollback. The easy rollback feature is convenient if you ever make a small mistake and don’t want to go through the hassle of restoring from a complete backup. The premium version of Backup Buddy is $80 for 1 site. There is no free or trial version available in the WordPress directory, but this is a highly regarded solution worth evaluating.
WordPress directory rating: n/a
Free version available: No
Premium version starts at: $80
VaultPress (part of Jetpack)
Jetpack was already mentioned as an all-in-one security solution, but it also includes options for backing up your website. Like its security features, these backup features are straightforward and may be enough for many users, but they lack the advanced options and depth more specialized backup plugins offer.
WordPress directory rating: 3.9 out of 5
Free version available: Yes
Premium version starts at: $9/month
Website | WordPress directory | Docs
Miscellaneous security plugins
These are highly specialized plugins that offer unique security benefits but don’t fit neatly into other security categories.
Simple History
Simple History logs events that happen in WordPress, including changes to pages and posts, uploads, plugins installed or modified, comments, logins and failed attempts, and data exports and data erasure requests. Having a detailed log of this type of activity can help you untangle what happened in the event there’s unauthorized access to one of your WordPress accounts. Once you have a rough idea of what was modified and when, you can rewind the clock to undo those changes by restoring from a backup.
WordPress directory rating: n/a
Free version available: No
Premium version starts at: n/a (no premium version offered)
Fail2Ban
Fail2Ban offers protection from a very specific type of attack: brute force. A brute force attack is when combinations of usernames and passwords are tried, one after the other, until the right combination is found. Once authenticated, the attacker has whatever privileges and access that account provides. While using a strong password and avoiding the “admin” username will help prevent a successful brute force attack, another defense is to block access for bots and humans who keep trying combinations. That’s exactly what the Fail2Ban plugin does, and it does it very well. With 4.9 stars, it’s one of the highest-rated security plugins covered here.
WordPress directory rating: 4.8 out of 5
Free version available: Yes
Premium version starts at: $99
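As an added illustration of the detection logic a Fail2Ban-style jail applies to the brute force scenario above (this is example code written for this post, not the plugin’s own, and the log lines, their format, and the thresholds are constructed): failed logins are counted per source address in a sliding time window, and the address is banned once the count reaches the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one line per login attempt in the
# shape "<ISO timestamp> <host> wordpress: <message> from <ip>".
SAMPLE_LOG = """\
2024-03-01T10:00:00 web1 wordpress: Authentication failure for admin from 203.0.113.5
2024-03-01T10:00:03 web1 wordpress: Authentication failure for admin from 203.0.113.5
2024-03-01T10:00:05 web1 wordpress: Authentication failure for root from 203.0.113.5
2024-03-01T10:00:09 web1 wordpress: Authentication failure for admin from 203.0.113.5
2024-03-01T10:00:12 web1 wordpress: Authentication failure for editor from 203.0.113.5
2024-03-01T10:01:00 web1 wordpress: Authentication failure for alice from 198.51.100.7
2024-03-01T10:30:00 web1 wordpress: Authentication failure for alice from 198.51.100.7
2024-03-01T10:31:00 web1 wordpress: Accepted password for alice from 198.51.100.7
"""

# Only failure lines count toward a ban; successes and unrelated lines are ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ wordpress: Authentication failure for \S+ from (?P<ip>[\d.]+)$"
)


def find_bans(log_text, maxretry=5, findtime=600, bantime=3600):
    """Return {ip: ban_expiry} for addresses with >= maxretry failures within findtime seconds."""
    window = defaultdict(deque)  # ip -> timestamps of recent failures
    bans = {}
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.fromisoformat(m["ts"])
        if ip in bans and ts < bans[ip]:
            continue  # already banned; a real jail would have dropped this at the firewall
        q = window[ip]
        q.append(ts)
        # Forget failures older than findtime so only the sliding window is counted.
        while q and (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until.isoformat()}")
```

With the defaults, the first address reaches five failures in twelve seconds and is banned for an hour, while the second address's two failures are half an hour apart and never accumulate.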
Conclusion
WordPress website security is a critical responsibility for anyone managing a WordPress site. It is not something that can be ignored or put off. You have to address it, or it’s only a matter of time until your site is hacked or otherwise compromised.
If managing your own site’s security defenses is daunting or intimidating to you, you may want to seek out a Managed WordPress Hosting provider such as Pagely to handle security for you. We’ve specialized in WordPress hosting for over a decade and have a security team dedicated to proactively protecting your WordPress site from malicious activity.
Thanks for putting this together. Can you also recommend some good password protection plugins? I just want to protect my private content from users.