We have good news and bad news for you.
First, the bad news: because WordPress is one of the most popular content management systems in use, there’s a lot of people trying to exploit WordPress sites. After all, many people don’t take security too seriously. If you can figure out how to exploit one site, you can probably use those very techniques to exploit other sites as well.
But, don’t worry (much), because we have good news: there are tons of plugins you can use to help secure your website. There are so many, as a matter of fact, that it can be overwhelming to choose the option that is best for you.
We want to make it as easy as possible for you to keep your WordPress site safe. So, if you are overwhelmed by the number of plugins available, read on. In this article, we will cover the best WordPress security plugins as of 2019.
In This Article 🖐️
- Why You Need to Use WordPress Security Plugins
- Do a WordPress Security Plan
- The Best WordPress Security Plugins (Premium and Free)
- Best Practices (Before Installing WordPress Security Plugins)
- Using VPNs to Secure Your Session
- Wrapping Up
Why You Need to Use WordPress Security Plugins 🤷
We’ve mentioned before that most people don’t take website security too seriously. If that’s you, here’s why that’s a very bad thing: at any given time, about 18.5 million websites on the internet are affected by malware, with the average website attacked over 40 times per day.📈 18.5 million websites on the internet are affected by malware, with the average website attacked over 40 times per day. #WordPress Click To Tweet
Getting a website online requires a fairly hefty investment of resources, and we think it wise to protect that investment to the best of your ability. After all, you insure your car, house, or business, and you might consider the use of a security system that includes cameras and alarms.
We don’t think that your website should be treated any differently. After all, if your website gets attacked, some of the problems you might encounter include:
- The inability to visit your website (if the hackers take it down), which users will find highly frustrating and can damage your brand (as a matter of fact, downtime is so problematic that we wrote 10 Highly Effective Website Monitoring Tools and Services for WordPress (Free & Paid) to help you find tools to let you know that this happens immediately)
- Loss of access to your website, if the attacker chooses to change the credentials used to log in, so that you are no longer in control
- Loss of your data, if the attacker chooses to delete anything
- Theft of private information pertaining to either you or your users -- this is especially problematic if you have an e-commerce site and have access to information like addresses and credit card information
- Use of your website to distribute malicious code to people who visit your site; though many browsers should detect and block such sites, your site behaving like this will damage your site reputation
Given the risks of a breached WordPress site, what should you do? Start with learning! WPblog has a great article on 30 Proven Tips to Secure your WordPress Website in 2019.
WordPress comes built-in with some basic security features, but you will definitely want to improve this.
You can manually secure your WordPress site, but this is a fairly lengthy, labor-intensive process. That’s why we recommend using WordPress security plugins. Not only does this ease your workload somewhat, but you’ll also get additional features that are highly useful, such as:
- File scanning
- Site monitoring
- Malware detection
- Blacklist monitoring
- Protection against brute force, DDoS, and other attacks
- Notifications if there any security issues arise
Free Security eBook
The 21-Step Checklist to
Ensure a 99.9% Secure WordPress Website
Do a WordPress Security Scan 💥
Do you think that your WordPress site has been compromised already? Or do you have no idea as to what’s going on with your website right now?
One way to get the lay of the land, so to speak, is to perform a WordPress security scan. There are several reasons why this is a good thing to do before you do anything else.🔑 Performing a site security scan is an essential step in establishing a security protocol for your #WordPress site. Duh, right? Click To Tweet
First, you’ll know what, if any, security problems your website has. There are overt issues, such as your site being offline, but the security scan should shed light on whether you have any covert ones.
Second, you’ll know what you need to do. Chances are, you have some security precautions in place, and running a comprehensive scan should provide you information on:
- What you have done
- What you need to do
Ninja Scanner is a good option for a security scanner. Since 2013, Bangkok, Thailand-based Ninja Technologies Network (NinTechNet) has been offering a suite of security- and back-up related plugins for WordPress sites.
Of specific interest to you is NinjaScanner, a powerful anti-virus scanner for WordPress. It is lightweight (and therefore fast), and it comes with additional features including file integrity checking and comparison, sandboxes for quarantined files, multiple-types of scans, and more.
There’s plenty to like in the free version, but upgrading to the premium version gets you additional features, along with full support from the NinTechNet team.
Another option is the CleanTalk Security and Malware Scan.
CleanTalk is a small, privately-owned company located in Carson City, Nevada by Alex Bezborodov, Denis Shagimuratov, and Aleksei Znaev. The company has been around since 2014, offering security tools using the software-as-a-service model.
CleanTalk Security and Malware Scan is a cloud-based service that protects your WordPress site from multiple types of threats. This plugin offers you scanning for viruses and malware, as well as an audit log for security-related features. It also comes with other basic security tools like firewalls, brute force protection, and IP-based blocking.
CleanTalk Security and Malware scan can be used free of charge, but the company offers premium security tools you can use to augment your WordPress security suite.
Finally, you can run a WordPress security scan with Security Ninja.
Security Ninja comes with a security tester module (available even in the free version), which performs over fifty (50) tests on your website. This test takes just minutes, and you’ll have information on what is wrong, as well as how you can fix the issue it identifies.
The above scanners aren't your only options, however. Of the WordPress security plugins we mention below, most offer some type of WordPress security scan. We highly recommend that you use this feature.
The Best WordPress Security Plugins (Premium and Free) 😎
In a hurry? Here’s the list of plugins we recommend. However, if you want to see more information on why we chose these as the best of the best, read on.
- iThemes Security
- WP Security Audit Log
- BulletProof Security
- Hide My WP
- Shield Security
- All in One WordPress Security
Please note that you only need one security plugin. If you use multiple plugins simultaneously, you might see errors from the plugins causing conflicts with each other. You may, however, opt to add stand-alone tools to augment your security plugin (e.g., BlogVault for website backups and restoration.)
1. iThemes Security
iThemes Security provides you with over 30 different ways to protect and secure your WordPress site. You’ll get the features you need to prevent unauthorized access to your WordPress site (such as two-factor authentication, salts and security keys, strong password generation, and Google reCaptcha).
From the front-end, you’ll get malware scanning (which you can schedule ahead of time), protection against brute force attacks, and blocking of bots and other problematic parties. You’ll also get monitoring tools to let you know if there have been any changes made to your site that require your attention.
Finally, iThemes Security makes basic changes to your site, such as the admin account name and ID, database table prefixes, and the URLs for your WordPress Dashboard (which would otherwise be identical, format-wise, to most other WordPress sites). It also allows for an away mode so that logins aren’t allowed during the specified time period and removes login error messages, which allow attackers to collect information that can then be used to guess your credentials.
Users who want customer service, updates to the iThemes Security plugin, and multi-site support should opt for the premium version. Best of all? If you sign up for a WP Buffs subscription care plan you can get iThemes Security Pro for free. Pretty cool, right?
iThemes is an Oklahoma City, Oklahoma-based company that is known for its WordPress themes and training services. Though the company is small (they employ just under 20 people), the company offers a robust set of products, including the security and backup plugins we think you’ll be interested in.
Security is important, but one of the best things you can do for your peace of mind is to have robust, functional backups of your website. We hope that you never have to use them, but if your security tools fail for whatever reason, you’ll be glad that you can roll back instead of deleting everything and starting from scratch. That’s what BlogVault comes into play.
BlogVault bills itself as the most reliable WordPress backup plugin, boasting a 100% website recovery rate. While BlogVault isn’t an all-in-one solution, you might consider using this plugin to augment your security suite, ensuring that you have a reliable backup in case your site is so compromised that the only option is to roll back.💯 BlogVault boasts of a 100% website recovery rate. That's pretty impressive. #WordPress Click To Tweet
BlogVault can quickly create backups, as well as test your backups prior to recovery to make sure that all will work well (even if your website is 100% offline). The backups can also be used to migrate your website, and its included staging environment provides you with the space you need to test and check your migrations.
You can try BlogVault free of charge, but the company offers a variety of subscription plans from which you can choose. Prices are dependent on the features you select, as well as the number of sites you need to secure.
BlogVault is run by a small Bangalore-based company called Inactiv.com Media Solutions dedicated to making website backups easy to create and use. Though small in size, BlogVault nevertheless works with over 10,000 customers around the world. Tiny but very mighty!
Customers are also very pleased with what the company has to offer.
MalCare is a simple WordPress security plugin (setup takes just 60 seconds), but don’t think that it’s not powerful. MalCare offers a 24/7 firewall to protect against threats and is capable of detecting hidden malware and removing it in under 60 seconds using its Auto-Clean feature.
MalCare also comes with features like WordPress Hardening (which allow you to make security-related changes from the dashboard) and Captcha-based login protection, as well as a firewall to protect against hackers and bots. Furthermore, MalCare promises that it will run without impacting your website performance negatively.🏥 MalCare makes a promise to its customers: the plugin runs without affecting site performance. #WordPress Click To Tweet
MalCare guarantees 100% removal of malware from your WordPress site, all without creating any issues that would break your website. If that’s not the case, you’ll get 3x your money back.
The cost of MalCare depends on the feature plan you select, the number of websites you need to secure, and whether you choose to pay monthly or annually.
If you notice any similarities between MalCare’s and BlogVault’s websites, you're not imagining things. The small, privately-held company behind BlogVault is also the one who develops MalCare.
MalCare customers are quick to talk about the high-quality of service this plugin offers.
Jetpack, which is put out by WordPress’ parent company, Automattic, is a popular plugin that includes statistics/analytics, search engine optimization (SEO), backup, and security features.
More specifically, Jetpack’s security features include protection against brute force attacks and filtering against spam messages. You’ll also get downtime monitoring so you know the moment your site becomes unavailable, and secured logins (including optional two-factor authentication) make it difficult for unauthorized parties to gain access to your site.
When it comes to malicious behavior, you’ll get scanning for malware and malicious code, as well as automatic fixes for any identified issues. To make sure that any changes that are made are authorized, Jetpack keeps detailed change logs so you know exactly what happened, when, and who authorized the change.
Finally, Jetpack Premium comes with expanded backup features, which is helpful if you need to roll back in the future.
Unless you’ve upgraded, it’s likely that you aren’t maximizing Jetpack’s potential (especially since there’s a fair number of features available only to those who have paid). Support for JetPack is provided by Automattic employees.
5. WP Security Audit Log
WP White Security is a European company that puts out security and administration plugins for WordPress. WP White Security, which was founded by Robert Abela, is small in size, but the company’s WP Security Audit Log plugin is one of the most widely used options around.
The WP Security Audit Log is not an all-in-one solution like many of the other options on the list. Instead, it is a detailed activity logging platform that allows you to track everything that happens on your WordPress site. Other tools might come with built-in activity logging, but if you’d like additional information, using another plugin to supplement is a good idea.
For all changes that occur, WP Security Audio Log tracks the date and time of the change, the user who implemented the change, along with the user’s role, and the IP address where the changed originated.
6. BulletProof Security
BulletProof Security offers protection for everything from malware to spam. The plugin offers a one-click setup wizard to make installation easy, and you can opt to have issues fixed automatically upon detection.
BulletProof Security adds a firewall to your WordPress site, obfuscates common variables like your admin account name, database table prefixes, and login URLs, and backs up key files like .htaccess and wp-config.
BulletProof Security also comes with robust monitoring tools so that suspicious activity gets flagged right away. It also comes with detailed error logging to make it easier to fix any website problems that pop up.
Other bonus features offered to uses include skins for your themes, access to 16 mini-plugins to extend the functionality of BulletProof Security, and anti-spam protection. BulletProof isn’t the easiest security plugin to use, but those who are tech-savvy will find this tool’s more advanced functionality valuable.
AITpro Website Security is the California-company behind BulletProof Security. Though Ed Alexander is the owner of AITpro, BulletProof Security is open source, which means that it features contributions from people around the world.
7. Hide My WP
Hide My WP is a very popular security plugin for WordPress since its inception in 2013. When an attacker comes to know that a website is WordPress-based, the attack become very targeted by enumerating plugins, themes and configuration of that specific installation.
Primary use case of this product is that it completely hides the fact that you are using WordPress as your CMS. This helps in securing the websites from hackers and detectors like Wappalyzer and Builtwith.
It also bundles a state-of-the-art intrusion detector (IDS) to block security attacks like SQL injection, XSS etc in realtime. The IDS is based on ever growing signatures which blocks any attack (discovered or undiscovered) which may harm the website.
The best features of Hide My WP are:
- Hides WordPress from detectors and hackers. Hides the name of the theme, plugin, changes permalinks, hides wp-admin, login URL and a lot more.
- Blocks direct access to PHP files, cleanup WP class names, disable directory listing.
- Protects websites from undiscovered vulnerabilities and realtime attacks.
- Be notified about any potential bad behavior with full details of attacker including username, ip address, date etc.
- Includes a trust network which automatically blocks traffic from bad source IP addresses.
- Replaces complete URLs or any string in the code with any text you wish.
- Easy to use, choose from pre-made settings for 1-click deployment.
- Compatible with multi-site, apache, nginx, IIS, premium themes and other security plugins.
Sucuri is a feature-rich security plugin that secures your websites, fixes issues, and assists in preventing future attacks.
Sucuri’s Web Application Firewall (WAF) and Intrusion Prevention System (IPS) protect your website against:
- Malicious code
- Distributed denial of service (DDoS) attacks
- Brute force attacks
Sucuri constantly updates its product, due to the quickly changing threat landscape, and the company utilizes machine learning to help protect you from future threats. You’ll also get protected pages, which are accessible only to those who’ve been authorized, application profiling and signature detection to deter malicious traffic, bad block blocking, and blocking based on geographic locations.
You can get immediate alerts whenever something happens with Sucuri’s monitoring tools, and the company offers incident response services. If you notice a performance hit on your WordPress site, you can take advantage of Sucuri’s CDN.
Most users would be happy with the free version of Sucuri, though the paid options come with extras like customer service, frequent scans, and SSL certificates. Sucuri isn’t the cheapest option around, so it might not be an option for those with smaller budgets.
For on-the-go website security checks and malware scans, Sucuri offers SiteCheck. It is not a comprehensive tool, but it is a quick and easy way for you to run a scan without needing to launch and use more robust plugins.
The Sucuri team is lead by an impressive pair: the co-founders act as the VP of Engineering and the Head of Security Products at GoDaddy. To round out the team, the company employs 125 people who are based in 25 different countries.
Wordfence is a comprehensive WordPress security plugin that offers a firewall, malware scanning, malicious party blocking, audits of live traffic, and login security. The Wordfence team is 100% focused on WordPress security.
Unlike many other firewalls, Wordfence’s firewall runs on your server, which offers you increased security from breaches and data leaks. The integrated malware scanner identifies malicious code, protects against brute force attacks, enforces the use of strong passwords, and more.
Premium users will receive frequent updates to their plugin to make sure they stay ahead of the curve (free users will receive the same updates 30 days later). You can use Wordfence to manage multiple WordPress sites, and all of the information you need to see is displayed in one view.
Pricing for Wordfence begins at $99, but the company offers robust multi-site discounts. Those who have multiple websites for which they need security should check out Wordfence.
Defiant is a small software engineering team building products that have been downloaded over 90 million times to protect over 2 million active WordPress sites. Wordfence is Defiant, Inc.’s flagship product, though the company also provides coverage to new research in the WordPress security arena.
Built by WordPress’ parent company, Automattic, VaultPress offers you real-time backup and security services.
VaultPress is powered by Jetpack (which we reviewed above), and with VaultPress, you’ll get:
- Automated daily backups, with no limitations on the storage space your site uses
- 1-click restoration of your website
- Protection against brute force attacks
- Uptime monitoring
- Spam filtering
- Statistics and activity logging
- Priority support from Automattic’s Happiness Engineers
Depending on the plan level you purchase, you may also get malware and infiltration scans, as well as automatic threat resolution.
There’s a lot of overlap between Jetpack and VaultPress, so you don’t really need both. For those who seek convenience, Jetpack is great since it includes so many security features (and more!). Some, however, would prefer simplicity or to build their own security suite, rather than use a comprehensive tool -- for that, VaultPress would be a good option.
VaultPress is another plugin on this list developed by WordPress’ privately-owned, parent company, Automattic. (Fun fact: Automattic is a fully distributed company employing over 900 people working from 70 different countries).
SecuPress is a plugin that offers you a firewall for your site, malware scanning, the ability to block bots and users with suspicious IP addresses, and protection against brute force logins.
One interesting feature SecuPress offers that many others don’t is the check for vulnerable plugins and themes -- one of the entry points into WordPress sites for hackers are themes and plugins that are flawed in some way.
If SecuPress identifies any issues with your WordPress site, SecuPress presents this information to you in PDF format.
SecuPress offers a free version, which its developers say is good for those who are proactive. Those who want to automate both scans and fixes, however, would be well-served by the paid Pro version. There are also certain features (e.g., brute force protection) that only come with the Pro version.
SecuPress is a plugin first released by French developer Julio Potier in 2013 after a year and a half of development work. Portier has been working in website security in 2002 and has years of experience with WordPress specifically.
Defender offers its users multiple layers of security while featuring an easy-to-use interface. Defender boasts that you can add “all the hardening and security tweaks you need in minutes.”
Defender does it all. It performs WordPress security scans, changes common WordPress variables (e.g., renaming the admin account, changing your database table prefixes, disabling your file editor, and hiding your error reports), offers login protection and two-factor authentication, and IP address blocking. If Defender finds any issues with your site, it will send you the appropriate notifications.
Defender is free to use, but those who would like extra scanning, auditing, and monitoring can upgrade to Defender Pro.
WPMU DEV, which refers to itself as a league of WordPress experts, puts out an all-in-one WordPress platform featuring tools that help you with things like security, performance, SEO, marketing, and more. The company does receive assistance, however, from users around the world for things like plugin translations and issue identification and tracking.
13. Shield Security
Shield Security is one of the easiest options to set up -- all you have to do is install and activate it. Once you’ve done that, you’ll get alerts if there are issues, and the alert will include information on the steps you need to take to resolve the issue. At a later point, if you want to be more hands-on and take a more granular approach to your WordPress site’s security, you can do so.
If you’re new to handling security for your WordPress site, Shield comes with guided wizards to walk you through what you need to do. Shield’s security-related features include:
- Login limitations, two-factor authentication for login requests, and protection against brute force attacks
- File scanners
- Automatic IP address blacklists
- Spam filtering
- Audit trails and activity logging
For most users, the free version of Shield Security should be sufficient. However, the company offers a Pro version that gets you additional scans, WooCommerce protection, import and export functionality, and premium support.
One Dollar Plugin is a small company offering safe-to-use, budget-friendly WordPress plugins. The company’s first major release was Shield Security. Since then, One Dollar Plugin has shipped two additional plugins.
14. All in One WP Security & Firewall
All in One WP Security & Firewall strives to be a comprehensive, yet user-friendly WordPress security suite that can be used by just about anyone. The company has divided its features into three categories: Basic, Intermediate, and Advanced, so you can work only with the features appropriate for what you feel your skill level is.
All in One WP Security & Firewall will:
- Check for vulnerabilities
- Add a firewall to your site
- Protect you from threats and spam
- Makes sure that you’re implementing the latest security practices and techniques as recommended by Automattic, the parent company of WordPress. The plugin does all of this without slowing down your website.
All in One WP Security & Firewall will also obfuscate common WordPress variables (for example, the plugin will change the name of your admin account), helps you strengthen your passwords, protects against brute force attacks, and monitors your account for suspicious activity. All in One WP Security & Firewall will also secure your database and file system, as well as backup important files (e.g., htaccess and wp-config).
All in One WP Security & Firewall is currently available in 11 languages, including Spanish, Russian, and Chinese. It is also completely free to use.
All in One WP Security & Firewall is a free, open source product. Unlike many of the other options on this list, this plugin features contributions by Tips and Tricks HQ (a company that focuses on WordPress plugin development), Peter Petreski, mbrsolution, wpsolutions, Ruhul Amin, and Česlav Przywara.
Best Practices (Before Installing WordPress Security Plugins) 📝
Choosing a security plugin to help you with the heavy lifting is just the first step in securing your WordPress site. In addition to using the security plugin of your choice, we recommend the following best practices:
- Keep your plugins updated. Hackers can exploit vulnerabilities to do things like redirect users to bad sites, according to Ars Technica; these problems are discovered eventually, but this isn’t helpful to you if you don’t patch your site.
- Make sure that you are using a genuine product that is still supported. The options we present to you on this list are currently legitimate plugins with robust support offered to their users. However, this is not the case across the board when it comes to plugins available (and even the status of the options on this list may change). There are many bad actors posing as real developers who ship plugins laden with malware. Furthermore, abandoned plugins are problematic because they fall out of date and there’s no one to fix issues. This leaves you vulnerable, according to ZDNet.
We would be remiss if we didn’t mention hosting. Choose secure hosting. There’s a lot that goes on behind the scenes that you don’t have control over, so it’s important that your web host takes security as seriously as you do. If you are in the market for a secure host, check out our partners, whom we’ve vetted as being security-minded.
- ✅ Perfect for serious website owners
- ✅ Specialize in high-traffic websites
- ✅ Free migration, SSL and CDN
💰 Starting at $30/mo
Kinsta is a managed WordPress hosting provider where they take care of all your needs regarding your website. They run their services on cutting edge technology and take support seriously. They specialize in high-traffic WordPress site, so if you have one, they're an ideal partner.
💰 Starting at $25/mo
With award winning speed and an expert WordPress support team, Pressable Hosting is a great choice for agencies and developers. The company is owned by Automattic, so you know they do great work. Pressable is suited to website owners, freelancers and WordPress Agencies and every plan supports staging sites for testing.
Using VPNs to Secure Your Session 🔒
Using a security plugin to perform security scans, monitor for changes, and identify any issues is a good first step. However, there are also changes you can make to your workflow to lessen the likelihood that your WordPress page gets attacked. One of these changes is to use a virtual private network (VPN).
If you’re looking for options, check out our article, 7 Best Free VPNs to Secure 100% of Your Online Activity (2019).
What VPNs Are and How They Work
Virtual private networks (VPNs) are used to secure your internet connection by hiding all of your activity from others. VPNs typically are paid services that required the installation of a program on your computer. Once you’ve done this, your VPN encrypts your data, sends your data to the VPN’s servers, and then forwards the data from your VPN’s server to the final destination.
Sound convoluted? A bit, but when it comes to security, you need to be ahead of hackers. So what are the benefits of this process?
First, the destination sees that the origins of the traffic are the VPN server, not you, which offers you anonymity. This makes it hard to identify you as the source of your data, including information on what you’re doing, where you’re doing it from, and so on.
Second, your data is encrypted. Even if someone can “see” your transmissions, they’re unable to read what you’re doing.
Why VPNs Matter
When you work on your WordPress site, you run the risk of sharing your data with unauthorized parties (especially if you’re working in a public space and using a publically-available WiFi connection). By using a VPN, you obfuscate what you’re doing, reducing the risk that malicious parties gain access to information that they can then use to compromise your WordPress site.
There are tons of VPN options available, but not all are created equal. One option we recommend is Ivacy, which is an easy-to-use VPN service offering fast speeds (as you can imagine, the intermediate steps involved in securing your traffic can slow you down a bit). Ivacy offers apps for a variety of devices, so you can use it for your laptop and mobile devices.
Ivacy, however, isn’t the only VPN tool that’s good. HotSpot Shield is similar to Ivacy with its emphasis on security and speed, as well as support for multiple platforms. Those who work mostly on desktops or laptops might find Windscribe useful -- the company offers an easy-to-use browser extension and adblocking.
Wrapping Up 🎁
Whether you know it or not, there are tons of threats to your WordPress site. Luckily, most hackers aren’t interested in working too hard to access your site -- they’re aiming for the low-hanging fruit, so if your site is more difficult to access than your neighbors, the hackers will go elsewhere.
Website security, however, isn’t an easy thing to implement and maintain. There are many layers to securing your WordPress site. However, that’s where plugins come in. By choosing and using the best WordPress security plugin for your site, you can help make sure that your site stays safe against malicious parties.
No matter what your skill level is -- maybe you want everything automated, but maybe you are super comfortable and want to manage the nitty-gritty yourself -- there is a plugin that does what you need at a price you can afford.
Don’t wait until your site gets compromised to act! Remember, an ounce of prevention beats a pound of cure!
And if you need some help figuring all of this out, we here at WP Buffs are more than willing to help lend a hand with our comprehensive site care plans. Whether you need to install WordPress security plugins or need a whole site security check, we've got you covered.
Want to give your feedback or join the conversation? Add your comments 🐦 on Twitter.
Brenda Barron is the blog editor for the WP Buffs WordPress blog and a freelance writer from southern California. When not working, she’s spending time with her family, homeschooling her kids, knitting, and getting outdoors. Find out more about her at Digital Inkwell. If you want some freebies, check out our free speed and security ebooks, webinars for WordPress professionals, WordPress blog or WordPress podcast all about building monthly recurring revenue.