There are a number of ways in which your site could become the victim of a security breach. Unsupported and outdated plugins and themes are one way. Weak password rules and unfettered access to WordPress is another. Hackers could also get in through your hosting server. And on and on the possibilities go.
Needless to say, having a laser focus on security is of the utmost importance when you’re a web developer, especially when you work on a platform like WordPress that already seems to have a huge target on its back.
But this isn’t news to you. That’s why WPMU DEV publishes posts with the most commonly overlooked security tips as well as the ultimate reference guide to WordPress security.
Now, although it’s been revealed in the past that some WordPress plugins have actually introduced vulnerabilities into WordPress, many of those problems stem from plugins that developers no longer support or monitor, so the holes never get patched. There are plenty of plugins that are secure, reliable, and well-maintained to the point where you’ll regularly see patches come through for them (just as you do for the core).
And it’s within those plugins where you’ll find trustworthy security plugins to help keep your site secure.
17 Best WordPress Security Plugins to Keep Your Site Secure
Typically, when we talk about the best security plugins, we focus on ones that promise to be all-encompassing. However, a list of the best WordPress security plugins really isn’t complete without breaking out the more specialized players. You know the ones: they deal in special protection against things like brute-force attacks or in safeguarding the admin login area.
That’s why, in the following roundup, I’m going to cover all of the best WordPress security plugins that will help you protect your site from every angle.
Best All-Encompassing Security Plugins
These plugins cover as many security bases as they possibly can.
WPMU DEV’s Defender plugin is now available for free in the WordPress repository and remains part of the WPMU DEV membership pack. What’s not to love about that? Oh yeah. The security piece. Here’s why this is the ultimate bodyguard for your WordPress site:
- Automated and customized security scans
- Recommended security fixes
- Updated security keys (regeneration of the wp-config.php keys and salts, which invalidates existing login cookies)
- Two-factor authentication at login
- Limited login attempts
- Code and file scanning for unauthorized changes
- Bot and IP lockout when you suspect they’re out to do you harm
- Online monitoring lets you know if your site was blacklisted
- 10GB of Snapshot backup included
The name is no exaggeration. When you want all-in-one security protection for your site, you can trust in this plugin to deliver that. It will cover:
- Standard security scanning
- User account (and password) security
- IP address blacklisting/whitelisting
- Automated database backups
- One-click restore
- File security
- Firewall enabling
- Brute-force attack security
- And more
Although there is a premium version of this plugin available, I think the standard iThemes Security is a good place to start so you can get a sense of the power this plugin packs in. As the developer describes it, this plugin’s job is to protect, detect, and obscure. If you want to round out your process with the “recover” portion, iThemes sells BackupBuddy, one of the backup plugins we recently featured in our comparison roundup.
This plugin really specializes in fortifying the login and user management piece of WordPress security, so if that is a primary concern for you, then this may be a good one to start with.
Perhaps my favorite thing about this plugin is the developer’s commitment to automating the security monitoring and protection process. When you look at how easy this plugin is to use and how many points it ticks off on your security audit checklist, you can see that they really take this mission to heart.
Here are some of the things Shield Security will do:
- Off-site security key included
- Activity auditing
- Firewall protection
- Two-factor authentication
- Brute force protection
- Automatic core, plugin, and theme updates
- IP address blocking
Sucuri is a trusted name in security. You’ve likely seen one of their hacked website reports that consistently demonstrate how vulnerable WordPress can be when it’s not properly secured. So, it’s nice to see that an expert on the matter has thrown their own plugin into the mix. Aside from a premium firewall add-on, this plugin is 100% free to use. It includes:
- Activity auditing
- File monitoring
- Malware scanning
- Post-hack recovery
- And more
Wordfence Security is by far the most downloaded security plugin for WordPress and there is a good reason for it. Although there are a number of upgrades worth looking into if you manage higher-traffic sites, the free version in and of itself is robust and may be sufficient on its own.
With the standard Wordfence security plugin, you’ll get:
- A firewall
- Real-time monitoring capabilities
- Scanning of the core, plugins, themes, and all files
- Blocking against a variety of threat types
- Stronger login practices
Best Anti-Spam Plugins
Part of the Automattic family of plugins, Akismet handles all that nasty comment spam that often comes through on blogs. It’s a super simple plugin that takes the thinking and manual work out of moderating comments and links from malicious senders that you want to spare your readers from clicking on.
This is another simple anti-spam plugin that works to kick out malicious comments from your blog. This one is more set-it-and-forget-it, so if you like the idea of not having to bother with settings or monitoring the spammy traffic that comes through, this may be a good choice.
This plugin from CleanTalk does more than just protect your blog comment feeds from spam infiltration. This one also works to prevent you from having to moderate spam emails or responses on your contact forms, surveys, reservation systems, and more.
I recently tackled the question, “Should you disable comments on your WordPress blog?” While much of the reasoning came from WordPress pros who used factors like SEO or website real estate to validate their decisions, there’s one thing they didn’t talk about much. And that is speed.
WP-SpamShield directly addresses that part of the equation, however, as this firewall plugin aims to keep spam completely off your site and out of your database.
This anti-spam plugin works much as the others do: it blocks spammers from getting in through comment fields as well as contact forms. This one, however, takes it one step further and defends against brute force attacks. So, if you’re looking for a one-two punch, you’ll get it here.
Best Login Protection Plugins
This plugin is part anti-spam, part login-fortifying plugin. Like many of the other plugins mentioned before, this one works on kicking out spammers before they can get through to your comments or contact forms. It also works to strengthen your login screen, changing the wp-admin address, adding a reCAPTCHA, and limiting login attempts.
The main purpose of this plugin is to limit the number of login attempts made on your WordPress website, sharply raising the cost of a brute force attack (it cannot stop one outright, since a distributed attacker can spread attempts across many addresses). However, this plugin also comes with some great premium features. If you like how effective the free Loginizer is, you might want to think about an upgrade so you can unlock two-factor authentication, login challenge questions, reCAPTCHA, wp-admin renaming, disabling of XML-RPC, and more.
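To make concrete what the “limit login attempts” and “disable XML-RPC” features mentioned above (in Defender, iThemes Security, Shield Security, and Loginizer) actually do under the hood, here is a small must-use plugin written for this article. It is an added example, not code taken from any of those products. It counts failed logins per client address with WordPress transients, refuses authentication once the threshold is reached, clears the counter on success, and switches XML-RPC off. The threshold, lockout window, and all `example_` function names are assumptions chosen for illustration.

```php
<?php
/**
 * Plugin Name: Example login rate limiter
 * Description: Added illustration for this article, not a product on the page.
 *              Locks a client address out after too many failed logins and
 *              disables XML-RPC. Drop into wp-content/mu-plugins/ to load it.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never run outside WordPress
}

// Assumed policy values; the real plugins make these configurable.
const EXAMPLE_MAX_ATTEMPTS    = 5;
const EXAMPLE_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

/**
 * Transient key for the requesting client.
 * REMOTE_ADDR is used on purpose: trusting X-Forwarded-For without a known
 * reverse proxy lets an attacker choose their own "IP" and dodge the lockout.
 */
function example_lockout_key() : string {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

/** Count a failed attempt; once the limit is hit, set a separate lockout flag. */
function example_record_failed_login( $username ) {
    $key      = example_lockout_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, EXAMPLE_LOCKOUT_SECONDS );

    if ( $failures >= EXAMPLE_MAX_ATTEMPTS ) {
        set_transient( $key . '_locked', 1, EXAMPLE_LOCKOUT_SECONDS );
        error_log( sprintf(
            'example-limiter: lockout for %s after %d failures (username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $failures, $username
        ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failed_login' );

/**
 * Refuse authentication while locked out. Priority 99 runs after WordPress's
 * own username/password and cookie checks (priority 20 and 30), so a correct
 * password during the lockout window is still rejected.
 */
function example_block_locked_out( $user, $username, $password ) {
    if ( get_transient( example_lockout_key() . '_locked' ) ) {
        return new WP_Error(
            'example_locked_out',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'example_block_locked_out', 99, 3 );

/** Clear the counter on a successful login so ordinary typos do not accumulate. */
function example_clear_failures( $user_login, $user ) {
    delete_transient( example_lockout_key() );
}
add_action( 'wp_login', 'example_clear_failures', 10, 2 );

/**
 * XML-RPC's system.multicall lets one HTTP request try hundreds of passwords,
 * bypassing any per-request limit on wp-login.php, so turn the endpoint off
 * unless something (Jetpack, a mobile app) genuinely needs it.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Two caveats a practitioner should keep in mind: attempts made during the lockout also fire `wp_login_failed`, so every retry extends the window, and if the site sits behind a reverse proxy or CDN then `REMOTE_ADDR` is the proxy’s address and all visitors share one counter. That is why the plugins above layer two-factor authentication and captchas on top of plain attempt limiting rather than relying on it alone.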
This is a great plugin to add onto your security plugin set when none of the others will help you rename and “hide” the wp-admin directory or your wp-login.php page. In addition, this works with Multisite, so you can change your entire network’s admin URL much more easily.
Other Security Plugins
It’s so easy these days to get an SSL certificate that it seems kind of silly not to have one. That said, if you’re not able to get one through your web host, you’ll need to get it from a third-party provider and then install it on your site. This plugin will help you get it up and running while also checking for mixed content issues: scripts, stylesheets, images, and other resources that a page served over HTTPS still loads over plain HTTP. Browsers warn on or block such resources, and an attacker on the network can tamper with them, which undoes much of the benefit of having the certificate in the first place.
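A mixed content check of the kind described above is straightforward to reproduce. The following is an added example written for this article, not the plugin’s own code: it parses an HTML document with PHP’s `DOMDocument` and reports every resource-loading attribute whose URL starts with `http://`. Plain `<a href>` links are deliberately ignored, since following a link is not mixed content. The sample page at the bottom is constructed for the demonstration, and `example_find_mixed_content` is a hypothetical name.

```php
<?php
/**
 * Added example: list the resources an HTTPS page would load over plain http://.
 * Not taken from any plugin on this page.
 */

/**
 * Return one "<tag attr="url">" string for every insecure resource in $html.
 * Only attributes that cause a fetch are inspected; <a href> is not checked.
 */
function example_find_mixed_content( string $html ) : array {
    // Tag => attributes that make the browser load something.
    $checks = [
        'img'    => [ 'src', 'srcset' ],
        'script' => [ 'src' ],
        'link'   => [ 'href' ],
        'iframe' => [ 'src' ],
        'video'  => [ 'src', 'poster' ],
        'audio'  => [ 'src' ],
        'source' => [ 'src', 'srcset' ],
    ];

    $doc = new DOMDocument();
    libxml_use_internal_errors( true ); // real pages are rarely well-formed
    $doc->loadHTML( $html, LIBXML_NOWARNING | LIBXML_NOERROR );
    libxml_clear_errors();

    $findings = [];
    foreach ( $checks as $tag => $attrs ) {
        foreach ( $doc->getElementsByTagName( $tag ) as $el ) {
            // <link rel="canonical"> and similar are not fetched as resources.
            if ( $tag === 'link'
                && ! preg_match( '/\b(stylesheet|icon|preload|prefetch)\b/i', $el->getAttribute( 'rel' ) ) ) {
                continue;
            }
            foreach ( $attrs as $attr ) {
                if ( ! $el->hasAttribute( $attr ) ) {
                    continue;
                }
                // srcset holds comma-separated "url descriptor" pairs; test each URL.
                $candidates = $attr === 'srcset'
                    ? array_map(
                        fn( $pair ) => explode( ' ', trim( $pair ) )[0],
                        explode( ',', $el->getAttribute( $attr ) )
                    )
                    : [ trim( $el->getAttribute( $attr ) ) ];
                foreach ( $candidates as $url ) {
                    // Protocol-relative "//host/path" inherits https and is fine.
                    if ( stripos( $url, 'http://' ) === 0 ) {
                        $findings[] = sprintf( '<%s %s="%s">', $tag, $attr, $url );
                    }
                }
            }
        }
    }
    return $findings;
}

// Constructed sample page for the demonstration, not captured from a real site.
$sample = <<<'HTML'
<!doctype html><html><head>
<link rel="stylesheet" href="https://example.com/style.css">
<link rel="canonical" href="http://example.com/">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="//example.com/ok.png">
<img src="http://example.com/logo.png" srcset="http://example.com/logo@2x.png 2x">
<a href="http://example.org/">plain links are not mixed content</a>
</body></html>
HTML;

foreach ( example_find_mixed_content( $sample ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run it with `php mixed-content-check.php` (or any filename you choose). On the sample it reports the script and the two image URLs and stays quiet about the HTTPS stylesheet, the canonical link, the protocol-relative image, and the anchor. In practice you would feed it the rendered HTML of each page, since content injected by themes and plugins is where stray `http://` references usually hide.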
Has your WordPress site had issues with malware in the past? If so, you might want to think about getting this plugin, which specifically hunts for malware in your WordPress files, including infections introduced through vulnerable plugins as well as the core.
Geotargeting can be quite useful when you’re trying to better hone where your site’s traffic comes from. This particular geotargeting plugin can also be used to block malicious parties from entering your site, especially if you know where the brunt of those attacks are coming from geographically. Keep in mind that an attacker can route traffic through a proxy or VPN in another country, so treat country blocking as one layer that cuts down noise rather than a barrier on its own.
If you’re really worried about the security of the WordPress platform, then a WordPress security plugin is definitely in order. Whether you want one that promises an all-encompassing approach to security or you want to mix-and-match plugins based on where you believe your site to be most vulnerable, there is indeed a plugin that can help.