Protect Your Site Using the Best Security Plugins Available
Updated October 12, 2020
There are hundreds of WordPress security plugins to choose from, with some trying to do one thing only and others trying to do it all. Security plugins will often make fundamental changes to folder locations, database prefixes, user IDs and enumeration, obfuscate file locations and restrict login access, so it’s always prudent to make a backup and look at plugins which are:
– Well rated on wordpress.org
– Backed by a substantial number of active installations
– Known for including great customer support
– Robust in free versions and even more powerful in paid versions (if needed)
Some plugins focus on firewall, malware, file integrity, scanning, monitoring or locking down access. Some do all those things. However, none offer the full range of features (cumulative) found in the top 6 best WordPress security plugins. Choose any one of them, make a backup, then follow the install instructions.
Advice on choosing a security plugin – try the free version before buying a paid version!
6 Best WordPress Security Plugins (2020) [Alphabetical Order]
1. All In One WP Security & Firewall [free]
Providing a well-rounded feature set and highly reviewed support, All In One WP Security & Firewall has nearly 1 million active installations (wordpress.org stats) with a 5-star rating. It’s currently translated into more than a dozen different languages as well.
Features can be applied based on user preferences as “basic”, “intermediate” and “advanced” using a straightforward user interface that utilizes charts to display security scoring across various categories.
Basic – lowest chance of site breakage
Intermediate & Advanced – more secure with each step though can break some sites
– User Account Security
– Login & Registration Security + Brute Force Blocking
– Database Backups and Prefix Changer
– File System Permission Check + WP Core File Scanner
– Hosting Account System Log Monitor
– Firewall with Dozens of Features
– Comment Spam Security
– Obfuscation by Removing Identifying Information
2. BulletProof Security [free and Pro versions]
Providing a solid free version is worth mentioning, though the Pro version is an incredible value with a one-time payment of $69.95 that includes unlimited sites, unlimited support and too many features to list individually here.
Noteworthy Pro version features include automatic restoration of files that have been altered by someone else, quarantining of altered files, database intrusion detection, database change monitoring, plugin firewalling, WordPress uploads folder protection, full system monitoring/logging/notifications, 16 Pro utilities to aid administration plus file and folder locking.
When it comes to features multiplied by number of sites, divided by lifetime cost of ownership, BulletProof Security represents outstanding value for money and should be considered by anyone looking for a multi-pronged security solution.
– DB Backup + Prefix Changer + Monitoring
– File System Monitoring
– Login Security + Monitoring
– Malware Scanner
– Plugin Firewall with Whitelisting
3. iThemes Security (formerly Better WP Security) [free and Pro versions]
Having over 1 million active installations according to wordpress.org is no small achievement. With 4.5 stars and translations available in 16+ languages, iThemes Security has a satisfied global audience. It’s also been around for some time – long enough to develop 30 different ways to help secure your WordPress site.
The free version of iThemes Security is no slouch and includes file integrity checking, obfuscation of key WP information, brute force protection, logging, notifications and more.
– Automated Backups
– Brute Force Protection
– File Editing Lockdown & Integrity Checking
– Forced SSL
– Login and Password Security
– Malware Scanning
– Vulnerability Scanner
Upgrading to the Pro version costs anywhere from $80 for 1 year, 1 site up to and including unlimited sites for $199 for 1 year. You’ll get two factor authentication, scheduled malware scanning, core file comparison, WP-CLI integration, password expiry, private ticketed support and several other handy features.
While the features aren’t as impressive as some others on this list, it is nonetheless a stable, well supported security plugin that’s worthy of consideration.
4. Malcare Security [free and Premium]
30,000+ active installs. 4.0 stars. Malcare Security has been around a couple of years and is rapidly gaining a foothold in the market thanks to a respectable set of free features and a rich set of specialist features (it doesn’t try to do everything) in the Premium version.
Premium costs anywhere from $99/year for 1 site to $599/year for 20 sites.
Designed with agencies and resellers in mind, Malcare Security includes user management, team management, client management, scheduled reports, white labeling and centralized management of multiple sites for ease of administration.
– Admin Area Protection
– Deep Malware Scanning
– Login Protection
– Malware Automated Cleanup
– Plugin and Theme Updater
– Real Time Support
– Web Application Firewall
5. Sucuri Scanner [free and Premium]
Sucuri Scanner hasn’t quite reached 1 million active installations but is doing well globally with 9 translations and 4.5 stars on wordpress.org.
Billed as a tool for auditing, malware scanning and security hardening, Sucuri Scanner offers a wide range of features in the free version and even more in the Premium, which costs from $199/year to $499/year.
It is not a cheap option in comparison to the rest of the field, but it is a solid contender.
– Activity Auditing
– Blacklist Monitoring
– File Integrity Monitoring
– Malware Scanning and Cleanup
– Web Application Firewall
6. WordFence Security [free and Premium]
3+ million active installs, 5 star reviewed, robust, stable and a top contender in both free and paid categories. WordFence has been around for a long time, for good reason – it works well.
Billed as a firewall and security scanner, WordFence doesn’t do everything, but what it does do, it does do well.
The Premium version costs between $99/site and $74.25/site.
– Blacklist Checker
– Brute Force Protection
– Country Level Blocking + IP / IP Range / Referrer / User-Agent Blocking
– File Integrity Checker + File Repair / Restore
– Login Security
– Malware Scanner
– Multi-Site Central Management
– Notifications and Alerts
– Real-Time Activity Monitoring
– Vulnerability Checker
– Web Application Firewall with Rule and Malware Signature Updates
With free security plugins, you’ll often get directed to a forum where you can post a question and hope for help. Paid versions often include email and live chat support. Telephone support is incredibly rare for plugins, security and otherwise.
Internal (Local) vs Cloud (Remote) Differences
Many cloud-based malware scanners are limited to testing what they see presented to a simulated web browser, so they wouldn’t be able to detect at the same level as a scan running on the server where the WordPress site is hosted.
Some cloud-based Web Application Firewalls (WAF) can be bypassed unless restrictive techniques are employed to limit access.
Premium vs Free Feature List Differences
There is no hard and fast rule as to which features come with the free version of plugins and which features will require premium upgrades. Suffice it to say that the security plugins listed are very powerful, even in their free versions, but you should check on premium upgrades to see what else can be had and at what price.
Malware Detection vs Detection + Removal
Detection is one thing, but removal or file restoration is quite another. Many free plugins will check for malware and alert you if there’s a problem, but it’s mostly paid versions that offer the quick and easy removal feature.
Multiple Plugins Working Together
Not all security plugins can be installed side by side, mostly because the scans and checks they do can be seen as attacks by other plugins. For example, WordFence will likely detect Sucuri Scanner as an invalid crawler and will stop Sucuri from performing basic functions, unless the Sucuri IP address is whitelisted within WordFence.
Operating Environment Requirements
Be sure to check the installation requirements before making a decision and trying to install a security plugin or plugins.
– CPU – vCPU Cores Available
– Sites – Single, Multi-Site, Network
– RAM – Minimum MB of Available Memory
– Web Server – Apache, LiteSpeed (mod_rewrite?), NGINX
Always make a backup of your entire site and database before installing a security plugin that might make massive changes to your file paths, database or other critical parts of the website / hosting account.
Try the free version before splashing out cash on a paid version. See if you like the look and feel, features, notifications and ease of management. It pays to spend a little time testing and evaluating. After all, there are reasons why there are multiple competing plugins in the market that are all high quality and popular: each one fits a slightly different user preference. Try out one, try out several (not all at once) and decide for yourself which one you prefer.
There’s no absolute top choice among this field. You’d do well to install any of them as compared to doing nothing!
If you have the time and inclination, you could install other plugins that each perform one or two of the features that these behemoths have in their repertoire. Slice and dice the features that you want, or think you need, and create your own solution.
These mega-security plugins for WordPress are built to give users the convenience of having a laundry list of security features all in one place. It’s less work than installing, updating and testing a dozen other smaller plugins (making sure they all work well together).
The list of plugins here has been narrowed from hundreds based on features, support, regular updates, reviews and prior experience in hands-on testing.
KnownHost customers can open a support ticket and ask for advice or a hand in case anything goes wrong along the way (but please make a backup before installing any of these). You can also check out the forums, which other site owners, web visitors and KnownHost staff are known to frequent – feel free to ask questions and share insights – it’s a very helpful community here!