How to Protect Your Website Using the Best Security Plugins for WordPress
There are hundreds of WordPress security plugins to choose from, with some trying to do one thing only and others trying to do it all. Given the fact that security plugins will often make fundamental changes to folder locations, database prefixes, user ID’s and enumeration obfuscate file locations and restrict login access, it’s always prudent to make a backup and look at plugins which are:
- Well rated on wordpress.org
- Have a substantial number of active installations
- Are known for including great customer support
- Robust in free versions and even more powerful in paid versions (if needed)
Some plugins focus on the firewall, malware, file integrity, scanning, monitoring, or locking down access. Some do all those things. However, none offer the full range of features (cumulative) found in the top 6 best WordPress security plugins. Choose any one of them, make a backup, then follow the install instructions.
Advice on choosing a security plugin – try the free version before buying a paid version!
What Defenses Can Security Plugins Provide
Authentication / Login
- Add Two Factor Authentication (SMS, Google Authenticator, Other)
- Auto Logout Idle Users
- Restrict # of Login Attempts
- Signup Form Honeypots
- SSL Forced
- Strong Password Creator
Backups – Automatic
- Database (Full or Partial)
- Replace Altered Files with Originals
- Remove Files that Shouldn’t Be There
- Block by Country, IP, IP Range, Hostname, User Agent, Referrer
- Block Brute Force Attempts
- Block Scanners
- Block Fake Traffic
- Block Botnets
- Block or Limit Unwanted or Low Value Search Crawlers
- Block Image Hotlinking
- Internal + Downloadable Blacklists
- Internal + Downloadable Firewall Rules
- Users Hitting Excessive 404 URLs
Hacking Attempts (Few Examples Below)
- Code Injection
- SQL Injection
Malware (Internal and Cloud Scanning)
- Scan WordPress Core Files
- Scan Theme Files
- Scan Plugin Files
- Scan Posts & Comments (Malware, Bad URLs, Redirects, Backdoors)
- Check Against Google Safe Browsing List
- Downloadable Malware Signatures
Monitoring & Logging (Internal and Cloud)
- Whenever Plugins are Closed or Abandoned
- Checks to see if Your Site is Blacklisted for Spam, Malware or Security Issues
- See Real-Time Traffic Activity
- Which Users are Consuming Most Content
- Reverse IP Lookup & Geolocation
- Track User Logins / Logouts
- See Errors
- Check Disk Usage to Avoid Exhausted Space DoS Attacks
Notifications & Integrations
- Slack / Similar
- WordPress Dashboard
Obfuscation (Security Through Obscurity)
- Admin URL Change
- Admin User Name Change
- Admin User ID Change
- Database Table Prefix Change
- Notification Removal
- Non-Admin User Updates
- WP Errors
- wp-content Folder Name (Path) Change
6 Best WordPress Security Plugins (2020) [Alphabetical Order]
Providing a well-rounded feature set and highly reviewed support, All In One WP Security & Firewall has nearly 1 million active installations (wordpress.org stats) with a 5-star rating. It’s currently translated into more than a dozen different languages as well.
Features can be applied based on user preferences as “basic”, “intermediate” and “advanced” using a straightforward user interface that utilizes charts to display security scoring across various categories.
- Basic – lowest chance of site breakage
- Intermediate & Advanced – more secure with each step though can break some sites
- User Account Security
- Login & Registration Security + Brute Force Blocking
- Database Backups and Prefix Changer
- File System Permission Check + WP Core File Scanner
- Hosting Account System Log Monitor
- Firewall with Dozens of Features
- Comment Spam Security
- Obfuscation by Removing Identifying Information
Providing a solid free version is worth mentioning, though the Pro version is an incredible value with a one-time payment of $69.95 that includes unlimited sites, unlimited support, and too many features to list individually here.
Noteworthy Pro version features include automatic restoration of files that have been altered by someone else, quarantining of altered files, database intrusion detection, database change monitoring, plugin firewalling, WordPress uploads folder protection, full system monitoring/logging/notifications, 16 Pro utilities to aid administration plus file and folder locking.
When it comes to features x number of sites divided by lifetime cost of ownership, BulletProof Security represents an outstanding value for money and should be one plugin considered by anyone looking for a multi-pronged security solution
- DB Backup + Prefix Changer + Monitoring
- File System Monitoring
- Login Security + Monitoring
- Malware Scanner
- Plugin Firewall with Whitelisting
Having over 1 million active installations according to wordpress.org is no small achievement. With 4.5 stars and translations available in 16+ languages, iThemes Security has a satisfied global audience. It’s also been around for some time – long enough to develop 30 different ways to help secure your WordPress site.
The free version of iThemes Security is no slouch and includes file integrity checking, obfuscation of key WP information, brute force protection, logging, notifications and more.
- Automated Backups
- Brute Force Protection
- File Editing Lockdown & Integrity Checking
- Forced SSL
- Login and Password Security
- Malware Scanning
- Vulnerability Scanner
Upgrading to the Pro version costs anywhere from $80 for 1 year, 1 site up to and including unlimited sites for $199 for 1 year. You’ll get two factor authentication, scheduled malware scanning, core file comparison, WP-CLI integration, password expiry, private ticketed support and several other handy features.
While the features aren’t as impressive as some others on this list, it is nonetheless a stable, well supported security plugin that’s worthy of consideration.
30,000+ active installs. 4.0 stars. Malcare Security has been around a couple of years and is rapidly gaining a foothold in the market thanks to a respectable set of free features and a rich set of specialist features (it doesn’t try to do everything) in the Premium version.
Premium costs anywhere from $99/year for 1 site to $599/year for 20 sites.
Designed with agencies and resellers in mind, Malcare Security includes user management, team management, client management, scheduled reports, white labeling and centralized management of multiple sites for ease of administration.
- Admin Area Protection
- Deep Malware Scanning
- Login Protection
- Malware Automated Cleanup
- Plugin and Theme Updater
- Real Time Support
- Web Application Firewall
Sucuri Scanner hasn’t quite reached 1 million active installations but is doing well globally with 9 translations and 4.5 stars on wordpress.org.
Billed as a tool for auditing, malware scanning and security hardening, Sucuri Scanner offer a wide range of features in the free version and even more in the Premium, which costs from $199/year to $499/year.
Not a cheap option in comparison to the rest of the field, but is a solid contender.
- Activity Auditing
- Blacklist Monitoring
- File Integrity Monitoring
- Malware Scanning and Cleanup
- Web Application Firewall
3+ million active installs, 5 star reviewed, robust, stable and a top contender in both free and paid categories. WordFence has been around for a long time, for good reason – it works, well.
Billed as a firewall and security scanner, WordFence doesn’t do everything, but what it does do, it does do well.
The Premium version costs between $99/site and $74.25/site.
- Blacklist Checker
- Brute Force Protection
- Country Level Blocking + IP / IP Range / Referrer / User-Agent Blocking
- File Integrity Checker + File Repair / Restore
- Login Security
- Malware Scanner
- Multi-Site Central Management
- Notifications and Alerts
- Real-Time Activity Monitoring
- Vulnerability Checker
- Web Application Firewall with Rule and Malware Signature Updates
With free security plugins, you’ll often get directed to a forum where you can post a question and hope for help. Paid versions often include email and live chat support. Telephone support is incredibly rare for plugins, security and otherwise.
Internal (Local) vs Cloud (Remote) Differences
Many cloud-based malware scanners are limited to testing what they see presented to a simulated web browser, so they wouldn’t be able to detect at the same level as a scan running on the server where the WordPress site is hosted.
Some cloud-based Web Application Firewalls (WAF) can be bypassed unless restrictive techniques are employed to limit access.
Premium vs Free Feature List Differences
There is no hard and fast rule as to which features come with the free version of plugins and which features will require premium upgrades. Suffice it to say that the security plugins listed are very powerful, even in their free versions, but you should check on premium upgrades to see what else can be had and at what price.
Malware Detection vs Detection + Removal
Detection is one thing, but removal or file restoration is quite another. Many free plugins will check for malware and alert you if there’s a problem, but it’s mostly paid versions that offer the quick and easy removal feature.
Multiple Plugins Working Together
Not all security plugins can be installed together, simultaneously, mostly because the scans and checks they do can be seen as attacks by other plugins. For example, WordFence will likely detect Sucuri Scanner as an invalid crawler and will stop Sucuri from performing basic functions, unless the Sucuri IP address is whitelisted within WordFence.
Operating Environment Requirements
Be sure to check the installation requirements before making a decision and trying to install a security plugin or plugins.
- CPU – vCPU Cores Available
- Sites – Single, Multi-Site, Network
- RAM – Minimum MB of Available Memory
- Web Server – Apache, LiteSpeed (mod_rewrite?), NGINX
Cautions About InstallingSecurity Plugins
Always make a backup of your entire site and database before installing a security plugin that might make massive changes to your file paths, database, or other critical parts of the website / hosting account.
Try the free version before splashing out cash on a paid version. See if you like the look and feel, features, notifications, and ease of management. It pays to spend a little time testing and evaluating. After all, there are reasons why there are multiple competing plugins in the market that are all high quality and popular. It’s because each one fits a slightly different user preference. Try out one. try out several (not all at once) and decide for yourself which one is preferred.
There’s no absolute top choice among this field. You’d do well to install any of them as compared to doing nothing!
If you have the time and inclination, you could install other plugins that each perform one or two of the features that these behemoths have in their repertoire. Slice and dice the features that you want, or think you need, and create your own solution.
These mega-security plugins for WordPress are built to give users the convenience of having a laundry list of security features all in one place. It’s less work than installing, updating and testing a dozen other smaller plugins (making sure they all work well together).
The list of plugins here has been narrowed from hundreds based on features, support, regular updates, reviews and prior experience in hands-on testing.
Notes: We’re not getting paid to endorse any of these plugins. There are no referral compensation or affiliate fees in case you click a link and buy a premium version of one. We’re sharing this information to help you make a good decision about securing your site.
KnownHost customers can open a support ticket and ask for advice or a hand in case anything goes wrong along the way (but please make a backup before installing any of these). You can also check out the forums where other site owners, web visitors and KnownHost staff are known to frequent – feel free to ask questions and share insights – it’s a very helpful community here!
Editor’s Pick For Best Security Plugins
If you’re wanting to get a great plugin without spending a penny, then look no further than:
- All In One WP Security & Firewall
For maximum features at a minimum cost per site, per year, then check out:
- BulletProof Security Pro
Have a WordPress website? Check out our Managed WordPress Hosting and see if we are a good fit for you. KnownHost offers 365 days a year, 24 hours a day, all 7 days of the week best in class technical support. A dedicated team ready to help you should you need our assistance. You’re not using KnownHost for the best webhosting experience? Well, why not?