Having read forums, Googled for hours, I wanted to know:
- What is the best security plugin?
- What is the best security plugin to deal with Brute Force attacks?
- What WordPress security plugin is best to block comment spammers?
WordPress is the most popular blogging platform in the world, with millions of websites using it as a content publishing platform.
Consequently, WordPress attracts unwanted attention from spammers and attackers. Because every installation exposes the same login page, XML-RPC endpoint and plugin paths, attackers can scan for sites where security is weak and attack them automatically. A compromise is bad not only for the website but for the hosting server as well, and even unsuccessful, repeated attacks consume server resources.
WordPress core is updated regularly to patch known vulnerabilities, but third-party themes and plugins are where most WordPress sites become vulnerable. Occasionally a vulnerability in WordPress itself is found that lets an attacker compromise the whole server.
In this article, I discuss the top security plugins available for WordPress. They offer a range of features to protect a WordPress blog from known threats, and their vendors update rules and signatures as new exploits appear.
Every WordPress user should run at least one security plugin: unattended sites are found by automated scanners within days, so it is only a matter of time before an unprotected one is hit.
These are the best known security plugins available for WordPress (in no particular order).
1. WordFence
Wordfence comes in a free and a premium version. It has over 1 million installs and provides protection from malware and hacks in the free tier. Besides the usual features (two-factor authentication, brute-force protection and hardening of user accounts), it scans the site to check whether it is already infected.
It rate-limits and blocks brute-force login attempts, can block traffic by country (a premium feature), and includes a firewall that blocks fake traffic, botnets and scanners. It also scans the hosting account for known backdoors such as the C99 and R57 web shells.
It scans all files of WordPress core, themes and plugins, comparing them against the official releases, and notifies you if it finds an infection or a modified file.
It also scans posts and comments for malicious code, supports multisite, and shows live traffic so you can see in real time whether the site is under attack.
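Signature scanning of the kind Wordfence performs can be reproduced in a few dozen lines. The script below is an added example written for this article, not Wordfence's scanner: it walks a WordPress tree, flags PHP files carrying markers typical of the C99 and R57 shells and of the eval/base64 droppers used to install them, and flags any PHP file under wp-content/uploads, a directory that should hold media only. The signature list is a small illustrative set, and the directory layout it assumes is the standard WordPress one.

```php
<?php
/**
 * scan-backdoors.php: flag PHP files under a WordPress tree that carry
 * markers of known web shells (C99, R57) or of the eval/decode droppers
 * commonly used to install them. Added example for this article; it is not
 * Wordfence's scanner and its signature list is illustrative, not complete.
 *
 * Usage: php scan-backdoors.php /var/www/html   (run from outside the web root)
 */

/** Name => regex. Kept deliberately specific to limit false positives on legitimate code. */
function hardening_backdoor_signatures() {
    return array(
        'C99 shell marker'             => '/c99sh(ell)?/i',
        'R57 shell marker'             => '/r57sh(ell)?/i',
        // eval() fed by a decoder is how most droppers hide their payload.
        'eval of decoded payload'      => '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(/i',
        // Request data passed straight to a code or command execution function.
        'request data passed to eval'  => '/\b(eval|assert|create_function)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
        'request data passed to shell' => '/\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
    );
}

/** Return the signature names that match one file (empty array = nothing found). */
function hardening_scan_file( $path ) {
    $source = @file_get_contents( $path );
    if ( false === $source ) {
        return array( 'unreadable file' );
    }
    $hits = array();
    foreach ( hardening_backdoor_signatures() as $name => $regex ) {
        if ( preg_match( $regex, $source ) ) {
            $hits[] = $name;
        }
    }
    // uploads/ should contain only media; any PHP there is suspect whatever it contains.
    if ( false !== strpos( str_replace( '\\', '/', $path ), '/wp-content/uploads/' ) ) {
        $hits[] = 'PHP file inside wp-content/uploads';
    }
    return $hits;
}

/** Walk $root and return path => signature names for every suspicious file. */
function hardening_scan_tree( $root ) {
    $findings = array();
    $self     = realpath( __FILE__ );
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories instead of aborting
    );
    foreach ( $iterator as $file ) {
        if ( ! $file->isFile() || $file->getRealPath() === $self ) {
            continue; // the scanner's own source contains the signature strings
        }
        // Shells hide behind double extensions (shell.php.jpg) and .phtml/.php5,
        // so test every filename containing a PHP-like extension, not just *.php.
        if ( ! preg_match( '/\.ph(p\d?|tml)(\.|$)/i', $file->getFilename() ) ) {
            continue;
        }
        $hits = hardening_scan_file( $file->getPathname() );
        if ( $hits ) {
            $findings[ $file->getPathname() ] = $hits;
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = hardening_scan_tree( $argv[1] );
    foreach ( $findings as $path => $hits ) {
        echo $path, ': ', implode( ', ', $hits ), PHP_EOL;
    }
    echo count( $findings ), ' suspicious file(s)', PHP_EOL;
    exit( $findings ? 1 : 0 );
}
```

The script exits with status 1 when it finds anything, so it can run from cron and alert on a non-zero exit. Treat every hit as a lead to review by hand, not a verdict: a few legitimate plugins do call eval() on decoded data. Pattern matching also only catches known or lightly obfuscated shells; a tampered core file with no obvious markers passes. The stronger check is comparing files against known-good hashes, which is what Wordfence does against the plugin repository and what WP-CLI's `wp core verify-checksums` does for core.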
2. BulletProof Security
This plugin covers three areas: firewall, login and database security. A one-click setup wizard makes initial configuration fast; advanced users can switch to manual mode for fine tuning. Much of its protection is implemented as .htaccess filters designed to match malicious and nuisance request patterns, which keeps the per-request cost low and helps maintain website speed. Note that .htaccess rules are only honoured by Apache (and LiteSpeed); on nginx hosting they have no effect.
It limits failed login attempts, blocks security scanners, code scanners and fake traffic, and supports IP blocking. It monitors the code of WordPress core files, themes and plugins and notifies the admin of known infections. It also adds caching to improve performance and includes a built-in editor for .htaccess. Its request filters target XSS, remote file inclusion (RFI), CRLF injection, CSRF, Base64-encoded payloads, code injection and SQL injection attempts, among others, and the rule set is updated as new exploits appear.
A pro version offers additional features, but the free version is widely used and sufficient for most sites.
3. Sucuri Security
Sucuri is primarily a monitoring tool for changes and activities that can harm a WordPress site.
The plugin offers security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring and, through Sucuri's paid service, a website firewall. Blacklist monitoring checks your site against engines including Google Safe Browsing, Sucuri Labs, Norton and McAfee SiteAdvisor and emails you if the site is listed.
The firewall component protects against DoS attacks, brute-force attacks and scanner traffic, and applies virtual patches when zero-day vulnerabilities are disclosed. The plugin also keeps a log of all activity and stores it in the Sucuri cloud, so if an attacker gets past your controls and wipes local logs, the audit trail survives outside the compromised server.
If you are willing to pay, Sucuri's premium service adds the firewall and professional cleanup. They are a well-known web application security company with a team of experts, so you get better service and advice.
4. iThemes Security
iThemes Security offers a free and a premium version and claims to offer 30+ ways to secure and protect a WordPress site. With one-click setup you can stop common automated attacks, and it fixes various common security holes in a default installation.
Formerly Better WP Security, the plugin is developed by iThemes, which also makes themes and other plugins for WordPress. It suits beginners and advanced users alike: one-click setup for novices, and advanced settings in the dashboard for everyone else.
It tracks registered users' activity and adds two-factor authentication, settings import/export, password expiration, malware scanning and more.
It scans the site for potential vulnerabilities, prevents brute-force attacks by banning IP addresses that repeatedly fail to log in, enforces strong passwords and can force SSL for the admin area where the server supports it. Unlike other plugins, it does not currently offer GeoIP banning; the developer says the feature is coming but has given no date. It also integrates Google reCAPTCHA to prevent comment spam.
5. Acunetix WP SecurityScan
Acunetix WP SecurityScan is the WordPress plugin from Acunetix, a well-known web application security company whose main product is a vulnerability scanner for web applications. The plugin audits a WordPress site and suggests measures to improve its security: file permission checks, version hiding, admin protection, removal of the WP generator tag, and database security.
It removes information from the page source that can be used for reconnaissance before an attack: theme and plugin update information, the Really Simple Discovery (RSD) link, the WordPress version, the Windows Live Writer manifest link, detailed error messages on the login page, version numbers appended to scripts and stylesheets, and PHP and database error output.
It also offers a database backup tool, a live traffic monitor, and a scan that reports known web application vulnerabilities and misconfigurations.
Download Acunetix WP SecurityScan
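The items in that list map onto a handful of WordPress hooks. The must-use plugin below is an added example written for this article, not code from the Acunetix plugin: it removes the generator tag, the RSD and Windows Live Writer links and the version query string on scripts and styles, replaces the detailed login error with a generic one, and silences PHP error display. The file and function names are my own.

```php
<?php
/**
 * Plugin Name: Hardening: reduce information leakage
 * Description: Removes version and tooling fingerprints from WordPress output.
 * Install by copying this file to wp-content/mu-plugins/ (create the directory
 * if absent); must-use plugins load automatically and cannot be deactivated
 * from the dashboard. Added example for this article, not Acunetix's code.
 */

// <meta name="generator" content="WordPress x.y"> in the page head, and the
// <generator> element in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Really Simple Discovery (xmlrpc.php?rsd) and Windows Live Writer manifest
// links; both advertise that XML-RPC is reachable.
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );

// Strip the ?ver= query string from enqueued scripts and styles. Core assets
// carry the WordPress version here, plugin assets their plugin version.
// Caveat: ?ver= is also the cache buster, so browsers may keep stale assets
// after an update until their cache expires.
function hardening_strip_asset_version( $src ) {
    return remove_query_arg( 'ver', $src );
}
add_filter( 'script_loader_src', 'hardening_strip_asset_version', 15 );
add_filter( 'style_loader_src', 'hardening_strip_asset_version', 15 );

// Core's login errors differ for "unknown username" and "wrong password",
// which lets an attacker confirm valid usernames. Return one generic message.
add_filter( 'login_errors', function ( $error_html ) {
    return 'Login failed. Check your username and password.';
} );

// Keep PHP warnings and notices (which include file paths and sometimes
// database details) out of responses. wp-config.php is the earliest and
// preferred place for this: define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );
```

Version hiding is a low-value control on its own: the version is still recoverable from readme.html at the site root and from hashes of static files under wp-includes, so prompt updating remains the real defence. Likewise the generic login error closes one username oracle, but author archives (?author=N) and the REST API users endpoint still reveal usernames, which is why rate-limiting logins matters more than hiding names.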
6. All In One WP Security & Firewall
Probably the top free WordPress security tool, All In One WP Security currently shows over 200,000 installations.
It has a user-friendly interface for those not familiar with advanced security settings. Features include a password strength tool to help you create stronger passwords, and a login lockdown that blocks an IP address after repeated failed login attempts (the classic defence against a brute-force attack).
The firewall blocks malicious requests before they reach your WordPress code, lets you prevent hotlinking of images, and blocks fake Googlebots (crawlers that present Googlebot's user agent but do not come from Google).
Download All In One WP Security & Firewall
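A login lockdown of the kind described above is about fifty lines of WordPress hooks. The must-use plugin below is an added example for this article, not code from All In One WP Security: it counts failures per client address in a transient and refuses authentication once the threshold is reached. The constants, function names and threshold values are my own choices.

```php
<?php
/**
 * Plugin Name: Hardening: login lockdown
 * Description: Locks a client address out of authentication after repeated
 *              failed logins. Copy to wp-content/mu-plugins/ to activate.
 * Added example for this article, not code from All In One WP Security.
 */

const HARDENING_MAX_FAILURES    = 5;    // failures allowed within the window
const HARDENING_LOCKOUT_SECONDS = 900;  // counting window and lockout length (15 min)

/**
 * Client address as seen by the web server. REMOTE_ADDR comes from the TCP
 * connection and cannot be forged by the client. Never read X-Forwarded-For
 * here unless the site sits behind a reverse proxy you control: otherwise the
 * attacker picks a fresh "address" per request and is never locked out.
 * Behind such a proxy, though, every visitor shares the proxy's address and
 * this code would lock everyone out, so the proxy's real-IP module (or the
 * proxy's own rate limit) must be used instead.
 */
function hardening_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function hardening_failure_key( $ip ) {
    return 'hardening_login_fail_' . md5( $ip );
}

function hardening_failure_count( $ip ) {
    return (int) get_transient( hardening_failure_key( $ip ) );
}

// wp_authenticate() fires this on every failed attempt, whether it arrived via
// wp-login.php or xmlrpc.php, so XML-RPC brute forcing is counted as well.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = hardening_client_ip();
    // Each failure refreshes the window, so a sustained attack stays locked out.
    set_transient( hardening_failure_key( $ip ), hardening_failure_count( $ip ) + 1, HARDENING_LOCKOUT_SECONDS );
} );

// Priority 30 runs AFTER core's username/password/email checks at priority 20.
// Hooking earlier would not work: core's callbacks ignore an incoming WP_Error
// and return a WP_User when the password is right, so an early refusal would be
// overwritten and a correct guess would still log in.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // plain page load of wp-login.php, not an attempt
    }
    if ( hardening_failure_count( hardening_client_ip() ) >= HARDENING_MAX_FAILURES ) {
        // Same response whether or not the credentials were right.
        return new WP_Error(
            'too_many_failed_logins',
            'Too many failed login attempts from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( hardening_failure_key( hardening_client_ip() ) );
}, 10, 2 );
```

Two design notes. Without a persistent object cache, transients live in the wp_options table, so each failed attempt costs a database write; that is still far cheaper than the password hash check it prevents. The counter is per address, so a distributed attack that rotates through many addresses is only slowed to five guesses per address per window; a second counter keyed on the target username, with a higher threshold to avoid locking out legitimate users, closes that gap.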
7. 6Scan Security
6Scan Security is a popular auto-fix protection for WordPress sites. It offers rule-based protection and tries to keep that protection up to date.
Its scanner checks for and protects against SQL injection, cross-site scripting, CSRF, directory traversal, remote file inclusion, DoS and other OWASP Top Ten vulnerabilities.
Its notable feature is automatic vulnerability fixing: when the scanner finds vulnerable code, a server-side agent applies a fix automatically, and a similar mechanism cleans up malware. Like the other plugins, it sends email notifications when something serious is found.
8. Shield WordPress Security
Previously known as WP Simple Firewall, don't underestimate this last plugin. It may sound "simple", but its users are loyal and many consider it the best plugin by far.
Its developer describes Shield as the most powerful WordPress protection system available, designed for maximum compatibility with WordPress sites and offering a simple platform for both beginner and advanced users.
Its selling point is "no more nasty site lockouts": its controls are designed so that an over-eager rule does not lock the administrator out of their own site, a common complaint with login-limiting plugins.
Download Shield WordPress Security
Additional security measures
Along with these plugins, follow a few security measures of your own. They will improve the security of your blog more than any plugin on its own.
Always keep the WordPress installation up to date, and apply new releases as soon as they appear. Most hacked sites run an outdated version with known, publicly documented vulnerabilities, and working exploits for those are freely available, so even an unskilled attacker can use them against you.
Keep every plugin and theme updated to its latest version. New releases bring features but also security fixes. Most of the time, third-party plugins and themes are the reason a WordPress site is vulnerable: attackers exploit them to gain access or inject malicious scripts. Remove plugins and themes you no longer use; a deactivated plugin's files remain on disk and can still be reached by URL.
Avoid the default username 'admin'. With it, the attacker does not need to guess a username and can go straight to brute-forcing the password. Renaming it is only a small hurdle, though: WordPress exposes usernames through author archive URLs (?author=1) and the REST API users endpoint, so rely on the login-limiting plugins above and on strong passwords rather than on secrecy of the username.
Always use strong passwords: long, unique to this site, and mixing upper and lower case letters, digits and special characters. Length matters more than character variety, and a password manager makes long random passwords practical.
Top tip: block access to the admin login page for all but 'known' IP addresses, either in the web server configuration or in WordPress itself.
Next tip: if you don't show comments or don't want them, disable them site-wide. Comment forms are the main target of spammers, and removing them removes that attack surface entirely.
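One way to implement that tip inside WordPress, independent of the web server, is a must-use plugin that checks the client address on every load of wp-login.php. This is an added example for this article, not code from any plugin reviewed above; the two addresses in the allowlist are placeholders from the documentation ranges reserved by RFC 5737 and must be replaced with your own.

```php
<?php
/**
 * Plugin Name: Hardening: restrict wp-login.php to known addresses
 * Description: Returns 403 to any address outside the allowlist before the
 *              login form is rendered. Copy to wp-content/mu-plugins/.
 * Added example for this article, not code from any plugin reviewed above.
 */

/** Allowed sources: IPv4 addresses or CIDR blocks. PLACEHOLDERS: replace with yours. */
function hardening_login_allowlist() {
    return array(
        '203.0.113.10',     // e.g. the office's static address (RFC 5737 documentation range)
        '198.51.100.0/24',  // e.g. a VPN egress range (RFC 5737 documentation range)
    );
}

/**
 * True if the IPv4 address $ip lies within $cidr ("a.b.c.d" or "a.b.c.d/n").
 * Pure function with no WordPress dependency, so it can be tested from the CLI.
 * IPv6 is not handled: an IPv6 client always gets false, so a dual-stack site
 * must add IPv6 handling or be reached over IPv4.
 */
function hardening_ipv4_in_cidr( $ip, $cidr ) {
    $ip_long = ip2long( $ip );
    if ( false === $ip_long ) {
        return false;
    }
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32';
    }
    list( $network, $bits ) = explode( '/', $cidr, 2 );
    $network_long = ip2long( $network );
    if ( false === $network_long || ! ctype_digit( $bits ) || (int) $bits > 32 ) {
        return false; // malformed entry: fail closed
    }
    $bits = (int) $bits;
    if ( 0 === $bits ) {
        return true; // /0 matches everything
    }
    // Drop the host bits on both sides and compare the remaining prefix.
    $shift = 32 - $bits;
    return ( $ip_long >> $shift ) === ( $network_long >> $shift );
}

function hardening_ip_allowed( $ip, array $allowlist ) {
    foreach ( $allowlist as $entry ) {
        if ( hardening_ipv4_in_cidr( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

if ( function_exists( 'add_action' ) ) { // inside WordPress; skipped when included from the CLI
    // login_init runs at the top of wp-login.php for every action (login, lost
    // password, register) before anything is rendered or any credential is read.
    // REMOTE_ADDR is the address the web server saw on the TCP connection; behind
    // a reverse proxy or CDN it is the proxy's address, and the restriction must
    // be configured at the proxy instead.
    add_action( 'login_init', function () {
        $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
        if ( ! hardening_ip_allowed( $ip, hardening_login_allowlist() ) ) {
            wp_die( 'Access to the login page is restricted.', 'Forbidden', array( 'response' => 403 ) );
        }
    } );

    // wp-login.php is not the only way to authenticate: xmlrpc.php does not fire
    // login_init. Disable the XML-RPC methods that require authentication too.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}
```

Because the WordPress hooks are skipped outside WordPress, the matching function can be exercised from the command line with `php -r` after requiring the file, which is worth doing before deploying an allowlist that could lock you out. Keep a second way in (SFTP access to remove the file from mu-plugins) for the day your own address changes.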
Conclusion
Yes, there is a "best" security plugin, but some comments are needed before revealing which one.
As website owners, we are responsible for the safety of our content (not the host, software or webmaster). Security plugins are a must for adding a layer of security to your website, but vigilance and awareness should always be the main defence against attacks.
If you’re not familiar with how a WordPress site might get compromised, it’s important to learn about it now. The more you know, the more you can optimize these plugins to work for your site.
My Pick?
The BEST Security Plugin for WordPress
Selecting one as the BEST is always going to be a personal choice.
As with any plugin, the performance of a security plugin depends on factors such as the server the website is hosted on. The server may be excellent, but on shared hosting there are often insufficient resources to run a heavyweight plugin.
I found that one particular plugin used far too many resources, causing our site to crash. Yes, it was very effective while running, but obviously not good when our site crashed.
*Important: back up your site before installing any of these plugins, in case of a problem or a compatibility issue with other plugins.
Going out on a limb, it may be prudent to keep more than one plugin installed: a lightweight hardening plugin active all the time, and a heavier scanner activated only when you need a scan, so it does not weigh on server performance the rest of the time. Two caveats: a deactivated plugin protects nothing, and two firewall plugins active together often fight over the same .htaccess rules.
Is there a BEST WordPress security plugin?
Each plugin has its own core focus. Some are better at blocking bots, others better at blocking comment spam, and others fit into a category all their own.
The best security plugin is the plugin that best meets the client’s needs.
Based on this statement, here is the best way to decide whats “best” for YOU.
The WordPress Security Plugins Revealed Chart shows general categories of features and what each plugin has.
Things we do not need: login defence, comment-spam defence and backups; we handle these without a plugin. Take those away and you are left with a plugin that looks for brute-force and hacker attacks.
The best security plugin according to Adam (Server Guru Extraordinaire) is: WORDFENCE | Download
Almost all of the security plugins email constantly with advice, tips and tales of doom and gloom; Wordfence sends short, understandable emails that can be read at a glance, like the one it sent in December 2016.
Further Reading
- Bloggers Guide to WordPress Security – A comprehensive guide to WordPress security written by Alex, Founder of BestVPN.org.