As an online business owner and someone whose site runs on WordPress, I am aware of the security issues that can arise if your website is not properly protected. Fortunately, there are several ways you can reduce the chances of your site getting hacked. One popular way is through WordPress security plugins that will help eliminate threats and protect your site from hackers, malware and spam. There are a lot of WordPress security plugins; I have researched many and listed the 7 best below, along with a summary of what they do and their prices.
However, for full transparency, I have to say that I do not use any WordPress security plugins and I shall tell you why at the end of this article.
WordPress is hugely popular and powers nearly 30% of the web. It is by far the most popular CMS, and everyone from small-time bloggers like me to Mercedes Benz uses it to run their online business.
Its huge popularity also makes it a prime target for hackers to exploit and do some serious damage.
Fortunately, WordPress at its core is very secure: Automattic has a staff of over 50 that takes care of security issues around WordPress. What makes WordPress a prime target for hackers is 1) its huge popularity and 2) the huge ecosystem of themes and plugins, many of which are not properly coded or regularly updated, which leaves security holes that hackers can exploit.
Hosting vulnerabilities are also one of the major ways hackers gain access to websites. If your hosting service has security checks at the server level, it is far more effective than having to install a security plugin and fiddle around with settings most of us do not truly understand.
I will talk more about why managed WordPress hosting is the better option near the end of this article.
WordPress Security Tips
Before listing the 7 best WordPress security plugins, there are a number of things that you should do to minimize any threats to your site.
These are basic things that people completely ignore but that are important to the overall security of your site.
1. Always update WordPress to the latest version
2. Backup your files
3. Use strong login passwords
4. Have a CAPTCHA on your login page
5. Only use legitimate themes and plugins that have good reviews and are well maintained.
6. Update these themes and plugins when required
7. Only give admin access to people you trust
These may seem like very basic things people would automatically do, but it’s surprising how many people disregard many of the protective measures I have mentioned.
Best Security Plugins For WordPress
1. Wordfence
This is the most popular WordPress security plugin and the good thing is they have a free version which is more than adequate for most small business operations.
As of writing, it has over 2 million downloads and has a 4.8-star rating on WordPress.org, so it seems to be a plugin that most people are happy with.
Before I switched to a hosting platform that took care of all the security for my website, I used Wordfence. I really don’t know if it made any difference for me because my site was new and hardly getting any traffic.
However, it does come with a solid set of security features that will protect your site from the most common threats.
These features include the following:
A firewall that prevents malicious traffic entering your site
A malware scanner that identifies suspect code in your plugins and themes
DDoS protection by limiting login attempts
Access to live traffic coming to your site, including IP address, timestamp, place of origin and whether there was an attempt to hack your site
A massive database of blacklisted IP addresses that are automatically blocked from entering your site
The ability to restore damaged files to their original versions
Wordfence has a lot of features, many of which you don’t really need to touch. Its dashboard is easy to navigate, and the default settings should be fine for most small sites.
There is a premium version that comes with additional features like real-time IP blacklist updates, real-time firewall rule updates, the option to block traffic from certain countries and two-factor authentication.
The premium version of Wordfence costs $99 per year for one website, but if you purchase additional licenses you get a discount of between 10% and 25% (depending on how many licenses you buy).
2. Sucuri
Sucuri is a very popular name in the world of website security. They are owned by GoDaddy and have an impressive clientele that includes WP Engine, Miami University, NYU and Harper Collins.
They provide a free WordPress plugin that has the necessary features to keep a website safe from hackers and malware.
The plugin also checks and records all activity within your site, which allows you to check whether there is anything suspicious going on and take any necessary action.
Sucuri also provides a remote malware scanning engine that you can use to see if your website is infected. However, if it is infected, you will need to upgrade to one of their paid plans to get the malware removed.
The free version of the plugin is decent, but to properly protect your site it is best to upgrade to one of their paid plans. The cheapest starts at $199.99 per year for one site. If you do get the paid option, there is no need to install the free plugin, as their web application firewall and server-side malware scanner are both cloud-based.
Personally, I would choose the free version of Wordfence over Sucuri; it provides way more protection and, if you want to upgrade, Wordfence is much cheaper.
3. iThemes Security
iThemes have been developing WordPress tools and plugins since 2008. They also provide over 900 hours of free WordPress training and even offer a hosting service. It’s fair to say they know their way around WordPress. The iThemes Security plugin (formerly known as Better WP Security) is one of the best free security plugins and comes with a ton of features.
It has a fantastic 4.7-star rating on WordPress, and the free version should be enough for most people (especially if you are just getting started). The free version of iThemes Security has over 18 security features, which include:
Blocks malicious users, bots and hosts.
Hides your login and admin URL
Scans and fixes any weaknesses found inside your site
Prevents brute force attacks by banning agents known to do this
Scans for malware and blacklists.
Notifies you of any unauthorised changes to your files.
Regular backups of your WordPress database
Away mode, a feature that allows you to completely lock down your WordPress dashboard when you are not using it.
I like this WordPress security plugin; the dashboard is easy to navigate and its One-Click Security Check ensures that you have the recommended settings, so you do not have to worry about what settings to activate.
The Pro version comes with even more protective measures and priority customer support. It costs $80 per year, which is pretty cheap when compared to others.
4. All In One WP Security and Firewall
A hugely popular plugin that has over 700,000 downloads and a near perfect rating on WordPress and the best thing? This is a completely free plugin that has no paid plans.
The developers behind this plugin are WordPress experts and despite being a free plugin, they provide a lot of support and update it on a regular basis.
One thing that really impresses me about this plugin is that the data is very easy to understand, thanks to its brightly coloured graphics, and that it gives you recommendations on which security features to activate to best protect your site.
The settings are split up into three categories: basic, intermediate and advanced. This is so that anyone can configure settings without worrying about making the wrong adjustments.
It comes with a security scanner that will alert you if there are any unauthorised changes to your file system or if there is suspicious code in your WordPress database.
There is also a pretty powerful firewall that will protect your site against any malicious script via the .htaccess file.
You can also block IP addresses known for spam and prevent brute force attacks by limiting login attempts.
The dashboard provides an overall security score for your website and shows what areas need more protection. This is really helpful, as you get a visual aid of the security situation of your website and can see what needs more attention.
This is definitely one of the most user-friendly security plugins on this list.
5. Shield Security
Another hugely popular plugin that has the highest rating of any security plugin on WordPress.
This is a free plugin that is easy to use, with a dashboard that is simple to navigate. The free version comes with all the security features you will need to protect your site, while the Pro version comes with more advanced features and priority support.
One of the main goals of the developers of this plugin is to make it as user-friendly as possible and not overwhelm people with a sophisticated setup process. They achieve this with a simple step-by-step setup process that anyone can follow.
The plugin will protect your site against brute force login attempts, block malicious IP addresses, scan your site for malware and isolate it, and provide a strong firewall that stops web traffic that violates its security rules.
The Pro version only costs $1 per month and comes with more scanning features, advanced 2-factor authentication protection against brute force attacks and priority customer service.
Definitely a plugin worth considering.
6. SecurePress
A relatively new security plugin, but one that has grown in popularity. It has over 10,000 downloads and a 4.5-star rating on WordPress.
There is both a free and a premium version; the free version would be enough for new bloggers and website owners.
The user interface is easy to navigate, and you can activate the main security features without having to worry about breaking anything on your site.
The main features of SecurePress are:
Preventing brute force attacks
Blocking bad IP addresses
A malware scanner
Firewall to prevent brute force attacks and block malicious traffic.
The Pro version costs $70 per year for one site. It comes with even more features, including an antispam filter to prevent bad traffic and useless comments, automatic backup of your WordPress database, 2-factor authentication, a theme and plugin scanner, the ability to schedule more scans, and alerts and notifications if there are any security breaches or issues that need immediate attention.
7. Jetpack
If you are familiar with WordPress you will most likely have either used this plugin or at least heard of it. I wasn’t sure whether to include it or not because it is a multiple purpose plugin and not just concentrated on security.
I decided to include it because it is so popular, and it has been developed by Automattic (the team behind WordPress).
The free version of the plugin will protect your site against brute force attacks, monitor your website for any downtime and alert you by email if there is any.
It’s not much, but then again, it is a multiple purpose plugin and comes with many other features that will enhance the overall performance of your site.
The paid plans provide even more security features and start at only $3 per month. It is a well-supported plugin and is good enough if you are just starting your blog or website.
What Do I Use?
I mentioned that I do not use any security plugins for my sites (not for my main sites anyway). This is because I have premium managed WordPress hosting, which takes care of all security issues for me.
This means that any suspicious bots, malware and brute force attacks are stopped before they can enter the server my site is hosted on. This gives me added peace of mind because I really do not want to be constantly updating plugins and getting daily alerts about security issues with my site.
Also, although I am a technically minded person, I don’t like playing around with plugins that may cause some serious issues if I mistakenly turn on features that conflict with other plugins, themes or even my host. This has happened to me before and completely broke my site. Luckily, my hosting service got my site up and running in no time and uninstalled the plugin that caused the initial problem.
However, there is one downside to having a fully managed WordPress hosting service, and that is the high cost. It is much higher than the price of shared hosting you can get through the likes of Bluehost, HostGator, A2 Hosting, iPage etc.
These hosting services start at $2 per month, while with managed WordPress hosting you could be paying anything from $20 pm to hundreds per month. However, I personally believe that if it is within your budget it will be worth it in the long run.
There are a lot of well-managed WordPress hosting services; I personally use Wealthy Affiliate to host my main sites.
They provide fantastic WordPress hosting services and they particularly excel in security and loading speed.
The price is $49 per month, but this can be reduced if you take their 6-month or yearly plan.
They also provide other services like online business training, marketing research tools and 24/7 support.
The other WordPress hosting I would recommend is WPX hosting, a hugely popular WordPress hosting service that is used by many popular online bloggers like Matthew Woodward and Chris Lee of Rankxl. For a premium hosting service, their prices are among the lowest on the market, starting at just $20.83 per month.
Other premium hosting services include the following:
Kinsta (Starts at $30 pm for 1 site)
WP Engine ($35 pm for 1 site)
Pressable ($45 pm for 10 sites)
Liquid Web ($99 pm for 10 sites)
Final Thoughts
Keeping your WordPress site secure is very important, which is why having a good security plugin is highly recommended. I would personally go with Wordfence, as I believe they provide all the major security features in the free version of their plugin.
However, any of the other plugins would be adequate for new bloggers and website owners.
What kind of security measures do you have for your site? Do you use a plugin? Or is your WordPress site on a managed hosting service where all your security concerns are taken care of by your host? I would like to hear your thoughts on this subject.
I’ve been slightly worried about the security of my blog for quite some time now, as I keep on reading and coming across nightmare stories from bloggers online!
Out of all that you have listed – I think I like the sound of Wordfence the most. You mention that they have a premium version for $99 a year…but what does the free version give you? How is it limited?
Hi Chris
The Wordfence free version should be alright for most small-time bloggers, but if you want faster support and more security features like real-time threat updates, blacklist bad IPs, block by Geo-location, 2-factor authentication, the premium version is for you.
All the best
When it comes to security we should all be extra careful and pay attention to any potential updates that will help our business stay secure. Plugins can help with this, but we should be careful which one to use, as we don’t want to slow down the speed of our website, which could lead to lower traffic. Thank you for your suggestion, I will take a better look at them at the first chance.
Thanks for your review on the best security plugins to use on WordPress. I love the way you highlighted the points.
I tried Sucuri and iThemes Security on my blog a few months ago and I can boastfully confirm that they are one of the best plugins you can ever use on your blog.
Thanks for sharing this wonderful review with us.
Hey there, I haven’t also used any security plugins myself, because my hosting provider also takes care of backups and security issues. That said, I would probably have used Jetpack because it is created by WordPress, who knows the nuts and bolts of the platform. And perhaps a themes security plugin. Thanks for a very detailed post!
Marios
This actually cleared up quite a bit of confusion, but I still have a question. I installed the Wordfence plugin on my website because I wasn’t sure if I was protected. It is nice, they send me updates weekly on any activity, etc. However, I belong to Wealthy Affiliate – do they cover the security portion of this? It is something I cannot recall and would love some clarification!
Thank you so much for researching each of these. I truly appreciate it as this is an area I am not well versed in.
Thanks again,
Ciara
Hi Ciara
Thanks for your comment and yes Wealthy Affiliate do take care of all security related to your website, it is one of the many benefits of having a managed hosting service from Wealthy Affiliate. Here is a link that explains more
Extra security precautions
All the best.
Very educative post Minhaj. I had no idea WordPress has so many security plugins. My site is new and it’s still under Wealthy Affiliate for now, so I am not too bothered about security. But once I buy the website soon, this article will come in very handy because I know nothing about keeping a website secure.
Thank you Mr Minhaj for this educating post. This is actually helpful. As a rookie in the affiliate marketing job, without good plugins on your website, it is actually nonsense. I actually go for Wordfence and iThemes for my WordPress. The strong password and the protection from malicious traffic that Wordfence offers make me like it, and the hidden admin login and URL make me trust iThemes.
Hi Kehinde
Thanks for your comment. Just one bit of advice: don’t install multiple security plugins, they may conflict with each other and leave your site more vulnerable.
All the best