WordPress powers over 35% of all the websites on the Internet, which makes it a juicy target for malicious actors around the world.
If you want to secure your website, or your clients’ websites, a dedicated security plugin can do a lot of the heavy lifting for you.
To help you pick the best WordPress security plugin for your needs, we’ve collected eight great options that can help with security hardening, firewalls, and malware scanning.
Let’s dig in, starting with a quick overview of what most WordPress security plugins actually do.
What Do WordPress Security Plugins Do?
WordPress security is a pretty broad topic, so when I say “WordPress security plugin”, that can encompass a range of different features.
So before I get into the plugins, let’s go over what those different high-level features are so that you know what each of these tools is doing.
Basic Security Hardening
Basic security hardening is kind of a catch-all for “configuration changes or tools that make your WordPress website more secure.”
For example, security plugins will usually help you secure your login page with features such as:
- Limiting login attempts
- Two-factor authentication
- Changing the WordPress login URL
- Enforcing strong passwords
- Setting password expirations
- Adding a CAPTCHA
Those are all hardening tactics.
Other popular hardening strategies include monitoring the core WordPress files to detect if anything has been changed, disabling WordPress features such as XML-RPC, stopping user enumeration, etc.
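As an added illustration (this is not code from any plugin on this list), here is a small must-use plugin that implements four of the hardening tactics above with stock WordPress hooks: disabling XML-RPC, hiding the version string, stopping `?author=N` user enumeration, and limiting failed login attempts per client address. The attempt threshold, lockout length and the assumption that `REMOTE_ADDR` is the real client address are mine.

```php
<?php
/*
 * Plugin Name: Example Login Hardening (added illustration, not a listed plugin's code)
 * Place in wp-content/mu-plugins/ so it loads automatically as a must-use plugin.
 */

// 1. Disable XML-RPC entirely; it is a common brute-force and pingback-abuse surface.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Hide the WordPress version from the <head> generator tag and from feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 3. Stop user enumeration via ?author=N. By default WordPress redirects that request
//    to /author/<login>/, which reveals the account name; send it to the home page instead.
add_action( 'template_redirect', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 4. Limit login attempts per client IP with transients (assumed policy: 5 failures, 15 min lockout).
define( 'HARDEN_MAX_ATTEMPTS', 5 );
define( 'HARDEN_LOCKOUT_SEC', 15 * MINUTE_IN_SECONDS );

function harden_attempt_key() {
    // Assumes no reverse proxy. Behind one, take the address from the trusted proxy header instead,
    // otherwise every visitor shares the proxy's address and one attacker locks everyone out.
    return 'login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Count each failed login for the requesting address. The TTL restarts on every failure,
// so attempts made during a lockout extend it.
add_action( 'wp_login_failed', function () {
    $key   = harden_attempt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, HARDEN_LOCKOUT_SEC );
} );

// Refuse authentication while the address is locked out. A late priority is required because
// WordPress's own username/password filter (priority 20) would otherwise override an earlier error.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_attempt_key() ) >= HARDEN_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 99, 1 );

// Clear the counter once a login succeeds.
add_action( 'wp_login', function () {
    delete_transient( harden_attempt_key() );
} );
```

Disabling PHP execution in the uploads directory, also mentioned above, is a web-server configuration change rather than a WordPress hook, so it is not part of this snippet.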
Another tactic you’ll see mentioned a lot is a firewall.
Essentially, a website firewall is something that sits between your WordPress site and its visitors. Regular visitors have no problem using your site, but if the firewall detects malicious activity (via IP address, actions, etc.), then it will block that visitor before it can cause a problem.
With WordPress, you’ll see this called a web application firewall or WAF.
It’s important to note that not all firewalls are the same. That is, just because two plugins both offer a “firewall,” that doesn’t mean those tools are automatically equal because a firewall is only as good as the rules that it follows.
Some WordPress security plugins, like Wordfence, are constantly updating their firewall rules in real-time to adjust to emerging security threats. Others are basically a static set of rules that never change. Both can be useful – it’s just that one will be more effective at protecting you from new types of vulnerabilities.
Another popular part of WordPress security plugins is malware scanning. You’re probably familiar with this concept from running scans on your own computer.
Basically, the tool will scan your site for malicious code and return a report of anything that it finds.
Again, the effectiveness of malware scanning depends on its rules and approach. That is, just because two plugins both do “malware scanning,” that doesn’t make them equal.
First, just as with firewalls, you have differences in detection rules. A malware scanner relies on “malware signatures” to identify malware. So if your malware scanner doesn’t have a signature for an emergent threat, it might not be able to detect it.
Second, you have the approach. Some plugins/tools, like the popular Sucuri SiteCheck tool, only scan the front-end of your site. This can catch malware that’s detectable from the front-end of your website, but it wouldn’t detect malware that’s lurking hidden on your server.
To detect malware that isn’t manifesting itself on the front-end of your site, you’d need to use a malware scanner that scans all of the files on your server.
With that introduction out of the way, let’s help you pick the best WordPress security plugin for your needs.
8 Best WordPress Security Plugins
Here are the eight plugins that we’ll be looking at:
- Sucuri
- iThemes Security
- All In One WP Security & Firewall
- BulletProof Security
- Jetpack
- SecuPress
- Cerber Security
- Wordfence
1. Sucuri
Sucuri is another popular website security tool. There are two parts to Sucuri:
- A free plugin at WordPress.org
- A paid firewall, monitoring, and hack cleanup service
The free plugin at WordPress.org helps you mainly with basic security hardening.
It will give you various rules and tips that you can apply, such as disabling in-dashboard plugin and theme editing and blocking PHP execution in certain sensitive directories.
Other security features include the ability to:
- Monitor file integrity for core files
- Track failed login attempts
- Receive security alert notifications for various actions
- List scripts and iframes on your site.
Beyond that, the plugin also comes with the Sucuri SiteCheck service for malware scanning. However, it’s important to understand that this service just scans the front-end of your site for problems – it won’t scan the files on your server like some other malware scans. You also don’t need the plugin to use this tool – you can run it from the Sucuri website.
For more security, the plugin can help you connect to the paid Sucuri firewall service. This firewall is a cloud-based WAF with regularly updated rules from the Sucuri team. The firewall also lets you:
- Whitelist or blacklist certain IP addresses
- Block entire countries
- Secure sensitive areas (like your WordPress dashboard/login) with CAPTCHAs, two-factor authentication, or additional passwords.
The paid Sucuri service can also help protect your site from DDoS attacks.
Price: The Sucuri plugin is 100% free. The Sucuri firewall costs $19.98 per month and the entire Sucuri platform (which includes malware detection and cleanup) costs $299.99 per year.
2. iThemes Security
iThemes Security is a freemium security plugin from…iThemes – hence the name. If you’re not familiar, iThemes is a popular developer behind a range of plugins, including BackupBuddy. iThemes was acquired by Liquid Web in 2018.
iThemes Security is focused on WordPress security hardening. It does let you connect to the Sucuri SiteCheck service for front-end malware detection – but you could just run this feature from Sucuri’s website, so it’s not really built-in malware scanning.
It doesn’t advertise a firewall, but it does include features that let you block some bots and IP addresses. There’s also a “network brute force protection” feature that can automatically block IP addresses that have tried to brute force other WordPress sites.
As for the security hardening, iThemes Security can help you secure your login process with features such as:
- Limit login attempts
- Change the WordPress login URL
- Google reCAPTCHA (paid)
- Two-factor authentication (paid)
- Strong password enforcement
- Password expiration (paid)
It also offers an “Away” mode by which you can basically lock down your site during times when you don’t access it.
Other security hardening features include:
- File change detection
- Change database prefix
- Turn off in-dashboard file editing
- User action logging (paid)
- Change wp-content path
If you need to manage multiple WordPress sites, it also has an integration with iThemes Sync.
Price: Free version at WordPress.org. Paid version starts at $80.
3. All In One WP Security & Firewall
All In One WP Security & Firewall is a popular WordPress security plugin that’s 100% free.
It helps you implement a ton of different security hardening features such as:
- Change the WordPress database prefix
- Monitor file permissions
- Disable in-dashboard file editing
- File integrity monitoring
- Hide WordPress version number
It also includes features to secure your login process such as:
- Limit login attempts
- Force log out users after a certain amount of time
- Add reCAPTCHA for login protection
- Whitelist certain IP addresses
- Stop user enumeration
It will also give you a “security strength meter” to help you improve your site’s security.
All In One WP Security & Firewall does include what it calls a firewall, but it’s not quite as robust as something like Wordfence or Sucuri. It’s more of a static set of rules – it doesn’t adapt to emerging threats like those other plugins.
Price: 100% free at WordPress.org.
4. BulletProof Security
BulletProof Security is another option that offers an all-in-one approach to WordPress security with:
- Malware scanning
The free version offers basic hardening such as:
- Login security
- Change database table prefix
- Security logging
- Database backup
It also includes malware scanning in the free version, while the paid version includes real-time protection with BulletProof Security’s AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS).
The paid version also adds other features such as:
- Database monitoring and differential checking
- Upload protection
- Plugin firewall
The user interface looks quite dated and isn’t as pleasant as other tools, but BulletProof Security is well-regarded when it comes to its effectiveness.
Price: Free version at WordPress.org. Paid version starts at $69.95.
5. Jetpack
Jetpack is a popular all-in-one plugin from Automattic, the same folks behind WordPress.com and WooCommerce.
Unlike all of the other plugins on this list, Jetpack is not focused on just WordPress security, but it does include plenty of security features across its free and paid plans.
The free version helps secure your WordPress login with brute force protection and the option to use secure WordPress.com sign-on. That is, you can log in to your own WordPress site using your WordPress.com credentials.
With the paid plans, you also get access to backups and malware scans (these features were previously sold separately as VaultPress, which has since merged into Jetpack).
The backup and scan features are tied together, which is part of what makes them unique. With most malware scan tools, the tool scans the files on your actual WordPress server. This is good for catching malware, but it also eats up resources on your live website’s server.
Jetpack first backs up your site to an off-site location and then scans that backup copy for malware, so the scan doesn’t affect the performance of your live website.
As part of its scans, Jetpack looks for:
- Changes to core WordPress files
- Web-based shells
- TimThumb vulnerabilities
If Jetpack does find something malicious, it can help you repair the issue.
Price: Some features are available in the free version. Malware scanning is available on the Premium plan and above, which starts at $9 per month. This also gets you access to lots of other Jetpack features.
6. SecuPress
SecuPress is another well-known WordPress security plugin that comes in both a free and paid version.
SecuPress was originally launched by WP Media, the same company behind the popular WP Rocket plugin. However, WP Media later released ownership to the current owner (who was one of the co-founders of WP Media). Basically, that’s a long way of saying that you’ll see some design similarities to WP Rocket, but the two are no longer the same entity.
With the free version, you can:
- Block IP addresses and bad bots
- Protect your login from brute force attacks
- Hide the login page
- Hide your WordPress and WooCommerce versions
- Manage XML-RPC and REST API
- Log important user actions
You also get a firewall in the free version.
The premium version adds additional features such as:
- Two-factor authentication to secure your login
- Antispam features
- Backup for database and files
- Detection for themes or plugins with known security vulnerabilities
- PHP malware scan
- Country blocking (geolocation)
- Task scheduling
One standout feature with SecuPress is the interface. It has the most pleasant interface of any tool on this list, which is especially nice if your clients will ever see it. Again, you can definitely see the WP Rocket influence in the interface.
Price: Free version at WordPress.org. Paid version starts at $65.
7. Cerber Security
Cerber Security is another popular all-in-one WordPress security plugin that comes with:
- Security hardening
- Malware scanning
First off, it’s packed with security hardening rules such as:
- Changing the WordPress login page
- Disabling PHP in the uploads folder
- Stopping user enumeration
- Limiting login attempts
- Monitoring file integrity
- Two-factor authentication
You can also set up rules, like automatically blocking any IP address that tries to log in with a non-existent user name. You can also create custom role-based policies, like requiring two-factor for admin users and automatically logging them out after a certain amount of time.
As part of the firewall, you get a real-time traffic inspector where you can see everything that’s happening on your site, including monitoring both logged-in sessions and visitors. You also get geo-blocking rules.
Finally, you get malware scans, including the ability to schedule scans to run automatically.
If you need to manage multiple sites, it also includes a Cerber.Hub feature that lets you manage multiple sites from one dashboard. This dashboard is self-hosted, unlike Wordfence. You’ll designate one WordPress site as the “Master” and then “Slave” other installs to that master dashboard.
Price: Free version at WordPress.org. Paid version starts at $99.
8. Wordfence
General Security Hardening
First, Wordfence includes tons of tools to help with basic WordPress security hardening such as:
- Disabling code execution in the uploads directory
- Hiding your WordPress version
- Stopping user enumeration
You also get a dedicated Login Security tab from which you can control login security measures such as:
- Using two-factor authentication (for all users or just certain user roles)
- Disabling XML-RPC authentication
- Adding reCAPTCHA on the login page
- Limiting failed login attempts (this is part of the firewall)
- Enforcing strong passwords
Web Application Firewall
Wordfence also includes its own WAF. The Wordfence team is continuously adding new rules in real-time to adjust for emerging threats. You can also configure how the firewall functions, such as whitelisting certain IP addresses and services.
You can also immediately block IP addresses that try to access certain sensitive URLs. And with the premium version, you can block entire countries with geotargeting.
Finally, you also get detailed malware scans. These scans can scan all the files on your server, as well as checking for other security issues such as:
- Malicious links in comments
- Newly created admin users
- Out-of-date themes or plugins
- Weak passwords
So it’s kind of a “general WordPress security weakness scan” that also includes malware scanning.
You also get rules to configure how often and how in-depth to scan, which can help you control the server resources that your scans consume.
If you’re managing lots of WordPress sites (like client sites), Wordfence also includes a Wordfence Central tool that lets you manage the security for all of your sites from one central location. You can also create Wordfence settings templates that you can quickly apply to new sites and receive alerts when something happens on any of your sites.
The core Wordfence plugin and most of the features are free. However, there’s a notable difference when it comes to the rules that Wordfence uses for its firewall and malware scans.
With the premium version, you get real-time updates to those rules. So as soon as Wordfence detects a threat (which it’s pretty proactive about), Wordfence immediately adds those rules to your site.
However, with the free version, those rule updates are delayed by 30 days.
Price: Wordfence is available for free at WordPress.org. The paid version starts at $99 for use on a single site, with volume discounts for larger numbers of sites.
Is a WordPress Security Plugin All You Need?
No! Not by a long shot.
While all of these security plugins certainly help secure your website, WordPress security is not as simple as installing a plugin and calling it a day.
That doesn’t mean security plugins aren’t useful – it just means that if you aren’t doing the little things right, even a security plugin won’t be able to save you.
One of the absolute most important things that you can do is promptly update the WordPress core software, your plugins, and your theme – especially for minor security releases (e.g. WordPress 5.4.X).
According to Sucuri’s 2019 Hacked Website report, about half of all WordPress sites were running an out-of-date version of the core software when their site was infected. What’s more, 44% of hacked websites were running an out-of-date plugin.
Long story short, the following actions are just as important, if not more important, than using a WordPress security plugin:
- Promptly updating your site and its extensions for security releases.
- Being careful about the extensions you choose (and never installing nulled plugins from questionable sources).
- Using strong passwords, especially on admin accounts.
For more tips, check out our complete guide to how to secure your WordPress site.
And if you’re not sure which plugin to pick, you certainly won’t go wrong with Wordfence as a first option.