Top Security Plugins to Safeguard WordPress

Posted on September 29, 2016 at 12:53 pm

Tags: ,


Our Top 10 WordPress Security Plugins

Your website is a valuable digital asset. Just as there are vandals looking to break-in and steal your possessions, there are miscreants looking to inject malware into your website / take it over / deny access to genuine visitors.

Malware in the website can cause it to slow down thereby turning away search engines. Downtime can cost websites dearly, especially eCommerce sites. A 13 minute outage on Amazon has the potential to cause a loss of over $2.5 million in revenue.

It is in our best interest to stay ahead in this cat and mouse game with these mischief makers. After all, an ounce of prevention is far better than a pound of cure.

WordPress is now a popular CMS and more than 25% of the websites have adopted this platform. And that is why WordPress is the target of so many attacks. WordPress sites are easy targets for attacks because of plugin vulnerabilities, weak passwords and obsolete software. The team at WordPress pays continuous attention to security, but it is up to us to implement good security practices on our websites on a daily basis.

One way in which we can give hackers a hard time is by installing plugins. Ten popular plugins are discussed in this post.

WordPress Hacked?

If your WordPress Website has been hacked then we can help you with our WordPress Hacked Fix Services, where we can clean and update your site in 24 hours or even less. We also offer a 30 days period where you will get free cleaning services in case you WordPress website gets hacked again.

iThemes Security

iThemes Security protects your website in 30 different ways. It toughens user credentials, allows only a limited number of login attempts, clamps down on automated attacks, and hardens all round security. To take complete advantage of this plugin, the authors advise that the latest version of WordPress is used. Take note, the plugin makes a good number of changes to database, so be cautious and backup before you try out it out.

Setting up the plugin is not a hassle as you can enable settings and features in the plugin with a single click.


It keeps out bad users if they hit too many 404 pages or if they figure on a bot blacklist. IP level blocking is permitted. Other features include local and network brute force protection, turning off file editing in WP admin, database backups, and hiding login and admin URL.

Updating your WordPress salt and keys, checking file permissions and Google reCAPTCHA integration are 3 recently added features. If you are not likely to visit your dashboard for a while, totally block access to your dashboard by setting the plugin in AWAY mode for any period of time.


With iThemes Security Pro, you get a Dashboard widget, two factor authentication, scheduled malware scans, ability to match your core files with the version (to rule out any malicious changes), and reCAPTCHA integration for login pages, comments sections and user registrations.

You'll receive alerts in your inbox if any file changes are detected. Be prepared, file change detection and database backups can eat into your RAM.

Clef Two-Factor Authentication


Kudos to Peter Vukcevic from FirstSiteGuide for the heads up.

Two factor authentication has been around for sometime now. It provides near fool proof security for authentication pages - dashboard, API access and password resets. It almost completely eliminates password based attacks. Once activated on your website, you are protected against phishing attacks, account takeovers due to email hacking, brute force attacks and unauthorized login attempts.

The traditional two factor sign-in needed you to enter a code that is sent to your phone. The code is replaced by a 'Wave' in Clef Two-Factor Authentication. No passwords and no one time codes.


To install Clef, download the plugin from the WordPress repository and the Clef App into your mobile phone. When you attempt to log in, you need to use the camera on your mobile to sync with the wave appearing on the screen.

Once signed in, enjoy one click sign-ins to subsequent sites. Sign out can be timed or done with a single click. Clef does take a bit of setting up, but should be smooth sailing after that.


If you happen to lock yourself out, delete the /wp-content/plugins/wpclef/ folder to restore password based access. For users who do not have smartphones, check the options for allowing password based login. The app is free and so is usage for up to 10 users per site.

Login Security Solution

Login Security Solution works to reduce exposure to security risks caused by weak passwords, without annoying genuine users. By clicking on a link 'Change All Passwords', you can force all users (except Admin) to reset passwords the next time they come to a page that needs authentication.

This plugin prevents brute force attacks by making it harder to log in from IPs which have a history of failed attempts. It compiles IP addresses, usernames and passwords from each failed login attempt. When a person or bot tries to log in again, the data is matched against stored data. If there is a match, the response time is delayed.


The delay in response can vary, and can be randomized in the plugin settings. The intent here is that the person will then move away to an easier target. Failure and breach notifications are received in your inbox.

The period for retaining data and time after which an inactive user is to be signed out is can be set. You can also set levels of acceptability for passwords with reference to complexity, age, length and history. UTF-8 character set (a character encoding capability) is supported.


A neat plugin that enforces strong passwords to make it difficult for miscreants to pull off a brute force attack.

All In One WP Security & Firewall

Not sure about the level of security that your website needs ? All In One WP Security & Firewall can help you. There are 3 levels of security - basic, intermediate and advanced. The dashboard displays the minimum level of features that you should activate to achieve a basic level of security. And based on the features you activate, you'll be graded by the security strength meter gauge on how well you are protecting your site. The basic features have Nil to minimum impact on your site's functionality.


You'll find most of the features offered by standard security plugins present in All in One as well. Login lockdown, IP level blocking, locking out a user after a specified time period, monitoring login attempts & user account activity, whitelisting & blacklisting IP addresses and preventing brute force attacks are some of the ways that it protects the login page. Files are checked for settings that may be insecure, and corrected. To protect your PHP code, disable file editing.

Any traffic reaching your website has to be processed first by the htaccess file. The firewall protection to this file can be enhanced to stop malware before it reaches your site. While the plugin administers a whole set of firewall rules like denying bad query strings, preventing hotlinking and blocking bots, you can also add custom rules of your own.


Easy backup and restore of your .htaccess file and wp-config.php file is possible. Whoislookup functionality helps to check out on suspicious domains. Monitor and block comments and spam IP addresses with a single click.

Disabling right click on the front end to protect text from being copied, hiding WordPress version, stopping other sites from displaying your content, database scanner and file scanner that can report changes via an alert, are all features packed into this plugin.

Sucuri Security

Sucuri Security can safeguard your website in many ways. The Sucuri Security Plugin has tools that undertake audit logging, security hardening, email alerts, integrity checking and more. After activating the plugin, you will need to generate a free API. Once installed, the plugin creates a good known copy the files and database, and checks for file integrity at regular intervals. If you're on the blacklist of any of the popular blacklist engines like McAfee or Norton, this plugin will let you know about it and then help to get off the list.


For a simple scan of your website for malware, you can run your site URL by the Sucuri SiteCheck Scanner. The scanner compares all the links and pages against Sucuri's malware database and looks for (and reports) malware, blacklisting, defacing, website errors and out-of-date software. It also recommends how you should handle these security issues. The scanner does not have access to your server, so anything suspicious in the server will slip scrutiny.

Sucuri also offers a paid Sucuri CloudProxy Firewall that protects websites from DOS / DDoS attacks, brute force attacks and software glitches. With the firewall feature activated, you can detect and clean up malware, and remove your website from any blacklist. Zero day patches that tackle zero day attacks, can be fixed virtually to your website within minutes of a known attack.


BulletProof Security

BulletProof Security comes with a setup wizard that checks your site for compatibility before installation. The main security tool in this plugin is the security log. It blocks hackers and spammers and maintains logs of user activity. It enforces login security and monitoring, idle session logout and firewall protection for .htaccess.


File and folder permission checks, login and brute force protection, auth cookie expiration security and database backup are just a few of the many ways in which it watches over your website. And it does all this without making excessive MySQL queries or using too much server memory or resources.


The pro version uses a prevention system that monitors files and data base in real time. This system can automatically quarantine intrusions whether they contain malware or not, and auto restore the original files. Moreover, the pro version is a fully automated, self repairing and self configuring plugin that pretty much sets itself up when you run the Setup Wizard. The WordPress plugin folder is guarded by a firewall, so vulnerabilities are not exploited.

Acunetix WP Security

Acunetix WP Security scours your website checking for all kinds of security lapses and recommends how you can set them right. It looks up your database, admin area and file permissions for vulnerabilities. It suggests corrective actions that include stronger passwords, stricter file permissions and many ways to better protect the admin and database.


To make it difficult for hackers, the plugin removes some information from the core,

  • Disables database and PHP error reporting.
  • Removes error information on login page.
  • Removes information on updates of core, plugins and themes for non-admins.
  • Removes version information at the backend and in URLs on the front end.
  • Removes WP Generator META tag.

It prevents directory listing by adding index to theme, plugins, content & upload files, and provides a live traffic tool to monitor your website in real time.

Acunetix is multisite ready, but can be activated only across the entire network, not on a per-site basis.

For an audit of your website and perimeter servers, sign up for the Free Network Security Scanner. Acunetix also offers paid scanning services with their Vulnerability Scanner.

WP Security Audit Log

With WP Security Audit Log a website administrator can keep track of all WordPress changes within the website. It helps identify suspicious activity early on and take protective measures. All user activity is monitored, so admin can know when users logged in or out, what content they created, modified, deleted and much more.

If you are managing a number of client websites, you can view what has been done on the site and quickly change or reverse it, to resolve any complaint reported by the client.


The latest version has increased the plugin's capabilities to keep a log of 404 requests, changes in the comments section, content that is automatically generated by plugins and more. Plugin, theme and code behavior can be monitored and alerts received.

All security alerts are stored in 3 tables in the WordPress database. With a little bit of coding, you can also create a custom alert.

WP Security Audit Log offers a number of paid add-ons. You can choose to receive email alerts, search and filter function to identify the changes, generate reports and store the audit log in an external database.

Wordfence Security

Wordfence Security is a free, open source, full-featured, comprehensive plugin that is updated on an ongoing basis. With over a million active installs, it is the most downloaded security plugin in the WordPress repository. It collects data from the thousands of websites that it protects and uses it to protect yours.

It has 2 core features - firewall protection and malware scanning. Recently, the malware scanner has been integrated with the firewall. Free users are currently protected using 402 scan signatures. Premium users are protected using an additional 130 signatures (which become available to free users after 30 days). All scans are fast as they happen on your web server, without consuming your bandwidth.


Wordfence protects your website by,

  • Enforcing Login Security - Insisting on strong passwords and preventing brute force attacks.
  • Blocking - Known attackers are blocked in real time, including entire malicious networks.
  • Monitoring - View all your traffic in real time and screen for robots, 404 errors, logins, automated bots that don't show up on analytics. Also for unauthorized DNS changes, security risks from specific geographies and suspicious consumption of disk space that may lead to blocking out visitors.
  • Scanning - Scans your core files, themes and plugins, and checks with WordPress repository for integrity. Blocks over 44000 known malware variants and continuously scours for fresh malware, backdoors, trojans and phishing URLs.
  • Firewall - To block common security threats before they reach your website. The firewall is constantly updated, so you are protected from the latest threats. Premium users are protected by real time feed.


Once installed, visit the settings page to enable or disable options. Select rules according to your preference. Pick the security level you want, and opt to receive alerts once you have entered your email.

Wordfence is multi-site compatible, scanning all the blogs in the network from a single dashboard. It ensures faster caching with support from Falcon Engine, a fast WordPress caching engine. Cache management features like monitoring and clearing cache is allowed. This prevents any clash between security and caching functions.

If you wish to block traffic from a specific country or region, or require a higher frequency of scans, scheduled scans or cell phone sign-in (two factor authentication), you'll need to upgrade to the premium version. This version also verifies source code integrity against WordPress repository, fully supports IPv6 & multisites & two factor sign-in and checks all the URLs on your website against Google's safe browsing list.

If I've got to say what's not good about WordFence, it is simply that the options page can be a little overwhelming while their scan page is bloated with some text ads about their pro services.

Brute Force Login Protection

Brute Force Attacks Login Protection prevents forced entry by anyone trying out different user names and passwords over and over again. You can set the number of attempts after which the attempted login will be blocked. This simple action can filter out a number of unwanted users.


Choose to display the number of attempts remaining on login page or to delay response after a failed login. In addition, you can manually block unwanted IPs or add IPs to a whitelist. Site admin as well as the blocked user can be informed of blocked IP.

In Conclusion

Malware can lurk within your website for a long time for a long time without you even knowing it. It can affect your search engine ranking and spreads over the internet through your readers browsers. Take precautions, and don't give hackers any chance of harm your website.

Comments (3)

  1. Barbara Reply

    September 30, 2016 at 12:01 am

    Great post, thanks!

    Forms built for gated content need to be as attractive as possible so people will be more likely to use them. This rules out captcha and creates an opening for spam. Have just discovered the WPBruiser plugin, and it works great. It actually does a lot more than just keeping out form spam, and has built in reporting too.

    The free plugin, WPBruiser {no- Captcha anti-Spam} in the WordPress plugin repository is built to protect all form submissions from spam without captcha, and has add-ons for popular form building plugins (very reasonably priced). There’s also a country-blocking add-on. They provide great support too!

    I highly recommend WPBruiser!

  2. bhaskar dhiman Reply

    April 30, 2017 at 7:08 am

    Great article thanks. Please provide comparison between all and suggest overall best. Single is enough for protection or i have to use the combination ? also how to set security headers ?

    1. Makis Mourelatos Reply

      April 30, 2017 at 11:35 am

      Hello Bhaskar.
      I avoid comparing plugins unless I have used them for long under various WP setups. Specifically a security plugin is something that we must be very serious about suggesting to our readers or subscribers since they tend to fully rely on them for their site’s security.

      Security headers is a great idea for a new article, come back in a few days or subscribe to our Blog in order to be notified when that post is published.

Leave a Reply

Your email address will not be published. Required fields are marked *