You know that it’s a nasty world out there with malicious actors just itching to get their dirty hands on your WordPress website. You also know that you should probably be doing “something” to keep your WordPress site safe from all those baddies.
What you might not know is what that “something” is.
That’s what I’m going to share with you in this post.
I’ll cover eight of the best WordPress security plugins and tools, along with each tool’s pros and cons. Then, at the end, I’ll try to help you pick the right set of tools based on your own unique situation.
But first, let me start with a quick caveat…
WordPress security isn’t just about plugins and tools
All of the security plugins and tools on this list will help you make WordPress more secure. But they don’t eliminate the need for action on your part.
Think of them kind of like wearing a motorcycle helmet. Sure – motorcycle helmets will help protect you in a crash, but they aren’t a license to go out and drive recklessly.
These tools are like that. They give you some much-needed protection, but you still need to drive safely if you want to stay safe and secure.
So what is “driving safely” in the WordPress world? I’m talking about really simple things like:
- Promptly updating your WordPress software, plugins, and themes
- Using a secure password for your WordPress administrator account and web hosting account
- Only using themes and plugins from reputable developers/sources
- Backing up your site on a regular basis
Those tips might seem overly simplistic, but doing those four things alone will help protect you from most WordPress security issues.
Then, to protect your site from everything else, you can use these WordPress security plugins and tools.
A few key security terms explained before we dig in
While these plugins and tools make things pretty simple, WordPress security still includes a lot of terms that you might not be familiar with.
To help you understand what these tools are actually doing, I want to explain a few of the most common terms that you’ll see throughout the rest of the post.
First, you’ll see the word firewall come up a lot (also referred to as WAF: web application firewall). For your WordPress site, a firewall basically sits between your site’s server and all the incoming traffic. Because it occupies this position, it’s able to inspect and filter out malicious actors before they even reach your server.
All firewalls are not created equal, though. And the effectiveness of your chosen firewall depends on the rules and configurations that the firewall provider puts in place.
Another term is malware scanning, which you’ll probably be more familiar with. Just like you would scan your own computer for viruses and malware, many of these tools can scan your WordPress site’s server for malware.
Finally, I’ll throw the term security hardening around a lot. These are basically little tweaks that, when put together, help make your site more secure.
With that knowledge in hand, let’s dig into the plugins.
Wordfence is the biggest name in WordPress security, especially when it comes to all-in-one solutions. It’s active on over two million sites while maintaining an impressive 4.8-star rating on over 3,000 reviews.
Suffice it to say, a lot of people like it.
So why is it so popular?
First, it comes in a generous free version (as well as a premium version).
Second, it offers an all-in-one approach to WordPress security.
At a broad level, it includes a web application firewall to filter and block malicious traffic, as well as a built-in malware scanner to check your files for malware, backdoors, and other malicious injections.
Both the free and Pro version include these two core features, but the Pro version offers more of a real-time approach to both. For example, the Pro version’s firewall gets real-time firewall rule updates, while the free version only updates every 30 days.
Similarly, the Pro version’s malware scan updates its signatures in real-time, while the free version is delayed by 30 days.
So if you want protection against the most cutting-edge exploits, you’re better off with the Pro version.
Beyond those broad protections, it also makes a lot of the little tweaks that can further harden your site. I’m talking about things like:
- Two-factor authentication to secure your login
- Update notifications
- Email alerts for important actions, like an administrator account signing in
- Limit login attempts (automatically block users that enter incorrect passwords/usernames too many times)
- Enforce strong passwords
Price: Free at WordPress.org. Pro version starts at $99 per year, though you get discounts for purchasing multiple years at a time.
MalCare is a WordPress security plugin that, as you can probably guess from the name, focuses on malware detection and removal.
One of the things that I like about MalCare in comparison to something like Wordfence is that MalCare does its scanning on its own servers. Scanning for malware is a pretty intensive process, so if a plugin is doing the scans on your live server, it can slow down your site while the scan is running.
MalCare fixes that by using its own servers to do the scanning.
It’s also just generally built to catch malware that other plugins don’t. And if it does catch something, it offers one-click malware removal to get rid of the offending file.
MalCare also does include a firewall, but I don’t think it’s as high-quality as what you get with Sucuri, so I’d still recommend using Sucuri’s firewall instead if you can swing the price.
Beyond that, it also offers some basic security hardening like:
- CAPTCHA for your login page
- Limit login attempts
- Disable file editing
- Disable file execution in uploads folder
In general, though, I think the unique selling proposition for MalCare is off-server malware scanning. It also lets you manage multiple sites from one single dashboard, which is another nice bonus.
Price: Starts at $8.25 per month
3. iThemes Security
iThemes Security is another popular all-in-one security solution that comes in both a free and a premium version. iThemes is a long-standing WordPress company that was recently acquired by Liquid Web, a popular managed hosting service.
iThemes Security does not include a firewall like Wordfence, but it does offer malware scanning.
Beyond malware scanning, it also comes with a whole heap of smaller security tweaks to harden your WordPress site.
First, it does a number of things to protect your login page like:
- Hiding the login page.
- Blocking hosts/users with too many failed login attempts to protect from brute force attacks.
- Enforcing strong passwords for all user accounts.
- Renaming the “admin” account if you’re still using admin as a username.
- Removing login error messages.
- Offering two-factor authentication (Pro).
Then, there are lots of other small tweaks, many of which you’ll see in WordPress security guides:
- Disable in-dashboard file editing.
- Remove update notifications for unauthorized users.
- Change the WordPress database prefix.
- Change wp-content path.
- Log user actions.
If you’d like to use iThemes Security, the developers recommend pairing it with Sucuri’s WordPress firewall, which we’ll cover next.
Price: Free at WordPress.org. Pro version starts at $80 per year.
Sucuri is a popular website security solution that has two different products that help with WordPress security:
- A free plugin
- A paid firewall service
You can pair both of these together, or you can opt to just use one of them (or pair the firewall with a different plugin, like iThemes security).
Sucuri’s security plugin is available for free at WordPress.org. It doesn’t include the firewall functionality, but it does a lot to keep your site secure (and it can help you integrate the firewall, if you opt to pay for it).
First, it includes activity auditing and file integrity monitoring. Basically, these two features help you monitor what’s happening on your site. For example, the activity auditing can show you failed login attempts and the file integrity monitoring can tell you if any of your core WordPress files have been modified.
Beyond that, the plugin includes basic malware scanning. This functionality is essentially an in-dashboard implementation of Sucuri’s free SiteCheck scanner. As such, it’s more limited than many other solutions and won’t be able to catch all malware.
Finally, Sucuri’s plugin also includes some basic WordPress security hardening tweaks, like blocking PHP files in the uploads directory and disabling in-dashboard file editing.
Price: Free at WordPress.org
Whereas Sucuri’s plugin is about monitoring and basic hardening, Sucuri’s Firewall service proactively blocks threats before they happen and also protects you from DDoS attacks.
Beyond blocking malicious bots and known exploits, Sucuri also uses its large network and machine learning to constantly improve its firewall rules and protect your site from newly discovered exploits.
Additionally, Sucuri lets you create your own firewall rules. For example, you can have Sucuri restrict access to your WordPress dashboard to a specific set of whitelisted IP addresses.
As a nice little bonus, Sucuri Firewall also includes a CDN to speed up your site, though that doesn’t really have anything to do with WordPress security!
Price: $19.98 per month for just the firewall. Or, included as part of the broader Sucuri Website Security Platform, which starts at $299.99 per year.
WebARX is a relatively new service that adds a secure firewall to your websites, as well as a few other features.
It’s not specific to WordPress, but it does include a WordPress plugin to make the setup easy.
One of the nice things about WebARX is that it makes it easy to monitor all of your websites from one single dashboard. So if you have a lot of smaller sites spread out, this is a convenient way to keep an eye on all of them from one spot.
Beyond the firewall to protect your site from attacks and malicious bots, WebARX also includes uptime and defacement monitoring. If your site goes down or is defaced, you can get a notification via email or Slack. Again, this is helpful if you have a bunch of small sites that you don’t check that often.
Price: Starts at $10 per month.
6. VaultPress (part of Jetpack)
VaultPress is a backup and security service from Automattic, the same company behind WordPress.com. It’s part of the paid Jetpack plans, so you’ll also get access to all of the other premium Jetpack features if you go with VaultPress.
Like MalCare, one of the neat things about VaultPress is that it does its security scanning on its own servers, which ensures that there’s never any performance hit to your website.
Here’s how that works:
Every day, VaultPress automatically backs up your site to its secure servers. Then, it scans the files that it just backed up for malware of other infiltrations.
On the highest tier plan, VaultPress can also automatically fix any security issues that it discovers (the cheapest tier only supports “manual resolution”, though).
Overall, VaultPress is a good option if you want something that combines security scanning with backups. You still might want a separate firewall solution, though.
Price: $99 per year for basic security (Jetpack Premium) or $299 for automatic resolution (Jetpack Professional)
But because Cloudflare acts as a reverse proxy, it’s also a great tool to secure your WordPress site. Essentially, a reverse proxy sits between your visitors’ browsers and your website’s server and directs traffic, which lets it filter out malicious actors.
Cloudflare’s free plan offers basic security in the form of DDoS protection and reputation-based threat protection (blocks known malicious threats from accessing your site).
If you’re willing to pay, through, Cloudflare’s paid plans include a web application firewall as well as IP whitelisting rules.
If you’re already using Cloudflare for its performance-boosting features, you might want to consider upgrading to the paid plans to take advantage of the web application firewall.
Price: Free with basic security. Paid plans with the firewall start at $20 per month
8. Login No Captcha reCAPTCHA
Login No Captcha reCAPTCHA is a much smaller solution than all the other plugins. While the other tools are all focused on firewalls, malware scanning, and other big tweaks, Login No Captcha reCAPTCHA really only does one thing:
Add Google reCAPTCHA protection to your login page.
This is an easy way to protect your login page from brute force attacks and keep out unauthorized users.
Some all-in-one-security plugins already add this functionality (e.g. iThemes Security). But if you opt not to use one of those all-in-one solutions, you should still consider Login No Captcha reCAPTCHA to lock down your login page.
Price: 100% free
Which of these WordPress security plugins and tools are right for your needs?
You certainly don’t want to use all of these security plugins and tools on your site. So which ones should you pick? How do you build your security stack?
Well, before making your choice, I recommend that you check what your WordPress host is already doing. Some hosts – especially managed WordPress hosts – might already implement firewalls and malware scanning for you at a server level. So if that’s the case, there’s no need to duplicate their efforts.
Once you know what your host is already doing, here are some tips for choosing your solutions.
If you want a website firewall, Sucuri Firewall is the best option for mission-critical sites, while MalCare offers a more affordable version with a dashboard that makes it easy to manage multiple sites.
You can also combine a firewall and malware scanning plugin. For example, you can use WebARX for firewalls and MalCare for malware scanning. While Malcare does technically offer a firewall, it’s not the service’s strong point. That’s why you’re better off disabling Malcare’s plugin-based firewall and pairing it with something like WebARX or Sucuri.
If your host has already implemented firewalls and malware scanning for you, you can skip those plugins, but I’d still recommend adding something like Login No Captcha reCAPTCHA to lock down your login page. However, Wordfence and WebARX have this feature built-in so they don’t require an extra plugin.
Finally, you have the all-in-one security plugins like Wordfence and iThemes Security. These plugins make security really simple, which is good. But because they’re always on and running on your server, they can also slow down your site, which is bad.
For that reason, I personally don’t use them and prefer to pick and choose the specific security features that I want.
That said, I do recognize their benefit from a simplicity standpoint.
Note: Wordfence and iThemes Security should not be used together. If you choose to go down the “all-in-one security plugin” route – just use one.
So if you’re feeling overwhelmed by all of these options and just want something that’s easy to use right out of the box, those two are certainly solid options. But pay close attention to your site’s load times before and after to make sure there’s no noticeable slow-down.
Disclosure: This post contains affiliate links. This means we may make a small commission if you make a purchase.