
8+ Best WordPress Security Plugins (Free & Premium 2020)

Defender WordPress Security, Malware Detection, and Firewall

Defender adds the best in WordPress security to your website with just a few clicks. Stop brute force attacks, SQL injections, cross-site scripting (XSS), and other WordPress vulnerabilities with Defender malware scans, firewall, and two-factor authentication login security.

No longer do you have to go through hideously complex settings and get a virtual PhD in security. Defender adds all the hardening and security tweaks you need. Defender’s regular security scans, vulnerability reports, audit logs, 2-factor authentication, safety recommendations, blacklist monitoring, IP lockout device, simple security tweaks, core, plugin and theme code checker and login masking are too much for even the most wily villain.

Wordfence Security

Wordfence starts by checking if your site is already infected. We do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.

THE MOST POPULAR WORDPRESS FIREWALL & SECURITY SCANNER

Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.

WORDPRESS FIREWALL

  • Web Application Firewall identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
  • [Premium] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • [Premium] Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
  • Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed and cannot leak data.
  • Integrated malware scanner blocks requests that include malicious code or content.
  • Protection from brute force attacks by limiting login attempts.

WORDPRESS SECURITY SCANNER

  • Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
  • [Premium] Real-time malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • Compares your core files, themes and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you.
  • Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.
  • Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.

LOGIN SECURITY

  • Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
  • Login Page CAPTCHA stops bots from logging in.
  • Disable or add 2FA to XML-RPC.
  • Block logins for administrators using known compromised passwords.

iThemes Security

ITHEMES SECURITY IS THE #1 WORDPRESS SECURITY PLUGIN

iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software.

Most WordPress admins don’t know they’re vulnerable, but iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress.

MAINTAINED AND SUPPORTED BY ITHEMES

iThemes has been building and supporting WordPress tools since 2008 like BackupBuddy, our WordPress backup plugin. With our full range of WordPress plugins, themes and training, WordPress security is the next step in providing you with everything you need to build the WordPress web.

PROTECT

iThemes Security works to protect your site by blocking bad users and increasing the security of passwords and other vital information.

  • Prevents brute force attacks by banning hosts and users with too many invalid login attempts
  • Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
  • Bans troublesome user agents, bots and other hosts
  • Strengthens server security
  • Enforces strong passwords for all accounts of a configurable minimum role
  • Forces SSL for admin pages (on supporting servers)
  • Forces SSL for any page or post (on supporting servers)
  • Turns off file editing from within WordPress admin area
  • Detects and blocks numerous attacks to your filesystem and database

DETECT

iThemes Security monitors your site and reports changes to the filesystem and database that might indicate a compromise. iThemes Security also works to detect bots and other attempts to search for vulnerabilities.

  • Detects bots and other attempts to search for vulnerabilities.
  • Monitors filesystem for unauthorized changes.
  • Run a scan for malware and blacklists on the homepage of your site.
  • Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.

Sucuri Scanner

Sucuri SiteCheck will check your site for malware, spam, blacklisting and other security issues like .htaccess redirects, hidden eval code, etc. The best thing about it is it’s completely free.

Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security.

The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)

AntiVirus

AntiVirus for WordPress is an easy-to-use, safe tool to harden your WordPress site against exploits, malware and spam injections.
You can configure AntiVirus to perform an automated daily scan of your theme files and database tables. If the plugin happens to detect any suspicious code injections, it will send out a notification to a previously configured e-mail address.

In case your WordPress site has been hacked, AntiVirus will help you to become aware of the problem very quickly in order for you to take immediate action.

FEATURES

  • Virus alert in the admin bar
  • Cleaning up after plugin removal
  • Daily scan with email notifications
  • Database tables and theme templates checks
  • Whitelist solution: Mark suspected cases as “no virus”
  • Manual check of template files with alerts on suspected cases
  • Optional: Google Safe Browsing for malware and phishing monitoring.

CONTRIBUTE

  • Active development of this plugin is handled on GitHub.
  • Pull requests for documented bugs are highly appreciated.
  • If you think you’ve found a bug (e.g. you’re experiencing unexpected behavior), please post at the support forums first.
  • If you want to help us translate this plugin you can do so on WordPress Translate.

All In One WP Security and Firewall


A COMPREHENSIVE, EASY TO USE, STABLE AND WELL SUPPORTED WORDPRESS SECURITY PLUGIN

WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices.

The All In One WordPress Security plugin will take your website security to a whole new level.

This plugin is designed and written by experts and is easy to use and understand.

It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.

Our security and firewall rules are categorized into “basic”, “intermediate” and “advanced”. This way you can apply the firewall rules progressively without breaking your site’s functionality.

The All In One WordPress Security plugin doesn’t slow down your site and it is 100% free.

Visit the WordPress Security Plugin page for more details.

Below is a list of the security and firewall features offered in this plugin:

USER ACCOUNTS SECURITY

  • Detect if there is a user account which has the default “admin” username and easily change the username to a value of your choice.
  • The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having accounts where the display name is identical to the login name is bad security practice because you are making it 50% easier for hackers because they already know the login name.
  • Password strength tool to allow you to create very strong passwords.
  • Stop user enumeration. So users/bots cannot discover user info via author permalink.

USER LOGIN SECURITY

  • Protect against “Brute Force Login Attack” with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings, and you can also choose to be notified via email whenever somebody gets locked out due to too many login attempts.
  • As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
  • Force logout of all users after a configurable time period
  • Monitor/View failed login attempts which show the user’s IP address, User ID/Username and Date/Time of the failed login attempt
  • Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
  • Ability to automatically lockout IP address ranges which attempt to login with an invalid username.
  • Ability to see a list of all the users who are currently logged into your site.
  • Allows you to specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have access to your WP login page.
  • Add Google reCaptcha or plain maths captcha to WordPress Login form.
  • Add Google reCaptcha or plain maths captcha to the forgot password form of your WP Login system.

Google Authenticator


Have a completely secure login to your WordPress website using this FREE, simple & very easy to set up plugin. It provides Google two-factor authentication (2FA, MFA) whenever you log in to your WordPress website, ensuring no unauthorised access to your website.

FREE PLUGIN FEATURES

  • Simplified & easy-to-use interface.
  • Two Factor Authentication (2FA) for 1 User forever FREE!
  • Variety of Authentication Methods: Any App supporting TOTP algorithm like Google, Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token and Security Questions(KBA)
  • Includes Language Translation Support. Supports a wide variety of languages
  • This plugin Supports standard TOTP + HOTP protocols for Authentication Methods.
  • Two Factor Authentication (2FA) allows authentication on login page itself for Google Authenticator & miniOrange Soft Token.
  • Brute force attack prevention & IP Blocking.
  • User login Monitoring.

STANDARD PLUGIN FEATURES

  • Two Factor Authentication (2FA) for Users as per the upgrade ( User-based pricing )
  • Available Authentication Methods: Google, Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token, Security Questions(KBA), OTP Over Email, OTP Over SMS, OTP Over SMS and Email, Email Verification. ( SMS credits need to be purchased as per the need)
  • Includes language Translation Support. Supports wide variety of languages.
  • Multiple Login Options: Username + password + two-factor (or) Username + two-factor i.e. Passwordless login.
  • Backup Method: KBA(Security Questions)
  • Multisite compatible.
  • User role based redirection after Login, Customize account name in Google Authenticator app
  • Custom Security Questions (KBA)

PREMIUM PLUGIN FEATURES

  • Two Factor Authentication (2FA) for Users as per the upgrade ( User-based pricing )
  • Available Authentication Methods: Google, Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token, Security Questions(KBA), OTP Over Email, OTP Over SMS, OTP Over SMS and Email, Email Verification, Hardware Token. ( SMS and Email credits need to be purchased as per the need)
  • Language Translation Support
  • Multiple Login Options: Username + password + two-factor (or) Username + two-factor i.e. Passwordless login.
  • Backup Methods: KBA(Security Questions), OTP Over Email, Backup Codes
  • Multisite compatible.
  • Email notification to users asking them to set up Two Factor Authentication (2FA).
  • User role based redirection after Login, Custom Security Questions (KBA), Customize account name in Google Authenticator app.
  • Enable Two Factor Authentication (2FA) for specific Users/User Roles
  • Choose specific authentication methods for Users
  • App Specific Password to login from mobile Apps
  • Add-Ons Included: RBA & Trusted Devices Management Add-on, Personalization Add-on and Short Codes Add-on

Bullet Proof Security


WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more. View Security feature highlights below. View BulletProof Security feature details under the FAQ help section below. Secure your WordPress website even further by adding additional BulletProof Security Bonus Custom Code. See BulletProof Security Bonus Custom Code under the FAQ help section below. Effective, Reliable & Easy to use WordPress Security Plugin.

BULLETPROOF SECURITY FEATURE HIGHLIGHTS

  • One-Click Setup Wizard
  • Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
  • MScan Malware Scanner
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders|Files Cron (HPF)
  • Login Security & Monitoring
  • JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Table Prefix Changer
  • Security Logging
  • HTTP Error Logging
  • FrontEnd|BackEnd Maintenance Mode
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info

BULLETPROOF SECURITY PRO FEATURE HIGHLIGHTS

  • One-Click Setup Wizard
  • Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
  • AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
  • Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
  • Real-time File Monitor (IDPS)
  • MScan Malware Scanner
  • DB Monitor Intrusion Detection System (IDS)
  • DB Diff Tool: data comparison tool
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Status & Info: extensive database status & info
  • Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updating in Real-time
  • JTC Anti-Spam|Anti-Hacker
  • Uploads Folder Anti-Exploit Guard (UAEG)
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders|Files Cron (HPF)
  • Custom php.ini Website Security
  • Login Security & Monitoring w/Dashboard Alerting|Status Display & additional options/features
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • F-Lock: Read Only File Locking
  • FrontEnd|BackEnd Maintenance Mode
  • Security Logging
  • HTTP Error Logging
  • PHP Error Logging
  • DB Table Prefix Changer
  • S-Monitor: Monitoring & Alerting Core
  • Pro Tools: 16 mini-plugins
  • Heads Up Dashboard Status Display
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info

JetPack Always On Security


Keep your site totally backed up in real-time with no storage limits and one-click restores.

Prevent unwanted intrusions with effective brute force attack protection, malware scanning, and spam filtering.

Get alerts about site downtime instantly.