14+ Best Free WordPress Security Plugins (Free & Premium 2020)

Looking for the best WordPress security plugins, both free and premium, to secure your WordPress website from hackers, viruses and injections? We put together a list of the best WordPress security plugins to help you stay secure and make sure your website is up and running without any major security issues. You might also check the most wanted security plugins in 2020 to make sure you pick the perfect security plugin for your site. When you pick one of those plugins, make sure it blocks malicious traffic and backdoors, includes a firewall, stops SEO spam, malicious redirects and code injections, prevents brute force attacks and offers two-factor authentication login.

MalCare Security WordPress Plugin

MalCare offers a suite of WordPress protection services that go above and beyond almost any other plugin out there. It offers a wide array of features ranging from malware scanning and removal to login protection and firewall. MalCare runs on a learning algorithm that keeps getting smarter with each threat it faces across the entire network of sites that it protects. With a first-of-its-kind one-click malware removal tool, MalCare bypasses the need to hire a security expert for every small error or anomaly on your site. At the same time, MalCare’s firewall and login protection lock out suspicious IPs and malicious bots without ever hogging your server resources.

Malware Scanner 

MalCare comes with a powerful scanner that can detect just about any malware under the sun. The most notable qualities of the scanner are – 

  • It goes beyond signature matching to detect complex and unknown malware.
  • Locates malware with pinpoint accuracy. 99% of the time, MalCare will automatically clean your site without needing a security expert or engineer.
  • Chances of false positives are very low. So, you only get notified of serious threats that require immediate attention.
  • Scan runs on MalCare’s own servers, which means that the performance of our website is never affected.
  • Most importantly, MalCare runs a daily scan on its own without us having to take any action.

Malware Removal

MalCare’s malware removal technology is unlike any other WordPress security plugin. Let’s take a look at what makes it so unique –

  • It’s an automatic cleaner. This means you don’t have to rely on security services to manually clean your website. Just click a button and MalCare will quickly clean your website in just under a minute.
  • MalCare does a complete sweep of your website. It removes all traces of malware. 
  • It removes the malicious parts of your website without breaking the site. 

WordPress Firewall & Login Protection

The firewall & login protection blocks malicious traffic without you having to raise a finger. Just set up the plugin and forget about it. 

  • The firewall detects malicious traffic trying to access your website and blocks it automatically.
  • MalCare’s firewall preemptively detects bot traffic before WordPress is loaded by recognising known malicious IPs. This way, your server resources don’t get depleted.
  • The login protection limits the number of failed login attempts which is an effective way to block brute force attacks.
  • MalCare runs on an adaptive learning algorithm that keeps learning from threats faced by the entire network of sites it protects. So, your protection grows stronger over time.

WordPress Management 

MalCare comes integrated with a complete website management module that ensures better security for all your websites from a single dashboard. MalCare’s management offerings include – 

  • Manage users, plugins, themes, even the core of all your websites from a single dashboard.
  • Easily share your account with clients and team members.
  • Enable white-labeling to serve your clients without risking your business.
  • Generate detailed reports for your client’s peace of mind.
  • Monitor your site’s uptime and speed right from the MalCare dashboard, etc

We highly recommend that you give MalCare a spin.

You can get MalCare at $99 for a single site for a year.

Defender WordPress Security, Malware Detection, and Firewall

Defender adds the best in WordPress security to your website with just a few clicks. Stop brute force attacks, SQL injections, cross-site scripting (XSS), and other WordPress vulnerabilities with Defender malware scans, firewall, and two-factor authentication login security.

No longer do you have to go through hideously complex settings and get a virtual PhD in security. Defender adds all the hardening and security tweaks you need. Defender’s regular security scans, vulnerability reports, audit logs, 2-factor authentication, safety recommendations, blacklist monitoring, IP lockout device, simple security tweaks, core, plugin and theme code checker and login masking are too much for even the most wily villain.

WordFence Security

Wordfence starts by checking if your site is already infected. We do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.


Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.


  • Web Application Firewall identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
  • [Premium] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • [Premium] Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
  • Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed and cannot leak data.
  • Integrated malware scanner blocks requests that include malicious code or content.
  • Protection from brute force attacks by limiting login attempts.


  • Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
  • [Premium] Real-time malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • Compares your core files, themes and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you.
  • Repair files that have changed by overwriting them with a pristine, original version. Easily delete any files that don’t belong from within the Wordfence interface.
  • Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.


  • Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
  • Login Page CAPTCHA stops bots from logging in.
  • Disable or add 2FA to XML-RPC.
  • Block logins for administrators using known compromised passwords.

iThemes Security


iThemes Security (formerly Better WP Security) gives you 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software.

Most WordPress admins don’t know they’re vulnerable, but iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress.


iThemes has been building and supporting WordPress tools like BackupBuddy, our WordPress backup plugin, since 2008. With our full range of WordPress plugins, themes and training, WordPress security is the next step in providing you with everything you need to build the WordPress web.


iThemes Security works to protect your site by blocking bad users and increasing the security of passwords and other vital information.

  • Prevents brute force attacks by banning hosts and users with too many invalid login attempts
  • Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
  • Bans troublesome user agents, bots and other hosts
  • Strengthens server security
  • Enforces strong passwords for all accounts of a configurable minimum role
  • Forces SSL for admin pages (on supporting servers)
  • Forces SSL for any page or post (on supporting servers)
  • Turns off file editing from within WordPress admin area
  • Detects and blocks numerous attacks to your filesystem and database


iThemes Security monitors your site and reports changes to the filesystem and database that might indicate a compromise. iThemes Security also works to detect bots and other attempts to search for vulnerabilities.

  • Detects bots and other attempts to search for vulnerabilities.
  • Monitors filesystem for unauthorized changes.
  • Run a scan for malware and blacklists on the homepage of your site.
  • Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.

Sucuri Security – Auditing, Malware Scanner and Security Hardening

Sucuri SiteCheck will check your site for malware, spam, blacklisting and other security issues like .htaccess redirects, hidden eval code, etc. The best thing about it is it’s completely free.

Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security.

The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)

JetPack Always On Security

Keep your site totally backed up in real-time with no storage limits and one-click restores.

Prevent unwanted intrusions with effective brute force attack protection, malware scanning, and spam filtering.

Security, performance, and site management: the best way to WordPress is with Jetpack.


Jetpack is your site’s security detail, guarding you against brute-force attacks and unauthorized logins. Basic protection is always free, while premium plans add expanded backup and automated fixes. Jetpack’s full suite of site security tools includes:

  • Brute-force attack protection, spam filtering, and downtime monitoring.
  • Backups of your entire site, either once daily or in real time.
  • Secure login, with optional two-factor authentication.
  • Malware scanning, code scanning, and automated threat resolution.
  • A record of every change on your site to simplify troubleshooting.
  • Fast, priority support from WordPress experts.

Get alerts about site downtime instantly.

VaultPress – security scanning

VaultPress is a real-time backup and security scanning service designed and built by Automattic, the same company that operates (and backs up!) millions of sites on WordPress.com.

VaultPress is now powered by Jetpack and effortlessly backs up every post, comment, media file, revision, and dashboard setting on your site to our servers. With VaultPress you’re protected against hackers, malware, accidental damage, and host outages.


Antivirus plugin

AntiVirus for WordPress is an easy-to-use, safe tool to harden your WordPress site against exploits, malware and spam injections.
You can configure AntiVirus to perform an automated daily scan of your theme files and database tables. If the plugin happens to detect any suspicious code injections, it will send out a notification to a previously configured e-mail address.

In case your WordPress site has been hacked, AntiVirus will help you to become aware of the problem very quickly in order for you to take immediate action.


  • Virus alert in the admin bar
  • Cleaning up after plugin removal
  • Daily scan with email notifications
  • Database tables and theme templates checks
  • Whitelist solution: Mark suspected cases as “no virus”
  • Manual check of template files with alerts on suspected cases
  • Optional: Google Safe Browsing for malware and phishing monitoring.


  • Active development of this plugin is handled on GitHub.
  • Pull requests for documented bugs are highly appreciated.
  • If you think you’ve found a bug (e.g. you’re experiencing unexpected behavior), please post at the support forums first.
  • If you want to help us translate this plugin you can do so on WordPress Translate.

All In One WP Security and Firewall


WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices.

The All In One WordPress Security plugin will take your website security to a whole new level.

This plugin is designed and written by experts and is easy to use and understand.

It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.

All In One WP Security also uses an unprecedented security points grading system to measure how well you are protecting your site based on the security features you have activated.

Our security and firewall rules are categorized into “basic”, “intermediate” and “advanced”. This way you can apply the firewall rules progressively without breaking your site’s functionality.

The All In One WordPress Security plugin doesn’t slow down your site and it is 100% free.

Visit the WordPress Security Plugin page for more details.

Below is a list of the security and firewall features offered in this plugin:


  • Detect if there is a user account which has the default “admin” username and easily change the username to a value of your choice.
  • The plugin will also detect if you have any WordPress user accounts which have identical login and display names. Having accounts where the display name is identical to the login name is bad security practice because you are making it 50% easier for hackers, who already know the login name.
  • Password strength tool to allow you to create very strong passwords.
  • Stop user enumeration. So users/bots cannot discover user info via author permalink.


  • Protect against “Brute Force Login Attack” with the Login Lockdown feature. Users with a certain IP address or range will be locked out of the system for a predetermined amount of time based on the configuration settings, and you can also choose to be notified via email whenever somebody gets locked out due to too many login attempts.
  • As the administrator you can view a list of all locked out users which are displayed in an easily readable and navigable table which also allows you to unlock individual or bulk IP addresses at the click of a button.
  • Force logout of all users after a configurable time period
  • Monitor/View failed login attempts which show the user’s IP address, User ID/Username and Date/Time of the failed login attempt
  • Monitor/View the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
  • Ability to automatically lockout IP address ranges which attempt to login with an invalid username.
  • Ability to see a list of all the users who are currently logged into your site.
  • Allows you to specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have access to your WP login page.
  • Add Google reCaptcha or plain maths captcha to WordPress Login form.
  • Add Google reCaptcha or plain maths captcha to the forgot password form of your WP Login system.

Google Authenticator

Have a completely secure login to your WordPress website using this FREE, simple & very easy to set up plugin. It provides Google two-factor authentication (2FA, MFA) whenever you log in to your WordPress website, ensuring no unauthorised access to your website.


  • Simplified & easy-to-use interface.
  • Two Factor Authentication (2FA) for 1 User forever FREE!
  • Variety of Authentication Methods: Any App supporting TOTP algorithm like Google, Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token and Security Questions(KBA)
  • Includes Language Translation Support. Supports a wide variety of languages
  • This plugin Supports standard TOTP + HOTP protocols for Authentication Methods.
  • Two Factor Authentication (2FA) allows authentication on login page itself for Google Authenticator & miniOrange Soft Token.
  • Brute force attack prevention & IP Blocking.
  • User login monitoring.


  • Two Factor Authentication (2FA) for Users as per the upgrade ( User-based pricing )
  • Available Authentication Methods: Google, Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token, Security Questions(KBA), OTP Over Email, OTP Over SMS, OTP Over SMS and Email, Email Verification. ( SMS credits need to be purchased as per the need)
  • Includes language Translation Support. Supports wide variety of languages.
  • Multiple Login Options: Username + password + two-factor (or) Username + two-factor i.e. Passwordless login.
  • Backup Method: KBA(Security Questions)
  • Multisite compatible.
  • User role based redirection after Login, Customize account name in Google Authenticator app
  • Custom Security Questions (KBA)


  • Two Factor Authentication (2FA) for Users as per the upgrade ( User-based pricing )
  • Available Authentication Methods: Google, Authy, LastPass Authenticator, QR Code, Push Notification, Soft Token, Security Questions(KBA), OTP Over Email, OTP Over SMS, OTP Over SMS and Email, Email Verification, Hardware Token. ( SMS and Email credits need to be purchased as per the need)
  • Language Translation Support
  • Multiple Login Options: Username + password + two-factor (or) Username + two-factor i.e. Passwordless login.
  • Backup Methods: KBA(Security Questions), OTP Over Email, Backup Codes
  • Multisite compatible.
  • Email notification to users asking them to set up Two Factor Authentication (2FA).
  • User role based redirection after Login, Custom Security Questions (KBA), Customize account name in Google Authenticator app.
  • Enable Two Factor Authentication (2FA) for specific Users/User Roles
  • Choose specific authentication methods for Users
  • App Specific Password to login from mobile Apps
  • Add-Ons Included: RBA & Trusted Devices Management Add-on, Personalization Add-on and Short Codes Add-on

Bullet Proof Security

WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more. View Security feature highlights below. View BulletProof Security feature details under the FAQ help section below. Secure your WordPress website even further by adding additional BulletProof Security Bonus Custom Code. See BulletProof Security Bonus Custom Code under the FAQ help section below. Effective, Reliable & Easy to use WordPress Security Plugin.


  • One-Click Setup Wizard
  • Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
  • MScan Malware Scanner
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders|Files Cron (HPF)
  • Login Security & Monitoring
  • JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Table Prefix Changer
  • Security Logging
  • HTTP Error Logging
  • FrontEnd|BackEnd Maintenance Mode
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info


  • One-Click Setup Wizard
  • Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
  • AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
  • Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
  • Real-time File Monitor (IDPS)
  • MScan Malware Scanner
  • DB Monitor Intrusion Detection System (IDS)
  • DB Diff Tool: data comparison tool
  • DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
  • DB Status & Info: extensive database status & info
  • Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updating in Real-time
  • JTC Anti-Spam|Anti-Hacker
  • Uploads Folder Anti-Exploit Guard (UAEG)
  • .htaccess Website Security Protection (Firewalls)
  • Hidden Plugin Folders|Files Cron (HPF)
  • Custom php.ini Website Security
  • Login Security & Monitoring w/Dashboard Alerting|Status Display & additional options/features
  • Idle Session Logout (ISL)
  • Auth Cookie Expiration (ACE)
  • F-Lock: Read Only File Locking
  • FrontEnd|BackEnd Maintenance Mode
  • Security Logging
  • HTTP Error Logging
  • PHP Error Logging
  • DB Table Prefix Changer
  • S-Monitor: Monitoring & Alerting Core
  • Pro Tools: 16 mini-plugins
  • Heads Up Dashboard Status Display
  • UI Theme Skin Changer (3 Theme Skins)
  • Extensive System Info

Shield Security: Protection with Smarter Automation


There’s no reason for security to be so darn complicated. It doesn’t have to be this way any longer.

Shield is the easiest security plugin to setup – you simply activate it.

And you can gradually dig deeper, as you’re ready.


You’ve probably been let down in the past, but Shield is the WordPress Security solution that does what it says it’ll do – Protect Your Site.


Receiving constant alerts from your security plugins isn’t “security”. It’s just noise. By the time you receive a notification and respond to it, it’s already too late.

Instead, Shield Security does what it needs to do, and alerts you if and when you need to be informed.

Shield is your Silent Guardian. It doesn’t squawk at you every time a visitor presses against your defenses.

It’ll do its job without moaning at you, and leave you in peace to get on with your job.

Cerber Security, Anti-spam & Malware Scan

Defends WordPress against hacker attacks, spam, trojans and malware.

  • Mitigates brute force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests or using auth cookies.
  • Tracks user and bad actor activity with flexible email, mobile and desktop notifications.
  • Stops spam by using Cerber’s specialized anti-spam engine and Google reCAPTCHA to protect registration, contact and comments forms.
  • Advanced malware scanner, integrity checker and file monitor.
  • Hardens WordPress with a set of flexible security rules and sophisticated security algorithms.
  • Restricts access with Black and White IP Access Lists.

Anti-Malware Security and Brute-Force Firewall



  • Download Definition Updates to protect against new threats.
  • Run a Complete Scan to automatically remove known security threats, backdoor scripts, and database injections.
  • Firewall blocks SoakSoak and other malware from exploiting Revolution Slider and other plugins with known vulnerabilities.
  • Upgrade vulnerable versions of timthumb scripts.

Premium Features:

  • Patch your wp-login and XMLRPC to block Brute-Force and DDoS attacks.
  • Check the integrity of your WordPress Core files.
  • Automatically download new Definition Updates when running a Complete Scan.

Register this plugin at GOTMLS.NET and get access to new definitions of “Known Threats” and added features like Automatic Removal, plus patches for specific security vulnerabilities like old versions of timthumb. Updated definition files can be downloaded automatically within the admin once your Key is registered. Otherwise, this plugin just scans for “Potential Threats” and leaves it up to you to identify and remove the malicious ones.