X

10+ Best Free WordPress Security Plugins (UPDATED 2020)

Defender WordPress Security, Malware Detection, and Firewall

Defender adds the best in WordPress security to your website with just a few clicks. Stop brute force attacks, SQL injections, cross-site scripting XSS, and other WordPress vulnerabilities with Defender malware scans, firewall, and two-factor authentication login security.

No longer do you have to go through hideously complex settings and get a virtual PhD in security. Defender adds all the hardening and security tweaks you need. Defender’s regular security scans, vulnerability reports, audit logs, 2-factor authentication, safety recommendations, blacklist monitoring, IP lockout device, simple security tweaks, core, plugin and theme code checker and login masking are too much for even the most wily villain.

WordFence Security

Wordfence starts by checking if your site is already infected. We do a deep server-side scan of your source code comparing it to the Official WordPress repository for core, themes and plugins. Then Wordfence secures your site and makes it up to 50 times faster.

THE MOST POPULAR WORDPRESS FIREWALL & SECURITY SCANNER

Wordfence includes an endpoint firewall and malware scanner that were built from the ground up to protect WordPress. Our Threat Defense Feed arms Wordfence with the newest firewall rules, malware signatures and malicious IP addresses it needs to keep your website safe. Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.

WORDPRESS FIREWALL

  • Web Application Firewall identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
  • [Premium] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • [Premium] Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
  • Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives does not break encryption, cannot be bypassed and cannot leak data.
  • Integrated malware scanner blocks requests that include malicious code or content.
  • Protection from brute force attacks by limiting login attempts.

WORDPRESS SECURITY SCANNER

  • Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
  • [Premium] Real-time malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
  • Compares your core files, themes and plugins with what is in the WordPress.org repository, checking their integrity and reporting any changes to you.
  • Repair files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.
  • Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.

LOGIN SECURITY

  • Two-factor authentication (2FA), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
  • Login Page CAPTCHA stops bots from logging in.
  • Disable or add 2FA to XML-RPC.
  • Block logins for administrators using known compromised passwords.

iThemes Security

ITHEMES SECURITY IS THE #1 WORDPRESS SECURITY PLUGIN

iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software.

Most WordPress admins don’t know they’re vulnerable, but iThemes Security works to lock down WordPress, fix common holes, stop automated attacks and strengthen user credentials. With advanced features for experienced users, our WordPress security plugin can help harden WordPress.

MAINTAINED AND SUPPORTED BY ITHEMES

iThemes has been building and supporting WordPress tools since 2008 like BackupBuddy, our WordPress backup plugin. With our full range of WordPress plugins, themes and training, WordPress security is the next step in providing you with everything you need to build the WordPress web.

PROTECT

iThemes Security works to protect your site by blocking bad users and increasing the security of passwords and other vital information.

  • Prevents brute force attacks by banning hosts and users with too many invalid login attempts
  • Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
  • Bans troublesome user agents, bots and other hosts
  • Strengthens server security
  • Enforces strong passwords for all accounts of a configurable minimum role
  • Forces SSL for admin pages (on supporting servers)
  • Forces SSL for any page or post (on supporting servers)
  • Turns off file editing from within WordPress admin area
  • Detects and blocks numerous attacks to your filesystem and database

DETECT

iThemes Security monitors your site and reports changes to the filesystem and database that might indicate a compromise. iThemes Security also works to detect bots and other attempts to search vulnerabilities.

  • Detects bots and other attempts to search for vulnerabilities.
  • Monitors filesystem for unauthorized changes.
  • Run a scan for malware and blacklists on the homepage of your site.
  • Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.

Securi Scanner

Sucuri SiteCheck will check your site for malware, spam, blacklisting and other security issues like .htaccess redirects, hidden eval code, etc. The best thing about it is it’s completely free.

Sucuri Inc. is a globally recognized authority in all matters related to website security, with specialization in WordPress Security.

The Sucuri Security WordPress plugin is free to all WordPress users. It is a security suite meant to complement your existing security posture. It offers its users a set of security features for their website, each designed to have a positive effect on their security posture:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (premium)

AntiVirus

AntiVirus for WordPress is a easy-to-use, safe tool to harden your WordPress site against exploits, malware and spam injections.
You can configure AntiVirus to perform an automated daily scan of your theme files and database tables. If the plugin happens to detect any suspicious code injections, it will send out a notification to a previously configured e-mail address.

In case your WordPress site has been hacked, AntiVirus will help you to become aware of the problem very quickly in order for you to take immediate action.

FEATURES

  • Virus alert in the admin bar
  • Cleaning up after plugin removal
  • Daily scan with email notifications
  • Database tables and theme templates checks
  • Whitelist solution: Mark suspected cases as “no virus”
  • Manual check of template files with alerts on suspected cases
  • Optional: Google Safe Browsing for malware and phishing monitoring.

CONTRIBUTE

  • Active development of this plugin is handled on GitHub.
  • Pull requests for documented bugs are highly appreciated.
  • If you think you’ve found a bug (e.g. you’re experiencing unexpected behavior), please post at the support forums first.
  • If you want to help us translate this plugin you can do so on WordPress Translate.