Looking for the best WordPress security plugin to lock down your WordPress site?
In this post, I’ve collected eight of the best plugins that offer a comprehensive approach to WordPress security (as opposed to plugins with a smaller focus, like just limiting login attempts or adding two-factor authentication).
Hackers don’t sleep, so let’s get right into the list so that you can get your site secured ASAP.
Best WordPress Security Plugins in 2019
1. Wordfence Security
Active on over three million WordPress sites, Wordfence Security is definitely one of the most popular and well-known WordPress security plugins.
It does a great job of protecting your site in a variety of ways, including:
- Web application firewall to block malicious traffic before it can do anything to your site.
- Security scanner to check for malware and other malicious exploits.
- Login page hardening with two-factor authentication and/or a login page CAPTCHA.
- Lots of various security hardening rules.
Wordfence also gives you a really nice dashboard to view important aspects of your site’s security:
While the core Wordfence plugin is free, you’ll need to pay for the premium version if you want access to real-time firewall rules and malware signatures. The free version has to wait 30 days. What this means is that the free version might not protect you against 0-day exploits, but it still does a great job of protecting you from known exploits.
Price: Starts free. Pro starts at $99 per year.
2. iThemes Security
iThemes Security is the flagship security plugin from iThemes, which was acquired by Liquid Web back in early 2018.
Like Wordfence, it comes in both a free and a premium version (the free version was previously named Better WP Security).
iThemes Security gives you 30+ tools to harden your WordPress site’s security. In the free version, that’s tools like:
- Brute force protection
- File permission monitoring
- File change detection
- IP bans
- Etc.
Everything is modular, which means you can easily activate or deactivate features as needed:
With the free version, it doesn’t do any scanning. However, if you upgrade to Pro, you’ll get access to new features like:
- Malware scans
- Two-factor authentication
- User action logs
- reCAPTCHA
It does not have a web application firewall, though – the iThemes team recommends pairing the plugin with Sucuri’s Website Firewall (at the server-level) if you want a firewall.
Price: Limited free version. Pro version starts at $80.
3. All In One WP Security & Firewall
All In One WP Security & Firewall is a 100% free WordPress security plugin, which makes it a great option for those on a budget.
It helps you implement a ton of different security hardening principles, along with a neat scoring system to help you figure out what’s important:
Its changes are comprehensive, covering everything from adding image hotlink protection to file permissions security to a bunch of security hardening tweaks.
Some other notable features are:
- File integrity scans
- Brute force protection
- User account security
All In One WP Security & Firewall also includes a firewall feature, but it’s not quite the same as Wordfence’s firewall, which is actually using constantly-updated rules. All In One WP Security & Firewall’s firewall is more about implementing a standard set of rules and calling it a day.
With that being said, it does also let you implement the 6G firewall security rules from Perishable Press.
Price: 100% free
Get All In One WP Security & Firewall
4. Sucuri Security
There are two parts to the popular Sucuri Security plugin at WordPress.org:
- The free plugin, which implements some basic hardening and file integrity checks.
- The paid Sucuri firewall service, which you can implement via the plugin.
In total, the plugin can help you:
- Monitor file integrity.
- Scan for malware on the front-end of your site using the public security scanner (this would not catch files just sitting on your server).
- Check for blacklisting in Google and other places.
- Track user logins.
- Implement various hardening tips, like blocking PHP files in wp-content.
- Send email alerts for important issues.
If you want to use Sucuri’s firewall, though, you’ll need to pay. The firewall starts at $9.99 per month and also comes with a CDN and DDoS protection.
Price: Limited free version. Firewall service starts at $9.99 per month.
5. SecuPress
SecuPress is another freemium WordPress security plugin that offers a comprehensive approach to WordPress security.
With it, you’ll get access to high-level security features like:
- Brute force protection
- IP blocking
- A firewall
- Security alerts (paid)
- Malware scans (paid)
- Option to block certain countries by geolocation (paid)
Plus, you also get lots of smaller security hardening features, all of which are wrapped up in a nicely-designed interface with a modular approach:
Price: Limited free version at WordPress.org. Pro starts at $65
6. Jetpack/VaultPress
Jetpack and VaultPress are separate plugins, but I’m lumping them together because they both come from Automattic and are part of the same subscription.
First, let’s look at VaultPress:
It takes automatic daily backups of your site and then runs security scans on those backups. This has two benefits:
- It keeps your site safe.
- The security scans happen off your server, which limits the performance hit.
Then, there’s Jetpack, which includes tools like:
- Downtime monitoring
- Secure sign-on
- Brute force protection
Some of the Jetpack features are free, but most of the advanced security features require the paid version.
Price: Jetpack Personal, which includes VaultPress, starts at $39 per year.
7. WP Cerber
WP Cerber helps protect your site from malicious actors, malware, and spam.
To accomplish this, it gives you a ton of different security tools including:
- Live traffic inspector
- Firewall
- IP whitelisting and blacklisting
- Two-factor authentication
- Malware scanner and file integrity checker
- Built-in anti-spam engine
- Login page hardening, with an option to limit login attempts
- …lots more – there are a lot of security features (seriously)
And you can access all of these settings in a well-designed interface:
Above, you can see the live traffic inspector tool where WP Cerber accurately logged my failed login attempt.
Price: Start for free. Pro version starts at $99 per year.
8. MalCare
MalCare helps you scan your site for malware and remove any malware that the tool finds. That latter part is important! Like VaultPress, it does these scans by copying the files to an offsite location and scanning them there, which lessens the load on your server.
I snagged this back when it was an AppSumo deal and I was happy with my purchase.
In addition to finding and removing malware, it can also help you with:
- A real-time firewall
- Basic WordPress security hardening
- Captcha-based login protection
- Lots of smaller hardening, like disabling the file editor and protecting your uploads folder
You can also pair MalCare with BlogVault, from the same developer, if you want access to automatic backups, too.
Price: Starts at $99 per year
Create a More Secure WordPress Site
That wraps up our collection of the best WordPress security plugins.
Of course, there’s more to WordPress security than just installing a WordPress security plugin.
So in addition to using whichever plugin first your needs, I’d also recommend checking out our other posts on the topic:
Have any questions about picking the best WordPress security plugin for your needs? Let us know in the comments!
