Most of us don’t worry about the security of our WordPress website until it’s too late. Security, backups and website recovery are, most of the time, an afterthought.
Avoiding potential problems until it’s too late is human nature, and that will probably never change – for most people. I’d encourage you to be proactive when it comes to WordPress security. Spending just a small amount of time planning and preparing can reduce the risk of your website being hacked.
Best WordPress Security Plugins
In this post, we’re going to cover some of the best WordPress security plugins out there. Some of the plugins reviewed offer more specific functionality than others so before making a choice, be sure you’re comparing features properly.
WordPress Security Vulnerabilities
The number of potential security vulnerabilities faced by WordPress websites is actually much greater than most people realize. Typically we think of the obvious things like using strong passwords and keeping WordPress core files up to date. Truth be told, those particular items cover only a small percentage of the total vulnerabilities. Other things that need to be considered include:
- Server vulnerabilities
- Theme security
- Plugin security
- File permissions
- Securing specific files and directories (like wp-admin, wp-config.php and wp-includes)
- Database security
- Computer vulnerabilities
- FTP vulnerabilities
- and more
As you can see, the list is long and we’ve only just scratched the surface. To make matters more complicated, no single plugin is really capable of covering all the security holes. And that shouldn’t really be your goal either; after all, managing WordPress security is a balancing act. You could spend all day trying to secure your website, but hey, you’ve also got a business to run, right?
How to Tell if Your WordPress Site Has Been Hacked
Figuring out whether or not your WordPress site has been hacked is not always as easy as you might think. There are a few ways to assess your site, none of which is perfect or foolproof. Other than that, it comes down to plain old detective work – and hackers are a sneaky bunch.
Performing regular scans of your website using free third-party services is a good idea. Google Webmaster Tools is the best place to start since their interpretation of your website will have the greatest impact on your ranking within the SERPs. Just be aware that even GWT is prone to errors – a problem-free website in Google’s eyes may, in fact, have problems. Also, remember to take a look at how your site is indexed by typing “site:yourwebsite.com” into Google search. Scan through a decent sampling of your page/post results and look for anything suspicious.
A free service like Sucuri Site Check will scan your site at no cost. Most of the time, Sucuri will alert you to any sign of malware, spam injections, defacing or blacklisting. Alternatively, there are also inexpensive paid services like CodeGuard that will back up your website every day and alert you to any changes.
Finally, it’s always a good idea to keep an eye on your Google Analytics account for anything unusual. Although GA can be a little tricky these days with referral traffic causing traffic spikes, you should still keep an eye on the long-term patterns. Monitoring bandwidth use through your host’s cPanel is advisable as well.
Sorting Through the Best WordPress Security Plugins
Protecting your website from the more common WordPress security threats will put you in a much better position than most other sites. The vast majority of website owners don’t give a second thought to security until it’s too late.
Don’t be fooled into thinking that you’ll be able to achieve a 100% secure website – it’s just not realistic. Instead, set yourself a more reasonable goal of limiting your risk and protecting against some of the more common threats.
Remember that protecting against non-targeted attacks is always easier since they are automated and typically scan for common vulnerabilities. Targeted attacks are much more difficult to protect against since it’s your website versus the hacker. Anytime you have an individual who is willing to take time out of their day to analyze your specific website for vulnerabilities, there is an increased risk.
#1. iThemes Security
iThemes Security is available in free and commercial versions
As one of the more popular WordPress security plugins, iThemes Security offers both a free and a premium version, which means there is really no excuse for failing to improve your current security situation. Several pricing options are available, including:
- $80/year for 2 sites + 12 months of support and updates
- $100/year for 10 sites + 12 months of support and updates
- $150/year for unlimited sites and 12 months of support and updates
iThemes manages to cover most of the common security threats including:
- Brute force protection.
- Monitoring core files for any changes.
- Hiding both the login and admin pages.
- Locking out users who enter their username or password incorrectly too many times.
- Two-factor authentication.
- Logging user actions.
- Forcing strong passwords for specific user roles, and checking file permissions.
- Ticketed support is also available to all pro users.
With over 30 different ways that iThemes improves the security of your website, there are a few things to be aware of before jumping in. If you’re installing the plugin on an existing site, there is a possibility that some of the changes might break your site. Of particular concern are the changes made to the database and changing the path of your wp-content directory. As a precaution, you should make sure you back up your website before activating the plugin or enabling any new features.
#2. Wordfence
Wordfence can also protect your site for free
Wordfence is the second security plugin on our list to feature both a free and a premium version. Depending upon how many licenses you are purchasing and how long each license is valid for, Wordfence can provide some fairly steep discounts. For example, while a single-site 1-year license will cost you $39, a 5-year license will cost just $29.25/year. If you’re running multiple websites or purchasing licenses for client sites, you could pick up 10 license keys good for 12 months at $16.90 each. As you can see, the cost drops significantly with greater volume.
Wordfence is more than just a standalone plugin – at regular (free version) or customized intervals, Wordfence servers will scan your site for file changes, code injections, malware, or known backdoors. The premium option offers advanced scanning options so you can coordinate scans with low traffic periods.
Taking a slightly different approach than iThemes Security, Wordfence specializes in the following tasks:
- Scanning for file changes
- Blocking IP addresses
- Two-factor authentication
- Country blocking and country redirects
- Custom alerts
As you can see, Wordfence does a lot to improve the chances of keeping your site secure. It offers some different functionality than the other plugins covered in this post and there is less risk of problems compared to some of the other plugins.
#3. All in One WP Security
All in One is a very popular free option
Probably the top free WordPress security tool, All in One WP Security currently shows over 200,000 installations (versus 600K for iThemes). Using a convenient grading system, this plugin makes it relatively easy to see the areas where your website security might need to be improved. The main dashboard has an indicator that ranks your current level of security between 0 and 470 depending upon how many features are currently enabled.
With this plugin, there is also the risk of breaking your site. To reduce the likelihood of this happening they have implemented three categories of changes – basic, intermediate and advanced. The basic features are relatively safe to activate, while the intermediate and advanced changes have the potential to break some of your website’s functionality. If something goes wrong there are detailed instructions for fixing the problem, but it’s still a good idea to err on the side of caution.
Each primary security feature is contained within its own sub-menu and is supported by a detailed description so you know exactly what you’re changing. A more extensive list of security features includes:
- The ability to disable the WP Meta information
- Monitoring user accounts for obvious vulnerabilities
- Brute Force login attack prevention that’s more extensive than the Limit Login Attempts Plugin
- A setting that requires you to manually approve new user registrations
- Database prefix management
- Protection of specific files, including the ability to disable editing of PHP files from within the dashboard
- Blacklisting users based upon their IP address or a range of IP addresses
- Basic firewall protection
- Changing the login page URL, cookie-based logins, as well as Captchas and whitelists
- Comment spam prevention
- File change detection
- Disabling text copying and the loading of your site in an iframe
#4. Sucuri Security
Sucuri offers scanning and monitoring
Sucuri offers a free plugin which is available in the WordPress repository. Much like Sucuri’s free web-based scanning tool, the plugin is designed primarily as a method of alerting you to potential problems with your site. There are four primary areas that this plugin can help with:
The first has to do with monitoring and recording all activity within your WordPress installation. Sucuri attempts to keep an accurate log of who’s doing what and when. This particular feature is the equivalent of having a security camera set up to monitor what’s happening on your site – which users are logging in and what are they doing while they’re there.
Another key feature of Sucuri Security is the monitoring of all files, including WP core, themes, and plugins. If you plan to use this feature properly, it’s important to make sure that the plugin is being installed on a clean site. As soon as the plugin is activated it takes a snapshot of all files under the assumption that they are known to be good. From that point forward, you’ll be notified of any changes – including the addition of new files.
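The snapshot-and-compare approach described above, as an added example that is not Sucuri’s plugin code or part of the original post: it baselines SHA-256 digests of every file under a directory and later reports what was added, removed or modified. The miniature WordPress tree and its file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every file under root (path relative to root, POSIX form) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshots(baseline, current):
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: a tiny fake WordPress tree, baselined, then changed."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php // constructed config\n")
        (root / "wp-includes" / "version.php").write_text("<?php // constructed core file\n")
        baseline = snapshot(root)  # taken while the install is known to be clean
        # Three changes a file monitor should surface: an edited config,
        # a new PHP file that appeared in uploads, and a missing core file.
        (root / "wp-config.php").write_text("<?php // constructed config, now edited\n")
        (root / "wp-content" / "uploads" / "unexpected.php").write_text("<?php\n")
        (root / "wp-includes" / "version.php").unlink()
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    # In real use, persist the baseline (json.dump(snapshot(site_root), fh))
    # somewhere outside the web root; here we only print the detected differences.
    print(json.dumps(demo(), indent=2))
```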
Malware and blacklist monitoring are provided and powered by Sucuri’s free scanner. You’ll also be able to tell if your website has been added to one of the many blacklist engines.
Finally, the plugin also helps you take some of the basic but critical steps necessary to harden your website security including:
- Removing the WordPress version information
- Protecting the uploads directory from browsing and PHP execution
- Restricting access to wp-content and wp-includes
- Verifying your security keys
- Restricting access to the file editor from within the WordPress dashboard.
#5. BulletProof Security
BulletProof Security is packed with features
Although their website is somewhat antiquated, BulletProof Security continues to be a popular WordPress security plugin in the repository with over 100k downloads. BPS offers two versions of their plugin – free and paid. The paid version is a one-time purchase of $59.95 and includes lifetime updates and technical support as well as unlimited installations.
The list of features included with BulletProof Security is too long to reproduce in full, but it includes:
- An easy one-click setup
- .htaccess protection against XSS, RFI, CSRF, Base64, SQL injection and other hacking attempts
- Login security and monitoring including max login attempts and lockout time
- Database backups
- Database prefix changes
- File monitoring and quarantine of uploaded files
- Email alerts for a variety of user actions
- Many more
Even though their website is in need of work, their support forums are active within the WordPress repository and questions from users appear to be addressed quickly.
This security plugin for WordPress performs deep scans of all website files to secure WordPress. It detects backdoors, rootkits, trojan horses, worms, fraudtools, adware, spyware and hidden links, and takes the necessary actions to remove them. The virus database is updated daily, and any threats detected on your site will be visible in the WordPress admin area and can also be sent to you by email. Data is scanned using the Siteguarding.com API.
#7. Clef
This plugin is an interesting way to log in to your WordPress site. With the Clef app open on your phone, hold it in front of the WordPress login screen and line up the patterns on both devices. They should “detect” each other and you should be able to log in to your WordPress site.
This is great for people who might have trouble remembering their passwords, or simply want a more secure way to log in. The service has free and pro versions, and the mobile app is available for iOS and Android.
Two-factor or two-step authentication is used by this plugin when a user logs in to a WordPress site. In addition to entering a user name and password, another method of authentication is used, such as a text message, voice call or a mobile app. It also supports security keys plugged into the USB port.
The second step is only required once per device, so if you only use one device, you don’t have to enter the second authentication method again. You’ll only do it again if you log in to another device.
This plugin for WordPress security does only one thing: protect your website against brute force attacks using .htaccess. The plugin blocks an IP address for a specified period of time if it keeps attempting to log in with the wrong user name and password.
#10. VaultPress
VaultPress is a premium subscription service made by Automattic, the makers of WordPress. This WordPress security plugin offers an easy way to back up your site daily or in real time, syncing all of your site content. In addition to daily backups, the service also scans and removes threats found in your files.
You can choose from two bundles, Backup or Security, or get both. The Backup bundle costs $9/month or $99/year and the Security bundle costs $29/month or $299/year.
#11. Acunetix WP Security Scan
Acunetix WP Security Scan is the WordPress security plugin by Acunetix. Acunetix is a well-known company in web application security. It offers a security scanning tool to find vulnerabilities in web applications. This plugin helps you to secure your WordPress website and suggests measures to improve its security. It offers file permission security, version hiding, admin protection, removing the WP generator tag from the source, and database security.
It removes various information from the source code of the page which can be used in the information gathering process before an attack. This includes theme update information, plugin update information, the Really Simple Discovery meta tag, the WordPress version, the Windows Live Writer meta tag, error information from the login page, versions from scripts, versions from stylesheets, and database and PHP error reporting.
It also offers a database backup tool to take a backup of your website. With its live traffic monitor tool, you can check traffic in real time. It also scans your website to notify you of known web application vulnerabilities.
#12. 6Scan Security
6Scan Security is a popular auto-fix protection for your WordPress site. It can protect your website from hackers. It offers rule-based protection for your website and tries to keep the security of your website up to date.
It has a security scanner which scans and protects your website against SQL injection, Cross Site Scripting, CSRF, directory traversal, remote file inclusion, DoS attacks and other OWASP top ten security vulnerabilities.
A notable feature of the plugin is its automatic vulnerability fix. When it finds any vulnerable code, it applies auto-fix by using its auto-fix server-side agent solution. It also has an automatic malware fix for malware related issues on your website. Like other plugins, it also sends email notifications if there is anything serious in your website.
Taking any security measure to protect your WordPress site can be considered proactive and will put you in a better position than someone who chooses to do nothing. There are several high-quality security plugins available, all of which are capable of making your website more secure – including the free versions.
While there is no such thing as a site being 100% secure, you’re always better leaning towards the side of caution. Even with a security plugin installed, it’s still important to keep an eye out for anything unusual on your site that could indicate a problem. As well, remember that the higher profile your site becomes the greater the risk of a targeted attack.
If you’re currently using any of the plugins covered in this post, please share your experience in the comments.