There are many different security plugins available for WordPress. Below are the most recommended WordPress security plugins and a brief explanation of the plugin from the developers.
WordPress Core Security
Wordfence Security – Firewall & Malware Scan
By: Wordfence
Notes from the plugin developer: “Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups. Wordfence is now Multi-Site compatible.”
Read our Wordfence installation guide.
All In One WP Security & Firewall
By: Tips and Tricks HQ, Peter Petreski, Ruhul, Ivy
Notes from the plugin developer: “WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.”
Cerber Security, Antispam & Malware Scan
By: Gregory
Notes from the plugin developer: “Defends WordPress against hacker attacks, spam, trojans and malware. Mitigate brute force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests or using auth cookies. Restricts access with the Black IP Access List and the White IP Access List. Tracks user and intruder activity with powerful email, mobile and desktop notifications. Stop spam: activates Cerber antispam engine and Google reCAPTCHA for protecting registration, contact and comments forms. Hardening WordPress with a set of security rules and comprehensive algorithms. Malware scanner, integrity checker, file monitor.”
BulletProof Security
Notes from the plugin developer: “WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. Security Logging. HTTP Error Logging.”
Blackhole for Bad Bots
By: Jeff Starr
Notes from the plugin developer: “Add your own virtual Blackhole trap for bad bots. The Blackhole plugin includes a hidden link to your pages. You then add a line to your robots.txt file that forbids bots from following the hidden link. Bots that ignore or disobey your robots rules will crawl the link and fall into the honeypot trap. Once trapped, bad bots are denied further access to your WordPress-powered website.”
Look-See Security Scanner
By: Blobfolio, LLC
Notes from the plugin developer: “Look-see Security Scanner is a relatively quick and painless way to locate the sorts of file irregularities that turn up when a site is hacked. This is broken down into multiple searches: Verify the integrity of all core WordPress files; Search wp-admin/ for unexpected files; Search wp-includes/ for unexpected files; Search wp-content/uploads/ for hidden PHP scripts;.”
Sucuri Security
By: Sucuri
Notes from the plugin developer: The Sucuri WordPress plugin “will monitor file changes, provide audit trails, apply hardening features and detect various types of malware, SPAM, and other infections. [It] allows Sucuri Firewall clients to access the Firewall dashboard without logging into their Sucuri account. It takes the most common features, like clearing cache and daily monitoring and makes it available to you via your WordPress administration dashboard.”
Read our installation guide.
Jetpack
By: Jetpack
Notes from the plugin developer: “Jetpack Premium and Professional plans include daily, automated security scanning and one-click threat resolution. Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site. Jetpack’s site management tools allow you to choose which plugins update automatically. [Jetpack will also] automatically filter of comments, pingbacks, and contact form submissions for known spam.”
Read our Jetpack Security Features article.
BoldGrid Backup
By: BoldGrid.com
Notes from the plugin developer: “The WordPress backup plugin by BoldGrid is an automated backup solution that allows you to secure, restore or move your website with ease. [It can add] filters so that any plugin that has an update available will update. Before WordPress does any auto updates, […] a backup will occur before the auto update.”
Read our Boldgrid Backup guide.
Forms Security
Caldera Forms – More Than Contact Forms
By: Caldera Labs
Notes from the plugin developer: “Caldera Form is a free and powerful WordPress plugin that creates responsive forms with a simple drag and drop editor. Caldera Forms has many free user-friendly add-ons for both beginners and web developers.”
Image Security
Secure Image Protection
By: ArtistScope
Notes from the plugin developer: “Insert Secure Image Pro encrypted images to pages and posts from your WordPress page editor that are supported across all web browsers on all operating systems, ie: Windows, Mac and Linux. Hand-held devices that can use Java will also be supported. Easy install. Upload and embed encrypted images using WordPress native media tools.”
Become a master of WordPress plugins! Protect, optimize, secure, and expand the functionality of your website easily with the help of WordPress plugins!
What plugin is best for stopping spam coming from our contact us form on our website? Thank you.
Contact Form 7 has built-in security features and works well with Akismet and Google ReCAPTCHA.
Do you recommend the in the order in which you listed them? — i.e. WordFence is no. 1 on your list? Are there any that you think are simpler for “regular people” to manage, but still give good protection. I know that for some of these plugins, there are some dangerous settings! Thanks.
Hello Susan,
They are not listed in order of preference, but WordFence was one of the better ones. As for which one is easier to use, that is entirely up to the individual so feel free to see which one you are more comfortable with.
Kindest Regards,
Scott M
Do you need to install more than one? I was thinking of installing the All In One WP with the Wordfence security plugins. Bad Idea?
It is typically a good idea to only install one of these as multiple installations of different security plugins can cause unexpected results.
Hi,
Is there any chance that you could please include the All In One WP Security & Firewall plugin on your “recommended-security-plugins” page?
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
As this is indeed a great plugin to use, I have added it to our list.