Recommended WordPress Security plugins

There are many different security plugins available for WordPress. Below are the most recommended WordPress security plugins, each with a brief description from its developer.

WordPress Core Security

Wordfence Security – Firewall & Malware Scan

By: Wordfence

Notes from the plugin developer: “Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups. Wordfence is now Multi-Site compatible.”

Read our Wordfence installation guide.

All In One WP Security & Firewall

By: Tips and Tricks HQ, Peter Petreski, Ruhul, Ivy

Notes from the plugin developer: “WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.”

Cerber Security, Antispam & Malware Scan

By: Gregory

Notes from the plugin developer: “Defends WordPress against hacker attacks, spam, trojans and malware. Mitigate brute force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests or using auth cookies. Restricts access with the Black IP Access List and the White IP Access List. Tracks user and intruder activity with powerful email, mobile and desktop notifications. Stop spam: activates Cerber antispam engine and Google reCAPTCHA for protecting registration, contact and comments forms. Hardening WordPress with a set of security rules and comprehensive algorithms. Malware scanner, integrity checker, file monitor.”

BulletProof Security

By: AITpro Website Security

Notes from the plugin developer: “WordPress Website Security Protection: BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. Security Logging. HTTP Error Logging.”

Blackhole for Bad Bots

By: Jeff Starr

Notes from the plugin developer: “Add your own virtual Blackhole trap for bad bots. The Blackhole plugin includes a hidden link to your pages. You then add a line to your robots.txt file that forbids bots from following the hidden link. Bots that ignore or disobey your robots rules will crawl the link and fall into the honeypot trap. Once trapped, bad bots are denied further access to your WordPress-powered website.”

Look-See Security Scanner

By: Blobfolio, LLC

Notes from the plugin developer: “Look-see Security Scanner is a relatively quick and painless way to locate the sorts of file irregularities that turn up when a site is hacked. This is broken down into multiple searches: Verify the integrity of all core WordPress files; Search wp-admin/ for unexpected files; Search wp-includes/ for unexpected files; Search wp-content/uploads/ for hidden PHP scripts.”

Sucuri Security

By: Sucuri

Notes from the plugin developer: The Sucuri WordPress plugin “will monitor file changes, provide audit trails, apply hardening features and detect various types of malware, SPAM, and other infections. [It] allows Sucuri Firewall clients to access the Firewall dashboard without logging into their Sucuri account. It takes the most common features, like clearing cache and daily monitoring and makes it available to you via your WordPress administration dashboard.”
Read our installation guide.


By: Jetpack

Notes from the plugin developer: “Jetpack Premium and Professional plans include daily, automated security scanning and one-click threat resolution. Jetpack Protect allows you to protect yourself against traditional brute force attacks and distributed brute force attacks that use many servers against your site. Jetpack’s site management tools allow you to choose which plugins update automatically. [Jetpack will also] automatically filter comments, pingbacks, and contact form submissions for known spam.”
Read our Jetpack Security Features article.

BoldGrid Backup


Notes from the plugin developer: “The WordPress backup plugin by BoldGrid is an automated backup solution that allows you to secure, restore or move your website with ease. [It can add] filters so that any plugin that has an update available will update. Before WordPress does any auto updates, […] a backup will occur before the auto update.”
Read our BoldGrid Backup guide.

Forms Security

Caldera Forms – More Than Contact Forms

By: Caldera Labs

Notes from the plugin developer: “Caldera Forms is a free and powerful WordPress plugin that creates responsive forms with a simple drag and drop editor. Caldera Forms has many free user-friendly add-ons for both beginners and web developers.”

Image Security

Secure Image Protection

By: ArtistScope

Notes from the plugin developer: “Insert Secure Image Pro encrypted images to pages and posts from your WordPress page editor that are supported across all web browsers on all operating systems, ie: Windows, Mac and Linux. Hand-held devices that can use Java will also be supported. Easy install. Upload and embed encrypted images using WordPress native media tools.”


John-Paul Briones Content Writer II

John-Paul is an Electronics Engineer that spent most of his career in IT. He has been a Technical Writer for InMotion since 2013.



  • Do you recommend them in the order in which you listed them? — i.e. WordFence is no. 1 on your list? Are there any that you think are simpler for “regular people” to manage, but still give good protection? I know that for some of these plugins, there are some dangerous settings! Thanks.

    • Hello Susan,

      They are not listed in order of preference, but WordFence was one of the better ones. As for which one is easier to use, that is entirely up to the individual so feel free to see which one you are more comfortable with.

      Kindest Regards,
      Scott M

  • Do you need to install more than one? I was thinking of installing the All In One WP with the Wordfence security plugins. Bad Idea?

    • It is typically a good idea to only install one of these as multiple installations of different security plugins can cause unexpected results.

  • Hi,

    Is there any chance that you could please include the All In One WP Security & Firewall plugin on your “recommended-security-plugins” page?
