If you put your heart and soul into a website, you want to protect it. If your website represents your business or helps you earn money, you need to keep it secure.
That’s where WordPress security plugins come in.
WordPress is a secure platform. However, with around 455 million websites using it, there’s a lot of temptation to try to hack, attack or cause problems.
That’s why we strongly recommend every website uses at least one security plugin.
With 30,000 websites hacked every day and 64% of companies having experienced cyber attacks, it’s essential you protect what’s yours.
Security plugins add extra features such as firewalls, malware scanning and the ability to automatically block IP addresses that try to attack you.
There are dozens of WordPress security plugins to choose from. Some are free and some are paid for, but which should you choose?
That’s a question this post seeks to answer.
If you’re in a hurry, you can check out the list right here – but we’d recommend reading through the whole post to better understand what each tool does:
| Plugin | Purpose | Free Option? | Price for Pro |
| --- | --- | --- | --- |
| Sucuri | DNS-level firewall + security hardening | ✅ | $16.66 / month |
| WebARX | Application-level firewall + vulnerability monitoring | ❌ | $14.99 / month |
| Wordfence | Hardening, login protection, application firewall + malware scanning | ✅ | $99 / year |
| MalCare | Malware scanning + basic firewall and hardening | ✅ | $99 / year |
| Cloudflare | DNS-level security | ✅ | $20 / month |
| iThemes Security | Security hardening, login protection + malware scanning | ✅ | $80 / year |
| All In One WP Security & Firewall | Security hardening + login protection | ✅ | N/A – 100% free |
| Cerber Security | Hardening, login protection, application firewall + malware scanning | ✅ | $99 / year |
| VaultPress | Backups + malware scanning | ✅ | $39 / year |
| Security Ninja | Basic security hardening + malware scanning | ✅ | $39 / year |
Before we get to the security plugins below, it’s important to explain the difference between a plugin that works at the application level and a firewall that works at the DNS level.
Understanding How These Tools Protect You – Firewalls vs Plugins
A firewall stops threats by automatically filtering out malicious IP addresses and actions. For example, if a malicious bot tries to access your login page to run a brute force attack, a firewall would block that bot before it could even load your page.
There are two types of firewalls you’ll see in this post:
- DNS-level firewall
- Plugin-level firewall (i.e. a firewall that works at the application level)
We recommend using a DNS-level firewall because it can filter out threats before they even reach your server. If you use a plugin-level firewall, the firewall will only start working once the threat has already hit your server.
With that being said, WordPress security plugins that work at the application level are still beneficial because they can help you implement…
- Basic hardening, e.g. disabling file editing, enforcing correct file permissions, etc.
- Login hardening, e.g. limiting login attempts, CAPTCHAs, two-factor authentication, etc.
- Malware and file integrity scans to find malicious files on your server
- User activity logging
For best results, we recommend combining a DNS-level firewall with a WordPress security plugin:
- The firewall will filter out many threats before they even reach your server.
- The plugin will make sure that your site is more likely to withstand any threats that make it through the firewall.
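The "limiting login attempts" item above, as an added example that is not code from any plugin on this page: a sliding-window limiter that locks out a source address after too many failed logins. The `LoginLimiter` class, the `simulate` helper and the `EVENTS` list are all constructed here for illustration. Note that everything this code rejects has already reached the server and been handed to the application, which is exactly the limitation the section draws between plugin-level and DNS-level filtering.

```python
"""Sliding-window login-attempt limiter (constructed example, not plugin code)."""
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a source after max_failures failed logins inside window_seconds."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=1800):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        """True while a lockout is active; expired lockouts are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed attempt; returns True when it triggers a lockout."""
        recent = self._failures[ip]
        recent.append(now)
        # Drop failures that have aged out of the sliding window.
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout_seconds
            recent.clear()
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that source."""
        self._failures.pop(ip, None)


# Constructed attempt log: (timestamp in seconds, source IP, password correct?)
EVENTS = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),
    (30, "203.0.113.7", False),
    (40, "203.0.113.7", False),    # fifth failure inside the window -> lockout
    (50, "203.0.113.7", False),    # rejected without checking the password
    (60, "198.51.100.9", True),    # a different source is unaffected
    (1900, "203.0.113.7", True),   # lockout expired at t=1840, so allowed again
]


def simulate(events, limiter=None):
    """Replay events and return one decision per attempt."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for ts, ip, ok in events:
        if limiter.is_locked(ip, ts):
            decisions.append("blocked")
        elif ok:
            limiter.record_success(ip)
            decisions.append("allowed")
        elif limiter.record_failure(ip, ts):
            decisions.append("locked")
        else:
            decisions.append("failed")
    return decisions


if __name__ == "__main__":
    for event, decision in zip(EVENTS, simulate(EVENTS)):
        print(event, "->", decision)
```

Two practical caveats. Keying on the client IP only works when the application sees the real client address: behind a DNS-level proxy such as Sucuri or Cloudflare the socket peer is the proxy, so the forwarded client address must be read from the proxy's header and trusted only when the connection really comes from the proxy's ranges. And a per-IP lockout can lock out every user behind a shared NAT address, which is why plugins usually pair it with CAPTCHAs or two-factor authentication rather than relying on it alone.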
1. Sucuri
Sucuri offers two WordPress security tools:
- A free security hardening plugin at WordPress.org
- A paid DNS-level firewall and CDN service
Essentially, it’s following the same approach that we recommend – pairing a security hardening plugin with a DNS-level firewall.
The free plugin at WordPress.org will help you:
- Monitor file integrity
- Implement basic hardening best practices
- Monitor your site in Google Safe Browsing
Then, the premium firewall service will automatically filter threats at the DNS level and protect you from DDoS attacks. The firewall service also includes a CDN, which can help speed up your global load times.
The firewall and CDN service starts at $16.66 per month per site. Or, you can also get the full Sucuri platform, which includes malware scans and hack cleanup with higher plans.
2. WebARX
WebARX is a cloud-based website security platform that makes it really easy to manage the security for multiple WordPress sites from one convenient dashboard.
WebARX’s core service is an application-level firewall. While we think a DNS-level firewall is generally a better approach for WordPress security, WebARX’s application-level firewall is still more comprehensive than most of the other application-level firewalls you’ll see in WordPress security plugins.
Beyond its firewall functionality, WebARX also implements some WordPress-specific security rules including:
- Two-factor authentication
- Brute force protection
- User activity logs
- Theme/plugin vulnerability monitoring
As mentioned, one of the most convenient things about WebARX is how easy it makes managing multiple sites. So if you’re managing websites for clients, WebARX can simplify that process for you.
WebARX offers a 14-day free trial. After that, paid plans start at $14.99 per month per site.
3. Wordfence
By the numbers, Wordfence is definitely the most popular WordPress security plugin – it’s active on over 3 million WordPress sites.
It offers a generous free version with a comprehensive approach to WordPress security:
- Basic security hardening
- Login protection, including two-factor authentication
- Malware scanning and file integrity monitoring
- An application-level endpoint firewall
If you’re managing multiple WordPress sites, it also has a convenient Wordfence Central feature that lets you manage multiple sites from a single cloud dashboard.
After that generous free version, there’s also a $99 Pro version that offers real-time updates to firewall and malware signatures, along with some other perks. The free version’s signatures are delayed by 30 days.
4. MalCare
MalCare is primarily a WordPress malware scanning and removal plugin, though it does include some basic hardening and an application-level firewall.
One of the most distinctive things about this tool is its approach to malware scanning. Rather than scanning the actual files on your server, MalCare copies your files to MalCare’s servers and scans them there. The benefit of this approach is that it won’t slow down your live website.
If MalCare does find any issues, the premium version lets you fix problems with one click.
Beyond the malware scanning functionality, MalCare also helps with:
- A basic application-level firewall to block malicious IP addresses
- CAPTCHA login protection
- Basic security hardening like disabling file editing and protecting your uploads folder
It also provides a cloud dashboard that makes it simple to manage multiple WordPress sites.
You can try out the malware scanning with a limited free plugin at WordPress.org. The Pro version starts at $99 per year.
5. Cloudflare
Cloudflare is a reverse proxy that can help secure and speed up your WordPress site. Like Sucuri, it’s able to secure your site at the DNS level to stop threats before they even reach your server.
To use Cloudflare, you’ll change your domain’s nameservers to point to Cloudflare’s nameservers. Then, Cloudflare will automatically filter out malicious bot traffic and also speed up your site with a global CDN.
Two unique things about Cloudflare are its:
- Comprehensiveness. Cloudflare is a lot more than just security, it’s also a great performance optimization tool in its own right.
- Flexibility. Through the Cloudflare dashboard, you can set up your own custom security rules and change your site’s overall security level. For example, you can apply more strict security to just your WordPress admin area.
Cloudflare includes a free service that provides basic DNS-level protection (and the CDN). However, if you want access to Cloudflare’s DNS-level web application firewall, you’ll need the $20 per month Pro plan.
6. iThemes Security
iThemes Security is a freemium plugin that helps you implement security hardening and file scanning.
The free version at WordPress.org helps you:
- Protect your login page by limiting login attempts and enforcing strong passwords
- Harden WordPress security by disabling file editing, fixing file permissions, etc.
- Check your site against malware blacklists to catch issues
Then, the Pro version can help you with:
- Malware scanning and file integrity monitoring
- More login protection with CAPTCHAs and two-factor authentication
- User activity logging
You can also pair iThemes Security with iThemes Sync if you need to manage multiple websites.
iThemes Security does not include a firewall, though. In fact, the developer specifically recommends pairing it with the DNS-level firewall from Sucuri, and we think it also works well with Cloudflare.
iThemes Security Pro starts at $80 per year.
7. All In One WP Security & Firewall
Active on over 800,000 sites, All In One WP Security & Firewall is one of the most popular WordPress security plugins. It’s also 100% free, which plays a part in its popularity.
Despite the name, All In One WP Security & Firewall does not include a strong firewall. What the plugin calls a firewall is really just a set of .htaccess rules. While those rules are helpful, they aren’t the same as something like Sucuri.
What the plugin does do well is implement a ton of effective WordPress security hardening practices like:
- Disabling in-dashboard file editing
- Identifying files and folders with incorrect file permissions
- Blocking access to your debug log file
- Monitoring file integrity for core WordPress files
It also includes a lot of login hardening features like:
- Limiting login attempts
- Automatically logging out users
- Whitelisting or blacklisting IP addresses
For those reasons, this can be a good free option to pair with a DNS-level firewall.
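The hardening checks listed above (file editing disabled, incorrect permissions, an exposed debug log, core file integrity) as an added example that is not code from this or any other plugin: a small audit script that runs those four checks against a WordPress directory tree. `DISALLOW_FILE_EDIT` is the real WordPress constant that removes the in-dashboard editor; the `audit`, `hash_tree`, `world_writable` and `build_demo_site` functions are constructed here, and the "install" they run on is a constructed stand-in built in a temporary directory so the script runs offline.

```python
"""Hardening and core-file integrity audit for a WordPress tree.

Constructed example (not code from any plugin). Checks: DISALLOW_FILE_EDIT set,
world-writable paths, an exposed wp-content/debug.log, and core files that
differ from a known-good baseline.
"""
import hashlib
import os
import re
import stat
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # directories covered by the baseline
DISALLOW_EDIT_RE = re.compile(
    r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.IGNORECASE)


def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")


def file_edit_disabled(wp_config_text):
    """True when wp-config.php defines DISALLOW_FILE_EDIT as true."""
    return bool(DISALLOW_EDIT_RE.search(wp_config_text))


def hash_tree(root, subdirs=CORE_DIRS):
    """Map every file under the given subdirs to its SHA-256 digest."""
    digests = {}
    for sub in subdirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digests[_rel(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Files added, removed, or modified relative to the known-good baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def world_writable(root):
    """Paths below root whose mode grants write access to 'other'."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH:
                hits.append(_rel(path, root))
    return sorted(hits)


def audit(root, baseline):
    """Run all four checks and return the findings as a dict."""
    with open(os.path.join(root, "wp-config.php"), encoding="utf-8") as fh:
        config = fh.read()
    return {
        "file_edit_disabled": file_edit_disabled(config),
        "world_writable": world_writable(root),
        "debug_log_exposed": os.path.exists(
            os.path.join(root, "wp-content", "debug.log")),
        "integrity": diff_baseline(baseline, hash_tree(root)),
    }


def build_demo_site(hardened=True):
    """Build a tiny constructed stand-in for a WordPress tree (not a real install)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-config.php": "<?php\ndefine('DB_NAME', 'demo');\n",
        "wp-admin/admin.php": "<?php // constructed stand-in for a core file\n",
        "wp-includes/functions.php": "<?php // constructed stand-in for a core file\n",
        "wp-content/uploads/photo.jpg": "constructed placeholder, not an image\n",
    }
    if hardened:
        files["wp-config.php"] += "define('DISALLOW_FILE_EDIT', true);\n"
    else:  # the findings a neglected site would produce
        files["wp-includes/functions.php"] += "// constructed tampered line\n"
        files["wp-includes/extra.php"] = "<?php // constructed dropped file\n"
        files["wp-content/debug.log"] = "constructed log line\n"
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    for dirpath, dirs, names in os.walk(root):  # set modes explicitly
        for d in dirs:
            os.chmod(os.path.join(dirpath, d), 0o755)
        for n in names:
            os.chmod(os.path.join(dirpath, n), 0o644)
    if not hardened:
        os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)
    return root


if __name__ == "__main__":
    baseline = hash_tree(build_demo_site(hardened=True))
    print(audit(build_demo_site(hardened=False), baseline))
```

On a real site the baseline would come from a clean copy of the same WordPress release rather than from the site itself; WordPress publishes per-file checksums for each release, and WP-CLI's `wp core verify-checksums` compares an install against them, which is the same idea the integrity check here implements over a constructed tree.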
8. Cerber Security
Cerber Security is a popular freemium security plugin that, like Wordfence, offers a comprehensive approach to WordPress security:
- Lots of login protection tools – limit login attempts, two-factor authentication, user whitelisting, CAPTCHA, and more
- Malware scans and file integrity monitoring
- Anti-spam protection for registration and comment forms
- An application-level web application firewall and real-time traffic log (called Traffic Inspector)
- Lots of basic hardening rules
Cerber Security also includes an option to “slave” different WordPress sites to a “master” WordPress site. While this doesn’t give you a separate cloud dashboard for all your sites, it does let you manage the security of the “slave” websites from the WordPress dashboard of the “master” site.
There’s a generous free version at WordPress.org. After that, the Pro version starts at $99 per year.
9. VaultPress
VaultPress is a WordPress backup and security plugin from Automattic, the company behind WordPress.com and Jetpack.
VaultPress is actually two services in one:
- Automatic daily backups to a secure offsite location, including a tool to help you restore or migrate your site
- File scanning and automatic file repair
It uses the same approach as MalCare – VaultPress first backs up your files to its offsite storage location. Then, it scans the backup copy of your site for malware and other threats. If it finds anything, it offers an automatic file repair tool.
You’d still want to pair VaultPress with a firewall and some basic security hardening, but it does a great job of keeping your site’s data safe and free of malware.
VaultPress is part of the Jetpack Personal plan, which costs $39 per year.
10. Security Ninja
Security Ninja is an easy-to-use WordPress security plugin that helps you implement some of the most popular WordPress security hardening principles.
The free version at WordPress.org runs 50+ tests and gives you tips on how to fix the issues (like providing a code snippet to disable file editing).
Then, the Pro version can automatically fix those issues and also adds other tools like:
- Malware scanning and file integrity monitoring
- An application-level firewall (blocks 600+ million known malicious IPs)
- User activity tracking
The Pro version starts at just $39.
Because it helps you implement a lot of basic security hardening rules, this can be a good option to pair with a DNS-level firewall like Sucuri or Cloudflare.
11. SecuPress Pro
SecuPress Pro works like many of these other WordPress security plugins. It installs quickly, scans your website for vulnerabilities and provides suggestions to address those vulnerabilities.
SecuPress has a simple but effective dashboard that shows everything that’s going on, any detected vulnerabilities, what modules are running and everything you need to know about website security. It can also generate PDF reports of site health.
WordPress security features include:
- Site health scanning and reporting
- Login attempt limiting
- Malware scanning, plus detection of vulnerable plugins and themes
- IP address and geographic blacklisting
- Alerts via email or Slack when issues are found
There’s a free version of SecuPress and a premium version; both provide a firewall and defense in depth, and the Pro version adds a lot more protection. Premium plans cost $69.99 per year per site.
12. BulletProof Security
BulletProof Security is a more hands-on WordPress security plugin. Design isn’t this plugin’s strong point, but protection is. It comes with a wide range of features, including most of what you need to protect your website.
BulletProof Security provides login security, database backups and restore, malware scanning, spam protection, anti-hacking tools, security log, exploit protections and FTP file locking.
BulletProof Security helps secure WordPress with:
- Powerful protections covering most attack vectors
- Setup video showing how everything works
- Security logging
- Database backup and maintenance tools
- FTP and file protection tools
There’s a free version of BulletProof Security that offers most of what you’ll need. There’s also a Pro version that costs $69.95 as a one-off fee for use on unlimited websites.
What’s The Best WordPress Security Plugin For You?
If your website is important to your business, or if you’re managing websites for clients, it makes sense to invest in website security.
While it’s never fun to spend money on something without a direct ROI, the damage of a hacked website can far exceed the cost of what you spend on proactive WordPress security.
In our opinion, the best investment that you can make here is combining the free Sucuri plugin with the paid Sucuri firewall and CDN service, which starts at just $10 per month.
Sucuri is very easy to use, is updated frequently and provides the basic security tools to protect your site. The paid firewall delivers DDoS protection and the CDN ensures your website loads fast.
It’s a powerful combination that offers both basic hardening and proactive protection and when combined with other basic WordPress security best practices, should keep your site safe.
If you’re on a budget, another good option is the free iThemes Security plugin. It includes a range of protection tools including login limits, file editing controls and strong password enforcement.
It doesn’t include malware scanning or two-factor authentication though.
Another option we recommend is Wordfence. There’s a free and a premium version and both come with firewall, login protection, two-factor authentication, malware scanning and other protections.
The Pro version adds more tools and real-time monitoring and protection.
Do you have any questions about which of these plugins is best for your situation? Leave a comment and let’s figure it out together!
And if you know a WordPress user who needs some help with WordPress security, share this post with them to save them from a big headache down the line.