How do you avoid getting hacked? Our last article detailed forty techniques for securing your WordPress site. This follow-up post is a quick reference of the best plugins that look after your security needs.
We’ve focused on highly-rated plugins that cover a range of security features, rather than one-trick-wonders. If your hosting provider doesn’t already have a comprehensive security solution (possibly including the use of these plugins), installing one would be a great first step in your security strategy.
Have we missed your favorite security plugin? Let us know in the comments.
- Cost: Free, Premium from $99/year
- Active installs: 2+ million
- Rating: 4.8 out of 5 stars (3,048 reviews)
Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing, real-time updates to the Threat Defense Feed, two-factor authentication, and we even check if your website IP address is being used to Spamvertize.
WordFence includes these security features:
- Firewall. WAF with automatically updated firewall rules that block common WordPress security threats.
- Blocking features. Real-time blocking of known attackers and malicious networks and other security threats.
- Login security. Two-factor authentication, enforced strong passwords, security to lock out brute force attacks.
- Security scanning. Scans core files, themes and plugins for malware and backdoors, and checks for files that have been changed.
- Monitoring. Monitors traffic in real time including bots and reverse DNS, monitors for DNS changes and disk space.
2. All In One WP Security & Firewall
- Cost: Free
- Active installs: 500,000+
- Rating: 4.8 out of 5 stars (669 reviews)
A comrehensive, easy to use, stable and well supported security plugin… It reduces security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security practices and techniques.
All In One WP Security & Firewall includes these security features:
- User accounts security. Change the default admin username, check for user display names that are the same as usernames, password strength tool, stop user enumeration.
- User login security. Login lockdown (brute force protection), log out inctive users, view failed login attempts, whitelist IP addresses, see who’s logged in, CAPTCHA.
- User registration security. Enable manual approval, CAPTCHA, Honeypot.
- Database security. Set the default WP prefix, schedule automatic backups.
- File system security. Identify and fix insecure permissions, disable file editing from WP admin, monitor system logs.
- htaccess and wp-config.php file backup and restore. Easily backup, restore and modify these important files.
- Blacklist functionality. Ban users based on IP address or range, or by specifying user agents.
- Firewall. Add firewall protection via htaccess, firewall rules that stop malicious scripts.
- Brute force login and attack prevention. Cookie-based login prevention, CAPTCHA on login form, rename login form URL, Honeypot.
- Whois lookup. Get full details of a suspicous host.
- Security scanner. File change alerts, scan database tables for suspicious strings.
- Comment spam security. Block IP addresses of spammers, add CAPTCHA to comment form.
- Front-end text copy protection. Disables right click, text selection and the copy option.
3. iThemes Security
- Cost: Free, Pro: 2 sites $80/year, 10 sites $100/year, unlimited sites $150/year, Gold $297 lifetime.
- Previously called Better WP Security
- Active installs: 800,000+
- Rating: 4.7 out of 5 stars (3,812 reviews)
iThemes Security Pro takes the guesswork out of WordPress security. You shouldn’t have to be a security professional to use a security plugin, so iThemes Security Pro makes it easy to secure & protect your WordPress website.
The free version gives you some protection, but the Pro version includes these security features:
- Two-Factor Authentication. “Use a mobile app such as Google Authenticator or Authy to generate a code or have a generated code emailed to you.”
- WordPress Salts & Security Keys. “The iThemes Security plugin makes updating your WordPress keys and salts easy.”
- Malware Scan Scheduling. “Have your site scanned for malware automatically each day. If an issue is found, an email is sent with the details.”
- Password Security. “Generate strong passwords right from your profile screen.”
- Password Expiration. “Set a maximum password age and force users to choose a new password. You can also force all users to choose a new password immediately (if needed).”
- Google reCAPTCHA. “Protect your site against spammers.”
- User Action Logging. “Track when users edit content, login or logout.”
- Import/Export Settings. “Saves time setting up multiple WordPress sites.”
- Dashboard Widget. “Manage important tasks such as user banning and system scans right from the WordPress dashboard.”
- Online File Comparison. When a file change is detected it will scan the origin of the files to determine if the change was malicious or not. Currently works only in WordPress core but plugins and themes are coming.
- Temporary Privilege Escalation. “Give a contractor or someone else temporary admin or editor access to your site that will automatically reset itself.”
- wp-cli Integration. “Manage your site’s security from the command line.”
Continue reading %8 of the Best Plugins for Securing Your WordPress Site%