The Best WordPress Security Plugins and Services (Both Free and Premium) 2017

Are you one of the many webmasters taking a passive approach to WordPress security? If so, you’re playing with fire — because, the reality is that, potentially, just one security breach could be enough to turn your entire online enterprise to dust!

When it comes to running an online business, website security is arguably (and sadly) one of the most undervalued areas of importance — and many folk simply still don’t realize the devastating impact on a business a security breach can have.

A temporary loss of traffic and sales is fairly easy to measure of course, but how do you quantify the potential costs of a permanently damaged reputation and/or search engine ranking positions? In fact, plenty of businesses have been ruined forever off the back of a high-profile security breach — and I’m sure these businesses won’t be the last, either.

In today’s post, I hope to bolster your website’s security by introducing you to some of the very best WordPress security plugins and services around.

Quick WordPress Security Tips

First things first, though. When it comes to website security, a proactive approach is always, always, always better than a reactive one. Preventing a problem before it occurs will save you time, stress, and money — far better than fixing the fallout of a security breach after it’s happened!

Keep everything up to date!

Secondly, be absolutely sure to follow all basic security practices, such as keeping everything up to date (plugins, themes and core) and making regular backups of your site (just in case something goes wrong and you need to revert to an earlier version before anything went bad happened).

But how do you make a WordPress website even more secure? As usual in the world of WordPress, it starts with choosing a reputable host. And never has the old adage been more true — you get what you pay for.

If you’re simply looking to purchase space on a server, sure, you can probably find a shared hosting service for under $10 a month. However, if you wake up to a hacked website, don’t expect these hosts to lift a finger trying to help — their staff probably don’t have either the time or know-how.

Managed WordPress Hosting: The Best Website Security Investment?

What you really need is a managed WordPress hosting service. Yes, these services are a little more expensive, but they take care of the overwhelming majority of WordPress security tasks automatically.

For example, just about all managed hosting will automatically update the WordPress core, and some may even push updates for your themes and (most importantly) plugins if necessary, to ensure your website is as up-to-date as possible at all times.

Why is this important? Because there are millions of WordPress users, many of whom are using the same plugins. Hackers need only dig around for a vulnerability in one of the popular plugins, then they can potentially exploit millions of sites.

Most plugin updates slam shut known vulnerabilities. This is why outdated plugins are bad news, and why managed hosting services ensure everything is regularly updated.

Managed hosting services also typically support a dedicated WordPress firewall and malware scanning, plus they’ll also have their own systems for managing and blocking known and potential threats (think: brute force attacks, etc) and, perhaps most importantly, will have highly knowledgeable staff on hand to help out (click here to read more about other major difference between managed and shared hosting services).

Strong Login Credentials

In addition to managed hosting, there are also a couple of other particularly simple things you can do that take barely any effort at all on your part, such as ensuring your login credentials are secure, never using anything as simple as “admin” for your username, and using strong passwords.

The Best WordPress Security Plugins and Services:

Depending on the size and importance of your website (and just how much peace of mind you’re after), it’s well worth giving site security some serious attention. Below, we’ve listed twelve exceptional WordPress security plugins and services (both free and premium) that we’d strongly advise you to learn about and consider: some simple and some complicated. Depending on what’s already provided by your own particular web host, many won’t be necessary of course — the trick is to be aware of what’s available and decide which are necessary for your own particular business: before it’s too late!

Let’s get started (listed in no particular order)…

iThemes Security Pro (from $80)


iThemes have long been one of the biggest names in WordPress security. As such, it’s no surprise that their all-in-one security plugin, iThemes Security Pro, just so happens to be one of the market leaders.

iThemes Security Pro tackles all of the main website vulnerabilities, starting with brute force attacks. To keep the bad guys out, the plugin moves the default WordPress login page, enforces super-strong passwords, and blocks users after too many login attempts.

If that’s not enough login security, iThemes Security Pro also supports two-factor authorization — this sends a passcode to the user’s mobile device, which is required alongside the standard password.

If you know that you’re the only person accessing your admin, the plugin also offers a handy “out of office” for the WordPress dashboard. This essentially locks the dashboard when you know you won’t be using it — such as when you’re asleep.

The plugin’s other important functionality is file change detection. When a hacker accesses your website, chances are, the first thing they’ll do is edit one of the core files. iThemes will monitor for this type of activity, sending you email notification whenever something suspicious occurs.

iThemes Security Pro will handle all of your website security needs for just $80/year. If you want to take it for a test drive, a free version of iThemes Security Lite is available — this is one of the best free security plugins in its own right, so it’s well worth checking out!

Official Website

All in One WP Security and Firewall (FREE)


The name of this plugin tells you everything you need to know about what it does.

First and foremost, All in One WP Security and Firewall offers comprehensive WordPress protection with its powerful range of functionalities. The plugin is heavy on brute force attack protection, helping you to combat the most common form of website security breach.

As the name implies, the plugin also adds a firewall to your website. This firewall has several pre-set configurations — these can be activated at the click of a button, letting you select the level of protection you want.

All in One WP Security and Firewall also comes with htaccess and wp-config.php backup, anti-spam measures, and front-end copy protection. It protects the WordPress database, too, by swapping the “WP” prefix found as default. And, to ensure your core files are protected, the plugin is consistently scanning behind the scenes for changes.

However, best of all, All in One is one of the most user-friendly security plugins around. The plugin assigns your website a security score, which is useful for monitoring improvements. Before you make changes to the plugin’s settings, it will tell you how this will impact your overall security score — this is also an excellent way to learn about the most important aspects of on-site security.

Official Website

Jetpack (FREE and Premium from $99/year)


Jetpack is well known in the WordPress community. Part of the Automattic family (the people behind, Jetpack is best described as a mash-up of loads of different, completely unrelated functionalities. Perhaps surprisingly, the combination works, and the Jetpack plugin is extremely popular.

If you want the free version of Jetpack to strengthen your site’s security, you’ll need to turn on the Protect module — you can read more about the individual Jetpack modules here. With this module activated, Jetpack protects you against brute force attacks.

However, it’s the paid versions of Jetpack which boast all the serious security features. Paid Jetpack comes in two flavors.

For $99/year, you can pick up a Jetpack Premium license. This provides daily malware scanning, scheduled off-site website backups, and automated website restores.

A Jetpack Professional license takes the Premium license one step further, offering real-time backups and on-demand malware scans. It’s available for $299/year.

Both licenses also include access to Automattic’s highly-trained support team for all matters pertaining to website security.

Official Website

VaultPress (from $9/month)


Next up we have VaultPress — another member of the Automattic family. VaultPress is secure, reliable, and super-usable, making it probably the best dedicated website backup service around.

Now, no website is ever completely secure. No matter how much effort you put into protecting your website, breaches can — and do — still happen. This is why it’s imperative that you backup your website. Unfortunately, not enough beginner webmasters follow this advice — don’t fall into this trap yourself!

A website backup is essentially a working copy of your site. If something goes wrong and your website crashes or is hacked, you can simply activate your most recent “copy” and restore your site to working order.

This is where VaultPress comes into play.

VaultPress creates scheduled or real-time backups — depending on your membership level — which are stored safely off-site. These backups can be restored in seconds should the worst happen.

VaultPress also scans your website for viruses and malware, which can be removed at the click of a button. For those considering using VaultPress, be sure to check out WinningWP’s VaultPress tutorial here.

Official Website

Sucuri Security (FREE)


Sucuri are WordPress security specialists. As such, their free plugin is highly regarded and well worth downloading.

The Sucuri Security plugin automatically scans your website looking for malware and dodgy files. This latter feature is of particular importance. After installing Sucuri, the plugin takes note of your existing files — a “known good” configuration. If a file deviates from this “known good” this could be a consequence of a security breach.

If potential security breaches occur, you can then use Sucuri’s activity monitoring log to investigate what might have happened. And, if your website is found to have been compromised, you can restore the file to the known good. These logs are kept safe and sound in the Sucuri Cloud so that a hacker can’t delete them.

On top of their plugin, another superb Sucuri service well worth considering is their Website Firewall (Cloud WAF).

Official Website

SecuPress (from $72)


SecuPress is the new kid on the block in the world of WordPress security. It’s the latest release from WP Media, the team who achieved staggering growth with their WP Rocket plugin. This has seen SecuPress — despite currently being at pre-release stage — garner serious attention.

The plugin’s main selling point is the powerful SecuPress Scanner. This scans your website for security vulnerabilities in six key areas:

  • User and login
  • Plugins and themes
  • WordPress core
  • Sensitive data
  • Malware scan
  • Firewall

After the scan flags all of your site’s weaknesses, the next step is to fix them. This couldn’t be easier — the plugin lists all the security problems, you select a checkbox for the issues you want to fix, then you let the plugin do its thing. With SecuPress doing the hard work, you can resolve countless security problems in just a few mouse clicks.


More features are included when the Pro version drops, including anti-spam measures, website backups, and malware scans. With the Pro version, you’ll also be able to schedule the scans to happen automatically in the background.

Official Website

BBQ: Block Bad Queries (FREE)


WordPress security is a complex issue, so security plugins understandably ship with complicated configuration screens. For many beginners, this is intimidating and off-putting, to the point where they simply avoid all on-site security matters.

Fortunately, the BBQ plugin — short for Block Bad Queries — bucks the trend. It’s a firewall plugin without the bells and whistles. It contains only the essential security-enhancing functionality that’s required from a firewall, and that makes this lightweight plugin super-quick, too.

Best of all, the plugin is “plug in and play” in the truest sense. Just install and activate the plugin and you’re good to go — no configurations whatsoever.

Official Website

AntiVirus (FREE)


The AntiVirus plugin is pretty self-explanatory. It scans your website for malware and spam injections.

The plugin performs these scans primarily on your database and theme files. If it finds anything, you’ll be notified immediately via email. By informing you in the fastest possible manner, you can respond quickly to prevent the problem from escalating. And, to provide ongoing protection, you can schedule AntiVirus to run automatic scans on your site daily.

Official Website

Wordfence Security (FREE)


With over 18 million downloads and a stellar 4.85/5 rating, Wordfence is King of the free WordPress security plugins.

As with many all-in-one security plugins, Wordfence is big on brute-force prevention. It enforces strong passwords — including the option for two-factor authentication — and blocks excessive login attempts. Wordfence also utilizes its expansive network to take note of known attackers, who are then blocked from accessing all Wordfence websites.

Other useful security features include a WordPress optimized firewall, real-time user monitoring, and security scanning. Again, Wordfence puts its network to good use, searching your site for over 44,000 known malicious malware signatures.

Official Website

Login Lockdown (FREE)


Login Lockdown is a simple plugin that helps prevent brute force attacks. It simply blocks an IP address that registers too many failed login attempts in a short timeframe.

The plugin defaults to three failed attempts in a five-minute window, but this can be changed via the settings screen.

Simple but effective!

Official Website

Clef Two-Factor Authentication (FREE)


Clef Two-Factor Authentication is easily the coolest plugin in today’s list. However, it also plays an important part in protecting your website.

Often a website’s biggest weak point is, well, you. Many of us choose weak passwords and usernames, then wonder what we’re doing wrong when our websites get hacked. Duplicating passwords across all of your online accounts is another big problem, but who has the time to remember hundreds of super-strong passwords?

Enter Clef.

Instead of using passwords, Clef generates a 300 character signature. This lasts for only 30 seconds, meaning it’s practically impossible to guess. And, because the signature is uniquely generated each time, there is no paper trail stored in your database.

To use Clef, first you need to install and activate the plugin, then the free Clef app — available on both Google Play and the App Store. Then, you need to sync the app with your computer. Clef will generate what looks like dancing bars — it’s your job to open the app, point your camera at the screen, and let Clef verify you.

From the WordPress dashboard, you can then choose to disable all passwords. Instead, you’ll login by syncing the Clef app on the WordPress login page — something like this:


Awesome, right?

Official Website

WP Audit Security Log (FREE)


If you already know a bit about WordPress security, you might want to take a more hands-on approach. If so, the WP Security Audit Log plugin could be exactly what you need.

The plugin keeps track of everything happening behind the scenes of your WordPress website. Most notably, it keeps track of your users, allowing you to spot the bad eggs before they do anything too serious. For example, if an existing user creates a new account, edits a published post, or swaps someone’s user role, these are all potential flags that the user is up to no good.

WP Audit Security Log will record all of these suspicious acts so that you can deal with it accordingly.

Official Website

Final Thoughts

Website security is a complex topic, made more difficult by the fact the landscape is constantly changing.

Although it’s good to understand what’s going on, my advice is to always secure your site first, and ask any necessary questions later!

If your budget won’t stretch to a reputable managed hosting service, probably about the best way to protect your website (over and above basic security measures, like keeping everything up to date, never sharing login credentials and ensuring all passwords are secure, etc) is to go for one of the all-in-one plugins featured above, such as iThemes Security Pro, SecuPress, Wordfence Security, or All in One WP Security and Firewall.

Taking this route has the double benefit of also requiring the minimal input from you — everything is handled automatically, without you having to lift a finger.

Which hopefully leaves you to focus on running your online business, safe in the knowledge that your website is about as safe as it can realistically be.

Using/used any of the above? Any others? Thoughts?

Tweet about this on TwitterShare on FacebookGoogle+Share on LinkedInEmail to someone

By Shaun Quarton

Shaun Quarton is a freelance blogger from the UK, with a passion for online entrepreneurship, content marketing, and all things WordPress.
Comments (policy)
More in Plugins, Security
Slider Revolution, LayerSlider 5 or Soliloquy: Which is the Best WordPress Slider Plugin?

In this article, we’ll be comparing the top three WordPress slider plugins -- Slider Revolution, LayerSlider 5 and Soliloquy -- going into what each has...