WinningWP content is free to all. If you make a purchase through referral links on our site, we earn a commission (learn more).
Tags – ,

The Best WordPress Security Plugins and Services – Both Free and Premium

WordPress Deals

Are you one of the many webmasters taking a passive approach to WordPress security? If so, you’re playing with fire, because the reality is just one security breach could be enough to turn your entire online enterprise to dust!

When it comes to running an online business, website security is arguably (and sadly) one of the most undervalued areas of importance — and many folk simply don’t realize the devastating impact on a business a security breach can have.

A temporary loss of traffic and sales is fairly easy to measure, of course, but how do you quantify the potential cost of a permanently damaged reputation and/or search engine ranking? In fact, plenty of businesses have been ruined forever off the back of a high-profile security breach — and I’m sure these businesses won’t be the last, either.

In this post, I hope to bolster your website’s security by introducing you to some of the very best WordPress security plugins and services around.

Quick WordPress Security Tips

First things first: When it comes to website security, a proactive approach is always, always, always better than a reactive one. Preventing a problem before it occurs will save you time, stress, and money, and is far better than fixing the fallout from a security breach after it’s happened!

Keep Everything up to Date

Be absolutely sure to follow all basic security practices, such as keeping everything up to date (plugins, themes and core) and making regular backups of your site (just in case something goes wrong and you need to revert to an earlier version that existed before anything bad happened).

But how do you make a WordPress website even more secure? As usual, in the world of WordPress, it starts with choosing a reputable host. And never has the old adage been more true — you get what you pay for.

If you’re simply looking to purchase space on a server, sure, you can probably find a shared hosting service for under $10 a month. However, if you wake up to a hacked website, don’t expect these hosts to lift a finger to help — their staff probably have neither the time nor the know-how.

Managed WordPress Hosting: The Best Website Security Investment?

What you really need is a managed WordPress hosting service. Yes, these services are a little more expensive, but they take care of the overwhelming majority of WordPress security tasks automatically.

For example, just about all managed hosting will automatically update the WordPress core, and some may even push updates for your themes and (most importantly) plugins when necessary to ensure your website is as up-to-date as possible at all times.

Why is this important? Because there are millions of WordPress users, many of whom are using the same plugins. Hackers need only dig around for a vulnerability in one of the popular plugins, then they can potentially exploit millions of sites.

Most plugin updates slam shut known vulnerabilities. This is why outdated plugins are bad news, and why managed hosting services ensure everything is regularly updated.

Managed hosting services also typically support a dedicated WordPress firewall and malware scanning, plus they’ll have their own systems for managing and blocking known and potential threats (think brute force attacks and the like). Perhaps most importantly of all, they’ll have highly knowledgeable staff on hand to help out (click here to read more about other major difference between managed and shared hosting services).

Strong Login Credentials

In addition to managed hosting, there are also a couple of other particularly simple things you can do that take barely any effort at all on your part, such as ensuring your login credentials are secure, never using anything as simple as ‘admin’ for your username, and using strong passwords.

The Best WordPress Security Plugins and Services

Depending on the size and importance of your website (and just how much peace of mind you’re after), it’s well worth giving site security some serious attention. Below, we’ve listed eleven exceptional WordPress security plugins and services (both free and premium; some simple and some complicated) that we’d strongly advise you to learn about and consider. Depending on what’s already provided by your web host, many won’t be necessary, of course — the trick is to be aware of what’s available and decide what you need for your business before it’s too late!

Let’s get started.

iThemes Security Pro (from $80)


As iThemes is one of the biggest names in WordPress security (and has been for some time now), it’s no surprise its all-in-one security plugin, iThemes Security Pro, is one of the market leaders.

This plugin tackles all of the main website vulnerabilities, starting with brute force attacks. To keep the bad guys out, iThemes Security Pro moves the default WordPress login page, enforces super-strong passwords, and blocks users after too many login attempts.

If that’s not enough login security, iThemes Security Pro also supports two-factor authorization — this sends a passcode to the user’s mobile device, which is required alongside the standard password.

If you know you’re the only person accessing your admin, the plugin also offers a handy out of office for the WordPress dashboard. This essentially locks the dashboard when you know you won’t be using it — such as when you’re asleep.

Its other important functionality is file change detection. When a hacker accesses your website, chances are the first thing they’ll do is edit one of the core files. The plugin will monitor for this type of activity, sending you email notification whenever something suspicious occurs.

For just $80 a year, iThemes Security Pro will handle all of your website security needs. If you want to take it for a test drive, a free version of iThemes Security Lite is available, and happens to be one of the best free security plugins in its own right, so it’s well worth checking out!

Official website

All in One WP Security and Firewall (FREE)


The name of this plugin tells you everything you need to know about what it does.

First and foremost, All in One WP Security and Firewall offers comprehensive WordPress protection with its powerful range of functionalities. The plugin is heavy on brute force attack protection, helping you to combat the most common form of website security breach.

As the name implies, the plugin also adds a firewall to your website. This firewall has several preset configurations that can be activated at the click of a button, letting you select the level of protection you want.

All in One WP Security and Firewall also comes with htaccess and wp-config.php backup, anti-spam measures, and front-end copy protection. It protects the WordPress database, too, by swapping the ‘WP’ prefix found as default. And, to ensure your core files are protected, the plugin is consistently scanning behind the scenes for changes.

However, best of all, All in One is one of the most user-friendly security plugins around. It assigns your website a security score, which is useful for monitoring improvements, and, before you make changes to the plugin’s settings, it will tell you how this will impact your overall security score — this is also an excellent way to learn about the most important aspects of on-site security.

Official website

Jetpack (FREE and Premium from $99 a year)


Jetpack is well known in the WordPress community. Part of the Automattic family (the people behind, Jetpack is best described as a mash-up of loads of completely unrelated functionalities. Perhaps surprisingly, the combination works, and the Jetpack plugin is extremely popular.

If you want the free version of Jetpack to strengthen your site’s security, you’ll need to turn on the Protect module, which guards you against brute force attacks.

However, it’s the paid versions of Jetpack that boast all the serious security features. Paid Jetpack comes in two flavors:

For $99 a year, you can pick up a Jetpack Premium license, which provides daily malware scanning, scheduled off-site website backups, and automated website restores.

A Jetpack Professional license takes the Premium license one step further, offering real-time backups and on-demand malware scans. It’s available for $299 a year.

Both licenses also include access to Automattic’s highly trained support team for all matters pertaining to website security.

Official website

VaultPress (from $9 a month)


Next up we have VaultPress — another member of the Automattic family. VaultPress is secure, reliable, and super-usable, making it probably the best dedicated website backup service around.

Now, no website is ever completely secure. No matter how much effort you put into protecting your website, breaches can still happen, which is why it’s imperative you back up your website. Unfortunately, not enough beginner webmasters follow this advice — don’t fall into this trap yourself!

A website backup is essentially a working copy of your site. If something goes wrong and your website crashes or is hacked, you can simply activate your most recent ‘copy’ and restore it to working order.

This is where VaultPress comes into play.

VaultPress creates scheduled or real-time backups — depending on your membership level — that are stored safely off-site. These backups can be restored in seconds should the worst happen.

VaultPress also scans your website for viruses and malware, which can be removed at the click of a button.

Official website

Sucuri Security (FREE)


Sucuri are WordPress security specialists, and, as such, their free plugin is highly regarded and well worth downloading.

The Sucuri Security plugin automatically scans your website for malware and dodgy files. This latter feature is of particular importance. After installing Sucuri, the plugin takes note of your existing files — a ‘known good’ configuration — and, if a file deviates from this ‘known good’, it could be the consequence of a security breach.

If potential security breaches occur, you can then use Sucuri’s activity monitoring log to investigate what might have happened, and, if your website is found to have been compromised, you can restore the file to the known good. These logs are kept safe and sound in the Sucuri Cloud so that a hacker can’t delete them.

On top of their plugin, another superb Sucuri service well worth considering is their Website Firewall (Cloud WAF).

Official website

SecuPress (from $59)


SecuPress is the new kid on the block in the world of WordPress security. It’s the latest release from WP Media, the team who achieved staggering growth with their WP Rocket plugin, which has seen it garner serious attention, despite being at pre-release stage.

The plugin’s main selling point is the powerful SecuPress Scanner, which scans your website for security vulnerabilities in six key areas:

  • User and login
  • Plugins and themes
  • WordPress core
  • Sensitive data
  • Malware scan
  • Firewall

After the scan flags your site’s weaknesses, the next step is to fix them. This couldn’t be easier — the plugin lists all the security problems, you select a checkbox for the issues you want to fix, then you let the plugin do its thing. With SecuPress doing the hard work, you can resolve countless security problems in just a few mouse clicks.


More features will be included when the Pro version drops, including anti-spam measures, website backups, and malware scans. With the Pro version, you’ll also be able to schedule the scans to happen automatically in the background.

Official website

BBQ: Block Bad Queries (FREE)


WordPress security is a complex issue, so security plugins understandably ship with complicated configuration screens. For many beginners, this is intimidating and off-putting — to the point where they simply avoid all on-site security matters.

Fortunately, the BBQ plugin — short for Block Bad Queries — bucks the trend. It’s a firewall plugin without the bells and whistles, containing only the essential security-enhancing functionality that’s required from a firewall, making it a lightweight plugin that’s super-quick too.

Best of all, the plugin is ‘plug in and play‘ in the truest sense. Just install and activate it, and you’re good to go — no configurations whatsoever.

Official website

AntiVirus (FREE)


The AntiVirus plugin is pretty self-explanatory. It scans your website for malware and spam injections.

The plugin performs these scans primarily on your database and theme files, and, if it finds anything, you’ll be notified immediately via email. Because it informs you in the fastest possible manner, you can respond quickly to prevent the problem from escalating. And, to provide ongoing protection, you can schedule AntiVirus to run automatic scans on your site daily.

Official website

Wordfence Security (FREE)


With more than 18 million downloads and a stellar 4.85 out of 5 rating, Wordfence is king of the free WordPress security plugins.

As with many all-in-one security plugins, Wordfence is big on brute force prevention. It enforces strong passwords — including the option for two-factor authentication — and blocks excessive login attempts. Wordfence also utilizes its expansive network to take note of known attackers, who are then blocked from accessing all Wordfence websites.

Other useful security features include a WordPress optimized firewall, real-time user monitoring, and security scanning. Again, Wordfence puts its network to good use, searching your site for more than 44,000 known malicious malware signatures.

Official website

Login Lockdown (FREE)


Login Lockdown is a simple plugin that helps prevent brute force attacks by simply blocking any IP addresses that register too many failed login attempts in a short timeframe.

The plugin defaults to three failed attempts in a five-minute window, but this can be changed via the settings screen.

Simple but effective!

Official website

WP Audit Security Log (FREE)


If you already know a bit about WordPress security, you may want to take a more hands-on approach. If so, the WP Security Audit Log plugin could be exactly what you need.

The plugin keeps track of everything happening behind the scenes of your WordPress website. Most notably, your users — allowing you to spot the bad eggs before they do anything too serious. For example, if an existing user creates a new account, edits a published post, or swaps someone’s user role, these are all potential flags that the user is up to no good.

WP Audit Security Log will record all of these suspicious acts so you can deal with them accordingly.

Official website

Final Thoughts

Website security is a complex topic, made more difficult by the fact that the landscape is constantly changing.

Although it’s good to understand what’s going on, my advice is to always secure your site first, and ask any necessary questions later!

If your budget won’t stretch to a reputable managed hosting service (probably the best way to protect your website beyond basic security measures, such as keeping everything up to date, never sharing login credentials and ensuring all passwords are secure), your best bet is to go for one of the all-in-one plugins featured above, such as iThemes Security Pro, SecuPress, Wordfence Security or All in One WP Security and Firewall.

Taking this route has the double benefit of requiring minimal input from you — everything is handled automatically, without you having to lift a finger.

Which, hopefully, will leave you to focus on running your online business, with the knowledge that your website is about as safe as it can realistically be.

Using/used any of the above? Any others? Thoughts?

By Shaun Quarton

Shaun Quarton is a freelance blogger from the UK, with a passion for online entrepreneurship, content marketing, and all things WordPress.
Comments (policy)
  1. paul says:

    Great overview – however I’ve been using Wordfence and its left me bemused.
    I have multiple “critical” errors that come up, I have paid people to look at and fix, they do so and they tell me its flagged loads of false positives (like I’m supposed to tell the difference) and then a week or so later I’ve the same situation again.
    Nothing actually broken on the site that I can tell, but feel like I’m getting drawn into spending money with no real quantifiable results or even knowing whats going on.

  2. Nick says:

    Sucuri is the best option in here but with the plugin you definitely need their WAF plan, which starts at $199/yr. Well worth it. In addition, if you are tight on money, you can use the Sucuri plugin, their hardening features, their scanner and use the BBQ: Block Bad Queries Firewall plugin. Both plugins compliment each other.

  3. Tanisia Greer says:

    You’ll need to remove Clef from your list, unfortunately. It’s going out of business, and will be deactivated in June. I’m still grieving over this development, because Clef was the best TFA plugin created.

  4. Luca says:

    Hello, there’s also “WP Security Optimizer” (
    It prevent hackers to sabotage your rankings in search engines. Elude attackers that exploits your website and fight Negative SEO attacks made using Acunetix and WPScan and other penetration testing toolkit.
    Implement features preventing users to be enumerated, and in particular enumeration of installed themes (wpscan –enumerate t) and plugins (wpscan –enumerate vp), generating false positives and forwarding an alert to the site administrator when it detects a scan. And finally, can verify corrupted and infected PHP files stored into “wp-admin” and “wp-includes” folders. Hope it’s useful

  5. Michael Amaral says:

    Nice collection of WordPress security plugins.
    You can add User Blocker Security in the list. It is pretty good.

  6. Danial Wilson says:

    Magnificent! Good list of security WordPress plugins.
    You can try User Activity Log Pro WordPress plugin.

  7. Howard Milstein says:

    Good article! What of the above recommendations for FREE would YOU use? And what does cloudflare do or is it redundant? I have siteground opt cache for speed but does cloudflare give anything else the above security plugins do not?

  8. Mounir HAB-ARRIH says:

    Thank you :) great post, I have an Amazon EC2 VPS with an instance of Windows server 2012 r2 and IIS8 on it … is hosting my WordPress site on it well be a good practice? any advice please.
    Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *

All comments are held for moderation. We'll only publish comments that are on topic and adhere to our Commenting Policy.