WordPress security plugins should be one of the top priorities for any new WordPress blog. You should have an arsenal of plugins that you install with every single free WordPress install. I know some plugins will vary depending on the type of WordPress site, blog, or eCommerce operation you’re starting, but security should always be a top factor in your plugin selection.
Every time you install WordPress you’re investing something. Time and money are both factors in your investment. You want to protect your investment with the best WordPress security plugins on the market. But which ones are the best? That’s what we’re here to uncover.
Why Do You Need WordPress Security Plugins in 2020?
I mean, come on now, it’s 2020. Do we not have the technology to secure software right out of the box? Well, yes and no.
Right out of the box the WordPress core does have some decent security features built into it. However, with WordPress being open source, those with malicious intent are able to analyze every single bit of this code to find even the slightest opportunity for intrusion.
There are some off-site security factors that come into play as well. You can beef up your WordPress install’s security with plugins that offer:
- Malware Scanning
- File Scanning
- Protection from Brute Force Attacks
- Blacklist Monitoring
- Active Security Monitoring
Another cool thing some of these WordPress security plugins help with comes in the form of post-hack protocols or actions. Should an intruder gain access to your site, there are post-hack actions that you can take to try to reverse all (or most of) the damage that was done.
Good WordPress Security Starts With Secure Hosting
Many of our readers are first-time WordPress users and a lot of you guys are on a budget. You’re doing the whole internet money-making thing on the side and are trying to cut costs wherever possible.
But secure WordPress hosting isn’t expensive. WordPress is the most popular web platform out there. 35% of all websites on the internet use WordPress. So, of course hosting is going to be cheap with how competitive the market is.
We use this Secure WordPress Hosting through NameCheap (with a free domain name) and it’s more than we need. The cost works out to be around $17 per YEAR. That’s less than $2 per month.
Here’s what we get with that package (or what you should look for with your hosting):
- One-click WordPress installs
- Automatic backups
- Automatic WordPress updates
- FREE SSL certificate (https)
- Cloudflare/CDN capable
Just a quick note about the free SSL certificate: This is good for both security and for SEO. Google absolutely loves it when your URL has that S in httpS://. Many hosting companies and domain registrars charge a lot for those. Some of them charge $100-$200 per year.
If you’re just starting then go spend less than $2 per month on hosting that includes a free SSL / https certificate and either a free or heavily discounted domain name. Otherwise, make sure your current host has some security protocols in place.
WordPress Security Plugins For 2020
Alright, now that we’ve got you all warmed up, let’s take a look at these plugins. Some of these WordPress security plugins are free, some of them cost money. Others have free versions with premium upgrades.
It’s also important to note that the list of plugins below is not in any specific order, so don’t think #3 on the list is better than #6. Different WordPress sites have different security needs. Just find which one(s) will work for your specific install.
We’re going to start our list off with one of the most popular WordPress security plugins on the market. Wordfence will constantly check your WordPress install for any malware infections or malicious files. The Wordfence security plugin scans your core WordPress files, and it scans your plugins and themes as well. To top that off, it even scans posts and comments for malicious code.
By using the Falcon caching engine, Wordfence claims to make your WordPress install up to 50x faster and 50x more secure. Security factors are enhanced when you use two-factor authentication to block brute force attacks. You can even block traffic from a certain country, or use a firewall to block fake traffic and botnet traffic.
What’s really cool about Wordfence is how it goes beyond your WordPress install. The plugin will scan all of the files on your hosting for well-known backdoors such as R57 and C99. I know those are “totally so last year” but they’re still popping up. (All the more reason to go with a secure WordPress hosting company.)
The Wordfence WordPress security plugin has a free version that is good for most small operations. Their paid features don’t really come into play until you’ve got a site that has amassed a huge reader base or customer base.
Sucuri is another great WordPress security plugin that offers both free and paid versions. And, just like with Wordfence, most smaller sites out there are fine using just their free version. The Sucuri security plugin comes with its own internal auditing tool so that you can see how well the plugin is protecting your site. And, to be honest, the self-auditing tool is quite accurate; it’s not going to grade itself highly if it’s doing a poor job.
File integrity monitoring, security hardening, security notifications, and blacklist monitoring are some of the more popular features of the plugin. The paid version of Sucuri includes SSL certificate variations, advanced DDoS protection, and instant live chat customer service.
Sucuri uses various blacklist engines, such as McAfee Site Advisor, Google Safe Browsing, and their own Sucuri Labs blacklist when they constantly check your website, files, themes, plugins, and comments. Should anything seem out of place you will get an email notification sent to you immediately. All security logs from Sucuri are stored offsite so that if a hacker does make their way in, you have proper documentation of everything.
Another great option for WordPress security is the BulletProof plugin. You will have firewall and database security, along with constant file monitoring of your core files and add-on files. If any infections are found, you will be notified immediately.
BulletProof’s star selling points are the vulnerability protections:
- XSS (Cross Site Scripting)
- SQL Injections
- Code Injections
And soooo many more. The BulletProof security plugin is constantly updating itself behind the scenes so that it can protect from new attacks before they become well known in the underground world.
There’s a free version of the plugin and there’s a paid version. The paid version is around $69 (one-time fee) and comes with a 30-day money back guarantee and lifetime support plus updates. The free version is more than enough to secure many WordPress installs out there.
iThemes Security Plugin (Formerly Better WP Security)
This is one of the more popular WordPress security plugins that you will find installed on small-to-medium sized ecommerce sites and sites with a large-ish user base. Their one-click install that includes 30+ security features makes it an easy choice for those that don’t have that much experience when it comes to security, or when it comes to WordPress in general.
It’s great at stopping automated attacks and it will fix common security holes in your WordPress install along the way. It’s also got some great features for the registered users side of things whereby it will add password expiration and two-factor authentication if you so desire.
The plugin primarily just sits there constantly scanning your WordPress install, looking for vulnerabilities. It can automatically detect brute force attacks, stop them, and then ban the IP address(es) associated with the attack. I like how it forces SSL login for the wp-admin area. It’s also pretty cool how they use Google reCAPTCHA to prevent comment spam.
The All In One WP Security & Firewall plugin has a highly visual interface with graphs and meters that helps beginners understand security metrics a lot easier. This is definitely a good plugin for those who feel like they’ve got no clue what they’re doing. They even break their security features down into 3 categories: Basic, Intermediate, and Advanced.
It’s great with brute force attacks and will lock the login side of things down very quickly if it detects something going on. It’s got a pretty cool blacklist tool also. The graph really helps newbies understand the various weak points in their WordPress install.
Protecting against malicious code and outside attacks is what this plugin does best. It enables the 5G blacklist and it’s great at preventing various attacks like XSS (cross site scripting), CSRF, and SQL Injections.
You’re not going to find a whole bunch of crazy features on this plugin, and that’s okay. 99% of people reading this don’t need all of these extra bells and whistles. The All In One WP Security & Firewall plugin is completely free to download and use, and they don’t try to upsell you.
More WordPress Security Tips
If you found this article helpful then you might also enjoy my 4 WordPress Security Tips article. If you want more security tips, money-making guides, and interesting stories from my time in federal prison as a computer hacker, then subscribe below: (I’ll never spam you)