This post was last updated on 30th July 2018.
When it comes to having a website, one of your main concerns is how to keep it safe, secure, and free from hackers, malware or hijackers. These WordPress security plugins can help you keep your data safe – as long as they are set up right.
We have compiled this short list of our top WordPress security plugins to secure your WordPress website. You can use any or all of them, they all work fine together and each excel in their own specific areas of security. From malware scanning to blocking live attacks, brute-force protection, email alerts, logging traffic and more. These plugins all work great on our website hosting servers and will help you monitor your website and keep it secure.
Install them now and rest easy! While all of these are free plugins, some also have premium options with additional features.
Sucuri can really help toughen up your WordPress website. With a focus on file security and hardening, and cross-checking your WordPress files with the official repository to alert you of any unauthorised modifications. Our favourite part of the plugin is the notifcations – get an email every time a user logs in, updates a post, or changes a setting. Everything is logged in the plugin. We suggest making sure you disable the “IP Address Discoverer” DNS lookups as these can slow down your website.
Our preferred settings are to turn off the API communication and ensure that the IP Address Discoverer is disabled or you’ll inadvertently slow down your website. Turn on the hardening options testing each time to see if anything breaks, sometimes the “Block PHP Files in …” options can stop parts of some theme or plugin functionality from working. If you are using the email alerts functions, we advise to disable the “failed logins” alerts as you’ll likely receive hundreds of brute force attempts from bots – activity like this is normal and not a major worry.
We primarily use the Sucuri plugin for security hardening, activity email alerts, and login logging.
Plugin Website: https://sucuri.net/
WordPress Repository: https://wordpress.org/plugins/wordfence/
It is good for proactive and reactive security including XMLRPC blocking and malware scanning.
Often called “Malware by Eli”, this plugin functions similarly to a virus scanner on your computer – but for your website. Scanning with the plugin will check the core files, and also your custom plugins and theme files for any malicious looking code. The plugin has definition updates regularly and can do scheduled scans of your site.
There are a few protections enabled out of the box, and you can turn on XMLRPC blocking (advisable). It doesn’t do much else but is good to have in case of infection, the regular scans can also help alert you to any problems with your website. You can donate and get brute force protection too, or you can install a separate plugin for that.
Eli’s WordPress Blog: http://wordpress.ieonly.com/category/my-plugins/anti-malware/
WordPress Repository: https://wordpress.org/plugins/gotmls/
Thankfully we now have a new option for brute force protection for the WordPress login. While it isn’t a full suite of security settings like some of the plugins above, this plugin does one thing and does it well. This new plugin replaces one of our old favourite brute force protection plugins Limit Login Attempts which haven’t been updated for 6 years. The options are simple, set the number of failed logins allowed, lockout time, and logging settings. You can also whitelist and blacklist specific IP addresses and usernames which was not possible in the previous plugin it is based on. It also protects the WooCommerce login page. Overall we recommend installing this to handle your brute force protection.
WordPress Repository: https://wordpress.org/plugins/limit-login-attempts-reloaded/
There are a few alternative plugins that are good for brute force protection and many of them work fine. We also like Login LockDown and have used it on many websites with no problems for years. Limit Login Attempts Reloaded wins out simply because it offers the ability to whitelist IP addresses which is often an essential feature. If you are using Login LockDown though we like it because it has very simple options and it starts protecting you as soon as it is activated. The settings we advise are to lockout invalid usernames and mask the login errors for extra security.
This is an effective plugin to help stop comment spam. We’ve all seen the Akismet Anti-Spam plugin installed by default in WordPress, but it requires you sign up for an API key to use it. Antispam Bee is a good free alternative with many simple and advanced options for dealing with comment spam. It also gives you options to keep everything “on site” and allows you to be fully compliant with user privacy and GDPR regulations – unlike Akismet which sends all comment data to their central servers to parse. From our testing we’ve found that Antispam Bee can be very effective at stopping almost all spam comments with few, if any false positives.
WordPress Repository: https://wordpress.org/plugins/antispam-bee/
WordPress Security by WordFence is one of the most popular WordPress security plugins. Our main problem with WordFence is that it uses quite a lot of server resources, it can slow down not only your website but your web host may also complain. It’s not our first choice for a super fast website.
If you do choose to use WordFence, it does have some nice features. The thing I like most about WordFence is the ability to block traffic and use it like a firewall. You can set limiting rules to automatically block spiders and scraper bots from accessing your site when their traffic or page requests hit a predefined threshold. WordFence also makes login security a priority, with features to lock out invalid usernames and enforce strong passwords. One option you will want to disable is the live traffic view as while it sounds useful, you’ll find this option will significantly slow down your website.
Plugin Website: https://www.wordfence.com/
WordPress Repository: https://wordpress.org/plugins/wordfence/
If you would like to hire our experts to help with your website security then our work will usually involve installing and configuring these WordPress security plugins for you. If expert help sounds good to you then look no further than our very affordable website maintenance & support package.