Are you looking for the best security plugin for WordPress? Do you want to protect your website from hackers? There are too many security plugins around and you don’t know which is the best for your WordPress site?
We get you cover!
WordPress is the most widely used CMS on the internet, and that tremendous popularity makes WordPress websites a perfect target for hackers.
Every year, a ton of WordPress websites are hacked and shut down. Adding a WordPress security plugin to your website is thus highly critical to hardening your security.
In today’s article, we will compare the best WordPress security plugins and share with you the best security practices for WordPress in 2022.
Julio Potier (WordPress security expert and founder of SecuPress) and Ryan Dewhurst (Codebreaker and founder of WPScan) helped me to write this article.
Table of contents
Users of WordPress often use security plugins, which are quite helpful. However, they are not necessary for every website. You may end up slowing down your site or adding unnecessary features if you use a poorly-coded security plugin.
WordPress has the advantage of not requiring security plugins to ‘harden’ your website. Many of the features offered by such plugins can be implemented manually. The convenience of a one-stop security solution is, however, far superior. Hardening website security is a full-time job and we are of the opinion that this should be left to security experts. So yes, if there is money at stake with your website you should get a security plugin.
Websites are like stores. You have to protect them or they get robbed and damaged.
Two years ago, a report from Sitelock revealed that the typical small business website is attacked 44 times a day.
According to a study made by Sucuri in 2017, out of 8000 infected websites, 74% were built on WordPress.
An amazing infographic made by WPClicboard perfectly sums up WordPress security statistics and challenges.
In the first half of 2021, Wordfence (that we will review below) blocked 18.5 billion password attacks on WordPress websites – and WPScan (review below as well) discovered 602 new vulnerabilities in plugins, and themes.
The majority of WordPress vulnerabilities (90%) are caused by plugins. There are 6% of theme vulnerabilities and 4% of core software vulnerabilities.
So yes, you need a WordPress Security Plugin on your website.
WordPress is probably the most secure CMS in the world. However, keep in mind nothing on the internet is 100% safe & secure.
In 2022 1.5 million WordPress websites were hacked because of a core vulnerability. The issue was quickly dealt with: WordPress has been safe and secure ever since.
Here is the reason why: the WordPress community is so huge and so talented that security breaches are identified and fixed almost instantly. But still, so many WordPress websites are hacked every day.
You have to understand that WordPress has some good security measures in place, but it’s nothing compared to what the best security plugins can provide you with like:
Only 3% of the incident affecting websites are discovered.
These are frightening figures that should encourage you to install a security plugin.
WordPress is today a mature and secure software project, trusted by millions of users, which even includes the White House’s official website. In term of security, the main problem that we are seeing is with third-party WordPress plugins. 87% of vulnerabilities within the WPScan WordPress vulnerability database are attributed to plugins. That being said we are seeing a gradual increase in the quality of plugins on the official WordPress plugin directory. To keep your WordPress website secure I recommend that you keep everything up to date choose a strong admin password and install a security plugin.
Vulnerabilities and security breaches are almost always related to human misbehaves.
So the best way to improve your website security is to be watchful about a few things!
According to the WPScan database, 95% of WordPress vulnerabilities are actually coming from themes and plugins.
And 95% of this 95% are actually coming from free themes and plugins.
The best way to protect your website from hackers is to keep your plugins and theme up to date. You should also remove all the unnecessary plugins installed on your website.
This tip might be more tricky to implement if you are not comfortable with the PHP language.
Most of them are harmless, but some might jeopardize your website and lead to downtime.
To know which plugins generate PHP Errors, you need to access the WordPress Error Log.
The easiest way to do this is to install WP Umbrella.
Go to the PHP Monitoring tab et enable the advanced view.
From here you can access all the errors and related information necessary to troubleshoot them and make your WordPress website more secure.
Some people think that a not updated plugin will generate security flaws like it’s growing in it. Of course, that’s not how it works. Every plugin, theme, or even WordPress core itself has some sort of security holes, but until it’s discovered it’s not a problem. The problem exists when they are discovered and not fixed. Luckily, the WordPress community is full of white hat hackers who will disclose the issues. Most of the time, when you see that a plugin/theme flaw has been found, it has already been patched.
Needless to say that selecting a secure hosting should also be one of your top priorities.
Before looking into security plugins, you should make sure that your WordPress host has significant security measures.
Here are some of the security measures a good WordPress hosting provider should provide you with:
Kinsta, our hosting provider, offers all these services.
Using the same password for every website is the best way to get hacked.
Not all sites are secure. If you use the same password from everywhere and a hacker manages to get it, he will have access to all your accounts.
You must choose a different password for each site you use. The easiest thing to do is to use a secured password generator like the Norton password generator.
If your website has multiple users, each user should maintain a strong password and change it regularly. You should force your team to reset passwords from time to time. This is of utmost importance when it comes to WordPress security.
Secure socket layer (SSL) provides an encrypted connection between a server and a user, so that data can be sent securely between them.
In addition to being a wise security practice, Google requires that websites use SSL. A website running on HTTP instead of HTTPS is generally penalized by the browser by showing “Not secure” instead of the pleasant green lock. This will destroy the trust of your visitors and your brand.
Previously, installing an SSL certificate was quite difficult. Thanks to Really Simple SSL you can now add SSL to WordPress in less than 5 minutes.
It’s no accident that bank websites give users only three attempts to enter their username and password correctly. Once that’s done, your accounts are locked out for a short period of time.
By doing this, brute force attacks can be reduced hackers can be more effectively hindered.
Login attempts are unlimited by default in WordPress. You can increase your website’s security by limiting login attempts so hackers can’t try thousands of combinations to gain access.
This small snippet of code can be manually inserted into the wp-content > Themes > functions.php file to provide limited login protection.
function check_attempted_login( $user, $username, $password ) {
if ( get_transient( ‘attempted_login’ ) ) {
$datas = get_transient( ‘attempted_login’ );
if ( $datas[‘tried’] >= 3 ) {
$until = get_option( ‘_transient_timeout_’ . ‘attempted_login’ );
$time = time_to_go( $until );
return new WP_Error( ‘too_many_tried’, sprintf( __( ‘ERROR: You have reached authentication limit, you will be able to try again in %1$s.’ ) , $time ) );
}
}
return $user;
}
add_filter( ‘authenticate’, ‘check_attempted_login’, 30, 3 );
function login_failed( $username ) {
if ( get_transient( ‘attempted_login’ ) ) {
$datas = get_transient( ‘attempted_login’ );
$datas[‘tried’]++;
if ( $datas[‘tried’] <= 3 )
set_transient( ‘attempted_login’, $datas , 300 );
} else {
$datas = array(
‘tried’ => 1
);
set_transient( ‘attempted_login’, $datas , 300 );
}
}
add_action( ‘wp_login_failed’, ‘login_failed’, 10, 1 );
function time_to_go($timestamp)
{
// converting the mysql timestamp to php time
$periods = array(
“second”,
“minute”,
“hour”,
“day”,
“week”,
“month”,
“year”
);
$lengths = array(
“60”,
“60”,
“24”,
“7”,
“4.35”,
“12”
);
$current_timestamp = time();
$difference = abs($current_timestamp – $timestamp);
for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) – 1; $i ++) {
$difference /= $lengths[$i];
}
$difference = round($difference);
if (isset($difference)) {
if ($difference != 1)
$periods[$i] .= “s”;
$output = “$difference $periods[$i]”;
This is a tough cookie so I’ll try to keep things as simple as possible.
You should first understand that PHP is a scripting language used for web development. Functions in PHP are blocks of code that can be executed in a program to perform a certain function.
The second thing you need to understand is that a WordPress website is composed of files and folders. It is important to note, however, that only certain files and folders use PHP functions. It is possible for hackers to create new folders on your website, or copy and paste their PHP functions into existing folders. This would be detrimental to your website. Without the proper tool, you could spend weeks without realizing that your website is corrupted.
You can prevent such a hack by blocking PHP functions from unknown folders, or just disabling PHP executions where they are not supposed to happen.
To do so, look for the .htaccess file on your FTP and open it. If it does not exist, you can create it with your HTML editor. Don’t forget to save it as .htaccess.
Add these line of code to the file:
<Files *.php>
deny from all
</Files>
You can edit WordPress theme and plugin files directly from the admin area with WordPress’ built-in code editor.
The theme editor can be found under Appearance » Theme Editor. A list of the files related to your current active theme will be displayed there.
In the same way, the plugin editor can be found at Plugins » Plugin Editor. It will automatically show you the first plugin installed on your site in alphabetical order.
If a hacker gains access to your WordPress admin area, they can access all your data using the built-in editor.
Additionally, hackers can use your WordPress site to distribute malware or launch denial-of-service attacks.
It is recommended that you completely remove the built-in file editors from WordPress to improve its security.
To remove the WordPress theme editor, you need to edit the wp-config.php file.
Add this line of code:
define( ‘DISALLOW_FILE_EDIT’, true );
Just above the line saying /* That’s all, stop editing! Happy publishing. */
Be sure to save your changes before closing the editor.
To encrypt usernames and passwords, WordPress uses salts or security keys. The strings are used to hash your login credentials. Consequently, your credentials cannot be stolen or used to log in to your website since they can’t be distinguished from random characters.
The terms WordPress salts and WordPress security keys both refer to the same 8 strings. A salt is corresponding to each of the 4 security keys. The 4 WordPress security keys are:
In the WordPress security system, keys and salts are random strings, which makes them both strong and unique. Nevertheless, they may still need to be altered on occasion.
For example, when you remove malware, you should change the salt keys afterward.
It is also a wise security practice to update the WordPress salt keys from time to time, just like you would your passwords. Hackers have a harder time breaking through your website’s security when credentials are changed regularly.
Changing security keys and salts is an easy process:
The wp-config.php file is the most valuable for hackers. It contains all your credentials. It’s the heart of your website, and that’s why you need to harden its security.
The best way to secure the wp-config.php file is to deny its access.
To do so, add the following code at the top of your .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
WordPress core includes some security measures by default. Nevertheless, it can be continuously improved with the help of a security plugin/service. The best WordPress security plugins always deliver the following features:
There are a number of WordPress security plugins out there that throw in more futures, but the ones listed above are the ones worth taking note of.
Without further ados, here is our in-depth analysis of the best WordPress security plugins in 2022.
It’s no surprise that Wordfence Security is one of the most popular WordPress security plugins out there. The robust login security features and security incident recovery tools combine simplicity with powerful protection tools. A major advantage of Wordfence is the ability to track overall traffic patterns and hack attempts.
With a firewall blocker, brute force protection, and more, Wordfence is one of the most comprehensive security solutions available.
You can choose between a free version or a premium option starting at $99 per year.
As an added bonus, the plugin creators give developers steep discounts when they subscribe to multiple site keys. The price per license will drop to $74.25 if you purchase 15+ licenses.
If you develop multiple websites and want them all to be protected, you might want to consider Wordfence.
A complete breakdown of WordFence discount structure:
iThemes Security (formerly Better WP Security) offers you over 30 ways to secure and protect your WordPress site.
With +1 million active installs, it is the second most popular security plugin on the market. iThemes makes all WordPress sites more secure by identifying plugin vulnerabilities, outdated software, and weak passwords.
The free version of iThemes Security does include some basic security features, but we strongly recommend upgrading to the pro version. A year’s worth of plugin updates, ticketed support, and support for 2 websites are included. You can upgrade to a more expensive plan if you would like to protect more sites.
iThemes Security Pro provides two-factor authentication, strong password enforcement, and locking out malicious users.
A single year of iThemes Security Pro security can be purchased for $80. Adding more sites increases the price.
You can choose from the following iThemes Security Pro plans:
Sucuri is a globally recognized authority in all matters related to WordPress website security.
You can protect your website from malware and hacks with the powerful WordPress plugin offered by Sucuri. Your website is protected by multiple layers of security. Your traffic bypasses all Sucuri’s firewalls before being sent to the hosting server through cloudproxy. It prevents malware attacks and hackers from putting your website at risk, ensuring only genuine visitors view your site.
You can try Sucuri for free and get a 30-day money-back guarantee if you don’t like it.
The premium plans are listed below:
Multi-site custom plans are also available on request.
All In One WP Security & Firewall is one of the most feature-packed free security plugins available.
With this plugin, you’ll be able to visualize basics such as your site’s security strength and what needs to be done to improve it.
There are three categories of features: Basic, Intermediate, and Advanced. In other words, if you are an advanced developer, you can still use this plugin.
User account security is the primary function of this plugin, as it prevents forceful attempts to log in and enhances the security of user registrations. The plugin also includes database and file security.
Free.
WPscan was acquired by Automattic in November 2021. It scans WordPress installations to determine if they have vulnerabilities.
Usually, WPScan is used to perform penetration tests, security assessments, and vulnerability scans. Security professionals, system administrators, and pentesters are the intended users of this tool.
WPScan pricing is not disclosed. You have to ask for a quote. The pricing is linked to the number of API calls you perform every month.
There are more features in BulletProof Security plugin than most other security plugins on the market because it is actively developed, and constantly updated. Besides quarantines, you receive email alerts, spam detection, and auto-restore features.
Considering that it handles database backups and login security, it works quite well as an all-around WordPress security plugin.
There is a free and a premium version of BulletProof Security. You can purchase the paid option for $69.95 and get a 30-day money-back guarantee. The license is valid for an unlimited number of websites.
SecuPress is another great security plugin for WordPress. This plugin will protect your WordPress website from malware and block bots & suspicious IPs. Our favorite thing about SecuPress is its focus on blocking malware and viruses. Probably the best of all WordPress security tools.
SecuPress is an option to consider if you’re looking for a security plugin with an easy-to-use interface. Firewalls, anti-brute force logins, and blocked IP addresses are all included in the free version.
Additionally, it protects your security keys and blocks bots (which you often have to pay for with other security plugins). Malware scans detect suspicious activity and block intruders when necessary.
You can upgrade to their premium version if you want even more features, including alerts and notifications, two-factor authentication, IP Geolocation blocking, PHP malware scanning, and PDF reports.
The free version is suitable for basic website security, such as malware detection and bot blocking. Premium versions start at $69.99 per site per year. As you increase your number of sites the price per site decreases dramatically down to $5.78 per site per year.
In order to detect anything from plugin issues to risky IP addresses, MalCare Security plugin provides a cloud-based malware scanner that considers your entire website. Besides bot protection, it’s an excellent malware finder.
You can clean up your site with the plugin’s one-click removal tool before search engines notice any issues.
MalCare Security also notifies you when your site goes down so you can respond to an attack in time.
MalCare Security is lightweight, which is important since bulky plugins are common in malware scanning software.
MalCare has a pricing complex to understand. You have 3 plans (Basic, Plus and Pro) and the pricing lower by bundle of websites.
If you select a bundle of 20 websites the prices lower a bit
The Jetpack Security plugin provides WordPress site security with backups, malware scanning, and spam filtering that is easy to use.
Jetpack is known to most WordPress users, mainly because it has many features, but also because it was developed by WordPress.com.
Taking the time to explore Jetpack’s many features is well worth your time.
You can use Jetpack for free if you want spam protection (powered by Akismet). The majority of other security features, however, are subscription-based (about $25/month per website for malware scanning and backups).
WP Cerber Security vigilantly defends WordPress against hacker attacks, spam, and malware. The plugin blocks malicious activity before it harms your data, and offers an anti-spam solution, and a malware scanner.
Cloudflare integration, exporting security data, and scheduling regular scans are all possible. Futherthemore, WP Cerber Security will delete affected files and restore previous versions of your site.
WP Cerber Security offers a free version including the Cerber security local protection and automated spam protection of an unlimited number of websites.
The pro version includes everything you need and costs $29/quarterly for one website or $39/monthly for 5 websites. This pricing is confusing and misleading.
Your website will be secure once you’ve selected and configured the security plugin of your choice, making sure you, your team, and most importantly, your visitors and customers are protected.
However, your work does not end here.
WordPress is popular among hackers because of its security vulnerabilities.
In addition to installing a plugin, you can take further steps to improve your site’s security – like the one mentioned in the first part of this article.
Last but not least, it might be worth considering Cloudflare to take care of traffic and DDOS attacks.
Discover the ultimate list of dev tools for WordPress that can help you in every aspect of the development process.
Learn how to manage multiple WordPress sites effortlessly with the best WordPress management tools.
We reduced load times on our WordPress websites by 1410%. Read the full story.