With WordPress security plugins, you can add various types of security features that will help keep your WordPress website safe. This article gives you an overview of the options and briefly cover areas of concern you need to be aware of as a WordPress webmaster.
Keeping a website secure is not a trivial task and if you are using a popular platform like WordPress the threat level goes up a few more steps. It is not that WordPress is insecure in itself, but with hundreds of millions websites out there (and growing virally every day) it is worth the effort for hackers to search for exploits and create automated solutions to do the dirty work.
The community does a great job to keep WordPress a secure system, but whenever new features are added there is potentially a risk. Therefore, priority number one, is to only install extensions from trusted sources and then to keep both WordPress core, your theme and plugins up to date at any time. This is one of the areas where a WordPress security plugin can help you by monitoring your installation and warning you if some files need to be updated. Keep in mind though that it is not only WordPress files that need to be up to date. You need to ensure that your web server is maintained properly to avoid security problems with old versions of e.g. PHP. This is often taken care of by hosting companies if you have a fully managed plan, but if you are not sure, check it!
Another area where WordPress does not have best practice security build in is the user account and login process. There is no restriction concerning how many times a WordPress user can log and no checks on password strength. Again, this is an area where you can use security plugins for WordPress to add additional hardening to your website.
Finally, you may want to secure your site from internal users and keep an eye on what you do. This is very relevant if you run a multi author blog or have many guest writers. There are plugins for helping you manage the editorial work with multiple authors, check this article for inspiration, but from a security point of view you should consider to have audit trails (track who did what – we covered this topic here) and role plugins to have more fine grained permissions set up.
Keeping your website running all the time also require proper backup and restore processes. We have covered this topic previously in a post about WordPress backup plugins. Check it out and make sure you have a working backup when you need it…
In this article, I have collected more than 40 great WordPress security plugins you can use to improve the security level of you WordPress website. Please let me know in a comment
Disclosure: Please note that some of the links below are affiliate links and I will earn a commission if you purchase through those links (at no extra cost to you). I recommend that you do your own independent research before purchasing any product or service. This article is not a guideline, a recommendation or endorsement of specific products.
Article Index, Jump to the section you want to read!
- Full WordPress Security Suites
- Role, Permissions and Login Security
- WordPress Security Scanners
- Content Protection
- WordPress Audit Trail
Security Ninja is a premium WordPress Plugin that performs 31+ tests including Brute-Force Attacks. It also checks your site for security vulnerabilities, takes preventive measures against attacks, prevents 0-day exploit attacks and with code snippets included for quick fixes.
Wordfence Security – MORE INFO
Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is an advanced WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups.
Bulletproof Security – MORE INFO
BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts.
Better WP Security – MORE INFO
Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.With one-click activation for most features as well as advanced features for experienced users Better WP Security can help protect any site.
Website Defender WordPress Security – MORE INFO
The WebsiteDefender WordPress Security plugin is the ultimate must-have tool when it comes to WordPress security. The plugin is free and monitors your website for security weaknesses that hackers might exploit and tells you how to easily fix them. WebsiteDefender integrates with the plugin which allows you to see all your security alerts from your WordPress dashboard.
Total Security – MORE INFO
The Total Security plugin is the must-have tool when it comes security of your WordPress installation. The plugin monitors your website for security weaknesses that hackers might exploit and tells you how to easily fix them.
Login Ninja is a premium WordPress plugin that protects login and register forms with Captcha test. It automatically bans malicious IPs with a detailed log of all login related activities. It Also redirects users based on roles and usernames, protects from brute force attacks and prevent bots from registering.
User Role Editor – MORE INFO
User Role Editor WordPress plugin makes the role capabilities changing easy. With User Role Editor WordPress plugin you can change user role (except Administrator) capabilities easy, with a few clicks.
Role Scoper – MORE INFO
CMS-like permissions for reading and editing. Content-specific restrictions and roles supplement/override WordPress roles. User groups optional.
Members – MORE INFO
Members is a plugin that extends your control over your blog. It’s a user, role, and content management plugin that was created to make WordPress a more powerful CMS.
The foundation of the plugin is its extensive role and capability management system. This is the backbone of all the current features and planned future features.
User Access Manager – MORE INFO
Advanced Access Manager is very powerful and flexible Access Control tool for your WordPress website. It supports Single WordPress installation and Multisite setup.
One Time Password – MORE INFO
This simple to use plugin enables you to login to your WordPress weblog using passwords which are valid for one session only. One-time passwords prevent stealing of your main WordPress password in less trustworthy environments, like internet cafés, for example by key loggers. The one-time password system conforms to RFC 2289 of the Internet Engineering Task Force (IETF).
WP Login Security 2 – MORE INFO
WP Login Security 2 provides enhanced security by requiring users to white list their IP address. If the IP address is not recognized, the plugin will send an email to the user with a link that contains a one-time key. Optionally the blog administrator can also be notified.If a user logs in from a known IP address no further action is required.
s2Member® Framework – MORE INFO
This is a powerful (free) membership plugin for WordPress®. Protect members only content with roles/capabilities.
Limit Login Attempts – MORE INFO
Limit rate of login attempts, including by way of cookies, for each IP. Fully customizable. By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords or hashes to be brute-force cracked with relative ease.Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
User Locker – MORE INFO
This plugin locks user account after given number of incorrect login attempts. This makes brute force and dictionary attacks nearly impossible.
Login Security Solution – MORE INFO
Security against brute force attacks by tracking IP, name, password; requiring very strong passwords. Idle timeout. Maintenance mode lockdown.
MVIS Security Center – MORE INFO
MVIS Security Center shows you exactly how to lock down your setup and sends subscribed users real-time vulnerability alerts for their site.
Active Directory Integration – MORE INFO
This Plugin allows WordPress to authenticate, authorize, create and update users against an Active Directory Domain.It is very easy to set up. Just activate the plugin, type in a domain controller, and you’re done.
An add on for Security Ninja WordPress plugin. It is compatible with both Security Ninja & Core Scanner Add on. It is extremely easy to setup, allows email reports from scans and an easy to use GUI.
Block Bad Queries – MORE INFO
Block Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request-strings. This is a simple yet solid solution that works great for sites where .htaccess is not available. The BBQ script is available as a plugin for WordPress or standalone script for any PHP-powered website.
Exploit Scanner – MORE INFO
This plugin searches the files on your website, and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.
Bad Behavior – MORE INFO
Bad Behavior prevents spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place.
WP Updates Notifier – MORE INFO
Monitors your WordPress installation for core, plugin and theme updates and emails you when they are available. This plugin is ideal if you don’t login to your WordPress admin regularly or you support a client’s website.
WordPress Https – MORE INFO
WordPress HTTPS is intended to be an all-in-one solution to using SSL on WordPress sites.
Anti – Malware – MORE INFO
This Anti-Virus/Anti-Malware plugin searches for Malware and other Virus like threats and vulnerabilities on your server and it helps you remove them.
AntiVirus – MORE INFO
Antivirus for WordPress is a easy and safe tool to protect your blog install against exploits, malware and spam injections. Useful plugin that will scan your theme templates for malicious injections.
Private Content can easily lock down any links you want with complete files protection. You have the option to precisely set who can access the links, either by a single user, all of the users or set by a category.
Like many websites, you may be victim of “hotlinking” an external websites using your images without your permission. As the images are hosted on the server, the bandwidth is used and this without any compensation. The plugin “Hotlinked Watermark Images” allows you to take advantage of this situation by displaying a custom message on your images when they are displayed on external websites.
Email Encoder Bundle – MORE INFO
Encode mailto links and plain email addresses on your site and hide them from spambots. Easy to use, plugin works directly when activated.
WP – DBManager – MORE INFO
Allows you to optimize database, repair database, backup database, restore database, delete backup database , drop/empty tables and run selected queries. Supports automatic scheduling of backing up, optimizing and repairing of database.
Three WP Activity Monitor – MORE INFO
Displays a multitude of user actions to keep the site administrator informed that all is well and that the blog or network is not being abused. Three WP Activity Monitor Displays the following: logins (successful and failed) , retrieved and reset passwords, posts/pages created, updated, trashed, untrashed and deleted, comments approved, trashed, spammed, unspammed, trashed, untrashed and deleted, changed passwords, changed user info, user registrations, user deletions and custom activities from other plugins.
WP – Activity – MORE INFO
Monitor and display registered users activity like logins, posts and comments. You can also track and prevent hackering attempts, with IP blacklisting.
Audit Trail – MORE INFO
Audit Trail is a plugin to keep track of what is going on inside your blog. It does this by recording certain actions such as who logged in and then stored this information in the form of a log. It also records the full content of posts and pages and allows you to restore a post to a previous version at any time.
Simple Security – MORE INFO
Simple Security Plugin for WordPress is an access log to track logins and failed login attempts for the admin area of your WordPress Website.
WordPress File Monitor Plus – MORE INFO
Monitor files under your WP installation for changes. When a change occurs, be notified via email. This plugin is a fork of WordPress File Monitor.
NoSpamNX – MORE INFO
This plugin adds invisible form fields to your comment form to protect your blog from automated spambots.
Infinite WP Client – MORE INFO
Install this plugin on unlimited sites and manage them all from a central dashboard. This plugin communicates with your InfiniteWP Admin Panel.
Visitor Maps Extended Referer Field – MORE INFO
Extend Visitor Maps and Who’s Online with extra features, such as IP and referrer banning. Display the referring host name and search string.
WordPress Sentinel – MORE INFO
This plugin acts as a sentinel that watches over your core WordPress programs plus installed themes and plugins and tells you when changes happen.