Popular WordPress security plugins

Millions of websites are infected with malware every week. WordPress is a popular platform and is open to risks if not managed well. While WordPress is fairly secure and is further strengthened by regular patches and updates, it requires constant monitoring and checking for updates and patches.

Some of the suggested approaches include:

  • Keep the WordPress source files, themes, and plugins updated with the latest versions and patches.
  • Change passwords regularly and use strong passwords.
  • Actively manage those users who are allowed editing access to WordPress. Ideally, limit access to avoid mistakes impacting the whole site or leaving a vulnerability open.
  • Consider implementing an SSL certificate to encrypt connections to your website and secure any data transfers.
  • Take regular backups.
  • Tighten what is allowed on posts, blogs, comments, and responses. Malware attacks are known to originate through user/subscriber posts and comments with misleading links and the intent to steal users’ personal information. Comments could include spamming or inappropriate language, and these need to be actively managed.

As with all other management needs on WordPress, there are security plugins that help improve and automate a number of these security management tasks.

WordPress security plugins: An introduction

Best practice: Think through your security approach based on the final content of your WordPress website, the site’s structure, and the visitor interactions that will be allowed on the website. For example, will there be multiple users working on website creation, upkeep, and updates? Will there be subscribers who can post comments and write feedback? Knowing the current and future approaches will help with selecting an appropriate security plugin, including deciding whether a free security plugin version will suffice or a paid version is best.

WordPress security plugins add value by offering automated, real-time security monitoring; scanning of any uploaded files; malware checks, including scans for changes to core files; blacklist monitoring to ensure that users or comments on the blacklist are not allowed in; security hardening; solutions to act in case of a hack; firewalls; protection against denial-of-service (DoS) or brute-force attacks; and other features.

A brief look at plugins

Plugins are applications that can be “plugged in” to your website. Plugins bring in pre-coded features that allow quick feature setup. WordPress has a huge repository of free plugins apart from paid ones. Choose a plugin if it adds value to your users’ experience and enhances communication with your audience. Typical plugins make it easy to fill in forms, upload images, help track website activity by visitors, have chat boxes, enforce security, and more. Plugins are accessed by navigating to the administrative page > My Site > My Home > Tools > Plugins.

  • On clicking Plugins, a menu of available plugins is shown. Plugins can be searched by name or category (Engagement, Security, Appearance, and Writing). You can also sort by featured, popular, and new plugins.

The top WordPress security plugins

1. Jetpack

Jetpack is a plugin platform that consists of multiple plugin options including security, performance, marketing, and design tools. The security component provides site security features including malware scanning, spam protection, brute-force protection, and downtime and uptime monitoring. The security plugin includes capabilities for:

  • Automatic malware and other code threat scans with the option to restore the website from malware in one click.
  • Block spam comments and form responses with anti-spam features powered by Akismet.
  • Brute-force attack protection to protect the WordPress login pages from attacks.
  • Monitoring the site uptime and downtime and getting instant email alerts about any change.
  • Secure login with optional two-factor authentication (2FA) for extra protection.
  • Auto-update individual plugins for easy site maintenance and management.

Jetpack details: https://wordpress.org/plugins/jetpack/

  • Version: 9.5
  • Active installations: 5 million+
  • Works on WordPress version: 5.6 or higher
  • Tested up to WordPress version: 5.7
  • Works on PHP version: 5.6 or higher
  • Languages supported: 43

2. Wordfence

Wordfence Security includes an endpoint firewall and malware scanner to protect WordPress sites. Wordfence offers 2FA and maintains a Threat Defense Feed that updates the newest firewall rules, malware signatures, and malicious IP addresses to manage website safety.

Wordfence’s WordPress firewall/security scanner features

  • Protects the site at the endpoint, enabling deep integration with WordPress.
  • Integrated malware scanner blocks requests that include malicious code or content.
    • Malware scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects, and code injections.
    • Compares site core files, themes, and plugins with what is in the WordPress repository, checking their integrity and reporting any changes.
  • Protection from brute-force attacks by limiting login attempts.
  • Web Application Firewall identifies and blocks malicious traffic.
  • Repairs files that have changed by overwriting them with the original version.
  • Checks site for known security vulnerabilities and alerts to any issues. Also alerts to potential security issues when a plugin has been closed or abandoned.
  • Checks the safety of your content by scanning file contents, posts, and comments for dangerous URLs and suspicious content.
  • Offers 2FA for secure remote system authentication available via any time-based one-time password (TOTP) authenticator app or service.
    • Login page CAPTCHAs stop bots from logging in.
    • Disable or add 2FA to XML-RPC.
    • Block logins for administrators using known compromised passwords.
  • [Premium]
    • Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed by 30 days).
    • The Real-time IP blocklist blocks all requests from the most malicious IPs, protecting your site while reducing the load on it.
    • Checks to see if your site or IP have been blocklisted for malicious activity, generating spam, or another security issue.

Wordfence details: https://wordpress.org/plugins/wordfence/

  • Version: 7.5.2
  • Active installations: Over 4 million
  • Works on WordPress version: 3.9 or higher
  • Tested up to WordPress version: 5.7
  • Works on PHP version: 5.3 or higher
  • Languages supported: 5

3. Tips and Tricks HQ

All in One WP Security & Firewall (https://www.tipsandtricks-hq.com/) offers features for securing user registration, login, and accounts; file system security; firewall; spam protection; blacklist referencing; front-end text protection; database security; security scanning; and more. Some of the features include:

  • Reduced security risk by checking for vulnerabilities, and implementing and enforcing the latest recommended WordPress security practices and techniques.
  • Use the security points grading system to measure how well the site is being protected based on the activated security features.
  • Security and firewall rules are categorized as “basic,” “intermediate,” and “advanced.”
  • User-based security features:
    • Detect if user accounts have identical login and display names.
    • Leverage the password strength tool to enforce strong passwords.
    • Prevent user enumeration; this prevents users/bots from discovering user info via author permalinks.
    • Protect against brute-force login attacks using the Login Lockdown feature; get notified via email whenever somebody gets locked out due to too many login attempts. View a list of all locked-out users, and unlock IP addresses one at a time or in bulk.
    • Monitor the account activity of all user accounts on your system by keeping track of the username, IP address, login date/time, and logout date/time.
    • View a list of all the users who are currently logged in to your site.
    • Specify one or more IP addresses in a special whitelist. The whitelisted IP addresses will have access to your WP login page.
    • Add Google reCAPTCHA or plain math CAPTCHA to the WordPress login form and system login.
    • Add a honeypot to WordPress’ user registration form to reduce registration attempts by robots.
  • The file change detection scanner alerts about any files that have been changed in the WordPress system. These can be investigated to check if that was a legitimate change or if bad code was injected.
  • Spam monitoring includes:
    • Monitoring the active IP addresses that persistently produce the most spam and blocking them.
    • Preventing comments from being submitted if they don’t originate from your domain.
    • Implementing CAPTCHAs on comment forms to add an additional layer of security against comment spam.
    • Automatically and permanently blocking IP addresses that have exceeded a certain number of comments labelled as spam.
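The Login Lockdown feature described above (and Wordfence’s limiting of login attempts) comes down to counting failed logins per IP address inside a sliding time window, locking the address out once a threshold is crossed, exempting whitelisted addresses, and letting an administrator list and unlock locked addresses. The following is an added illustration in Python, not code from either plugin; the `LoginLockdown` class, its thresholds, and the IP addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
import time
from collections import defaultdict, deque

class LoginLockdown:
    """Lock an IP out after max_failures failed logins inside window_s seconds (assumed thresholds)."""
    def __init__(self, max_failures=5, window_s=300, lockout_s=3600, whitelist=(), clock=time.time):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.whitelist, self.clock = set(whitelist), clock   # whitelisted IPs are never locked out
        self.failures = defaultdict(deque)                    # ip -> timestamps of recent failures
        self.locked_until = {}                                # ip -> time the lockout expires

    def is_locked(self, ip):
        if self.locked_until.get(ip, 0) > self.clock():
            return True
        self.locked_until.pop(ip, None)  # expired or never set: forget it
        return False

    def record_failure(self, ip):  # True when this failure trips the lockout (a plugin would email the admin here)
        if ip in self.whitelist:
            return False
        now, q = self.clock(), self.failures[ip]
        q.append(now)
        while now - q[0] > self.window_s:  # drop failures that fell outside the sliding window
            q.popleft()
        if len(q) < self.max_failures:
            return False
        self.locked_until[ip] = now + self.lockout_s
        q.clear()
        return True

    def locked_ips(self):  # what the plugin's "list of locked-out users" view would show
        return sorted(ip for ip in list(self.locked_until) if self.is_locked(ip))

    def unlock(self, *ips):  # manual unlock, one address at a time or in bulk
        for ip in ips:
            self.locked_until.pop(ip, None)

def demo():
    """Constructed scenario with a fake clock: a bot IP, a whitelisted admin IP, expiry, manual unlock."""
    now = [1_700_000_000.0]
    ld = LoginLockdown(3, window_s=60, lockout_s=600, whitelist=["203.0.113.10"], clock=lambda: now[0])
    bot, admin = "198.51.100.7", "203.0.113.10"
    tripped = [ld.record_failure(bot) for _ in range(3)]             # third failure trips the lockout
    admin_tripped = any(ld.record_failure(admin) for _ in range(10))  # whitelisted: never locked
    locked = ld.locked_ips()
    now[0] += 601                                                    # lockout lapses by itself
    still_locked = ld.is_locked(bot)
    ld.unlock(bot)                                                   # harmless even if already expired
    return {"tripped": tripped, "admin_tripped": admin_tripped, "locked": locked,
            "still_locked": still_locked, "after": ld.locked_ips()}
```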

All-in-one WP security and firewall details: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/

  • Version: 4.4.8
  • Active installations: Nearly 1 million
  • Works on WordPress version: 5.0 or higher
  • Tested up to WordPress version: 5.7
  • Languages supported: 13

4. Sucuri

Sucuri Security – Auditing, Malware Scanner and Security Hardening is a WordPress plugin consisting of a security suite. Some of the key security features include:

  • Security activity auditing: Monitor all security-related events, including changes that occur within the application and its environment. This answers the questions “Who is logging in?” and “What changes are being made?”
  • File integrity monitoring: Compare known good file versions with the current state of files. This covers all the directories at the root of the install, including plugins, themes, and core files.
  • Remote malware scanning to boost security posture: SiteCheck from Sucuri is used for malware scanning.
  • Blocklist monitoring: Monitor blocklist engines to prevent known malicious IP addresses and users from accessing the site. Get your site off that blocklist if it has inadvertently been included.
  • Effective security hardening: Use configuration learnings from a cleaned website to harden security.
  • Post-hack security actions: Get help recovering from a hacking event.
  • Security notifications.
  • Website firewall (premium): This includes protection against:
    • DoS or DDoS attacks.
    • Exploitation of software vulnerabilities.
    • Zero-days.
    • Brute-force attacks against your access control mechanisms.

Sucuri’s website firewall filters out bad traffic before it reaches the website.

Sucuri security details: https://wordpress.org/plugins/sucuri-scanner/

  • Version: 1.8.26
  • Active installations: Over 0.8 million
  • Works on WordPress version: 3.6 or higher
  • Tested up to WordPress version: 5.7
  • Languages supported: 10

5. MalCare Security

MalCare Security – Free Malware Scanner, Protection & Security for WordPress is a malware detection and removal plugin with a one-click malware removal option. It has a cloud-based firewall for website protection. Geoblocking at the country level helps mitigate hack attacks originating from certain geographies. MalCare comes integrated with a website management module that ensures security and site management from a single dashboard. It notifies you if the website goes down, and its Performance Check lets users keep an eye on site loading speed. MalCare allows white labeling to help developers support customers with their own branding.

MalCare features:

1. Cloud-based malware scanner

  • Daily scan frequency
  • On-demand site scans
  • Scan non-WP files

2. Instant malware removal

  • View details on hacked files
  • Instant automatic malware removal
  • Removal of unknown and new malware

3. Intelligent malware protection

  • Web application firewall
  • IP whitelisting
  • CAPTCHA-based login protection
  • Logs for traffic and logins
  • Geo-blocking
  • Alerts for suspicious logins

4. Website hardening

  • Block PHP execution in untrusted folders
  • Disable files editor
  • Block plugin or theme installation
  • Change security keys
  • Reset all passwords

5. Complete website management

  • Centralized dashboard
  • Plugins and themes management and update
  • Management of users, teams, and clients
  • Generate and schedule reports
  • Whitelabeling
  • Monitoring uptime and site speed
  • Blacklist alarm
  • Slack integration

6. Support

  • Email, chat, and social media

MalCare security services details: https://wordpress.org/plugins/malcare-security/

  • Version: 4.57
  • Active installations: 100 thousand+
  • Works on WordPress version: 4.0 or higher
  • Tested up to WordPress version: 5.7
  • Supports PHP version: 5.4.0 or higher

Summary

As the risk of a website being infected with malware remains high, it is a comfort that some of the constant monitoring and checking for updates and patches can be handled by security plugins on WordPress. Based on the final website content, structure, and interactions allowed, a security approach needs to be planned. Knowing current and planned future possibilities will help with selecting an appropriate security plugin, including deciding whether a free security plugin version will suffice or a paid version is best.

We looked at five popular WordPress security plugins and their features for keeping the source files, themes, and plugins updated with the latest versions and patches, firewall and malware scanning, blacklist- and geography-based blocking, as well as additional features like 2FA and CAPTCHA solutions. As with all security-related processes, it is a good idea to have routine checks to look for areas to improve and harden your site.