Want to know the best WordPress security plugins to protect your site?
Read on because I’ve done a review of them and tested their most important features. I’ve had some client sites get hacked recently and simply didn’t have the time to thoroughly compare files, so I fired up the usual security plugins and was surprised by what I found. Some were designed quite intuitively and were extremely helpful, whereas others were, IMO, a collection of garbage made up of common htaccess tweaks.
Let’s cover their differences…
What features are most important in a WordPress security plugin?
I generally don’t bother with WordPress security plugins (having previously complained that security plugins “sucked”) but will admit their convenience for quickly detecting issues and guessing where the rest of the dirt might be. They do have useful functions for others, if not for me.
The MOST IMPORTANT security function to me is SCANNING (detecting malware, code injection, backdoors and file changes). The typical malware hack changes your website files and code; those are the most common kind of defacement and the ones that immediately affect how your site looks. Malware scanning is absolutely the most important security function in a plugin because it’s so much more efficient than reading files with your own eyes and comparing them for changes. With that said, scanners are very helpful but not 100% perfect. You may still have to manually check access logs and go through entire directories (and subdirectories) to make sure you get everything out.
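What a file-change scan actually does, as an added example (this is not code from the page or from any plugin reviewed here): hash every file in the install, diff the result against a baseline manifest taken from a known-good copy of the same WordPress and plugin versions, and grep PHP files for a few injection idioms. The baseline, the four pattern names and the demo site tree are all constructed assumptions; the pattern list is illustrative, not a vendor signature set. It also flags world-writable files, which is the file-permission item from the checklist category.

```python
"""Added example: minimal WordPress-style file-integrity and malware-pattern scan.
Assumes a baseline manifest {relative path: sha256} from a known-good copy (hypothetical)
and a hand-picked, illustrative list of injection idioms (not a complete signature set).
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Illustrative patterns commonly seen in injected PHP. Not exhaustive: a real scanner
# uses a maintained signature set, and every hit still needs a human look.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-blob": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell-from-request": re.compile(
        rb"(?:system|passthru|shell_exec|exec|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "long-base64-literal": re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{120,}"),
    "preg_replace-e-modifier": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_suspicious(content: bytes) -> list[str]:
    """Names of the illustrative patterns that match this file's bytes."""
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(content)]


def scan_tree(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Diff the live tree against the baseline; flag suspicious PHP and loose permissions."""
    current = build_manifest(root)
    report = {"modified": [], "added": [], "removed": [], "suspicious": [], "world_writable": []}
    for rel, digest in current.items():
        if rel not in baseline:
            report["added"].append(rel)          # dropped file (webshell in uploads etc.)
        elif baseline[rel] != digest:
            report["modified"].append(rel)       # core/plugin file tampered with
        path = root / rel
        if rel.endswith(".php") and find_suspicious(path.read_bytes()):
            report["suspicious"].append(rel)
        if path.stat().st_mode & stat.S_IWOTH:
            report["world_writable"].append(rel)  # anyone on the box can edit it
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed mini site: take a baseline, then plant the usual tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_x() {}\n")
        baseline = build_manifest(root)
        # 1) code injected into a core file
        with (root / "index.php").open("a") as f:
            f.write("<?php eval(base64_decode('aGVsbG8='));\n")
        # 2) a webshell dropped into uploads, left world-writable
        shell = root / "wp-content" / "uploads" / "x.php"
        shell.write_text("<?php system($_GET['c']);\n")
        os.chmod(shell, 0o666)
        # 3) a core file deleted
        (root / "wp-includes" / "functions.php").unlink()
        return scan_tree(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:15} {files}")
```

Run it and you get the same four answers a plugin’s scanner gives you (modified, added, removed, suspicious), which is exactly the list you would otherwise be building by eye. Note that a clean diff against the baseline says nothing about files the attacker placed outside the web root or about a compromised baseline, so the access-log check above still applies.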
The SECOND MOST IMPORTANT security function to me is a FIREWALL (blocking entry attacks, flooding and brute force): brute-forcing login pages, XML-RPC spam, DDoS (at layers 3, 4 and 7), or constant flooding of other services and ports. The problem with these attacks is that while they often don’t get into your site, they quickly overwhelm your server with requests and take it down or cause an outage for actual users. So in a way, firewall rules are as much about performance as about security: they keep hackers from getting in and also from taking down your server. The reason this isn’t the most important function is that it should already be done at the server level, where it protects every site on the box instead of just one.
The THIRD MOST IMPORTANT security function is the CHECKLISTS (file permissions, password strength, login page). These are what I call the ‘common-sense checklists’. I hate to see these in plugins for the most part. Most of them are nothing more than little lines of code put into htaccess that you could do on your own without a plugin. Sure, it’s great for newbies, but annoying when you’re a tech-savvy user and just want a plugin for scanning protection and maybe firewall protection. Nonetheless, they are still helpful from time to time when you have a hacked site and don’t know where to begin.
Different categories of WordPress security plugins:
- FULL FEATURED plugins – these have everything (scanning, firewall, and checklists). Basically, everything is built in. Of course, some features may be locked into their paid version. Maybe they can scan and tell you which files are affected but won’t clean them unless you pay. Or maybe they only allow manual scans in the free version, and scheduled scans are only allowed in the paid version.
- SCANNING & FIREWALL plugins – these do only scanning & firewall. IMO, this is all you really need if you know what you’re doing. They’re just there for hack prevention and also to provide a convenient log of where your attacks are coming from so you can beef up your server security. They can also be used for the occasional clean-up. Some plugins may even do only scanning or only firewall. There are also plugins that cover only one aspect of the firewall, like disabling XML-RPC or blocking bot traffic.
- CHECKLIST plugins – these provide a list of basic security tweaks you should do for your site. Some are more helpful than others. Some try to over-inflate the importance of certain aspects. And I really hate when checklist plugins masquerade as “security scanners” when they actually aren’t scanning for malware.
Additional notes:
- Many plugins claim to have a “scanner” but they don’t actually scan your files for malware. They simply scan for basic security stuff…like a “checklist scanner”.
- Many scanners will falsely detect other security plugins as potential security issues. Hahaha.
- Many security plugins are not worth the price.
- You can STILL get hacked even if you do have a security plugin installed.
Best WordPress security plugins
1. Wordfence Security – Firewall & Malware Scan (FREE & PAID)
If you’ve been hacked or trying to prevent getting hacked, WordFence is easily my #1 pick. It has a good range of functions to help secure your site against the 2 most common and most devastating hacks (brute force & code injections). All the other million security features are just a bonus.
The malware scanner is full-functioning, intuitive as hell, and so helpful in comparing code differences and letting you repair them easily from their interface. It is by far the most helpful scanner out there. I’m willing to bet it’s even better than their competitors’ paid versions. The firewall features are comprehensive enough and can block a wide range of attacks.
You know why I think this plugin is so good? It’s because it’s used by many people so they probably have the largest collection of hack signatures and what not. This is probably your best bet against zero-day attacks. I also like the cool email function letting you know about admin login attempts.
The UI could be designed a little cleaner and not look so much like a busy travel booking site, or with such constant upsells for their (paid) PRO version. I also hear some people complaining that it uses more server resources. I’m pretty sure you can configure this in the settings to be less resource-hungry.
2. Cerber Security, Antispam & Malware Scan (FREE & PAID)
In places where WordFence failed to detect hacks or was hacked itself, my very next go-to plugin was Cerber Security. I heard raving reviews about these guys when they first released their Appsumo deal and now I see why. A very clean and unstyled interface that is friendly for admins, although it may appear less friendly for users. I love that you can see many options without having to scroll. I love the helpful guides explaining why each optimization is important and the additional tips for newbie users to read.
Their malware scan is #2 in my book (although I never tried all the paid scanning services out there). The firewall and checklist features are descriptive enough without taking over my screen. Really great UI, really. I don’t think I could have designed a better UI for a security plugin, myself.
3. Sucuri Security (PAID)
The best 3rd-party interface plugin. Usually, I hate it when plugins take over the WordPress site design with their own colors and styling…making it feel like another website within your website. But Sucuri does it well. It totally makes you feel like a premium security service is protecting your site.
I love that they focus on 2 things…SCANNING and FIREWALL. They don’t waste your time with the silly ‘common-sense checklists’ (have a good password, file permissions, etc). This plugin is good if you’re a responsible tech-savvy user who only needs scanning and a firewall.
My only issue is that I think their automated scanning is probably still not as good as WordFence. Their firewall, however, should be better since it goes through their proxy. The issue is that their firewall isn’t free. You have to pay.
I think their plugin is great if you get their paid service and use their human-assisted cleanup services ($200/year is pretty cheap compared to paying a developer to clean up your hacked mess several times). Otherwise, I think their standalone plugin isn’t much help. I do like that it’s simple and doesn’t nag you too hard to pay up. Enter an API key and you’re good to go!
4. Single-function plugins
If you know exactly what you’re doing, I’m a big fan of those security plugins that only do one thing, like only changing the wp-admin login URL, blocking certain bots, or blocking certain protocols. These plugins are great because they allow you to have exactly the security functions you really need/want and not overlap with security mechanisms already implemented by other plugins or by your web server.
WordPress security plugins (I didn’t like)
1. SecuPress
Really great design. It reminds me of WP Rocket with the super sexy, simplified interface that lays out many options in a friendly way. Unfortunately, the malware scanner is locked off behind a paid service, which means the free version offers very little beyond simple protection rules in htaccess. For all I know this plugin might not be all that good, but I give it some benefit of the doubt.
2. Defender
Why do I bother? (It’s WPMU.) Hahahah. OK, let’s be fair. WPMU is not known for good themes/plugins/service but I gave this plugin a try. It’s designed well and looks user-friendly, but it has the same issue as many other free security plugins: the most important features are castrated from the free version. So no malware scanner unless you pay. Sorry, no thanks.
3. All-in-One Security
Malware scan requires offsite signup. Ugh, no thanks. All the other security features like blocking specific traffic were great. Ultimately, I just felt this plugin felt kinda outdated. I didn’t like the styling. The ribbons in the UI look so early 2000’s “web 2.0”.
4. iThemes Security
I don’t know why this plugin ever gets raving reviews. It’s too bad because I did like their UI. I liked the one simple page where you could see all the options to enable or not. The sad part is that if you know what you’re doing, you’ll quickly realize many of these “security features” are simple htaccess rules, nothing more. Then again, maybe it’s unfair of me to say that since newbie users do find tremendous value in it and it’s great that they aren’t over-cluttering their plugin.
5. MalCare Security (FREE & PAID)
Many people love this one but I wasn’t such a fan. Don’t like the UI taking over my screen and looking completely non-WordPress. The first-time setup was quite slow. It advertises quick scanning but was slower than other top plugins. I do like that it advertises not overloading your server.
I find it amusing when a malware-scanning plugin itself looks and functions like malware. Even their website feels like malware as well. Something between an unfinished website and an advertisement. Kind of like those parked domains that you visit by accident when misspelling a website URL. Also looks like those damn CNET download pages where you couldn’t tell which download button was real or an ad.
Oh look, the scanner finished and didn’t find any of the ones that WordFence found. I totally get the allure of a simple set-and-forget security plugin that promises low server resource usage but this is not a good one. Having no options is almost the same as having no features, IMO. There’s simplicity and then there’s just blindly trusting a plugin to work exactly how you want it to work.
Then there was another site that was hacked (I had already found it via scanning system processes from the server and what not but decided to test Malcare on it). Malcare DID find the hack BUT put up a red button that said “AUTO CLEAN”. I click on it and it wants me to “upgrade” to a paid plan in order to clean the malware. Just for the heck of it, I click UPGRADE and then hit an error page that said “error, report this” and another option that I forgot. I click to go back and sure enough, it won’t even tell you where the hack is so you can clean it off yourself.
So basically…this thing is like one of those free programs you find online that look fully functional but then ask for money before running their critical function. I’m just fed up, I feel tricked and don’t even see the point of this plugin. They might as well just be upfront and tell you that it only scans but doesn’t remove any malware unless you pay. Ok…I put Wordfence on and sure enough it finds it.
6. WebARX – Web Application Security
Heard some good reviews about this one but didn’t bother to try since they only have a paid version. Luckily enough, a generous reader gave me his account access and I got to try it for myself. The UI and overall design is really nice. Feels premium, feels like you’re really protecting your site with state-of-the-art security.
The actual experience and overall protection of the plugin was something else. The UI and settings were really nice. Options and settings were laid out comprehensively and explained well with helpful descriptions. But those settings only covered the firewall and typical checklist security features. The malware scanner (OR LACK THEREOF) was a totally different experience. There is no malware scanner?!
I don’t even get how they make any money at all as a PREMIUM-only plugin. There is no free version and yet the paid version itself feels like trial software. So what the heck are we paying for? You’re paying for a firewall, nice user interface, and fancy report charts that show what attacks are being blocked by their firewall. Sorry but this plugin gets a total thumbs down from me. Totally overrated and incomplete as a security plugin. If all you wanted was a fancy firewall plugin, this is it…but then again, the best firewall is probably best done from your server (protecting the entire server instead of only one site).
7. Security Ninja
I’m a little torn. On one hand, the functions and features were laid out in a simple, organized manner. On the other hand, the UI made you feel like this plugin wasn’t so native to WordPress. The interface seemed to link out to their website incessantly. 80% of the things you clicked on led out to their website where, you guessed it, there’s an upsell to their PAID VERSION!
The plugin was simple enough but seemed like you had to pay for anything to really work. Sorry, no thanks! This isn’t even trialware or adware. It’s just a catalog plugin of their security features. Hahaha. With that said, the scan is nice if you want to see a quick checklist of which common sense things to fix on your site.
8. Bulletproof Security
Cool name but I’m not a fan. Really clumsy outdated UI right off the bat. Seriously, the UI is a MAJOR turnoff. They make even basic functions look super complicated. The “features” layout is so confusing and unorganized. And why the heck am I seeing CSS styling options throughout security settings? Oh and the scan didn’t find anything whereas other plugins did.
9. VaultPress
Worthless and annoying. 2 big flags for me. One is that it requires JETPACK…uggh, stop forcing that on us! The other disqualifier is that it’s a PAID plugin. So you’re gonna make me PAY to use Jetpack?! Sorry, but no. I didn’t continue any further. I also saw bad reviews of it not being able to detect hacks. Why am I not surprised?! I simply don’t like/trust those Automattic guys.
So basically…it’s built by Automattic/Jetpack and requires a paid subscription to do anything. As with many things by those guys, there’s complaints about it being slow, not working well, and not worth the price they’re demanding. I didn’t bother to pay or try it out at all. Nope, not when they got that reputation.