Security is crucial for websites, and especially for WordPress websites.
There are a lot of things to think about for your website’s security. There’s adding in two factor authentication, limiting the number of login attempts a user can make, checking files to make sure they haven’t been changed by a bad actor and so much more.
So it makes sense that you might want to look for a plugin that can help you out with these potential security issues. It’s definitely the quickest and easiest way to make your website more secure, whether you’re an experienced developer or someone new to WordPress.
So in this blog post, let’s go through some of your best options for WordPress security plugins – from the all in one type plugins to plugins that do one job really well – so that your site can be better protected today.
Table of contents
All in one security options
One of the best plugins you can get for security on your website is one that does “all in one”. That way you just need to add one plugin to do a whole lot of things to keep your website secure.
The good news is that there are a lot of great options in this area, and there are free and paid versions for most of them. Here are the three best ones I would recommend for your website.
WordFence
WordFence is one of the best all in one security plugins you can get for your website.
Now, I will say that I am a customer of WordFence, and have the premium version of it, just so you know. But I am a very happy customer, and my website is better for having them.
There are a ton of great features for both the free and premium version of the plugin. There is login security to protect against brute force attacks as well as adding two factor authentication to your login process.
Also, it comes with malware scanning, which compares your core, plugin and theme files with the official copies in their respective repositories, so you can know if malicious code has been added to the files. Plus, they have a great firewall that they update regularly to protect your websites from known vulnerabilities and threats.
And finally, they have an amazing security blog that can help you keep track of security threats in the WordPress ecosystem, whether or not you use their plugin.
iThemes Security
iThemes Security is another great option for protecting your website with just one plugin.
There are a lot of great features that come with the plugin. In addition to stopping automated brute force attacks, it can also force your users to use strong passwords, add two-factor authentication and even allow you to use passwordless logins.
iThemes Security will also block bad bots from accessing your website, and like WordFence, it will also scan your files to see if any malicious code has been added to them. And they are also very active in protecting your website from known threats.
Plus, it adds a cool dashboard in the admin area of your WordPress website where you can monitor everything security-related on your website. And there are free and paid versions too.
Finally, one of my favorite features is that you can get database backups in case something goes wrong, which is an added bonus if your web host doesn’t already provide this.
Sucuri
The final all in one security plugin I would recommend is Sucuri.
One of the more unique features of Sucuri is the ability to add in an SSL certificate to your website right from their plugin. Most web hosts these days make it easy to add in an SSL certificate, but if yours doesn’t this is a neat little feature to make your site a little bit more secure. You will have to pay for the certificates though.
Also, it does include a firewall, but only in the paid version of the plugin. It also includes notifications if your website goes down at any point and DDOS protection.
Another neat feature is the ability to see if you’re on any blocklists (and therefore not getting as much traffic as you could) and can send requests to remove your websites from those lists.
And like the other plugins, you’ll get malware scanning for all of your core, plugin and theme files.
Two-factor authentication plugins
Two-factor authentication is a great way to keep bad actors from guessing your password or the password of other users and gaining access to your website.
It requires a user to input another passcode (generally sent to another device or email) after entering in their password. That means if someone wants to get into your account, they would need your password and that other device, which adds a layer of security.
The good news is that setting up two-factor authentication is super easy in WordPress, and there are both free and paid plugins you can use for your site. Here are the three best that I would recommend for your website.
Two Factor Authentication
The Two Factor Authentication plugin is a great option to use for your website. And in fact, I even use it on my websites.
To start out, it’s completely free to use, which is always a plus. But beyond the price, it’s really easy to set up, even if you’re not a developer. It allows you to use a QR code to connect it with another authentication app quickly and easily.
Oh, and it works with Google Authenticator, Authy and any other applications, which means you don’t have to wait for a text message to continue logging in (although the plugin does not have support for text message authentication). All you need is just that other device with one of those apps.
Plus, you can force all users to have to use two factor authentication or just a subset of users (like maybe just administrators need to use TFA). It also works with WooCommerce and WP Affiliate login forms.
And there is a premium version that allows you to do more things, like support for other custom login forms and emergency codes if you ever lose your authentication device.
Duo Two-Factor
The Duo Two-Factor plugin is both free and easy for you to set up. In fact, you can be ready to go with two factor authentication on your website in just a few minutes with this plugin.
One of the other big benefits of this plugin is that it has the power of Duo behind it, which I know a lot of companies (including a lot of universities) use already for other logins. You can also control which user roles have to use TFA and which ones don’t. Plus it will even allow you to login without using your WordPress password.
Also, you’ll be able to authenticate through a one tap application, text message or even a phone call.
The only drawbacks is that there isn’t WordPress multisite support and the Google Authenticator app isn’t supported yet.
WP 2FA – Two-factor authentication for WordPress
One of the biggest benefits of using WP 2FA is the power of the developers behind it. It’s built by WP White Security, which also maintains the WP Activity Log plugin, which I’ll get to towards the end of the post.
Besides that, WP 2FA is really easy to set up for everybody. For example, users don’t necessarily need dashboard access in order to set up two factor authentication for their account, which can come in handy for forum users or customers who need to manage their account.
It also supports the Google Authenticator app. And there is support for other plugins, like WooCommerce.
There is also support for text message and phone call authentication, but you will need the premium version of the plugin for that.
Limit login attempts plugins
Another good security tip is to limit the number of failed login attempts someone can make before they are locked out from your website. This helps stop bad actors who might try a million different passwords to try and figure out which one is your password.
There are a lot of really good options here for plugins that can limit the number of login attempts someone can make on your website. Here are the three that I would recommend for your website.
Limit Login Attempts Reloaded
The Limit Login Attempts Reloaded plugin is the most popular limit logins plugin in the directory, and for good reasons too.
It makes it really easy to set the number of failed login attempts a user can make before they get locked out from your site. Plus, you can customize the amount of time they are locked out from your site as well.
You can also create safelists and blocklists for users and IP addresses to make it easier for people who should access your site to get in and harder for those who shouldn’t be able to access your website.
Additionally, it has support for custom login screens, like WooCommerce, bbPress and Easy Digital Downloads. It’s also GDPR compliant. And you will get an email notification whenever a user is locked out from the site.
WP Limit Login Attempts
If you just need something that is quick and easy and aren’t worried about a ton of features, the WP Limit Login Attempts is probably the option for you.
This is a light-weight plugin that does what you need it to do: limit the number of failed login attempts. And it does it quite well.
It comes with GDPR compliance to protect the person’s identity. And there’s an added CAPTCHA included to detect bots and keep them out.
Another interesting little feature that I haven’t found anywhere else is if there is a weird request, it will redirect the user to the homepage to keep them out. That could be quite handy to keep bad actors out.
Limit Login Attempts
Finally we have the Limit Login Attempts plugin. This one is built by miniOrange, which has a suite of various security and login plugins, so it will be well supported.
It also comes with a CAPTCHA to detect bots and keep spam out of your website. It also makes it really easy to rename the slug for your login page, which can be a great way to keep bots from even accessing the login form in the first place.
And it can also help block against fake user registrations through detecting odd and suspicious email addresses. And it can also help limit the number of requests coming from one IP address to your website for added protection.
Finally, it even makes it easy to protect your plugin and theme files by hiding them from being edited in the admin area.
Scanning plugins
Another type of security plugin you might want to add to your website is a scanner plugin. These plugins will scan your files and compare them to either earlier versions or copies of core, plugin and theme files from wordpress.org. That way you can be alerted in case malicious code has been added to your website.
Here are three scanner plugins that I would recommend for your website.
JetPack Protect
One of the best options for scanning plugins is the JetPack Protect plugin. For starters, it’s developed by Automattic, so you know that it’s going to be well maintained and developed.
Beyond that, not only will it scan your files to see if anything has changed, it also uses WPScan’s database of vulnerabilities to see if you have any in your WordPress core, plugin and theme files.
JetPack Protect is free to use and you don’t need to have the Jetpack plugin installed and activated on your website for it to work. And the setup process is pretty easy.
There’s no limitation on the number of plugins and themes that it scans. And if it finds any issues with your code, it will recommend what actions you should take in order to correct them and better protect your website.
NinjaScanner – Virus & Malware scan
Another great option for a scanning plugin is NinjaScanner. This is a free plugin, but there is also a premium version if you want a few more features.
The main plugin includes scanning for any issues with your core, plugin and theme files. Plus, it will also compare the current scan with the previous one to see if anything changed between the two scans. And it will also do the same with the database, which is a really nice feature if you have issues with the revisions feature in WordPress.
One of the coolest features that I haven’t found anywhere else is using a sandbox environment to test how your website will run if the plugin needs to quarantine or remove a file with malicious code. This can help you figure out if you can deactivate part of your code to contain the issue and keep the website live while you clean things up.
The premium version includes scheduled scans, WP CLI support and premium help if you run into any issues.
Quttera Web Malware Scanner
Finally, another really good option for scanning on your website is the Quttera Web Malware Scanner plugin.
This one does quite a bit of scanning. It will look through your site and code for malware, trojans, backdoors, worms, viruses, shells and spyware, which is the most that I’ve found for a scanning plugin so far.
It also will go through all of your JavaScript to look for suspicious code that might be code obfuscation, exploits, malicious iframes, malicious code and obfuscation, auto-generated malicious content, redirects and hidden evaluation code.
And it will also tell you if your website has been blocklisted by Google, which is something you would need to fix immediately.
Finally, it will also look for issues with PHP malware and injected PHP shells. And best of all, it’s completely free.
Activity Checking
The final type of security plugin you might want to add to your website is a plugin that logs all of the activity on your website. This could log content changes, such as publishing or editing a post, or other changes to your website, like updating a plugin or changing some settings.
This can be useful in checking all of the actions taken on your website to see if something suspicious happened.
Here are the three activity checking plugins I would recommend for your website.
WP Activity Log
The WP Activity Log plugin is one of the most robust activity log plugins available.
It’s a great way to see what is happening at all times on your website. And it works perfectly for large websites with a lot of accounts where it can be a challenge to figure out what has been changed or updated on a day-to-day basis.
It will keep track of any changes that are made to your website’s settings, database changes (like when a plugin adds or removes a table), plugin and theme changes, changes to users and so much more. Plus, it will track any changes made to content – whether it’s a post, page or custom post type.
And the premium version will send you email notifications so that you can stay updated with everything on your website in real time. And you can store these changes in an external database, like AWS.
Activity Log
Another good option if you don’t need to see every little thing is the Activity Log plugin.
With this plugin, you can track content and WordPress core, plugin and theme changes that are made to the website. Plus, there is also support for WooCommerce and bbPress, so you can see any changes that are made to your online store or forums.
You can also see who did what to various pieces of content, updated various settings, changed menus or widget areas and more. And you can export your log to a CSV file as well.
It’s focused on performance so it won’t slow your website down. And it’s GDPR compliant to protect the privacy of your users.
Oh, and it’s completely free to use.
Simple History – user activity log, audit tool
Finally, another activity log plugin you might want to consider for your website is the Simple History plugin.
It works very similar to the WP Activity Log and Activity Log plugin I just mentioned, tracking changes made to both your site’s settings and content. Plus it also comes with support for various other plugins, including Jetpack, Advanced Custom Fields, Enable Media Replace, WP Crontrol, Beaver Builder and more.
It also allows you to filter out the log by various actions, which can make it easy to find a specific action that was taken on the website. And for developers, there’s even a way to add your own actions to the log.
And it’s completely free for you to use on your website.
Select a WordPress Website Care plan today!
This is all a lot of information, I know. And sometimes dealing with security on your WordPress website can be a challenge and take a lot of time. But by signing up for a WordPress Website Care plan, you no longer will need to stress about security. The best of these plugins will be added to your website, making it as secure as it can be. Plus, you’ll get great web hosting, managed WordPress core, plugin and theme updates, accessibility checks and fixes and so much more. So give your website the care it deserves and take away the stress of website security by signing up for a plan today!