Want to know the best WordPress security plugins to protect your site?
Read on because I’ve done a review on them and tested their most important features. I’ve had some client sites get hacked recently and simply didn’t have the time to thoroughly compare files so I fired up the usual security plugins and was surprised by what I found. Some were designed quite intuitively and extremely helpful whereas others were IMO a collection of garbage of common htaccess tweaks.
Let’s cover their differences…
What features are most important in a WordPress security plugin?
I generally don’t bother with WordPress security plugins (having previously complained that security plugins “sucked”) but will admit their convenience for quickly detecting issues and guessing where the rest of the dirt might be. They do have useful functions for others if not even for myself.
The MOST IMPORTANT security function to me is SCANNING (blocking malware, code injection, backdoors, file changes). The typical malware hacks where your website files and code is changed. Those are the most common website defacements that immediately affect your website appearance. Malware scanning is absolutely the most important security function in a plugin because it’s so much more efficient than manually scanning with your own eyes and comparing files for changes. With that said, scanners are very helpful but not 100% perfect. You may still have to manually check access logs and scrutinize entire directories (and subdirectories) to make sure you get everything out.
The SECOND MOST IMPORTANT security function to me is FIREWALL (blocking entry attacks, flooding, brute-force). Brute-force into login pages, XML-RPC spam, DDOS (levels 3, 4, 7), or constant flooding into other services and ports and what not. The problem with these attacks is that while they often don’t get into your site, they quickly overwhelm your server with requests and take it down or cause outtage to actual users. So in a way, firewall scans are more a performance more than anything. They prevent hackers not only from getting in but also from taking down your server. The reason why it isn’t the most important function is because it should be done from server already
The THIRD MOST IMPORTANT security function are the CHECKLISTS (file permissions, pass strength, login page). These are what I call the ‘common-sense checklists’. I hate to see these in plugins for the most part. Most of them are nothing more than little lines of code put into htaccess that you could do on your own without a plugin. Sure, it’s great for newbies but annoying when you’re a tech-savvy user and just want a plugin for scanning protection and maybe firewall protection. Nonetheless, they are still helpful from time to time when you have a hacked site and don’t know where to begin.
Different categories WordPress security plugins:
- FULL FEATURED plugins – these have everything (scanning, firewall, and checklists). Basically everything built-in. Of course, some features may be locked into their paid version. Like maybe they can scan and tell you which files are affected but they won’t clean it unless you pay. Or maybe they’ll only allow manual scans in the free version, and scheduled scans only allowed in the paid version.
- SCANNING & FIREWALL plugins – these do only scanning & firewall. IMO, this is all you really need if you know what you’re doing. They’re just there for hack prevention and also to provide a convenient log of where your attacks are coming from so you can beef up your server security. They can also be used for the occasional clean up. Some plugins may even be only scanning or only firewall. There are also plugins that do only one aspect of firewall, like maybe disabling only XML-RPC or only disabling bot traffic. Etc.
- CHECKLIST plugins – these provide a list of basic security tweaks you should do for your site. Some are more helpful than others. Some try to over-inflate the importance of certain aspects. And I really hate when checklist plugins masquerade as “security scanners” when they actually aren’t scanning for malware.
Additional notes:
- Many plugins claim to have a “scanner” but they don’t actually scan your files for malware. They simply scan for basic security stuff…like a “checklist scanner”.
- Many scanners will false detect other security plugins as potential security issues. Hahaha.
- Many security plugins are not worth the price.
- You can STILL get hacked even if you do have a security plugin installed.
Best WordPress security plugins
1. Wordfence Security – Firewall & Malware Scan (FREE & PAID)
If you’ve been hacked or trying to prevent getting hacked, WordFence is easily my #1 pick. It has a good range of functions to help secure your site against the 2 most common and most devastating hacks (brute-force & code injections). All the other million security features are just a bonus.
The malware scanner is full-functioning, intuitive as hell, and so helpful in comparing code differences and letting you repair them easily from their interface. It is by far the most helpful scanner out there. I’m willing to bet it’s even better than their competitors’ paid versions. The firewall features are comprehensive enough and can block a wide range of attacks.
You know why I think this plugin is so good? It’s because it’s used by many people so they probably have the largest collection of hack signatures and what not. This is probably your best bet against zero-day attacks. I also like the cool email function letting you know about admin login attempts.
The UI could be designed a little cleaner and not look so much like a busy travel booking site, or with such constant upsells for their (paid) PRO version. I also hear some people complaining that it uses more server resources. I’m pretty sure you can configure this in the settings to be less resource-hungry.
2. Cerber Security, Antispam & Malware Scan (FREE & PAID)
In places where WordFence failed to detect hacks or was hacked itself. My very next go-to plugin was Cerber Security. I heard raving reviews about these guys when they first released their Appsumo deal and now I see why. Very clean and unstyled interface that is friendly for admins, although may appear less friendly for users. I love the you can see many options without having to scroll. I love the helpful guides explaining why each optimization is important and additional tips for newbie users to read.
Their malware scan is #2 in my book (although I never tried all the paid scanning services out there). The firewall and checklist features are descriptive enough without taking over my screen. Really great UI, really. I don’t think I could have designed a better UI for a security plugin, myself.
3. Sucuri Security (PAID)
Sucuri Security – Auditing, Malware Scanner and Security Hardening
The best 3rd-party interface plugin. Usually, I hate it when plugins take over the WordPress site design with their own colors and styling…making it feel like another website within your website. But Sucuri does it well. It totally makes you feel like a premium security service is protecting your site.
I love that they focus on 2 things…SCANNING and FIREWALL. They don’t waste your time with the silly ‘common-sense checklists’ (have a good password, file permissions, etc). This plugin is good if you’re a responsible tech-savvy user who only needs scanning and firewall.
My only issue is that I think their automated scanning is probably still not as good as WordFence. Their firewall however, should be better since it goes through their proxy. The issue is that their firewall isn’t free. You have to pay.
I think their plugin is great if you get their paid service and use their human-assisted cleanup services ($200/year is pretty cheap compared to paying a developer to clean up your hacked mess several times). Otherwise, I think their standalone plugin isn’t much help. I do like that it’s simple and doesn’t nag you too hard to pay up. Enter an API key and you’re good to go!
4. Single-function plugins
If you know exactly what you’re doing, I’m big fan of those security plugins that only do one thing. Like for only changing WP-admin login url, or blocking certain bots, or blocking certain protocols. These plugins are great because they allow you to have exactly on the security functions you really need/want and not overlap with security mechanisms already implemented by other plugins or by your web server.
WordPress security plugins (I didn’t like)
1. SecuPress
really great design. reminds me of WP Rocket with the super sexy-simplified interface that lays out many options in a friendly way. Unfortunately, the malware scanner is locked off behind a paid service which means the free version offers very little beyond simple protection rules in htaccess. For all I know this plugin might not be all that good but I give it some benefit of the doubt.
2. Defender
Why do I bother? (It’s WPMU.) Hahahah. ok. let’s be fair. WPMU is not known for good themes/plugins/service but I gave this plugin a try. It’s designed well and looks user-friendly. but has the similar issue as many other free security plugins, the most important features are castrated from the free version. so no malware scanner unless you pay. sorry, no thanks.
3. All-in-One Security
Malware scan requires offsite signup. Ugh, no thanks. All the other security features like blocking specific traffic were great. Ultimately, I just felt this plugin felt kinda outdated. I didn’t like the styling. The ribbons in the UI look so early 2000’s “web 2.0”.
4. iThemes Security
I don’t know this plugin ever gets raving reviews. It’s too bad because I did like their UI. I liked the one simple page where you could see all the options to enable or not. The sad part is that if you know what you’re doing, you’ll quickly realize many of these “security features” are simple htaccess rules, nothing more. Then again, maybe it’s unfair of me to say that since newbie users do find tremendous value in it and it’s great that they aren’t over-cluttering their plugin.
5. MalCare Security (FREE & PAID)
Many people love this one but I wasn’t such a fan. Don’t like the UI taking over my screen and looking completely non-WordPress. The first-time setup was quite slow. It advertises quick scanning but was slower than other top plugins. I do like that it advertises not overloading your server.
I find it amusing when a malware-scanning plugin itself looks and functions like malware. Even their website feels like malware as well. Something between an unfinished website and an advertisement. Kind of like those parked domains that you visit by accident when misspelling a website URL. Also looks like those damn CNET download pages where you couldn’t tell which download button was real or an ad.
Oh look, the scanner finished and didn’t find any of the ones that WordFence found. I totally get the allure of a simple set-and-forget security plugin that promises low server resource usage but this is not a good one. Having no options is almost the same as having no features, IMO. There’s simplicity and then there’s just blindly trusting a plugin to work exactly how you want it to work.
Then there was another site that was hacked (I already found it via scanning system processes from the server and what not but decided to test Malcare on it). Malcare DID find the hack BUT put a red button that said “AUTO CLEAN”. I click on it and it wants me to “upgrade” to a paid plan in order to clean the malware. Just for the heck of it, I click UPGRADE and then hit an error page that said “error, report this” and also other option that I forgot. I click to go back and sure it enough, it won’t even tell you where the hack is so you can clean it off yourself.
So basically…this thing is like one of those free software you find online that looks like it’s fully functional but then asks for money before running its critical function. I’m just fed up, I feel tricked and don’t even see the point of this plugin. They might as well just be upfront and tell you that it only scans but doesn’t remove any malware unless you pay. Ok…I put Wordfence on and sure enough it finds it.
6. WebARX – Web Application Security
Heard some good reviews about this one but didn’t bother to try since they only have a paid version. Luckily enough, a generous reader gave me his account access and I got to try it for myself. The UI and overall design is really nice. Feels premium, feels like you’re really protecting your site with state-of-the-art security.
The actual experience and overall protection of the plugin was something else. The UI and settings were really nice. Options and settings were laid out comprehensively and explained well with helpful descriptions. But those settings only covered the firewall and typical checklist security features. The malware scanner (OR LACK OF) was a totally different experience. There is no malware scanner?!
I don’t even get how they make any money at all as a PREMIUM-only plugin. There is no free version and yet the paid version itself feels like trial software. So what the heck are we paying for? You’re paying for a firewall, nice user interface, and fancy report charts that show what attacks are being blocked by their firewall. Sorry but this plugin gets a total thumbs down from me. Totally overrated and incomplete as a security plugin. If all you wanted was a fancy firewall plugin, this is it…but then again, the best firewall is probably best done from your server (protecting the entire server instead of only one site).
7. Security Ninja
I’m a little torn. On one hand, the functions and features were laid out in a simple organized manner. On the other hand, the UI made you feel like this plugin wasn’t so native with WordPress. The interface seemed to link out to their website incessantly. 80% of the things you clicked on lead out to their website where you guessed it…and upsell to their PAID VERSION!
The plugin was simple enough but seemed like you had to pay for anything to really work. Sorry, no thanks! This isn’t even trialware or adware. It’s just a catalog plugin of their security features. Hahaha. With that said, the scan is nice if you want to see a quick checklist of which common sense things to fix on your site.
8. Bulletproof Security
Cool name but I’m not a fan. Really clumsy outdated UI right off the bat. Seriously, the UI is a MAJOR turnoff. They make even basic functions look super complicated. The “features” layout is so confusing and unorganized. And why the heck am I seeing CSS styling options throughout security settings? Oh and the scan didn’t find anything whereas other plugins did.
9. VaultPress
Worthless and annoying. 2 big flags for me. One is that it requires JETPACK…uggh, stop forcing that on us! The other disqualifier is that it’s a PAID plugin. So you’re gonna make me PAY to use Jetpack?! Sorry, but no. I didn’t continue any further. I also saw bad reviews of it not being able to detect hacks. Why am I not surprised?! I simply don’t like/trust those Automattic guys.
So basically…it’s built by Automattic/Jetpack and requires a paid subscription to do anything. As with many things by those guys, there’s complaints about it being slow, not working well, and not worth the price they’re demanding. I didn’t bother to pay or try it out at all. Nope, not when they got that reputation.
John
You didn’t mention MalCare, curious if you have any thoughts about it?
Good One
How about resources usage, many shared host ban the account who use Wordfence.
Yin
You can adjust the settings to use less resources.
Aenony
What Shield?
I’ve switched to that recently and it seems very promising – any thoughts?
Aenony
Sorry I meant write – what about shield?*
Akshat Choudhary
Hey.
I am from MalCare. Thank you for your review. I think many of the usability issues are valid and we will work on this feedback. Personally we are not big fans of complicated settings. They give a false sense of security when you do a million things. We use our entire network of sites to auto-configure your site.
Now, regarding the scan, I have seen the video about WordFence scan and that is definitely not a malware. You can see that the big string is commented out and is not malicious at all. WordFence actually has generated false positives that causes you to get scared. We take care of all of this automatically and warn you only when there is a real problem.
Would love to connect and talk to you.
Yin
Hi Akshat! Thanks for stopping by. Clarification: I never said Malcare was malware…only that it looks like malware in its design (colors and appearing like a giant advertisement taking over your string).
Akshat Choudhary
I think you misunderstand my comment. You have mentioned in your video that WordFence found the malware on your test site and we missed it. This is not the case.
Your site did not have malware. The file flagged by WordFence only contains a comment and is not malware. You can clearly see it in your video. Hence you are recommending WordFence for their failure.
We actually correctly identified it as not-a-malware. Hence making sure that you are not alarmed.
Yin
Hi Akshat (and to anyone else following this comment)….I just had a client site who was hacked a day ago and I gave your plugin a try just now.
What was the result?
– It found the hack and said “YOUR SITE IS HACKED”. Then gave me option to “auto clean”.
– BUT, it told me I had to upgrade (I assume pay $$$) if I wanted to auto-clean it. Then I click [UPGRADE] and it says ERROR…REPORT IT or WAIT. I dunno man. Just feels like straight adware, those free programs you download off the internet that seem to work and then ask for payment right before running its critical function.
– Not surprisingly either, your plugin wouldn’t tell me what or where the hacked files were either. Even though I already know.
So here’s where I’m at. Your plugin doesn’t clean or even tell you where the hacked files are unless people pay and on top of it, the process error-ed out even if I was willing to pay.
Luis Medilo
I used to use Wordfence but then it started slowing down my site even when configured for low resource usage. I switched to NinjaFirewall and never looked back. Does the same job without sacrificing speed.
Stephan
Very helpful article, thank you so much for this 🙂 I just have a question as a new WPMUDEV-subscriber who is using the Pro-Version of Defender: Would you mind to re-evaluate their malware-scan-quality again if I send you the Pro-Version of the plugin? I have realized already that even some of their Pro-Versions are not the best fit for my sites. E.g. I have already replaced Hummingbird with LiteSpeed (I have LiteSpeed Webserver operating my sites already), Snapshot replaced with Updraft, Smush replaced with Shortpixel, Forminator with Gravity Forms, SmartCrawl replaced with RankMath and dropped Beehive due to switching from Google Analytics to self-hosted Matomo. So actually Defender is the only plugin that I use, plus as a subscriber they offer cleaning for hacked or broken sites for free, so I can fire support-chat and within minutes the service can start. I don’t have the competence to evaluate their malware-scanning quality, so I wonder if you could include the Pro-Version of Defender into your test? I understand that this can be time-consuming, so I would really appreciate your effort and also understand, if you’d refuse. Anyway, have a wonderful day and thank you for all your valuable insights that you share on your blog 🙂
Yin
Hi Stephan,
I think there is no way that Defender’s signature library can be better or more comprehensive than Wordfence. Since you already have the pro version, try installing WordFence free version and see for yourself. Or yes, you’re welcome to send me the pro version of Defender and I’ll look when I can.
Prasad
Hello,
So, How was Pro-Version of Defender?
I will appreciate your valuable input!
Thank you
Regards
Yin
I haven’t tried but I don’t imagine it being better than even the FREE version of WordFence.
Stephan
Hey Yin,
sorry for late reply, I have uploaded Defender Pro via Dropbox > Privnote and added the URL to my website-field in this comment …
Just in case that the plugin only works with my credentials, you can of course provide me an admin-account for the test-site, so that I can add my credentials there 🙂 I would be happy to assist you with this test.
Kind regards,
Stephan
Yin
Ok, I have it downloaded and will try on the next hacked site I have. Thanks for sharing.
Morgan Reece
According to this IT guy in Germany, Ninjafirewall offers better protection:
Does WordFence protect my WordPress site as well as everyone claims?
https://translate.google.com/translate?hl=en&sl=de&u=https://www.damianschwyrz.de/schuetzen-wordfence-ithemes-security-meine-wordpress-seite-so-gut-wie-alle-behaupten-nein/&prev=search
Most of what he says is Greek to me, but the gist of it is, he explained how he hacked Wordfence to exploit known WP vulnerabilities. Then he did the same tests on NinjaFirewall, and they passed all but one test.
Here are a few salient quotes:
“If you want, you can pack an htaccess into the WP-Admin and enjoy the additional performance because no more bots try to log in.”
“The specialists among us can also deactivate PHP within the writable folder (eg wp-content / uploads). Then maybe you will be able to write there, but you will never really be able to do anything. I have already written quite a bit about this in my article “ WordPress hacked ”.”
“If you don’t update your pages, you’ll be hacked sooner or later – with or without WordFence.”
“After I was asked, I carried out the same attacks on Ninja Firewall and was able to determine that the attacks were successfully blocked by all of the methods mentioned. The only exception here are the PHP Object Injections. However, you can also activate the blocking of serialized strings in the settings. In addition to this attitude, there are many others that are more suitable for the professionals. In other words – you have to know what you are doing and if you activate everything there, you should check the system thoroughly. WordPress works quite a lot with serialized strings – so it may be that you are “safe”, but the website does not work.”
I’d love to know your thoughts after you have a chance to review his article (it’s very long).
Have a blessed day!
Yin
There is truth to what he says. NinjaFirewall is indeed awesome and comprehensive. And sure, in some ways you could say it covers things that WordFence does not. But whether I personally would use it is a different matter. If you are too aggressive with your security without understanding which precautions your site needs or not, you could slow it down and/or block necessary protocols from working.
Morgan S Reece
Yep. I think I did this when I copied free rules into my Cloudflare firewall rules.
Morgan Reece
UPDATE: I did some more research on NinjaFirewall, and found this post about installing it:
https://serverpilot.io/docs/how-to-use-ninjafirewall-for-wordpress/
This was written by creators of HeatShield (https://heatshield.io/docs/modsecurity-alternative/) a plugin that calls itself a ModSecurity alternative. I’d never heard of ModSecurity, but it turns out it blocks bad requests at the server level. Siteground has it enabled by default on all of their shared hosting and they update the rules weekly.
https://www.siteground.com/kb/how_does_siteground_protect_my_website/
So here’s my question:
Do I even need a security plugin? Does NinjaFirewall do something Siteground/ModSecurity isn’t already doing?
I feel like I read somewhere on your site that you don’t bother with security plugins, but might have you mixed up with someone else.
Thanks for being so generous with your knowledge on this site. If you have time to answer I’d appreciate it very much. 🙂
Yin
I think you should read this guide of mine. Nerd Guide to WordPress Firewall Security
And then beyond that, you need to ask your developer. Either A) you try things yourself blindly and see what happens or B) let a developer worry about it for you.
I can’t answer to much as I have no idea how simple or complicated your site is, what kind of hosting environment, what kind of traffic/attack patterns you have.
Morgan S Reece
Ok your guide cleared things up a lot! Time for me to run some more experiments to see what happens. Thanks for helping me learn how!
Morgan Reece
Oh Yin what a goldmine of information you are! Thanks for the link, I will study that article next.
I don’t have a developer, bootstrapping by necessity so learning all I can. The past five years I’ve had a lot of detours on my dream to start a site for women to live on purpose and be creative. On paper I’m at ground zero, but thanks to you and other helpful souls in the developer community each day brings more knowledge and clarity on how to structure things and make my dream a reality. So thank you, thank you, thank you!
Yin
You’re very welcome and I’m glad you like it. Wishing you and your organization all the best.
Roland Ricaurte
Latch It does not have functionalities like wordfence but it is a great layer that I assure very very few will be able to pass through.
SOUMYA MONDAL
Hi, I really loved the way you put all the plugins like they are in the WordPress Official directory, all with their ratings, Download option, Every single thing. Can you teach me how you did so? Is it an iframe? please let me know, I’m really excited to learn that.
Yin
It’s native WordPress embed behavior when you paste the plugin link into your post.
Robert Kok
Hi, I bought the WebARX LTD on appsumo because of FOMO. I decided to look into security plugins and found your website. BTW amazing reviews you have, very helpful.
WebARX is now called Patchstack. I found a review on G2.com from Cory M. from competitor BitFire who does a complete analysis. Take downs:
The firewall includes several Denial of Service attacks in components it is based on. Most of the filters can be easily bypassed with known bypasses since the filtering is based on the defunct open source project: https://github.com/phpids/phpids
On the Owasp Top 10 https://owasp.org/www-project-top-ten/
only XML Entitiy injection is not bypassable
Based on your review I wanted to go for Wordfence, but after visiting the BitFire website and watching their YT video’s this looks very interesting, especially the RASP sandbox and all the extra features you get for free. Hope you can do a review on BitFire. BTW I’m in no way affiliated with BitFire, just found them by accident on G2.com while searching for Patchstack reviews.
Lesly
Hey Yin, I was passing by and found that WP Cerber was removed from WP plugins for security issues on September 2, 2022. You should remove it from your list ;). Cheers mate!