10 Must-Have WordPress Security Plugins

WordPress is one of the most popular blogging platforms, yet this popularity often makes it a primary target for hackers. The WordPress core itself is extremely secure, and whenever new security vulnerabilities are found, the official team ensures that patches and upgrades are issued promptly. It is, however, possible to fortify your WordPress site even further by installing and configuring several free security-related plugins. In this post, we look at 10 such plugins aimed at making your site even more secure.

Login LockDown

Login LockDown records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery.
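The mechanism described above, as an added example rather than Login LockDown's own code: failed attempts are grouped by source range (a /24 for IPv4, a /64 for IPv6, both assumptions of this example) and counted in a sliding window; once the threshold is hit the whole range is locked out for a fixed period, and a successful login clears the counter. The thresholds and the timestamps passed in are constructed values.

```python
"""Sliding-window lockout of failed logins, keyed by source IP range.

Added example, not the plugin's code. Timestamps are passed in explicitly
(seconds) so the behaviour is deterministic and easy to test.
"""
from collections import defaultdict, deque
import ipaddress


class LoginLockdown:
    def __init__(self, max_failures=3, window_seconds=300, lockout_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # range -> timestamps of recent failures
        self._locked_until = {}              # range -> time the lock expires

    @staticmethod
    def source_range(ip):
        # Group nearby addresses so an attacker rotating within one block
        # still counts as a single source (assumed prefix sizes).
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def is_locked(self, ip, now):
        """True while the caller's range is inside a lockout period."""
        rng = self.source_range(ip)
        until = self._locked_until.get(rng)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[rng]  # lock expired, forget it
            return False
        return True

    def record_failure(self, ip, now):
        """Record one failed attempt; returns True if this one triggered a lock."""
        rng = self.source_range(ip)
        q = self._failures[rng]
        q.append(now)
        # Drop failures older than the window so slow, spread-out attempts don't accumulate
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[rng] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, ip):
        """A valid login resets the failure count for that range."""
        self._failures.pop(self.source_range(ip), None)


if __name__ == "__main__":
    ld = LoginLockdown()
    for t, ip in ((0, "203.0.113.5"), (10, "203.0.113.6"), (20, "203.0.113.7")):
        print(ip, "locked range" if ld.record_failure(ip, t) else "failure noted")
    print("203.0.113.99 locked:", ld.is_locked("203.0.113.99", 21))
```

The lock is keyed on the range rather than the exact address, which is what stops an attacker from sidestepping the limit by alternating between neighbouring addresses; the cost is that a shared NAT or proxy locks out everyone behind it, so the lockout period should stay short.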

WP Security Scan

WP Security Scan checks your WordPress installation for security vulnerabilities and suggests corrective actions. It checks for weak passwords, file permissions and database security, and also has an option to hide the WordPress version number on the front end.

Update Notifier

WordPress has a nice built-in feature whereby new versions of WordPress or its plugins are announced in the admin area. If you do not log in to the admin area often, or are not subscribed to an RSS feed for update notifications, this plugin will email you each time a new theme, plugin or WordPress upgrade is released.

WP-MalWatch

When hackers infiltrate a blog, the first thing they do is plant hidden files, disguised .PHP files and malicious .HTACCESS files in various directories. Their goal is to litter your WordPress installation and theme with links to their sites. WP-MalWatch performs a nightly security scan of your WordPress installation looking for evidence of foul play, and if it finds any, a dashboard widget tells you where to take a closer look.
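An added example of the kind of scan described above (not WP-MalWatch's own code): it walks a WordPress tree and reports files that match the patterns named in the paragraph (an .htaccess anywhere but the site root, dot-hidden PHP files, PHP under wp-content/uploads), and separately diffs a SHA-256 manifest against the previous run so that any new or modified file is surfaced, whatever its name. The rule set and the small site that build_sample_site() creates are constructed for this example.

```python
"""Nightly-style integrity scan of a WordPress tree.

Added example, not WP-MalWatch's code. Two complementary checks:
rule-based anomalies for files that should not exist where they are, and a
manifest diff that catches changes the rules do not know about.
"""
import hashlib
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5"}  # assumed set of executable extensions


def scan_site(root):
    """Return sorted (rule, relative_path) findings for suspicious files."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        parts = rel.parts
        # WordPress writes .htaccess in the site root; copies deeper in the tree are unexpected
        if path.name == ".htaccess" and len(parts) > 1:
            findings.append(("htaccess-outside-root", rel.as_posix()))
        # Dot-prefixed PHP files are never part of a stock install or theme
        if path.name.startswith(".") and path.suffix.lower() in PHP_SUFFIXES:
            findings.append(("hidden-php", rel.as_posix()))
        # The uploads directory should hold media, not executable code
        if parts[:2] == ("wp-content", "uploads") and path.suffix.lower() in PHP_SUFFIXES:
            findings.append(("php-in-uploads", rel.as_posix()))
    return sorted(findings)


def build_manifest(root):
    """Map relative path -> SHA-256 of its content; save this after each run."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifest(baseline, current):
    """Files added, removed or modified since the baseline manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def build_sample_site():
    """Create a small constructed WordPress-like tree in a temp dir; returns its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    files = {
        ".htaccess": "# constructed: normal root rewrite rules\n",
        "wp-config.php": "<?php // constructed placeholder\n",
        "wp-content/themes/default/index.php": "<?php // constructed theme file\n",
        "wp-content/uploads/2010/01/photo.jpg": "constructed-image-bytes",
        # three planted files the scan should flag (contents are placeholders)
        "wp-content/uploads/2010/01/.htaccess": "# constructed: unexpected .htaccess\n",
        "wp-content/uploads/2010/01/gallery.php": "<?php // constructed: code in uploads\n",
        "wp-includes/.cache.php": "<?php // constructed: hidden php file\n",
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rule, rel in scan_site(site):
        print(f"{rule:22} {rel}")
```

The rule scan is cheap and explains each hit, but it only finds what it was told to look for; the manifest diff is what turns the nightly run into change detection, provided the baseline is stored outside the web root where a compromised site cannot rewrite it.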

Admin SSL

Admin SSL secures the login page, the admin area, posts and pages (basically every page where a password can be entered) using private or shared SSL.

WordPress Firewall

This WordPress plugin inspects web requests using simple WordPress-specific heuristics to identify and stop the most obvious attacks. It whitelists and blacklists pathological-looking phrases based on which field of the page request they appear in (unknown or numeric parameters versus known post bodies, comment bodies, etc.).

WP Sentry

This is a simple plugin that allows access-restricted posting, letting bloggers discuss sensitive subjects without Google or the world finding the post. Users may be members of multiple groups, and multiple groups and multiple individual users may be allowed to view each post.

myEASYbackup

This plugin allows you to back up, restore and migrate your WordPress installation, both files and MySQL tables, with a single click. When performing a backup, myEASYbackup creates a compressed data set file that can be stored outside the WordPress installation directory. A list of all data sets on the server is also logged in the admin area.

Admin Log

Admin Log displays a list of all pages accessed in the blog's admin area, updated every time an admin page is accessed. The information logged includes the admin page accessed, the user and the time of access.

AskApache Password Protect

This plugin lets you set up password protection for your blog using either HTTP Basic Authentication or the more secure HTTP Digest Authentication. The power of this plugin is that it creates a virtual wall around your blog, allowing it to stop attacks before they even reach your blog to deliver a malicious payload.
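To show why the paragraph calls Digest the more secure of the two schemes, here is an added example (not AskApache's code) that computes what each puts on the wire: a Basic header is a reversible encoding of user:password, while a Digest response is built from an MD5 of the password that the server can store in htdigest form and verify without ever receiving the plaintext (RFC 2617 with qop="auth"). The realm, user, URI and nonces are constructed values; the nonce bookkeeping in DigestServer is this example's own, simplified design.

```python
"""HTTP Basic vs HTTP Digest authentication (RFC 2617, qop="auth").

Added example, not the plugin's code. Shows what each scheme exposes on the
wire and how a server verifies a Digest response from a stored HA1 value.
"""
import base64
import hashlib
import secrets


def _md5(text):
    # Digest is defined over MD5; it protects the password in transit,
    # it is not a modern password hash.
    return hashlib.md5(text.encode()).hexdigest()


def basic_header(user, password):
    """Authorization header for HTTP Basic: an encoding, not a hash."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Anyone who observes a Basic header on a plain HTTP connection gets the credentials back."""
    user, password = base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1)
    return user, password


def digest_ha1(user, realm, password):
    """What an htdigest-style file stores; the server never needs the plaintext."""
    return _md5(f"{user}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Minimal server side: issues nonces and verifies client responses (simplified)."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user   # user -> HA1, as loaded from an htdigest file
        self.issued = {}                  # nonce -> highest nonce-count accepted so far

    def challenge(self):
        """Fresh server nonce for a WWW-Authenticate challenge."""
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return nonce

    def verify(self, user, method, uri, nonce, nc, cnonce, response):
        if nonce not in self.issued:
            return False                  # nonce never issued (or already expired)
        if int(nc, 16) <= self.issued[nonce]:
            return False                  # nonce-count reused: a replayed response
        ha1 = self.ha1_by_user.get(user)
        if ha1 is None:
            return False
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self.issued[nonce] = int(nc, 16)
        return ok


if __name__ == "__main__":
    print(basic_header("editor", "s3cret"), "->", decode_basic(basic_header("editor", "s3cret")))
    realm = "WP Admin"
    server = DigestServer(realm, {"editor": digest_ha1("editor", realm, "s3cret")})
    nonce = server.challenge()
    resp = digest_response(digest_ha1("editor", realm, "s3cret"), "GET", "/wp-admin/", nonce, "00000001", "abc123")
    print("digest accepted:", server.verify("editor", "GET", "/wp-admin/", nonce, "00000001", "abc123", resp))
```

Digest keeps the password off the wire and the nonce-count check defeats straightforward replay, but it does nothing for the rest of the session; the admin cookie that follows a successful login still travels in the clear unless the site is behind SSL, which is why this plugin and Admin SSL complement rather than replace each other.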

For more WordPress plugins, please visit the WordPress Plugins category on HotScripts.


  1. Admin SSL does not seem to be supported anymore. It has not been updated in over 480 days and is reported to be broken with 2.9.x versions of WP. (David L's last blog: Opera and the System Tray)

  2. As a matter of fact, I recently had one of my blogs taken down. There's a tip my host gave me. They told me to make the admin account non-functional as an admin, to log in as another administrator, and to have a different login name than what is displayed. The reasoning is simple: anyone who has ever worked on WordPress knows that the first account made is admin, no matter what the display name is. So using a brute-force attack, they already know the first half of the equation, that the login is "admin". Securing this will make your site that much more secure. (Spitt's last blog: Evony: Basic Combat guide)

  3. Spitt, you are correct. In WP 3.0, we will easily be able to configure the name of the admin account. However, for now, I use a plug-in called Admin renamer extended to rename it. Other security-related plug-ins I use are Chap Secure Login and WordPress Exploit Scanner. (David L's last blog: Opera and the System Tray)

  4. Yes, I have found quite a few plugins are not supported for WP 3.01; it is a shame, the ones I want tend to stop at around 2.76.