10 Plugins To Help Keep WordPress Installations Secure

Many WordPress plugins claim to protect you from any and all attempts to hack into your installation and wreak havoc with your blog or website, so how do you decide which one is right for your needs? In this article, we’ll share details of ten WordPress security plugins to help you decide.

Wordfence Security


Description: Wordfence can verify your core, theme and plugin files against known-good copies and repair altered ones, so you do not need a backup to restore them. It works on multiple sites and can be configured to email you when threats are detected. The simple interface is extremely easy to use. Wordfence runs a huge variety of scans (comments, posts, plugins, themes, password strength, unauthorized DNS changes, disk space, etc.) and also looks for malware, phishing content and back doors.

Cost: Free and paid. The plugin itself is free, but if you need to block countries and schedule scans, you must purchase an API key at a cost of $17.95 to $89.95 per year, depending upon the number of keys needed.

Last Updated: April 19, 2013 / Downloads from WP.org: 430,534

MVIS Security Center


Description: The plugin identifies problems and locks down your WP installation in a three-step process. A big plus is that it runs through all your installed plugins as well as core WP files, notifying you of known vulnerabilities, which saves you from having to keep up with news about your plugins. The user check step flags potential problems such as weak passwords.

Cost: Free and paid. The paid version (MVIS PROtection) provides email alerts for new problems around your unique WP setup and advice on how to fix and guard against those problems.

Last Updated: April 16, 2013 / Downloads from WP.org: 2,000

BulletProof Security


Description: Protects against XSS, RFI, CRLF injection, CSRF, Base64-encoded payloads, code injection and SQL injection attempts, and features one-click .htaccess security protection. The Pro version offers a plugin firewall, safe image upload, php.ini and additional security modes, as well as email alerts and log file options. Secures your ‘wp-admin’ folder and the site’s root folder with a single click. Although users like the large variety and scope of functionality, the interface can be confusing.

Cost: Free version and BulletProof Security Pro version for $59.95

Last Updated: April 15, 2013 / Downloads from WP.org: 618,279

Login Security Solution


Description: If the only functionality you feel you need is protection against brute-force and dictionary attacks on the login form, Login Security Solution might be just the ticket. It tracks IP addresses, usernames and passwords, and monitors logins made through form submissions and cookies. By slowing down its response after repeated login failures, the plugin frustrates attackers so they move on to easier targets. An idle timeout and a maintenance mode are also included. Users have a lot of good things to say about this plugin.

Cost: Free

Last Updated: February 22, 2013 / Downloads from WP.org: 41,517

Better WP Security


Description: This free plugin has many satisfied users and features that rival paid products. It is easy to navigate and color-coded to draw attention to the most serious problem areas. If you run WP from a sub-directory, the frequent upgrades to this plugin may cause frustration, but its effectiveness at preventing breaches makes it worthwhile. It can be used in “one-click” mode, or features can be enabled individually. Requires Apache or LiteSpeed with mod_rewrite, or NGINX.

Cost: Free

Last Updated: April 19, 2013 / Downloads from WP.org: 596,890

WebsiteDefender WordPress Security


Description: WebsiteDefender offers three WP security plugins. WP Security appears to cover the functionality of the other two, which haven’t been updated in over a year (although their combined downloads are nearly 2 million). You need to register with the company to activate all the capabilities of the free version. The paid version monitors your site for security holes with a daily scan and provides information on fixing them.

The plugin checks your passwords, file and folder permissions, database security, WP admin protection, the presence of the WP generator META tag, and more, and provides information and possible solutions. It also replaces the default login error message, which otherwise reveals whether a username exists, and hides your WP version.

Cost: Free and paid – Details for paid version available once you’ve verified ownership of your site.

Last Updated: February 19, 2013 / Downloads from WP.org: 48,616

Duo Security Two Factor Authenticator


Description: In early April, WordPress announced two-factor authentication for blogs hosted on WordPress.com, but you still need a plugin such as Duo Security’s to enable this functionality on your own sites/blogs. It’s easy to install and after you sign up on Duo’s website, you just need to activate authentication on the user types you choose. Can be set up to work with or without smartphone apps.

Cost: Free for up to 10 users. Paid version for more users.

Last Updated: February 4, 2013 / Downloads from WP.org: 3,502

6Scan Security


Description: Key problems it identifies include SQL injection, cross-site scripting, directory traversal, remote file inclusion, etc. The free version of the plugin includes the scanning software and basic login security settings, but fixing the identified risks, backup capability, zero-day research and additional email support are only available in the paid version. Very easy to use. It may be worth a trial of the paid version to test how

Cost: Free and paid. The paid version is $9.99/month; $49.99/month for enterprise.

Last Updated: February 3, 2013 / Downloads from WP.org: 44,783

Limit Login Attempts


Description: This plugin has one main function: it limits the number of login attempts from a particular IP address or auth cookie, which stymies many brute-force attacks. It also offers optional logging and email notification of repeated attempts. Settings control whether the user is told how many attempts remain after a failure and how long the lockout lasts. Easy to set up and simple to use.

Cost: Free

Last Updated: June 1, 2012 / Downloads from WP.org: 287,267
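Both Login Security Solution (above) and Limit Login Attempts describe the same mechanism: count failures per client, tell the user how many attempts remain, lock the client out for a period once they are used up, and (in Login Security Solution's case) slow the response down as failures accumulate. The block below is an added example of that logic and is not code from either plugin. The thresholds (4 attempts, 20-minute lockout, 12-hour reset, one extra second of delay per failure), the in-memory store and the injectable clock are assumptions chosen so it runs stand-alone; a plugin would keep the counters in the database and actually sleep for the returned delay before answering.

```python
"""Per-client login throttling: remaining attempts, lockout, progressive delay.

Added example, not code from Limit Login Attempts or Login Security Solution.
Thresholds, the in-memory store and the injectable clock are assumptions.
"""
import time
from typing import Callable, Dict, List, Tuple


class LoginThrottle:
    def __init__(self, max_attempts: int = 4, lockout_seconds: int = 20 * 60,
                 reset_seconds: int = 12 * 60 * 60, base_delay: float = 1.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts        # failures allowed before lockout (assumed)
        self.lockout_seconds = lockout_seconds  # how long a lockout lasts (assumed)
        self.reset_seconds = reset_seconds      # idle time after which old failures are forgotten (assumed)
        self.base_delay = base_delay            # extra seconds of delay per failure (assumed)
        self.clock = clock
        self._failures: Dict[str, Tuple[int, float]] = {}  # key -> (count, time of last failure)
        self._lockouts: Dict[str, float] = {}              # key -> time the lockout ends

    def _count(self, key: str, now: float) -> int:
        """Current failure count for key, discarding an entry older than reset_seconds."""
        count, last = self._failures.get(key, (0, 0.0))
        if count and now - last > self.reset_seconds:
            del self._failures[key]
            return 0
        return count

    def check(self, key: str) -> Tuple[bool, int, int]:
        """Call before authenticating: (allowed, attempts remaining, seconds until unlock)."""
        now = self.clock()
        remaining_lock = self._lockouts.get(key, 0.0) - now
        if remaining_lock > 0:
            return False, 0, int(remaining_lock)
        self._lockouts.pop(key, None)           # expired lockout (or none)
        return True, self.max_attempts - self._count(key, now), 0

    def record_failure(self, key: str) -> Tuple[int, float]:
        """Call after a failed login: (attempts remaining, seconds to delay the response)."""
        now = self.clock()
        if self._lockouts.get(key, 0.0) > now:  # failure while locked out: stay locked
            return 0, self.base_delay * self.max_attempts
        count = self._count(key, now) + 1
        delay = self.base_delay * count         # grows with every failure (the "slowdown")
        if count >= self.max_attempts:
            self._lockouts[key] = now + self.lockout_seconds
            self._failures.pop(key, None)       # a fresh count starts when the lockout ends
            return 0, delay
        self._failures[key] = (count, now)
        return self.max_attempts - count, delay

    def record_success(self, key: str) -> None:
        """A successful login clears the failure count for that key."""
        self._failures.pop(key, None)


def demo() -> List[tuple]:
    """Walk one attacker through the lifecycle with a controllable clock; returns the trace.

    The client keys are constructed addresses from the documentation ranges."""
    now = [1_700_000_000.0]
    throttle = LoginThrottle(max_attempts=4, lockout_seconds=1200, clock=lambda: now[0])
    attacker, bystander = "203.0.113.5", "198.51.100.7"
    trace: List[tuple] = []
    for _ in range(3):
        trace.append(throttle.record_failure(attacker))   # (3, 1.0), (2, 2.0), (1, 3.0)
    trace.append(throttle.check(attacker))                # (True, 1, 0): one attempt left
    trace.append(throttle.record_failure(attacker))       # (0, 4.0): fourth failure locks the key
    trace.append(throttle.check(attacker))                # (False, 0, 1200): refused for 20 minutes
    trace.append(throttle.check(bystander))               # (True, 4, 0): other clients unaffected
    now[0] += 1200                                        # the lockout expires
    trace.append(throttle.check(attacker))                # (True, 4, 0): fresh count
    return trace


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The key is whatever identifies the client; both plugins key on the IP address, Limit Login Attempts also on the auth cookie. Take the address from the connection itself, or from X-Forwarded-For only when your own proxy sets it, because a client-chosen header lets an attacker pick a new key for every attempt and never hit the limit. Per-IP lockout also does nothing against an attack spread across many addresses, which is why it pairs with strong passwords and a second factor such as the Duo plugin above rather than replacing them.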



Description: If you’ve already identified IP addresses (or IP ranges, host names or referrer URLs) you wish to ban from your site, for example after a brute-force attack, this plugin will do that quickly and easily. Wildcard matching is supported, and a customized message is shown when banned visitors return. Statistics of login attempts by those previously banned are kept.

Cost: Free

Last Updated: April 10, 2013 / Downloads from WP.org: 106,529
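The matching this kind of ban list has to do, as an added example that is not the plugin's own code: exact addresses, address ranges (as CIDR blocks or as wildcards on the dotted form), host names and referrer URLs, each with wildcards. The rule format, a list of (kind, pattern) tuples, and the sample rules are assumptions made for the example.

```python
"""Match a visitor against a ban list of IPs, ranges, host names and referrers.

Added example, not the plugin's code. The (kind, pattern) rule format and
SAMPLE_RULES are constructed for illustration.
"""
import fnmatch
import ipaddress
from typing import List, Optional, Tuple

Rule = Tuple[str, str]   # ("ip" | "host" | "referrer", pattern)


def ip_matches(ip: str, pattern: str) -> bool:
    """pattern is an exact address, a CIDR block (203.0.113.0/24, 2001:db8::/32)
    or a wildcard on the textual form (203.0.113.*).

    Raises ValueError for a malformed ip rather than treating it as not banned,
    so a garbage X-Forwarded-For value cannot slip past the list."""
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)  # False across IPv4/IPv6
    if "*" in pattern or "?" in pattern:
        # Textual wildcard: fine for IPv4; unreliable for IPv6, which has many
        # spellings of one address, so prefer CIDR there.
        return fnmatch.fnmatchcase(str(addr), pattern)
    return addr == ipaddress.ip_address(pattern)


def find_ban(rules: List[Rule], ip: str, host: Optional[str] = None,
             referrer: Optional[str] = None) -> Optional[Rule]:
    """Return the first rule the visitor matches, or None if not banned.

    host is the reverse-DNS name of the address (if looked up) and referrer the
    Referer header; both are optional and only compared when present."""
    for kind, pattern in rules:
        if kind == "ip" and ip_matches(ip, pattern):
            return kind, pattern
        if kind == "host" and host and fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return kind, pattern
        if kind == "referrer" and referrer and fnmatch.fnmatchcase(referrer.lower(), pattern.lower()):
            return kind, pattern
    return None


SAMPLE_RULES: List[Rule] = [          # constructed for the example
    ("ip", "192.0.2.7"),              # single address
    ("ip", "203.0.113.0/24"),         # CIDR range
    ("ip", "198.51.100.*"),           # wildcard range
    ("ip", "2001:db8::/32"),          # IPv6 range
    ("host", "*.crawler.example"),    # reverse-DNS host name
    ("referrer", "*casino*"),         # fragment of a referrer URL
]

BAN_MESSAGE = "You have been banned from this site."   # the customized message shown to banned visitors


if __name__ == "__main__":
    visitors = [("203.0.113.200", None, None),
                ("192.0.2.8", "bot7.crawler.example", None),
                ("192.0.2.8", None, "http://best-casino.example/promo"),
                ("192.0.2.8", None, None)]
    for ip, host, ref in visitors:
        rule = find_ban(SAMPLE_RULES, ip, host=host, referrer=ref)
        print(ip, "->", BAN_MESSAGE if rule else "allowed", rule or "")
```

Two caveats a practitioner should keep in mind with host and referrer rules: host-name matching needs a reverse DNS lookup on every request (slow, and the PTR record is set by whoever controls the address), and the Referer header is whatever the client chooses to send, so referrer bans are useful against referrer spam but are no obstacle to a deliberate attacker. As with login throttling, take the IP from the connection, or from X-Forwarded-For only behind your own proxy.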