I’m sure that you’ve heard about the recent WordPress security vulnerabilities by now. Not to mention a recent uptick in WordPress attacks. I know it’s been on my mind a lot lately.
Over the past several weeks, I’ve been dealing with a number of security issues on client sites and even my own websites. In May, I had my server compromised and had to pay for a costly clean-up to remove all of the infected files. Not a fun scenario, as you can probably imagine.
Since then, I’ve dedicated numerous hours to increasing security on the websites that I maintain, to be sure that hacks and malware are blocked as often as possible. Let me be clear, there is no 100% fool-proof security online, but you can do a lot to remove most of your risk of threats. This is an important consideration if you plan to protect your website visitors from malware attacks or have any interest in keeping your website from being blacklisted by Google…and I hope that you do!
Getting Started with WordPress Security
Now, this is by no means the most exhaustive round-up of WordPress security plugins or a complete guide to securing your WordPress website, but I hope that this post can at least give you a good start and some basic protection for free. Because dealing with a hacked website is really the last thing in the world you want to deal with this week. Am I right?
So, let’s get started.
Wordfence is one of the most all-inclusive free plugins available for WordPress security. It’s also pretty simple and straightforward. Once installed, you can visit the “Options” page to select one of five security levels. You also have the option to go through all the settings on the “Options” page and create your own custom level of security.
With Wordfence, you’ll be able to view live traffic, get alerts about who’s logging into your site and which themes or plugins need updating. You’ll also have the option to whitelist or blacklist certain IPs and enable a firewall that blocks most known threats.
I use this plugin with a lot of my clients and on my own websites, and I highly recommend it. There is also a Wordfence premium version available with additional features.
Download the free plugin here: https://wordpress.org/plugins/wordfence/ or add it in your WordPress dashboard (Plugins → Add New → Search “Wordfence Security”).
iThemes Security (formerly Better WP Security) has been a leader in WordPress security for years. Their free plugin will fix common issues and stop automated attacks. It will also help you to harden security and optimize user login credentials to strengthen your overall WordPress security. The iThemes Security plugin includes malware scanning, protection from brute force attacks, 2-factor authentication, and more if you upgrade to premium services.
If you haven’t heard of them before, you might recognize another one of their popular products, Backup Buddy, which allows you to back up your complete WordPress website, including the database.
Download the free plugin here: https://wordpress.org/plugins/better-wp-security/ or add it in your WordPress dashboard (Plugins → Add New → Search “iThemes Security”).
Sucuri is one of the most trusted WordPress security companies on the web. They have a leading blog on WordPress security that I recommend following for the latest updates and security tips.
In the free Sucuri Security plugin, you’ll get activity logging, alerts of any suspicious activity or file changes, blacklist monitoring, malware detection, and various settings to harden your overall website security. The setup might be a little more complex for the free plugin, but there are lots of good features available.
Download the free plugin here: https://wordpress.org/plugins/sucuri-scanner/ or add it in your WordPress dashboard (Plugins → Add New → Search “Sucuri Security”).
Sucuri also offers the option to upgrade to premium security services. Find out more about that here:
Other Popular WordPress Security Plugins
I haven’t tested all of these plugins myself, but they are highly recommended by other WordPress users.
- Anti-Malware and Brute-Force Security by ELI — This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.
- BulletProof Security — WordPress Website Security Protection: Firewall Security, Login Security, Database Security.
- All In One WP Security & Firewall — A comprehensive, user-friendly, all in one WordPress security and firewall plugin for your site.
- Simple Security Firewall — Comprehensive and Easy-To-Use WordPress Security. Comes With Business Grade Support, with no “premium” restrictions.
Stand Alone WordPress Security Plugins
If you’re looking for added protection in just one specific area, here are a few great plugins I have personally used and highly recommend.
- Activity Log — Tracks virtually ALL user activity. Visit the link for a full list.
- Akismet – Automatically detects and blocks most spam comments.
- Disable Comments – During brute force attacks (or just because), prevent users or bots from accessing your comments area.
- Limit Login Attempts – Limit how many times users can attempt login or get locked out.
- Simple Login Log – Track logins on your site for all users.
- WP-CopyProtect – Prevent non-admin users from using right-click or highlighting functions on your site.
Did I miss anything? Leave your favorite security plugins in the comments.