The WordPress development community continually combats security threats. The Open Web Application Security Project is an example of community-based security mitigation.
Beyond community efforts, there are many security plugins for WordPress. Here is a list. There are plugins for firewalls, spam protection, two-factor authentication, and more. All of these plugins are free, though several offer premium features.
Security Plugins for WordPress
Google Authenticator is a free plugin that adds two-factor authentication to a website's login to help prevent unauthorized access. Price: Free.
Login LockDown helps prevent brute force attempts. It records the IP address and timestamp of every failed login attempt and then locks out offending addresses after a set number of failed attempts. Price: Free.
iThemes Security offers more than 30 ways to secure and protect a WordPress site, including two-factor authentication, malware scan scheduling, file change detection, away mode, hide login, database backups, and more. Price: Free. Premium plans start at $52 per month.
All In One WP Security & Firewall uses a security-points grading system to measure how well a site is protected based on its security features. Reduce risk by checking for vulnerabilities and by implementing and enforcing the latest recommended WordPress security practices and techniques. Price: Free.
WP fail2ban logs all login attempts, whether successful or not. It comes with three filters to allow a split between immediate banning (hard) and the traditional approach (soft), with additional rules for custom configurations. Price: Free.
SecuPress Free is a WordPress security toolkit that runs scans when you start them manually. Features include brute-force login protection, a firewall, IP blocking, security alerts, malware scans, and geolocation blocking. The Pro version runs automated scans. Price: Free. Pro is $65 per year.
Defender provides malware scans, a firewall, and two-factor authentication login security to stop brute force attacks, SQL injections, cross-site scripting, and other WordPress vulnerabilities. Defender starts with a list of one-click hardening techniques to add layers of protection to your site. Price: Free. Additional security through WPMU Dev membership.
BulletProof Security is a complete security solution that includes a malware scanner, firewall, login security and monitoring, backup, anti-spam, and more. The Pro version features a real-time file monitor, quarantine and auto-restore systems, an intrusion detection system, a firewall, and more. Price: Free. Pro software download is $69.95.
Wordfence includes an endpoint firewall and malware scanner, two-factor authentication, and a real-time traffic monitor. Block attackers by IP or build advanced rules based on IP range, host name, user agent, and referrer. The premium version provides advanced support, more frequent scans, geolocation blocking, and real-time updates to Wordfence’s “Threat Defense Feed.” Price: Free. Premium is $99 per year.
Security Ninja provides roughly 50 security tests and allows users to block over 600 million bad IPs with one click. Check your site for security vulnerabilities, issues, and holes, and take preventive measures against attacks. Every test is explained, with instructions provided on how to repair problems. Pro version includes scheduled scans, automated fixes, advanced support, and more. Price: Free. Pro version is $8.99 per month.
Anti-Malware Security and Brute-Force Firewall lets you run a complete scan to automatically remove known security threats, backdoor scripts, and database injections. Block malware from exploiting plugins with known vulnerabilities. Download definition updates to protect against new threats. Price: Free.
Hide My WP Ghost lets you protect your WordPress website by hiding authentication paths such as wp-admin, wp-login.php, and wp-login. Change the common WordPress paths to make them harder for hacker bots to find. Price: Free.
Cerber Security, Antispam & Malware Scan defends against hacker attacks, spam, trojans, and malware. Harden WordPress with a set of flexible security rules and security algorithms. Run the malware scanner, integrity checker, and file monitor. Track user activity with flexible email, mobile, and desktop notifications. Stop spam with the anti-spam engine and reCAPTCHA. Control access with black and white IP access lists. Configure a schedule for automated recurring scanning. Price: Free. Pro version is $29 per quarter.
WP Security Audit Log lets you keep an activity log of your WordPress install, including multisite. The premium version enables you to monitor visitors and track activity in real-time. Price: Free. Pro is $89 per year.
Shield Security is an easy-to-set-up solution that offers protection from attacks and sends alerts only when necessary. Automatically limit login attempts, block brute force attacks, and scan core files to detect malicious changes. Includes two-factor authentication, user activity logging, firewall, automatic IP blacklist, and more. Price: Free. Pro is $12 per year.
WP Hide & Security Enhancer lets you hide your WordPress core files, login page, and theme and plugins paths from appearing on the frontend. Price: Free.
Jetpack offers tools to improve security, performance, and site management. The security portion includes features for brute-force attack protection, site backup, two-factor authentication, changelog, malware and code scanning, automated threat resolution, and more. Price: Free. Premium plans start at $39 per year.
Sucuri Security is a suite that features security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, security hardening, notifications, and post-hack security actions. Price: Free.
Really Simple SSL automatically detects your settings and configures your website to run over HTTPS. Insecure content is fixed by replacing HTTP URLs with HTTPS. Price: Free. Premium version includes advanced features and support.