Practical Ecommerce

11 Free Plugins for WordPress Security

WordPress is the most popular content management system on the web, mainly due to its flexibility with nearly 50,000 available plugins. For your own WordPress site, be sure to add an extra layer of security to the WordPress framework, so that your website is protected as much as possible from malicious hackers.

Here is a list of security plugins for WordPress. There are plugins for firewalls, spam protection, two-factor authentication, and more. All of these plugins are free, though several offer additional premium features.



Wordfence

Wordfence is a popular security plugin with over 22 million downloads. The firewall stops you from getting hacked by identifying malicious traffic — blocking attackers before they can access your website. Its “threat defense feed” automatically updates firewall rules that protect you from the latest threats. Premium version has country blocking, two-factor authentication and real-time firewall updates. Monitor traffic in real-time, including robots, humans, 404 errors, logins and logouts, and who is consuming most of your content. Price: Free. Premium version is $8.25 per month.

iThemes Security

iThemes Security offers more than thirty ways to lock down WordPress in an easy-to-use security plugin. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password and a secondary code sent to a mobile device such as a smartphone or tablet. Limit the number of failed login attempts allowed per user. Make your WordPress dashboard inaccessible during certain hours. Schedule database backups and have them emailed to you. Assess the security of all your WordPress user accounts at one time and take action on them if needed. Price: Free. Premium plans start at $80 per year.

All In One WP Security & Firewall

All In One WP Security & Firewall offers the latest recommended WordPress security practices and techniques as easy-to-use features. All In One WP Security also uses a security points grading system to measure how well you are protecting your site based on the security features you’ve activated. Add advanced security features to user accounts, login, and registration. Ban users by IP or user agents. Block brute force attacks. Get alerts when your files change. Schedule automatic backups and email notifications. Price: Free.



WP-SpamShield

WP-SpamShield is a WordPress anti-spam plugin that eliminates comment spam, contact form spam, registration spam, trackback spam, pingback spam, and every other type of WordPress spam. This plugin works like a firewall to ensure your commenters are actually human, and that those humans aren’t spamming you. WP-SpamShield provides automatic anti-spam protection for all major contact form plugins, including Contact Form 7 forms, Gravity Forms, Ninja Forms, and Jetpack. Price: Free.

Really Simple SSL

Really Simple SSL automatically detects your settings and configures your website to run over HTTPS. To keep it lightweight, the options are kept to a minimum. All incoming requests are redirected to HTTPS. The site URL and home URL are changed to HTTPS. Price: Free.

Shield WordPress Security

Shield WordPress Security is a complete security solution without “pro” feature restrictions. Block malicious URLs and requests, and block all spambot comments. Prevent brute force attacks on your login and attempted automatic bot logins. Verify user identity with email-based two-factor authentication. Review all major actions that have taken place on your WordPress site by all users. Hide your WordPress admin and login page. Easy-to-use kill switch temporarily turns off firewall features without disabling the plugin. Price: Free.

Hide My WordPress

Hide My WordPress is a plugin to change and hide WordPress admin and login URLs. Hide your admin and login pages, and redirect hackers to a 404 page. Guard against brute force attacks, SQL injection attacks, and cross-site scripting. Price: Free.

Sucuri Security

Sucuri Security plugin for WordPress is a toolset for security integrity monitoring, malware detection, audit logging, and security hardening. Monitor all security-related events within your WordPress site. Access multiple blacklist engines to ensure your brand reputation and website integrity. Get help on what to do if your site is compromised. And access CloudProxy, an enterprise-grade firewall from Sucuri. Price: Free. CloudProxy firewall is a premium add-on.

WP Antivirus Site Protection

WP Antivirus Site Protection is a security plugin to prevent, detect, and remove malicious viruses and suspicious code. It detects backdoors, rootkits, trojan horses, worms, fraud tools, adware, spyware, hidden links, redirection, and more. WP Antivirus Site Protection scans not only theme files, but also all the files of your WordPress website. Get alerts by email, and view security reports online. Price: Basic version is free. See site for premium pricing.

miniOrange Two Factor Authenticator

Rather than relying on a password alone, which can be phished or guessed, miniOrange Two Factor Authenticator adds a second layer of security to your WordPress accounts. It protects your website from hacks and unauthorized login attempts. Price: Free.

Acunetix WP Security

Acunetix WP Security plugin is a free security tool that helps you secure your WordPress installation and suggests corrective measures. Safeguard passwords, file permissions, database security, version hiding, admin protection, and more. The solution features easy database backup for disaster recovery, hiding dashboard and info from non-admins, security reporting, live-traffic to monitor your website activity in real-time, and more. Price: Free.

Sig Ueland


  1. Manchun March 16, 2017 Reply

    Great list of WordPress plugins for website security. Security is a big issue in WordPress websites. I am also using a WordPress website and have been hacked multiple times. Thank you for sharing these very useful plugins.

  2. Luca May 2, 2017 Reply

    There’s a new WordPress plugin named “WP Security Optimizer” (
    It prevents hackers from sabotaging your rankings in search engines. It eludes attackers that exploit your website and fights Negative SEO attacks made using Acunetix, WPScan and other penetration testing toolkits.
    It implements features preventing users from being enumerated, and in particular enumeration of installed themes (wpscan --enumerate t) and plugins (wpscan --enumerate vp), generating false positives and forwarding an alert to the site administrator when it detects a scan. And finally, it can verify corrupted and infected PHP files stored in the “wp-admin” and “wp-includes” folders. Hope it’s useful.

  3. Michael Amaral May 4, 2017 Reply

    Nice, you mentioned some great plug-ins! Thank you for that.
    I have used the User Blocker plugin.
    It has fantastic features for blocking or unblocking users. Have a look:

  4. Dimitar Ivanov January 21, 2018 Reply

    Nice list, Sig, thanks. To protect from clickjacking, cross-site scripting (XSS), and man-in-the-middle (MITM) attacks, you should try out the HTTP Headers plugin.

  5. Alan Wiat February 14, 2018 Reply

    Hey!

    Great post! We would be very grateful if you would try and then express your opinion about our plug-in. It’s not as popular yet, but we are receiving good reviews from our users. Our product offers all-around website protection and security modules as well as several interesting additions such as an automatic version updater.

    It’s the WordPress “WebDefender” :

    Many Thanks,