WordPress is the most popular blogging platform in the world. Millions of websites including various popular blogs are using WordPress as a content publishing platform. So, hackers are also more interested in hacking WordPress based websites. WordPress usually pushes updates to patch all the known vulnerabilities, but third party themes and plugins make WordPress vulnerable. Sometimes hackers also find vulnerabilities in WordPress that allow them to hack the whole server.

In the past three months, we have seen 2 major zero-day vulnerabilities and mass hacking of WordPress websites. Thousands of websites were hacked by exploiting these vulnerabilities. There are many past examples in which a single vulnerable plugin led to the compromise of a whole web server hosting hundreds of websites. A few days back, we discussed the SoakSoak malware, which affected 100k websites in very little time by exploiting a vulnerability in a plugin. So, if you are a WordPress user, you must take care of security. You must always keep your WordPress installation updated and secure.


In a previous post, I also discussed WPScanner, a tool for scanning a WordPress website and finding vulnerabilities in it. If you are a WordPress user, you can use this tool to find vulnerabilities in your website and patch them.

In this post, I will discuss various security plugins available for WordPress. These security plugins offer a wide range of features to make your WordPress blog secure from known threats, and they keep their protections updated against the latest exploits and threats. If you are really serious about your online business running on WordPress, you must use one of these plugins to make it secure. These are the 7 best security plugins available for WordPress.

1. WordFence

WordFence is one of the most popular WordPress security plugins. It keeps checking your website for malware infection. It scans all the files of your WordPress core, theme and plugins, and if it finds any kind of infection, it will notify you. It claims to make your WordPress website 50 times faster and more secure. To make your website faster, it uses the Falcon caching engine. This plugin is free, but a few advanced features are available only to premium users. If you can afford it, do it.

This plugin blocks brute-force attacks and can add two-factor authentication via SMS. You can also block traffic from a specific country. It also includes a firewall to block fake traffic, botnets and scanners. It also scans your hosting for known backdoors including C99, R57 and others. If it finds anything, you will instantly get an email notification.

It also scans your posts and comments for malicious code, and it supports multisite. You can also watch the traffic on your WordPress website in real time and see whether any security threat is attacking it.

Download WordFence

2. BulletProof Security

BulletProof Security is another popular WordPress security plugin that takes care of various things. It adds firewall security, database security, login security and more. It comes with a four-click setup interface. Just activate this plugin and then relax; it will take care of your website.

It limits failed login attempts and blocks security scanners, fake traffic and code scanners, with IP blocking for offenders. It keeps checking the code of WordPress core files, themes and plugins, and in case of any known infection it notifies the admin. It also optimizes the performance of your website by adding caching. It comes with a built-in file manager for .htaccess. It protects WordPress websites against various vulnerabilities including XSS, RFI, CRLF, CSRF, Base64, code injection, SQL injection and many others. The plugin keeps its rules updated as new exploits and vulnerabilities appear, so your website stays protected.

It also has a pro version which offers some advanced features to improve the security of your website. But the free version is popular enough to make your website secure.

Download BulletProof Security

3. Sucuri Security

Sucuri Security is a security plugin for WordPress from the popular website security and auditing company Sucuri. This plugin offers various security features such as security activity auditing, file integrity monitoring, malware scanning, blacklist monitoring, and a website firewall. It incorporates various blacklist engines including Google Safe Browsing, Sucuri Labs, Norton, McAfee Site Advisor and more to check whether your website is listed. If there is anything wrong, it will notify you via email.

It protects your website from DoS attacks, Zero Day Disclosure Patches, brute-force attacks and other scanner attacks. It also keeps a log of all activities and keeps these logs safe in the Sucuri cloud. So, if an attacker is able to bypass the security controls, your security logs will still be safe within Sucuri’s security operations center.

If you are willing to pay, you can go for the Sucuri premium service. They are a well-known web application security company with a team of experts, so you can get better service and advice.

Download Sucuri Security

4. iThemes Security (formerly Better WP Security)

iThemes Security is also a nice WordPress security plugin which claims to offer 30+ ways to secure and protect your WordPress website. With one-click installation, you can stop automated attacks and protect your website. It also fixes various common security holes in your website.

It tracks registered users’ activity and adds two-factor authentication, import/export settings, password expiration, malware scanning, and various other things.

It scans the entire website and tries to find any potential vulnerability in it. It also prevents brute-force attacks and bans IP addresses that attempt them. It forces users to use secure passwords and forces SSL for the admin area where the server supports it. Unlike the other plugins, it does not offer GeoIP banning yet; the company has promised to add this feature soon, though we cannot say exactly when. It also integrates Google reCAPTCHA to prevent comment spam on your website.

Download iThemes security

5. Acunetix WP SecurityScan

Acunetix WP Security Scan is a WordPress security plugin from Acunetix, a well-known company in web application security that offers a scanning tool for finding vulnerabilities in web applications. This plugin helps you secure your WordPress website and suggests measures to improve its security. It offers file permission security, version hiding, admin protection, removal of the WP generator tag from the source, and database security.

It removes various pieces of information from the source code of the page that attackers use for information gathering before an attack. This includes theme update information, plugin update information, the Really Simple Discovery meta tag, the WordPress version, the Windows Live Writer meta tag, error information from the login page, versions from scripts, versions from stylesheets, and database and PHP error reporting.
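
To see whether this kind of version hiding is actually in effect, you can inspect the page source yourself. The script below is an added example written for this article, not code from the Acunetix plugin: it parses an HTML page and reports the fingerprints named above that are still present (the generator meta tag, the Really Simple Discovery link, the Windows Live Writer manifest link, and `?ver=` query strings on scripts and stylesheets). The sample page is constructed for the example; `example.test` and the version values in it are made up.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a WordPress page header, written for this example
# (not captured from any real site). It carries every fingerprint listed above.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.1" />
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://example.test/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://example.test/wp-includes/wlwmanifest.xml" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/twentyfifteen/style.css?ver=20141010" />
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.11.1"></script>
</head><body><p>Hello world</p></body></html>
"""

# ?ver=... query strings on assets reveal component versions
VER_RE = re.compile(r"[?&]ver=([^&\s]+)")


class _TagCollector(HTMLParser):
    """Collect every meta, link and script start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag in ("meta", "link", "script"):
            # HTMLParser hands attrs over as (name, value) pairs; value may be None
            self.tags.append((tag, {k: (v or "") for k, v in attrs}))


def find_version_leaks(html):
    """Return {finding: evidence} for the version fingerprints still present in the page.

    Findings:
      generator_meta   - the <meta name="generator"> tag carrying the WordPress version
      rsd_link         - the Really Simple Discovery <link rel="EditURI">
      wlwmanifest_link - the Windows Live Writer manifest link
      asset_versions   - list of (asset URL, version) taken from ?ver= query strings
    """
    collector = _TagCollector()
    collector.feed(html)
    findings = {}
    for tag, attrs in collector.tags:
        name = attrs.get("name", "").lower()
        rel = attrs.get("rel", "").lower()
        if tag == "meta" and name == "generator":
            findings["generator_meta"] = attrs.get("content", "")
        elif tag == "link" and rel == "edituri":
            findings["rsd_link"] = attrs.get("href", "")
        elif tag == "link" and rel == "wlwmanifest":
            findings["wlwmanifest_link"] = attrs.get("href", "")
        # Scripts use src, stylesheets use href; both may carry ?ver=
        url = attrs.get("src") or attrs.get("href")
        if url:
            match = VER_RE.search(url)
            if match:
                findings.setdefault("asset_versions", []).append(
                    (url.split("?", 1)[0], match.group(1))
                )
    return findings


def report(html):
    """Human-readable summary: one line per finding, or a clean bill of health."""
    findings = find_version_leaks(html)
    if not findings:
        return ["no version fingerprints found"]
    lines = []
    for key, value in findings.items():
        if key == "asset_versions":
            for url, ver in value:
                lines.append(f"asset version leak: {url} (ver={ver})")
        else:
            lines.append(f"{key}: {value}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HTML):
        print(line)
```

Run it against a saved copy of your own front page after enabling version hiding; an empty report means the plugin removed everything it promised, while any remaining line tells you exactly which tag or asset still discloses a version.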

It also offers a database backup tool to take a backup of your website. With its live traffic monitor tool, you can check traffic in real time. It also scans your website and notifies you of known web application vulnerabilities.

Download Acunetix WP SecurityScan

6. All In One WP Security & Firewall

All In One WP Security & Firewall is another popular WordPress security plugin that checks for vulnerabilities in your WordPress website. This plugin is easy to use and reduces security risks by applying recommended security practices.

It protects against brute-force login attacks and locks out anyone who attempts one. It also sends you an email notification if somebody gets locked out due to failed login attempts. It detects when a user tries to save a weak password and forces them to use a strong one. It also monitors the account activity of all users and keeps track of the username, IP and login date and time.
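
The lockout behaviour described above is easy to reason about once you see the counting logic written out. The following is an added example for this article, not code from the All In One WP Security & Firewall plugin: a per-IP failed-login counter with a sliding window, a lockout period, and the records an email notice would be built from. The thresholds (5 failures in 5 minutes, 60-minute lockout) and the one-line-per-attempt log format are assumptions made for the example, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed login records in a made-up "timestamp user ip result" format;
# this is not any plugin's real log format.
SAMPLE_LOG = """\
2014-12-20T10:00:01 admin 203.0.113.7 FAIL
2014-12-20T10:00:03 admin 203.0.113.7 FAIL
2014-12-20T10:00:05 admin 203.0.113.7 FAIL
2014-12-20T10:00:07 admin 203.0.113.7 FAIL
2014-12-20T10:00:09 admin 203.0.113.7 FAIL
2014-12-20T10:00:11 admin 203.0.113.7 SUCCESS
2014-12-20T10:05:00 editor 198.51.100.4 FAIL
2014-12-20T10:30:00 editor 198.51.100.4 FAIL
2014-12-20T10:31:00 editor 198.51.100.4 SUCCESS
"""


class LoginGuard:
    """Per-IP failed-login counter with a sliding window and a lockout period.

    Thresholds are assumptions chosen for the example: 5 failures within
    5 minutes lock the source IP out for 60 minutes.
    """

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=60)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lockout expires
        self.lockouts = []                   # (timestamp, user, ip) for notifications

    def attempt(self, ts, user, ip, success):
        """Record one login attempt and return its outcome.

        SUCCESS - correct credentials and the IP is not locked out
        FAILED  - wrong credentials, still under the threshold
        LOCKED  - this failure crossed the threshold; the IP is now locked out
        DENIED  - rejected because the IP is locked out, even if the
                  credentials were correct
        """
        until = self.locked_until.get(ip)
        if until is not None and ts < until:
            return "DENIED"
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "SUCCESS"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()                 # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.lockouts.append((ts, user, ip))
            recent.clear()
            return "LOCKED"
        return "FAILED"


def replay(log_text, guard=None):
    """Feed each log line through the guard; return [(user, ip, outcome), ...]."""
    guard = guard if guard is not None else LoginGuard()
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, ip, result = line.split()
        ts = datetime.fromisoformat(stamp)
        outcome = guard.attempt(ts, user, ip, result == "SUCCESS")
        results.append((user, ip, outcome))
    return results


def lockout_notices(guard):
    """The lines an email alert would carry for every lockout the guard recorded."""
    return [f"{ts.isoformat()} lockout: user={user} ip={ip}"
            for ts, user, ip in guard.lockouts]


if __name__ == "__main__":
    guard = LoginGuard()
    for user, ip, outcome in replay(SAMPLE_LOG, guard):
        print(f"{user:8} {ip:15} {outcome}")
    for notice in lockout_notices(guard):
        print(notice)
```

Two details worth noticing: the sixth attempt from 203.0.113.7 is denied even though the password was right, because a lockout has to apply to the source rather than to the credentials, and the two editor failures 25 minutes apart never add up, because only failures inside the window count.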

It also allows you to schedule automatic backups and receive email notifications. It also protects PHP code by disabling code editing from the admin area. It adds a web application firewall to your website and enables the 5G Blacklist to prevent various attacks. It denies bad query strings and prevents XSS, CSRF, SQL injection, malicious bots and other security threats.

It also has a security scanner which keeps track of files and notifies you about each change in your WordPress system. It can also detect malicious code in your WordPress website. It blocks comment spam and protects your blog from it. It also works with most plugins without any problem.

Download All In One WP Security & Firewall

7. 6Scan Security

6Scan Security is a popular auto-fix protection plugin for your WordPress site. It can protect your website from hackers. It offers rule-based protection for your website and tries to keep your website’s security up to date.

It has a security scanner which scans your website and protects it against SQL injection, cross-site scripting, CSRF, directory traversal, remote file inclusion, DoS attacks and other OWASP Top Ten security vulnerabilities.

A notable feature of the plugin is its automatic vulnerability fix. When it finds any vulnerable code, it applies an auto-fix using its server-side agent. It also has an automatic malware fix for malware-related issues on your website. Like the other plugins, it sends email notifications if it finds anything serious on your website.

Download 6Scan Security

8. Defender

Defender is the new kid on the block among WordPress security plugins and probably one of the most exciting free entrants as well. As well as all the usual features (checking your website for security hacks while scanning core files for issues and vulnerabilities), probably the most exciting thing about Defender is that it also comes with a whole pile of features that you usually have to pay for and that keep your sites especially secure.

For example, two-factor authentication (using Google Authenticator), audit logging (especially useful for determining if and when something went wrong and fixing it), IP blacklisting, 404 limiting and really solid email alerts make sure that you can rest at ease knowing your WordPress site is well looked after.

Obviously, being a WPMU DEV plugin, it also works great with Multisite, and there’s a premium version available with a free trial that gives you extra scan frequency and in-depth scans as well as expert WP support to help you fix any specific problems or run any super advanced security setup you’d like to implement.

Additional security measures

Along with these WordPress plugins, you should also follow a few security measures on your side. These will help you improve the security of your blog.

  • Always keep your WordPress installation up to date. Update WordPress as soon as a new release is available. Most of the time, hacked websites are the ones running an older version of WordPress. Older versions always have a few known security issues, and exploits for these issues are freely available. Even a kid can hack your website if it is running a vulnerable version of WordPress.
  • Always keep the plugins and themes added to your blog updated to the latest version. New versions come with new features and security fixes, so updating plugins and themes is necessary. Most of the time, these third-party plugins and themes are the reason for vulnerabilities in WordPress websites. Attackers can exploit them to gain access to your website or inject malicious scripts into it.
  • Download themes and plugins only from trusted sources. Nulled themes and themes from untrusted sources generally contain malware in their code. If you have installed a security plugin, you will be notified, but why take the risk? Avoid unknown sources when downloading plugins and themes.
  • Avoid using the administrator username ‘admin’, because it is the default and very common. By using this username on your blog, you are making the attacker’s work easier: there is no need to guess the username, only to brute-force the password for ‘admin’. Thanks to these plugins, brute force will not work anymore.
  • Always use a strong password for your WordPress account. WordPress brute-forcing tools are freely available, so do not take the risk. Use a long password with capital letters, small-case letters, numbers and special characters. A combination of these makes a strong password that is hard to guess.
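
The last two measures, avoiding the default ‘admin’ username and requiring a strong password, can be enforced at account-creation time rather than left to memory. The following is an added example written for this article, not code from WordPress or any of the plugins above: it turns those two rules into checks that return the list of violations. The 12-character minimum, the reserved-username set and the short denylist of common passwords are assumptions made for the example (the article only says "long" and "strong"); a real deployment would use a much larger denylist.

```python
import re
import string

# Constructed denylist of common passwords, deliberately short for the example.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin123", "welcome1"}

# Policy thresholds are assumptions for the example; the article only says "long".
MIN_LENGTH = 12
RESERVED_USERNAMES = {"admin", "administrator", "root", "test"}


def check_username(username):
    """Return a list of problems with the chosen admin username (empty = OK)."""
    problems = []
    if username.lower() in RESERVED_USERNAMES:
        problems.append("username is a default/common name attackers try first")
    if not re.fullmatch(r"[A-Za-z0-9_.-]{3,60}", username):
        problems.append("username must be 3-60 characters of letters, digits, '_', '.' or '-'")
    return problems


def check_password(password, username=""):
    """Return a list of policy violations for a password (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.islower() for c in password):
        problems.append("no small-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Strip digits and punctuation so "Password2014!" is still caught as "password":
    # adding a year and a symbol to a dictionary word is the first thing
    # brute-forcing tools try.
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in COMMON_PASSWORDS or password.lower() in COMMON_PASSWORDS:
        problems.append("based on a common password")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def check_credentials(username, password):
    """Combined check; returns {'username': [...], 'password': [...]}."""
    return {"username": check_username(username),
            "password": check_password(password, username)}


if __name__ == "__main__":
    for user, pw in [("admin", "Password2014!"), ("site_owner42", "Tr0ub4dor&3-horse-Battery")]:
        print(user, check_credentials(user, pw))
```

The point of the `core` check is that meeting the four character classes is not the same as being strong: "Password2014!" satisfies every class rule and still falls to the first dictionary pass, so the character-class rules and the denylist have to be applied together.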

These are a few WordPress security plugins you can use to make your WordPress blog secure. You do not need to download all of them. Just try one and see if it suits you; if you are not happy with its performance, you can try another. Every plugin offers unique security features, and you will feel more relaxed after installing one on your website. Malware scanning, exploit scanning and brute-force protection are features which you must have on your website. If you have a good budget and do not want to get into technicalities, you can go for the premium versions of the plugins, which offer more advanced security features with detailed reports. A few plugins also offer free customer support and a security assessment with the pro version. With an increasing number of hacking attacks, it is necessary to secure your website.

If you are a WordPress user, what security plugin do you use in your website? Share it with us in the comments.