WordPress Security Plugins

In this tutorial, we explore different types of WordPress security plugins that help to protect and keep your digital presence secure.

WordPress Security PluginsThis tutorial is part of our tutorial series on WordPress Security. Please also review our WordPress Security Guide For Beginners and our free WordPress Security Checklist.


WordPress Security Plugins

WordPress security plugins can perform a range of functions, including:

  • Preventing malicious and unauthorized users from gaining access to your site,
  • Scanning your files for signs of hacking and injections of malicious code,
  • Keeping your site protected and free from potentially harmful content,
  • Content theft protection,
  • and more.

In this tutorial, we explore different types of WordPress security plugins that help to protect and keep your digital presence secure.


Note: Security plugins alone do not provide a complete website security solution. See the tutorials in the WordPress Security training module to gain a better understanding of how security plugins fit into your overall website security plan.

WordPress Security Solutions

Some plugins provide comprehensive WordPress security and protection against a range of malicious and potentially harmful activities. The plugins listed below fall into this category:

iThemes Security Pro

iThemes Security Pro

(iThemes Security Pro)

iThemes Security Pro is a comprehensive WordPress security plugin that prevents WordPress hacks, WordPress security breaches, WordPress malware and more.

Some of the main features of this plugin include:

  • WordPress Brute Force Protection
  • WordPress Security Grade Report
  • File Change Detection
  • 404 Detection
  • Strong Password Enforcement
  • Lock Out Bad Users (locks users out if they have too many failed login attempts or generate too many 404 errors)
  • Away Mode (makes the WordPress dashboard inaccessible during specific hours so no one else can sneak in and attempt to make changes).
  • Hide Login & Admin (changes the default URL of your WordPress login area so attackers won’t know where to look.)
  • Schedule Database Backups
  • Email Notifications
  • WordPress two-factor authentication
  • WordPress Malware Scanning
  • And more!

For more details on the comprehensive suite of security features provided by this plugin, go here: iThemes Security Pro

WP Site Guardian

WP Site Guardian - WordPress security plugin

(WP Site Guardian – WordPress security plugin)

WP Site Guardian is a ‘must-have’ security plugin for all WordPress users. It is a proactive anti-exploit plugin that monitors & blocks hackers based on behavior.

When any suspicious activity is detected the visitor IP is instantly blocked and the hacker is banned. This prevents the exploit from executing and also shuts down all further hacking attempts. By eliminating the exploit and the bad user, the risk of your site getting hacked is greatly reduced.

The plugin records and keeps a log of all attacks …

WP Site Guardian - Attack History

(WP Site Guardian – Attack History)

And emails you notifications about suspicious activities …

WP Site Guardian - Email Alerts

(WP Site Guardian – Email Alerts)

This is the only plugin on the market that offers active protection against current and future exploits as it looks at visitor behavior rather than the attack code and the only security tool for WordPress that provides real time intrusion detection, live exploit attack blocking and intruder attempt notifications.

WP Site Guardian blocks the 4 biggest attack vectors

(WP Site Guardian blocks the four biggest attack vectors)

This plugin blocks the four biggest attack vectors (Header injection, XSS injection, SQL injection, and Directory Traversal) and protects against most common hack types like:

  • EXPLOITS (92% of direct hack attacks) – Badly written plugins/themes allow a hacker to execute a command/script that gives them control of your site. Most popular security plugins & services don’t offer any protection against this.
  • BRUTE FORCE ATTACKS (8% of direct hack attacks) – Multiple attempts to guess your username/password & take control of your site. Most popular security plugins & services are good at blocking this attack but can’t deal with new amplified XMLRPC attacks.
  • DDOS – (Distributed Denial Of Service i.e. “break the site” hack attacks) – This is where hackers attempt to flood your site with too many requests so your server falls over. Plugins can’t deal with this attack … you would need to use a third party service like Cloudflare or bespoke hardware protection.

Michael Thomas & Chris Hitman, specialists in IT/security and the plugin developers found that some of the best security plugins were completely ineffective against exploits. In fact, they even managed to hack sites with Cloudflare & cache running and have posted a video on their website that shows this.

WP Site Guardian protects your site against most security exploits and attacks

(WP Site Guardian protects your site against most security exploits and attacks)

We highly recommend installing this security plugin on your WordPress site.

To learn more about this plugin, go here:

WP Shields-Up

WP Shields Up - Stealth WordPress Security Plugin

(WP Shields-Up – Stealth WordPress Security Plugin)

Many newbie hackers use low sophisticated methods like scanning websites for vulnerabilities and deploying basic exploits to take control. many of these methods can be deployed as easily as looking through the website code to see what themes or plugins your site is using and downloading free scripts that can take advantage of known vulnerabilities and help them break into the website.

By default, this information about WordPress is available for anyone to see ...

(By default, this information about WordPress is available for anyone to see …)

WP Shields-Up is a ‘stealth’ security plugin that hides your WordPress site from hackers and bots by disguising information about WordPress that is normally visible to users, such as what WordPress themes and plugins are installed on your site, what version of WordPress you are using, etc.

WP Shields-Up hides WordPress information from online scanning tools!

(WP Shields-Up hides WordPress information from online scanning tools!)

Once installed, WP Shields-Up performs a number of security fixes on your site, including:

  • Blocks direct access to PHP Files
  • Disables Directory Browsing
  • Removes “Tell Tale” elements of WordPress
  • Moves and hides login areas
  • Hides information about WordPress plugins and themes
  • and more.

WP Shields-Up automatically performs a number of security fixes on your site

(WP Shields-Up automatically performs a number of security fixes on your site)

WP-Shields-Up performs one-click security fixes automatically and can be easily installed and activated on your WordPress site.

To learn more about this plugin, go here:

BulletProof Security

BulletProof Security

(BulletProof Security)

BulletProof Security is designed to be a fast, simple and one-click security plugin that adds comprehensive website security protection for your WordPress site.

To learn how to install and use the BulletProof Security plugin, see the tutorial below:


SecureScanPro - WordPress Security Software

(SecureScanPro – WordPress Plugin)

Many WordPress plugins address some but not all areas of WordPress security. One WordPress security plugin that seems to do a comprehensive job of scanning, fixing and preventing issues that could lead to hackers accessing your site files and damaging your site is SecureScanPro.

SecureScanPro is easy to install and easy to use and does a great job of addressing most of the security areas and fixing the issues that WordPress users need to address.

To learn more about this plugin, go here:

Ultimate Security Checker

Ultimate Security Checker WP Plugin

(Ultimate Security Checker Plugin For WordPress)

The Ultimate Security Checker plugin identifies security problems with your WordPress Installation. It scans your blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself.

To learn more about this plugin, see this tutorial:

Acunetix WP Security

Acunetix WP Security - WordPress Plugin

(Acunetix WP Security Plugin For WordPress)

The Acunetix WordPress Security plugin is a free and comprehensive security tool that scans your WordPress installation for vulnerabilities and suggests corrective measures for weak passwords, secure file permissions, database security, version hiding, WordPress admin protection and more.

To learn more about this plugin, go here:

WordPress Brute-Force Attack Protection Plugins

Brute-force attacks on your site attempt to guess your login information by simply trying to log in over and over again. Since this is usually done by automated software, the attack can be very persistent and cause widespread damage …

WordPress Brute-Force Attack Protection

Protecting your WordPress site from brute-force attacks is one of the most important security precautions you can take.

We have created a separate tutorial on plugins that prevent brute-force attacks and unauthorized users accessing your WordPress administration area. To learn how to protect your WordPress site from brute-force attacks using plugins, see the tutorial below:

WordPress File Protection Logins

The plugins listed below will alert and notify you if any of your site’s files have been modified without permission or authorization:

WordPress File Monitor Plus

WordPress File Monitor Plus

(WordPress File Monitor Plus Plugin)

This plugin monitors your WordPress installation for added, deleted, or modified files. When a change is detected an email alert can be sent to the email address you specify.

To learn more about this plugin, go here:

Exploit Scanner

Exploit Scanner - WordPress Plugin

(Exploit Scanner)

Exploit Scanner can help detect damage done to your site so that it can be cleaned up. This plugin searches the files on your website and the posts and comments tables of your database for anything suspicious. It also examines your list of active plugins for unusual filenames.

Exploit Scanner does not remove anything from your site. It only presents the results so you can decide what action to take.

To learn more about this plugin, visit the site below:

Antivirus For WordPress

Antivirus WP Plugin

(Antivirus – WordPress Plugin)

Antivirus protects your WordPress site against exploits and spam injections. It will scan your theme templates for malicious injections automatically, every day.

To learn more about this plugin, visit the site below:

WordPress Content Protection Plugins

The plugins listed below will help to prevent and protect your web content from being stolen:


Copyfeed Plugin For WordPress

(Copyfeed – WordPress Plugin)

This plugin helps to identify content theft from your site. It works by extending your content feed with unique identifiable content that automatically gets added to every post in your copyright notice. Additionally, you can add an identifiable “digital fingerprint” and the IP of the feed reader.

The plugin can then be configured to scan search engines in order to find possible content theft. The feed can be also be supplemented with comments and topic-relevant content.

To learn more about this plugin, go here:

WordPress Data Backup Plugins

Backing up your database and files on a regular basis is an important part of the process of keeping your WordPress site content protected.

We have created a separate tutorial on WordPress plugins that automate WordPress data backups. To learn how to automate WordPress data backups, see the tutorial below:

WordPress Spam Protection Plugins

Spam has traditionally been viewed as more of an inconvenience than a security risk.

It can be argued, however, that spam does indeed pose a security risk for online users. For example, spam comments left on WordPress sites can send visitors to sites infected with malware. These sites can then use sophisticated ‘phishing’ methods to deceive users into downloading files containing viruses, worms and other malicious code that can turn their computers into ‘slave devices’ for hacker bots, which then multiply and increase the frequency of attacks and security exploits worldwide on websites.

Spam can thus be considered to be a security threat, and for this reason, we are including the anti-spam plugins below:




Akismet is the anti-spam program that comes pre-installed with WordPress. All it requires is activation. To activate Akismet, you will need to get an API key, which is an access code you can download for free from WordPress.org.

Once activated, Akismet will filter out your spam comments and send them directly to the trash. This plugin is extremely effective at dealing with spam.

Note: Akismet is free for most users (sites that make less than $500/mo are considered “personal” use), but there’s a charge for high traffic profitable blogs (“business” use).

To learn more about using Akismet to prevent spam in WordPress, see the tutorial below:

Bad Behavior

Bad Behavior Plugin

(Bad Behavior)

Bad Behavior blocks link spam and the robots which deliver it.

Thousands of sites both large and small use Bad Behavior to help reduce incoming link spam and malicious activity.

Bad Behavior complements other link spam solutions by acting as a gatekeeper. Not only does it prevent spammers from delivering junk,  in many cases it even prevents them from ever reading your site, delivering instead an error message like the one shown below …

Bad Behavior - WordPress Security Plugin

(source: Bad Behavior plugin site)

In addition to offering the basic spam-blocking features, the Bad Behavior plugin also helps to improve your site’s load time, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers.

Bad Behavior also works differently than other link spam solutions. Instead of merely looking at the content of potential spam, Bad Behavior analyzes the delivery method as well as the software the spammer is using. In this way, Bad Behavior can stop many spam attacks coming from new spamming methods …

Bad Behavior

(source: Bad Behavior plugin site)

Bad Behavior is designed to work alongside existing spam prevention services to increase their effectiveness and efficiency. Whenever possible, you should run it in combination with a more traditional spam prevention service.

Installing and configuring Bad Behavior is very simple and takes only a few minutes. In most cases, no configuration at all is needed. You can simply install and activate the plugin, and you’re done. Bad Behavior will then automatically protect your posts, pages, and feeds from spam.

Plugin installation and usage documentation can be found here.

To download this plugin, visit the site below:


Note: Because Bad Behavior blocks anything it suspects to be spam, the plugin has been known to create conflicts and issues with other plugins, and to block other sites that need to access your site (e.g. Google search engine spiders). Use this plugin with caution, and if you suspect it is causing issues for you, disable it and contact the plugin software developer.

Additional WordPress Security Plugins

You can search for more WordPress security plugins inside your WordPress dashboard (Plugins > Add New), or the WordPress Free Plugin Directory …

WordPress Plugins - Security

(WordPress Plugins – Security)

Search the WordPress Plugin Repository for security plugins below:

We hope that you have found this tutorial on WordPress security plugins useful. We suggest going through the individual plugin tutorials in this section and installing one or more plugins to keep your WordPress site secure and protected from a host of potentially harmful and malicious activities.

WordPress Security Plugins

(Source: Pixabay.com)


"I was absolutely amazed at the scope and breadth of these tutorials! The most in-depth training I have ever received on any subject!" - Myke O'Neill, DailyGreenPost.com


Originally published as WordPress Security Plugins.