What’s the Best Security Plugin for WordPress?

Our verdict


Recently, Uber paid a ransom of $100k to hackers who stole data from 57 million accounts so they would delete the data and keep their mouths shut.

While it’s easy to sit and think that of course hackers will target giants look Uber or Yahoo (reportedly all 3 billions accounts that existed at the time were breached in 2013), I’m afraid I have some bad news for you…

It’s not just the big sites hackers target, and you’re not flying under their radar.

In fact, hackers are using automated tools to find sites that have vulnerabilities. I mean, hackers can have control over your hosting account

before you have even get a site fully up and running.

This is where WordPress security plugins come in. These plugins can help to minimize or eliminate the known vulnerabilities in your WordPress site and make it more difficult for a hacker to get in.

I’m going to be honest with you here: using these plugins may not stop a truly determined hacker if they decide to target your site, but they will make it harder and possibly alert you that someone is in there running amok.

Also, by removing obvious vulnerabilities, it makes it less likely that your site will be targeted in the first place.

Think of it like putting a burglar alarm on your house in the hope that it will put off the thieves so they will rob your neighbours instead.

So, which security plugin provides is the best to ramp up your wordpress security?

What Do We Look For In A WordPress Security Plugin?

1. Firewall

A Web Application Firewall (WAF) = a plugin or cloud service that monitors traffic and defends against the bad or malicious stuff.

In a nutshell: the firewall screens traffic before it gets to the site. The good traffic is let through, and the bad traffic is denied entry. Think of it like the doorman: the firewall decides who gets in and who doesn’t.

Firstly, a firewall will block things like blacklisted IP addresses or DDoS (Distributed Denial of Service) attacks.

A firewall can also block malicious acts like:

  • SQL injections that modify your database
  • Users accessing directories to look for vulnerabilities
  • Injecting WordPress shortcodes to interfere with plugins

Not all firewalls are created equally. In fact, there are two main types of firewall:

  • Application-level firewall
  • DNS-level firewall

The application-level firewall looks at the traffic when it reaches your servers. At this point, it compares the traffic against a set of criteria (such as blacklisted IP addresses) and decides whether or not to let it through.

DNS-level firewalls allow you to review your traffic before it even reaches your server. This means your own servers don’t have to screen the traffic. Instead, the provider will screen the traffic on their own servers before sending good traffic on to your site.

What we want

A DNS-level firewall.

It reduces the load on our servers by handling the work on the firewall provider’s servers. The provider’s servers also have a larger capacity to deal with DDoS attacks.

2. Database Protection

Database Protection = making sure that it’s as difficult as possible for anyone to make unauthorized changes to the database.

Everything on your site ends up being saved in the WordPress database.

We’re talking pages, posts, comments, images, menus, everything.

So, imagine how much damage someone can do if they can mess with your database. In fact, deleting your database only takes one line of code.


So, we need a plugin that protects us from SQL injections and makes it difficult for any bad actors (hackers looking for vulnerabilities within our site — not, like, Gerard Butler) to gather any information about our database that they can use to easily gain access to it.

What we want

The ability to stop SQL injection into the database to modify data.

We also want the database to be difficult to access. This means enforcing strong passwords, changing the default username or default table names so they are harder for hackers to guess.

3. Login Protection

Login protection = making it as difficult as possible for hackers to log-in to your site by guessing the admin URL, your username and your password.

The easiest way in the world for a hacker to get into any website is by knowing or guessing the username or password.

Think about it: there is a clear format for most WordPress sites:

Admin URL: domainname.com/wp-admin

Username: ???

Password: ???

If you use a simple username (e.g. Admin), the only thing a hacker needs to figure out is your password. This is why it shouldn’t be something like ‘password’ or ‘123456’.

We need a plugin that can enforce strong passwords for all users, that will limit the amount of login attempts, and that will allow additional wordpress security features, such as:

  • Security questions (‘What is your Mother’s maiden name?’ or ‘What was the name of your first pet?’).
  • Two factor authentication, which turns logging into into a two-step process whereby you enter a code sent to your mobile each time you go to log-in

It must also protect us from brute force attacks where the hackers will try to go through all of the possible passwords until they stumble across the right one.

On top of that, the plugin should be able to change the admin URL from domainname.com/wp-admin (the default login URL) to something else, making it harder to find.

What we want

  • To be able to change the admin URL
  • Two factor authentication or security questions
  • To enforce strong passwords

4. Malware and File Changes

Malware = software that is designed to mess things up or gain access to information. For our purposes, let’s use a simple definition of malware: malicious software.

As you can imagine, this is an issue.

For example, if the malware takes the form of spyware, it can record personal information such as your customers’ credit card details. But it can do lots of other harmful stuff, too (and that’s a list that could go on forever).

What we want

A plugin that regularly scans for malware and keeps a log of site changes so that we can pinpoint the cause of any issues.

5. Common Sense Lockdown

Common sense lockdown = forcing the user to make changes that make it more difficult for hackers to gain easy access to databases, directories or exploit known weaknesses within WordPress.

There are a number of areas on our sites where information is readily available that can aid hackers or that are exposed areas which make things easier for hackers.

For example, leaving your directories open so that people can navigate to them in the address bar.

This lets people view your site structure, allowing them to identify areas of weakness that can be exploited.

Security can be complicated, so we’re looking for a plugin that can take the lead by highlighting the simple steps that you can take to make your site much more secure.

What we want

A security checklist of known issues and mechanisms that allow us (or our users) to solve them with the plugin.

6. Price

You can’t put a price on WordPress security.

Just kidding, of course you can. We’re asking a lot from a security plugin. So, most of the plugins here will be pretty expensive.In general, we usually recommend an all-in-one security plugin.

However, there are also a few free plugins that do a good job with individual functionalities. You can also:

  • Limit access to directories yourself by editing the .htaccess file
  • Change the Admin usernames and passwords yourself
  • Change the prefixes on the database so that they are more secure

We are looking for a plugin that provides value for money. If it does a lot for us we are willing to pay more but if there are two plugins that cannot be separated on functionality it only makes sense to choose the cheaper option.

What we want

A plugin that offers the most functionality at its price — i.e. the most value per dollar spent.

Best Security Plugins for WordPress


SiteLock is a popular WordPress security plugin, mainly because a free version comes included with a number of hosting packages from popular hosting companies (HostGator and Bluehost).

After you install the plugin, you need to sign up to a paid or free plan. While the site does not list plans and pricing very clearly, once you have created an accounted, you are provided the following options:

SiteLock WP Security Plugin

With the free version, you get a basic malware scan and not much more. In the WP Starter pack, I’m honestly not sure what else you get. They say you get “malware detection and removal,” but doesn’t that beg the question: what does the free version do?

Finally, you have the WP Protect package for $39.20 per month.

For your $40, you get everything in the first two packages (a malware scan) and a WAF. This is a DNS server that also comes with a CDN that will boost your website speed. A CDN is nice for site speed, but it’s not a concern for us at the moment.

The DNS-level WAF means there’s reduced server load because the traffic screening is done before the traffic gets anywhere near your server.

Overall, SiteLock is an expensive product that covers some but not all of the bases that we are looking for.

It could be that the products are aimed at enterprise organizations with security teams that know what they’re doing but, for me, it’s not the right product for the kind of sites that we’re building.


  • Includes DNS-level WAF
  • Comes with a CDN
  • Proactive malware scanner


  • Few additional features
  • Expensive
  • Not beginner friendly


Google ‘wordpress security’ and Wordfence is one of the top results. The same happens when you search the WordPress plugin repository.

It’s little wonder, then, that it is one of the most downloaded WordPress security plugins around. But is it actually any good?

Wordfence WP Security Plugin

Upon installation and activation, Wordfence prompts you to perform a scan. This acts as an initial audit to report issues needing to be resolved immediately. These are fairly basic alerts, such as WordPress version being out of date.

To begin with, in both the free version and the paid version, Wordfence only has an application-level firewall. As mentioned, this puts a bit of strain on the server.

Here’s my main beef, though: in the free version Wordfence loads and secures your site after WordPress and some other plugins load. At this point, your site is vulnerable, and if there’s an issue with any of these plugins, it can damage your site before Wordfence has even loaded.

In the paid version, there is an option to rectify this and load Wordfence before anything else.

This is obviously better than the alternative, but we’re still slightly disappointed by the lack of DNS-level firewall, and the loading order feels more like an oversight than a payment-tier feature.

When it comes to database protection, Wordfence scans your database tables including your comments, users table, posts and pages. This is intended to identify vulnerabilities and alert you on what these issues are and how to resolve them.

The plugin can also audit the strength of both new and existing passwords. Strong passwords make it very difficult for a brute force attack to be successful.

Finally, Wordfence has a heap of additional features in the premium version, including advanced spam protection, checking your site against domain blacklists and more.

The paid version will set you back $99.00 per year, which works to be about $8.25 per month. That seems quite reasonable for a plugin that does pretty much everything that we’re looking from in a WordPress security plugin.

However, as we mentioned, it would have been nice to be able to get a DNS level firewall.


  • Initial audit identifies issues
  • Ongoing database scanning
  • Enforces strong passwords


  • Vulnerabilities in the free version
  • No DNS-level firewall

iThemes Security

iThemes Security comes from the same people that brought us Backupbuddy, so they have serious credentials in this space.

iThemes Security WP Security Plugin

There are some interesting features that come with iThemes Security:

  • File Change Detection
  • Database Backups
  • Strong Password
  • Enforcement
  • Two Factor Authentication
  • Password Expiration
  • Away Mode – Only allow edits within a certain time period

To stay consistent, let’s have a look at the criteria we have set out for ourselves.

Here’s the biggest downside: there is no firewall. None.

As I mentioned earlier, there are standalone firewall plugins that you can install, but this is a huge miss for an all-in-one WordPress security plugin.

When it comes to database protection, the plugin can perform complete backups of your database. This is nice, but is more reactive than I would like. I’m looking for a security plugin to prevent the issue rather than solve the issue after it occurs. In an ideal world, you’ll get yourself a plugin that can do both.

Login protection is where iThemes really excels, in my opinion. You can use two-factor authentication, change the admin URL, lock out users with too many login attempts, and enforce strong passwords and brute force protection.

It’s belts and braces stuff.

You can purchase the Blogger package, a single site license, for $80 per year or purchase the gold package for a one-off fee of $297.

Overall, I think iThemes is a great plugin. If it had a firewall, it would be almost perfect. Having said that, if you could find a great firewall plugin for a good price, these two plugins could work brilliantly in conjunction with each other.


  • Lots of common sense features
  • Strong login protection


  • No firewall
  • Some features are too reactive
  • Expensive without firewall


I think it’s fair to say that Cloudflare is best known for its CDN option, but there is a security aspect that covers a lot of what we are looking for in a security solution.

Cloudflare WP Security Plugin

From a security perspective, the main thing Cloudflare offers is the DNS firewall. They have a range of data centers all over the world that can absorb all but the most ferocious DDoS attacks.

The firewall can also handle the more mundane tasks of blocking malicious bots and traffic from bad IP addresses.

To prevent threats, Cloudflare leverages big data. They learn with each new web property and share this data to feed back into their tools to gain greater intelligence of where the threats are coming from so that they are easier to deal with.

In terms of data breaches, Cloudflare is doing things that are probably over the heads of most standard site owners (mine included).

However, the end result is that Cloudflare is pretty confident they can prevent code injection, snooping on data while in transit and DNS spoofing, which can all result in data breaches.

Again, there is a downside. Cloudflare tends to focus on stopping traffic before it gets to your site.

So, I wouldn’t necessarily recommend it as a WordPress security plugin. However, the Pro version will cost $20. This could be the option you’re looking for to accompany iThemes if you’re really serious about your security.


  • Strong firewall
  • Protection against snooping and SQL injections


  • Stand-alone firewall plugin, so no additional features


Sucuri pitches itself as a ‘complete website security’ plugin.

Sucuri WP Security Plugin

It protects from DDoS attacks, defends against brute force attacks, stops hackers exploiting vulnerabilities, and cleans sites that have been infected with malware, blacklisted by Google or disabled by their hosts.

Sucuri provides you with a DNS firewall. The CDN is an added bonus that can speed your site up. Beyond that, it also has just about everything else that we are looking for.

Let’s start with the firewall. Like Cloudflare, Sucuri provides a pretty comprehensive DNS-level firewall.

The plugin will do an initial scan to identify vulnerabilities.

Sucuri WordPress Integrity

This includes any issues with the database. Regular malware scans take some of the burden off the user to stay on top of WordPress security themselves.

One drawback with Securi is the lack of login protection. As far as I can tell, there’s no way to limit login attempts, enforce strong passwords or change the admin URL for your WordPress.

However, I would say that Sucuri does everything else so well that you could use some other free plugins to fill the gap that is left here by Sucuri.

Sucuri WP Plugin Payment Plans

At $16.66 per month or $199.99 per year, Sucuri is right in the middle price-wise. The free version doesn’t provide you with afirewall. So, in my opinion, the paid version is necessary.

Overall, it’s a good option, but, as we have found to be the case with all of the plugins that we have featured, it needs additional plugins to supplement gaps in functionality.


  • Common sense checklist
  • DNS-level firewall
  • Vulnerability scans
  • CDN included


  • Lack of log-in protection

WordPress Security Plugins – How Do They Compare?

PluginFirewallDB ProtectionLogin ProtectionMalware and File ChangesCommon Sense LockdownPrice
iThemes Security035533

For each criteria, plugins have been given a score from 0 to 5 (with 0 being the worst and 5 being the best).

If a plugin does not have a feature at all, it will score a zero. If a feature meets the full requirements it will get a 5.

Anywhere in between will get a score on the sliding scale depending upon how close it gets to what we require.

For example, for ‘Firewall’:

  • Cloudflare gets 5 because it has a DNS-level fire
  • iThemes Security gets 0 because it does not have a firewall
  • Wordfence gets 3 because it has an application-level firewall

Which WordPress Security Plugin Should You Get?

Our vote: Sucuri.

I’m going to start by ruling out SiteLock. I don’t like it, and I do not think it has the functionality I’m looking for as a site owner.

Personally, I really like some of the features available with iThemes Security. I think it does a great job of tackling common sense issues and offer solutions to eliminate them.

I also like the common sense aspect of Sucuri.

In terms of firewall, through, Cloudflare is my favorite.

So, when it comes to actually buying one, I would either go for iThemes Security and get a firewall plugin to fill the functionality gap or get Sucuri and install plugins to limit login attempts, enforce strong passwords, change the login URL and add security questions to the login page.

I think Sucuri just edges it.

Share on facebook
Share on twitter
Share on linkedin
Share on pocket
Share on email

Article by:


Related Videos

Shane Dutka
Play Video
Play Video
Play Video
Play Video

Ready To Start Your Journey?

Now it is your turn to get started building your own Authority Website.

To help you get started, we put together a free video training that will give you all the tools and tactics you will need to get started even if you don’t have any prior experience.

Click the button below to join the training and let us show you the authority site model.

Scroll to Top