Keeping your site clean is not just about having a great plugin for a great price, it’s about a service that educates you and is there to support you in your journey.
Something to keep in mind when developing your WordPress security strategy: several practices go hand in hand with preventing hacks, such as keeping regular backups and choosing a hosting provider that runs a securely configured web server.
We’d all love a one size fits all solution, but sometimes a little research and development is needed to find the right plugins and services that work for you.
Here are 10 things you should look for in a security plugin:
- Malware scanner, preferably one that runs on an automatic schedule
- Malware removal, preferably automatic
- Plugin security guard
- User account security
- Spam protection and removal
- Securing important files (such as wp-admin, .htaccess, wp-config, wp-includes)
- Login & IP protection
- Detailed reporting and logs
- Fast, helpful, and knowledgeable customer service
Based on the 10 items listed above, reviews, pricing, and overall quality we evaluated the options and put together a list of plugins and services that will help keep your site(s) up and running.
How To Know Whether You Can Trust A Security Plugin?
The first place to look when considering a security plugin is their customer reviews. For most plugins this will mean their WordPress.org reviews home page but individual plugins may have other review sources.
Reviews help you see the experience of customers who already use the service and are an invaluable indicator of what you can expect.
At the time of writing, Shield Security is the highest average-rated WordPress security plugin.
Our top 10 picks for free & paid WordPress security plugins:
WordPress.org Reviews: Shield has the highest 5 ☆ rating per download of any WordPress security plugin.
Shield Security takes the difficulty of fully securing your site out of your hands. The easy to use dashboard that lives in your WordPress site lets you find what you need and easily apply the recommended security options to your site.
When first installed it takes you through a thorough setup guide inside of your WordPress site with videos and articles explaining each section.
Once you set everything the way you want it you can auto sync those same settings from your ‘master site’ to all your other sites that have ShieldPRO installed.
The documentation and support for ShieldFREE and ShieldPRO covers everything that you need to know for making sure your site does not get hacked and stays malware free.
Our favorite feature has to be the malware scan and auto repair/removal tool.
Simply put, Shield’s malware scanner will examine every single PHP file on your site and compare it to the original file as it’s found on WordPress.org. If there’s code in there that could be malicious, it gets flagged. Once flagged, depending on the settings you applied, the file is either repaired or removed automatically, or held for you to review manually and take appropriate action. You can schedule the scanner to run, remove, and repair files automatically as often as every hour.
It’s like having your own security team cleaning your site 24/7.
There is a 14 day free trial available and no credit card is required, which makes trying ShieldPRO for free a no-brainer.
There are monthly and yearly plans available with pricing starting at less than $7/month. There are bulk discounts applied when you add more licenses to your package and when you choose to be billed yearly instead of monthly.
- Exclusive AntiBot Detection Engine – The most powerful Bot Detection system on any WordPress plugin.
- Automatic Bot & IP Blocking – points-based security system to block bad bots.
- Add Security To Important Forms To Block Bots
- Powerful Firewall Security Rules
- Restricted Security Admin Access
- Two-Factor / Multi-Factor Login Authentication (MFA)
- Block XML-RPC (including Pingbacks and Trackbacks)
- Block Anonymous Rest API
- Block, Bypass and Analyse IP Addresses
- Comprehensive WordPress File Scanner for Intrusions and Hacks
- Create a Custom Login URL by hiding wp-login.php
- Detect (and optionally Block) Comment SPAM from Bots and Humans.
- reCAPTCHA & hCAPTCHA support
- Never Block Google: Automatic Detection and Bypass for GoogleBot, Bing and other Official Search Engines including:
- Automatically Detect 3rd Party Services and Prevent Blocking
- Full Audit Trail – Monitor All Site Activity
- Advanced User Sessions Control
- Full/Automatic Support for All IP Address Sources including Proxy Support
- Full Traffic Log and Request Monitoring
- HTTP Security Headers & Content Security Policies (CSP)
A highly rated free WordPress security plugin that’s made by a company called Tips and Tricks HQ. It has a robust set of features, but is not optimized to handle all your security needs. For example, there are items in its intermediate or advanced feature list that can break your site. If you have a complex code infrastructure this might be an issue for you, especially if you need premium support.
Their freemium support library is based on customer questions located in their WordPress repository support forum.
Since this is a free plugin there isn’t a paid option available. This has the benefit of giving you all its features for free, but lacks priority customer support.
- User accounts & login security
- Database security
- Schedule automatic backups and email notifications or make an instant db backup whenever you want with one click.
- File system security
- Identify files or folders which have permission settings which are not secure and set the permissions to the recommended secure values with the click of a button.
- .htaccess and wp-config.php file backup and restore
- Blacklist functionality
- Firewall functionality
- The firewall will stop malicious script(s) before they get a chance to reach the WordPress code on your site.
- Brute force login attack prevention
- Security scanner
- The file change detection scanner can alert you if any files have changed in your WordPress system. You can then investigate and see whether that was a legitimate change or whether malicious code was injected.
- Comment spam security
- Front-end text copy protection
- Works with most popular WordPress plugins
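The permission audit described in the list above (and “securing important files” in the checklist at the top of the page) boils down to walking the site tree and comparing each path’s mode bits against a baseline. The following is an added example, not code from any plugin on this page; the baseline values (0755 for directories, 0644 for files, 0640 for wp-config.php) are a common WordPress hardening convention assumed here, since the page itself gives no numbers, and the sample tree it audits is constructed in a temporary directory.

```python
import os
import stat
from pathlib import Path

# Baseline modes assumed for this example (the page states no values):
# 0755 for directories, 0644 for files, and a tighter 0640 for wp-config.php
# because it holds the database credentials.
DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE = {"wp-config.php": 0o640, ".htaccess": 0o644}


def expected_mode(path: Path) -> int:
    """Return the mode a path should have under the baseline above."""
    if path.is_dir():
        return DIR_MODE
    return SENSITIVE.get(path.name, FILE_MODE)


def audit_permissions(root):
    """Walk a site root and list every path whose permission bits are looser
    than the baseline, as [(relative_path, current_mode, expected_mode)].
    A path is flagged when it grants any bit the baseline withholds (for
    example world-write on a directory, or other-read on wp-config.php)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink():
            continue  # a symlink's own bits are meaningless; skip it
        current = stat.S_IMODE(path.lstat().st_mode)
        wanted = expected_mode(path)
        if current & ~wanted:  # bits set now that the baseline does not allow
            findings.append((str(path.relative_to(root)), current, wanted))
    return findings


def fix_permissions(root, dry_run=True):
    """Apply the baseline to every flagged path. Defaults to a dry run so the
    proposed changes can be reviewed first; returns the list of changes."""
    changes = audit_permissions(root)
    if not dry_run:
        for rel, _current, wanted in changes:
            os.chmod(Path(root) / rel, wanted)
    return changes


def build_sample_site():
    """Constructed sample: a small WordPress-like tree in a temp directory
    with two deliberately loose permissions, so the audit runs offline."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed sample\n")
    (root / "index.php").write_text("<?php // constructed sample\n")
    os.chmod(root / "wp-content", 0o755)               # fine
    os.chmod(root / "wp-content" / "uploads", 0o777)   # loose: world-writable
    os.chmod(root / "wp-config.php", 0o644)            # loose: world-readable
    os.chmod(root / "index.php", 0o644)                # fine
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    for rel, cur, want in audit_permissions(target):
        print(f"{rel}: {cur:04o} -> should be {want:04o}")
```

Run it with a site root as the first argument to audit a real tree, or with no argument to audit the constructed sample; `fix_permissions(root, dry_run=False)` is the “click of a button” step and is kept separate from the audit on purpose, so that the list of proposed changes can be reviewed before anything is chmod’ed.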
Anti-Malware Security and Brute-Force Firewall is one of the simplest but effective malware detection, removal, and firewall plugins in the WordPress repository.
Although it does a good job detecting malware, it lacks automatic removal capabilities, even with the pro version. You still need to manually go into your site and click the “Automatically Repair SELECTED files Now” button.
Once you repair the files a record of each item is moved to its quarantine section where you can view them or remove the records completely. It is not necessary to remove them from the quarantine section as the plugin has already cleaned the original files.
The settings for the plugin are rather straightforward, but lack in features. If you want more robust security features you might need to pair this plugin with another or go with a completely different option. It would be worth your time to try it out by itself first.
To gain access to download definitions of new threats, automatic removal of known threats, and patches for specific security issues you need to register on their website GOTMLS.NET.
To access these premium features it’s a one time fee, ‘donation’, of $29 per site.
Support for their plugin is available on their WordPress repository and their website FAQ section. They are fast to respond and knowledgeable in resolving any issues you might have.
This plugin claims to add the best security measures to your WordPress website. They offer one-click hardening to add layers of protection to your website, becoming your site’s security ‘superhero-suite’.
With regular security scans and audit logging, they have tried to include all the hardening tools you need, applied quickly and easily. They do offer a firewall in the plugin, but it doesn’t seem to be as robust as the plugins mentioned above.
The pricing tiers add features such as backups and access to their suite of WordPress tools. WPMU DEV’s array of other WordPress solutions work well and are worth checking out. They have built a core system that’s made to run your WordPress business all in one place.
- Scheduled security scans
- Login protection and masking
- Audit Logging
- Two-factor authentication
- Blocklist monitoring
- Vulnerability reports
- Changed file restore and repair
- White labeling
7 day free trial available and no credit card is required with pricing starting at less than $5/month after the trial.
Wordfence’s plugin offerings can be a little confusing. They have multiple plugins that add different features: Firewall & Malware Scan, Wordfence Login Security, and Wordfence Assistant. Developing a website can be work enough, so you would think they would include all of the features under the one main plugin with the ability to activate each one separately.
They provide a dashboard on their website called Wordfence Central where you can manage multiple sites in one place and apply setting ‘templates’ to sync your configurations.
Note: This is a little like iControlWP’s Shield Central, that integrates Shield management directly into the platform for managing all your WordPress site security. You could also use Shield’s MainWP integration to achieve similar functionality.
Their firewall and malware scan plugin is one of the most popular security plugins for WordPress, with a focus on those two features as their strong points. Their model is to protect your site before it gets hacked, and if it does they deal with it appropriately.
The malware scanner checks your site and compares it with the WordPress repositories to find code injections, but you are only able to see real-time malware signature updates, get reputation checks, and control the scan timing and frequency if you upgrade to their Premium plugin.
We could not find any offerings for a free trial of their paid software.
Pricing starts at $99/year but there are slight bulk discounts applied when you add more licenses to your package and when you purchase 2 or 3 years of service.
- Leaked password protection
- View activity on your site in real time
- Advanced manual blocking of traffic from any source
- Blocking countries that are clearly engaging in malicious activity
- It tells you what changed in core, theme and plugin files and helps repair them
- Two-factor authentication
Hide My WP Ghost – Security Plugin is a security through obscurity plugin. Obscurity means the state of being unknown, inconspicuous, or unimportant. The idea here is that if the hackers and bots can’t find you then they can’t attack you as effectively.
This plugin works well with others and is to be used in conjunction with plugins that offer firewalls, malware scans, and backups, but for what it has to offer it does an excellent job.
It adds security layers to prevent injections and attacks. It doesn’t change your actual code structure; instead it creates redirects in your database to hide the standard paths.
The developer, WP Plugins, created a free online website security check where you can enter your URL and they will create an audit.
They do have a free and paid version. The free version offers a robust set of features, but the paid one unlocks several useful tools.
- Customize Paths, Protect WP Common Paths & Files, Script & SQL Injection Firewall
- URL Mapping & Text Mapping, Brute Force Protection
- User Activity Logs & Suspicious Activity Alerts
- XML-RPC Protection, Hide WP Headers and more
- Hidden Paths
- Mapping Text and URLs
- Disable Paths
- Brute Force Protection
- Activity Log
- Multiple site Integrations:
- Protection against attacks and scripting
We could not find any offerings for a free trial of their pro software.
They have lifetime discounts when you sign up with pricing starting at $23.99/year. You can still download and use the plugin at the last updated version after the subscription expires.
Sucuri Security – Auditing, Malware Scanner and Security Hardening’s free plugin is made to complement your existing security setup.
Sucuri’s activity monitoring is said to be one of the top performers in the WordPress security field. It scans your site on an automatic schedule and displays an audit log of file modifications, removals, and code vulnerabilities such as malware injections. Its diff feature allows you to see exactly what in the file has been altered. The audit logs and alerts are also very detailed and good if you have developer knowledge.
They do have a free security scanner that anyone can use even if you don’t have their plugin installed – SiteCheck. It’s important to note that results from such a scan may be misleading as it’s severely limited in what it can check, without the ability to perform an in-depth scan.
Our favorite feature has to be its hardening section. Listed there are hardening optimizations that you can apply from the screen with the click of a button. Not all of the hardening optimizations are available with the free plugin, but it gives you a good direction if you want to tackle the hardening yourself.
Sadly, you don’t get access to their firewall unless you have a paid account.
Their paid accounts are rather expensive, but once enrolled their tech does a good job of keeping your site up and running. They do give you access to an online dashboard where you can manage all of your sites.
Their customer support is fast and knowledgeable, but they do require an extra fee for malware removal if your site is down due to a hack, even with a paid account.
We could not find any offerings for a free trial of their paid software.
- Security Activity Auditing
- File Integrity Monitoring
- Remote Malware Scanning
- Blocklist Monitoring
- Effective Security Hardening
- Post-Hack Security Actions
- Security Notifications
- Website Firewall (premium)
The MalCare Security – Free Malware Scanner, Protection & Security for WordPress plugin claims to be better than the other top contenders, but we have something else to say.
Their free plugin allows you to control basic settings within your website, but the pro plugin requires you to log in and use their independent dashboard. All these clicks add up, especially when you’re trying to deal with site security issues.
They claim to keep your site up and running with auto daily malware scans and instant removal. If you have ever dealt with hackers and malware you would know that scanning and cleaning your site once automatically per day isn’t enough to keep it up and running the whole time.
We have received feedback that the malware cleanup feature doesn’t work as well as you would expect and users have struggled with their sites going down due to malware injections. Once the premium customer support was contacted the sites would appear to be fixed with no explanation.
Overall ending up with a cleaned up site doesn’t sound like a bad deal, but how they actually clean your sites is often obscured. It may be worth having a good read of their WordPress.org reviews to build a better picture of their service.
Malcare Free vs. Malcare Premium:
- Cloud based malware scanner (free)
- Cloud-based malware scanning (free)
- Deep malware scanning – files & database (free)
- Website firewall (free)
- Web application firewall (free)
- Plugin based firewall (free)
- Rules update every 7 days (free)
- Login protection (free)
- Bot protection (free)
- Rules update every 5 mins (paid)
- Geo-blocking (paid)
- Website hardening (paid)
- Instant malware removal (paid)
- View malware insights (paid)
- Instant one-click clean ups (paid)
- Automatic clean-ups (paid)
- Unlimited clean-ups (paid)
- Personalized customer support (paid)
- Support on WordPress forum (free)
- Support via email and chat (paid)
A 7 day free trial is available and no credit card is required.
Their pricing starts at $99/year.
iThemes Security is a well built plugin that covers the basics of protection such as preventing WordPress hacks, WordPress security breaches, WordPress malware detection, and more.
The feature that stands out the most is the ability to take backups of your site, but to do so you need to buy their backup plugin, BackupBuddy.
There are a lot of other backup solutions out there for a more affordable price. A couple of recommended alternatives are the UpdraftPlus plugin or simply using a good WordPress hosting service such as SiteGround that provides backups for you.
As far as their malware scanner goes, it automatically checks for known vulnerabilities installed on your site. If an issue is found and you have paid for the pro version of the plugin, it will automatically apply a solution. This is great for known threats, but lacking in the AI capabilities to report, sort, maintain, and repair your codebase. They currently do not support intelligently identifying malware in its file-level malware scanning, or deleting or replacing compromised files in its malware remediation.
- WordPress Brute Force Protection
- File Change Detection
- 404 Detection
- Strong Password Enforcement
- Lock Out Bad Users
- Away Mode
- Hide Login & Admin
- Database Backups
- Email Notifications
We could not find any offerings for a free trial of their PRO software.
Their paid packages’ pricing starts at $80/year.
VaultPress is a real-time backup and security scanning service. Designed by Automattic, it works seamlessly with your Jetpack plugin.
It’s not a robust security hardening plugin. It does not offer auto malware removal, a firewall, login protection, etc., but the features that it does offer add a lot of value. It is especially useful if you are already using Jetpack’s plugin.
- Automated daily backups (off-site)
- One-click restores
- Unlimited site storage
- All Backup Daily features
- Scan (daily, automated)
- Comment and form protection
- Unlimited video hosting
- All Security Daily features
- Backup (real-time, off-site)
- Scan (real-time, automated)
- CRM: Entrepreneur bundle
- Site Search: up to 100k records
They offer a 14 day risk free trial with a money-back guarantee.
Pricing starts at less than $5/month, but renewals are at full price.
Their paid version is a one-time purchase of $69.95 and includes lifetime updates, technical support as well as unlimited installations, and a 30-day money back guarantee.
Their support consists of forums within their WordPress repo, but questions seem to be answered quickly.
- One-Click Setup Wizard
- Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
- MScan Malware Scanner
- .htaccess Website Security Protection (Firewalls)
- Hidden Plugin Folders|Files Cron (HPF)
- Login Security & Monitoring
- JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)
- Idle Session Logout (ISL)
- Auth Cookie Expiration (ACE)
- DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
- DB Table Prefix Changer
- Security Logging
- HTTP Error Logging
- FrontEnd|BackEnd Maintenance Mode
- UI Theme Skin Changer (3 Theme Skins)
- Extensive System Info (System Info page)
- WordPress Automatic Update Options
- Force Strong Passwords (FSP)
To wrap it up, there are many different options out there.
Every site and plugin has its own specific use cases.
Ultimately it comes down to overall protection, ease of use, price, and support.
This is what we strive for. Snag our 14 day risk free trial of ShieldPRO and you’ll see why we recommend it so highly.
Don’t just take our word for it, here are a few things our customers have said about ShieldPRO:
- After deciding to get the Pro version I’m very happy and feel my site is in safe hands.
- Paul generously spent his time personally answering my questions on a Zoom call and has gone out of his way to provide a beta version of his plugin to address my needs.
Great Plugin and awesome support
- Thanks to this plugin, I can sleep peacefully at night. I had a request and it was answered within an hour. The answer was solution-oriented and easy to understand. Many thanks to Paul. I can only recommend the plugin. I look forward to further cooperation. I wish you success.
Support is super, Best Security Plugin in WP
- This Plugin is insane. You got a bunch of security and help without needing much knowledge. There is a board, which shows you all risks and how to fix them.
- Also the support is quick. I had a problem and got an answer in less than an hour which fixed this problem instantly.
- WordPress is pretty unsafe by itself. Such a plugin is a must-have. In the free version is all you need. A must have!
Shield Pro does what it says
- After having had a website hacked and taken down twice despite having a security plugin, I discovered Shield Pro. I run 5 WordPress websites and Shield Pro works well. Each summary email I receive shows how Shield Pro has protected my sites.
- Also the people at Shield are so helpful whenever a problem is encountered even if it’s not directly a shield issue.
- I was recently blocked from accessing my site by WordPress. It was due to insufficient PHP memory set by the web host. Advised by Shield to contact host. Memory limits were increased by host and full access regained.
It scans & monitors file changes with automatic removal! Literally the best
- I can not say enough about Shield Security’s service and product. It’s always a big ordeal to maintain the security of my wp site and I have not found a plugin/service that can keep my sites safe, detect file changes & remove them automatically until I found Shield Security.
- This plugin literally does it all, if any file is changed or added it notifies you & with the scanner running every hour I never miss a malware injection. It scans and monitors WordPress core files for changes, files for malware infections, and plugin & theme files for changes. THEN you can set it to AUTOMATICALLY delete these unrecognized files. What?!? How perfect is that!
- I just went in and removed all my other security plugins (malcare pro, wordfence, sucuri pro, Anti-Malware from GOTMLS.NET) because I am so sold on Shield Security Pro. It literally does everything and can I say that the pricing model is UNBEATABLE!
- I also need to mention that their customer support is also literally the BEST that I have ever encountered with any security/any product.
- I had a big issue I needed hands-on help with and they happily helped me with everything. They are so knowledgeable, down-to-earth, and kind. Such a great experience.
- This product has really been a lifesaver go try the week free trial or just buy the subscription, it’s a no brainer!
A wonderful plugin.
A great plugin with power-packed features for keeping your website secure and up-to-date (with automatic update option). Saves you a lot of time. Even a fraction less than a 5-star rating would be an insult. Thank you SSF developers for this wonderful plugin. 🙂
Simple and efficient
No problem, no intrusion attempt. Thanks to the author.
One of the best WordPress security plugins
This plugin saved multiple of my websites. Thank you for doing this.
very good plugin
very good plugin