Best WordPress Security Plugin 2018 and 2017 — Review and Comparison of Top Free and Premium Versions of New Plugins and Support Services from Several Companies
This article covers WordPress Plugins to Secure Sites providing Malware Protection, Firewall, AntiVirus, Injection Attack Holes, Vulnerability Issues Scanner and Backup of data.
Contents
Live Article Notice
Why WordPress Needs Security Plugins?
Important WordPress Security Practices
Top List of the Best WordPress Security Plugins 2018 and 2017
WordPress Security Plugin Comparison Side by Side
What WordPress Security Plugin should I Choose?
What if I still Have Security Problems Despite using a Security plugin?
Do Not Wait for a Security Attack to Happen
Other WordPress Security Plugins and Support Services
WordPress Security News
Live Article Notice
This is a live article that will be updated over time to include more plugins and list more relevant security features that may help you to decide what plugin suits better your needs.
If you found some inaccurate information or know of another interesting security plugin not listed here, please post a comment or use the site contact link at the bottom of this page to let me know about the information you have.
Why WordPress Needs Security Plugins?
WordPress is the most popular and widely used blogging platform. It is being used by millions of people around the world. 27% of all Web sites globally uses WordPress. Therefore hackers and spammers have also taken interest in breaking the security of the WordPress blogs.
WordPress security plugins are one of the easiest ways to improve security on a WordPress site. WordPress is very secure by itself and is frequently updated to fix any vulnerabilities that are found. But it is never too much have plugins that can detect security problems as soon as possible.
Security plugins can address some important vulnerabilities or at least harden the aspects of your WordPress site that are prone to manipulation by hackers.
Important WordPress Security Practices
In this post I am reviewing and comparing some of the most popular WordPress security plugins either free and commercial.
Keep in mind that even with all the best plugins installed, common security practices for keeping the WordPress site secure should be used. Your WordPress installation should be updated on regular basis to assure you are not using versions that have known vulnerabilities.
Top List of the Best WordPress Security Plugins 2018 and 2017
Here follows a list of some of the well-known WordPress security plugins that I have tried with a description of their most relevant features.
BulletProof Security
The BulletProof Security plugin secures your WordPress directories with a single click. It provides protection against CSRF, Base64, XSS, RFI, SQL injections. It also provides login security firewalls, database security and backup services.
It is available as a free and Pro version of the that offers BulletProof Security plugin service with more advanced features.
Sucuri Security plugin
The Sucuri Security plugin provides several security services like malware scanning, security activity auditing, blacklist monitoring, effective security hardening, file integrity monitoring, and a Web site firewall.
It is a free plugin and they do offer some premium services. Visit the Sucuri Security Web site for more information.
iThemes security plugin
The iThemes Security Plugin plugin supposedly provides more than 30 ways to secure WordPress site. It enhances user credentials by fixing common vulnerabilities and automated attacks. iThemes Security Pluginplugin offers both Free and Pro versions of the plugin.
Acunetix Security plugin
Acunetix Security plugin is a good fit for securing file permissions, security of the database, version hiding, WordPress admin protection, etc.. It checks the WordPress site for vulnerabilities and suggests the actions needed to be performed to correct those vulnerabilities.
The Acunetix Security WordPress plugin is available for free and they do provide other security services, you can check those out at their web site.
All In One WP Security and Firewall
The All In One WP Security & Firewall plugin checks for security vulnerabilities. It implements and enforces the latest recommended WordPress security practices and techniques.
One if its useful features is a meter on your dashboard that gives your site a score of how secure it is. It can detect malicious code in your WordPress site.
It is free plugin but they offer paid consultancy for your site’s security, you can learn more about it from their website.
6Scan Security
The 6Scan Security plugin security scanner goes beyond the simple rule-based protection of other WordPress security plugins. It employs sophisticated algorithms to find and automatically fix security vulnerabilities.
This plugin is available for free version but they do offer some paid services too. Check the 6Scan Security Web site for more information.
Notice that the version of this plugin that is available in WordPress plugin repository has not been updated in 2 years.
WordFence plugin
The WordFence plugin provides user login security, IP blocking, security scanning, and Web firewall and monitoring.
This plugin allows mobile sign in that saves your WordPress site from brute force hacks. It provides real time threat defense feed. Wordfence Scan leverages the same proprietary feed, alerting you in the event your site is compromised. This plugin is offered in both free and pro version.
AntiVirus for WordPress
The AntiVirus for WordPress plugin is a very lightweight plugin. It can strengthen the protection of your site against exploits, malware and spam injections. This plugin monitors malicious injections and also warns you about any possible attacks.This plugin works to fix common holes, stop automated attacks and strengthen user credentials.
WPBuffs Security Support Service
WPBuffs is not exactly a plugin but rather a support service that you can hire to help you fixing many types of problems with your WordPress site, including dealing with security issues using a suite of tools of their own.
They have a team of people that can provide several support services with plans that may include services like:
- Integrating your site with Google Search Console and Google Analytics
- Update themes and plugins
- Perform backup
- Monitor the site to check if it is up
- Provide traffic, maintenance and security reports
- Optimize sites for mobile
- Test and optimize site page speed
- Scan and remove malware
- Protect against brute force login
- Install SSL certificates
- Detect malicious file changes
- Migration to a dedicated server
WordPress Security Plugin Comparison Side by Side
To understand how WordPress security plugins compare, it is better to show you the features they support or not side by side. So here follow several types of comparisons of their security features.
User Login Security
The user login security features are about what aspects for protecting the process login and after the users are logged. Here is a description of the features compared between all plugins.
Brute Force Protection
Brute force is a trial and error method used by program that attack the login pages by trying different passwords until the find one that works for the attacked account.
Strong Password Enforcement
Require that the user uses strong passwords login in the WordPress account.
Block User by IP or by Country
Block users based on their IP addresses or their Country.
User Monitoring
Monitor the actions of logged users and guests.
ReCAPTCHA Integration
Integrate Google ReCaptcha in the login and registration page and any other forms to prevent the access using robot scripts.
Here follows the side by side comparison of the User Login security aspects.
Database Security
The database is where the dynamically created content and user information is stored. Protecting this information is important to avoid damages that may prevent WordPress to work properly.
Backups
Regularly take backups of database and store them on the server and make them available for download.
Errors Turned Off
Ability to turn off the database related PHP errors.
DB Status and Information
Get the information for the DB in your admin panel and live status of the DB server.
SQL Injection Protection
SQL Injection is a way to add a malicious SQL to database queries from data entered by users the user input field.
Change Table Prefix
Change the table prefix for WordPress tables at any time, not just when installing the script for the first time.
Here follows the side by side comparison of the Database security aspects.
File System Security
WordPress uses files to store its source code of course. Source code files must not be changed by any attacker. WordPress may also generate log files. Logs may be watched to understand what happened.
Disable File Editing
Disable the plugin file editor and the template file editor for administrative accounts, so nohacker with access to the admin account can edit the source files.
Monitor System Logs
Monitor system’s error logs and access logs and others through the WordPress administration panel.
Manage File Permissions
Manage file and directory permissions from admin panel and password protect the wp- directories.
Repair Files
Repair altered files that may contain malicious code.
Here follows the side by side comparison of the File System security aspects.
External Access Features
Threats that may compromise the security of Web site based on WordPress usually come from the outside. Some of the most important security features exist to prevent that malicious external accesses compromise WordPress security.
XSS Protection
Cross-site scripting (XSS) is a way to inject JavaScript code in HTML that is displayed on Web pages and be used to steal user data or othet type of sensitive information.
WAF (Web Application Firewall)
Web Application Firewall (WAF) filters, monitors and blocks HTTP requests sent to pages that supposedly should not exist in a Web site but may have been installed by code that exploited a vulnerability.
DDOS Protection
DDOS stands for Distributed Denial Of Service attack. This is a kind of a security attack for compromising the ability of a server to handle requests due to many computers that are used from different world locations to perform attacks at the same time.
DDOS protection is needed to detect when an attack is going on and prevent that it causes the WordPress site be unusable by regular users.
Here follows the side by side comparison of the File System security aspects.
Best Free WordPress Security Plugins
All the plugins mentioned in this article have free versions apart from premium versions that may provide better system.
If you compare all the listed plugins on the criterion that matter most to you, you can find out which is the best free WordPress security plugin.
What WordPress Security Plugin should I Choose?
All the plug-ins mentioned in this article provide good support to the most important security matters that you should be concerned when detecting and mitigating security problems that may arise.
So rather than recommending a specific plugin, let me list the features I think are more important when it comes to security services that a WordPress plugin may provide.
Take a look at these features, look at the side by side comparisons above and see which plugins provide those features and at the same time provide them at price and support level that you desire.
Some of the plugins only support certain features in the premium versions. But at the time of despair when something bad already happened the money that the premium version costs may be well worth compensated by the possibility to get support from qualified professionals.
- Brute Force Protection and Strong Password Enforcement because you do not want an attacker to simply access your administration panel due to weak passwords
- Automated backups sent to secure places , preferrable to a different server because if something bad happens you do not want to be unable to recover your WordPress site at least partially.
- Monitor changes in files such as source code, templates, JavaScript and repair from secure backups because many site defacements are basically that, files that were changed by attackers to make it look different or look the same but spread malware in a way that you cannot notice looking at the pages.
- A good Web application firewall because even if plugins can protect from some kinds of exploits, other exploits may still be performed on the server and new malware files may be installed on the system to make it act in a way that is not intended. A Web Application Firewall will block the access to those new malware files , so their code cannot be executed.
What if I still Have Security Problems Despite using a Security plugin?
Well these security plugins are great but there may always be cases that they did not anticipate. Most newer security exploits were created by people that was smarter than the developers and abused from holes that were foreseen.
So, when the security attacks happen, you will need the help of a security expert. Some plugin developers provide additional services that you may contract to have people solving your specific problem.
Hiring on demand may often be more expensive than hiring an ongoing support service that is ready to act by the time you find about a security incident.
This is why this article lists also one (one for now, more be listed later) support service, in the case called WPBuffs. They provide several plans of subscription based WordPress support service. It includes security services but it also includes other non-security related services such as maintenance.
WPBuffs services are affordable and it may bring you some piece of mind and less headaches when the incidents happen. They have a free trial service for 30 days that you can try to evaluate them without having to commit any payment.
Do Not Wait for a Security Attack to Happen
Security is a very sensitive topic. Many developers wished they never had to deai with security issues but every project will have their own set of security problems, especially large projects like WordPress that is a very visible target due to its popularity.
So, if your WordPress site is very important to you and you must not lose time, money and effort with eventual security problems, do not wait until you have those problems to start acting. Spend some time now and install any plugins you feel that are necessary to keep you more protected.
Other WordPress Security Plugins and Support Services
There are more WordPress Security Plugins out there. Some may be old and not be updated for a while. Others may be new and were not covered in this article yet.
If you know about any other relevant plugins or support services dedicated to WordPress security, please post a comment below or use the contact link at the bottom of the page.
If you liked this article share it with your developer or WordPress site owner friends so they can also be aware of how to protect their sites from security issues.
WordPress Security News
If you want to know all about the releases that implement or fix security aspects of WordPress, the best place to find about that is the WordPress news blog Security category.
There you can file the list of the latest releases of WordPress that reference security features or fixes.
Top comments (0)