Top 28 WordPress Security Plugins (Why Hack You?)

These plugins will serve as secret agents, gathering intelligence on the enemies of your site.


Generally, these plugins cover the following areas of protection and analysis, and produce useful data about what is hitting your site:

• Brute Force Attacks (Fighting)
• Spam Attacks (Kill)
• Data Analysis 
• Protect Logins
• Saving Backups

Let's list.


Protection Against Hackers (The Gates)

1. WORDFENCE (link: https://www.wordfence.com/) - Over 33 mln downloads.

- Comprehensive WordPress Security Plugin

- Protection Service: 

• Firewall: Web Application Firewall - Country Blocking - RealTime Threat Defense Feed - Advanced Manual Blocking - Block Brute Force Attacks
• Scan: Malware Scanner - Check if Site is Spamvertized - Remote Scans - Check if Site IP is Generating Spam
• Live Traffic: View Blocked Intrusion Attempts - View Google Crawl Activity - View Logins and Logouts - View Human Visitors - View Bots and Crawlers
• Cell Phone Sign In - Repair Files - Audit Existing Passwords - Advanced Comment Spam Filter - Monitor Disk Space - Get Detailed IP Info


2. BULLETPROOF SECURITY (link: https://wordpress.org/plugins/bulletproof-security/)

• One-Click Setup Wizard
• AutoRestore Intrusion Detection & Prevention System (ARQ IDPS)
• Quarantine Intrusion Detection & Prevention System (ARQ IDPS)
• Real-time File Monitor (IDPS)
• DB Monitor Intrusion Detection System (IDS)
• DB Diff Tool: data comparison tool
• DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
• DB Status & Info: extensive database status & info
• Plugin Firewall (IP Firewall): Automated Whitelisting & IP Address Updating in Real Time
• JTC Anti-Spam|Anti-Hacker
• Uploads Folder Anti-Exploit Guard (UAEG)
• .htaccess Website Security Protection (Firewalls)
• Hidden Plugin Folders|Files Cron (HPF)
• Custom php.ini Website Security
• Login Security & Monitoring w/Dashboard Alerting|Status Display & additional options/features
• Idle Session Logout (ISL)
• Auth Cookie Expiration (ACE)
• F-Lock: Read Only File Locking
• FrontEnd | BackEnd Maintenance Mode
• Security Logging
• HTTP Error Logging
• PHP Error Logging
• DB Monitor Logging
• DB Backup Logging
• DB Table Prefix Changer
• AutoRestore | Quarantine Logging
• S-Monitor: Monitoring & Alerting Core
• Pro Tools: 16 mini-plugins
• Heads Up Dashboard Status Display
• UI Theme Skin Changer (3 Theme Skins)
• Extensive System Info


3. ANTI-MALWARE SECURITY AND BRUTE-FORCE FIREWALL (link: https://wordpress.org/plugins/gotmls/)

Free Version: 

• Run a Complete Scan to automatically remove known security threats and backdoor scripts.
• Firewall blocks SoakSoak and other malware from exploiting known vulnerabilities in Revolution Slider and other plugins.
• Upgrade vulnerable versions of timthumb scripts.
• Download Definition Updates to protect against new threats.

Premium Version:

• Patch your wp-login and XMLRPC to block Brute-Force and DDoS attacks.
• Check the integrity of your WordPress Core files.
• Automatically download new Definition Updates


4. iTHEMES SECURITY (link: https://wordpress.org/plugins/better-wp-security/)

Stop Automated Attacks
Strengthen User Credentials
Manage Away Mode
Updates
Brute Force Attack Protection (Automatic IP Add. Report - Host Banning)
Failed Login Attempts (Time-Line Blocking)
Site Scans
Bot - Host - Agent Banning
Server Security
Strong Password Enforcement
Force SSL (for Admin Pages and Posts if supported by server)
Turns Off File Editing
Filesystem and Database Protection
Bot Detection
Filesystem Monitoring
Malware and Blacklist Scanning
Email Notifications
URLs Protection/Hiding
Temporary Login Protection
Removing Plugins and Themes
Remove Header Information (Windows Live Write - RSD)
Admin Acc Rename
User ID Management
Database Table Prefix Protection
Content Path Protection (wp-content)
Login Error Message Management
Etc.

- This plugin offers more than 30 lockdown features that keep WordPress security in check. Besides these free features, the Pro version adds more.

Pro Version:

• Two-Factor Authentication – Use a mobile app such as Google Authenticator or Authy to generate a code or have a generated code emailed to you.
• WordPress Salts & Security Keys – The iThemes Security plugin makes updating your WordPress keys and salts easy.
• Malware Scan Scheduling – Have your site scanned for malware automatically each day. If an issue is found, an email is sent with the details.
• Password Security – Generate strong passwords right from your profile screen.
• Password Expiration – Set a maximum password age and force users to choose a new password. You can also force all users to choose a new password immediately (if needed).
• Google reCAPTCHA – Protect your site against spammers.
• User Action Logging – Track when users edit content, login or logout.
• Import/Export Settings – Saves time setting up multiple WordPress sites.
• Dashboard Widget – Manage important tasks such as user banning and system scans right from the WordPress dashboard.
• Online File Comparison – When a file change is detected it will scan the origin of the files to determine if the change was malicious or not. Currently works only in WordPress core but plugins and themes are coming.
• Temporary Privilege Escalation – give a contractor or someone else temporary admin or editor access to your site that will automatically reset itself.
• wp-cli Integration – Manage your site’s security from the command line.


5. SUCURI SECURITY - AUDITING, MALWARE SCANNER AND SECURITY HARDENING (link: https://wordpress.org/plugins/sucuri-scanner/)

• Security Activity Audit Logging
• File Integrity Monitoring
• Remote Malware Scanning
• Blacklist Monitoring
• Effective Security Hardening
• Post-Hack Security Actions
• Security Notifications


6. ALL IN ONE WP SECURITY & FIREWALL (link: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/)

• USER ACCOUNTS SECURITY
• USER LOGIN SECURITY
• USER REGISTRATION SECURITY
• DATABASE SECURITY
• FILE SYSTEM SECURITY
• HTACCESS AND WP-CONFIG.PHP FILE BACKUP AND RESTORE
• BLACKLIST FUNCTIONALITY
• FIREWALL FUNCTIONALITY
• BRUTE FORCE LOGIN ATTACK PREVENTION
• WHOIS LOOKUP
• SECURITY SCANNER
• COMMENT SPAM SECURITY
• FRONT-END TEXT COPY PROTECTION
• REGULAR UPDATES AND ADDITIONS OF NEW SECURITY FEATURES
• WORKS WITH MOST POPULAR WORDPRESS PLUGINS
• ADDITIONAL FEATURES
• PLUGIN SUPPORT
• DEVELOPERS
• TRANSLATIONS

7. SHIELD WORDPRESS SECURITY (link: https://wordpress.org/plugins/wp-simple-firewall/)


• Pro restrictions on security features.
• Easy User Interface
• Admin Security
• Security Group
• Blocking Feature
• Block Spambot
• Hide Standard URLs(Admin/Login page)
• Brute Force Protection
• Two-Factor Auth Identity
• Monitoring
• Audit Trail Log
• WordPress Automatic Updates Settings
• Firewall Protection/Settings
• Fable - Fully Automatic Black Listing Engine
• WordPress Lock Down
• Automatic Updates


Anti Spam


8. AKISMET ( link: https://wordpress.org/plugins/akismet/ )

• Automatic Comment Checking
• History/Logging
• URL Demasking on Comments
• Moderator Statistics
• Spam Blocking

9. SI CAPTCHA ANTI-SPAM ( link: https://wordpress.org/plugins/si-captcha-for-wordpress/ )

CAPTCHA Security Features and Configurations
Login Forms
Lost Password Forms
Register Forms
Comment Forms
Signup Forms
Checkout Forms
Jetpack Contact Form
Styling
Multi-Lingual

10. SPAM PROTECTION BY CLEANTALK (link: https://wordpress.org/plugins/cleantalk-spam-protect/)

Stop Spam Comment
Stop Spam Registration
Stop Spam Contact
Stop Spam Orders
Stop Spam Bookings
Stop Spam Subscriptions
Stop Spam Survey/Polls
Stop Spam Widgets
Stop Spam WooCommerce
Comment Spam Scanning

ANTI-SPAM PROTECTION FOR COMMENTS
SPAM BOT REGISTRATIONS FILTER
PROTECTION FROM CONTACT FORM SPAM
WOOCOMMERCE SPAM FILTER
NEWSLETTERS FILTER
SPAM FILTER FOR THEME CONTACT FORMS
BBPRESS SPAM FILTER
COMPATIBLE WITH WORDPRESS CACHE PLUGINS


11. WP-SPAMSHIELD ANTI-SPAM (link: https://wordpress.org/plugins/wp-spamshield/ )

TWO LAYERS OF SPAM BLOCKING
- JavaScript/Cookies Anti-Spam Layer
- Algorithmic Anti-Spam Layer

Anti-Spam Comment Protection
Protection Against SQL Injection/DDoS/XSS
Pingback-based DDoS Protection
Web Performance
Zero False Positives
Pingback/Trackback Validation and Anti-Spam
INCLUDES A SPAM-FREE CONTACT FORM, AND ANTI-SPAM FOR CONTACT FORM 7, GRAVITY FORMS, NINJA FORMS, JETPACK CONTACT FORMS, AND MOST OTHER FORMS
WORDPRESS REGISTRATION ANTI-SPAM
STOPS EMAIL HARVESTERS
OPTIMIZED AND SCALABLE


12. ANTI-SPAM (link: https://wordpress.org/plugins/anti-spam/ )

Login Protection


13. MINIORANGE 2 FACTOR AUTHENTICATION (link: http://miniorange.com/2-factor-authentication-service.php)

15+ authentication methods to choose from that fits all needs
Cloud-based authentication service – Pay per use (On-Prem option also available)
Ready support for Out of band authentication
Ready support for Phone/SIM/IMEI Authentication – No more phone fraud.
SHA 160/256 Algorithms for Secure Key generation
Global Real-time Delivery via multiple SMS / SMTP Gateways
Easy to Use

Push notifications
Out of Band Email and SMS
Supports Risk based Access with Device, Location, Behavior, Transaction or Custom based policies
Supports all possible Remote Logins ( Radius VPN,Website Protection, AD FS,Windows Logon )
Much lower total cost of ownership with Instant authentication set up and Flexible Licensing model
Performance & Reliability: 24/7 availability
REST API based integration architecture which supports both Proxy or Agent based architecture
Very user friendly Web Administration Portal
Integration support

Cloud Integrations using Plug and play approach (SAML, OpenID, Oauth, ADFS, WS-Fed)
Enterprise integration including Proxy server integration like Websphere HTTP server, Siteminder, Weblogic/Oracle Server
Social Login support - with Facebook, Google, Yahoo, LinkedIn etc.


14. LOGINIZER (link: https://wordpress.org/plugins/loginizer/)


Pro Features :

MD5 Checksum – of Core WordPress Files. The admin can check and ignore files as well.
PasswordLess Login – At the time of Login, the username / email address will be asked and an email will be sent to the email address of that account with a temporary link to login.
Two Factor Auth via Email – On login, an email will be sent to the email address of that account with a temporary 6 digit code to complete the login.
Two Factor Auth via App – The user can configure the account with a 2FA App like Google Authenticator, Authy, etc.
Login Challenge Question – The user can setup a Challenge Question and Answer as an additional security layer. After Login, the user will need to answer the question to complete the login.
reCAPTCHA – Google’s reCAPTCHA can be configured for the Login screen, Comments Section, Registration Form, etc. to prevent automated brute force attacks. Supports WooCommerce as well.
Rename Login Page – The Admin can rename the login URL (slug) to something different from wp-login.php to prevent automated brute force attacks.
Rename WP-Admin URL – The Admin area in WordPress is accessed via wp-admin. With loginizer you can change it to anything e.g. site-admin
Rename Login with Secrecy – If set, then all Login URL’s will still point to wp-login.php and users will have to access the New Login Slug by typing it in the browser.
Disable XML-RPC – An option to simply disable XML-RPC in WordPress. Most of the WordPress users don’t need XML-RPC and can disable it to prevent automated brute force attacks.
Rename XML-RPC – The Admin can rename the XML-RPC to something different from xmlrpc.php to prevent automated brute force attacks.
Change the Admin Username – The Admin can rename the admin username to something more difficult.
Auto Blacklist IPs – IPs will be auto blacklisted, if certain usernames saved by the Admin are used to login by malicious bots / users.
Disable Pingbacks – Simple way to disable PingBacks.
Features in Loginizer include:

Blocks IP after maximum retries allowed
Extended Lockout after maximum lockouts allowed
Email notification to admin after max lockouts
Blacklist IP/IP range
Whitelist IP/IP range
Check logs of failed attempts
Create IP ranges
Delete IP ranges
Licensed under GNU GPL version 3
Safe & Secure


15. LOGIN SECURITY SOLUTION (link: https://wordpress.org/plugins/login-security-solution/)


Block brute force and dictionary attacks.
IP Tracking
Login Monitoring
Login Delay Protection
Identity Account Proof / Protection
Notification
IPv6
Password Examination
Password Aging
Session Logs
Maintenance Mode
Multisite Network
Authentication Monitoring
Login Tracking
Backups and Restoration


Backups

16. UPDRAFTPLUS WORDPRESS BACKUP PLUGIN (link: https://wordpress.org/plugins/updraftplus/)

WordPress Backup Support
Task Scheduling
Website Duplicator/Migrator
Remote Control
Database Backups


17. WP DATABASE BACKUP (link: https://wordpress.org/plugins/wp-database-backup/)

Database backup with a single click.
Automatic backups.
Restore a database backup with a single click.
Store database backups in a safe place: Dropbox, Google Drive, Amazon S3, FTP, Email.
Pagination.
Search and sort database backup feature.
Documentation


18. BACKWPUP (link: https://wordpress.org/plugins/backwpup/)

Database Backup (needs mysqli)
WordPress XML Export
Generate a file with installed plugins
Optimize Database
Check and repair Database
File backup
Backups in zip, tar, tar.gz, tar.bz2 format (needs gz, bz2, ZipArchive)
Store backup to directory
Store backup to FTP server (needs ftp)
Store backup to Dropbox (needs curl)
Store backup to S3 services (needs PHP 5.3.3, needs curl)
Store backup to Microsoft Azure (Blob) (needs PHP 5.3.2, curl)
Store backup to RackSpaceCloud (needs PHP 5.3.2, curl)
Store backup to SugarSync (needs curl)
PRO: Store backup to Amazon Glacier (needs PHP 5.3.3, curl)
PRO: Store backup to Google Drive (needs PHP 5.3.3, curl)
Send logs and backups by email
Multi-site support only as network admin


19. BACKUP GUARD (link: https://wordpress.org/plugins/backup/)



20. WPBACKITUP (link: https://wordpress.org/plugins/wp-backitup/)

Community Edition Features (free)

Easy to use, just one click and your site is backed up
Easy to setup because there is no setup required
Simple & easy to understand – not just for techies
Fast backups
Unlimited backups so create as many as you want
Large sites supported – lot’s of content, no problem
Download your backups – no matter how large your site we have you covered
Backup cancellation – cancel your backup at any time
Customize what you want to backup
Status notifications sent to you by email after every backup
Works in low memory & shared hosting environments
Works on all WordPress platforms (Linux, Windows and even Azure)
Complete backups, which includes database, plugins, themes, uploads, media files, everything
Compressed backups (zip format) to save disk space
Customized backup retention so you only keep the backups you want
Tested and supported on WordPress 3.8 and above
Professional support so if you need us we are available


Premium Features (paid)

One click restore right from your WordPress dashboard
Automated backups allow you to schedule your backups to run whenever you want
Backups run in background mode so you can keep working while your backups are running
Import your backups right from your dashboard, no matter how large
Single file backup makes moving your backups to another host easy
Restore your backup to a different version of WordPress
Migrate your site to different host, domain or table prefix
Clone your site for development, staging or testing
Priority support gets you right to the front of the line


21. BLOGVAULT REAL-TIME BACKUP (link: https://wordpress.org/plugins/blogvault-real-time-backup/)

Daily, automatic WordPress backup
Managed, off-site backups
Real-time WordPress backup
Backup entire WordPress sites: WordPress files and database backups complete with custom files and tables as well
Efficient, incremental backups
Encrypted, secure backups
365-day Backup history
WordPress Backup to Dropbox
Restore from any backup in one-click; even when your site is down
Most relied on migrations tool, to any URL or web host. Trusted by leading web hosts
Easy-to-use, independent dashboard to manage all sites’ backups
World-class support


22. WORDPRESS BACKUP TO DROPBOX (link: https://wordpress.org/plugins/wordpress-backup-to-dropbox/)


23. XCLONER (link: https://wordpress.org/plugins/xcloner-backup-and-restore/)

Backup and Restore your WordPress site easily
Create compressed and uncompressed backups using TAR open source format
Create automated backups from your Scheduled Backups Section
Receive email notifications of created backups
Generate automatic backups based on cronjobs, it can run daily, weekly, monthly or even hourly
Restore your backups locally or to a remote location, XCloner will attempt to extract the backup archive files for you, as well as import the mysql dump and update the WordPress config details
Upload your backups to Remote Storage locations supporting FTP, SFTP, Dropbox, AWS, Azure Blob, BackBlaze, WebDAV, Google Drive and many more to come
Watch every step of XCloner through its built-in debugger
Although XCloner is optimized to run properly on most hosts, developers get options to customize its running speed and avoid backup timeouts, all from XCloner Config -> System Options
Ability to split backups into multiple smaller parts if a certain size limit is reached
Generate Differential Backups so your backup will include only files modified after a certain date, giving you the option to decrease the total backup space disk usage
Generate automatic backups before a WordPress automatic update


24. WP-DBMANAGER (link: https://wordpress.org/plugins/wp-dbmanager/)

Allows you to optimize, repair, backup and restore the database, delete backups, drop/empty tables and run selected queries. Supports automatic scheduling of database backup, optimization and repair.

Email Protection


25. OBFUSCATE EMAIL (link: https://wordpress.org/plugins/obfuscate-email/)

Obfuscate email addresses to deter email harvesting spammers, while retaining the appearance and functionality of hyperlinks.

“Obfuscation” simply means that techniques are employed to modify the email address strings that appear on your site so that bots scraping the site cannot identify those addresses, while the addresses still look and work correctly for visitors, as far as possible.

26. EMAIL ADDRESS ENCODER (link: https://wordpress.org/plugins/email-address-encoder//)

A lightweight plugin to protect plain email addresses and mailto links from email-harvesting robots by encoding them into decimal and hexadecimal entities. Has effect on the posts, pages, comments, excerpts and text widgets. No UI, no shortcode, no JavaScript — just simple spam protection.


SSL Helper


27. REALLY SIMPLE SSL (link: https://wordpress.org/plugins/really-simple-ssl/)


The plugin handles most issues that WordPress has with SSL, like the much-discussed load balancer issue, or the case where no server variables are set at all.

All incoming requests are redirected to https, via .htaccess if possible, otherwise with JavaScript.

The site url and home url are changed to https.

Your insecure content is fixed by replacing all http:// URLs with https://, except hyperlinks to other domains. This is done dynamically, so no database changes are made (except for the siteurl and homeurl).


28. SSL INSECURE CONTENT FIXER (link: https://wordpress.org/plugins/ssl-insecure-content-fixer/)

Clean up your WordPress website’s HTTPS insecure content and mixed content warnings. Installing the SSL Insecure Content Fixer plugin will solve most insecure content warnings with little or no effort. The remainder can be diagnosed with a few simple tools.
