Top 3 WordPress Security Plugins

Dennis Plucinik

Companies stake their brand and reputation on WordPress every day. Currently, in 2018, WordPress is estimated to power roughly 29% of the top one million websites. The downside of that popularity is that it makes WordPress an attractive target for hackers. At least half of our business centers on WordPress development for clients ranging from startups to large enterprises.

You can see just how many known exploits there currently are here and here.

Fortunately, WordPress is a well established platform and has been battle tested for nearly fifteen years. The internal WordPress Security Team is made up of approximately 50 experts focused on identifying and fixing bugs around the clock.

In addition to following best practices and updating plugins and core files regularly, the WordPress community has provided us with an exceptional array of additional resources, including the following plugins, to help keep your WordPress site safe and secure.

It’s important to note the difference between these and other traditional “plugins”. Considering the wealth of security risks, and the ever-increasing torrent of major site attacks in the news, it is important to think of security management as an ongoing process. As such, these solutions are less like a one-time plugin install and more like employing the ongoing service of a professional security monitoring company.

As with most things, you get what you pay for, and good security isn’t free.

There are many posts on the internet that elaborate on dozens of security plugin options, but we’re only going to focus on the best. We have determined this list by comparing a variety of attributes, including popularity, longevity, company size and focus, and pricing.

We will not be ranking plugins on their ability to block or manage spam comments, enhance SEO, or backup files or data.

Firewall & Malware Scan
Active installations: 2+ million
Last updated: 2 weeks ago (2/11/18)
Company: Defiant, Inc. (private), Seattle, WA. Mark Maunder founded Feedjit Inc. in 2007; $450k angel funding in 2008 (Crunchbase); launched Wordfence in 2012; rebranded to Defiant in 2017
Price: $99/year

Notable features

- Endpoint firewall with real-time updates (via Threat Defense Feed)
- Brute-force attack protection and file access rate-limiting
- Malware scanning
- Live traffic monitoring
- Automatic security updates within 24 hours of release
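The brute-force protection and rate-limiting listed above rest on one idea: count repeated login attempts from a single source and cut that source off once it passes a threshold. The following is an added example, not code from the original post or from Wordfence. It runs that same check over ordinary web-server access logs, so an administrator can spot a login-guessing burst in the logs independently of any plugin. It assumes the Apache/nginx “combined” log format; the log lines (TEST-NET addresses), window and threshold are constructed for the example. The status-code rule it relies on is that stock WordPress re-renders wp-login.php with HTTP 200 when a login fails and answers 302 (a redirect to the dashboard) when it succeeds.

```python
"""Flag source addresses making bursts of failed wp-login.php attempts.

Added example for this post, not code from the original or from any plugin
vendor. Assumes the Apache/nginx "combined" access-log format; the sample log
lines below are constructed (TEST-NET addresses).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the fields the detector needs are captured: client IP, timestamp,
# request method, request path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.5 fails six logins in 30 s (200 = form re-rendered);
# 198.51.100.7 views the form once and logs in once (302 = redirect on success).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Feb/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [11/Feb/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [11/Feb/2018:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2201
203.0.113.5 - - [11/Feb/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [11/Feb/2018:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [11/Feb/2018:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [11/Feb/2018:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.5 - - [11/Feb/2018:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.7 - - [11/Feb/2018:10:00:40 +0000] "GET /wp-admin/ HTTP/1.1" 200 9011
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],   # drop any query string
        "status": int(m["status"]),
    }


def failed_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: attempts} for IPs with >= threshold failed logins inside any window.

    A failed attempt is a POST to wp-login.php answered with 200; a successful
    login answers 302 and is deliberately not counted.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if (ev and ev["method"] == "POST"
                and ev["path"].endswith("/wp-login.php") and ev["status"] == 200):
            attempts[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        worst, start = 0, 0
        # Sliding window: advance 'start' until the window fits, track the densest burst.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            flagged[ip] = worst
    return flagged


if __name__ == "__main__":
    for ip, n in failed_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins within 60 s")
```

On a real host you would feed the function the contents of the access log; a plugin’s endpoint firewall does the same counting in-process and turns the flagged address into a temporary block rather than a printed line. The window and threshold are the knobs to tune against your own legitimate traffic before acting on the output.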


This leading cyber-security company employs a team of security professionals, and has created a viable business model focused exclusively on providing the most advanced WordPress security products. Their CEO regularly writes and speaks on the topics of internet security.

Aside from price, one detractor appears to be performance. Evidently, some of its functions, such as live traffic monitoring, require a surprising number of additional database tables and, consequently, a large amount of memory (i.e., a more expensive server).

As for the security functionality itself, some other security experts have noted a failure to report certain issues, and even false advertising.

Firewall & Malware Scan
Active installations: 900k+
Last updated: 2 weeks ago (2/11/18)
Company: iThemes Media LLC, founded 2008, makers of BackupBuddy; acquired by Liquid Web (which also owns Rackspace) on 1/31/18
Price: $80/year

Notable features

- File change detection
- File integrity monitoring
- Brute force attack prevention
- One-click default setup
- “Away mode” dashboard lock


You may notice a considerable number of negative reviews; however, many appear to stem from misconfiguration by inexperienced site administrators. Some users also appear discontented with customer service responses.

Overall, there are some aspects of this UI that are appealing to an average user, such as the easy default setup and “Away Mode”. I personally wish there was an Away Mode option that wasn’t time based and instead forced two-factor authentication in order to come back from Away Mode (two-factor authentication is simply too burdensome for most applications with more than one regular user). File change detection is also unique and important.

Lastly, I’m torn on whether to consider their acquisition by Liquid Web as a pro or a con. An independent company has no other incentive than to provide great service and though Liquid Web may provide additional resources to bolster the product offering, the fact that Liquid Web’s core business isn’t exclusively security means their motives aren’t perfectly aligned.

Auditing, Malware Scanner and Security Hardening
Active installations: 300k+
Last updated: 1 week ago (2/18/18)
Company: Founded 2010 by Daniel Cid (founder of OSSEC); acquired by GoDaddy on 3/22/17
Price: $199/year

Notable features

- Cloud firewall (WAF)
- Blacklist monitoring
- Malware scanning and unlimited removal
- File integrity monitoring
- File and data security enhancements
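File integrity monitoring, listed here and (with file change detection) for the previous plugin, comes down to one mechanism: hash every file once to form a baseline, re-hash later, and diff the two. The following is an added example for this post, not code from any of the plugins named in it. It builds a fake WordPress-style tree inside a temporary directory, baselines it, tampers with it, and reports what changed. The `SKIP_DIRS` defaults are an assumption about which directories churn legitimately (uploads and caches), and the baseline is deliberately written to a second directory outside the web root, since a baseline the web-server user can overwrite is one an intruder can overwrite too.

```python
"""Minimal file-integrity monitor: hash a tree into a baseline, re-hash later, diff.

Added example for this post; it is not code from any plugin named here. The
WordPress-style tree below is constructed in a temporary directory, and the
SKIP_DIRS defaults are an assumption about which directories churn legitimately.
"""
import hashlib
import json
import os
import tempfile

# Directories whose contents change in normal operation (assumed defaults).
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        # Prune churny directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if (f"{rel_dir}/{d}" if rel_dir else d) not in SKIP_DIRS]
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            manifest[rel] = sha256_file(os.path.join(dirpath, name))
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Persist the baseline; keep it where the web-server user cannot write."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, data, mode="w"):
    """Helper for the constructed scenario: create rel under root with data."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a fake install, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php // constructed front controller\n")
        _write(root, "wp-includes/version.php", "<?php // constructed\n")
        _write(root, "wp-content/uploads/photo.jpg", b"\xff\xd8", mode="wb")
        baseline_path = os.path.join(store, "baseline.json")   # outside the web root
        save_manifest(build_manifest(root), baseline_path)

        # Changes no administrator made: an edited core file, a new file in
        # wp-content, a missing file. Upload churn is expected and ignored.
        _write(root, "index.php", "// unexpected edit\n", mode="a")
        _write(root, "wp-content/extra.php", "<?php // constructed\n")
        os.remove(os.path.join(root, "wp-includes", "version.php"))
        _write(root, "wp-content/uploads/new.jpg", b"\xff\xd8", mode="wb")

        return diff_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run on a real install, `build_manifest` would be pointed at the document root right after a clean install or update, and the diff re-run on a schedule; a core file in the “modified” list that no update touched is the signal the plugins’ file-change alerts are built to raise. Comparing against the vendor’s published checksums rather than your own baseline is the stricter variant, which is what the malware scanners above do for core files.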


Although a cloud-based WAF may actually boost performance, when absolute security is necessary and we must choose between the two, we prefer an endpoint firewall to the cloud solution provided by this and other services such as Cloudflare. It is, however, possible to employ both if following a Defense in Depth strategy, albeit at a higher cost.

All three of these options provide an exceptional solution for managing security. You’ll have to decide which is right for you depending on your own security strategy as each satisfies individual requirements slightly differently.

In closing, security plugins represent one step in a Defense in Depth security strategy. When absolute security is a priority for you, we recommend applying a combination of the most finely tailored solution at each potential layer of vulnerability.

Lastly, if you can afford to make some feature concessions and want to combine ultra-high performance and insanely bulletproof security, read our post on Secure, High-Performance, Static WordPress Sites.
