WordPress is the world's favourite open source web design platform, a brilliantly simple CMS you can use for any and every type of site, from simple brochure-ware to hugely complex online retail presences. There are almost 20 million WordPress sites out there in the wild, and that means there are plenty of mischief makers determined to crack usernames and passwords, get inside sites, and cause havoc.
On average, hackers and their bots try to access a website – any website – 44 times a day, day in, day out. WordPress makes it as challenging as possible for hackers. Site owners do the decent thing with strong, hard-to-guess passwords and non-obvious usernames. But it still makes a lot of sense to set your WP site up with a really good security plugin to stay as safe as possible.
Which to choose? Here are six of the best WordPress security plugins, all designed to help you improve WordPress's already great security, prevent brute force attacks, prevent data theft and stop the baddies getting in. Choose the one you like the sound of best, download it, activate it, get it configured, and off you go.
WordPress security plugins 101 – Meet Sucuri, simply the best
Sucuri is probably the most popular WordPress security plugin of all, respected as one of the best. There's a free basic security plugin from Sucuri that boosts WordPress's existing security and also scans sites for common threats. So far, so good. But the paid version is what you need if you want to tap into the very best WordPress firewall protection. This one filters nasty traffic out before it even gets to your server, and because they serve static content from their own CDN servers, you also eliminate any data bottlenecks, enjoy top-class performance and achieve top site load speeds.
If you do get hacked, Sucuri will clean your site and remove the damage, and they won't charge you extra. If you have a large and complex website plus a lot of customer data, it might make a lot of sense to pay for the Sucuri WordPress security plugin.
Wordfence – Powerful malware scanning and a slightly less effective firewall than Sucuri
Wordfence has a tough malware scanner, comes with excellent exploit detection, and has some great threat assessment features. A full scan alerts you if it finds any threats, and if it does, you get instructions on how to fix them. There's an integral WordPress firewall, but because it runs on your server just before loading WordPress, it's slightly less effective than Sucuri.
iThemes Security Pro – Lots of options and a really simple user interface
iThemes Security features a lovely simple user interface plus plenty of options. Another of the best WordPress security plugins, this one uses Sucuri's brilliant Sitecheck malware scanner. It checks the integrity of files, improves WP's own security, limits login attempts to help foil hackers, enforces strong passwords, protects against brute force attacks and detects 404 'page not found' redirects. On the other hand, it doesn't have a website firewall.
All in One WordPress Security – Basic firewall and manual IP blocking
The All in One WordPress Security plugin is great for security auditing, monitoring, and firewall protection, and makes it easy to apply good security without having to know a lot of technical detail. It locks down logins to prevent brute force attacks, filters IPs, and monitors the integrity of files and user accounts. It also scans databases for suspicious patterns and comes with a basic website firewall – just remember you'll need to blacklist any dodgy IP addresses by hand.
BBQ – Block Bad Queries
WordPress security sometimes comes with complicated user interfaces, but not this one. The BBQ plugin is a firewall plugin that's so simple it only contains the essentials, the security-enhancing features required from a firewall. It's a genuine 'plug and play', too, which means you download it, activate it and that's that. There's no configuration at all. BBQ checks all your incoming traffic and blocks bad requests like directory traversal attacks, executable file uploads, malware and lots more.
BulletProof Security – A hard worker
BulletProof Security has a setup wizard to help you get set up properly, as well as links to a huge amount of useful information explaining the scans and security settings. The malware scanner checks WordPress files and folders, and the plugin hardens WP's own great security thanks to login protection, idle session logout, security logs, database backups, email notifications for security logs and locked-out user alerts.
You only need one WordPress security plugin
One thing to remember: more than one security plugin can leave you with problems. Choose one, make sure it's configured properly, and you're much more secure than you would be without a WordPress plugin. Remember to update the plugin you choose whenever a new version arrives, and check your settings now and again to make sure they're still appropriate for your needs.