10 WordPress Security Plugins to Harden your Site

WordPress is the most popular and most widely used CMS on the internet, accounting for more than 40% of the most popular sites. That makes it a regular target for hackers trying to break into WordPress sites. WordPress on its own is very secure if you keep it updated and don’t install rogue plugins and themes that might open your site to hackers. In this post, I will be sharing with you 10 WordPress security plugins you can use today to harden your site and increase its security. Some of the plugins can work in conjunction with others, while some should be used on their own.


Recommended Reading: How To Protect Your WordPress Site From Brute Force Attacks

1. Limit Login Attempts

Limit Login Attempts is a much-needed plugin on every WordPress site. By default WordPress allows an unlimited number of login attempts, so this plugin limits the number of times you can enter a username and password on the login page before your IP is locked out for a set period of time. I use this plugin on this site and set login attempts to 3 and lock-out time to 1 hour.


  • Limit the number of retry attempts when logging in (for each IP). Fully customizable
  • Limit the number of attempts to log in using auth cookies in same way
  • Informs user about remaining retries or lockout time on login page
  • Optional logging, optional email notification
  • Handles server behind reverse proxy
  • It is possible to whitelist IPs using a filter. But you probably shouldn’t.
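
The per-IP lockout described above can be sketched as a small must-use plugin. This is an added example, not the Limit Login Attempts plugin's code; the file name and every `demo_` name are hypothetical, and the limits mirror the 3 attempts and 1 hour mentioned above.

```php
<?php
// Added example, not the plugin's code.
// Assumed location: wp-content/mu-plugins/demo-login-lockout.php
defined('ABSPATH') || exit;

const DEMO_MAX_RETRIES  = 3;    // failed attempts allowed per IP
const DEMO_LOCKOUT_SECS = 3600; // lockout length: 1 hour

function demo_client_ip(): string {
    // Assumption: the site is not behind a reverse proxy. Behind one, REMOTE_ADDR is
    // the proxy's address; read the client IP only from a header your own proxy sets.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function demo_key(string $kind): string {
    return 'demo_lla_' . $kind . '_' . md5(demo_client_ip());
}

function demo_locked_until(): int {
    return (int) get_transient(demo_key('lock')); // 0 when no lockout is stored
}

// Count each failed login for this IP and start a lockout at the limit.
add_action('wp_login_failed', function () {
    if (demo_locked_until() > time()) {
        return; // attempts made during a lockout do not extend it
    }
    $fails = (int) get_transient(demo_key('fails')) + 1;
    if ($fails >= DEMO_MAX_RETRIES) {
        set_transient(demo_key('lock'), time() + DEMO_LOCKOUT_SECS, DEMO_LOCKOUT_SECS);
        delete_transient(demo_key('fails'));
    } else {
        set_transient(demo_key('fails'), $fails, DEMO_LOCKOUT_SECS);
    }
});

// Priority 100 runs after core's password checks (priority 20), so the error
// below replaces their result even when the submitted password was correct.
add_filter('authenticate', function ($user) {
    $until = demo_locked_until();
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / 60);
        return new WP_Error('demo_locked_out',
            sprintf('Too many failed login attempts. Try again in %d minutes.', $minutes));
    }
    return $user;
}, 100);
```

Transients live in the database or in a persistent object cache if one is installed; a cache that evicts entries early will shorten lockouts.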



2. Wordfence

Wordfence Security is a free security plugin that includes a firewall, anti-virus scanning, cellphone sign-in (two-factor authentication), malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups. I use this on this site and it has proved quite adept at keeping the site safe. It also includes two-factor authentication so that you can log into your site after receiving a code on your mobile phone. The features are way too many for me to list here, but you can view them on the plugin page at WordPress.org. I will be writing a concise guide on how to set up and configure Wordfence for maximum WordPress security, so keep your eyes peeled.


3. BulletProof Security

BulletProof Security protects your WordPress website against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects your WordPress Core files with .htaccess security protection. Security Logging. HTTP Error Logging. Login Security/Login Monitoring: Log All Account Logins or Log Only Account Lockouts. Website Maintenance Mode (HTTP 503). Additional website security checks: DB errors off, file and folder permissions check. Built-in .htaccess file editing, uploading and downloading.



4. WordPress File Monitor Plus

Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
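
The added/deleted/changed detection described above comes down to comparing a stored hash baseline with a fresh snapshot. The script below is an added example, not the plugin's code; it is meant to run from cron on the command line, and the script name, both paths and all `demo_` names are assumptions.

```php
<?php
// Added example, not the plugin's code.
// Usage: php demo-file-monitor.php /path/to/wordpress /path/outside/webroot/baseline.json

// Map every file under $root (relative path) to its SHA-256 hash.
function demo_snapshot(string $root): array {
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()) {
            $relative = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$relative] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare two snapshots and report added, deleted and changed paths.
function demo_diff(array $old, array $new): array {
    $changed = [];
    foreach (array_intersect_key($new, $old) as $path => $hash) {
        if ($old[$path] !== $hash) {
            $changed[] = $path;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($new, $old)),
        'deleted' => array_keys(array_diff_key($old, $new)),
        'changed' => $changed,
    ];
}

if (PHP_SAPI === 'cli' && $argc === 3) {
    $root = realpath($argv[1]);
    if ($root === false) {
        fwrite(STDERR, "No such directory: {$argv[1]}\n");
        exit(1);
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);
    $new = demo_snapshot($root);
    if (is_file($argv[2])) {
        $old = json_decode(file_get_contents($argv[2]), true) ?? [];
        $report = demo_diff($old, $new);
        if (array_filter($report)) { // at least one list is non-empty
            echo json_encode($report, JSON_PRETTY_PRINT), "\n"; // cron mails this output
        }
    }
    file_put_contents($argv[2], json_encode($new)); // new baseline: each change is reported once
}
```

Keep the baseline file outside the web root and not writable by the web server user, otherwise whoever alters a file can also rewrite the baseline. Upload and cache directories will show up in every report unless you scan only the code directories.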


5. Block Bad Queries

Block Bad Queries (BBQ) is a simple script that protects your website against malicious URL requests. BBQ checks all incoming traffic and quietly blocks bad requests containing nasty stuff like eval(, base64_, and excessively long request strings. This is a simple yet solid solution that works great for sites where .htaccess is not available. The BBQ script is available as a plugin for WordPress or as a standalone script for any PHP-powered website. This plugin is written by Jeff Starr of Perishable Press and is based on his 5G Blacklist.
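
The kind of check described above can be sketched as a standalone PHP include that runs before the application. This is an added example, not BBQ's code: it covers only the two strings named above, the 255-character cap is an assumed threshold, and the `demo_` names are hypothetical.

```php
<?php
// Added example, not BBQ's code. Include it before the application starts.

const DEMO_BAD_PATTERNS    = ['eval(', 'base64_']; // the two strings named in the post
const DEMO_MAX_REQUEST_LEN = 255;                  // assumed cap on the request string

function demo_is_bad_request(string $requestUri): bool {
    if (strlen($requestUri) > DEMO_MAX_REQUEST_LEN) {
        return true; // excessively long request string
    }
    // Check the raw string plus one and two rounds of percent-decoding, so an
    // encoded parenthesis ("eval%28") is matched the same way as a literal one.
    $candidates = [$requestUri];
    $decoded = $requestUri;
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($decoded);
        $candidates[] = $decoded;
    }
    foreach ($candidates as $text) {
        foreach (DEMO_BAD_PATTERNS as $pattern) {
            if (stripos($text, $pattern) !== false) {
                return true; // case-insensitive match
            }
        }
    }
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Web request: answer 403 and stop before the application runs.
    if (demo_is_bad_request($_SERVER['REQUEST_URI'] ?? '')) {
        http_response_code(403);
        exit;
    }
} else {
    // Command line: try the check on constructed sample request strings.
    $samples = [
        '/?p=42',
        '/index.php?x=EVAL(1)',
        '/index.php?x=eval%281%29',
        '/?q=base64_decode',
        '/?' . str_repeat('a', 300),
    ];
    foreach ($samples as $uri) {
        printf("%-7s %s\n", demo_is_bad_request($uri) ? 'BLOCK' : 'allow', substr($uri, 0, 40));
    }
}
```

Substring rules like these also block legitimate URLs that happen to contain the same text, so log what is blocked before relying on the filter.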

6. WP Security Scan

WP Security Scan checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

  • Passwords
  • File permissions
  • Database security
  • Version hiding
  • WordPress admin protection/security
  • Removes WP Generator META tag from core code

7. Bad Behavior

Death to comment spammers! Bad Behavior complements other link spam solutions by acting as a gatekeeper, preventing spammers from ever delivering their junk, and in many cases, from ever reading your site in the first place. This keeps your site’s load down, makes your site logs cleaner, and can help prevent denial of service conditions caused by spammers. I use this.

8. Better WP Security

This takes the best WordPress security features and techniques and combines them in a single plugin thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.

  • Scan your site to instantly tell where vulnerabilities are and fix them in seconds
  • Ban troublesome bots and other hosts
  • Ban troublesome user agents
  • Prevent brute force attacks by banning hosts and users with too many invalid login attempts
  • Strengthen server security
  • Enforce strong passwords for all accounts of a configurable minimum role
  • Force SSL for admin pages (on supporting servers)
  • Force SSL for any page or post (on supporting servers)
  • Turn off file editing from within WordPress admin area
  • Detect and block numerous attacks to your filesystem and database


9. AntiVirus for WordPress

Useful plugin that will scan your theme templates for malicious injections. Automatically. Every day. For more blog security. It is an easy and safe tool to protect your blog install against exploits, malware and spam injections.


  • Virus alert in the admin bar
  • Cleaning up after plugin removal
  • Translations into many languages
  • Daily scan with email notifications
  • Database tables and theme templates checks
  • WordPress 3.x ready: both visually and technically
  • Whitelist solution: Mark suspected cases as “no virus”
  • Manual check of template files with alerts on suspected cases
  • Optional: Google Safe Browsing for malware and phishing monitoring.


10. Stealth Login Page

Without locking down access via IP address or file permissions, this plugin creates a secret login authorization code. Those who do not enter this additional authorization code will be automatically redirected to a customizable URL.


Now What?

Be diligent! You as a human are always the weak link. Always keep WordPress updated and use strong passwords.


There you have it: 10 WordPress security plugins you can use today to harden your precious site and help ensure that it is not hacked into.


