4 Best WordPress Security Plugins

What WordPress security plugins are most reputable and thorough, and how realistic is it to get by with the free version?

Where themes are required to display WordPress content, plugins are required to extend the functionality of a WordPress website. Security plugins in particular lead the list of essential WordPress add-ons.

Plugins have come a long way over the years and have managed to seamlessly marry the tried-and-true services of WordPress security providers with DIY website efforts.

This doesn’t mean that installing a plugin will single-handedly keep my website safe from nefarious scoundrels threatening its oblivion, but at least I can be alerted to potential intrusions so that I can take proactive measures to ward off their efforts.

Thing is, of all the security plugins out there, how do you know which one to use?

After what should have been a quick Google search for reviews and testimonials of the best WordPress security plugins, I managed to fill the better part of a week mulling over features and technical explanations that I never wanted to know, just so I could make a semi-educated decision.

Understanding the nuances of WordPress security is a complicated world. And not something I remotely care to learn. The only thing I did want to know was which security plugin is most thorough, reputable, and affordable. OK, so I also wanted to know how realistic it would be to get by with a free version.

Plus, in the event of an infection, how much money and time will it cost to clean any malware? Or, should I decide to purchase the premium version of a security plugin, will that include cleaning? And if so, how many attacks am I good for?

At the end of the day, I settled on the least confusing information gleaned from unbiased plugin review sites and pieced together the salient points from plugin sales pages to evaluate my options for using one or more free versions of a plugin.

Free WordPress Security Plugin Must-Haves

I looked at four leading security plugins: AIOWPS, iThemes, MalCare, and Sucuri, three of which I’ve used for years. I didn’t give much of a nod to Wordfence after reading that it uses website resources and creates a significant load on site performance. And while I suspect that may have to do with knowing how to configure it properly, I didn’t see any other features that weren’t already covered by my top four plugins.

I’ve used a combination of three of the four since forever, but have never taken the time to understand what they do. Here’s what I now know…

Firewall

This narrows the field out of the gate because not all security plugins provide this. But from everything that I’ve read, I know I want one. And if I can find a free version, the better.

A firewall creates a buffer between my website and varying levels of ‘back door’ access, depending on which type of firewall you use: DNS or WAF (still don’t know the difference). 

Cloud-based firewalls can simultaneously cache my website content, significantly improving my overall site performance. And who doesn’t want a good search engine boost?  

Does it really matter what type of firewall I use? Maybe. But until I understand the nuances, I think I’m ok with whatever is packaged with the plugin. Which is just half of the field anyway since only AIOWPS and MalCare offer this.

Automatic Malware Scan

Surprisingly, not all security plugins do this (AIOWPS). Or they don’t do a deep scan of all files (Sucuri). Or they scan once/week (MalCare) (a lot of ju-ju can happen in 7 days). Or they only scan with an upgraded account (iThemes). 

I also want to know that scanning is done without using my site’s resources and thereby degrading my site’s performance.

Remote (cloud?) scans are preferable, but it seems that remote scans may not do as thorough a job as I would like. I’ll assume that that’s just a limitation of the watered-down version of the feature, whereas an upgrade provides the panacea I’m looking for. 

It’s important for me to know what files are being scanned and how that process protects my WordPress website (in case I end up upgrading). For now, I found it helpful to learn how Sucuri’s SiteScan works.

My two remote-scan choices here are a weekly deep scan with MalCare or a more frequent, albeit limited, browser-based scan with Sucuri.

This is when I start looking at using multiple security plugins for creating the ecosystem I’m looking for. 

Brute Force Protection

This one was easy. While most plugins (except Sucuri) have minimal password protection, AIOWPS goes all out with CAPTCHA, honeypots, disabling password hints, and changing the login URL. iThemes puts in a comparable effort (sans the login URL change).

They both also prevent login hints, which is important to me. I particularly like AIOWPS’s honeypot option on the login page (big Winnie the Pooh fan).

WordPress Hardening

A lot of ‘hardening’ efforts can be handled by editing the wp-config file (doable) and/or the functions.php file (requires too much thought, especially if I’m looking at adding multiple hooks, which I am) and/or the .htaccess file (ditto).

And of course, because I don’t want to lose the added code every time I update my theme, using the functions file also means using a child theme and, depending on the theme I use, can involve more concentration than I’m used to (although Astra makes it crazy easy). 

After all, the whole point of using plugins is to make my life easier. And, since I’m specifically looking at security plugins, finding one with hardening options just makes sense.  

I’m talking about things like disabling the plugin/theme editor and the author page, protecting WP system files, blocking PHP execution, XML, pingbacks, iframes, and hotlinking, changing salt keys, folder protection, comment spam, preventing tab-napping, and the grand poobah of hardening options, changing the login URL.

This is another area where AIOWPS shines, although iThemes is a very close second.

I also want to protect important PHP files, wp-config, and the .htaccess file. Naturally, AIOWPS and iThemes look after this too.

Salt Keys

Changing salt keys is considered an “after hack” approach by Sucuri and a hardening option by iThemes. And yes, I can do this manually via wp-config, but will I? (I think we both know the answer to that.) iThemes and Sucuri are my friends here.

Preventing PHP File Execution

Preventing PHP file execution in untrusted files involves hardening the admin, content, and includes folders, which often breaks the functionality of other plugins, especially backup plugins. So, I either need the additional option of whitelisting other plugin folders or a security plugin with built-in backup functionality. iThemes and Sucuri answer this call.

(And while MalCare has a built-in backup option, it’s only available in the paid version and doesn’t address PHP file execution in the free version.)
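Since the WordPress Hardening and PHP file execution sections above both come down to editing wp-config.php and .htaccess by hand, here is an added example (my own script, not code from this post or from any of the plugins it reviews) that applies two of those steps without a plugin: the wp-config.php constants that disable the plugin/theme editor, and an .htaccess rule that stops PHP from running out of wp-content/uploads, the one folder where this rarely breaks other plugins. It assumes Apache 2.4 or newer with .htaccess enabled and the default WordPress folder layout; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the post or any plugin: applies two manual
# hardening steps (wp-config.php constants, no PHP execution in uploads).
# Assumes Apache 2.4+ honouring .htaccess and the standard WordPress layout.

# DISALLOW_FILE_EDIT removes the plugin/theme editor; DISALLOW_FILE_MODS
# also blocks installs/updates from the dashboard (stricter; drop it if
# you update from wp-admin); FORCE_SSL_ADMIN keeps logins off plain HTTP.
WP_HARDENING_CONSTANTS="define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
define('FORCE_SSL_ADMIN', true);"

# Insert the constants before WordPress' "stop editing" marker (or, failing
# that, before wp-settings.php is loaded). Idempotent: a constant the file
# already defines, true or false, is left alone rather than duplicated.
harden_wp_config() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  awk -v add="$WP_HARDENING_CONSTANTS" '
    function cname(s) {                  # constant name inside define(...)
      if (!match(s, /define\([^,]*,/)) return ""
      s = substr(s, RSTART + 7, RLENGTH - 8)
      gsub(/[^A-Za-z0-9_]/, "", s)
      return s
    }
    NR == FNR { n = cname($0); if (n != "") seen[n] = 1; next }
    !done && (/stop editing/ || /wp-settings\.php/) {
      k = split(add, lines, "\n")
      for (i = 1; i <= k; i++) {
        n = cname(lines[i])
        if (n != "" && !(n in seen)) print lines[i]
      }
      done = 1
    }
    { print }
  ' "$cfg" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Deny execution of PHP in wp-content/uploads: uploaded files must never
# run as code, and unlike the admin/includes folders this rarely breaks plugins.
block_php_in_uploads() {
  dir="$1/wp-content/uploads"
  [ -d "$dir" ] || { echo "missing $dir" >&2; return 1; }
  printf '%s\n' '# Block script execution in uploads' \
    '<FilesMatch "\.(php|phtml|php[0-9]|phar)$">' \
    '  Require all denied' \
    '</FilesMatch>' > "$dir/.htaccess"
}

harden_wp() { harden_wp_config "$1" && block_php_in_uploads "$1"; }
```

Run it as `harden_wp /path/to/wordpress` from a shell on the server after taking a backup, since it rewrites wp-config.php in place.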

Automatic IP Banning

None of the free versions of these plugins do this, from what I can tell.

Basically, I want the plugin to monitor IPs (still not clear on whether this happens through a firewall or a malware scan) and automatically prevent the bad ones from accessing my site. 

With the free version of any of these security plugins, my best option is to go into AIOWPS’ 404 Detection listing to manually blacklist IPs from there (and subsequently view the banned IP list from the Blacklist Manager). Problem is, this requires me to intentionally take the time to do this. On the flip side, it allows me to see what IPs are regularly bombarding the site. Not a bad thing. Just wish it were automated!

iThemes has the same kind of manual feature, with the addition of enabling HackRepair.com’s blacklist. (AIOWPS gives us the 6G Blacklist firewall list.)

Built-In Backup

This was almost a tough call because I’ve used UpdraftPlus for years and really appreciate its simplicity and reliability. As far as backups and restores go, these guys do a great job of removing the headache factor. 

For that reason, I don’t normally second-guess my go-to plugins but whenever I find myself contemplating culling them (because let’s face it, it’s easy to get carried away with installing plugins), it’s usually because I’m on an optimization spree.

And then I remember Tom Dupuis’ post validating Updraft’s lightweight coding, and I take it off my ‘kill’ list.

However, if I were considering paid security plans down the road, MalCare bundles BlogVault in theirs, which has some interesting features beyond everyday backup duties. But I’m not there yet.

‘Til then, I’m sticking with Updraft because, well, I like it, and Sucuri and iThemes recognize its installation and utilize it in their functionality. AIOWPS has a built-in backup feature that backs up the database only.

Automatic Malware Removal

Ok, I concede that this is asking a lot. But tucked away in the back of my over-taxed brain is the fact that Sucuri’s upgraded Basic plan does this at $199 USD/year, while MalCare’s upgraded plans include it for significantly less at $99 USD/year.

(That’s a significant price difference but as I would later learn, Sucuri’s cloud-based solutions include more features than MalCare’s plugin-based features.)

Support

I’m a realist and know that free plugins rarely make time for support so all I ask is online documentation or a forum (email access would be gravy). Because I always have questions. 

Best Free WordPress Security Plugins

I’ll be the first one to admit that my approach to analyzing the best WordPress security plugin was far from scientific. But who knows, maybe my minimalist perspective will resonate with someone else trying to decide what security plugin to use for their own website. If nothing else, I’m enjoying a Yogi Bear clarity for my choices. (And it will be nice if someone decides to set me straight on any points I may have gotten wrong.)

Each of the four plugins I looked at had its own strengths and shortcomings. I’ve always thought that AIOWPS had the most complete feature set, but iThemes seems to have outranked it. Didn’t see that coming.

Sucuri is another standby plugin of mine and still holds its own, but not in every must-have category.

MalCare was a newcomer to me, and I was impressed with their offerings. Everything about the free version of this plugin is automatic (nothing to configure or tweak), which can be nice. From their dashboard, I can view traffic and login requests, admin logins, and bot traffic. It’s more an information portal than anything. There’s no need to actively take any action.

Scans occur weekly, and since I installed it less than 24 hours ago, I only see “insufficient data” or “no bot visitors.” I’m assuming that the first scan is a benchmark of sorts, after which data will become available to view. (Because I’m thinking that I should be seeing evidence that the same IPs I can blacklist from iThemes are also discoverable by MalCare.) Time will tell.

To me, the free security plugins from AIOWPS and iThemes do a very decent job of protecting my website from brute force attempts and have the extra WP hardening that forces hackers to work a little harder. With any luck, they’ll move on to easier pastures.

Frankly, any of these free plugins can be eliminated altogether if using Sucuri’s firewall account (elaborated on below). But if you’re not employing the professional services of a security provider for your website, layering these plugins is a feasible first step.

best free WordPress security plugin comparison

Paid WordPress Security Plugin Options

While AIOWPS and iThemes come out on top in the “free” category, Sucuri and MalCare compete for my attention in the “paid” category. iThemes doesn’t make the cut because they don’t include a firewall or malware removal. 

In my mind (right or wrong), this is a significant difference. That said, from a plugin perspective, I’m not sure that MalCare can be beat.

To start off the firewall comparison, I invite you to read each company’s own comparison of features:

At the end of the day, these are the features that influence my decision the most…

Firewall

From everything I’ve read about cloud-based firewalls, I want my site to enjoy the added advantage of cached (faster) page loads versus increased load on my resources and potential bottlenecks. Yep, a cloud-based firewall is a must-have for me.

Sucuri’s WAF is cloud-based, meaning that it doesn’t impede my website’s performance. Perfect. That’s what I want to know.

MalCare syncs your website to their servers, ensuring zero load on your website. (I’m assuming that this is the case for both the free and premium versions of the plugin.)

CDN Performance Boost

In keeping with the cloud theme, Sucuri incorporates a Content Delivery Network (CDN) in all of their plans, giving my website yet another performance boost. MalCare makes no mention of this. Then again, it’s a plugin, isn’t it?

Malware Removal

Both companies offer unlimited malware removal requests but MalCare has a 1-button cleanup solution that offers an immediate attempt at removing any threats. Very handy. 

It might not be fair of me to be skeptical, but I can’t help wondering how effective a button-click can be, especially knowing that Sucuri devotes an entire team of walking-talking humans to doing the same thing. 

Either way, you still have to create a support ticket for either company to take advantage of their services (which I would do even after clicking the button). Both companies boast fast timelines, but it’s unclear what that looks like.

MalCare reports “going beyond standard signatures and removing complex malware” but Sucuri also claims that, “No hack is too complex for our incident response team.” I’m guessing they’re both talking about the same things here.

I’m giving the nod to Sucuri because of their remediation process that includes a 9-point response checklist.

Zero-Day Exploits Protection

I didn’t know that “zero day” was a thing until I delved into the world of cyber security. (And frankly, I’m a little surprised that they’re not lumped into everyday scans but what do I know?) 

The fact that MalCare doesn’t address them in their offerings, while Sucuri goes to great depths to explain how they protect against zero-day exploits, is telling. I didn’t have to spend a lot of time on this one.

Built-In Backups

Not as important as I thought it might be. I like using UpdraftPlus. The additional features offered by MalCare aren’t enough to make me change. I need my backup plugin to do only one thing and do it well. This wasn’t a consideration for me after all.

Support

MalCare has a contact page, email support, a 1-click button, and a “3x your money back” guarantee if they can’t remove your malware. 

Sucuri has a ticketing system (24/7/365 support for Enterprise clients), a 30-day money back guarantee, and a dedicated incident response team (humans).

Final Assessment

During my free plugin research, I honestly expected the upgrading options to be a little more competitive. As it turns out, my decision is pretty one-sided. 

I’m not sure if it’s because of the realization that I was comparing apples (Sucuri firewall) and oranges (MalCare plugin) or that I might be a little scarred from the lack of MalCare’s firewall clarity.

In any case, I managed to happily validate my decision to use Sucuri all these years.

I also get a lot of confidence from viewing their online lab reports alerting me to the latest vulnerabilities and other such things (not that I actually read them), and from seeing their impressive client testimonials, among which iThemes is a loyal customer.

I’ve always recommended Sucuri to my clients because there’s only so much a free plugin (or combined plugins) can do. And you can’t put a price tag on peace of mind. Or convenience.

If you’re serious about website security, the basic $199/year plan is a manageable cost-of-doing-business price tag, especially when you think that a one-time fee for malware removal can be in the same price range plus the cost of down time and stress. 

This post was never intended to be a sales pitch for Sucuri; it started out as a comparison of free WordPress security plugins. But as a responsible website designer, part of my job is to alert clients to their options for protecting their website.

Security is not the job of a designer.

And like any other asset – home, car, life – the value of your website should be taken seriously. Especially if your business depends on it.

I’d love to hear any pros or cons on the plugins I’ve written about, or the security provider you use (even if it isn’t Sucuri), and why. 

FAQs

Free plugins are better than nothing. And a security provider is better than free plugins. It all depends on how you prioritize your website – do you value your business enough to take every precaution to prevent it from being hacked or are you willing to risk that it won’t?  And do you have the knowledge, resources, and the time to clean your website DIY if anything happened?

Yes. Just be careful to configure it properly (look for tutorials from the developer’s website, or YouTube).

Cyber security is an extraordinarily complex field. Web design is an entirely different animal. 

It’s not realistic to expect your web designer to know the ins and outs of website security or to build you an impenetrable website. Their sole job is to make your website functional (UI) and aesthetic (UX).

That doesn’t mean that they can’t educate you about your options. Ask your web designer to recommend security resources. It also doesn’t hurt to ask how they protect their own website and why they use that solution. 

If you’re lucky, you’ll find a web designer with the marketing prowess to create an effective marketing stack but that’s another role altogether.
