I put these five security plugins on every site I have.
Because the world is filled with creepy people who hack sites for seemingly no reason at all. WordPress powers a huge percentage of the world’s websites, so it falls victim to a fair amount of hacking.
Don’t make the mistake of thinking you’ll never be hacked. As they used to say in the X-Files… “Trust no one”.
Except me, of course 🙂
Akismet
Akismet is a plugin that comes pre-loaded when you install WordPress and is used for blocking comment spam.
Why do you get comment spam?
Because everybody knows that you can leave links in comments and that helps with SEO.
So people want links but instead of asking a blog owner to leave a link, they spam them with automated programs that leave immensely stupid comments and links. What they do is use automation to leave the comments on millions of blogs hoping that out of millions of tries, a few will stick.
Anyway, to avoid a lot of this nonsense, Akismet is probably one of the best plugins for controlling comment spamming.
Anti-Malware Security and Brute Force Firewall (Free, sort of)
This is a free plugin, but to get to use all the ‘definitions’ you’ll have to make a contribution of $15, $29 or some other amount. I never liked their little method of extracting money, but this plugin works.
One of my clients in Mexico was hacked a few years ago (he had around 10 different websites and all went down). I did not know of this plugin back then, but after doing a little research on the best method of cleaning a hacked site, nearly everyone said this plugin was very helpful. So I shelled out the $29 and got all the definitions and it really did clean up all the injections, viruses and malware that had been loaded onto my client’s sites.
It is a good plugin and worth the cost.
IQ Block Country (Free)
Most of the hacking attacks on your site will come from outside the US. Not all, but most of them are from a few countries in Europe, Asia and Africa.
This plugin gives you the option of not allowing a visitor to your site with an IP from certain countries that you designate. In other words, it allows you to restrict access (frontend, backend, or both) to your site to only the countries that you allow.
I think it’s worth adding this plugin to your site, but do not expect it to eliminate the possibility of a hack. These days people who know what they are doing can use a VPS (virtual private server) and route their attack through IPs in the US or Canada.
So, this plugin is good at preventing some attacks but certainly not all.
Wordfence Security (free)
I also discovered this plugin when I was helping my Mexican client with his hacked sites. Wordfence is actually very good and I use it on every site I have now. No list of the best site security plugins would be complete without it.
It is very good at blocking attempts and scanning for malware, etc…
You can also set up a firewall, which is a good thing, but be careful when you do. You could easily block yourself from entering. Just do it carefully.
By the way, you don’t have to use or set up the firewall. Even without it, it’s still a great plugin.
One last note: it’s a free plugin, but you can get their ‘Premium’ version that has real-time monitoring, real-time virus signature updates, and a bunch of other stuff that’s very helpful for preventing or stopping attacks when they happen. It’s a bit pricey at $99/year for a single site license, but there are lots of worse ways to spend $99. 🙂
p.s. I don’t think you need the premium version right away, as long as you install the free version of Wordfence and the other plugins I mention on this page.
Rename wp-login.php (free)
This is a great little plugin and definitely one of the best site security plugins.
Everybody knows that you can get to the WordPress backend login by typing in:
https://mysite.com/wp-login or https://mysite.com/wp-admin
Those are the default ways of accessing your WordPress site.
What this plugin does is it allows you to define a new ‘address’ which will be the only way you can log in to the backend.
So, what used to be mysite.com/wp-admin, now becomes something like: https://mysite.com/bv9q
You tell the plugin (when you set it up) what you want your login ‘address’ to be.
The advantage to doing this is that it stops almost all ‘brute force’ attacks. A brute force attack is just a program that will go to any site and attempt to use the well-known wp-login or wp-admin addresses; if it succeeds in getting to the login page, it’ll start trying various combinations of usernames and passwords until the cows come home or it succeeds in logging in.
If you do nothing to stop it, the hosting company will be very upset because brute force attacks use up a lot of their resources.
You should also limit the number of failed login attempts (you can do that in Wordfence). Set it to 3 attempts and then it will lock the user out for however long you designate (15 minutes, an hour, 24 hours etc…). I recommend three because otherwise you could lock yourself out simply for making a typo when you try to log in.
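To show what the “lock out after 3 failed attempts” rule actually does under the hood, here is an added example (my own code, not Wordfence’s or the post author’s) that replays web server access log lines through a small lockout tracker. The log lines are constructed for the demo; the rule that a failed wp-login.php POST comes back as a 200 (the form is re-rendered) while a successful one comes back as a 302 redirect is how stock WordPress behaves, and the 15-minute lockout length is just the first value the post mentions.

```python
"""Failed-login lockout replayed over access log lines.

Added example, not part of the post or of any plugin. It mirrors the
post's advice: after 3 failed logins from one IP, block that IP for a
designated period (15 minutes here).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in Apache/Nginx combined format.
# A failed wp-login.php POST returns 200 (form re-rendered); a successful
# one returns 302 (redirect to wp-admin), so the status tells them apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [10/Mar/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.2 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.2 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_login_post(rec):
    return rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")


def is_failed_login(rec):
    return is_login_post(rec) and rec["status"] == 200


class LoginLockout:
    """Sliding-window counter: max_failures within `lockout` => lock for `lockout`."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> datetime the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def observe(self, rec):
        """Return 'blocked', 'locked' (just tripped) or 'allowed' for one request."""
        ip, now = rec["ip"], rec["ts"]
        if self.is_locked(ip, now):
            return "blocked"
        if not is_failed_login(rec):
            if is_login_post(rec) and rec["status"] == 302:
                self.failures.pop(ip, None)  # successful login clears the counter
            return "allowed"
        window_start = now - self.lockout
        recent = [t for t in self.failures[ip] if t > window_start] + [now]
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return "locked"
        return "allowed"


def replay(log_text, **kwargs):
    """Run every parseable line through a fresh tracker; return verdicts and tracker."""
    tracker = LoginLockout(**kwargs)
    verdicts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            verdicts.append((rec["ip"], tracker.observe(rec)))
    return verdicts, tracker


if __name__ == "__main__":
    for ip, verdict in replay(SAMPLE_LOG)[0]:
        print(ip, verdict)
```

Replaying the sample, 203.0.113.7 is locked on its third failure and its fourth request is blocked outright, 198.51.100.2 fails once and then logs in (which clears its counter), and the plain GET from 192.0.2.9 never counts. The one design point worth noticing is the reset on success: without it a legitimate admin who fat-fingers a password a couple of times a day would eventually lock themselves out, which is exactly the typo scenario the post warns about.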
I’ll be adding to this list as I come across other good security plugins.
Read my other WordPress plugin reviews