10 Best Free Plugins to Secure Your WordPress Website

WordPress is now powering over 27% of all websites. That’s a testament to its flexibility, its ease of use and the loads of free plugins and themes that are available. But that also means WordPress has a gigantic target on its back from malicious hackers and bots.

They’re constantly scanning for outdated installations and zero-day vulnerabilities. Brute-force login attacks hit even the most lightly trafficked sites.

It’s become absolutely imperative that site owners take extra security measures. Some of that is done at the server level, but there is plenty you can do within WordPress itself. In fact, there is a plethora of free plugins out there that will harden WordPress and provide you with an extra layer of protection.

Let’s have a look:

WordFence

With over one million active installs, WordFence is one of the most popular plugins out there. It will routinely scan your install for malicious code and has a real-time firewall that will help secure your site from known (and unknown) threats.

Advanced features like IP blocking and brute-force login protection can give site owners some peace of mind. The premium version adds country blocking, two-factor authentication and real-time firewall updates.


JetPack

The WordPress jack-of-all-trades, JetPack has added some great security features in recent years. Brute-force login protection is included (and will proudly display how many malicious login attempts have been thwarted on the WP Dashboard).

There’s also a single sign-on feature that works with your WordPress.com account. Paid plans add spam blocking, malware scanning and more.


iThemes Security

This is a security suite (in plugin form) that protects your site with brute-force protection, file change detection and a requirement that users set strong passwords, and will even help you run your entire site in SSL. A Pro version enables malware scanning, password expiration and much more.


Clef

Clef offers a unique method of adding two-factor authentication to WordPress. Users will need the Clef mobile app on their phone to scan the “Clef Wave” animated pattern that appears on your login screen. It’s password-less authentication. It also acts as a single sign-on that can work across multiple sites.


All In One WP Security & Firewall

This plugin will scan your site’s user accounts to ensure that a user’s username and display name aren’t identical – identical names are a key way bots grab logins. User registration can also be set to require admin approval, meaning you’ll have the ability to reject accounts you don’t trust.

You’ll also find brute-force protection, a firewall, malware scanning and protection for configuration files.


WP-SpamShield

Spam account registration can be a dangerous thing for a WordPress website. WP-SpamShield helps to eliminate registration spam, along with comment/trackback/pingback/contact form spam. The great thing is that it does so without using annoying CAPTCHA fields.


BulletProof Security

BulletProof Security will provide extra security for your site’s .htaccess file, logins and auth cookie expiration, and allows for database backups. You can also set a time limit on idle WordPress sessions, which will log the user out of the system after a specified period of inactivity.


Really Simple SSL

One of the absolute best things you can do for security is to enable SSL on your site. Once you’ve acquired an SSL certificate and installed it on your server, Really Simple SSL will make sure your WordPress install is optimized to run under HTTPS.


Shield WordPress Security

Formerly known as WordPress Simple Firewall, this plugin will automatically block out malicious URLs and requests. It will also protect your blog from spambot comments and add two-factor authentication.


Hide My WordPress

One of the telltale signs a site is running WordPress is the use of the default /wp-admin/ and wp-login.php URLs. Hide My WordPress allows you to safely rename these login gateways to help avoid attacks.


Special Note

Note that you should use caution when enabling more than one security plugin. Some can conflict with each other and lead to either a crashed site or a major performance hit. If you do plan to use more than one security plugin, do some research to see how they coexist.

Stay Safe Out There

While there is no silver bullet for securing WordPress (or any other CMS), there are steps you can take to thwart malicious attacks. Most bots and hackers are looking for easy targets. Using a security plugin makes your site much more difficult to crack.


Eric Karkovack is a web designer with well over a decade of experience. You can visit his business site here. In July 2013, Eric released his first eBook: Your Guide to Becoming a Freelance Web Designer. He also has an opinion on just about every subject. You can follow his rants on Twitter @karks88.
