The Top 3 WordPress Security Plugins, and Why You Should Do This Security Thing

August 15, 2019// Category: Digital Marketing // Author: Jenni Parcell

A woman on her laptop using the Wordfence firewall feature

You know the word. You’ve heard it before. If you’ve ever been on the Internet – like you are now (surprise!) – you’ve thought about it.


Those nameless, faceless entities hunched over keyboards around the world trying to get at your information.

But you scoff, “I’ve got a tiny plumbing business in Duluth! Who would want to hack someone in Duluth?” My poor, sweet summer child. They don’t care whether you’re in Duluth or D.C., or whether your business makes four dollars a year or four million. Those malicious actors in their dark corners of the Internet have their bots working around the clock, crawling IP addresses with reckless abandon and poking with sharp scripted sticks at every website and every server they can find. That includes yours.

And don’t you go thinking that WordPress sites are off the radar. Cyber attackers are well aware that WordPress is the most widely used content management system in the world, powering thirty-four percent of all websites; that’s almost twenty-five million sites. Which means that there’s a treasure trove of juicy information waiting beneath the surface for any hacker who can find just the right crack in the foundation.

But before you kill your WordPress site with fire and vow never to touch the Internet again, check it out: I’m here to help you fill in the gaps in your own site’s foundation, strengthen your armor, and fight off those cyber bullies. Let’s do this.

WordPress is super cool in that it was built to be extensible by way of plugins: smallish bits of code that do very specific things, so that your site can be even more awesome and you don’t have to go tinkering in PHP yourself (unless you really want to. But it’s dangerous to go alone!). There are lots of great developers out there contributing lots of plugins to the WordPress ecosystem, so whatever functionality you’re looking to add to your website, you can probably find a plugin (or seven) for it.

Security plugins are no exception. There are WordPress plugins available for every aspect of web security you can think of: email obfuscation, HTTP headers, CAPTCHA, two-factor authentication, and on and on. There are also plugins out there that function as more of a one-stop security shop, and are a great place to start out. We’re going to look at the top three most popular all-in-one plugins (based on number of downloads), so you can find one that suits your needs and get this security stuff going.

Before we jump down that rabbit hole, let’s talk about some of the features these plugins have in common and why they’re important.

Login Security

One highly common method of attacking a site is the good old brute force attack. I’ve watched this type of attack happen in real time; it’s fascinating and terrifying. Basically, the attacker tries a whole bunch of random, frequently-used usernames and passwords against the login page, hoping to find a combination that works. And all too often, they succeed. (If your password is 12345, please go change it right now. I’ll wait.) A good security plugin should allow you to limit the number of incorrect login attempts, as well as block the origin IP for an hour or forever if you like. Other features of login security include various forms of CAPTCHA, whitelisting and/or blacklisting IPs, logs showing successful and unsuccessful login attempts, and forcing users to log back in every so often.

User Account Security

Seriously, I wasn’t kidding about changing your password.

A good security plugin should require strong passwords from all users. It should also detect whether your WordPress installation contains the default “admin” user, allow you to approve new user accounts manually, and enable features to reduce the number of those annoying bot registrations. Although those spammy comments can be entertaining.

File Monitoring

Remember that PHP we were talking about tinkering in earlier? Your shiny new security plugin should be able to scan your WordPress files for any changes that could signal malicious activity.
It should also be able to hide those precious files and folders from prying eyes.


The OWASP Top 10 is a list of the top web security vulnerabilities as rated by the Open Web
Application Security Project. At the very top of their most recent list is something called “injection”. This refers to the act of inputting, or “injecting”, malevolent code into an improperly-validated field. So some unsuspecting text box on some innocent cat rescue website that only wants to know whether you’ll feed your new kitty wet or dry food may end up being the bearer of code that eats away the poor website from the inside out. Terrible, right? But a security plugin with firewall capabilities should detect that bad code and stop it in its tracks, as well as catch various other suspicious forms of web traffic.


Finally, beyond all of the bells and whistles and nooks and crannies, a good plugin – security or otherwise – should be user-friendly. If it has every feature you could possibly want but is clunky, buggy, or confusing to navigate, it may as well have been written in Klingon for the use you’ll get out of it.

The above was by no means an exhaustive list, but it gives us a good foundation. Ready to check out some plugins now? Here goes!

In order of downloads, we’ll be taking a peek at the following:

Wordfence Security – Firewall & Malware Scan
5.0 stars based on 3,425 reviews

iThemes Security (formerly Better WP Security)
4.5 stars out of 3,818 ratings

All In One WP Security & Firewall
5.0 stars based on 888 reviews

wordfence logo

Wordfence Security – Firewall & Malware Scan

As you can see, this plugin is by far the most downloaded WordPress security plugin on the market, and boasts over three million active installations. Wordfence, the plugin author, falls under the parent company Defiant, which specializes in WordPress security solutions and incident response for businesses.

I found myself immediately impressed by this plugin’s clean user interface and friendly, well-written tooltips. The pressure to buy the premium version is of course present, but not blatantly so.

Login Security

Wordfence even has a tab named Login Security; fancy that! They’ve made two-factor authentication setup and administration simple, as well as implementing CAPTCHA. Brute force protection looks robust, but is kind of hidden in the middle of the All Options tab; I would have preferred that section to be more visible.

User Account Security

This is another bit that’s buried in the All Options tab under the “Brute Force Protection” section. They have the basics, but not much in the way of foiling those spammy yet entertaining bots, besides the CAPTCHA.

File Monitoring

As we head on over to the Scan tab, we find a veritable wealth of charts, big friendly icons, logs upon logs of results, and configuration options. This plugin’s file monitoring capability appears to be quite customizable and powerful; the scanning functionality is clearly one of Wordfence’s strengths. Detailed scan results are sorted by severity rating, which is quite useful.


Hold up (cue record scratch); let’s chat about firewalls for a second.

Web firewalls are strong yet finicky beasts. If you handle a bouncing baby firewall with care, you will end up with a valiant and loyal protector against the demons of the Internet. On the other hand, neglect your firewall or give it too much power and it will swiftly turn against you.

Firewalls essentially have three modes: off (as in, why do you even have it?), learning, and protecting. In learning mode, your firewall will analyze all site traffic and capture requests that it would have rejected in protecting mode. By logging and reviewing these events, you can check to see whether any of your site’s routine behaviors may trigger false positives and adjust your firewall rules accordingly. The learning phase is critical; it’s important during this period to run your site through all of its paces and comb through the resulting events. Because once you set your firewall to protecting mode… it’s all systems go, Eye of the Tiger time!.

With all that being said, let’s get back to business.

Wordfence sets its firewall in learning mode upon installation, with an option to have it automatically switch to protecting mode after a certain period of time (a week by default). That’s awesome. Although this firewall isn’t nearly as extensive as you’d get with a separate service such as Cloudflare, it’s pretty nifty for a plugin.


As I said before, clean and friendly! Besides some settings being buried in All Options that really should be broken out into their own tabs, it gets a thumbs up here.

Premium… Worth It?

Well… meh. It appears that upgrading allows your installation access to real-time threat data, faster support responses, site reputation checking, and country-based IP blocking.
All of these are nice to have, but not strictly necessary. I probably wouldn’t go for it.

To Sum Up: A-

Much features, many security, wow. There are so many options and reports available that I barely knew where to dive in. If you’re looking for configurability and power, this is it.

ithemes security logo

iThemes Security/iThemes Security Pro (formerly Better WP Security)

As indicated in the name, this is the plugin formerly known as Better WP Security. iThemes, the plugin author, offers a range of WordPress-related services from backup to hosting to landing pages.

The first thing that struck me after installing this plugin was how much it asks/encourages/begs you in big highlighted text to back up your database and site files before making any changes. I can’t say I disagree!

Login Security

There’s a good set of blacklisting and whitelisting options, and a couple of brute force settings. Nothing fancy, but the basics are covered.

User Account Security

Again, only a few no-frills settings here. The option to force strong passwords is either on or off, as opposed to Wordfence, which gives the ability to set for admins/editors or all users.

File Monitoring

There’s only one lonely setting for this that I can see: File Change Detection. As seems to be the running theme, they’ve covered the bases without any room to tweak details such as checking WordPress core files versus plugin files versus theme files, or scanning for file changes in general as opposed to focusing on known malicious patterns. Seems like a recipe for false positives to me.


It’s not explicitly referred to as such, but there are a few firewall-esque settings, such as “Filter Suspicious Query Strings in the URL” and “Filter Long URL Strings”. There does not appear to be any optimization available.


Just like Wordfence, a whole bunch of stuff has been thrown into the Settings tab. However, iThemes does have a handy little dropdown menu in this tab to get you where you want to go. Also, the dashboard with its color-coded list items and super friendly “Fix it” buttons is a great touch.

Premium… Worth It?

I have to admit, iThemes Security Pro offers some attractive bling, including two-factor authentication via multiple methods, a trusted devices feature, user security check, and an even fancier monitoring dashboard. You also get better access to support (but what else is new?). If I were committed to this plugin, I might honestly consider putting down the money.

To Sum Up: C+

I have used iThemes myself in years past, and never had any reason to complain. This is a down-to-earth, plug-and-play plugin that’ll get the job done for you, and with pretty colors to boot; the pastel, eager-to-please dashboard might just be my favorite. And for the love of Hannah, back up your site files!


All in One Logo

All In One WP Security & Firewall

Interestingly, this plugin has about half the downloads of iThemes (17,585,898 for iThemes versus 8,776,948 for All in One), but almost as many active installations (900,000+ for iThemes, 800,000+ for All in One). The plugin author, Tips and Tricks HQ, is quite active in contributing plugins to the world of WordPress, boasting at least fifteen plugins on their company site.

The very first thing I noticed after Wordfence and iThemes? All in One has separate menus for everything! Things are already looking up.

Login Security

As far as login settings go, this plugin doesn’t seem to have too much more to offer than iThemes, with a couple of notable exceptions: there are several different CAPTCHA options available, and you can also set up a honeypot to catch the bots. (The plugin even explains what a honeypot* is.) Cool!

*A honeypot is anything from an entire isolated system to a bit of code that attracts malicious actors of either the human or bot variety. The genius lies in the fact that it’s set up to appear tantalizing and ripe for the hacking, but its relationship to the real system is such that no legitimate user would ever interact with it.

User Account Security

We’ve got spammy bot blocking, Cap’n! There are also a couple of other intriguing user account options, including an area where you can test the strength of any password you type in.

File Monitoring

File scanning and monitoring is slightly more configurable here than in iThemes, but still not quite like Wordfence. They also suggest an external scanning option.


They’ve got the basics here, as well as an area where you can enter custom .htaccess rules yourself. Done correctly, you can empower the .htaccess file in the root of your WordPress installation to perform lots of cool tricks, including denying public access to certain portions of your site, controlling how users can navigate your file structure, and blocking suspicious HTTP methods, query strings, and referrers. But editing your .htaccess file is playing on expert mode, so don’t try this at home, kids… or at the very least, please please PLEASE back up your original file first.


As I mentioned before, I love that the various settings are all split up into their own tabs, as opposed to being lumped together in one big Settings mishmash. They also have a nice scoring system for each section, with your total score displayed on the main dashboard. And the part I really love is that they’ve made a substantial effort to teach the user about each setting and why it’s important; each tab contains a block of clear explanatory text.

Premium… Worth It?

Unlike the two plugins above, there is no premium version of this one. Instead, All in One encourages you to sign up for Site Scanners, which offers not only malware scanning but also site response time and uptime monitoring. All valuable services to be sure… but alas, all services for which I would go elsewhere.

To Sum Up: B

I still prefer Wordfence for its clean interface and granularity, but All in One is a solid security plugin, and educational to boot.

In Conclusion

In this age when information is money, web security is vital. If you’re running a WordPress website, there are plenty of awesome options available to help secure your site.

Of the three plugins we just explored, which would I choose? Wordfence, hands down. Granularity and configurability FTW, and it’s such a clean-looking plugin. But the other two truly are solid choices, and I would absolutely recommend either one for someone looking to secure their site quickly and easily.

Now that you’re armed with the basics, go forth and fight the bad guys!


Article Categories
Subscribe to Our Newsletter
Test Form

Are you a Graphic Designer or Copywriter?

We have a great network of vetted local talent that we use for white label work, and we would love to talk shop over coffee.

Say Hello!