What's your take on the best WordPress security plugins


HD Moderator
Staff member
Unfortunately, a ton of WordPress websites get hacked or defaced every day around the globe. I personally recommend WordFence Pro, but am curious what others recommend and why?
iThemes Security Pro is a solid security program. My favorite feature is the ability to hide your login page, making it difficult for hackers to find it. Instead of wp-admin, you can rename it to anything you want.
Using WordFence Pro + Server Side Security Solutions = Working Like Cherry - No Issue By Far.
I really like iThemes. The most practical feature is that it will ban an address for too many login attempts, except the administrator's address. I used Jetpack Backup, and don't believe it's worth the money; I think they charge $250 per year. I mainly got it to use it for video storage but had integration problems with my website. I never used WP Security.
WordFence BASIC is installed on all our sites, and PRO on a few that need to restrict IPs by country etc (if the host doesn't have GeoIP enabled).

Most of our sites are configured with a 100% BLOCK with 2 failed login attempts, and an instant BLOCK if they attempt any of the common admin usernames or sitenames. We also run 2FA for admins (a pain in the butt sometimes, but worth the headache).

Monitoring plugins is the biggest issue for most people. We use several different scripts to monitor plugin versions, but there are also some plugins like WP Manage, MainWP, even GoDaddy has a site manager so you can view what plugins are installed on sites and make sure they're up to date.

Constant vigilance!
My sites are configured for maximum lockout with 3 failed login attempts, and also 2FA enabled. I also monitor Tools and manually ban IP addresses when needed and then block them permanently. Do you use WordFence Central?
Do you use WordFence Central?
I actually never even heard of Central before! How could I not have?!

Looks like you'd still need a pro license for each site, but having them all in one spot is nice. Of course, if a site doesn't use WordFence, or is on ******* Host's Internal Security platform etc, then you can't sync directly to there, but would work for others.

Haven't personally used it. Have you?
Wordfence is the best solution for us; we sometimes pair it with BBQ for websites. Also, for a free package, it has a ton of features. It does require a bit of tweaking, like rate-limiting, hide WP version, brute-force settings, etc.

For some international sites, we get a lot of bad attention, so we pair Wordfence with Cloudflare, which allows you 3 rules on the free tier and really helps with geo-blocks and bot blocks.

GOTMLS is very good if you want to run a scan of all your content and look for any potential problems.

Lastly, Imunify360 on cPanel if you have it. Wipes malicious code in real-time.

We did try AIOWS which isn't bad either from the small amount of time we spent with it. We also had a look at Jetpack, now maybe this is us not configuring things properly but we found it lacking and especially draining on server resources.
Some may disagree with me, but the best WordPress security solution is a good hosting provider. Combining that with Cloudflare and Two-Factor Authentication would be ample for most sites. In my experience, most security plugins are incredibly bloated and cause more harm than good. I've found they also provide the most drawbacks in eCommerce WordPress sites. Most will claim they integrate well, but it's debatable.

Out of them all, I've enjoyed iThemes the most. However, their recent updates have been questionable, and its features seem pretty minimal for the cost.
