WordPress is the most popular and well-known Content Management System (CMS) on the web. It is open source software that is widely known for blogging. According to CodeInWP statistics:
- WordPress runs 28% of the websites on the entire internet.
- WordPress has a 59.1% share of the global Content Management System (CMS) market.
- Envato Market has sold 39,125,723 items worth $494,854,209, of which more than 24% was earned from WordPress themes.
- 24.7 million files are uploaded to WordPress.com blogs monthly.
- 243,161 WordPress projects have been completed on Freelancer.com as of January 2015. That’s a total value of $60,571,205.
and much more.
These statistics speak for themselves: WordPress is becoming more huge and immeasurable day by day.
Many companies have developed plugins to guard against spam, vulnerabilities, malware attacks and login issues. Some of them are PAID and some are FREE. I am going to explain the top 5 WordPress security plugins which are FREE and used by millions of people right now.
All five plugins have a lot of common features such as IP blocking, strong password enforcement, user activity log, DB rename and backup, etc. A few features are not shared, and those features make the difference.
I have used each plugin at least once. Though they have common features, they are quite different in performance, results and compatibility.
1. WordFence
WordFence is the most popular WordPress security plugin, with more than 33,506,855 (33 million) downloads and a 4.85 rating. It is among the top 20 most downloaded WordPress plugins. It comes with a lot of features that protect your site from most of the possible threats.
Features are –
- Live Traffic – Live Traffic view shows you real-time activity including bot traffic and hack attempts.
- Account Activity Log – Login lock-down (after a fixed number of failed attempts), Failed Login Records, Force Logout, Logged In Users.
- Preventive Blocking – Real-time blocking of known/unknown attackers. If another site using WordFence is attacked and blocks the attacker, your site is automatically protected.
- Security Scanning – It automatically schedules scans for signatures of over 44,000 known malware threats. It scans core files, themes and plugins against the WordPress.org repository versions to check their integrity.
- Login Security – Includes strong password enforcement and invalid login throttling. It locks out brute force attempts and stops WordPress from revealing information that would compromise WordPress security.
- Installation Instructions – It makes the installation process very simple for technical as well as non-technical users.
- Learning Center – It provides free access to entry-level articles, in-depth articles, videos, graphics and more, to build knowledge of security best practices.
- Paid version – WordFence offers a Premium API key that gives you Premium Support, Country Blocking, Manual Scheduled Scanning, Password Auditing, Cellphone Sign In and Real-time updates.
NOTE – Compatible with most popular plugins.
2. iThemes Security
iThemes Security (formerly known as Better WP Security) is in second position with 9,734,850 downloads and a 4.8 rating. iThemes claims to provide 30+ ways to secure and protect your WordPress site. As mentioned on the plugin page, it works to lock down the site, fix common holes, stop automated attacks and strengthen user credentials.
It works on the following points –
- Backup – It regularly backs up the site's database. If an attack happens or the site is not working, you can quickly use the backup database to get your site online. You can have these backups emailed on a customized schedule.
- Hide Vulnerability – It hides common vulnerabilities through which attackers can make a way into the site. It changes the wp-content path, login path, database table prefix, header information, etc.
- Detect – iThemes keeps an eye on the database and files for unknown or unwanted changes. It also detects bots and vulnerability probing attempts, and checks for modified files.
- Security – Forces strong passwords and strengthens server security. Forces SSL for any page or post (on supporting servers) and turns off file editing from within the WordPress admin area.
- Brute Force Protection Network – It bans users who have tried to break into other sites from breaking into yours. (Same as the WordFence feature, with different naming.)
- Paid Version – Includes File Comparison, Password Renewal at regular intervals, strong password generation, regular updates of WordPress Salts & Security Keys, Two-Factor Authentication, etc.
NOTE – iThemes makes significant changes to your database and other site files, so you must take a backup before making any changes to your site with this plugin.
3. All In One WP Security & Firewall
“All In One WP Security & Firewall” stands in third position with 3,810,574 downloads and a 4.8 rating. It uses a grading system to measure how well you are protecting your site, based on the security features you have activated. Some features are shared with iThemes and WordFence and some are different.
Features are –
- Security – Includes File Change Detection, Spam Commenting, Malware Scanning, DB Prefix Rename, Scheduled/Manual DB Backup.
- Login Security – Includes Brute Force Prevention, Honeypot (a special hidden field on the WordPress login page, visible only to robots and not humans), Rename Login Page, Force Logout, Login IP Whitelist.
- File Permission – You can change file and folder permissions with this setting. PHP File Editing lets you disable the ability for people to edit PHP files via the dashboard.
- New Registration – Includes Manual Registration Approval (sets a newly registered account to “pending” until the administrator activates it), Registration Captcha, Registration Honeypot.
- Account Activity Log – Includes login lock-down (after a fixed number of failed attempts), Failed Login Records, Logged In Users.
- Other – Includes Comment Spam Security, Front End Text Copy Protection, preventing other sites from displaying your content via a frame or iframe, Remove WordPress Version, Firewall Protection, etc.
NOTE – If you have any questions, go to the support forum. There is no premium version.
4. Sucuri Security
Sucuri stands fourth with 1,901,735 downloads and a 4.8 rating. It is similar to the other plugins. Sucuri is a globally recognized authority, and it can be used on multiple platforms like WordPress, Joomla, Magento, .Net, etc., but it is much more specialized in WordPress.
Features are –
- Security Activity Audit Logging – It records a log of the changes made to any files, user logins, etc. This log is kept in the Sucuri cloud, so if an attacker breaks through all the security, the log will still be safe.
- File Integrity Monitoring – It compares the last known good files with the current file system. If the current file system differs from the last known good files, something is wrong.
- Malware Scanning – It scans for malware to protect the site from threats.
- Blacklist Monitoring – This feature is quite different from all the others. It integrates with a few other engines, and with the help of these engines Sucuri notifies you when your site has been negatively flagged.
- Post-Hack Security Actions – Sometimes a site gets hacked despite all major precautions. In such a situation, Sucuri follows three key things to secure the site.
- Security Notifications – If Sucuri finds any issues, it will notify you.
NOTE – As mentioned, it works on multiple platforms like Joomla, Magento, etc. GoDaddy announced in its blog that it has entered into an agreement to purchase Sucuri. It has a Premium version too.
5. Bulletproof Security
BulletProof Security (BPS) is fifth in the competition with 2,340,000 downloads and a 4.8 rating. It is also a great plugin, with the common features described above and a few different ones too.
Features are –
- .htaccess Protection – It primarily uses the .htaccess file to harden site security, as it executes even before the actual code. It protects the site against 100,000s of different hacking attempts.
- DB Security – Includes DB prefix name change, DB backups (Manual/Scheduled) and DB backup logging. You can email backups and schedule a cron job to delete old backups.
- Login Security – Includes an activity log of all user logins, and a Stealth Mode to enable or disable the login password reset capability.
- Idle Session Logout – It automatically logs out inactive users. It has many options, such as redirecting to a particular URL after logout, leaving a custom message, or setting the idle session logout time in minutes.
- Cookie Expiration – The WordPress default cookie expiration time is very long. You can shorten it with this option, and you can change the expiration time per user role, such as admin, editor, author, etc.
- Maintenance Mode – Set a maintenance page with a countdown timer. A reminder email is sent to remind you when the countdown ends.
- Different Skin – It has 3 different skins to keep the site looking fresh. The user can change the skin manually to whichever one they like.
NOTE – The one thing to consider is that it works heavily with .htaccess to harden security, and .htaccess is not that easy to understand even if you are a developer. You must have .htaccess knowledge to make significant changes in it.
All five plugins have various common features like DB backups, DB prefix name change, Strong Password Enforcement, Maintenance Mode, Login URL change, Malware Scanning, User Activity Log, IP Blocking, etc.
WordFence and iThemes have a great feature, “Preventive Blocking”. It automatically bans users who tried to break into other sites from breaking into yours. Both have a paid version for the pro features.
“All In One WP Security”, meanwhile, has features like “Honeypot” (a hidden field on the login page visible only to robots) and “File Permissions”, through which the user can manually set permissions on folders and files.
Bulletproof Security has a Stealth Mode to enable or disable the login password reset capability.
Overall, you can use any of the five plugins, as per your need. All are powerful. The only thing that will matter is the “compatibility” of these plugins with the other plugins on your site.
If you think I have missed any point, please share it in a comment. It will be helpful to our readers and to me as well.
And if you liked the post, please share it with your friends and colleagues.