Think only big companies and famous bloggers get hacked?

The truth is the most common hacking targets are small businesses and websites, because they’re often less secure. Tens of thousands of websites are hacked every day according to Forbes, and even WordPress isn’t 100% safe.

Your site may have already been hacked without you knowing it, spreading malicious code to your visitors like a bad virus.

If so, it’s not too late! Some of the plugins listed below can scan your website and tell you what code doesn’t belong and how to fix it.

If your site’s already been damaged and you’re not sure how to fix it, sites like Sucuri offer scanning and malware cleanup services to scrub your code clean and get your site working like new again.

But the best way to deal with hackers is to keep them from gaining any foothold in the first place.

Don’t take any chances on losing all your hard work. Stay ahead of the game and keep your site safe with these top WordPress security plugins.

Top WordPress security plugins

1. iThemes Security Pro


With over 2 million downloads, iThemes Security is one of the most popular security plugins for WordPress.

Easy to install and set up initially, this plugin has a one-click option to enable the most common features. It then suggests specific features you can enable to boost your website’s security, sorted by high, medium, or low priority. Some of iThemes Security’s features make complex changes to the structure of your website, such as changing database table prefixes, so a backup tool is included with the plugin.

The premium version comes with priority support, plus many bonus features like the ability to track each user’s actions (such as logging in and out or editing content) and secure 2-factor authentication for logins.

Developers or admins for multiple WordPress sites should consider iThemes’ developer plugin suite. The suite bundles together all of iThemes’ plugins, including BackupBuddy (one of the most popular backup plugins for WordPress), Exchange for e-commerce sites, EmailBuddy for easily building an email list and sending newsletters, and Tipsy for creating tooltip popups. With the plugin suite, you also get a one-year membership that includes unlimited priority support plus immediate access to any new plugins released during your membership year.


  • Keep hackers from logging into your dashboard by changing the login URL, hiding login error messages, banning users after multiple login attempts, and enabling an “Away” mode to temporarily lock out all login attempts.
  • Protect sensitive information about your site by hiding your WordPress version number and update notifications from everyone but the admin.
  • Foil hacker bots by continuously scanning for suspicious activity and banning troublesome users.
  • Includes tons more security features you can individually enable depending on the needs of your site, with easy-to-understand explanations for each one.

Price: $80-$150, depending on the license

Get iThemes Security Pro

2. Bullet Proof Security

BulletProof Security is another popular alternative to iThemes Security, with over a million downloads. BulletProof Security also prioritizes website performance and speed along with security, and doesn’t slow down your website with extra server requests.

This plugin has a somewhat higher learning curve when it comes to understanding what its features mean and which ones you should enable. Some users say the design isn’t very user-friendly and is a little tricky to configure at first. Just be sure to put aside a little extra time when installing to set it up properly, and it’ll work well to protect your website.

With the BulletProof Security Pro version, you get unlimited lifetime support for any number of websites for a one-time fee of $59.95.


  • Protect your files with one-click .htaccess WordPress security protection, blocking hackers before they access your website code.
  • Review detailed security logs, including HTTP errors, login attempts, and more.
  • Set email alert options to inform you when users log in or are locked out.
  • Enable a secure Maintenance Mode and deny access to the dashboard by IP address.

Price: Free

Get BulletProof Security

3. Wordfence

With an average rating of 4.9 out of 5 stars, Wordfence is one of the most highly-rated free security plugins for WordPress.

Wordfence is a simple security plugin that starts by scanning your site for malicious code. Besides protecting your websites, it also claims its caching features can make your website run up to 50 times faster.

The plugin is free, and you can buy premium support starting at $39 for one year for one website key. You can get big price breaks for buying in larger quantities for multiple installations, or for longer periods (up to 5 years). For example, if you buy 5 licenses for 5 years, each key is just $18.65.


  • Increase your site speed up to 50x with Falcon Engine, a caching tool.
  • Improve login security with two-factor authentication using your cellphone.
  • Protect against bots, malicious scans, and hackers with a firewall.
  • Deep scan your website, including WordPress core source code, for malware, and get a simple report on what’s been changed and how to fix it.
  • See real-time traffic information including logins, logouts, and 404 errors.

Price: Free

Important note: The great features of this plugin come at a cost and that cost is your server resources. Use with caution, especially if you’re using shared hosting.

Get Wordfence

4. Captcha on Login

Note: this plugin is no longer available. A good alternative is SI Captcha which does more than just adding a captcha to the login page.

This plugin protects against brute force attacks, one of the most common forms of hacking. A brute force attack is as unsophisticated as the name suggests: a hacker tries to gain access to your website by systematically guessing at your username and password over and over again. Using automated software, a hacker can try logging into your account hundreds or even thousands of times per second.

Brute force attacks are common because they’re so easy and effective. Even if you’re using a strong password that’s harder to guess, the sheer number of requests to the server can dramatically slow down or even crash your website.

One quick and easy thing you can do to protect your website from brute force attacks right now is to install the Captcha on Login plugin:


  • Block bots by requiring users to complete a Captcha when logging in.
  • Customize your Captcha, including background image and number of characters.
  • Automatically lock out IP addresses after a chosen number of login attempts.
  • Generate a report of all login attempts and lockouts.

Price: Free
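The lockout rule described above (ban an IP after a chosen number of failed login attempts) can also be checked offline against your web server’s access log. The following is an added example, not code from the post or from any of the plugins it lists; it assumes Apache-style log lines and the fact that WordPress answers a failed wp-login.php POST with HTTP 200 (the form is re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache "combined" style, trimmed).
# 203.0.113.5 fails five times in three seconds; 198.51.100.7 logs in
# (302) and later fails once, which is normal user behaviour.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.5 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
203.0.113.5 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
198.51.100.7 - - [10/Oct/2023:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3210
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def find_lockouts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map each IP that reaches `threshold` failed wp-login.php POSTs within a
    sliding `window` to the timestamp at which a lockout would have triggered."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    lockouts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        # Only failed login submissions count: POST to wp-login.php answered with 200.
        if method != "POST" or not path.startswith("/wp-login.php") or status != 200:
            continue
        q = failures[ip]
        q.append(when)
        while q and when - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold and ip not in lockouts:
            lockouts[ip] = when
    return lockouts

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip} at {when.isoformat()}")
```

The `threshold` and `window` arguments play the same role as the plugin’s “chosen number of login attempts” setting; lowering the threshold makes the rule stricter but also more likely to lock out a legitimate user who mistypes a password.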

Final thoughts

WordPress security is often something admins don’t think about until it’s too late. With thousands of websites being attacked every day, the risk is too great to ignore.

Now that you’ve got a solution to improve security, check out our post on essential maintenance tasks you should be doing (and when to do them).

Posted by KeriLynn Engel

KeriLynn Engel is a copywriter & content marketing strategist. Keri loves working with B2B & B2C businesses to plan and create high-quality content that attracts and converts their target audience. When not writing, you can find her reading speculative fiction, watching Star Trek, or playing Telemann flute fantasias at a local open mic.