Most of us don’t worry about the security of our WordPress website until it’s too late. Security, backups and website recovery are, most of the time, an afterthought.
Avoiding potential problems until it’s too late is human nature, and that will probably never change – for most people. I’d encourage you to be proactive when it comes to WordPress security. Spending just a small amount of time planning and preparing can reduce the risk of your website being hacked.

In this post, we’re going to cover some of the best WordPress security plugins out there. Some of the plugins reviewed offer more specific functionality than others so before making a choice, be sure you’re comparing features properly.

WordPress Security Vulnerabilities

The number of potential security vulnerabilities faced by WordPress websites is actually much greater than most people realize. Typically we think of the obvious things like using strong passwords and keeping WordPress core files up to date. Truth be told, those particular items cover only a small percentage of the total vulnerabilities. Other things that need to be considered include:

  • Server vulnerabilities
  • Theme security
  • Plugin security
  • File permissions
  • Securing specific files and directories (like wp-admin, wp-config and wp-includes)
  • Database security
  • Computer vulnerabilities
  • FTP vulnerabilities
  • and more

As you can see, the list is long and we’ve only just scratched the surface. To make matters more complicated, no single plugin is really capable of covering all the security holes. And that shouldn’t really be your goal either. After all, managing WordPress security is a balancing act. You could spend all day trying to secure your website, but hey, you’ve also got a business to run, right?

How to Tell if Your WordPress Site Has Been Hacked

Figuring out whether or not your WordPress site has been hacked is not always as easy as you might think. There are a few ways to assess your site, none of which is perfect or foolproof. Other than that, it comes down to plain old detective work – and hackers are a sneaky bunch.
Performing regular scans of your website using free third-party services is a good idea. Google Webmaster Tools is the best place to start, since Google’s interpretation of your website will have the greatest impact on your ranking within the SERPs. Just be aware that even GWT is prone to errors – a problem-free website in Google’s eyes may, in fact, have problems. Also, remember to take a look at how your site is indexed by typing “” into Google search. Scan through a decent sampling of your page/post results and look for anything suspicious.
A service like Sucuri Site Check will scan your site for free. Most of the time, Sucuri will alert you to any sign of malware, spam injections, defacing or blacklisting. Alternatively, there are also inexpensive paid services like CodeGuard that will back up your website every day and alert you to any changes.
Finally, it’s always a good idea to keep an eye on your Google Analytics account for anything unusual. Although GA can be a little tricky these days, with referral traffic causing traffic spikes, you should still keep an eye on the long-term patterns. Monitoring bandwidth use through your host’s cPanel is advisable as well.

Sorting Through the Best WordPress Security Plugins

Protecting your website from the more common WordPress security threats will put you in a much better position than most other sites. The vast majority of website owners don’t give a second thought to security until it’s too late.
Don’t be fooled into thinking that you’ll be able to achieve a 100% secure website – it’s just not realistic. Instead, set yourself a more reasonable goal of limiting your risk and protecting against some of the more common threats.
Remember that protecting against non-targeted attacks is always easier, since they are automated and typically scan for common vulnerabilities. Targeted attacks are much more difficult to protect against, since it’s your website versus the hacker. Anytime an individual is willing to take time out of their day to analyze your specific website for vulnerabilities, there is an increased risk.

  • iThemes Security
  • Wordfence
  • All in One WP Security
  • Sucuri Security
  • BulletProof Security


If you’re currently using any of the plugins covered in this post, please share your experience in the comments.