
WordPress now powers over 34% of websites. This is a testament to its flexibility, ease of use and the large number of free plugins and themes available. But it also means that WordPress has become an important target for hackers and bots.
They scan for outdated installs and zero-day vulnerabilities and launch brute-force login attacks that will hit even highly visited sites.
Taking the necessary additional security measures has become an absolute necessity for website owners. Some of these measures are done at the server level, but there’s a lot that can be done with WordPress itself. In fact, there are a number of free WordPress security plugins that will strengthen WordPress and provide additional protection for your site.
WordFence
10 Best Free WordPress Security Plugins
With over a million active installations, WordFence is one of the most popular plugins of them all. It routinely scans your installation for malicious code and has a real-time firewall to help protect your site from known (and unknown) threats.
Advanced features such as IP blocking and brute-force login protection give site owners peace of mind. The advanced version includes country blocking, two-factor authentication, and a firewall that is updated in real time.
iThemes Security
This is a security suite (in plugin form) that protects your site with brute-force protection and file change detection, requires users to set strong passwords, and can even help you run your entire site over SSL. The Pro version adds malware scanning, password expiration, and more.
All In One WP Security & Firewall
The plugin will scan your site's user accounts to ensure that each user's username and display name are not the same; matching names are a key way for bots to capture login names. User registration can also be set to require approval by the administrator, which means you can reject untrusted accounts.
It also has brute force protection, firewalls, malware scanning and protection of profiles.
Hide My WordPress
One of the telltale signs that a site is running WordPress is the use of the default /wp-admin/ and wp-login.php URLs. "Hide My WordPress" enables you to securely rename these login gateways to help avoid attacks.
JetPack
WordPress is a jack of all trades, and JetPack has added some powerful security features in recent years. These include brute-force login protection, which proudly displays in the WP dashboard how many malicious login attempts have been blocked.
There’s also a single sign-on feature that works with your WordPress.com account. Paid plans add spam blocking, malware scanning, and more.
WP-SpamShield
Spam account registration can be a dangerous thing for WordPress sites. WP-SpamShield helps eliminate registration spam, as well as comment/trackback/pingback/contact form spam. The great thing is that it eliminates the need for annoying captcha fields.
https://wordpress.org/plugins/wp-spamshield/
BulletProof Security
BulletProof Security provides additional security for your site's .htaccess file, login name and authentication cookie expiration, and allows database backups. You can also set time limits for idle WordPress sessions, which will log users out of the system after a specified period of inactivity.
Really Simple SSL
One of the absolute best security measures you can take is to enable SSL on your site. After you obtain an SSL certificate and install it on your server, Really Simple SSL will ensure that your WordPress installation is optimized to run under https.
Note: This plugin works only if you already have an SSL certificate installed for your site. People who configure SSL and fix https errors manually have no need to install this plugin.
Shield WordPress Security
The plugin, formerly known as WordPress Simple Firewall, will automatically block malicious URLs and requests. It will also protect your blog from spam comments and add two-factor authentication.
https://wordpress.org/wp-simple-firewall/