Every third site on the Internet runs on WordPress, and their number is constantly growing.
WordPress is a very popular content management system, but by default it has no protection against hacking.
About 80% of attacks on CMSs target WordPress. Hackers believe that if you gain control over one site, then in the same way you can gain control over a large number of sites, which in principle is logical. WordPress now runs more than 100 million sites.
Hackers use bots that crawl WordPress sites with ready-made hacking algorithms. If you have no protection against them, it is only a matter of time before such a bot reaches your site and breaks into it using its list of known vulnerabilities.
And if your site is of interest to a hacker, then he will come and try to hack it manually. To protect against manual hacking, you will need more advanced security methods.
Website security is an essential foundation of any website. This article is an overview of the 8 best WordPress security plugins. Choose one of the plugins and install it on your site.
Many of these plugins have a firewall. Firewalls come in many types, and these plugins use different types of firewalls.
What is a firewall?
A firewall (WAF, web application firewall) works as a filter between the site and incoming traffic. The firewall monitors traffic and blocks malicious code before it reaches the site.
There are three types of firewalls:
A DNS-level firewall routes all site traffic through its own server. Bad traffic is filtered out, and good traffic goes on to your site.
A server-level firewall is usually a program in the server software, or a collection of typical expressions or code patterns that are often used by hackers. This type of firewall is efficient and the least resource-intensive.
An application-level firewall (i.e. a plugin) checks incoming traffic on your site itself, but before most WordPress scripts are loaded. It is usually a combination of a program that processes traffic and a set of typical expressions and patterns that hackers use, plus an interface that displays monitoring data. This method is more resource-intensive, because the load of processing traffic and displaying data falls on your server.
It is better to use a DNS-level firewall, because a separate, specially configured server does the traffic filtering, but this is a paid feature.
An application-level firewall is a cheaper, but also paid, option that consumes quite a lot of resources for processing and displaying data.
A server-level firewall is effective and the least resource-consuming, but it does not report when an attack occurs.
Let’s look at the best security plugins for WordPress websites.
1. Sucuri Security
Author(s): Sucuri Inc.
Current Version: 1.8.24
Last Updated: 17.02.2020
Sucuri Security is a leader in securing WordPress sites. The service offers a DNS-level firewall, protection against attacks and malicious code injections, and removal of a site from blacklists.
All traffic going to the site goes through their cloud proxy server, where every request to the site is checked. Secure requests go to the site, malicious requests are blocked on their server.
Sucuri increases site performance because it reduces the load on your server. Your server does not have to process malicious requests, so the freed resources are used for good traffic.
The paid version protects the site from SQL injection, XSS attacks, RCE, RFU, trojans, backdoors and all other known threats. In addition, the paid version of the service optimizes the content of the pages and caches them on its own Anycast CDN.
To configure Sucuri, you need to add A records for your domain that point to the Sucuri cloud proxy server instead of your site.
The free version has some limited protection.
Price: Starts at $199/year. All in one. The best paid site protection.
2. Cloudflare
Current Version: 3.4.1
Last Updated: 30.08.2019
Cloudflare is well known for its free CDN service, which also includes basic protection against DDoS attacks. But the free plan does not include a firewall. To enable the WAF, you need to buy a Pro subscription.
Basic protection against attacks is provided by a DNS-level firewall, which checks all traffic on Cloudflare's servers. This increases the protection and performance of the site.
Optimization and caching of pages on the CDN speeds up the loading of the site. A distributed network reduces the likelihood of server failure at peak loads.
The Pro plan includes protection against layer 3 DDoS attacks and costs $20 per month. To protect against more advanced layer 5 or layer 7 attacks, you need a subscription to the Business plan.
The disadvantages of Cloudflare are that it has no site scanning, no removal of a site from blacklists, no monitoring of file changes on the site or alerts about such changes, and none of the other standard site protection techniques.
The best performance solution, relatively good security.
Price: Starts at $20/month.
3. Wordfence Security
Current Version: 7.4.8
Last Updated: 16.06.2020
Wordfence is a popular WordPress security plugin with a built-in firewall. It watches for malicious code appearing on the site, monitors file changes and SQL injections, and protects the site from DDoS, brute force and other types of attacks.
Wordfence is both a server-level and an application-level firewall, that is, part of the malicious traffic is blocked on the server and part on the site.
This is an effective way to combat attacks on the site, but it is quite resource-intensive. Wordfence also does not have a CDN.
The plugin offers site scans on demand and on a schedule, and the ability to manually control traffic and block suspicious IPs directly in the WordPress panel.
In the free version, the firewall is updated 30 days after a threat is added to the plugin database. To enable online updates you need to sign up for a Premium subscription.
My personal opinion is that the plugin is somewhat complicated and confusing; it will take some time to master.
Price: The premium version starts at $99/year for a license for 1 site. Good discounts on licenses for several sites.
4. iThemes Security
Current Version: 7.7.1
Last Updated: 20.04.2020
iThemes Security is a top three plugin that has a database with the latest hacks, backdoors and other threats.
In the free version, the plugin has basic settings for protecting an uninfected site, but if you want to know when files changed and run a detailed scan of the site, you need to buy the premium version.
Another cool feature of the paid version is the site backup. If you find out that a site has been hacked, instead of searching for the hack, you can restore an earlier version of the site.
Price: Starts at $80/year for Blogger.
5. SiteLock
Current Version: 4.0.5
Last Updated: 20.04.2017
SiteLock is another company that offers a DNS firewall to protect the site from attacks, scanning of the site for malicious code, and removal of malicious code from the site.
To protect the site and speed up its loading, SiteLock offers a DNS firewall and its own CDN. The service offers daily scanning of the site, monitoring of file changes, event notifications and removal of malicious code.
All plans include basic protection against DDoS attacks; more advanced protection against DDoS attacks is available as an add-on. You can place a branded banner on the site that says the site is protected by SiteLock.
Price: Starts at $20/month for the Pro plan, and $200/month for the Business plan.
6. Security Ninja
Author(s): WP Security Ninja
Current Version: 5.104
Last Updated: 28.05.2020
A very good security plugin that connects to a database of malicious IPs. The database contains more than 600 million malicious addresses, which can either be banned from the site completely or only be prevented from logging in.
The plugin has many settings for protecting the site from various types of attacks, including brute force attacks, attacks on the database, attacks on outdated versions of software, and so on.
There are 2 scheduled scanners: one compares core files with the files in the WordPress repository, the other scans files for malicious code. There are also event logs, e-mail notifications and database optimization.
Compared to the previous plugin, it is intuitive to configure.
Price: The premium version starts at $39/year for a license for 1 site. A license for 1 website with lifetime updates costs $89.
7. All in One WP Security & Firewall
Current Version: 4.4.4
Last Updated: 21.06.2020
A large free plugin with many settings. It has a built-in server-level firewall and protects site files and the database.
It changes the standard login page, hides the WordPress version, changes the database prefix and offers dozens of other functions. There are descriptions for all functions.
The plugin is better at preventing infections than at treating them, so it’s better to install it on a fresh site. In my opinion, the best free plugin.
The paid version adds a site scanner for malicious software, checks whether the site has been blacklisted by search engines, notifications to the site’s email address, site uptime monitoring, cleanup of infections and removal from blacklists.
Price: The premium version starts at $49.95/year for a license for 1 site.
8. BulletProof Security
Author(s): AITpro Website Security
Current Version: 4.0
Last Updated: 29.04.2020
Another popular security plugin for WordPress, which has a site-level firewall, login page protection, database backup, a site maintenance mode and some settings to increase site security.
The plugin has a somewhat complicated interface, but it has an installation wizard that helps you configure the plugin and turns on the firewall.
The free version of the plugin does not have a file scanner for malware infection; the paid version adds tracking of intrusions and malicious files in the folder.
Price: Free basic version of the plugin. The pro version costs $59.95 for an unlimited number of sites and lifetime updates.
The better the protection a service or plugin offers, the more it costs. Sucuri offers the best protection and the best service: comprehensive site protection, processing of all incoming requests on the Sucuri server, a CDN and a guarantee of free cleanup if the site is hacked.
Cloudflare specializes more in speeding up websites, but offers a good level of protection that can be enhanced with a plugin.
Wordfence offers very good protection, but its downsides are an annual subscription and a site-level firewall that puts load on the server.
The Security Ninja plugin has 2 scanners with a scan schedule, notification by email, connection to a dynamic database of malicious IPs and many other passive settings.
You can add several more settings to these manually and strengthen the plugin to the level of protection of the paid version of Wordfence.
All in One WordPress Security is a very good free plugin, but it does not have a website scanner, scheduling or email alerts. All of this is in the paid version.