One Best Security Plugin For WordPress or Combination of Plugins?



1. Intro

Let me assume you are concerned about your website’s safety or have already been hacked, and you would like to know what the best security plugin for WordPress is. You might have heard of some of them and don’t know which one to choose to protect your site from hackers and malicious bots.

I’ve done research on WordPress security plugins and solutions and would like to report my results and thoughts.

I’ve written this article with the following aim: to help you protect your WordPress site using security plugins, combinations of plugins and solutions (both free and paid) and help you understand why you may want to choose this or that WordPress security solution.

Although I published an initial version of this article in 2015, all the points of this article are valid today. I keep an eye on the main changes and update the article when anything significant should be added or modified. The conclusion is the first part that I keep up-to-date above all.

This article is one of the most popular ones on my website. And I keep it ever-green for the best benefit of you (my readers).

By the way, you can find A LOT of useful information in the comments. (Ctrl+F can be a good friend to save time 🙂 )

This article was last updated on March 27, 2021


2. Which questions this article answers

  • What are the levels of website security? (hint: it’s not just a plugin)
  • How different are WordPress security plugins? (hint: compared features of Sucuri, iThemes (Better WP security), WordFence, BulletProof Security)
  • Which plugin or product for your WordPress website do you need? (hint: compare plugins by their functionality, usability and price)
  • How you can protect your WordPress site to be more confident about its security? (hint: combine security plugins and other tools)

This article is pretty huge, so apart from the table of contents below I’m also putting links to the take-aways here for more convenience:


3. Before we get into details… Or what I kept in mind when I wrote this article

Unlike many other bloggers who just list the most well-known security plugins and underline their features and benefits, I’d like to make it more detailed and useful for you.

My foremost aim in this post is to help you protect your WordPress website and make security issues clearer for you, so that you don’t just install a plugin or two, but also understand more about security.

Otherwise, if you don’t look at what this or that security plugin or product actually does, you may get a false feeling of security or even break your website completely.

But you may say, “Hey, I just want the stuff that works and don’t want to read about security or any technical details! Just tell me what is the best WordPress security plugin and I’ll go!”

Your desire may be reasonable (and I will answer this question fully in the Plugins and Solutions section), but first of all, I’d like you to become a frequent reader of my blog (and maybe a good friend, why not?)

And so I feel a big responsibility for what I tell you. That’s why I have to explain why this or that security plugin may be a good fit for your WordPress site and what limitations this or that security plugin has.

By the way, if you don’t want to take responsibility for your website’s safety and you’re not going to learn the basics of WordPress security, then go with managed hosting. A great and comparatively inexpensive choice for beginners is WP Engine (see my review here). They don’t just take care of your website’s server-side technical and security issues, but they will also fix your site for free if it gets hacked (they use the Sucuri service for that; by the way – see more details about this service reviewed below in this article).

But if for some reason you don’t want to use managed hosting or some other managed solution (for example, if you have a small budget or you prefer to keep fuller technical control over your website), then you may find this article very useful.

Alright, here we go.

4. The anatomy of WordPress security – general overview

In order to choose the best security plugin or solution for your WordPress site, you need to understand what different plugins do, what vulnerable areas and defensive barriers of your website they are designed for. If you don’t understand the basics of website security, then you may get a false feeling of being secure after installing some plugin that does not protect you as much as you thought (I repeat this idea, because it’s important).

So here’s the general overview of the security protection nodes of a website (I’m talking about personal or small/medium business websites, not corporate web applications):
[Image: WordPress security levels]

The picture above will help you understand what you can control directly and what you cannot. As you can see in the simple image above, your website security can be presented as the following levels:

  • Outer network level (outside of your server – it may be proxy, software/hardware firewalls)
  • Hosting level (it includes server level and a part of networking)
  • Website application level (your WordPress site) – this is the main part of this article
  • Client level (your computer’s security, safe network environment and your common-sense security measures)

Some of the information below may or may not be news to you, but I include it for consistency so that you can see the whole picture and the ways your website can be compromised and protected.

5. Hosting and server level of security

Who is directly responsible for your hosting and server level security:
If you use shared web hosting (not a VPS or dedicated server), then hosting and server level security is up to your hosting provider. They should set up and protect their servers properly, set up network firewalls, organize a safe hosting account environment for you, and do constant monitoring, scanning, auditing etc.

What if your hosting is not managed properly:
If your hosting is poorly managed, then not only do you get many more threats and attacks on your website (which is theoretically tolerable if you have good website security), but your website can be hacked at the server level, kind of from the inside. And there’s no way you can fully protect yourself from it on your own – only your hosting provider can do it.

How you can protect your site on this level:
The best thing you can do is to choose your web hosting wisely, take into consideration hosting companies’ professionalism, and not fall for the shiny, misleading marketing of many hosting providers on the market.

6. Network level of security (web application firewall)

This is a kind of filter between the outer world and your website. Its purpose is to additionally protect your website from malicious traffic (spam, bots, DDoS attacks etc) and hacking attempts, while also improving your website’s performance.

Who is directly responsible for your network level security:
It’s you who decide whether to use this additional level of your website protection.

How you can protect your site on this level:
It’s as simple as subscribing to a cloud/proxy-based firewall and caching service such as Sucuri Website Firewall (the most professional), Incapsula, MaxCDN, CloudFlare etc.

7. Client level of security

How you can protect yourself on this level:
Consider these four areas of client level security:

  1. Protect your computer (use antivirus software plus firewall for your computer).
  2. Use a safe network environment (e.g. don’t use sensitive data when using public wifi hotspots).
  3. Take basic security measures to protect your sensitive data (e.g. don’t keep your passwords written on sticky notes that can be lost or stolen).
  4. Be cautious when working online or with unfamiliar files and programs (e.g. don’t open emails, files or URLs that look suspicious).

Who is directly responsible for client level of security:
Of course, it’s you 🙂

What if you fail to secure your computer and your actions online:
If you fail in this area, your website may be contaminated via the files you upload to it, or your password may simply be stolen by a malware program.

8. Website application level of security (Secure your WordPress site!)

Here’s the main part of this post. It’s about hardening your WordPress site and using plugins, products and services to secure your website.

Who is directly responsible for this level of security:
If you do the technical part of maintaining your website on your own, then it’s you who is in charge of it.

But if you don’t want to do WordPress security yourself, the very cost-effective solution is to choose a fully-managed hosting that apart from many other things provides necessary security for your website so you feel confident.

What if you do not secure your website on this level?
Sooner or later you will be hacked. Malicious bots and human hackers target the easiest websites first of all. So if you don’t take proper preventive security measures, it’s very likely that you’ll be a hackers’ victim soon.

What you can do to protect your WordPress site:
I will talk about it below in this post. For now, I will just list the areas that you should be aware of in order to be sure that you handle your website security properly.

Here is what you should pay attention to when securing your WordPress website:

  1. Protection (or prevention, i.e. don’t let a hack happen in the first place)
  2. Monitoring (watch for suspicious activity like file changes, unauthorized logins etc. – yes, security is not a set-and-forget thing)
  3. Scanning (find vulnerabilities and hacks before they do too much harm to you)
  4. Post-hacking (restore or clean up your hacked online assets the most effective way with the least losses)

The above list is important because different plugins and solutions focus on different areas from it. So WordPress security is not a simple thing but, as you can see, a complex issue. And no single plugin covers all aspects of website security very well (contrary to what many people may think).

I know that most people don’t want to do anything until it may be too late. If you are one of these people, I’d recommend focusing at least on basic protection and a post-hacking strategy. It will let you avoid most hacking issues and restore your website (almost) without losses.

Having said that, if you think you don’t want to deal with any plugins yourself and you don’t have a budget to go with managed hosting, then at least take some actions and follow the approaches from this article about securing WordPress with your own hands and free of charge. It’s basically about updating regularly, having a strong password and always keeping a fresh backup of your site. If you do at least this, then you are already more protected than an average website owner.

Although WordPress itself is a pretty secure thing, there are weak spots in its security which are themes, plugins and a lack of expertise or awareness of an end-user. That’s why WordPress sites get constantly hacked. It makes security plugins a hot topic.

So the next sections are about plugins and solutions that will help you enhance the protection of your WordPress site.

9. Plugins and solutions to protect your WordPress website

How to choose a security plugin – General factors for consideration

First of all, I’ll emphasize one more time – no single plugin is designed to cover all aspects of WordPress security. For complete security protection you need to use a combination of plugins and/or paid products and services, and to be security-conscious while you work online in general. Below you will see suggestions on both single plugins and complete solutions.

One of the ideas for structuring this article was to make a comparison table of the security features that different plugins offer. But I decided not to go only this way, and here’s why:

  • Judging only by the number of features is not the best way to choose a security plugin or product, because beyond some limit the competition over which plugin has more features becomes a kind of marketing game rather than useful reasoning.
  • Features should be taken into consideration, but it’s better if you understand the overall principles of security; otherwise you can be misled by a mass of security slang and user interface sugar that can be really good but is not the most important thing.
  • In addition to counting features, I believe it makes a lot of sense to focus on the most prominent features and the areas that this or that plugin is very well designed for (the areas are listed above, and I repeat them now: protection, scanning, monitoring, post-hacking).
  • The tricky thing is to know (or trust a developer) whether each feature in a plugin works properly.
  • What also matters is the efficiency of security plugins (or solutions) and users’ feedback.
  • The convenience of using a plugin also plays an important role (especially for newbies), everything else being equal.
  • Professionalism of developers is also a very important factor, not only because security is vital, but because it’s a constantly evolving sphere that requires dedication and fast, reliable updates. That’s why it’s not recommended to use security plugins developed by amateurs or for marketing purposes, or abandoned plugins.

The list of cornerstone security plugins that are featured in this article

I’ve chosen the most well-known and established companies and brands developing WordPress security plugins that offer comprehensive security solutions and have a good reputation according to feedback:

  • Sucuri Security
  • iThemes Security (former Better WP Security)
  • Wordfence
  • BulletProof Security

There are also some well-known plugins that are positioned not as comprehensive WordPress security solutions, but focus on some specific areas (for example, firewall, authentication, backup tools). I’ll mention some of them in this article as well.

Please note that I haven’t tested the mentioned plugins and solutions in depth against actual malware, backdoors and attacks. But these free and paid products are very well established and are among the best on the market in this WordPress security segment.

My research results and ratings are based mainly on the features that these security plugins and solutions have, as well as on information and reviews found on the web and from my readers. I also take into account my own experience with the products.


9.1. Sucuri Security – Auditing, Malware Scanner and Security Hardening (Free)

Sucuri company’s general overview

  • Sucuri is a company that specializes in website security protection, monitoring, scanning and cleaning up.
  • Sucuri’s market advantage is that they have developed a unique, semi-automated mechanism for cleaning up websites. So you can get your website cured (and then protected for the subscription period) for an unbelievably low subscription fee.
  • Sucuri offers 3 products (one of them is free) that cover a full range of protection, monitoring, scanning and post-hack cleanup solutions for WordPress.
  • Sucuri was founded and is managed by web security technicians rather than marketers. In my opinion, from many perspectives this may be considered a huge advantage.

What the free Sucuri Security plugin does

The most prominent features of free Sucuri Security plugin are:

  • Easy (1-click) website hardening (restricting access to some vulnerable WordPress directories, disabling the theme and plugin editor, and less critical options)
  • WordPress core file integrity checking (checks whether your WordPress files were changed against a remote sample installation and shows you the changes, with an option to restore)
  • Comprehensive logging of activity on your website (logins, plugin installs/updates etc)
  • Remote website scanning (powered by Sucuri‘s SiteCheck service) checks whether your site is hacked, contaminated or blacklisted. (The hacking/contamination scan is not in-depth compared to the paid Sucuri Antivirus, but it’s good and convenient considering it’s free.)

For the full list of features see the detailed features comparison table.

User experience

Very easy and beginner-friendly.

[Image: Sucuri Security plugin dashboard]

You may find some videos demonstrating user interface of this plugin on the plugin’s page on

Other notes

Sucuri Security plugin does not provide the whole range of security measures, so it’s recommended to use it with other plugins (see some solutions below).
Check out free Sucuri Security plugin

Rating chart for free Sucuri Security scanner

Sucuri Security - Auditing, Malware Scanner and Security Hardening (Free)
Price (for 1 website): Free
Protection: Quite effective but not as complete as desired
Scanning: Not in-depth, but good as a free product
Monitoring: Neat and good, but providing more utility tools could be an advantage
Post-hacking: Provides just additional hardening measures, but no complete solution
Target user: Beginner user
Usability: Easy, comprehensive, helpful explanations and tips
Summary: Great in conjunction with additional plugins (see Combination of Plugins section below)


9.2. Sucuri Website Firewall (CloudProxy)

What it does

In short, Sucuri Website Firewall (CloudProxy) is a proactive (unlike monitoring and malware detection, which is reactive) approach to your website security. It’s a cloud-based protection for your website (all traffic goes through Sucuri cloud environment).

The most important features are:

  • stops attacks before they reach your website
  • prevents vulnerabilities exploitation
  • optimizes performance (four caching options)

Also, you can read here more about what a WAF (web application firewall) is.

User experience

[Image: Sucuri Firewall dashboard]

To activate the Sucuri Firewall all you basically need is to change your A record for your domain. If you don’t know how to do that, you may open a support ticket and the support will do it for you.

Also, you may speed up your website by enabling the caching option and optionally specifying a server location (for example, if your traffic comes mainly from North America, you select the US server location). By the way, according to my research Sucuri Firewall made my website 2.3 times faster.

Other notes

Although there’s a separate product Sucuri Firewall, you may want to install a free Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin where Sucuri Firewall’s interface is included as an add-on feature (see the image above).

Also consider using paid Sucuri Antivirus solution, which already includes Sucuri Firewall. (I review it in the next section below.) In this case you can set up the Firewall within Antivirus dashboard.

Check out Sucuri Website Firewall (CloudProxy)

Rating chart for Sucuri Website Firewall (CloudProxy)

Sucuri Website Firewall (CloudProxy)
Price (for 1 website): Starting from $9.99/mo - one of the most affordable options among other cloud-based solutions
Protection: Great as cloud-based firewall, but not enough for a complete security solution
Scanning: Does not do it
Monitoring: Does not do it
Post-hacking: Does not do it
Target user: Beginner user
Usability: Sucuri support can set everything up for you
Summary: The product is great in its niche, but for a complete security solution it’s recommended to use it together with other plugins or products (see Combination of Plugins section below)

See Cloud Proxy price options here. By the way, there’s a special offer for agencies.


9.3. Sucuri Website Antivirus (Paid)

What it does

Sucuri Website Antivirus is a comprehensive WordPress security solution that provides a great balance between functionality, usability and a peace of mind.

The advantages of this paid product on top of the free Sucuri Security Scanner plugin are listed below.

The most important ones are the following:

  • in-depth scanning,
  • malware and other security issues monitoring and detection,
  • file change detection (the core files),
  • and the most outstanding one – cleaning up in case you get hacked (unlimited times, no charge).

Antivirus includes the Firewall product (CloudProxy). So its main features also include:

  • stopping attacks before they reach your website,
  • preventing vulnerability exploitation,
  • performance optimization (four caching options; making a website faster by 35%-136% according to my research),
  • premium support.

In my opinion, Sucuri Website Antivirus is the product of choice if you want the most complete and hassle-free security for your website.

User experience

User interface of Sucuri Antivirus product is presented with its easy-to-use dashboard that is available from Sucuri external web application (it’s not a part of your WordPress dashboard):
[Image: Sucuri Antivirus dashboard]

A free part of this product is the Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin, which you can access within your WordPress dashboard. But if you use Sucuri Antivirus, then this free plugin is redundant.

Other notes

Although Sucuri Antivirus is quite a complete solution, consider the combined solutions below in this article that add a backup system and additional authentication protection.

Also, it’s worth saying once again that Sucuri Antivirus offers an unlimited clean-up service, which means that if your website gets contaminated, it will be cleaned of any malware, blacklisting and everything that goes or may go with it, at no additional charge. It’s a winning advantage among the other products I review in this article.

Check out Sucuri Website Antivirus

There are also agency plans which allow you to manage multiple sites at a lower price.

By the way, Sucuri security products for websites gain more and more recognition not only from website owners, but also from hosting companies. For example, WP Engine hosting‘s plans include Sucuri protection for free. Another hosting provider that partners with Sucuri and that I recommend is A2Hosting.

Rating chart for Sucuri Website Antivirus

Sucuri Website Antivirus (includes CloudProxy - Sucuri Website Firewall)
Price (for 1 website): $199.99/year - Good price for the service (btw, prices for agencies are cheaper)
Protection: Adding two-factor authentication protection would make it 5 stars (see Combination of Plugins section below)
Scanning: Very well covered
Monitoring: Very well covered
Post-hacking: It's great, and adding a backup solution would make it even greater (see Combination of Plugins section below)
Target user: Beginner user
Usability: Easy and clear
Summary: Very convenient and practical solution


9.4. iThemes Security (formerly Better WP Security) (Free)

General overview

  • iThemes is a company that focuses on web design training and developing plugins, themes and other solutions for WordPress.
  • The iThemes Security plugin focuses on protecting your website. For scanning, iThemes suggests using a free remote malware scanning service, and for post-hacking, third-party paid services.
  • iThemes also offers packages that include not only security products, but also a backup service, themes, WordPress management and other plugins, which can be cost-effective when bought together.

What the free iThemes Security plugin does

The most prominent features of this free plugin are:

  • A prioritized to-do list of security-hardening items to help you protect your site, with a 1-click fix for each security item
  • File change detection (it compares files with their versions saved at a previous check to help you find out if changes were made by someone other than you)
  • Remote website scanning (powered by a 3rd-party service), which can identify whether your website contains a virus or other malicious content. (Note that it’s not an in-depth scanning tool and cannot be used as a comprehensive alternative to antivirus/scanning software that is installed locally on your server.)

For the full list of features see the detailed features comparison table.

User experience

A screenshot of the plugin front page:

[Image: iThemes Security to-do list]

More screenshots are here.

The plugin may seem to have a lot of settings (which can be a bit frustrating for a newbie), but on the other hand it gives more control and flexibility.

Logging (as a part of monitoring) is detailed but at the same time it may be overwhelming or not friendly for a non-technical newbie.

It may cause some server load when running file change detection (which may cause slowdowns or other issues if your server is not good enough – it’s recommended to have 128 MB of RAM on your server).

Other notes

Since the free iThemes Security plugin offers some powerful features, some people experience trouble with their websites when they start using the plugin (in general, any plugin can break something on your website, so make a complete backup before installing plugins).

Rating chart for the free iThemes Security plugin

iThemes Security plugin
Price (for 1 website): Free
Protection: Quite good, but would be more efficient with firewall features (see Combination of Plugins section below)
Scanning: Not in depth, but good as a free product
Monitoring: Provides a detailed log of file changes, which is great if you are a bit tech-savvy, but newbies may find it not friendly
Post-hacking: Not a complete solution - provides only scheduled database backups
Target user: Beginner user
Usability: Some parts are easy and clear, some parts are more technical and settings may seem a bit puzzling for a newbie
Summary: Good plugin. Recommended to use with other plugins and/or solutions (see Combination of Plugins section below)


9.5. iThemes Security Pro (Paid)

What iThemes Security Pro does in addition to the free version

The paid product iThemes Security Pro offers:

  • Security activity auditing (logins, logouts, file changes, intrusions etc)
  • Malware/backdoor scheduled scanning/detection (application-side, which is more reliable and in-depth than any remote scan)
  • Scheduled file change detection
  • Additional protection (e.g. forbidding PHP execution in the uploads folder, enforcing strong passwords, an anti-spam solution and others)
  • Database backups management
  • Two-factor authentication
  • Premium support
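Sucuri’s core file integrity check and iThemes’ file change detection (free and Pro) both boil down to the same mechanism: hash every file, store the result, and on the next check diff against the stored manifest. Here is an added Python example of that mechanism (it is not code from any of the plugins); it assumes a skip list for the uploads and cache directories, which change legitimately all the time, and runs on a constructed mini site tree in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed skip list: directories whose contents change legitimately and would
# only produce noise in a change report.
DEFAULT_SKIP = ("wp-content/uploads", "wp-content/cache")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path, skip=DEFAULT_SKIP) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == s or rel.startswith(s + "/") for s in skip):
            continue
        manifest[rel] = hash_file(path)
    return manifest


def save_baseline(manifest: dict, baseline_file: Path) -> None:
    """Persist the manifest; the next check compares against this saved copy."""
    baseline_file.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_baseline(baseline_file: Path) -> dict:
    return json.loads(baseline_file.read_text())


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as modified, added or deleted relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "deleted": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed mini site tree, take a baseline, alter the tree, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        # Constructed sample files standing in for a WordPress install.
        files = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-includes/functions.php": "<?php function wp_ok() { return true; }\n",
            "wp-content/themes/demo/functions.php": "<?php // theme functions\n",
            "wp-content/uploads/2021/03/photo.jpg": "constructed image bytes",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)

        # Baseline lives outside the site tree so it is never reported itself.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Changes a scanner must flag: a core file edited, an unknown file
        # appearing in plugins, a theme file disappearing ...
        core = root / "wp-includes/functions.php"
        core.write_text(files["wp-includes/functions.php"] + "// unexpected edit\n")
        (root / "wp-content/plugins").mkdir()
        (root / "wp-content/plugins/unknown.php").write_text("<?php // not installed by the owner\n")
        (root / "wp-content/themes/demo/functions.php").unlink()
        # ... and a change it must ignore: a new media upload.
        (root / "wp-content/uploads/2021/03/new.jpg").write_text("more constructed bytes")

        return diff_manifests(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real site the baseline would be taken right after a clean install or update and stored outside the web root, since a manifest the attacker can rewrite proves nothing.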

User experience

Technically it’s the same plugin as the reviewed free iThemes Security plugin but with additional features.

Rating chart for iThemes Security Pro product

iThemes Security Pro plugin (paid)
Price (for 1 website):
Protection: Good, but would be more efficient with firewall features (see Combination of Plugins section below)
Scanning: Very well covered
Monitoring: Very well covered
Post-hacking: Not a complete solution - provides only scheduled database backups
Target user: Beginner user
Usability: Some parts are easy and clear, some parts are more technical and settings may seem a bit puzzling for a newbie
Summary: Good solution, and for more functionality see Combination of Plugins section below


9.6. Wordfence Security (Free)

General overview

  • Wordfence is a department of Feedjit Inc. which provides live traffic feed and WordPress security software.
  • Wordfence is famous for its free plugin that has a powerful application-side (i.e. not remote) malware detection/scanning and live traffic audit features.

What free Wordfence Security plugin does

The most advantageous features of this free plugin are:

  • In-depth scanning for malware which runs manually or automatically once per day (paid version offers a scheduled scanning)
  • Live traffic display (including bots, crawlers etc)
  • Firewall which blocks botnet attacks and other common security threats
  • Options to repair files if they have been changed
  • Optimizes your site speed using Falcon caching (you don’t need to use other caching plugins)

For the full list of features see the detailed features comparison table.

User experience

[Image: Wordfence scanning results]

See more screenshots on the plugins’ page at

Other notes

In my experience Wordfence’s scan did not work (could not start) after I installed Sucuri and iThemes security plugins. Even removing all these plugins and re-installing only Wordfence did not help.

I did not investigate this compatibility issue this time. I just re-installed my test WordPress site, installed Wordfence and its scan started fine.
It does not mean that there’s something wrong. However, it means that they may not be compatible with each other in some environment.

Also, I’ve noticed that you may need to scan your website with Wordfence multiple times to get all the warnings. Running Wordfence multiple times returned different scanning results to me.

You can get free Wordfence plugin here.

Rating chart for free Wordfence Security plugin

Wordfence Security plugin (free)
Price (for 1 website): Free
Protection: Thanks to application-side firewall (but updated with 30-day delay), bruteforce and DDoS protection
Scanning: In depth, one of the best among free options. And the paid version offers even more versatile scanning and more convenience
Monitoring: Great live traffic monitoring, file change detection showing what has changed, automatically once a day, but does not show the logs - e.g. someone deleted a plugin and it does not record it explicitly. (Paid version offers scheduled scanning)
Post-hacking: It can help you to find what has changed after the incident
Target user: Beginner user
Usability: Clear, easy, with explanations
Summary: Its advantage is in-depth scanning and live traffic monitoring - very good for a free product


9.7. Wordfence Security Premium (Paid)

What Wordfence Security Premium does in addition to the free version

The main advantages of paid Wordfence Security Premium product over a free Wordfence plugin are:

  • Scheduled scanning
  • Checks whether the domain sends spam or is associated with sending spam
  • Geographic IP banning
  • Premium support

User experience

From a technical point of view it’s the same plugin as the reviewed free Wordfence Security plugin but with additional features.

Rating chart for Wordfence Security Premium plugin

Wordfence Security Premium plugin (paid)
Price (for 1 website): $99/year and less depending on number of licenses and years
Protection: Thanks to application-side firewall, bruteforce and DDoS protection
Scanning: The core functionality is as in the free version, plus scheduled scanning
Monitoring: Great live traffic monitoring, file change detection showing what has changed, automatically once a day and scheduled, but does not show the logs - e.g. someone deleted a plugin and it does not record it explicitly
Post-hacking: It can help you to find what has changed after the incident
Target user: Beginner user
Usability: Clear, easy, with explanations
Summary: Affordable for the extra convenience compared to the free version


9.8. BulletProof Security (Free)

General overview

What the free BulletProof Security plugin does

The main security features of this free plugin are:

  • Protecting your website by hardening your .htaccess files
  • Checking files/folder permissions
  • DB backups
  • Brute-force protection (via max login attempts)
  • Providing useful monitoring logs

User experience

  • The plugin has built-in tips for setting up which is convenient, as well as how-to-setup video tutorials
  • At the same time setting up the plugin may seem a bit complicated and too technical at first glance for a total newbie (but once you get over it, you’ll enjoy it 😉 )

[Image: BulletProof Security screenshot]

More screenshots are here.

Video overview of the plugin and its settings is here.

Other notes

Apart from set-and-forget protection via .htaccess files and database backups, it’s also like a set of utility tools that users should be able to handle easily if they do their website security themselves.

Don’t be afraid of the seemingly complicated interface (if it seemed so to you). Even if you find it not very friendly at first, it’s totally worth making an effort and spending some minutes learning it to start enjoying its performance.

You can get free Bulletproof Security plugin here.

Rating chart for free Bulletproof Security plugin

BulletProof Security plugin (free)
Price (for 1 website): Free
Protection: Brute-force protection and protection via .htaccess
Scanning: Not in-depth, but good as a free product (Sucuri's remote scanning is used)
Monitoring: Security log, helpful in case of attacks
Post-hacking: Provides only scheduled database backups
Target user: Beginner user
Usability: May seem complicated at first for a total newbie
Summary: Provides good protection via .htaccess and contains helpful tools for users


9.9. BulletProof Security Pro (Paid)

What the paid version does in addition to the free one

  • more protection (IP firewall, blocking crawling/scanning, blocking script execution, etc.; allowing only valid image files in the uploads folder, anti-DDoS, anti-spam, file locking)
  • better alerting system
  • database changes audit
  • more options for monitoring (alerting and logging options)
  • tools for hacking analysis (decoding malicious scripts, code/db/dns finder etc)
  • quarantine files/folder and logging (view/restore/delete options etc)
  • WordPress files (including root folder files and custom folders) backup and restore
  • premium support

In my opinion, it is the product of choice if your primary concern is protection (the product focuses on protection). Monitoring is also a solid feature. Other aspects, such as in-depth scanning or after-hack cleanup, are less developed. This is fantastic software in the right hands (the plugin provides the best value for technically skilled users). In addition, it’s very affordable.

See the full description of the BulletProof Security Pro plugin here.

User experience

It’s the paid version, with one-click install and additional functionality, based on the free Bulletproof Security plugin that I reviewed above.

Here’s the how-to-install-and-setup video tutorial.
Other useful video tutorials are here.

Check out the Bulletproof Security Pro version.

Rating chart for paid BulletProof Security Pro plugin

Bulletproof Security Pro plugin (paid)
Price (for 1 website)
$69.95 one time payment - the most affordable among premium options
IP firewall, anti-DDoS and anti-spam protection and others added in addition to the free version
Not in-depth, but good as a free product (Sucuri's remote scanning is used)
Good, especially for specialists and analysts
Provides scheduled database backups and WP files backups
Beginner user
Goes with easy 1-click install
Provides good protection via .htaccess, DB and WP files backup and restore and contains helpful tools for users


9.10. Other plugins

For this article I have reviewed some of the most well-known, comprehensive and established WordPress security plugins. But there are more plugins. Many of them do not cover WordPress security fully, but they do their work well in their targeted areas.

If you want to protect your WordPress site on your own (especially without using paid products), then you may want to maximize protection of your website by combining plugins. I describe some effective combinations of security plugins below.


10. Combination of plugins/solutions to maximize your WordPress security effectively

Why one plugin may not be enough

When it comes to security protection and malware/contamination detection, no single plugin (even a paid one) can give you a complete solution with 100% prevention, protection and detection. Different software works in different ways, each covering just a part of the security threats and issues. So if you want to maximize the effect, you may want to use more than one plugin.

A note about how I combined plugins into suggested security solutions

  • In the sections below I describe combinations of plugins trying to find a good balance between price and functionality.
  • In each suggested solution below I put one of the paid products from the reviewed companies as a starting point.
  • Also I suggest fully free (but still effective) security solutions.

Warnings before combining security plugins or solutions

There are several issues that you need to keep in mind when making a decision on combining plugins for your final security solution:

  • Security plugins from different providers are not guaranteed to be 100% compatible;
  • Some security plugins may conflict with or break other (non-security) plugins;
  • The more plugins you use, the more work you need to do and the more time you need to spend managing/monitoring the plugins;
  • There’s a risk that using many security plugins will do more harm than good (e.g. blocking you or all of your traffic, or even breaking your site; excessive information; wasted time dealing with it, and so on).

So how many and which plugins do you need?

It’s a question of balance between your expertise, the level of security your website needs, and the effort/time/money you want to spend setting it up and managing it.

Here are some effective WordPress security solutions that I have compiled.


10.1. Free minimalistic no-heavy-security-plugin solution


Some people find it difficult to set up and manage powerful security plugins, or are reluctant to do so. Also, people may want to minimize the number of plugins they use (for example, to avoid the risk of damaging the website with the plugins and/or to have more control over the website).

In this case I suggest applying the minimalistic (but effective) security measures for WordPress that I describe in the article Protect Your WP Site From Hacking Step-by-Step – Easy And Very Effective.

It contains mostly protection measures (that need to be set just once) and important solid pieces of advice on website security.

Rating chart for free minimalistic no-heavy-security-plugin solution

Minimalistic security solution (free)
Price (for 1 website)
Effective, but not complete compared to other suggested solutions
Does not do it
Does not do it
Does not do it (however, the article reminds you to have a fresh backup)
Beginner user
Some protection measures may seem a bit complicated for a total newbie since it requires editing core files

This solution suggests some effective protection measures (which need to be set only once) and explains some underestimated website security threats and safe online habits that everyone should consider.


10.2. Free Solution To Protect, Scan and Monitor


It’s a free solution which focuses on protection, monitoring and powerful scanning.

In brief, this solution includes the following parts:
– Bulletproof Security (free) – a simple, effective plugin for great protection (my review is here)
– Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin (free) (see my review above)
– WordFence security plugin (free) – for better protection and monitoring (my review is here; how to fix the compatibility issue with Sucuri is here). Please note that if you don’t have a specific need for scanning, I would suggest not using Wordfence, in order to avoid possible slowdowns of your site. However, if you need the scanning option, you can install the plugin, run the scan, and remove the plugin once you are done. I do it this way.
– Two-factor authentication (use e.g. the free version of the Duo Two-Factor Authentication plugin; also see the relevant section with similar plugin suggestions in my article here)
– Backup (if your hosting provides an independent backup solution, great. Otherwise, the simplest free option is to make full backups from your hosting account’s cPanel manually and store them somewhere outside of your hosting – e.g. on your home computer)
– Anti-spam solution. There are many great options to fight spam, including free ones (for example, Antispam Bee or the Anti-spam plugin).

Rating chart for this free solution

Free solution which focuses on protection, monitoring and powerful scanning
Price (for 1 website)
Quite solid option
Powered by WordFence (in-depth, server-based) and additionally Sucuri (not in-depth, but good as an alternative)
Powered by WordFence (live traffic, file-change detection) and additionally by Sucuri
Some measures are offered by Sucuri, but it's not enough – consider at least making and downloading a fresh backup if your hosting does not offer backup solution for you
Beginner user
Quite clear and easy
Even with no money you can make your website pretty secure


Other notes

  • I also suggest reading this article – it can help you as well in addition to this solution.
  • If you have issues with plugins compatibility or you need other features, consider replacing plugins with other ones. When you do website protection yourself, you’ll need to gain expertise (if you don’t have it yet) by learning and trying.
  • Feel free to use the features comparison table for reference when adjusting your solution to your needs.

General overview of full solutions based on a cornerstone paid product

The advantages of the full solutions:

  • Advanced protection, scanning and monitoring (each solution below features one or more leaders in WordPress security)
  • Full backup solution, which means that you can restore your website from any point in time or restore single files. (Imagine that an experienced hacker or a new hacking script broke your site, or that it was you who made some unwanted changes such as breaking the website or deleting some data, or that your hosting did a bad job and lost your data – you’ll need the most recent backup)


10.3. Full Sucuri Protection and Backup Solution

Overview of the solution

This solution features Sucuri’s product, which, apart from a lot of other useful things, gets your website cleaned up from malware and other contamination, restores its ranking in search engines, gets it whitelisted again, etc. in case your site was hacked and blacklisted.

This solution includes:
– Sucuri Website Antivirus (it already includes Sucuri Website Firewall – CloudProxy)
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups for malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Two-factor authentication (you may use the free version of the Duo Two-Factor Authentication plugin; also see the relevant section with similar plugin suggestions in my article here). Also, two-factor authentication using Google Authenticator is offered by Sucuri Website Firewall as a free option.
– Anti-spam solution. There are many great options to fight spam, including free ones (for example, Antispam Bee or the Anti-spam plugin).

Rating chart for the solution

Full Sucuri Protection and Backup Solution
Price (for 1 website)
$259.99/year = $199.99/year (Sucuri Antivirus) + $60/year (CodeGuard). A good price for a great functionality
Very well covered
Very well covered
Everything from restoring from any point to cleaning up poisoned rankings in search engines
Beginner user
Easy and clear
Very effective and beginner user-friendly solution


10.4. Full iThemes Security with Sucuri Firewall and Backup Solution

Overview of the solution

This solution requires your more active participation in hardening your website (thanks to iThemes Security’s to-do list).

The solution includes:
– iThemes Security Pro – protection, scanning, monitoring
– Sucuri Website Firewall (CloudProxy) – more proactive protection
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups for malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Anti-spam plugin (apart from Sucuri’s firewall spam protection, and if you don’t like iThemes’ option (Google reCaptcha), consider using an additional anti-spam solution). There are many great options to fight spam, including free ones (for example, Antispam Bee or the Anti-spam plugin).

Rating chart for the solution

Full iThemes Security and CodeGuard Backup Solution
Price (for 1 website)
$259.88/year = $80/year (iThemes Security Pro) + $119.88/year (Sucuri Firewall) + $60/year (CodeGuard). A good price for a good functionality
Very well covered
Very well covered
CodeGuard backup solution allows restoring a website from any point
Beginner user
Some parts in iThemes security can be a bit puzzling for a newbie
A good solution that is based on more control (to-do list of protection measures)


10.5. Full WordFence solution with Sucuri Firewall and Backup Solution

Overview of this solution

The paid WordFence plugin differs from its free version mainly in more convenient scanning functionality and an additional check of whether your site is being exploited to send out spam.

This solution makes the most of the WordFence product and adds protection measures from other products to it.

The solution consists of:
– WordFence Security Premium (paid)
– Sucuri Website Firewall (CloudProxy) (paid)
– Free Sucuri Security – Auditing, Malware Scanner and Security Hardening plugin. (Also, see this article about compatibility between Sucuri and Wordfence scanning)
– Two-factor authentication (if you don’t like WordFence’s option for any reason, you may use e.g. the free version of the Duo Two-Factor Authentication plugin; also see the relevant section with plugin suggestions in my article here)
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups for malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Anti-spam solution. There are many great options to fight spam, including free ones (for example, Antispam Bee or the Anti-spam plugin).

Rating chart for the solution

Full WordFence solution with Sucuri Firewall and Backup Solution
Price (for 1 website)
$218.88/year = $39/year (WordFence Premium) + $119.88/year (Sucuri Firewall) + $60/year (CodeGuard). A good price for a good functionality
Pretty solid solution
Powered by Wordfence: in-depth, server-based
Very well covered
CodeGuard backup solution allows restoring a website from any point
Beginner user
Quite clear and easy
A good solution


10.6. Full BulletProof solution with Sucuri Firewall and Backup Solution

Overview of this solution

The paid BulletProof plugin mainly adds more detection of and protection from spam and DDoS attacks, as well as more utility tools.

Apart from the BulletProof paid plugin, this solution includes a full backup solution, scanning and some more protection:
– BulletProof Security Pro (paid)
– Sucuri Website Firewall (CloudProxy) (paid)
– Wordfence Security (free)
– CodeGuard Backup service (I use it) – backup and restore from any point, monitor changes. Alternatively you may want to use BackupBuddy, BlogVault or VaultPress (it checks backups for malware/contamination). A backup solution is also offered by Sucuri Website Firewall for an additional price. (By the way, there’s an in-depth article about website backup solutions.)
– Two-factor authentication (you may use e.g. the free version of the Duo Two-Factor Authentication plugin; also see the relevant section with plugin suggestions in my article here)
– Anti-spam solution. There are many great options to fight spam, including free ones (for example, Antispam Bee or the Anti-spam plugin).

Rating chart for the solution

Full BulletProof solution with Sucuri Firewall and Backup Solution
Price (for 1 website)
$249.83 first year ($179.88 second and next year) = $69.95 (BulletProof Security, one time payment) + $119.88/year (Sucuri Firewall) + $60/year (CodeGuard). Great price for good functionality
Good solution
Powered by WordFence: in-depth, one of the best among free options
Great live traffic monitoring, file change detection with showing what has changed, automatically once a day
CodeGuard backup solution allows restoring a website from any point
Beginner user
Quite clear and easy
A good cheaper solution


11. All-in-one interactive score table for WordPress security plugins and solutions


Please note that the given scores are just approximate estimations of the plugins/solutions functionality. Besides, ‘Overall’ column is calculated automatically and its value is rounded, so it’s also an approximate evaluation.


12. WordPress security plugins compatibility

I have not researched compatibility issues in depth, but here are some notes that may be useful to you.

Some features of plugins may overlap or be incompatible with each other, or be incompatible with some hosting/server configurations. If issues arise, support tickets or the plugins’ support forums may help.

And here are a couple of compatibility issues and tips for resolving them:

  • iThemes Security/Better WP Security is not compatible with BPS or BPS Pro (some more details here)
  • BulletProof Security & Sucuri – scanning compatibility issue and how to resolve it is here
  • Sucuri and WordFence Scanning Conflict and how to resolve it – see here
  • Sucuri’s forbidding PHP execution in wp-content directory may stop Wordfence from working. If you experience this issue, you need to make sure you don’t forbid PHP execution in wp-content directory (it will weaken your protection though). Some more details are here


13. WordPress security plugins and products features comparison table

While working on this article I’ve put together features of the security plugins/products for comparison to see what functional areas they cover.

Here’s a link to the comparison table in a Google Sheet.

And here’s a screenshot of it:
WordPress Security Plugins Features Comparison Table


14. Conclusion

Website security can never be too perfect. There’s always room for improvement.

You may start with free security measures if you are tight on budget and have the time to do WordPress security yourself.

If you want a more convenient solution or need more robust security protection, then consider a paid security service or product.

If you have read the article and still don’t know what solution you want to go with, then perhaps the following part can give you some ideas.

To help you decide on each individual plugin/product, here are their strong sides very briefly:

1. Why Sucuri Security – Auditing, Malware Scanner and Security Hardening, free.

It has a beginner-friendly user interface and does good monitoring (in the class of free monitoring solutions presented in this article). And it’s free.

Check out Sucuri Security plugin or go to the section above to read about it again.

2. Why Sucuri Website Firewall (CloudProxy), paid

It’s a great, true website firewall solution (i.e. it blocks attacks and malicious traffic before they reach your server or website).

Check out Sucuri Website Firewall (CloudProxy) product or read again about it in the article above.

Also, Sucuri Website Firewall can make your website considerably faster (see my research here).

3. Why Sucuri Website Antivirus, paid

It’s the most hassle-free solution that covers the entire security of your website. And you are completely covered in case of hacks (if you get so unlucky). Sucuri’s team will clean up your website an unlimited number of times at no additional cost if your site is hacked or gets malware.

Check out Sucuri Website Antivirus or read about it again.

4. Why iThemes Security (formerly Better WP Security), free

It’s one of the best solutions when it comes to dialogue between the complicated topic (website security) and a consumer (user). Its breakdown of protection measures in a to-do list manner is just very natural (and even educational) and so intuitively loved by users. Also it has a good monitoring functionality. And it’s free.

Check out iThemes Security plugin or click here to read again about this plugin above.

5. Why iThemes Security Pro, paid

It’s a great solution. The only strategically better addition is a website firewall and a backup solution.

Go to the product or click here to read again about it in the article above.

6. Why Wordfence Security, free

Great scanning and monitoring (in the class of free solutions) and it’s user friendly.

Check out Wordfence Security plugin or read about it again.

7. Why Wordfence Security Premium, paid

It’s technically like its free version, but it has some more features and is more convenient to use.

Check out Wordfence Security Premium or read about it again.

8. Why BulletProof Security, free

It’s very lightweight and truly efficient in terms of protection (and it’s free!). I just love such solutions that work very well without side effects.

Check out BulletProof Security plugin or read about it again

9. Why BulletProof Security Pro, paid

It’s a more powerful version of its free plugin, with more monitoring and backup options.

Check out BulletProof Security Pro product or read about it again in the article above.

And here are my recommendations regarding not individual plugins, but complete website security solutions:

  • If you are just making your very first steps in securing your website, or don’t want to deal with serious security plugins for any reason, then look at the free minimalistic solution.
  • If you had to install only one security plugin and you want it for free, check out Bulletproof Security (free). This plugin is not heavy, effective in its performance and focuses on protection which is the most important part of your website security. Click here if you want to go back to the description of this plugin in my article above.
  • If you want a more comprehensive solution that covers also other sides of WordPress security, but you don’t have any budget, then consider this free solution to protect, scan and monitor.
  • If you had to install only one plugin or product and price is very important to you, then I recommend Bulletproof Security Pro which is super affordable, focuses on protection (the most important part of your WordPress security) and does its work very well. Its monitoring options are also very good. Click here to go back and read about it in the article above. Also, you can read my comment below on whether it’s enough using just BPS Pro.
  • If you want a solution that is both very effective and does not require any technical experience from you, then Full Sucuri Protection and Backup Solution can be a good no-worries option for you.
  • And in case you want to avoid dealing with any security and other technically complicated things, then consider managed hosting that will be doing necessary technical maintenance for you.

For my websites I’m using Bulletproof Security products. Also, I had been a customer of Sucuri for several years. But since 2021 I had to cut my costs and now I’m unfortunately no longer using Sucuri. The speed of my site dropped considerably though (the front page’s load time went from 0.5 sec to 1.5 after I quit Sucuri, even though I’m using a caching plugin) 🙁
And I have to pay even more attention to backups now, as a last resort in case something goes wrong.

By the way, as regards speed, Sucuri Website Firewall showed brilliant results in improving the speed too (see this article for more details).

WordPress security is a broad topic. Only a part of it has been covered in this article. Feel free to let me know in the comments, if you have any questions or thoughts.



  1. I have reconsidered and have purchased Bulletproof Pro (paid). The product is excellent, and the price is very affordable. Other than the usual suspects, I question two additional plugins if I need them anymore: Antispam Bee and Salt Shaker. What do you think?

    • John, BPS Pro covers the functionality of both of the mentioned plugins. But the ways the plugins work may be a bit different. I’d disable the two plugins in question and see if it’s okay from a functioning point of view. If everything is fine, I don’t see a reasonable point in keeping plugins which overlap in functionality.

  2. Michael, I’m a big fan of yours and value your research and honest opinions. For example, I use GeekStorage hosting and your recommended security plugin combination of BPS free + Sucuri free + WF free. I recently substituted NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall with NinjaScanner – Virus & Malware scan for Sucuri and Wordfence. Even with this change, I followed your advice, adding a free firewall and virus scan. Both options do not hurt website performance. And the firewall is one of the few free options and has a considerable following. Thank you for sharing your wisdom with us.

    • Glad to hear that my stuff was helpful, John.
      Yes, I think this is the right approach – to get acquainted with the opinions and research of others, and come up with your own solution, perhaps through some tests and trials.

  3. Michael, your site is a wealth of information, and I can’t thank you enough for the expertise and detailed reviews you so graciously share with us. I have a question about your one plugin vs. combined strategy. I have been using the free versions of Bulletproof, Sucuri, and Wordfence as a combination. My question is, how would the relatively affordable paid option of Bulletproof stack up as a single plugin replacement for the three free plugins? Warmest regards, John

    • Thanks for your kind feedback, John.
      The advantage of the free Wordfence and Sucuri is that they offer scanning options. The paid Bulletproof includes the scanning option. So, from a functional point of view the paid BPS is a good replacement for all three plugins. If you used the free BPS and you find it OK to use from a user point of view, I think leaving just the paid BPS makes sense.

  4. Wow thank you for the article, btw have you tried 6G & 7G Firewall? What do you think about it?

    • You are welcome 🙂
      No, I have not tried nG Firewall. Also, I can’t find it in the plugin repository. But as far as I can see nG is used in the BBQ (BBQ: Block Bad Queries) plugin which is a simpler alternative to BulletProof Security (BPS) plugin that I prefer and mention above in my article.

  5. This is an excellent post. This is really helpful for my business websites. It saved a lot of time.

  6. Hi…first good article that answers most of my questions except one. This question may or may not matter. I have multiple websites. I want to use Bulletproof security and Sucuri. Both free versions. I am just curious if there is a preferred order to install them? Sucuri first and then BPS or the reverse?
    Thanks and keep up the wonderful information.

  7. Hi Michael,

    Thank you for your deep analysis and it has been very helpful and I still love using Wordfence(free) and ithemes Security.

    I feel bulletproof security pro(paid) is somehow sensitive compared to Wordfence and ithemes security even installed solely.

    Would you be able to give me an advice or share your thoughts about alternative combinations of security plugins such as Wordfence(free) + ithemes Security pro(paid)?
    I would also very much appreciate if you could give me recommendations regarding combinations including Sucuri(Free Version), Wordfence(free) and itheme Security(Paid)

    Thanks again for your valuable research and analysis.


    • Jay,

      If you are already using a paid version of iThemes Security, I think you may skip other plugins unless you really have a reason to use more plugins. Don’t overload your site unless you really need it (e.g. your site is frequently under attack and you need to take additional measures and you know where to look using this or another plugin).

      If you are already using a paid version of any of the best security plugins reviewed here, the only additional security solution that would make sense is the cloud layer which is paid (I recommend Sucuri Firewall “CloudProxy”).

      • Hi Michael,

        Thank you for your reply.

        I think I understand the point that there is no need to overload my website by installing multiple security plugins. I understand your best recommendation would be(as written in your article above)

        One of BPS(which you highly recommend) or ithemes security pro or Wordfence
        and Sucuri Firewall “Cloud Proxy” which provides additional security on cloud layer.

        I think I am fine for now but I will definitely consider using Sucuri Firewall “Cloud Proxy” for websites which would require higher security such as online mall which I may build in future.

        I would just stick to single security plugin(I might test BPS pro and consider start using) for now 🙂

        Thank you for your kind answer.


  8. I have been using the iThemes Security plugin combined with the MalCare WordPress Security, Firewall & Malware Scanner plugin. I wanted to give your free security combo a try so I deactivated these two plugins and activated the BulletProof Security plugin.

    I received this notice from BulletProof: “An htaccess file has been detected in the wp-content folder that breaks BPS features and functionality.”

    One of the options reads: “To fix the iThemes problem go to the System Tweaks page, uncheck the Disable PHP in Plugins option setting.”

    Since the iThemes plugin was deactivated, this made no sense.

    I deleted iThemes but the notice from Bulletproof remained.

    What’s happening here and what should I do next?


    • Neal,

      It looks like iThemes has left something that conflicts with BPS.
      Look at the htaccess file in the wp-content folder (according to your error message) and remove it if you understand that it’s left after iThemes.
      Then you may need to re-run the Setup Wizard in the BPS plugin.

      If it does not help or you feel it’s too complicated for you, I suggest contacting BPS plugin’s developers. They have support forum for free users too.

      Hope it helps.
      Fixing conflicting plugins can be a bit tricky.
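The two .htaccess conflicts discussed on this page (section 12 above: a rule that forbids PHP execution in the whole wp-content directory can stop Wordfence from working; and the exchange just above: a leftover .htaccess in wp-content that BPS flags) can both be spotted with a small script like the following. This is an added example, not code from the article or from any of the plugins it reviews; the site tree it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article or any plugin): list every .htaccess
# under wp-content that appears to stop PHP from executing, and where it sits,
# so you can tell a rule covering the whole wp-content tree from one limited to
# a subfolder such as uploads.
#
# Usage: find_php_blocks /path/to/wordpress
# Output: one line per blocking file, e.g. "wp-content/uploads/.htaccess"

# php_blocked_in FILE: succeed when FILE contains a directive that disables PHP.
php_blocked_in() {
    # mod_php switch: "php_flag engine off"
    if grep -qiE '^[[:space:]]*php_flag[[:space:]]+engine[[:space:]]+off' "$1"; then
        return 0
    fi
    # a <Files> or <FilesMatch> block aimed at .php files that denies access
    # (Apache 2.2 "deny from all" or Apache 2.4 "Require all denied")
    if grep -qiE '<Files(Match)?[^>]*php' "$1" &&
       grep -qiE 'Require[[:space:]]+all[[:space:]]+denied|deny[[:space:]]+from[[:space:]]+all' "$1"; then
        return 0
    fi
    return 1
}

# find_php_blocks WPROOT: print the path (relative to WPROOT) of each blocking
# .htaccess below wp-content, shallowest first. Returns 2 if wp-content is missing.
find_php_blocks() {
    content="$1/wp-content"
    [ -d "$content" ] || { echo "no wp-content directory under $1" >&2; return 2; }
    find "$content" -type f -name .htaccess | LC_ALL=C sort | while IFS= read -r f; do
        if php_blocked_in "$f"; then
            # strip the absolute prefix so the output reads like a site-relative path
            echo "wp-content${f#"$content"}"
        fi
    done
}

# Constructed sample tree (not a real site): wp-content as a whole blocks PHP
# (the Wordfence-breaking case), uploads blocks it too, plugins has an
# unrelated .htaccess that must not be reported.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/plugins"
    printf '<FilesMatch "\\.php$">\n  Require all denied\n</FilesMatch>\n' \
        > "$root/wp-content/.htaccess"
    printf 'php_flag engine off\n' > "$root/wp-content/uploads/.htaccess"
    printf 'Options -Indexes\n' > "$root/wp-content/plugins/.htaccess"
    echo "$root"
}

site=$(make_sample_site)
find_php_blocks "$site"
rm -rf "$site"
```

On the sample tree the script reports wp-content/.htaccess and wp-content/uploads/.htaccess; the first is the one to review if Wordfence stops working or BPS complains.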

  9. Hi Michael,
    what do you think about combinations of these free plugins?
    1. Ithemes and Wordfence
    2. Wordfence and BPS
    3. Sucuri and BPS


    what do you think are the best combinations of plugins for free?

    Thank you.
    Have a great week.

    • Hi Jiri,

      Any combination can work if:
      1. You know what you want to achieve.
      2. There are no conflicts of the plugins on your site or you could fix them.
      I personally use BPS everywhere as it is super light and very efficient. Sucuri plugin is great for express scanning.
      Wordfence is a great tool, but it can be heavy. I don’t use it just in case, I use it only when I really need it.
      iThemes (and its other products) feels like a bit separate ecosystem to me.

      Now, in short about the options you suggested:
      – Ithemes and Wordfence: I think it’s too heavy a combination because both tools do scanning. Scanning can be a resource hog, especially if your website is large.
      – Wordfence and BPS. Yeah, why not. But remember that Wordfence can be heavy. That’s its main risk.
      – Sucuri and BPS. It’s the fastest combination with awesome security coverage. I prefer (and I’m using) this one.

      As regards the free combination, I recommend the one I described above in this section. You can exclude WordFence or use it occasionally only when you need it not to overload your site (scanning with this plugin can be resource-intensive).
      BPS is for the protection (not scanning or monitoring though which are additional security means actually) is my favorite choice. On many sites I just use this one plugin with the default setting (just install it and run the 1-click Wizard install).

      Hope it helps.

  10. 10 out of 10 for your research work Michael; you share the best information according to your title.

    Thanks for sharing!

  11. Hi Michael,

    It's a great article for selecting WordPress security plugins. Good job and thanks! Now I have some questions, hoping you can advise me. I am an export representative from a tin box manufacturer; apart from the product website in English that I built, recently I plan to build a Chinese-language blog. I have no problem with the English one but I worry about the new blog.

    I am concerned about 2 issues. One is plagiarism: many people here use tools/software, made of crawlers/bots, to collect WP articles and publish them on their own sites, a big problem. I don't know coding, I only know they code bots with Python. I want to protect my content and block these bots.

    Now I use 2 plugins: Blackhole for Bad Bots & WP Content Protection (no right click). The first one adds a rule in the robots.txt file; it is said that normal bots always follow the rules, but bad bots don't, and then they cannot access the site; the second simply disables copy/paste by hand. I don't know if it works or not.

    Another issue is: many CN-language blogs get quite a lot of traffic, but large parts of it are fake clicks made by bots or software, instead of authentic page views by people. It occupies too much bandwidth and resources.

    I used Wordfence once and added some bots to its blacklists; I don't know if it works well. Please kindly advise which plugin is better for the above problems. Do I need to collect all bad bot names and add them to the blacklist? How to prevent content copying by bots? Are Blackhole/WP Content Protection functional enough?!

    Thanks in advance. Have a nice day!

    • Hi Frederick,

      I understand your concerns.
      Here are my thoughts.

      You can't fully protect your website from plagiarism. Even if you block some bots, the next day a dozen others appear, or the existing ones change their names/IPs. It's impossible to hide your content from copying/stealing. What you can do strategically is make your website look more legitimate than the plagiarizing sites. It will make your site rank higher in the search engines than the sites with the pirated content.

      The plugin that forbids the right click, in my opinion, does more harm than good. It makes your website very unpleasant for humans to use, whereas bots don't care about this plugin.

      The means and the tools which block bad bots make sense only because they can save traffic. But on the whole these tools can't protect you from plagiarism.

      So, the only practical action you can take in terms of protecting against these threats is to filter traffic as much as possible by blocking illegitimate and bot traffic. I suggest using a web application firewall (WAF) as a third-party service, i.e. block the bad traffic before it reaches your server. I use Sucuri WAF, also known as CloudProxy (I review it in short above), for this purpose (as well as for protection) and it helps greatly. Since it's a cloud service, it gathers a database of malicious bots from all the websites it serves and from some other sources, and the service blocks the bad traffic automatically.

      If you don't want to use a paid cloud-based WAF service, you can try using a plugin that will let you block the bots manually (many security plugins allow blocking by IP), or you can even block the suspicious IPs manually in your .htaccess file (like I show in this article), but for your needs it's absolutely not enough.

      Hope it helps.
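The reply above mentions blocking suspicious IPs by hand in .htaccess. The following is an added example (mine, not code from the post or from any of the plugins discussed) of how a site owner can decide *which* IPs deserve a block instead of guessing: it parses access log lines, flags clients that post to wp-login.php/xmlrpc.php too often (password guessing) or request pages far faster than a human (scrapers, fake-traffic bots), and emits the Apache 2.4 `.htaccess` rules. Assumptions: the log is in the standard "combined" format, the server is Apache 2.4 (`Require not ip` syntax), and the thresholds are arbitrary starting points. The sample log lines are constructed for the demo and use RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Standard Apache/Nginx "combined" access log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Endpoints that password-guessing and spam bots hammer on WordPress.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def _max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_abusers(lines, login_limit=5, rate_limit=60, window=timedelta(seconds=60)):
    """Map IP -> reason for every client that trips a threshold.
    login_limit: POSTs to wp-login.php/xmlrpc.php per window (password guessing).
    rate_limit:  requests of any kind per window (scrapers, fake-traffic bots).
    Both thresholds are arbitrary starting points; tune them against your own log."""
    login_posts, all_hits = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format instead of crashing
        all_hits[rec["ip"]].append(rec["ts"])
        if rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            login_posts[rec["ip"]].append(rec["ts"])
    abusers = {}
    for ip, times in login_posts.items():
        n = _max_in_window(times, window)
        if n >= login_limit:
            abusers[ip] = f"{n} login POSTs within {window.seconds}s"
    for ip, times in all_hits.items():
        n = _max_in_window(times, window)
        if n >= rate_limit and ip not in abusers:
            abusers[ip] = f"{n} requests within {window.seconds}s"
    return abusers


def htaccess_block(abusers):
    """Apache 2.4 .htaccess snippet denying the flagged IPs, everyone else still allowed.
    `Require not ip` is only valid inside <RequireAll> next to a granting rule;
    a bare `Require not` line makes Apache reject the configuration."""
    if not abusers:
        return ""
    out = ["<RequireAll>", "    Require all granted"]
    for ip, reason in sorted(abusers.items()):
        out += [f"    # {reason}", f"    Require not ip {ip}"]
    out.append("</RequireAll>")
    return "\n".join(out) + "\n"


def _line(ip, ts, method, path, status, ua):
    """Build one constructed combined-format line for the demo."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')


def sample_log():
    """Constructed sample traffic (RFC 5737 documentation addresses), not real log data."""
    t0 = datetime(2021, 3, 27, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    # 192.0.2.10: a human reading three pages and logging in once.
    for i, path in enumerate(("/", "/about/", "/wp-login.php")):
        lines.append(_line("192.0.2.10", t0 + timedelta(seconds=20 * i), "GET", path, 200, "Mozilla/5.0"))
    lines.append(_line("192.0.2.10", t0 + timedelta(seconds=70), "POST", "/wp-login.php", 302, "Mozilla/5.0"))
    # 203.0.113.7: six password guesses in 25 seconds.
    for i in range(6):
        lines.append(_line("203.0.113.7", t0 + timedelta(seconds=5 * i), "POST", "/wp-login.php", 200, "python-requests/2.25"))
    # 198.51.100.22: a scraper pulling 80 posts in under a minute, sending no User-Agent.
    for i in range(80):
        lines.append(_line("198.51.100.22", t0 + timedelta(milliseconds=700 * i), "GET", f"/post-{i}/", 200, "-"))
    lines.append("this line is not in combined format and is skipped")
    return lines


if __name__ == "__main__":
    flagged = find_abusers(sample_log())
    for ip, why in flagged.items():
        print(f"{ip}: {why}")
    print(htaccess_block(flagged), end="")
```

Run it against a real log with `find_abusers(open("access.log"))` and paste the output at the top of the site's .htaccess. Two caveats, both consistent with the reply above: a hand-maintained IP list rots quickly because bots rotate addresses, which is the point of letting a cloud WAF do this with data from many sites; and a threshold-and-ban loop like this is exactly what a Fail2Ban jail (mentioned further down in the thread) automates at the server level, so if you have root on a VPS, that is the better place for it than .htaccess.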

    • Hi Michael,

      Thanks for your reply! Now I get it more clearly.

      Merry Christmas !! Happy New Year!!

      Warm Regards

  12. I’ll give WordFence Security plugin a try. I used wp security scan and exploit scanner for my clients’ blogs. Those two plugins deliver what they promise. WordFence Security plugin you reviewed seems to be more sophisticated. I’ll use it for future projects. Thanks for the review.

    • You are welcome, Loren. This plugin is known to cause performance issues on some sites (while a scan is in progress). So, check whether this affects your site(s). Since this is a plugin (and not a third-party service), all the hard work happens inside WordPress.

  13. Another popular plugin for security is Malcare. User-friendly and is designed for those site owners who do not have the time or interest to learn about WP security.

  14. Constantin says

    Hey – thanks for your article. Check this: the suggested was closed on December 9, 2018 and is no longer available for download. Reason: Guideline Violation.

    So I suggest you should update your suggestions..

    • Hey Constantin. You are right. I need to research some very neat alternatives to this plugin that will not disrupt users. I will update the article ASAP.
      Upd: have added suggested free anti-spam solutions.

  15. Hi Michael,

    Thanks a lot for this article. It is great! I am wondering about the best combination for WP Cerber Security. I have had this plugin for a while on my website and it has worked fine; it has blocked PHP file requests on my website. I am searching for another plugin to combine with this. What would be your advice? I have also installed the Two Factor plugin.

    Thanks a lot for your reply in advance,

    • Hi Claudia,

      You already have a plugin inside your WP installation, so from a security point of view it does not make much sense to use one more plugin for security reasons. However, if (when) you need some particular option or feature, e.g. more monitoring/scanning, then you may consider using another or one more plugin. But for now, if you are satisfied with the plugin you are using and you are not experiencing attacks or suspicious activity, don't overdo it. That's enough plugins.

      Anyway, good additional security can be gained with an external (cloud) firewall like Sucuri CloudProxy, which I reviewed above. Unlike adding another plugin for no particular reason, an external firewall does indeed add significantly to your website security (because this is NOT a plugin, but a sort of external shield). Apart from that, it will improve your speed.

  16. Oh, I also use SiteGround hosting, the Genesis framework, and StudioPress themes. Are all of those combined with iThemes Pro good enough for me to feel my sites and my clients' sites are secure?

    • SiteGround, Genesis and StudioPress are good ones to use. And since you use one of the best security products on the market, you are more protected than most website owners. Of course, you need to maintain security hygiene on your website, i.e. use strong passwords, update the WP version and plugins, always have a fresh backup etc.
      For more enhanced protection, Sucuri Firewall is recommended (as I describe in my recommended solution for iThemes Security users). The point is that security plugins (including iThemes Security) provide protection only at the level of your application (WordPress), whereas external firewalls (like Sucuri Firewall) put an additional barrier outside of your server.

  17. Hi Michael! I'm a new designer/developer and I only build and manage sites for friends/family and small businesses. I'm wondering, since iThemes Pro uses Sucuri, if that makes them better now and moves them up the list to use for multiple sites, especially as it's less expensive than Sucuri alone for 1 site.

    • Melanie, iThemes Security uses just Sucuri SiteCheck. Sucuri SiteCheck is a free plugin. Whereas Sucuri Antivirus is a paid versatile and advanced product. You can’t compare Sucuri SiteCheck and Sucuri Antivirus.

  18. Do you have a post on how you configure BulletProof Security and Sucuri the way you prefer? It would be interesting. It's been an intense post for 3/4 years!!

    • You know, for most of my websites I simply run the Magic Wizard (one button click) and that's it! For a small number of projects I use its backup feature and add custom code which is recommended by BPS (the recommendations and the instructions are displayed in the dashboard). There are more options to dig into in BPS, but this is comparatively advanced stuff and you can always go to the website (the BPS developers' site). There are tutorials and also a forum where the developers answer all questions.
      Thus, for most users the configuration is just one button click and it's enough.

  19. I just want to say THANK YOU… 🙂 It's the best long-form post there is on the internet.
    But please add more plugins too (like BBQ, All In One WP Security, etc.).

    • Hey Tommy, thanks a lot for your feedback!
      Although I've picked out the best security solutions, you can find some information on the mentioned security plugins in the comments (you can Ctrl-F on the page to search). Adding more plugins to the main body of this article would be too much.

  20. Hello Michael,

    Astonishing examination and work went into this article

    Thank you so much 🙂

  21. This is one of the best articles on WordPress security plugins. Nicely put together, Michael.
    I appreciate the time you have spent on this. I have chosen Wordfence after reading your article.

  22. Michael Reed says

    Looking at the recommended options on various WP sites and blogs these seem to be front runners:
    • Wordfence
    • Sucuri
    • WebDefender
    • iThemes Security
    • BulletProof Security
    • All In One WP Security & Firewall

    All have been discussed either in the article or comments, with the exception of WebDefender.
    Have you tried that and if so what’s your opinion on that ?

  23. Thank you Michael for your awesome research.

    By the way, did you try the "WP Cerber Security" plugin?
    If yes, what do you think about it?

    Many thanks

    • Hi Luca,
      I have not tried this plugin. But from what I can see in the plugin's description and the paid product overview, its strongest side is the scanning option. Its best part is in the paid product. In general, it's a rising competitor to Wordfence.

    • I have been running Cerber alongside Sucuri and Wordfence but it's recently been booted off the WordPress repository, which I'm very upset about. It has exceptional anti-bot abilities, and like many security plugins lets you hide your wp-login page, which is great, but it also gives you the option of leaving a page in place there which simply doesn't work regardless of whether you type in correct credentials (while you log in on the secret link). It's quite a clever security-through-obscurity device because it doesn't let them know that anything is wrong and they just get banned after the usual 5 password fails or whatever, which I find hilarious looking at in the logs. I hope they sort it out soon because I've not seen anybody else do this.

  24. Yeah, undoubtedly Sucuri is the best. But if you need any support from their team then you need to have a paid version, as they respond differently to paid and free users.

  25. I had a bad attack about 3 years ago and my site was spitting out porn sites under deep cover. It took quite a while but it was finally resolved by Sucuri and I was happy with their service.

    Since then they were purchased by GoDaddy and even though it all goes through their Sucuri server I get occasional attacks, as noted by a "" file that Wordfence sends me.

    This last time when I spoke with the people at Sucuri I got a heavy sales pitch to purchase additional security. I pay $200/year (for 1 site and 5 subdomains) and have just been asked to pay extra for the subdomains. Is anyone else having this problem? My security bill would go from $200/year to $1,200/year. Thanks.

    • Hi Jeff,
      Sucuri's pricing policy is on a per-installation basis. $200 per year is the price for covering one website only.
      So, if you have 6 websites (even if it's a domain and 5 subdomains) then the price increases accordingly.
      Maybe an agency license would be cheaper in your case, but I'm not sure; you need to contact Sucuri.

  26. I’ve been using iThemes Security and impressed with all the things it catches. I’ve taken the time to adjust many of its settings, although I haven’t locked everything down that is possible.

    Based upon your observations about BulletProof Security, I’m planning to give it a try and might even go for the Pro version.

    Have you ever run across the “Bad Behavior” security plugin???
    I’ve been using it for years and impressed with all the crap it stops.
    Be sure to look at the “about” page for a description on how it works.
    I’ve been installing it on every WP site I build in addition to iThemes Security. When you take a look at its settings, I always activate the following…
    Security | Strict checking (blocks more spam but may block some people)
    http:BL | http:BL Access Key

    If you are not familiar with Bad Behavior, you might want to take a closer look and share your perspective. I periodically check its Log file and am always impressed with how much junk it is rejecting.

    By the way, thanks for all the work you are doing and also maintaining the EIG list. I’ve been burned several times by EIG buying hosting companies that I was happy with and then EIG screws me in a variety of ways!!!

    • Hi Roger,

      As far as I can see from the description of the plugin you are asking about, its purpose is to fight spam, acting like a PHP firewall against bots.

      I have not analyzed it in depth though.

      I fight spam by using the super light Invisible Captcha plugin (blocks automated spam in a very elegant and safe way) in conjunction with the BPS plugin, which has a lot of built-in options to fight back malicious traffic at the .htaccess level.

      I don't have spam on my website. All spam goes to the spam section. Only human spammers get through, which I review additionally.

      Besides, some time ago I started using Sucuri Firewall which, in addition to the security stuff, saves a lot of bandwidth and speeds up the site.

      I think the strength of the Bad Behavior plugin is that it can be used against spam not just on WordPress sites.

  27. Danial Wilson says

    I would like to suggest one security-related plugin: User Blocker – WordPress Plugin. This is a free WordPress security plugin that provides the ability to block or unblock user accounts quickly and effortlessly. It has several features such as block user, role-based block user, customizable message, etc.

  28. Saw this awesome article yesterday noon, couldn't read the whole thing, bookmarked it, and later read it at night.

    Michael, you're just outstanding at explaining every detail. I was exploring what the best security plugins are; all the other blogs have just described the ordinary features, but YOU! Mind-blowing.

    Explanation of every detail, comparison, rating, all just superior.
    Since I handle 2-3 blogs and at the starting level I have less money to invest, I've chosen BulletProof Security and it's doing its job great. Sucuri might be better, but at this point I can't afford it (hoping to in future).
    What's your opinion about BulletProof Security Pro? Is it sufficient for a starting blog (well, as I mentioned, not so wealthy now 😉)?

    Anyway, I have bookmarked some more security posts and will go through them deeply soon.
    You really forced me to subscribe to your blog at a single glance over this post, man.
    Keep up the good work.

    Very appreciated 🙂

    • Hi there,

      The BulletProof Security plugin is one of the best free options available on the Internet. And its Pro version is just the most cost-effective solution on the market (one single license is valid for an unlimited number of sites). Many websites (including the website of the plugin's developers) use just this one security plugin as their security solution. So if you take the maximum out of it, that can be enough. It may seem a bit technical at first, but once you get used to its interface, it's all fine and you have a lot of options at your fingertips.

      You can also search (Ctrl-F) on this page for "BPS" to read more thoughts on this plugin in the comments (for example this one).

      And by the way, thank you for subscribing!

      • Hi Michael,

        just about to adopt BPS Pro 🙂

        so before that I'd like to have some kind of advice/confirmation from you that:

        1) Accepting Sucuri might be top-notch, but while I can't afford that for now, after BPS Pro, what would be the best solution to enhance it more, or is it sufficient for a normal starting blog?

        2) One of my friends sometimes pings me like "your site is XSS vulnerable". I'm not a security expert and don't know these things in much depth, so enhancing the protection of BPS Pro with another plugin combination won't be an issue for me, but compatibility issues + slowdown (due to deep scanning) etc. etc. are things I don't want to deal with for now. Yeah! If there's a ready-made solution available then I can fix small issues.

        So, please show me the final guide, what & how I should start, to claim my site is protected 🙂

        Thank you.

        • Hi Bidyut,

          Thanks for your questions.
          Here are my answers and additional thoughts below.

          Sucuri Antivirus is the most hassle-free product that takes the security headache away from you while being comparatively affordable (compared to other products of this kind). Its main advantage, in very simple words for a non-technical user, is that not only does the risk of being hacked drastically decrease, but also, even if your site is hacked, it will be cleaned up for free an unlimited number of times.
          For many non-technical (or busy business) people this is just a no-brainer: just use Sucuri Antivirus and make sure you have a backup, and you can feel very safe without bothering about how it works. Very convenient.

          Sucuri Antivirus (as well as Sucuri WAF) mitigates XSS vulnerabilities.

          BPS Pro also mitigates XSS vulnerabilities (see this BPS Pro page, unfold the section "htaccess Core (B-Core)"). If for any reason you are lost in the BPS Pro user interface, don't hesitate to contact BPS Pro's technical support. They will help you make sure you are protected against XSS threats.

          On the other hand, please note that if you know that your website is already XSS vulnerable, it makes sense to get rid of this vulnerability if possible. For example, if your theme or a plugin that you use has an XSS vulnerability, then contact the theme's or the plugin's developer and ask them to fix it. Of course, in many cases it can simply be impossible to make the developers fix the vulnerability (developers are gone, theme not supported etc).

          Anyway, for present and future XSS vulnerabilities (and they can be discovered at any time in any theme/plugin), using a security product such as Sucuri WAF, Sucuri Antivirus or BPS Pro makes very good sense.

          Those were my additional thoughts about XSS vulnerabilities for you.

          And now, answering your question #1. BPS Pro and Sucuri Antivirus are products which work on different levels. Sucuri WAF (and the more powerful product Sucuri Antivirus) eliminates attacks and threats even before they reach your website, whereas BPS Pro deals with the attacks and threats which have already reached your website. Moreover, Sucuri products have more security options which are very easy to use (monitoring, post-hack cleanup, performance etc), whereas BPS Pro is oriented first of all on protection. That's why BPS Pro would be a great start, but for enhancing your website security Sucuri products would be superb.

          At the same time, BPS Pro is a very solid protection product. And in many cases using just this one security plugin is enough. Think of it as if you have good locks on the doors and the windows, an arsenal of weapons in your house, some mines in the backyard, barbed wire etc. And potential thieves see that you are a hard nut to crack. So, you can feel quite protected, and you are protected. But Sucuri Antivirus is like a security guard team that patrols around your house, intelligence, a rescue team and additional services. It's just a different level of security and service.

          So, if you have a limited budget, then BPS Pro is a really great option. But also, don’t forget about backups. Having backups is essential in any case. When you have additional budget, using Sucuri WAF or Sucuri Antivirus will just make your life safer and more comfortable.

          Security is just the thing that can never be complete. But it can be reasonable. Think again of it as if you are protecting your house. The more security measures you have, the harder it is for thieves, burglars or hijackers to get through. The more vulnerable your house is (multiple/insecure plugins etc) and the more treasures you have in your house (i.e. your website is popular), the more attractive it is for bad guys (i.e. malicious scripts, hackers) to get inside.

          Finally, my short advice for you now is to get BPS Pro and spend some time applying the security measures that it offers. It will help to mitigate your XSS issue too. And it will not affect your website speed at all. Also, make sure you have a backup solution. Besides, don't forget about using secure passwords. And of course, keep your website software updated. This would be a very solid foundation for your website security. Although it would be mainly focused on protection within your website (and therefore this is a limited security solution), this is the most essential part of the website security strategy. Speaking very roughly, this would make your website safer than something like 90+% of websites in the world.

          • As expected, great explanation again 🙂. In future I will attempt to be a Sucuri user if BPS Pro somehow disappoints me.
            Just purchased from your aff. link 🙂.

            Thank you for the detailed guide.
            Keep up the good work and research, and force us to be even tired reading your great articles daily 😉 🙂.

  29. Wow. Just Wow. This article is 3 years old and is still the best description of WordPress security I’ve found. OUTSTANDING job.

    (now to see if I’ll get a reply to the email I sent earlier today… 🙂 )

    • Hi Chris,
      Indeed, what changes continuously in the security field is the number of weaknesses and the ways the weaknesses are exploited. All up-to-date security tools catch up with the new threats. The article is still mainly current, even though I wrote it originally like 3 years ago.
      And an even more current (I'd say evergreen) article on website security is this one.
      By the way, I must have answered your email today. So please check your inbox 🙂

  30. Hi Mike,
    Thanks for such an excellent overview and analysis, it’s clearly the best comparison of WordPress security solutions currently available online. If I am not mistaken, your analysis is done with mainly shared hosting in mind. Based on your experience with these security solutions, I am wondering what would you recommend for a medium size (20K monthly visitors, 300+ pages) VPS-hosted business site? We have no problem paying for premium security solutions, but just want to make sure that there is no unnecessary overlap, as we already use Web Application Firewall (ModSecurity) and IP Address Banning (Fail2Ban jails) on the Apache side.


    • Hi Jeff,

      Thanks for your feedback and the question.

      You are right, the article is mainly for shared hosting users.

      However, 20K monthly visitors doesn't look too far from a shared hosting scale. Or maybe you meant 200K visitors per month?
      The number of pages your website has is also quite moderate.

      So, if your numbers are correct, then this article can be fully applied in your case very well too.

      And if you have a bigger traffic (now or in the future) I can add the following.
      More specifically, considering that you use a VPS, both ModSecurity and Fail2Ban are server modules which are great. But they work at the server level. To enhance the security, I'd suggest considering hardening the application and network levels of security. There will be no overlap in functionality since your current server modules operate sort of "after" the outer network layer and "before" the application layer.

      The most useful addition to your current configuration, in my opinion, would be a cloud-based security service (e.g. Sucuri WAF, Akamai, Incapsula, Verisign etc) and something within your application (assuming you use WordPress, a WP security plugin or service, e.g. one of the ones reviewed in this article).

      1. The cloud-based service will protect you from DDoS attacks that your hosting (or data center) simply can't handle. And it will filter out the malicious traffic before it reaches your server.
      2. The application-based solution (a WP plugin or a service) will help you deal with the threats that get through the preceding security layers. It can also help with handling the consequences of successful attacks (e.g. restoring your website after automated contamination or even human hacks).

      In this respect, I think the best (i.e. the most reliable and hassle-free) solution (and reasonable in terms of price for a medium-sized project like yours) would be Sucuri Security. It's a combination of the cloud-based firewall Sucuri WAF and tools/services for securing and handling website-level threats. The Sucuri service is great in terms of usability, i.e. you don't need to spend much time and you don't need any special knowledge to use it.

      In addition to it (either Sucuri WAF or, better, Sucuri Security), I'd use the BulletProof plugin in case you use WordPress (either the free or the paid option of BPS is fine). Even with automatic settings it enables great protection at the .htaccess (i.e. application) level. The paid option is fabulous if you spend a bit of time in order to take advantage of it.

      Besides, I love both Sucuri and BPS products/services for being absolutely friendly in terms of performance. Whereas some other plugins may affect website performance, these two can't make your website/application slower (and Sucuri WAF/Sucuri Security even improves the speed thanks to using a CDN).

      I suggest going to the sections devoted to the mentioned products and reading both the short overview there and the products' websites for deeper details:
      – Sucuri WAF (see the section above),
      – Sucuri Security (it includes Sucuri WAF, see the section above),
      – BulletProofSecurity free (see the section above),
      – BulletProofSecurity Pro (see the section above).

      Also, feel free to let me know if you have any other questions or if you need more details regarding my reply.

  31. Hi Michael

    I’m sorry… my head is full… ^^

    Have a good day 🙂

  32. Hi Michael,

    I have seen CodeGuard's offers but your prices are different from their site!
    You are posting $60/year but on their site it's between $5 and $299/month.
    That's not the same thing 🙂

    Thank you

    • Hi Olivier,

      Thanks for your comment.

      In my article I mention the prices applicable for 1 website by default. You are right that this is not clearly stated in the pricing tables. I will add the corresponding notes shortly.

      As regards the figures, $5/mo is the price for backing up 1 website. And it's billed annually, which makes it the $60/year that I mention in my article. Thus, this is the correct price provided 1 website is considered. More websites will be cheaper to back up when calculated per website.

  33. Excellent!
    Thank you very much for your post!
    Have you test the solution MAINWP ( ?
    I use this for my personal websites but now I will manage customer websites, and MainWP is already fine with their options (free and paid); did you test this solution too?
    Thank you

  34. Hello, Michael.
    I'm wondering when you will add All-in-One WP Security & Firewall to your comparison. Lately, this plugin has been popping up a lot in security plugin searches and I see a lot of "top security plugins" and "best security plugins" articles that contain this plugin, many to the detriment of one of the ones in your comparison. Also, it has a pretty large number of installs and a very good score on, so it must be something worth testing. I do use it on a few sites and I quite like it (it's user-friendly and has a lot of options), but I'm not sure if I should really rely on it or not, or, maybe, if I should combine it with another one for additional features.

    • Hi Ovidiu,

      Thanks for your comment.

      When I initially wrote this article, the All In One WP Security & Firewall plugin was not as popular as today. So I did not include it in my article, which was already too big at that time.

      In general, I think that the major players in the security & firewall plugin field are catching up with each other, trying to use the best things from each other. The AIOWP plugin has also become one of the major players. So I believe it's also a plugin that can be trusted, as are the other plugins mentioned in my article.

      The advantages that let WordPress security solutions really stand out are the cloud solutions and cloud firewalls (like the WAF or CloudProxy offered by Sucuri). So, if you don't feel confident enough with a plugin (which makes sense), I'd rather look to cloud firewall solutions to enhance your security. Any plugin is local software and that is its weak point. Cloud solutions work on a higher level (beyond your hosting server).

      After all, I agree that it's time for me to include the AIOWP plugin in this article. I'm just not sure when I'll have time for this. Many things are scheduled in my to-do list.

      Anyway, hopefully I helped you somehow with my reply.

  35. Hey!

    Great post! We would be very grateful if you would try and then express your opinion about our plug-in. It's not as popular yet, but we are receiving good reviews from our users. Our product offers all-around website protection and security modules as well as several interesting additions such as an automatic version updater.

    It's the WordPress "WebDefender":

    Many Thanks,

  36. Thank you for this comprehensive article. When you say you use Sucuri and BP – can you tell me the individual apps/services that you combine? Many thanks, Vickie

    • Hi Vickie,
      Thanks for your feedback.
      At the moment I use Sucuri WAF and the BPS plugin. This is the fastest and a very reliable combination. Moreover, Sucuri WAF improves speed significantly because it's not just an application firewall, but serves also as a CDN.
      I'd be happier to use Sucuri Antivirus (which includes the WAF) to feel even safer and be absolutely covered in case of hacks, but this is a bit above my budget.
      Hope I answered you.
      Feel free to let me know if you have any other questions.

      • I agree about Sucuri Antivirus being over my budget too. I did buy BPS Pro. I installed it and I had to reinstall my site. I will try again. I also use the free Sucuri plugin with no problems. Still going over your article – very good and in-depth. So I just found out that GoDaddy bought Sucuri and as a developer you can get a better price than retail. 🙂 Vickie

        • Hi Vickie,
          BPS Pro support is very helpful and technically skilled. Feel free to contact them if you have any issues.
          As regards Sucuri, yes, there are agency plans as well which are more price-attractive.

  37. Wow Michael, that is a long comprehensive comparison that I was looking for.
    I was about to install iThemes plugin on another website, and thought maybe I should see what the others are about.
    Thanks to you, I am trying out BulletProof and Sucuri and making sure my backups are working.

  38. WOW!!!!
    Thank you!
    Amazing research and work went into this article – thanks

  39. I have installed both the iThemes and Wordfence security free plugins, which I think seem like a great combination, and from my research over the last couple of weeks, from other experts, it seems these are the top 2 to use overall. I did notice that in order to secure the Wordfence firewall and give full protection, the ‘remove file writing permissions’ option has to be turned off in iThemes to allow Wordfence to update the files. It is best to install Wordfence first for this reason. It was good to know that Wordfence could not write to any of the important files, because that meant iThemes was working incredibly well. I am not sure if there will be any other conflicts with using both of these together? I notice both can limit login attempts and at the moment I have them both limiting login attempts. Have you ever tried this combination and know of any conflicts?

    One thing I am not sure if you mentioned, it is good to change the Admin http address so that hackers cannot find it. I have taken advantage of this and love it.

    • Hi Sandra,
      Thanks for sharing your experience.
      Combining iThemes Security and Wordfence looks like an excessive option to me. I have not used this combination for a significant amount of time.
      Also, using overlapping functions (e.g. limit login attempts) in multiple plugins is not recommended. It’s better to use the option in one of the plugins.
      Yes, changing the Admin address is one of the options that can obstruct hacking.

  40. I just installed BulletProof, tried to run a scan, and all of my websites went belly up with a database connection error. I had to have all of my wp-config.php files restored. Not sure if it was BulletProof or not, but seems quite suspect.

    • Hi Colin,
      I’ve used BPS on more than 100 sites and have never had this kind of issue.
      Feel free to contact (the developers of BPS) with your information. The guys will let you know if this could be connected with BPS or not.

  41. Wordfence is also a good plugin for WordPress Security.

    • Yes, I reviewed it above.

      • Michael,
        Superb great site with the best illustration of all WP securities.
        I am planning to use all 3 FREE versions.
        Which 3 would be the best, perhaps: BPS, Sucuri & Wordfence, with WP Firewall?
        Or should I buy BPS Pro and use Sucuri and Wordfence Free versions to get the best 90% results?

        • Hi Sukumar,

          Before all, I’d go with BPS (or BPS Pro).
          It’s lightweight and efficient.
          Alternatively you can use All In One WP Security & Firewall if you don’t like using BPS.

          And then, mostly for scanning purposes, I’d go with either Sucuri or Wordfence. Sucuri is not heavy. Wordfence can be hard if you have a bigger site/weak server.

          If you prefer going free, I’d stick to light-weight options. Wordfence makes much more sense when a paid version is used.

          By the way, if you like using BPS, you can get BPS Pro and it can be the only security solution for you focused on protection. On my multiple websites I use just BPS.

          • Thanks Michael and great promptness.
            Pardon me, I just have 1 or 2 questions more to clear before I buy BPS PRO.
            OK then I can use BPS PRO as it can be used on multiple (1000’s if reqd) sites as it is a 1-time payment, lifetime.
            (1). But does it quarantine (clean affected sites once damaged)? Then it would be the best.
            (2). Also is it ok to use Wordfence (Free ver.) plus WP All in 1 Firewall (free) along with it? I feel it would really put 90% – 95% security on the site.
            Thanks Michael. Good day to you! I just made a free site (URL Below) – waiting for a good profitable Niche to sell (Oops.. if you know any or any site for it! – Not necessary to answer if you like!). Thanks!

            • Hi Sukumar,

              Yes, BPS Pro is a fantastic offer as regards its 1-time paid license allowing using it on as many websites as you need for a lifetime.

              Answering your questions:

              (1) BPS Pro sends files to quarantine if anything suspicious is found. Here’s the description from the BPS Pro site:
              BulletProof Security Pro protects your website files and database with multiple overlapping outer and inner layers of website security protection. The most powerful innermost countermeasure website security layer is AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS). All points of attack are monitored and protected by the extensive and comprehensive automated security systems and features in BulletProof Security Pro.
              ARQ Intrusion Detection and Prevention System (ARQ IDPS) is a real-time file scanner that monitors all of your website files for any changes or modifications on an ongoing basis and will automatically autorestore and/or quarantine website files if any file changes or modifications are found that do not match your backed up files. You can read more here.

              (2) I’ve read in the plugin reviews on there are compatibility issues between WordFence and All-in-One WP Security.
              However, there should be no conflicts between BPS Pro and WordFence (by the way, this thread can be helpful).

              As regards a profitable niche, can’t help you much with it, unfortunately.

              • Michael,
                Thanks a million. I really do appreciate your keen response and well detailed help.
                Thanks, I really do feel like you are a great true friend to have.
                In all cases of security issues (if any occur) I may ask for your good help. But not otherwise.
                I wish I could get someone like you for WORDPRESS web making and plugins etc.
                Do you know of anyone out there? Please give me his Forum. Thanks again Michael.
                Have a great day & GOD bless you for your good help!

  42. By the way Sucuri Basic plan for their Website Application Firewall (WAF) DOES NOT support SSL sites!
    You have to pay for their Pro or Business plans. This was from their online chat staff. If I am wrong (or the online chat was wrong) please correct me Sucuri.

    • I work for Sucuri, and we actually include a free LetsEncrypt SSL cert on our Basic plan, which covers the firewall and allows your site to be HTTPS.

      If you want to upload your own cert, you do need the Pro or Business plans. This will allow you to use a wildcard or EV/OV cert if you like. This also ensures that DNS propagation is seamless.

      Hope this answers your question!

      • Thanks for replying, Alycia.
        Ahh, so as my sites are already served through SSL, your basic plan will continue serving my sites through the LetsEncrypt SSL. But if I want a different cert (like Comodo SSL) I’ll have to upgrade to Pro or Business. Is my understanding correct?

        • Yes, but keep in mind once you add your site to Basic, we need to generate the LetsEncrypt cert. This takes a bit of time to propagate. If you are currently forcing HTTPS, that could cause a short disruption.

          We include Comodo certs through Pro/Business plans – so you can either upload your existing cert, or allow us to generate one on our firewall/proxy servers – and then activate the firewall once the generation is completed if you are forcing HTTPS.

          Let me know if you have any further questions! Our Firewall team is always happy to help you out too 🙂

  43. One of my clients is running both Sucuri and WordFence in unison so occasionally they’ll receive a false positive notification then ask me if it’s ok. I’ve created this image to be sent in every future email that matches the proper context:

  44. Nobody asks about the legendary test company “Acunetix” and its plugin, or “icontrolwp”, “iThemes Security (formerly Better WP Security)”?

  45. Finally a good page where all is tested and compared!!!

    • hm, All in one security is not there :/

      • Hi Thomas,
        Thanks for your comment.
        The purpose of this article was not to review all the security plugins.
        Anyway, you can find a lot of information on AIOWP plugin in the comments.
        You can search for “AIO” and “WP Security & Firewall” on the page (Ctrl+F if you are on PC).

  46. Hello Michael,

    Thank you for this fantastic info!

    I am hoping to get your opinion on the info presented on the following page by Wordfence.

    Thank you in advance

    • Hi Jonee,

      Thanks for your question.

      Endpoint security (WP security plugins such as WordFence) is a part of website security.
      But Endpoint security can not handle widespread DDOS attacks from distributed IPs (whereas cloud WAFs can). Deeper levels of DDoS attack protection can’t be handled at all and/or the costs of it would be too much to be discussed here (among non-profit bloggers or small and mid-size businesses).

      So, Cloud WAFs are great and do their part of work great. At the same time cloud WAFs are also only a part of website security. There are several layers of your website security:

      Cloud WAF + Endpoint security (on your server/website level) + Security on hosting level (secure hosting) + your security hygiene (use strong passwords, two-factor authentication, don’t use passwords on public Wifi etc) = The best approach

      As regards particularly Sucuri Cloud WAF, it lets you add some simple lines of .htaccess code to protect you even if a hacker (malicious bot) knows your server’s original IP. Although it can’t protect you from the load that is caused by DDoS attacks on your original IP. And of course, WordFence can’t do that all the more so. This is what your hosting should do. But this level of security is so deep that most hosts (not only shared hosting providers) don’t offer it. This is something that can be handled for a much higher price tag. And most website owners can not cope with such costs (even anything close to such prices).

      Besides, as regards DDOS attacks, Cloud WAFs including Sucuri can protect you from most attacks whereas Wordfence (and other endpoint solutions, i.e. WP plugins) can not.

      Anyway, such threats when deep level DDOS attacks happen are not common. And if they occur, this is rather a specific attack which is sort of ordered by your competitor if you have a very serious business. It’s very unlikely to happen with a typical website.

      Also, Cloud WAFs filter most malicious traffic. This is the most common problem that Cloud WAFs solve (and WP plugins can not solve).

      By the way, however strong your website security is, it’s possible to hack your website. The question is only in how expensive it is for the hacker. Both Cloud WAFs and WP security plugins do their parts of the work. And my opinion on the strategies of how to protect a website is presented in this article.

      To sum up, the questions raised in the article you linked to are rather marketing wars between website security companies than anything else 🙂 But it’s useful for education purposes though.
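      The “simple lines of .htaccess code” mentioned above, as an added illustration (not code from the article or from Sucuri): the origin server accepts requests only from the WAF’s published source ranges, so a visitor who learns the origin IP still gets routed back through the firewall. The CIDR blocks are documentation-range placeholders and must be replaced with the ranges your WAF provider publishes.

```apache
# Added example, not from the article or any vendor.
# Only the cloud WAF (and the server itself) may talk to the origin directly.
# PLACEHOLDER ranges (RFC 5737 documentation addresses) - replace them with the
# WAF provider's published egress ranges and keep them in sync when they change.

# Apache 2.4+ (mod_authz_core)
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 192.0.2.0/24       # placeholder: WAF range 1
        Require ip 198.51.100.0/24    # placeholder: WAF range 2
        Require ip 127.0.0.1          # local cron / health checks
    </RequireAny>
</IfModule>

# Apache 2.2 fallback (mod_authz_host)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24           # placeholder: WAF range 1
    Allow from 198.51.100.0/24        # placeholder: WAF range 2
    Allow from 127.0.0.1
</IfModule>
```

A stale allow-list blocks the WAF itself, so verify the site still loads through the firewall after every change. As the reply notes, this stops application-level bypass only; it does nothing against volumetric traffic aimed at the origin IP.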

  47. Michael,

    Since I know you use Thrive Leads, I thought you might like to know that the team at Thrive Themes just told me Sucuri has problems interacting with Thrive Themes. They recommend WordFence Security if you are on Thrive Themes. (I tried using Sucuri and it caused me to be locked out of logging into WordPress.) Thought I’d mention this in case any of your readers encounter this.

    • Hi Tom,

      It sounds very strange.

      I use both Sucuri and Thrive Leads and no issues.
      Recommending using WordFence instead of Sucuri does not sound clear to me, to put it mildly.
      Also, I don’t understand how exactly Sucuri may conflict with ThriveThemes and why it could not be resolved easily.
      I’ll contact Thrive Themes guys for details.

      Also, I’ve never had any issues with Sucuri of being locked out. Only when my IP changed, but it’s normal. And I just needed to whitelist my new IP in Sucuri’s dashboard.
      Your locking-out case must have been something pretty specific.
      What did Sucuri support tell you regarding it?

      Update: I’ve contacted both ThriveLeads and Sucuri. Here’s the information for all interested: Nothing is wrong with using both products. If you encounter a problem, this would be an isolated issue that should be handled specifically. If this happens, feel free to contact Sucuri support and the guys will help you resolve your issue.

  48. Hello Michael,

    Thank you for breaking down and clarifying such an important topic! I feel much more informed after reading several posts on your site. What I still am unclear about is the SSL certificate. From what I understand, I can get it separately, although reputable hosts usually provide it (too late for me, but will switch to a good one upon renewal). How important is an SSL certificate? I don’t think Bulletproof Security and Sucuri Security (the free versions) offer that, correct? I also read that an SSL certificate affects Google rankings – is that legit or just hype, do you know?

    Thanks in advance.

    • Hi Angie,

      Thank you for your feedback and your questions.

      SSL is something that your host or SSL Certificate Authorities can provide you, not security plugins.
      Hosts usually provide easy implementation of a free SSL certificate called LetsEncrypt.

      As regards whether SSL improves Google ranking etc, here are my thoughts.

      Although Google announced that they give some preference to https websites (1% of websites may be affected), in my opinion and considerations, the ranking effect is more a hype or a bait than something real. I can’t say for sure, but I would assume that the one percent of the affected search queries that Google talks about might be connected with e-commerce sites which didn’t use https or something like that.

      Also, encouraging https might be connected with the drift towards SPDY (http/2). And it’s faster than http. And being faster means indirectly better ranking.

      After all, I believe the phrase ‘Google gives a ranking boost to https sites’ is a hype based on Google’s strategy of a different kind.

      If your website is not connected with e-commerce or getting your visitor’s sensitive information, SSL did not (and still mostly does not) really make sense.

      So, for ordinary websites or blogs which do not gather users’ sensitive information, SSL is more of a reputation thing than anything else. I still don’t really see enough practical reasons to use it (and I don’t use it as you can see on this blog).

      However, Google is more and more encouraging people to use https even if you have just a simple blog. For example, the Google Chrome web browser may display a ‘not secure’ icon in the URL field.

      And if Google goes further in its intention to turn the Internet into an https-Internet by adding dreadful warning signs on non-https sites, or if Google announces more arguments, or if my visitors start telling me that they feel more comfortable seeing my site with https, then I’ll consider moving to https. But, for now, I’m too lazy to switch to https 🙂 But sooner or later I’ll have to switch to https I think.

  49. Hi Michael,
    Great post, it convinced me to go with the Sucuri AV solution. My site runs on a cloud VPS and I am currently using the Wordfence plugin (free) in addition to a “typical” Apache security suite (i.e. ModSecurity, iptables firewall, fail2ban jails). After switching to Sucuri AV, I am planning to get rid of Wordfence (seems to be redundant with Sucuri WAF), but plan to keep the Apache stuff… do you think it’s a good idea?
    Also, you are recommending CodeGuard for backup… I don’t really think I need it as I run scheduled full backups on my VPS and FTP them to my local machine on schedule. This way I can restore the entire VPS, if needed. With this setup, will CodeGuard give me any benefits?
    Thanks for your time reading and answering this!

    • Hi Jeff,

      As regards using CodeGuard, it depends. But I think that in your case it may not be justified if you already have a backup solution that works well for you.

      There are a couple of advantages though that you may get by using CodeGuard in your case.

      1. CodeGuard’s backups are incremental. So, if you have a big website and making a backup takes a lot of server resources, then it may make sense to use CodeGuard.

      2. CodeGuard sends daily reports by email informing you what has changed on your website. It’s a sort of additional layer of website security that I find pretty convenient from a user point of view. I get notified each day that my backups are generated fine and I see whether there are any unauthorized changes on my server. Not sure if these arguments matter much in your case.

      3. CodeGuard sends alert notifications by email from CodeGuard’s server if creating a backup failed (e.g. your website was down). Most other backup solutions rely on a php function to send emails which may fail as well if there are issues on your website’s server. And you may stay unaware that there are any problems. Using CodeGuard adds a bit more peace of mind this way. Not a deal breaker in many ways, but still it’s a nice addition.

      So, whether or not you want to use CodeGuard depends on how comfortable and efficient your current backup solution is. My general recommendation to use CodeGuard is based mostly on the idea that CodeGuard is more reliable, efficient and comprehensive (and sometimes even cheaper) than WordPress backup plugins or other cloud-based backup services. So, in your particular case your priorities may be different.

      Getting rid of WordFence if you use Sucuri AV sounds like a good idea. WordFence’s strong side is scanning functionality. But if you use Sucuri AV, it already includes stronger and more efficient server-side (as well as remote) scanning and monitoring. By the way, there’s an article on Sucuri’s site about it. Moreover, Sucuri does its job much more gently than WordFence (WordFence is known to load a server heavily in some cases).

      As regards Sucuri WAF and a “typical” Apache security suite, I think it’s a good idea to contact Sucuri’s tech support and ask them whether you need to configure specifically your server security. I’ve heard there can be conflicts, e.g. ModSecurity blocked all traffic from Sucuri WAF.

      Hope it helps!

  50. Hi Michael,

    Thank you for your patience but the username is not a default one.
    Any other way to get the job done.

    • Hi Sudeep,

      Hmm, interesting.

      Have you tried to create another user name with Administrator role and log in using that new name (as suggested in the support thread I’ve mentioned)?

      Also, perhaps, your current user name is already locked in the plugin. You need to unlock it.
      (By the way, no need to delete the plugin if you are locked out. Do this instead: Use FTP or your web host control panel file manager and rename the /bulletproof-security/ plugin folder name to /_bulletproof-security/ and log in to your website. After logging into your website, rename the /_bulletproof-security/ plugin folder name back to /bulletproof-security/. Unlock your User Account on the BPS Login Security and Monitoring page.)

      If the above two solutions don’t help, I suggest posting your issue in the plugin support forum. You should get better help there and you’ll resolve your issue.

  51. Hi Michael!

    After reading your article, I just installed the BP security but to my surprise, it locked me out, I had to uninstall it from the cpanel. Now the dashboard is working fine.
    Any clues? And the turnaround?

  52. Hi Michael
    This is really a great article, and I found some answers to some of my security questions, however, I couldn’t find a solution for the worst problem I have now in my blog: Affiliate links Fake Clicks. Somehow, whenever I write a new article I find hundreds of fake clicks on any affiliate link mentioned in the article, till now I couldn’t find any solution for this problem anywhere!
    Do you have any idea about one?
    Anyway, thanks for this great article, it helped me a lot with other problems 🙂

    • Hi Mohamed,

      Thanks for your comment.

      As regards fake clicks, I can just think of automated bot crawling events which are counted as clicks.
      I suggest analyzing your analytics data (and logs if you can) to find out from what web agents or referrers this fake traffic comes.
      Look at this article at Moz. It also has some links at the end of the article for more information.

      Also, you can read my short article to see an example how I used to protect my website against some fake traffic.

      By the way, after I started using Sucuri Website Firewall (I review it above) I stopped seeing any traffic from suspicious referrers in my Google Analytics and all my affiliate click statistics in all affiliate programs I participate in are realistic.

      Hope it helps.

  53. Hey,
    Thanks for sharing such a huge blog of “Best WordPress Security Plugins”. I will surely use one of them and give more security to my website.
    Thank You!!

  54. Awesome article, I was looking for a comparison article that was ‘real’ (and wasn’t written by one of the companies’ SEO guys;)

    I was considering BPS and wanted to get the low down just to make sure the features I was reading stack up in the real world, and against the competitors. I like the suggestion of using it with a WAF, something I’m looking into now;)

    Your article has given me the confidence that BPS is going to be spot on, and offer a very good level of security and easily fits the real world budget…in fact it’s an absolute steal at the price to be fair:)

    Again many thanks, what you do takes a lot of time and expertise and it’s greatly appreciated, keep up the great work…just gonna make another coffee and check out some more articles:)

    • Hi Steve,
      Thanks a lot for your feedback.
      Indeed, BPS is a bargain. The guys behind it are developers in their bones and fans of security things. But they don’t (or better to say, can’t) pay much attention to marketing and visual attractiveness of both their plugin and website. That’s why it makes them the choice of more techy clients.

  55. Hi,

    I have trouble configuring WF on NGINX. What solution do you suggest for this server?

  56. Hi,

    Have you tested using Bulletproof Security (paid) + Sucuri Security (free) + WordFence security plugin (free) together on one site without conflicts?

  57. Super information here.

    Please, if you can, tell me what you think about

    All In One WP Security & Firewall

    • Hi Yard,
      Thanks for your feedback.
      As regards All In One WP Security & Firewall plugin, it’s discussed quite a bit in the comments. Please search for “AIO” and “WP Security & Firewall” on the page (Ctrl+F if you are on PC).

  58. Thanks for publishing such useful information related to WordPress security. I have learnt a lot.

  59. Hi Michael,

    I am searching for WP security plugins to enhance my shared host’s security so I’m glad I’ve found your unbelievably informative articles here! I just finished reading the entire article as well as the comments however I’m still on the fence about which plugins to install.

    I’m a complete beginner to WP administration and am working on a project with a limited budget so I’m interested in a comprehensive free solution that is user friendly to a beginner.

    I’ve seen your recommendation for combining BPS free, Sucuri free, and Wordfence free in section 10.2, however your description of BPS makes me concerned whether I’ll actually be able to configure it correctly as well as resolve any compatibility issues without breaking my site. In addition, it sounds like I would like to avoid Wordfence due to its resource-heavy scanning.

    Would you still recommend BPS free + Sucuri free + WF free for a complete beginner looking for a free comprehensive security strategy, or would something like All In One WordPress Security and Firewall be a better solution for someone like me who is just starting out learning and on a bootstrap budget?

    • Hi Ben,

      Thanks for your question.

      Sometimes a lot of information does not make things more clear. I understand it and I feel your uncertainty.

      Answering your question, BPS free + Sucuri free + WF free is still fine for a complete beginner. You just may try it yourself and see if it’s overwhelming for you or not.

      By the way, BPS has one button setup, so you just install it, press the setup wizard button and you are done.
      Its beginner-user complexity lies mostly in its user interface if you want to apply extra protection or understand it inside out.

      You also don’t need to worry much about WordFence if you have a small website. If you have a big website, then its effect on performance may be an issue. Also, to avoid possible performance issues make sure you disable live traffic view (in case you don’t really need it).

      As regards ‘All In One WordPress Security and Firewall’, it does not fully replace the above combination of plugins. But if you want a lighter solution, you can give it a go.

      And of course don’t forget about security hygiene such as password strength, updating software etc that I describe in my other article about basic website security.

  60. Wow, this is a very complete review, I came from Google to find information about BPS premium, because no offence, their site is confusing. So thanks for creating a simple review of each product.

    I’m a graphic designer and a complete beginner in the website and hosting area, when I first created a WordPress site it was hacked many times, the server collapsed because of DDOS, got brute force attacks, etc.

    Then I’m using BPS free, combined with Loginizer paid, wow I never deal with hackers anymore. I tried Wordfence but I think it’s heavy if I check it on my server resources used.

    And I checked at Sucuri, Sucuri detects my site has a firewall, I’m not sure where the firewall came from? Do you think it’s from BPS? And when I asked a cyber security guy to check and test to hack my site, he told me that my site is super secure from beginner and intermediate hackers, the one who can hack it must be an “another level” hacker, and it is impossible they want to hack my site because my site is just a small site, not ecommerce.

    Btw, even my site is secure but I’m paranoid, do you think I should upgrade BPS to paid version?

    Thanks Michael, I believe you spend many hours to create this detailed article 🙂

    • Hi Kris,

      Thanks for your story and feedback. I appreciate it very much!

      As regards detecting the firewall, I’m not sure where it came from. BPS is considered to be a firewall on the htaccess level. But BPS is not a true web application firewall like Sucuri WAF that is located outside of your installation.

      By the way, how did you find out that your website is under firewall? You mentioned you used Sucuri. If you mean then it does not detect BPS as a firewall.

      As regards updating to BPS Pro, I’d not say this is a must. Getting BPS Pro adds advanced tools and protection against more sophisticated hacking ways and malicious traffic. For beginner websites it’s more important to maintain a clear hygiene such as using plugins from trusted developers, keeping your plugins and WP version updated, using strong password etc that I describe in this article 🙂

      However, if you feel or notice that there’s a suspicious or malicious traffic to your website, then it makes sense to pay attention to additional security measures.

      At the same time, for peace of mind it’s justified to get a pro version, especially considering it’s just a one-time, quite small payment. But generally, even a free BPS version in addition to other free preventive measures should be enough for a small site to make it more secure than most other websites in the world.

      By the way, most websites are hacked not by human hackers, but by bots which exploit vulnerabilities. From this respect BPS Pro is a more advanced tool.

  61. Hi, Michael, thank you for your awesome post.

    I have a question: If I choose BPS Pro + Sucuri free + Wordfence free, would I have another compatibility issue in addition?

    And what about using it with other plugins that work with .htaccess like W3 Total Cache? In this case, are other cache plugins better?

    Thank you very much for your help!!!

    • Hi Jose,
      thanks for your comment.
      There’s a compatibility issue between BPS and Sucuri, and between Sucuri and WordFence. They can be resolved. Look at this section above for the appropriate links.
      As regards compatibility regarding htaccess file, there are no issues. So, you can use W3TC and BPS (Pro) without issues (I use the same configuration).

  62. Hi Michael,
    Thank you very much for this wonderful detailed article that really helped me a lot, even the protect-your-website article, I implemented most of it on my WP,
    even the comments, I read them all (yea, I spent that much time on your articles ;P).
    I just have to ask you, I’m new to WP but I believe that I’m a fast learner in that field,
    I’m on a budget right now so I bought the main necessary plugins that would save me some.
    I’ve bought the following:
    WP-Rocket for caching and it’s really making a difference in my WP load time.
    Bulletproof Security Pro, and configured it well, and it’s really a very good plugin; I disabled the JTC antispam part and I installed the free new Invisible reCaptcha by Google. I also used 2FA with miniOrange 2 Factor Authentication, it’s really good for app-generated TOTP codes,
    and I also used UpdraftPlus – Backup/Restore (I might consider CodeGuard in the future)
    plus spam protection by Akismet Anti-Spam.

    So my question is which free security plugin for scanning should I use, or do you recommend something else, as I can’t afford Sucuri Antivirus to complete my Bulletproof Security Pro.

    Thanks for sharing, your effort and help, mate.

    • Hi Mohamad,

      Thanks a lot for your kind feedback and being an advanced reader of my articles!

      As regards a free option for scanning, I favor free Sucuri Scanner plugin (I describe it in this section). It’s light-weight compared to WordFence. However, if you want the most powerful scanning option for free then you may want to choose WordFence. Also, see some possible compatibility issues here.

  63. Excellent round up of security plugins that can strengthen our WordPress Websites. I use both iThemes Security and Wordfence in securing almost all my websites and I can tell they are really efficient.

    I have also used Sucuri for scanning and uncovering security issues in some clients’ websites that were hacked. It is also a good plugin.

    Thanks for the great post!!

  64. Do you know how the SG Site Scanner powered by Sucuri (~$24/year) offered by Siteground is different from the free Sucuri plugin?
    Here is the url:


    • Hi Jon,

      SG Site Scanner uses basically the same malware/blacklisting scanning functionality as the Sucuri plugin (actually its malware scanning option only). Core integrity is not checked by SiteGround (and checked by the plugin).

      However, SiteGround offers automated malware/blacklisting scanning. Whereas the plugin does NOT do malware/blacklisting scanning in an automated mode – you need to run it manually each time in the plugin instead.

      Also, SiteGround offers scheduled email reporting (scheduled and informing you in case of contamination). Whereas using the plugin you need to go to your WP dashboard to see how it all is going on and whether your site is safe and clean.

      Besides, SiteGround offers even easier user interface/setup (can be a plus for newbies).

      Thus, SiteGround has an integrated functionality for malware/blacklisting scanning that is more convenient for the end user. But the core malware/blacklisting scanning functionality is basically the same. And the plugin has an additional option – core file integrity checks.

      After all, please note (just in case) that both tools (SG scanner and the plugin) offer remote malware scanning. For server-side scanning you may want to use Sucuri Antivirus product.
      Also, both options (SG Scanner and the plugin) do NOT do website security protection, only scanning/monitoring is offered. For the pro-active protection you need either Sucuri Firewall or Sucuri Antivirus.

      • Thank you for such a detailed reply. You explained it much better than Siteground.

        Since I do want more pro-active protection, but cannot afford Sucuri’s Firewall or Antivirus (I have several websites that I need protected, which would be about $600 with Sucuri), do you think that BulletProof Security Pro (paid) would be a good option for a combination of protection and scanning?

        • Hi Jon,
          BulletProof Security Pro is good for protection (the most important part of website security). It’s very good as an htaccess-level firewall. But BPS Pro is not for scanning.
          As regards scanning, it’s a separate job and it’s most efficient on the server side (Sucuri Antivirus offers that).
          Plugins for scanning can also be used, but they are less efficient (and more demanding on your server resources).
          The WordFence or Sucuri free plugins can be used for scanning.
          By the way, using just BPS Pro as a protection layer plus some additional basic tricks and security hygiene that I describe here will actually make your website much more secure than the most websites on the planet.

          • How I ended up here is because of Bluehost. I received an email last week that they had detected malware on one of my websites (they would not tell me which one – I had 9) and immediately deactivated my account and all of my websites. They routed me to Sitelock (a partner) and told me the only way to reactivate my account was to pay them $500. I think the whole thing is a scam, I did not pay them (paid an independent malware remover $260 which took 3 days) and have now migrated to Siteground.

            So not wanting this to happen again (despite using all kinds of security precautions like the ones you mention on your “Protect Your Website from Hacking” article) – although again, I’m not 100% sure I even had any malware (I will never use an EIG hosting company ever again) I’m looking for a more proactive approach.

            When I contacted Siteground they tell me this:
            “Even if malware manages to reach your sites through our 3-level security, we will notify you of it, provide you a list of the infected scans, and allow you 5-7 days to clean out the malware”

            And then another review of Siteground says:
            “Siteground hosting starts with a powerful firewall that blocks access to your site and continues with close monitoring of any vulnerabilities that exist in WordPress files. That includes WordPress core files and popular plugins.

            When the host discovers vulnerabilities, it implements server-level fixes to protect your site while the developers of the files in question work on updates.”

            So now I’m thinking with Siteground’s 3-levels of security, a firewall that blocks access to my site with monitioring, why should I even need to install any other security plugins? Am I missing something?

            Thanks again for your replies. They have been very helpful.

            • Hi Jon,

              Agree about EIG scammy practice.

              As regards your question about why you should or should not protect your site even more than a particular level, the short answer is there’s no such thing as enough protection. Even the most protected servers like Pentagon’s are hacked. The whole point is in balance between the risks of being hacked and the resources you input to protect your site. By implementing more security layers you decrease the probability of getting hacked.

              Here’s a simple example. Assume that a new vulnerability is found in a plugin that you use or in WordPress core. How do the hosts and WP users get to know that there’s the vulnerability? The simplified answer is that a lot of sites start getting hacked and the number of very risky and untypical requests increases very sharply. Security systems (like Sucuri) detect such malicious activity across the network of websites they monitor, and they issue a blocking firewall instruction (a patch). And then this patch is implemented by other firewalls in other companies (e.g. hosting) and software developers (e.g. plugin or WordPress core developers). This process takes some time, and meanwhile a lot of sites are vulnerable.

              Before a patch is implemented by all plugin developers, security plugin developers and hosts, your site remains vulnerable and can be hacked. Your web host can have a firewall, but it still might let this new threat go through.

              It’s a very simplified example, but it demonstrates that the more security layers protecting different parts of your website you have the more secure your website is. But anyway you can’t be 100% secure. Security is a process, it’s an evolving game between hackers and security systems.

              At the same time it is simply not practical to use as many security tools and options as possible because it’s an overkill (overlapping functionality, overloading your server, compatibility issues, too expensive etc).

              As regards SiteGround, it has better security than the most other shared hosts, but it does not guarantee that you are safe (read this). It’s too expensive for a shared hosting to implement very strong security.

              If you don’t have the budget to use the best-in-the-field Sucuri products, then I’d recommend using at least an htaccess firewall and two-factor authentication. Even the free versions of the plugins which provide an htaccess firewall (e.g. All In One WP Security & Firewall or BulletProof Security) will significantly reduce the risk of being hacked by the most widespread hacking methods. However, the plugins (as well as custom firewalls of hosts, including SiteGround’s firewall) are limited in their efficiency (no or limited pro-active protection). And they are not efficient against the newest threats that only the best firewall systems (e.g. Sucuri WAF) can handle. Only after some time can plugins and WP developers (as well as hosting firewall rules) catch up and add new firewall rules to protect you from these threats or update your software.

              Also you can read here about a recent example of WP vulnerability and estimate how much time passed after the malicious scripts and hackers started utilizing the breach and the time when a hosting and developer community became aware of the vulnerability, how much time it needed for WP developers to apply the patch, how much time passed then for WP sites owners to update WP version. And you will see that the point of website protection is a game with risks. Using a hosting with some security layers is good, but still quite risky.

              I would not feel secure relying only on hosting security, unless it’s a fully managed hosting (a much more expensive host) that explicitly guarantees, with realistic proof, to take care of your website security.

              • Thanks for that explanation. Now I better understand why and what’s needed for security. I think I will try BPS Pro and implement everything you mention in your “Protect Your Website from Hacking” article. I will also read your article on using UpdraftPlus backup and restore with Google Drive too. Thanks again for your explanations and your website – I’ve bookmarked it for future reference.

  65. Andy Beales says

    Hi, thank you for this awesome article. I found that a number of solutions don’t cover these three simple but dangerous TO DOs on WordPress HTTPS sites. I am using iThemes Security and Pro, and I see no resolution of that. Does Bulletproof help with that?

    1. Missing X-Frame-Options header
    2. Cookie not marked as HttpOnly
    3. Cookie without Secure flag set (which will cause many PCI DSS scans to fail)


    • Hi Andy,
      Thanks for your interesting question.
      I guess a much better place where you can get a technically precise and detailed answer for your question is the BPS Pro forum. It’s free to register on the forum and post any requests. I’m sure you’ll get a reply that will fully satisfy you. Also, there’s a search form on the forum on the right hand side.
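      The three findings in the question above are exactly what a PCI DSS-style scanner checks in the raw HTTP response, so they are easy to verify yourself after applying whatever rule a plugin or forum answer gives you. The script below is an added example (my own code, not part of the article, of BPS Pro or of any scanner) that audits one response for a missing X-Frame-Options header and for Set-Cookie headers lacking the HttpOnly or Secure attribute. The two response dumps inside it are constructed samples, not captured from a real site; the cookie names only mimic the ones WordPress and PHP typically set.

```python
"""Audit an HTTP response for the three header/cookie findings above.
Added example code; not taken from the article or from any plugin."""
from __future__ import annotations

import urllib.error
import urllib.request

# Constructed sample responses (not captured from a real site).
# "Before": no anti-clickjacking header, two cookies missing flags.
RAW_BEFORE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2018 00:00:00 GMT
Server: Apache
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/
Set-Cookie: wordpress_logged_in_0123abcd=admin%7C1514764800%7Cdeadbeef; path=/; HttpOnly
Set-Cookie: PHPSESSID=3f9a1c; path=/; Secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""

# "After": what the same response should look like once hardened.
RAW_AFTER = """\
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; Secure; HttpOnly
Set-Cookie: wordpress_logged_in_0123abcd=admin%7C1514764800%7Cdeadbeef; path=/; Secure; HttpOnly
Set-Cookie: PHPSESSID=3f9a1c; path=/; Secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Turn a raw response head into (name, value) pairs, names lower-cased.
    The status line is skipped; a header may repeat (Set-Cookie usually does)."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_framing(headers: list[tuple[str, str]]) -> list[str]:
    """Finding 1: no anti-clickjacking header. A Content-Security-Policy with
    frame-ancestors is the modern equivalent and is accepted in its place."""
    by_name = dict(headers)  # last value wins; fine for these two headers
    xfo = by_name.get("x-frame-options", "").upper()
    csp = by_name.get("content-security-policy", "").lower()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        return []
    if xfo:
        return [f"X-Frame-Options has unexpected value {xfo!r}"]
    return ["Missing X-Frame-Options header (and no CSP frame-ancestors)"]


def check_cookies(headers: list[tuple[str, str]], https: bool = True) -> list[str]:
    """Findings 2 and 3: every Set-Cookie must carry HttpOnly and, on an HTTPS
    site, Secure. Attribute names are case-insensitive per RFC 6265."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0]
        attrs = {p.partition("=")[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"Cookie {cookie_name} not marked HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"Cookie {cookie_name} without Secure flag")
    return findings


def audit(headers: list[tuple[str, str]], https: bool = True) -> list[str]:
    """All findings for one response; an empty list means the scan would pass."""
    return check_framing(headers) + check_cookies(headers, https)


def audit_url(url: str, timeout: float = 10) -> list[str]:
    """Live variant: fetch one page and audit the headers actually served.
    Redirects are followed, so check the final URL (e.g. /wp-login.php) directly."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            items = resp.getheaders()
    except urllib.error.HTTPError as err:  # 4xx/5xx responses carry headers too
        items = list(err.headers.items())
    headers = [(k.lower(), v) for k, v in items]
    return audit(headers, https=url.lower().startswith("https://"))


if __name__ == "__main__":
    for label, raw in (("before", RAW_BEFORE), ("after", RAW_AFTER)):
        print(label, audit(parse_raw_headers(raw)) or ["no findings"])
```

      Run it against the login page and an admin page, not just the home page, since the authentication cookies are only set there. On the fixing side: WordPress itself already sends `X-Frame-Options: SAMEORIGIN` for the admin and login screens via `send_frame_options_header()`, and you can hook that same function to the `send_headers` action to cover the front end (or set it in Apache with `Header always set X-Frame-Options "SAMEORIGIN"`, which needs mod_headers). WordPress marks its own auth cookies HttpOnly and adds Secure when the login request itself is over HTTPS (`FORCE_SSL_ADMIN` guarantees that); cookies that still fail are usually set by another plugin or by PHP sessions, where `session.cookie_httponly` and `session.cookie_secure` apply.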

  66. Hi Michael,

    I recently started to deal with WP, and of course one of the very first points must be security. Unfortunately I could not find your post immediately, but on the other hand it gave me the chance at least to get ready to understand your rather comprehensive analysis. Indeed I love the way you are approaching this topic.

    I ended up myself at the free version of Wordfence as a first trial. At this point I have to correct your pricing because unfortunately the paid version of Wordfence starts at $99 vs. $39.

    On the other hand I do not fully understand your evaluation concerning its protection. Based on different articles I had the impression that Wordfence is stronger in protection. But of course it could be also the result of their good marketing. I also don’t fully understand why the evaluation is the same for the free and paid version concerning protection. My understanding is that the firewall definition of the free version is behind the paid version with 30 days. That must make a difference. (A 30 days old virus definition on a PC would certainly fail on any security audit)

    I fully agree with your statement that as a start the protection is the most important classifier. (It is better not to get into trouble than find out how to get out of it :)) So as a result of your analysis probably I will try out Bulletproof too.

    Thx. for your article again,


    Obviously I fully agree with your earlier

    • Hi Attila,

      Thanks for the very detailed comment.

      Indeed, the pricing for WordFence has changed significantly.

      In general, as regards the star rating, it’s a complex evaluation and can’t be taken as a linear approach. In other words, 3 stars for one product does not always equal 3 stars for another product because of different approaches to the functionality.

      However, I fully agree with you about 30-day delay in applying firewall rules in case with WordFence (I think this was added not long ago).

      So I’ve changed the star ratings related to these points.

      Thanks again for your input.

  67. Came across this article recently. I am using Wordfence. It does the job pretty well, but I have a feeling that it slows down my websites. After reading this, I am planning to switch to Sucuri. Thanks for this wonderful article.

  68. Miguel Ángel says

    Hello Michael,

    Thank you very much for all of your hard work gathering accurate information about this important issue.

    I’m developing a site on Siteground.

    For now I’m using free Cloudflare proxy.

    I have no budget at this moment.

    I’m considering the 10.2 free solution but I’m not sure about installing Wordfence because I don’t want to slow down the website.

    What do you think about leaving out Wordfence plugin ?

    Of course, after reading carefully your excellent post, as soon as I have the budget, I would change to Sucuri WAF or Sucuri AV.

    Thank you very much in advance.
    You are doing a great work helping beginners like me.

    • Miguel Ángel says

      BTW, what do you think about replacing Wordfence by NinjaFirewall ??
      Is Ninjafirewall a heavy plugin which could harm the performance of the site ???

      Thank you again Michael.

    • Miguel Ángel says

      Sorry, a last question.

      If I remove Wordfence, would I need another plugin for brute force login protection ?

      Thank you.

      • Hello Miguel,

        WordFence’s strong side is scanning (and the most resource-demanding by the way). Of course, you can leave it out.

        As regards NinjaFirewall, I don’t think it’s a heavy plugin (especially compared to Wordfence). Although Ninja’s functionality overlaps with BulletProof Security, I’d use either one or the other.

        As regards brute force attack protection, BulletProof does it for you. But remember that, like any other plugin (including NinjaFirewall and Wordfence), its protection is located on your WordPress (server) level. True brute force protection can be done only with an external web application firewall (e.g. Sucuri WAF).

    • Miguel Ángel says

      Sorry Michael, I can’t see your answer here on the blog.

      I’m browsing in incognito mode.

      Thank you.

  69. Thanks for sharing your knowledge, I think I’ll stick with the standard Wordfence free version.

  70. First of all, thank you for this informative article. This is helpful for my website. By the way, I’m using iThemes Security; before it, it was Wordfence.

  71. Hello Michael
    You’ve heard this over and over again but I will say this one more time:
    Your content is king!
    King in value, in relevance, in its super logical organization, and in its efficiency.
    Keep it up!
    I found you on Quora while I was looking for answers about website security, and was immediately hooked over your content.
    And yes, I had also subscribed to your newsletter, Thanks!
    Here is my question which I assume could also relate to many other users:
    I am looking to backup and secure my website with Sucuri and Codeguard, but I have a problem connecting to CodeGuard:
    Codeguard provides FTP or SFTP connections, while my host does not enable FTP (plain text) on their shared environment – they provide FTP over SSL/TLS (FTPS) which is not supported by Codeguard.
    Now, I very much want to have Codeguard’s “time machine.”
    What would you suggest?
    Is it worth perhaps to move my website to another hosting service, isn’t that too risky?
    (My WordPress-based website is connected to a database that is hosted on Amazon AWS).
    Could you please advise, and if possible, I would also appreciate if you could suggest me a good tech guy or company that could do this transfer, and maintain my website and add features to my web application.

    • Hello Nissim,
      Thanks a lot for your kind words.
      As regards CodeGuard, have you contacted these guys? I guess they should support your hosting security configuration.
      Transferring website to another hosting is usually free and is done by your new host. But switching hosts only because of backup system incompatibility is sad. Try to contact both CodeGuard and your current hosting so that the tech guys in both companies could resolve the issue if there’s any.

      • Yes Michael, I have obviously tried both support teams, CodeGuard and my hosting and they have both said that these are their given limitations of their systems.
        My hosting suggested that I could transfer my account to their VPS package if I would want to use FTP, but that package is more expensive so I’d rather configure my site all over again with a host that provides SFTP.
        Do you think that this is my better option if I want the CodeGuard service, or else?

        • Hi Nissim,
          Well, I see. Very sad that you can’t use CodeGuard with your current hosting plan.
          So, I don’t see much of a choice here apart from either a VPS with your current hosting or going with a new hosting.
          By the way, in addition to the files backup, there can be an issue with your database backup as well (I don’t know if CodeGuard can handle the AWS database configuration with your current hosting). If backing up the database is also an issue, then switching hosts is the only choice to use CodeGuard fully.
          If you decide to switch your host, then I suggest contacting the new host and CodeGuard to make sure both files and database can be backed up by CodeGuard.

  72. Hello Michael,
    Your article has become my reference. It is the most comprehensive available and often referred to in the various FB groups.
    My only doubt is why you did not include AIOWP. This security plugin definitely belongs in the short list of big ones, although it is too little known.
    I would be very curious, and many with me, how they stack up against the others,
    Love all your research and honest opinions,
    Best regards,

    • Hello Frans,
      Thanks for your question and sharing my article 🙂

      Answering your questions:

      > why you did not include AIOWP?

      I also answer this question in this comment. The summary is that writing this article was a real challenge and it took much more time than I planned. Including more plugins in the list to review looked like a nightmare 🙂

      Also, AIOWP is mentioned several times in other comments (Ctrl+F and search for “AIO” on the page).

      After all, I have not looked very deep into AIOWP, but it looks good. I’d say, very roughly, that AIOWP from an ordinary user’s perception is something in between iThemes, Wordfence and BPS. AIOWP’s strongest side is its combination of firewall options (not a very clear topic to most users) and other nice features (familiar to most users), plus a friendly user interface.

      BPS offers better advanced security options IMO, but lacks some familiar to beginner users options that AIOWP has.

      At the same time AIOWP looks more user-friendly (and sexier) than BPS and this is a big advantage in the eyes of most users.

      However I favour BPS (especially BPS Pro) more since it’s a more professional tool with more advanced options. But if someone finds BPS too difficult to deal with, AIOWP looks like a good alternative to use.

  73. This is the best security plugin post ever!
    GREAT JOB!!!

    Thanks for posting this info

  74. I notice the Sucuri WordPress Security Plugin is only compatible to WP 4.6.2.

    • Hi Shirley,
      Thanks for the information.
      By the way, I’ve noted that some plugins are still not compatible officially with the newest WP version. For example, W3 Total Cache. But they work 🙂
      Anyway, I don’t see any issues raised in the Sucuri plugin support thread about incompatibility.

  75. Hi, Michael 🙂

    I just would like to mention that in times of lower and lower and lower content quality on the internet your posts are a miracle. You run an upstream trend that I hope will win some day. Be proud of what you do, really. Thank you for this post. Maybe people do not want to read long text, but I do. 🙂


    • Hi Mike,
      Thanks a lot for your comment!
      Yes, I’m proud of what I do 🙂
      Of course, it takes time to gather all the information and write the long posts, but I guess my efforts will pay me back.
      People find my posts useful and it makes me feel I’m on the right track.
      Also, I try to make my posts scannable and I add table of contents so people could easily skip what they don’t need and get to the most wanted parts of the writings.
      And thank you for reading!

  76. Hello Michael,

    what do you think about combining Sucuri Pro Plan with Wordfence Premium paid plan?

    Sucuri is one of the best security for WP and their support is amazing!
    Wordfence has some very interesting & useful tools.
    Do these combinations work well? or does this slow down the loading-time
    or do these both block each other 🙂

    Is this like computer malware scanners? It is not allowed to install two at the same time
    they block each other and have a lot of conflict.

    What do you think? Looking forward your answer.

    Best regards

    • Hello Laith,

      I’ve seen Sucuri and Wordfence conflicting. But it kind of can be resolved. You can read more about it here.

      However, I think it’s not a good idea to combine these two products. In my opinion Sucuri is the more preferable choice for many reasons, including performance. WordFence is known to slow down your site because it’s a plugin, and all the intensive work is done on your server.

      Sucuri Pro includes the best options that you can expect from a website security product including scanning your website back-end. And yes, a part of security products (scanning functionality) can be compared to computer malware scanners.
      By the way, continuing the analogy with PC protection, Sucuri also has external proactive protection (a sort of firewall or internet security suite you may use on your PC). Sucuri has a Web Application Firewall included in its Pro plan. And WordFence does not have it because it’s not possible, due to the fact that WordFence is just a plugin installed INSIDE your WordPress.

      I described the best configuration for website security and peace of mind in this section.

      However, if you love some specific features or tools from WordFence, I’d try to find a more performance-friendly replacement for them if possible to avoid using the whole WordFence if you use Sucuri Pro.

      Also don’t hesitate to contact Sucuri’s support to know what they could suggest you.

      The bottom line: using both products at the same time is a sort of overkill. I’d stick with just one of them (and I definitely prefer Sucuri because of better results, more peace of mind and better performance).

      • That’s a very interesting information. I have Wordfence on my website and it really does slow it down! According to P3 Plugin Profiler it takes about 40% of my website speed! This happens even though I have done some research and changed some settings (improved about a couple %). So, Sucuri is faster than Wordfence and still gets the job done? Where’s the catch;)?

        • Hi Dave,
          Thanks for your comment and your question.
          WordFence is a plugin that works completely inside your WordPress, and all the work is handled by your server. Shared hosting suffers from such load.
          Sucuri is a product that runs its software on its own servers, not yours, for almost any activity (firewall, monitoring, scanning), and it affects your server to a very small extent. It connects to your server for scanning, but the software does not load your server nearly as much as WordFence. You can have a look at these two articles (1, 2).

  77. Hi,
    I read carefully each line of your article and I want to congratulate you! It’s well written and contains very useful information that, once implemented, makes your life a thousand times easier. I want to tell you that I chose BlogVault because it allows me to see live the backup that I want to use. I have only one question: can you please recommend a good solution for security? Thank you.

  78. If I may submit a suggestion regarding security: I have myself had very good experiences with Sucuri (not only does it allow for a firewall (one that visitors won’t notice) and is very compatible with WP (minimal configuration required), but cleaning your site in case of hacking is included). However, it depends on your needs. And also, not all WP hosting services allow for Sucuri (the current one that I am using, for instance, has its own safety measures that are not compatible with Sucuri). Anyway, I just wanted to report that I had only good experiences with Sucuri: a reliable company and products. (Sucuri is not only meant for WP, but for any site.)
    A newcomer to the security field, and one meant for WP only, is SecuPress (this is from the same company behind WP Rocket (cache) and Imagify). But I have only done minimal testing, thus I cannot provide a well-founded evaluation.

    • Thanks for your thoughts and sharing your experience, Jean-Francois.
      As regards incompatibility of Sucuri Antivirus product with some hosts, I guess this is quite a rare case, especially with a typical hosting. For those managed or premium hosts which offer alternative website firewall or cleaning up solutions I assume it can be a case.

  79. Hello Michael,

    Thanks for your comment. Indeed I use Generator for user name and for Password.

    I like the combination: Sucuri + Backup. But it is really expensive! I have two domains and this would cost 500 $ a year. Sucuri does not offer any discount neither for start-up nor for Student! I think their main target group are companies not private persons.

    Thus I moved to BulletProof. It is indeed not very intuitive, hard to set up and configure, but they have the best price for a pro version, and they said that in the last 5 years none of their over 30,000 customers has had a security problem!

    Thank you again for this great article. It helped me choose the right security plugin, and for me it is definitely BulletProof Pro.

    • Hi Laith,
      BPS Pro is a superb security plugin for very affordable price.
      Sucuri indeed targets website owners who can afford at least $10 per month (this is how much their Website Firewall costs). And this company offers the best security products on the market in its segment.
      BPS Pro’s support is fantastic. Even if something is not very clear from a technical point of view for you, you’ll get the assistance you need.

      • Hi Michael, I purchased BPS Pro. It is indeed great, but really hard to install and configure! I don’t have the time to understand each warning and log and take care of it! It is logging my pro plugins, and adding an exception for that is really not intuitive. I must read the docs. I think Sucuri has a user-friendly UI. I am thinking of keeping BPS Pro for my second site and purchasing Sucuri for my other site, which is an informative site where I will offer services. So what plan do you recommend, the Basic or the Pro plan from Sucuri? Best regards, Laith

        • Hi Laith,

          Sucuri Basic and Pro differ by support time response, frequency of scanning and type of SSL certificate. And from a security point of view, there’s not much difference. So, Basic plan is enough if the above points are not important to you.

          As regards BPS, indeed it frightens off non-technical users. But even if you just install it (running Install Wizard) and leave it as is after that, it does its work well. And the warnings you see in your WordPress dashboard are additional measures for even more security.

          Anyway, of course Sucuri products are a higher-level security/monitoring product and it has unlimited clean-up option included with a beginner user-friendly interface. Sucuri is the best choice a website owner (individual and small/middle business) may have.

          By the way, don’t forget to take care of your website backups. And then you are covered from any disaster and attacks.

  80. Hi Michael,

    great article, thanks. I am setting up my webpage and testing some security plugins.

    What about the plugins that hide wp-admin or wp-login.php?! Should we install them as a first security level? In the BulletProof forum I found this answer from BulletProof staff:
    “Trying to hide things would probably stop a human from clicking around and finding your login page or wp-admin page/folder, but this is not an effective security measure against hacker Bots. 99% of all hacker recon, hacker scans and hacker attacks are automated and done with Bots (not a human). You cannot hide things from Bots because they do not look for things visually. ”

    What are you thinking about that?!

    Best regards


    • Hi Laith,

      Edward from BulletProof Security knows his stuff very well. And I agree with him.
      I don’t think that hiding your login page should be your first level of security.
      On the first level you should have a strong password and updated software from a reliable developer (and backups). Then your security plugins come into play.
      Hiding your login page is not very effective for the reason Edward mentioned. And in this scenario (bot or human hacker attack) 2-factor authentication, or even the free plugin Stealth Login Page in conjunction with login attempt limiting functionality, works much, much better.
      At the same time, hiding your login page can be an additional (and not compulsory) measure. But anyway, it’s not the first level of security.

  81. I am using Wordfence, but Wordfence is using a lot of CPU. How do I set a CPU limit on Wordfence?

    • Hi Acil,
      Thanks for your question.
      You cannot control the CPU usage consumed by WordFence.
      The only things you can do are:
      1. In order to reduce CPU load, you can scan your website less frequently than once per 24 hours (you can change it only in paid versions of WordFence).
      2. Reduce the interval of how often the live traffic data is updated (read more here).
      3. Upgrade your hosting to have more CPU resources, e.g. take a managed VPS or a self-managed VPS (if you know Linux well).
      4. Change your hosting provider and use managed WordPress hosting that takes care of your website security.
      5. Use an alternative solution to WordFence. In this article you can find information about it. You can find some recommendations above.

  82. Thank you Michael for the very comprehensive article. It made me wonder if my setup with iThemes Security Pro is sufficient or should I start looking into some additional plugins. I have backup with Backup Buddy and I’m happy with it. Also, what is your experience of switching from one security plugin to another? Have you encountered any issues in that area?

    • Hi Michael,

      iThemes is a plugin, so it stays inside your WP installation and has all the disadvantages and risks that any plugin has inside your WP installation and inside your hosting environment. A true website firewall such as Sucuri WAF (the one I use) will definitely make your website more secure, protects from DDoS and other malicious traffic, and saves you a lot of bandwidth.

      A great bonus of Sucuri WAF is that it can also make your website faster thanks to its caching level (here’s my research on it)

      As regards BackupBuddy, I’m not really a fan of it, although it’s quite popular among bloggers. I explain in this article why. In short, it’s less efficient than incremental backup alternatives, more risky regarding how fully it backs up, and more expensive if you are on a subscription.

      Switching from one security solution to another is not a problem at all. It’s a matter of uninstalling a current plugin or/and adding/installing another product.

      If you want to add another security solution, then you need to look after possible conflicts between plugins. I have this covered to some extent in this article in this section.
      And Sucuri WAF is 100% safe to add, since it’s an off-site and off-you-hosting firewall.

      Feel free to contact me if you have an idea of your new security solution and I can confirm you that you are safe on your intentions 🙂

  83. Wow What an Article, you’ve covered each and every detail in providing valuable information. Definitely going to share among all beginners. Thanks a lot mate 🙂

  84. Frans Kemper says

    Hello Michael,

    What a great read. It took me 2 coffee’s to get through it, but worth while the time. Thank you. It made a lot of stuff clear to me.
    For my sites I am using impossibly complicated passwords of 25 characters; a random admin login name; Clef 2-factor; the pro version of UpdraftPlus backups; A2 hosting protection; and AIOWP.
    I am very tempted to purchase BPS Pro. Do you think that this could be complementary and not cause a lot of conflicts? And is there anything else you would like to add to complete the hardening package?
    I played around with Wordfence, but that is using a lot of memory resources at the server level.
    Thank you in advance and very best regards,

    • Hi Frans,

      Thanks for your comment and your question.

      BPS would duplicate a lot of the functionality of AIOWP. Not sure about conflicts, but anyway I’d use either one or the other. After all, my choice is BPS, because it’s more professional. But at the same time AIOWP has a more beginner-friendly user interface, which can be a deal breaker for some users.

      Also, if you have the budget, it makes sense to go with an off-site firewall from Sucuri, which is the most powerful and absolutely hassle-free offsite firewall option among affordable solutions on the market. Plus it makes your site faster thanks to its caching level located at Sucuri’s servers (I will publish a post about it in a day). It will be complementary to your security arsenal and that would be enough for your website protection.

      • Just to add to my previous reply, here’s the post about how Sucuri Firewall can make a website faster (and a comparison to some other caching options).

      • Frans Kemper says

        Hello Michael,

        Thank you. I already decided to acquire BPS Pro. After all this is a one time investment and very affordable.
        Regarding the Sucuri Firewall, this is way too costly. I run about 8 sites, mainly for artists, associations and NGOs. Not a lot of budget there.
        Moreover, I am based in Brazil and with the USD very high at the moment, the cost of this is higher than a minimum monthly salary here.
        Can you please suggest to me another firewall solution that complements BPS Pro and is more affordable?
        And also, are you saying that BPS Pro’s firewall does not provide enough protection?
        Thanks again and very best regards,

        • Hello Frans,

          Protection can never be enough. Anything can be hacked. The point is to make it too difficult for a hacking script or hacker to deal with your website.

          Sucuri Firewall is different from others because it serves as an off-site firewall (a true website firewall). So this is a layer of protection that is located outside of your website and servers. BPS and other plugins are protection that is located already within your website, and they work in a slightly different way.

          It could be a very rough comparison, but think of Sucuri as the protection suite for a doctor who deals with deadly contamination, and plugins as an immune system of the doctor 🙂

          I have not heard of a more affordable solution that could replace Sucuri in your situation.

          With multiple websites and a limited budget, BPS Pro would be the best choice for you. Just one BPS Pro license allows you to use it on as many websites as you want. Also, if you buy it, feel free to ask its support about your hesitations about conflicts with other plugins. BPS Pro’s support is superb and will tell you everything you need.

  85. You should try LCS Security – works really well. My site was under a barrage of failed login attempts and some adware content got injected somehow. This plugin looks like a newcomer, but it really got rid of most hacking attempts and content injection within just a few days after installation.

  86. Wow, great and detailed information with a proper solution. I am new to WordPress and I have tried many security plugins, but each and every time my blogs got infected. To overcome this I read many articles and followed a huge number of blogs, but most of them ended up saying choose whatever suits you. Finally I ended up using iThemes Security + Wordfence and NinjaFirewall. But I was not satisfied with this combination, and finally your article and the proper solution mentioned by you is totally satisfactory for me.
    My current setup is :
    Https + cloudflare free plan + iTheme security + wordfence + Ninjafirewall with changed login page and two-factor authentication .

    Please suggest: should I replace Wordfence with Sucuri Security (mentioned in 10.2), and remove NinjaFirewall or not? After reading your article your suggestion really means a lot to me.

    Thank you soo much .

    • Hi Saurabh,

      Thanks for your comment and your question.

      I’m not a fan of the free Cloudflare plan since, as far as I know from reviews, it can decrease site performance (and even make your site unavailable). But it works as one more free level of protection. I use a paid website firewall security solution from Sucuri (CloudProxy (WAF)), which is the most efficient website firewall on the market in the affordable pricing range.

      As regards your configuration, I don’t know your concerns, but I think it’s too heavy and can negatively affect your site performance. If speed is not an issue for you, then it may be okay.

      The free configuration I suggest in 10.2 is optimized for performance with all sectors (protection, monitoring, scanning) being covered.
      However, if you have some budget, I’d recommend simply getting rid of the heaviest plugins (especially Wordfence and iThemes) and just using the paid website firewall.

      I try to make my website as fast as possible (as well as highly protected) for a reasonable price. So, I use WAF, BPS (very lightweight and effective for protection) and an incremental backup solution. It’s the fastest (and very secure) combination I know without paying extra.

  87. saajan bedi says

    I want to use Sucuri Security, iThemes Security and All In One WP Security & Firewall (& Clef for two-factor authentication). Can you tell me whether these plugins are compatible with each other or not, and
    is All In One WP Security & Firewall a better alternative to BulletProof Security?

  88. I tried to subscribe, but I keep redirected to and it doesn’t let me proceed. Perhaps because I have two google accounts, personal and work.

    • Hi Frank,
      Sorry for the issue. Not sure why it does not work for you, I will need to check it out additionally.
      Meanwhile, I’m sending you an email and will gladly subscribe you manually.
      Thank you for letting me know about it.

  89. Great article, but NinjaFirewall is one of the best options and few talk about it.

  90. Hello Michael, Thanks for the great article! It was very helpful.
    I had a question regarding the MOST secure solution regardless of price.
    Would you say that would also be BulletProof Security? And I was also wondering IF I could combine Wordfence Premium with BulletProof to cover the holes in BulletProof scan-wise and such.

    • Hi Kenneth,

      Thanks for your feedback.

      There are some conflicts between security solutions. Some of the conflicts can be resolved. See this section for more details.

      BulletProof security is a great plugin, but mixing all the possible security solutions altogether is an overkill.
      In my article I’ve suggested balanced solutions.

      I have not heard of unresolved conflicts between Wordfence and BPS. However, mixing these security plugins can potentially interfere.

      If you already have Wordfence premium, I also suggest looking at this solution.
      Basically, in addition to Wordfence, the solution has an offsite web application firewall (very efficient!) and a fast, reliable backup solution.

      Thus, you can try adding BPS to your arsenal, but you will need to check if there are any issues after you start using it. The more security plugins/services you use, the riskier it is to get a conflict.

      And for the most secure solution regardless of the price and without risking a compatibility headache, I suggest this solution based on the Sucuri product.

      Adding BPS to it is an overkill in my opinion, and you will need to resolve a compatibility conflict.

      • Thank you Michael! Wordfence has been good but based on the price and your review of the protections of BPS and Sucuri I think I’ll go with that combo. I’m training in Offensive security myself so I can’t help seeing every opportunity for exploitation now, and there’s a lot! I like the fact that these two groups seem to take it seriously.

        • Kenneth, just wanted to note that before all make sure you have a backup solution (or at least the newest backup at hand all the time). I would put it as the number one website security preventive measure 🙂

      • Hi Michael,

        Thanks for your deep research. I am looking for a security plugin for my blog, so I read your article. I want to try BPS but I wonder whether it can work on an Nginx server, because my blog runs on Nginx.

        Thank you very much!

        • Hi Dai,
          If you are using both Apache and Nginx together (Nginx as a frontend webserver and Apache as a backend server) then the BPS plugin will work with no restrictions (and you don’t need to do any additional settings or anything).
          But if you are only using Nginx then unfortunately you need to look for an alternative solution. Here’s the reply on this question from BPS’s developers.

          • My server only runs Nginx. Although I really like BPS, I may have to switch to another plugin. Do you think Shield Security is a good alternative? I am considering using it with Wordfence and Sucuri free together.

            • Hey Dai,
              Shield Security can’t replace BPS. BPS plays the role of a firewall at the .htaccess level. Since you are using Nginx (and no Apache), just leave BPS out and that’s it.
              However, if you want to dig into some security config for Nginx, you may have a look at this code on GitHub.

              • Thank you. I will try. And I host my websites on OVH and Vultr. They have firewalls too. What do you think about their firewalls? Are they the same as the Sucuri firewall? Sorry, because I am a newbie on security.

                • No, they are not the same. Any web service has (should have at least) a firewall, but the firewalls are not created equal. Sucuri’s entire business is web security and they are good at it.
                  This is like any person out there having clothes on them, but only specific (and comparatively expensive) clothes can save you from extreme weather conditions.
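Since the thread above notes that BPS works at the .htaccess level and so does nothing on an Nginx-only host, here is an added example (not the post's advice and not the GitHub code the reply points to) of an Nginx-only server block that enforces the kind of WordPress hardening rules an .htaccess-based plugin would otherwise write; the domain, document root and PHP-FPM socket are placeholders.

```nginx
# Added example, not from the post. Nginx never reads .htaccess, so rules a
# plugin writes there are silently ignored on an Nginx-only host: the
# equivalent rules must live in the Nginx configuration itself.

# In the http {} context: rate-limit bucket keyed by client IP for the login page.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=10r/m;

server {
    listen 443 ssl http2;
    server_name example.com;             # placeholder
    root /var/www/example.com/public;    # placeholder
    index index.php;

    # Keep ACME / well-known lookups reachable before the dotfile rule below.
    location ^~ /.well-known/ { try_files $uri =404; }

    # Hide dotfiles (.htaccess, .git, .env) that the plugin would have protected.
    location ~ /\. { deny all; }

    # Config and XML-RPC endpoint: reject (403) or drop the connection (444).
    location = /wp-config.php { deny all; }
    location = /xmlrpc.php    { return 444; }

    # Never execute PHP from the uploads tree; this regex must precede the
    # generic \.php$ handler because the first matching regex location wins.
    location ~* ^/wp-content/uploads/.*\.php$ { deny all; }

    # Throttle brute-force attempts against the login page.
    location = /wp-login.php {
        limit_req zone=wplogin burst=5 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }

    location / { try_files $uri $uri/ /index.php?$args; }

    location ~ \.php$ {
        try_files $uri =404;   # never hand a non-existent path to PHP-FPM
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
    }
}
```

After reloading, a quick check is that a request for /wp-config.php or /.htaccess returns 403 and a .php path under /wp-content/uploads/ is refused rather than executed.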

  91. Hi Michael,

    After trying all of the above plugins independently on a local install of WordPress I opted for BulletProof Security Pro. I am wondering why you only gave a post-hack rating of 2 stars with regards to my two points below:

    1) Its file monitoring and file backup restoration looks excellent. On a live site any changes in the WordPress backend to my Gantry 5 framework custom-made theme files were immediately quarantined. Even with a manual restore of new or altered files within BulletProof Security these files were again immediately quarantined, as they should be. I then went through the proper procedure to mark these files as safe.

    2) The DB backup scheduling can be set to hourly with the backup sent by email so surely this should warrant more than a 2 star rating – can you elaborate more on why you gave it such a low score please?

    Many thanks,


    • Hi Phil,

      First of all, thanks a lot for your thoughtful comment.
      And I appreciate you taking security things seriously.

      As regards the score for BPS Pro.
      Above all, BPS is a great stuff and I’m glad you also have this opinion after checking it out.

      Regarding the post-hack score particularly, BPS Pro indeed has a feature to back up standard WP files. It’s not a complete website backup as CodeGuard makes, but anyway this is much better than simply scheduled DB backups. Not sure how I missed the file backup feature of BPS Pro, but this is a good reason to make the post-hack score for BPS Pro higher.

      As for quarantine, this feature is eligible for Monitoring in the first place. And monitoring score for BPS Pro is pretty high.
      Of course, quarantine feature can assist with post-hacking procedures as well.

      After all, I agree with you, that considering files backup restoration option, the post-hack score should be higher for BPS Pro. I will fix it and make appropriate amendments in my article soon.

      Thanks again for your comment and asking your questions.

      P.S.: I updated my comment by removing irrelevant information regarding Sucuri free plugin (In my comment I messed it up with free plugin from CodeGuard 🙂 )

      • Many thanks for your reply. I was a little premature in my post as I have had more time to really look at the pro version of BPS.

        I am interested in your response about the BPS Pro backup feature. I’m not sure what you mean by saying that it doesn’t have a complete website backup. It does have individual functions for backing up, deleting and restoring all root files; wp-admin folder files; wp-include files; wp-content files and even functionality for creating backups of custom files and folders.

        The quarantine function of files is so good it became a nuisance as I was working on a site and edits and additions weren’t viewable on the front end. Using the in-built auto-restore just leads to an automatic quarantine again unless the proper procedure to mark files as safe is implemented. This is fantastic monitoring and post-hack functionality, is it not? The database also has a monitoring tool that can be set to check changes to a combination or all of the database tables as often as one minute with email alerts. If the database is compromised it also has an in-built database comparison tool to check and see changes to the database – couple this with regular database backups sent by email and this seems to be an excellent monitoring and post-hack restoration solution.

        I would be really interested in your thoughts about this as I’m new to WordPress after many years as a Joomla user.

        Many thanks,


        • Hi Phil,
          Before all, I’d like to thank you for your valuable comment, and let me note that although you are new to WordPress, you are more skilled than the vast majority of WordPress users. Most people are simply afraid of using BPS since it is not that sexy from a beginner user’s point of view. You can easily deal with BPS and you are the kind of user this software was created for.
          As regards the BPS Pro backup option, it’s great, but unlike CodeGuard backup (or some other backup services) its user experience is not that smooth, and as far as I know, it does not allow sending backups to a safe off-site place (a sort of cloud storage). Sending backups by email is cool, but this is limited or more risky by design (e.g. possible issues with backup size, no incremental backups, dependence on email functionality).
          As regards post-hacking, before all, a typical user will find BPS Pro more difficult to use to restore a website after a hack. The user needs to be technically skilled enough to use BPS Pro properly so that when a disaster happens, the user has everything under control, organized and at hand to restore the website without any hassle.
          Also, BPS Pro does not have the malware clean-up functionality that the Sucuri product has (it probably does not look so cool for users who are skilled enough to compare files and database changes, do the clean-up by themselves and thus analyze the holes in security, though). Again, most users want a sort of one-click clean-up or 1-click restore functionality with very little or no prior work and with as little skill and knowledge as possible. And BPS Pro is just targeting more professional and tech-savvy users like you. Most other users want a much easier, user-error-proof solution with a cleaner UI and smoother UX.
          Thus, I totally agree with you that BPS Pro has fantastic monitoring and post-hack functionality, but I have to add that this is so for quite advanced users who know very well what they are doing. For less technical users (i.e. the majority of users, who have never even opened cPanel in their life), dealing with BPS is simply not their cup of tea: too difficult and too error-prone because of a lack of technical skills or time to devote to managing it.
          As a final note, I’m sure that BPS Pro is an awesome tool in the right hands (like yours :)). And the fact that BPS is very affordable makes it a favourite choice of many advanced WP users.

          • Hello Michael,

            Thank you for your reply and sorry for my late reply. Having thought about it I completely agree with you. I am fully comfortable with .htaccess and php.ini files and why they are so important, yet I had to spend a considerable amount of time configuring and understanding BPS Pro as there is so much functionality to configure properly. I feel a beginner with their first WordPress site would really struggle to understand and configure BPS Pro to make the most of it and be able to recover from a successful attack in a short and painless manner. The support is excellent though and for the multi-site license price it is a fantastic tool for more experienced users that may not have the budget to afford Sucuri.

  92. Michael, very good job on this research.
    It’s the kind of work that saves you time.
    I subscribed to your list.

  93. Great article Michael. I have my site on a shared Windows hosting server, so I think BulletProof is not a good solution for me as it uses .htaccess. Do you suggest any plugin which will work well for Windows hosting? I also don’t want to slow down my site while protecting it.

  94. What about WP All In One Security & Firewall plugin?

  95. Hi,
    In 10.3. Full Sucuri Protection and Backup Solution you mention that you use CodeGuard in addition to Sucuri which has a backup option. Since I understand Sucuri now includes the backup option in the pricing, is there no need for CodeGuard with Sucuri?

    • Hi John,
      As far as I know Sucuri backups are an additional service.
      However, I’ve just asked Sucuri support about it to make sure, and here’s the reply:

      Hammer: Hi Michael how are you today?
      Michael: Hi, do you include backup option in full Sucuri protection price? Or is backing up paid additionally?
      Hammer: Backup is an addon runs 5 per month per site or 60 a year 🙂
      Michael: Okay , I’ve got it! Thanks
      Hammer: No problem happy to help

      Anyway, CodeGuard is a more powerful and backup dedicated solution. And CodeGuard is even cheaper 🙂

  96. I personally like All in One Security as well as Sucuri.

    I tried Wordfence and was put off by the confusing UI and the fact that some of its key features (namely, IP blocking of bots using usernames like “admin”) failed when conflicting with some of my other plugins. Full review here:

    Michael, I hate to ask but… did you receive any incentive or product licenses for this review? It’s very impressive and in-depth, but I was surprised All In One didn’t make the list. (I have no connection with AIO.)

    • Hi there,
      Thanks for your comment and your question.

      The story behind this article is quite simple.
      I just wanted to compare very well-known and popular security plugins or products and make up a couple of strategies for securing the WordPress website.

      Since there are many security plugins, I just took some of them. I could not take many, because it would make my article even bigger, which was not what I really wanted.

      So, I’ve chosen the plugins and products to review simply by how popular they seemed to me after a quick overview in Google search and in different blogs. Those four products I’ve selected just seemed to me more frequently noted and recommended by both marketing and technical bloggers. That’s it.

      And the article already took so much time and I wanted to finish it as soon as possible without sacrificing the quality of the article. The idea of including some more security products or plugins in the article just made me sick 🙂

      That’s why AIO, as well as many others just did not get into the list.

      Answering your question about compensation – no, I did not have any connection with companies or the plugins developers or compensation for writing this article.
      However, I’ve become an affiliate of Sucuri and BulletProof premium products because after my research I have come to the conclusion that these products are the best in what they do among the others in my article. But I joined these affiliate programs only several months after I published this article, when I realized that these products had affiliate programs 🙂

      As regards your issues with WordFence, I see you make valid points regarding functionality and UI. Let’s see if (how) the support will answer you. Anyway, if there’s something not functioning, it should be fixed.

      I hope I answered your question.
      And thanks again for stopping by!

      • thanks Michael! & thanks for the speedy reply.

        sounds good — I thought your work was too indepth and personal to be a marketing effort, and I’m happy to hear you did this honestly and properly.

        glad you liked my comments about WordFence — hopefully they improve! honestly, none of the products have had 100% of what I wanted, but AIO + IP Blacklist is what I’ve settled on for now. I hope they all improve so I can reduce the number of plugins on my sites!

  97. That’s the only thing I can say. Impressive amount of data. I don’t even know if so-called experts know as much on WP security, and I have just read the Google Sheet comparison table.
    Keep up the good work.

  98. Hey Michael!

    I just wanted to drop in and see if you would be interested in putting our security plugin (WP Simple Firewall) through its paces and comparing how it stacks up against the ones you’ve got in this list?

    We have stacks of features loaded into the plugin, which you can turn on/off as you need. Given the criteria you’re examining, I think you’ll like what you see. Would love for you to take a look!

    Thanks for your time.

    • Hey Paul,
      Thanks for your suggestion.
      WP Simple Firewall is indeed worth looking at. It’s a pretty popular and highly rated plugin.
      But this article is already overpopulated with information.
      I’ll think about how to review more security plugins.

      • Hey Michael,

        Thanks for your consideration on this. I know it’s a big enough job to review 1 plugin, never mind all that you’ve covered already. I totally get that.

        I appreciate you taking the time to at least consider us 🙂

        Let me know if you have questions or need clarification on anything.

  99. Thanks for sharing such informative information with us. Good work.
    For more information:

  100. Thank you very much for all the effort you’ve put into this research, it was very useful. I chose the 10.2 option. I was just wondering why you recommend all three plugins (BulletProof, Sucuri and WordFence). I know it’s never too much security, but some functionality is redundant, like the Login Security, and now I’m confused what I should be setting up on each plugin. I’m a newbie and I’m eager to learn how to protect my WP websites. Could you help me out? (more than you already have)

    • Thanks Ricardo for your comment.
      I recommend all these plugins because they together cover different segments of security (protecting, scanning and monitoring) for free.
      For redundant functionality, just choose what you like most or what suits you better. Section 10.2 covers all these segments for free.

      When you are just beginning to learn WordPress security, start with protection (read the minimalistic solution 10.1 and the corresponding post Protect Your WP Site From Hacking Step-by-Step – Easy And Very Effective) and install the BulletProof Security plugin. That should be enough for a start.

      And if you think that you need more functionality for free (more scanning, more monitoring, anti-spam), go on with the other 10.2 recommendations.

  101. I prefer a combination of plugins. I am using iThemes Security, Wordfence Security and Anti-Malware by ELI. These 3 can offer you great protection. Scan every week with Anti-Malware by ELI, block IPs manually in Wordfence Security, add 404 protection and protect your important WordPress folders with iThemes Security. Why iThemes? Because iThemes Security now uses Sucuri SiteCheck. 🙂 My site speed is great, so no problem if you use a combination of security plugins.

  102. Great article! I’m gonna buy your solution 10.2… for free. Exactly what I was looking for. Thank you so much. You’ve saved precious time for a WP beginner carrying a huge project to change the world 😉

  103. Jason Press says

    Thanks so much for this recommendation Michael.

    I explored BulletProof a bit and have ended up purchasing the Pro version. It really is, like you said, a fantastic deal and the support has been top notch. There’s definitely a learning curve but, while discovering how to use this plugin, the instructions are also teaching me a lot of things about website security that used to seem quite foreign (it’s almost like you get a free web security training class along with the plugin!)

    I reached out to the developer of BulletProof and he didn’t think there would be any conflicts with AIOWPS. However, since BulletProof basically generates the .htaccess file for the site, I would need to place any AIOWPS .htaccess code (such as IP blacklists) into the BulletProof “custom code” area manually. This wouldn’t be too difficult but I’ve actually removed AIOWPS for now anyway as it seems BulletProof has us well covered.

    I am still planning on using the “BBQ: Block Bad Queries” plugin and possibly the “WP Security Audit Log” plugin as well for extended protection and functionality. We do have great backup systems on our GoDaddy Managed WordPress and SiteGround shared hosting environments, so if we can combine great backups with a good security system that has great monitoring, then even if something does get hacked we will hopefully find out about it right away, be able to revert to a backup, and patch the issue swiftly.

    Thanks again,

  104. Jason Press says

    Hi Michael, thanks so much for this comprehensive article!

    Do you have any experience with the All In One WP Security & Firewall plugin ( I’m at the stage where I will need to increase security measures on 20+ WordPress sites and we’re looking for the best fit in terms of a free solution that will work across the board to supplement a couple other paid security products (SiteLock through GoDaddy and HackAlert through SiteGround).

    I’d love to hear if you have any thoughts about the AIOWPS plugin and how it might rank against (or in combination with) your other recommendations. The main reason I ask is that we already have this plugin installed on all our sites, though we have little experience with the other plugins in terms of comparison. The easiest approach for us would be to simply add on another plugin or two in addition to AIOWPS, but we are ready to start fresh with a whole new configuration if needed.

    Thanks again,

    • Hi Jason,

      I’ve wanted to include the All In One WP Security & Firewall plugin in this article, but it just overlaps other plugins, so I decided not to clutter my article, which is already too big for one read 🙂 Anyway, AIOWPS is a good thing.

      If you want to increase the security and do it for free, and if you use Apache (and not Nginx), then the best thing I can recommend for you is the BulletProof Security plugin. It’s very light and very effective from a protection point of view. Its free version is very powerful, and its paid version costs comparatively very little and has an unlimited license (it can be installed on as many websites as you want).

      However, I have not investigated very deeply whether it’s compatible with AIOWPS. But I think it should be. If you decide to use the free version of the BulletProof Security plugin, you may install it on one of your websites and check if it works fine. And if you want the paid version, I think you can also contact its author and ask him to make sure about compatibility with your environment. You are welcome to let me know in the comments how it goes for you.

      Also, what I’d recommend above all is to have a backup strategy, because it’s much more important than any other measure (it’s obvious, but just in case). If you already do backups regularly, then that’s great; I’m repeating this for other readers 🙂

  105. If I have 30 domains under one cPanel account (1 root domain and 29 “addon domains”) and I am about to subscribe to Sucuri WAF Pro… do I need to pay 30 x $19.98 per month… or just $19.98 per month?

    • Hi Ray, I guess $19.88 is the price for one installation (website). So, in your case I guess it will be 30 x $19.88. But go and ask them directly (e.g. via online chat form). Maybe in your case they will give you a bulk discount (why not try asking? 😉 )

  106. Great round-up. Really good effort. My only question is that iThemes is not recommended at all in your conclusion? Is there a reason it doesn’t make the cut in comparison? I’ve had good experience so far using Sucuri, Wordfence, and iThemes – individually, and together. You do seem to favour BulletProof above the others? (And the link to the Pro version is an affiliate link.) I don’t mind you making a $$$ either as all the other links are free/direct links. BUT does that bias your conclusion? I guess the conclusion I want is almost a 1-liner for each product, about why one is 1st, 2nd, 3rd, or 4th? Don’t get me wrong, great article – but WHY BulletProof above all the others? And why not iThemes at the finish. 🙂

    • Sorry – I stand corrected. It’s not an affiliate link to Bulletproof. It’s their stoopid domain name!!! So I take back anything relating to $$$ bias. BUT my questions still stand about why one over the other – in 30 seconds…. GO! 🙂

      • Hi Damian.

        Thanks for your comment and questions.

        I’ve got no affiliate links to any security plugin at all. So far at least. But I’d add them if I could, because all of these products are great.
        Update from October 22, 2015: I do have some affiliate links now.

        As regards one-liners, it’s a good idea to make such, although it would be a (sort of misleading) simplification. I even hesitated very much whether to include a final comparison chart with star rating or not. It makes more sense to me to compare stronger/weaker sides of each solution like I did when analyzing them one by one.

        Anyway, here are summaries emphasizing the strong sides of each product:
        click here (will open in a new window – I added it in the article)

        Besides, it’s true that I favor BulletProof security, because it’s very lightweight and truly efficient in terms of protection, and absolutely not expensive (or even free). I just love such solutions that work very well without side effects. And its free version is very good. Maybe even too good to be free 🙂
        One big caveat though that many beginner users mention is that it seems too technical for them at first sight.

        By the way, it’s not Bulletproof above all the others in the conclusion, but Full Sucuri Protection and Backup Solution as a complete and easy-to-use solution 🙂 But it’s expensive.

        And here’s about iThemes.

        Before all, I did not mean don’t use it. Quite the opposite – I recommend it, if it’s what you need. And see the analysis in this article to see if it’s what you need.

        The point is that the solutions presented in this article do their work differently and sometimes target different segments of website security (such as protection, monitoring, scanning etc). Users are better off understanding these segments to make the right choice without being misled by a false feeling of security.

        So, each plugin has its weak sides (for example, price, server load, compatibility, or the fact that they cover some segments of website security worse compared to other plugins).

        iThemes is a strong solution, so if you use it and it works well for you (no conflicts with other stuff etc), then it’s really fine.

        If you use its paid version, then the only thing to enhance is taking care of your backups (a must for everyone). Also you may consider using a true website firewall (e.g. Sucuri CloudProxy) if you experience heavy DDoS/botnet attacks and other malicious traffic assaults that load your server.

        The reason why iThemes is not in the conclusion section is that the conclusion is my personal recommendation for those who find the article difficult. I could include the iThemes paid version in the conclusion, but then it would be logical to include the paid version of Wordfence as well, etc. But in this case it would be a sort of repetition of the “Combination of plugins/solutions” section. I needed to make the choices narrower.

        Also, iThemes is not compatible with BulletProof Security, which made it impossible to mention it in combination with other plugins.

        The conclusion part is just my own answer to the question “Ok, all of these plugins/products/solutions are great, but what would you finally recommend after all from your point of view for different kinds of users?”
        So I answered it my way, considering balance between efficiency, priority (which is protection IMO), budget and user-friendliness for different kinds of users.

        But again, iThemes Security Pro is a great choice.

  107. Just wanted to drop a note to say thanks for putting together this in-depth article.

    I use iThemes Security Pro on several sites & Wordfence on a couple of others. They both seem to be effective for what they do. I am also going to add the Sucuri WAF Firewall to all sites…it’s hard to argue with it at that price.

  108. A pretty good plugin: Ninjafirewall
    Can you give me a comment on it and iThemes Security?

    • Thanks Triều for your comment.
      Ninjafirewall is especially great against distributed DDoS attacks.
      As regards iThemes Security plugin I think I covered it in my post. Or what do you mean?

      • Hello Michael,
        I’m talking about the combination of NinjaFirewall and iThemes Security. Is there a better combination between iThemes Security and Full Sucuri Protection? I think it’s a more money-saving solution.

        • Oh I see now.
          Full Sucuri Protection is a powerful and hassle-free solution – it’s not just a firewall, but also an in-depth scanner and an unlimited auto-hack cure service. So you can’t replace it with Ninja Firewall.
          But if you meant Sucuri Firewall (which is a part of Full Sucuri Protection), then yes, to some extent (only to some extent) Ninja Firewall can replace it. For instance, Sucuri Firewall is an external service that sanitizes your traffic, whereas Ninja Firewall is still a part of your WordPress site (which is less secure).

          • I tried to use Sucuri on my website! However, I have a feeling my website became slower after pointing the IP to Sucuri (1-1.5s, and pinging my website increased from 4ms to 60ms)! I am choosing between security and performance! This is really not easy! Why don’t I see you mention CloudFlare? Is it not good?

  109. murad abuseta says

    Hello again, I visit your site every time to see if it has new posts like that one… protect your site…
    Thank you, you’ve saved me two times now.

    One thing here I need to know:
    how can I make a post like this one?
    You did a
    “For easy navigation in this post use these links:”
    I mean, how can I make navigation links like you did here?

    • Hello Murad,
      Thanks for visiting my website again. Feel free to subscribe to the updates (if you have not subscribed yet) to get notifications to your inbox about my new posts when they come out.
      As regards links you are asking about, it’s a free plugin “Table of Contents Plus”.

      • murad abuseta says

        I have subscribed now. I’ll verify it when I open it from my personal PC.
        Thanks for the plugin.

        One thing here I need to make sure of: before, I was only using one plugin, “Wordfence”, but after this great research I need to ask you.
        If I use Wordfence with Sucuri Security and BulletProof Security, does this make my website slow?
        I mean, do these three plugins make my site slow? Note that I use a HostGator hosting plan.

        • In brief, BulletProof Security does not slow down your website since it’s a neat firewall at the .htaccess level.

          Sucuri Security (free) includes a scanner that is not heavy, so I would not worry about it loading your website either.

          But Wordfence may be a heavy loader for some websites, since it’s an in-depth scanning tool with a real-time traffic view. It depends on your website though – the bigger your website is, the more noticeable the load may be. So you will just need to run the scanning and see how long it lasts for your website and whether it loads your website during this time.

          HostGator is an EIG brand that is not respected at all by professionals. EIG can turn off your website without any prior notice if they think you may be using some heavy plugin. I’ve seen cases when HostGator switched off sites, blaming some plugins including Wordfence for loading the server, without looking into the issue properly. A decent hosting company should assist you in resolving the load issue if there is one, and not just cut you off without letting you know.
          But if you don’t have a big site, perhaps it can be OK for you.

          • Phil Yonge says

            I have VPS hosting with a company owned by EIG. When I recently upgraded Apache and PHP there were warnings in the PHP installation logs. The culprit was a WordPress rule in an .htaccess file in the root drive of the server. I couldn’t get a proper response from the company due to the PHP upgrade warnings and this file. I have been considering moving my clients’ websites for a while and this has just confirmed my good reasoning for moving. Thanks for the list of decent providers in your other article.

            • Thanks Phil for your comment.
              EIG is definitely not the company that I would stay with.
              Feel free to let me know if I can be helpful to you in any way.

              • Can you post a link to your article with the “list of decent providers” as mentioned in the comment above? Thanks!

              • Excellent article and I am really glad that I found your site, a lot of interesting reading there. I am wondering whether your conclusions re the best security combo still stand almost 2 years after writing this? I run my website on a VPS and am considering switching the firewall from ModSecurity to Sucuri WAF. Yet, I still have to make the decision regarding going with the Sucuri AV “package” (10.3) vs. “Sucuri WAF + Bulletproof” (10.6; BTW, you mentioned in another article that this is what you’re using). One very important criterion for evaluation that is missing in your article is the performance penalty for implementing these security solutions. Obviously, nothing comes for free, but I would be interested to learn which of these two has a heavier toll on performance. In other words, what is less performance-intensive: the monitoring/scanning part of Sucuri AV or Bulletproof?

                • Hi Mike,

                  Thanks a lot for your feedback.

                  Your questions and my answers:

                  > I am wondering whether your conclusions re best security combo still stand almost 2 years after writing this?

                  Yes, this article is up-to-date. This is one of the most popular articles on my blog. And I update it each time when I notice anything needed to be changed.

                  > Sucuri AV “package” (10.3) vs. Sucuri WAF + Bulletproof”

                  BulletProof Security (BPS and BPS Pro) requires some technical knowledge for the most efficient use.
                  Sucuri WAF and Sucuri AV are very easy to use. At the same time Sucuri (both AV and WAF, which is included in AV) is considered to be the most efficient product on the market in this segment (website and web application security). There are more professional services for bigger enterprise usage, but their prices are like 10x bigger (i.e. simply another market segment).
                  Also, as regards the most important differences that matter a lot for a typical user, option 10.3 (AV) includes among others unlimited and free clean-up in case of virus, malware etc contamination. Option 10.6 does not include it (Sucuri WAF does not come with the clean-up option).

                  > 10.6. BTW, you mentioned in another article that this is what you’re using

                  I’d go with Sucuri AV, but this is too expensive for me right now. In fact, I decided for now sort of to wait till I get hacked (if this happens one day) and then I will order Sucuri AV which includes clean-up from then and forever 🙂 Maybe I will go with Sucuri AV sooner (as soon as I get more budget). After all, option 10.3 is my desired aim. For now I ignore monitoring and scanning options, focusing on protection and backups (that’s why Sucuri WAF (external firewall) + BPS (internal firewall) + Backup solution is enough for me for my website at present time as a minimum accepted solution for my website).

                  > One very important criteria for evaluation that is missing in your article is performance penalty for implementing these security solutions.

                  That’s true. I don’t have detailed research on performance for these options. But meanwhile I mention in the article which options are significantly more resource-intensive. Sucuri (WAF and AV) and BPS (BPS Pro) are the least demanding from this perspective. In fact Sucuri WAF even improves performance thanks to its caching level (sort of a CDN, but not really a CDN). I even have test-based research on it. And the BPS plugins are super lightweight (they do no scanning, so they are quite seamless).

                  As regards iThemes and especially Wordfence, they too often harm the limited resources of the server IMO, since all the work is done on your server (these guys are plugins). Especially on shared hosting. Although on a VPS it can be fine. But again it depends on your website size. I haven’t tested these guys on a VPS, nor have I paid special attention to reviews from VPS users. But I know for sure shared hosting users often complain about performance issues (especially so for Wordfence).
                  Sucuri’s core software is based on their servers, which makes it very comfortable for your server to use it.

                  > what is less performance intensive the monitoring/scanning part of Sucuri AV or Bulletproof?

                  I have no research on this, unfortunately. But in fact I don’t really think this should be a question. Both options raise no issues with performance, although these two products do different things. BPS does no scanning as Sucuri AV does (the most resource-intensive operation is scanning). And Sucuri AV does the scanning very carefully and gently (e.g. compared to Wordfence).
                  However, if we compare options 10.3 and 10.6, then 10.6 is much heavier because it includes Wordfence, which features scanning. Option 10.3 includes Sucuri AV, which does the scanning much more efficiently from a server performance point of view (and also AV is more efficient from a contamination- and other security malfunction-finding perspective).

                  Also, compared to plugins, Sucuri AV is the next (or simply another) generation of products. Option 10.3 is not only the best and easiest practical solution for most users (especially those without deep knowledge and the desire/ability to analyze server logs), it’s the least server resource-demanding. Its only disadvantage is the price.

                  Hope it helps.

                  • Thanks for such a detailed response. I’ll follow your advice and switch to the Sucuri AV package; it is $80/year more than Sucuri WAF but I want simplicity and peace of mind. I run a business website and any outages/downtime cost us a lot. Once again, thanks for such a great website, you got another dedicated subscriber here 🙂

                    • Hi Mike,

                      Just wanted to note the Sucuri prices for e-commerce:

                      Sucuri Firewall (WAF) (for e-Commerce websites you need PRO plan since it covers https and custom SSL) costs $19.88/mo * 12 months = $236.76/year.

                      Sucuri Antivirus (you need PRO plan as well for the same reason) costs = $299.88/year.
                      So the difference is $63.12

                      Anyway, Sucuri AV is absolutely the right choice. Especially for e-commerce.

  110. Hi Michael ,
    This is a very interesting article, really amazing information and guidelines. I agree with you, superb and good points, a very long and informative WordPress security plugin guide. Thanks a lot for sharing it with me. It’s my first visit to your blog and I am really inspired. Keep it up.
    Have a great week,

    • Hey Jassica,
      Thanks for your feedback!
      By the way, it’s not your first visit to my website 😉 – I see you have already left a comment for the article about hosting companies to avoid.
      And I’ll be happy to see you again!

      • First time to your website… very informative and useful. Have had loads of troubles in the past and vowed never to have a blog again after losing a full site a few times etc. Now I am back trying to set them up again. Have already got an infection that spread to my static websites. Hate the cost of Sucuri but think I will go for the full cover for my 2 WordPress sites.

        • Hi Cynthia,

          Thanks for your feedback.

          Sorry to hear about your security issues. In fact, getting your site infected in most cases (but not always though) means that you did not follow the rules of website hygiene. Anyway, Sucuri Antivirus service is a reliable and comfortable option. In particular, it cleans up your website as many times as it’s required. And what is more important, they help to avoid further contamination by consulting you in case the issues take place again (looks like it’s your case).

          Anyway, infections are not a reason to drop a blog. I wish you overcome the difficulties and get your online presence up and running smoothly.

          By the way, if you have not read it yet, here’s my other article on website security which covers the topic of website security hygiene. The “hygiene part” will be useful to you regardless of whether you use Sucuri or not. I.e. simply skip the technical part (especially if you are going to use Sucuri’s paid service) and pay attention to what you can understand easily.

          And feel free to let me know if you have any questions.
