Top 20 Best FREE Security Plugins for WordPress

Most of the websites on the Internet run WordPress. Whether users run WordPress on Windows or Linux doesn’t matter – the popularity of this content management solution (CMS) continues to grow.

But, the downside to using any popular software solution is that it makes for a bigger target for hackers and malicious code.

And so, with that in mind, we will have a look at the top 20 best free security plugins for WordPress.

Note: we have also included freemium plugins whose free tiers, in our judgment, offer enough features without having to pay for the full package.


The 20 Best free security plugins for WordPress

Ok; let’s jump right in – the plugins are:

1. Wordfence Security

This is a plugin that identifies and blocks malicious traffic. Its integrated malware scanner stops requests that hide malicious code or content.

Wordfence Security offers protection from brute force attacks by limiting login attempts while its malware scanner checks core files, themes, and other plugins for anomalies like bad URLs, backdoors, spam, redirects, and code injections.

2. Sucuri Security

The Sucuri Security WordPress plugin is a free security suite meant to complement existing security features.

Some of these features include security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, security hardening, post-hack security actions, and security notifications.

3. Jetpack

Jetpack Security does have the right to brag that theirs is “the most popular WordPress plugin for just about everything.”

It offers easy-to-use, comprehensive WordPress site security including auto real-time backups and easy restores, malware scans, and spam protection; it also has essential features like optional 2FA (two-factor authentication) for extra protection as well as brute force protection and up/downtime monitoring for free.

4. iThemes Security

Setting iThemes Security up takes all of 10 minutes and offers features like Two-Factor Authentication (2FA).

Administrators can create and enforce password policies in less than a minute, use reCAPTCHA (in the Pro version) to stop bad bots with malicious intent, and identify trusted devices (also Pro version) to prevent unauthorized users, block session hijacking, and even limit Admin account privileges to trusted devices – a feature that would be practical when they install WordPress in server environments, for example.

5. BulletProof Security

With BulletProof Security, we have an effective, reliable, and easy-to-use security plugin. It offers features like a malware scanner, firewall, login security, backups, and anti-spam.

It can be used to automate whitelisting, idle session logouts (ISL), status displays, error logging, and alerting.

6. MalCare Security

MalCare Security is a cloud-based malware scanner – they are proud to announce it is the “only WordPress Security Plugin with Instant WordPress Malware Removal.”

It removes malware that other tools can’t even detect, and continues to offer real-time protection against the latest threats via its firewall; more features include CAPTCHA login to stop malicious traffic.

7. SecuPress

SecuPress is a free WordPress security plugin that can help with GDPR compliance and block incoming malicious requests, SQL injection scanners, and brute force attacks – to name a few features.

This plugin scans the WordPress installation to spot issues and deliver a report on the overall health of the site. It can be configured to send alerts via email, SMS, Slack, and even social media platforms like Twitter.

8. Defender Security

Defender Security is a WordPress plugin that scans for malware, acts as a firewall, and strengthens login security.

Other security features include preventing brute force attacks, SQL injections, and cross-site scripting. It also offers features such as IP blocking, an audit trail, and two-factor authentication. Furthermore, it comes with Google 2-Step Verification and other third-party integrations like Microsoft Authenticator and Authy.

9. NinjaFirewall (WP Edition)

NinjaFirewall is, like its name suggests, a stand-alone web application firewall that stands in front of a WordPress installation. It can hook, scan, sanitize or reject HTTP/HTTPS requests.

It can tackle brute force and distributed attacks – even if they are large attacks originating from a wide range of IP addresses. It also offers File Guard – a unique feature that detects the access, modification, or even creation of PHP files in real-time, and sends out alerts depending on configurations.

It also hooks HTTP requests from malicious shell scripts and sends out detailed alerts to help stop attacks.

10. WP Hide & Security Enhancer

WP Hide & Security Enhancer is used to completely hide WordPress core files, the login page, theme information, and plugin paths.

Anyone sniffing around for information on the WordPress site will have nothing to go on. All references to themes, WP versions, authors – anything to do with this CMS will be hidden. Admins can even change plugin default paths and clean common HTML comments that refer to templates, body, posts, images, and classes. In short, it’s like WordPress didn’t exist.

11. WP Force SSL & HTTPS Redirect

Admins can use WP Force to automatically redirect traffic from HTTP to HTTPS. In case HTTPS isn’t configured in the WordPress installation, the tool can be used to secure the site using its SSL certificate.

It has a testing tool to make sure the SSL certificate is indeed valid, properly installed, and hasn’t expired. This plugin can also be used to enable HTTP Strict Transport Security (HSTS) – a web security policy mechanism that stops protocol downgrade attacks and cookie hijacking.

12. BBQ Firewall

BBQ Firewall is a light, fast plugin that protects WordPress sites against a wide range of threats and malicious URL requests and exploits.

It checks all incoming traffic and quietly blocks bad requests containing malicious content, scripts or codes. It is a small tool that works as well as the best firewall solutions on the market. It integrates into any WordPress theme to protect against SQL injection attacks, unauthorized file uploading, and many other attacks.

13. Login LockDown

Login LockDown is a security plugin that records the IP address and timestamp of failed login attempts. It can be used to block any login attempts after a certain number of failed attempts. This helps prevent brute force attacks.

Administrators can set the “lockout” times of an IP address following a certain number of failed login attempts within a set amount of time. The plugin has a comprehensive panel from which it is easy to modify policies as well as do administration work – like manually releasing a locked IP address.
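The lockout policy described above, sketched as an added example (not Login LockDown's own code). The threshold, window and lockout values, the class name and the sample events are assumptions made for illustration.

```python
from collections import defaultdict, deque


class LoginLockdown:
    """Lock out an IP after too many failed logins inside a time window."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        # Assumed example values in seconds, not the plugin's defaults.
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> time the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is not None and now >= until:
            del self.locked_until[ip]        # lockout expired
            until = None
        return until is not None

    def attempt(self, ip, now, success):
        if self.is_locked(ip, now):
            return "blocked"                 # rejected even with a valid password
        if success:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

    def release(self, ip):
        """Manual release of a locked address, as from an admin panel."""
        self.locked_until.pop(ip, None)
        self.failures.pop(ip, None)


# Constructed events: (timestamp in seconds, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "198.51.100.7", False), (60, "198.51.100.7", False),
    (120, "198.51.100.7", False), (130, "198.51.100.7", True),
    (200, "203.0.113.9", False), (900, "203.0.113.9", False),
    (3721, "198.51.100.7", True),
]


def replay_logins(events, guard=None):
    """Feed events through the policy and return one outcome per attempt."""
    guard = guard or LoginLockdown()
    return [guard.attempt(ip, ts, ok) for ts, ip, ok in events]
```

The fourth event carries the correct password and is still rejected, because the address is locked; the second address never locks, because its two failures fall outside one window.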

14. Advanced noCaptcha & invisible Captcha (v2 & v3)

Advanced noCaptcha & invisible Captcha is a flexible and customizable plugin for adding CAPTCHA checking features to stop spamming.

It can be used to create CAPTCHA for any type of page – comments, contact us, log in, register or anywhere it may be required. There are three versions to choose from that are highly customizable and all of which can be configured to allow conditional logins following failed attempts. Error messages, themes, sizes, and locations are all customizable to blend into any site design.

15. Salt Shaker

The Salt Shaker plugin hardens WordPress security by changing its salt keys – cryptographic elements used to hash data – either manually or automatically.

Using salt keys makes it harder to guess passwords and next to impossible for hackers to gain unauthorized access to the site. This plugin is easy to use, and once set, needs no more configuration as it keeps changing the salts automatically.

16. Blackhole for Bad Bots

The Blackhole for Bad Bots plugin is used to stop bad bots and conserve precious digital resources for genuine users.

It is a rather clever plugin that adds a hidden trigger link in the footer of each WordPress page. A single line is then added to the robots.txt file which instructs bots to not follow the hidden link. Any bots that ignore this rule – and continue to crawl the link regardless – are trapped and denied further access to the site. It is a silent and lithe tool that uses whitelists to allow major search engines to crawl the site.
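The trap logic described above, replayed over access-log lines as an added example (not the plugin's own code). The trap path, the User-Agent whitelist and the log lines are constructed assumptions.

```python
import re
from urllib.robotparser import RobotFileParser

TRAP_PATH = "/blackhole-trap/"             # hypothetical trap URL (assumption)
ROBOTS_TXT = f"User-agent: *\nDisallow: {TRAP_PATH}\n"
ALLOWED_AGENTS = ("googlebot", "bingbot")  # assumed whitelist, matched on User-Agent

# Constructed access-log lines (combined log format), in arrival order.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "BadScraper/1.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 400 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /blackhole-trap/ HTTP/1.1" 200 0 "-" "BadScraper/1.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:03 +0000] "GET /blackhole-trap/ HTTP/1.1" 200 0 "-" "Googlebot/2.1"',
    '198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /contact/ HTTP/1.1" 200 300 "-" "BadScraper/1.0"',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /blog/ HTTP/1.1" 200 900 "-" "Googlebot/2.1"',
]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')


def trap_is_disallowed(robots_txt=ROBOTS_TXT, agent="AnyBot"):
    """True if a rule-abiding crawler is told not to fetch the trap URL."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return not parser.can_fetch(agent, TRAP_PATH)


def replay_requests(lines):
    """Replay requests in order; return per-request decisions and blocked IPs."""
    blocked, decisions = set(), []
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        ip, path, agent = match.groups()
        whitelisted = any(name in agent.lower() for name in ALLOWED_AGENTS)
        if ip in blocked:
            verdict = "deny"            # already trapped: no further access
        elif path.startswith(TRAP_PATH) and not whitelisted:
            blocked.add(ip)             # ignored robots.txt and followed the hidden link
            verdict = "trap"
        else:
            verdict = "allow"
        decisions.append((ip, path, verdict))
    return decisions, blocked


if __name__ == "__main__":
    print("trap disallowed in robots.txt:", trap_is_disallowed())
    for decision in replay_requests(SAMPLE_LOG)[0]:
        print(decision)
```

A User-Agent string can be forged, so a whitelist matched on it alone should be backed by a stronger check such as reverse DNS verification of the crawler's address.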

17. SiteGround Security

SiteGround Security offers unique and easy-to-configure features that help secure a WordPress site against threats like brute force attacks, compromised logins, and data leaks.

It stops access by unauthorized users, bots, and scripts with the help of two-factor authentication, disallows common usernames, and prevents users from creating weak usernames. It monitors login attempts – and blocks them after a set number of tries.

18. All In One WP Security & Firewall

All In One WP Security is a free plugin with all the latest WordPress security practices and recommendations.

It is an easy-to-use vulnerabilities checker that is used to implement and enforce all the current best practices. It performs audits to let site owners know how secure their WordPress installation is. It protects sites with features like user lock-outs, IP address banning, and user activity monitoring.

19. Anti-Malware Security and Brute-Force Firewall

This is a plugin for removing known security threats, backdoor scripts, and database injections. It takes its definition files from its home site – – to stay ahead of hackers and malicious code.

The Anti-Malware Security and Brute-Force Firewall, for example, blocks the SoakSoak virus as well as other malware. Once it has been set up, there is no need for manual intervention as the plugin polls the home database for updates.

20. Really Simple SSL

Really Simple SSL is a plugin that automatically detects WordPress settings and configures them to run the HTTPS protocol.

It is a lightweight, but nifty, tool that needs only a single click to make the move to SSL (or generate a free certificate from Let’s Encrypt). Once set up, it dynamically directs all traffic towards the HTTPS protocol.

Security plugins secure WordPress

Anyone with a WordPress website would be wise to make use of these security plugins. Better yet, it would be a smarter choice to make sure professionals install, set up, and administer the website as a whole.

Liku Zelleke

Liku Zelleke is a technology blogger who has over two decades of experience in the IT industry. He hasn’t looked back since the day, years ago, when he discovered he could combine that experience with his other passion: writing. Today, he writes on topics related to network configuration, optimization, and security for Cloud Infrastructure Services.
