Lock It Up: Security Plugins for WordPress

WordPress has a few security plugins that can help secure your website.

WordPress is a widely used platform; for that reason alone, you should make sure that your WordPress blog or site is as secure as possible. If your website is not secure, your search engine rankings may drop, your information may be stolen, or worse. A plugin alone will not keep your WordPress site safe from attacks; you should also make sure that your site is running the latest version of WordPress. Let’s take a look at some of the security plugins available.

iThemes Security: (formerly Better WP Security)

iThemes Security is a free plugin created and maintained by iThemes.

iThemes Security, formerly known as Better WP Security, is one of the most popular security plugins in the WordPress plugin repository. The plugin is maintained by the iThemes team and is completely free. As the plugin states, there are over thirty ways to secure WordPress. Keep in mind that the only other language available is Spanish. iThemes also advises that you make a backup of your current website in case the plugin breaks your WordPress installation. There may also be some issues with shared servers, so please make sure that you have enough space before installing.


You can take a look at the list of features here. Here’s a summary:

  • Database Backup
  • Set up a notification email
  • Blacklist and Whitelist
  • Lockouts
  • Log files

The UI

The first thing that happens when you activate the plugin is a notification that appears. You will also have a new bar item added to your admin sidebar.

iThemes Security adds a new admin bar to your admin panel. There are various subsections that you can test out here.

Click on the button to begin securing your website. Afterwards, you will see this screen:

You will see this screen after activating the plugin. This is a guide to secure your plugin.

This is a step-by-step guide that will lead you to secure your WordPress site with iThemes Security. iThemes has included a video that you can watch to learn more. Above the video, you can see various tabs: Dashboard, Settings, Advanced, Backups, Logs and Help. Let’s take a look at the Dashboard:

The main UI for iThemes Security for WordPress

Here, you can view your high, medium and low priority tasks. To secure your site, it is important that you fix these issues; otherwise, your site may be at risk of an attack. You can navigate this list in two ways: by using the tabs or by scrolling down. You can also download a book written by the iThemes team, found on the right side of the plugin menu. If you scroll down even further, you can find some of your local/server information.


iThemes Security is a robust and powerful plugin that you should look into. You can set up a notification e-mail, set up a blacklist and use thirty other ways to lock down your site. Remember to make sure that your WordPress site is up to date. If you are going to use this plugin, make sure to back up your website content and database. The last thing to check before installing and activating is that you have enough space, especially on a shared server!


Wordfence security is one of the most popular plugins on WordPress.

WordFence is another popular security plugin for WordPress sites. WordFence was created by the WordFence team and you can even view real-time attacks as they happen on their website. There is a premium version of their plugin that you can find on their website. In order to use this premium version, you must purchase a licence which can be done via their website.

You can view real-time attacks as they happen on WordFence's main website.


WordFence has the following features:

  • Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.
  • Real-time blocking of known attackers. If another site using WordFence is attacked and blocks the attacker, your site is automatically protected.
  • Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
  • Includes two-factor authentication, also referred to as cellphone sign-in.
  • Scans for the HeartBleed vulnerability – included in the free scan for all users.

You can find the full feature list here. Premium features include country blocking in which you can block IP addresses from specific countries. You can purchase a premium WordFence license here.

The UI

The WordFence plugin adds the appropriately named sidebar menu item:

The WordFence admin bar adds submenu items to configure WordFence to your desire.

At the top, you might notice that WordFence is giving you a warning:

You will need to specify an administrative email so WordFence can warn you about issues.

It is very important, as the plugin suggests, to set up an administrator e-mail address so WordFence can let you know about your website’s status. For example, the plugin might let you know about someone who has recently tried to attack your site; it will also let you know when one (or more) of your plugins is out of date.

You can also set up a schedule with WordFence by clicking on the Scan Schedule submenu item in the menu bar.

You can set a schedule in WordFence to scan your website.


The great thing about WordFence is its simple UI and the many options available. Some features are not available in the free version, but the need for them will vary from site to site. Another interesting feature is that you can view live traffic as it happens on the screen. For these reasons and many more, WordFence is a decent choice for your site.

BulletProof Security

BulletProof Security is a WordPress security plugin that can make your WordPress site bulletproof.

BulletProof Security is another plugin, and the last major one that we will take a look at, that can improve the security of your site. If your web server is running Apache, you will need to create a secure .htaccess file. BulletProof Security is feature-packed and has a free and paid version. When you first install and activate the plugin, you might be presented with a list of notifications at the top of your admin panel. Do not worry about these warnings as they will be easy to fix by following the instructions.


You can find a full list of the features by clicking here.

The UI

You can see the BulletProof UI below. At first, the user interface may seem daunting, but you can just click on each of the tabs to view each section. As you can see, there are a few errors to fix here; the most important one is to make sure that your WordPress installation is protected by BPS, or BulletProof Security. This is done by modifying your .htaccess file (if you are running an Apache server) and the wp-config.php file.

This is the BulletProof Dashboard where you can see all of the security tasks you have left.

You can edit the security files within this plugin.


I would recommend Bulletproof Security for more advanced users, but for what it does, it can give you advanced control of your .htaccess and other files.


Honorable Mention

Limit Login Attempts

The Limit Login Attempts plugin has not been updated in two years but is still used on some sites today. It is a simple plugin that limits the number of times that a person can try to log in to your site.
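To show what a login limit of this kind does, here is an added example (not code from Limit Login Attempts or any plugin reviewed here) that replays constructed web-server log lines through a simple lockout policy. The thresholds, the function names and the log lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy for this example, not the defaults of any plugin.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(minutes=20)

# Constructed sample lines in Apache combined-log style (documentation IPs).
SAMPLE_LOG = """\
192.0.2.9 - - [10/Mar/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:41 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
198.51.100.4 - - [10/Mar/2024:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
192.0.2.9 - - [10/Mar/2024:10:07:00 +0000] "POST /wp-login.php HTTP/1.1" 200 5120
"""
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def failed_logins(log_text):
    """Yield (time, ip) for failed logins: a stock wp-login.php answers a failed
    POST with 200 (form shown again) and a successful one with a 302 redirect."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == "200":
            yield datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), ip

def lockouts(log_text):
    """Return (ip, locked_at, locked_until) for each lockout the policy triggers."""
    recent, locked_until, events = defaultdict(deque), {}, []
    for when, ip in failed_logins(log_text):
        if when < locked_until.get(ip, when):
            continue  # still locked out: the attempt would be rejected, not counted
        q = recent[ip]
        q.append(when)
        while when - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked_until[ip] = when + LOCKOUT
            events.append((ip, when, locked_until[ip]))
            q.clear()
    return events
```

Only 203.0.113.7 is locked out: the user who mistyped a password once and the visitor whose failures are spread out over more than five minutes stay under the limit.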

Other tools

WordPress Exploit

WordPress Exploit will show you all the latest hacks and exploits available for WordPress. You can and should use this as it will keep you up to date.