
WordPress is one of the most widely used Content Management Systems on the planet. With over 43% of websites using the platform, it’s no surprise that it has a target on its back. That means not only that the WordPress developers must always work hard to secure their software, but also that those who deploy sites must be diligent about security.


Although WordPress is somewhat secure out of the box, it cannot keep bad actors out on its own. To that end, every admin must consider adding third-party plugins to bolster security.

Fortunately, there are plenty of security-related plugins available for WordPress. But because there are so many, which ones should you use? I’ve put together the top five plugins I always use for every WordPress site (only one of which is installed by default). Let’s take a look at those five plugins to see if they’ll be a good fit for your needs.


Jetpack

Jetpack is an all-in-one security plugin for WordPress that is developed and maintained by the same people who created WordPress and WooCommerce. That means it not only integrates and protects your WordPress sites, but also your WooCommerce shops. Jetpack does a great job of keeping you abreast of security, anti-spam, backup and protection measures, downtime monitoring, brute-force blocking, and login protection.

Jetpack can scan your site for changes to the core WordPress files, web-based shells and TimThumb vulnerabilities (which allow hackers to upload and execute arbitrary PHP code in your timthumb cache directory).

Jetpack offers free and paid plans. For individual users, the free plan will be enough. For business users, one of the paid plans should be considered a must. There are three paid plans: Backup ($4.92/month), which offers real-time cloud backups; Security ($12.42/month), which adds all backup features, real-time malware scanning and comment/form spam protection; and Complete ($49.92/month), which adds VideoPress, site search up to 100k records and CRM Entrepreneur.

Stop Spammers


Stop Spammers is one of the best tools for blocking WordPress spam. This is especially so if you have comments enabled for posts, pages and products. Without Stop Spammers, you will find your comment sections inundated with spam. With Stop Spammers you get an easy-to-use dashboard, IP address whitelisting, blocklists, reCAPTCHA, request approvals, connection, cache viewing, log reports, DNSBL List checks, Stop Forum Spam lookups and diagnostics.

The one caveat to using Stop Spammers is that you cannot use it in conjunction with Jetpack. So, if you find Jetpack includes some must-have features, go with Jetpack; otherwise, Stop Spammers is the plugin to use to help prevent spammers from doing what they do.

Wordfence Security


Wordfence Security is another must-have for anyone looking to secure their WordPress deployments. This plugin includes a firewall, security issue scanning (scan configurations, quarantine files, core files, theme files, plugin files and more), malware protection, reputation checks, performance options (such as low resource scanning), the ability to exclude files from scans, login security (including 2FA), live traffic scans, IP blocking, WhoisLookup and more. Wordfence Security should be one of the first plugins you add to your sites. And if you’re looking for only one plugin to do it all, this is it.

There is a free plan as well as three paid plans (Premium for $99/year, Wordfence Care for $490/year, and Wordfence Response for $950/year). If you’re an individual, go for either the Free or Premium plan. If your business depends on WordPress, consider either the Care or Response plan. I’ve been using the Free plan for years and it has served me very well.


WP 2FA

Two-factor authentication should no longer be considered optional. And although a lot of security plugins add 2FA into the mix, I’ve always found WP 2FA to be the best option for login security. Not only does WP 2FA work exactly as expected, but when you attempt to log in to your WordPress site, it immediately sends the login code to your associated email address. I’ve found other similar plugins to take a bit too much time to send those codes.

With WP 2FA you can enforce 2FA on all users, specific users or specific users/roles. Although WP 2FA is pretty basic (it doesn’t offer a lot of bells and whistles), what it does, it does very well.

Even if you don’t have users on your site, you still have an administrator who must log in, and that account should most certainly be required to use two-factor authentication. WP 2FA offers a free account as well as a Premium plan, which adds trusted devices, white labeling and policies for user roles.

Really Simple SSL


If you want your site to use SSL, the easiest way to do this is with the Really Simple SSL plugin. This plugin simply forces WordPress sites to use SSL, so users can go to HTTPS instead of HTTP. I’ve run into a number of occasions where a hosting service does use SSL certificates, but a WordPress deployment doesn’t honor them and displays the site as insecure. In this day and age, making sure users know they are secure on your site is an important feature you should not overlook. That’s when I turn to Really Simple SSL.

This plugin does a very good job of automatically detecting your settings and configuring your site to run over HTTPS. In theory, all you should have to do is install and enable the plugin and everything should just work. I’ve found that to be the case. The one caveat to using Really Simple SSL is that SSL certificates must be enabled for your site, as the plugin does not create or install certificates for you. But if you already have SSL certificates enabled on your site, and WordPress doesn’t honor them, this is the easiest way to solve that problem.
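A check to run after HTTPS has been forced, given here as an added example that is not from the original article or from the Really Simple SSL project: it lists the sub-resources that a page's markup still references over http://, a common reason a browser marks a site with a valid certificate as not fully secure. The host names and sample markup are constructed, and the class and function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute whose URL the browser fetches as a sub-resource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src", "link": "href"}
# <link> triggers a fetch only for these rel values; rel="canonical" does not.
FETCHING_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collects sub-resources an HTTPS page would still load over http://."""

    def __init__(self):
        super().__init__()
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = (attrs.get(FETCH_ATTRS.get(tag, "")) or "").strip()
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_RELS:
            return
        # Protocol-relative (//host/x) and relative URLs inherit the page scheme.
        if urlsplit(url).scheme.lower() == "http":
            self.insecure.append((tag, url))

def find_mixed_content(html):
    """Return [(tag, url), ...] for every http:// sub-resource in the markup."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.insecure

# Constructed sample: markup of a page served over HTTPS with leftover http:// URLs.
SAMPLE_PAGE = """
<html><head>
<link rel="canonical" href="http://blog.example/post/">
<link rel="stylesheet" href="http://blog.example/wp-content/themes/demo/style.css">
<script src="https://blog.example/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<img src="http://blog.example/wp-content/uploads/logo.png">
<a href="http://other.example/">ordinary link, not a sub-resource</a>
<img src="//cdn.example/pic.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE_PAGE):
        print(f"insecure <{tag}>: {url}")
```

Feed it the saved HTML of a few representative pages (home page, a post, a product page); an empty result means no hard-coded http:// sub-resources remain in that markup.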

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.
