The WordPress Developer’s Guide to Security: Security & Backup Plugins

If you joined us last week, you know we talked in depth about proper WordPress management with a particular emphasis on logins. Controlling who can log in to your site, and how, dramatically reduces the chance that a break-in attempt succeeds.

Sometimes, though, you have to take it a step further. WordPress core is reasonably secure out of the box, but a security plugin can automate hardening and monitoring on top of it and cover the parts core does not control, such as your plugins, themes and login flow. That is precisely what I am going to talk about here today. Plus, I will go over a few backup plugins to protect your data, too.

In case you missed a previous installment, feel free to click back anytime:

If you’re ready to move forward, however, keep reading!

Why Do I Need a Security Plugin?

Primarily, security plugins add a layer of protection against brute force attacks and malware. They give you a set of tools that, when properly configured, put the security tasks you would otherwise repeat by hand (lockouts, scans, file and permission checks) on autopilot. The best plugins also help you recover more quickly from a hack, should you fall victim to one. Bear in mind that a plugin runs inside the same PHP process it is protecting: it cannot fix an insecure host, and it cannot defend against anything that runs before WordPress loads it.

For Mark Maunder, founder of Wordfence, the idea was to build a plugin that sits comfortably on top of WordPress and enhances the great features already built into Core.

With that in mind, let’s take a look at some of the top security plugins out there right now and what it is that makes them so beneficial.

iThemes Security

This is a very popular plugin choice for security. Formerly called Better WP Security, iThemes Security offers numerous ways to secure your site. In fact, it automatically does many of the things we have discussed in previous posts, including the security-through-obscurity measures: it changes your login and admin URLs, removes the meta generator tag, renames the “admin” account, and more. These measures cut down automated noise but will not stop a targeted attacker, so treat them as a complement to strong passwords and lockouts rather than a substitute.

It also offers several protection features: security scans to locate malware and known vulnerabilities, server-side hardening, lockouts for users and IPs that rack up too many invalid login attempts, bot banning, strong password enforcement, and more.

iThemes Security also offers detection features and can alert you when files on the server change unexpectedly. It can detect bots and can be configured to email you when someone fails to log in too many times. Recovery features are available too, since iThemes Security can schedule database backups; for full-site backups (files as well as the database) it pairs well with iThemes’ dedicated backup plugin, BackupBuddy.

There’s a Pro version of iThemes Security available, too, which offers user action logging, two-factor authentication, malware scans, and more.

All in One WP Security & Firewall

Another security plugin option is called All in One WP Security & Firewall, and it has a long track record of providing high quality results to small-time bloggers and big-time developers alike. I think what makes it stand out is how easy it is to set up and put to use right away. It also includes a security points grading system that lets you see just how well you are doing in terms of protecting your site from hackers. From there, you can turn different features on and off to see the effect each has on your rating.

This free plugin allows you to set up a variety of security protocols with just a few clicks. For instance, you can change the “admin” username, identify users with identical login and display names, and enable a password strength tool.

An included login lockdown feature protects your site from brute force attacks by banning IPs and users that make too many bad login attempts. You can also force user logouts, view account activity, and whitelist specific IPs so that you never lock yourself out. Database and file system security features are included as well, along with .htaccess and wp-config.php backups.
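As an added illustration of how the login lockdown features described in both the iThemes Security and All in One sections work (this is example code, not the code of either plugin), here is a minimal WordPress plugin that counts failed logins per IP in a transient, locks the IP out once a threshold is reached, honours a whitelist, and emails the administrator. The LL_* thresholds and the whitelist addresses are assumed values.

```php
<?php
/**
 * Plugin Name: Example Login Lockdown
 * Description: Added illustration of IP-based login lockouts with whitelisting and
 *              admin notification. Not the code of iThemes Security or All in One
 *              WP Security & Firewall; the LL_* settings below are assumed values.
 */

const LL_MAX_ATTEMPTS    = 5;    // failed logins allowed per IP per window
const LL_WINDOW_SECONDS  = 900;  // 15-minute counting window
const LL_LOCKOUT_SECONDS = 3600; // lock the IP out for one hour
// Whitelist entries (example addresses from the RFC 5737 documentation ranges).
const LL_WHITELIST = array( '203.0.113.10', '198.51.100.0/24' );

// REMOTE_ADDR is set by the web server and cannot be spoofed by the client.
// Behind a reverse proxy or CDN it is the proxy's address; only read a header such
// as X-Forwarded-For if you know the proxy overwrites it, otherwise attackers choose
// which "IP" gets locked out.
function ll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Exact match or IPv4 CIDR match. IPv6 entries never match in this small helper.
function ll_ip_matches( $ip, $entry ) {
    if ( false === strpos( $entry, '/' ) ) {
        return $ip === $entry;
    }
    list( $subnet, $bits ) = explode( '/', $entry, 2 );
    $ip_long  = ip2long( $ip );
    $net_long = ip2long( $subnet );
    $bits     = (int) $bits;
    if ( false === $ip_long || false === $net_long || $bits < 0 || $bits > 32 ) {
        return false;
    }
    $mask = 0 === $bits ? 0 : ( 0xFFFFFFFF << ( 32 - $bits ) ) & 0xFFFFFFFF;
    return ( $ip_long & $mask ) === ( $net_long & $mask );
}

function ll_is_whitelisted( $ip ) {
    foreach ( LL_WHITELIST as $entry ) {
        if ( ll_ip_matches( $ip, $entry ) ) {
            return true;
        }
    }
    return false;
}

// Transient names: short, and free of characters the options table dislikes.
function ll_keys( $ip ) {
    $h = md5( $ip );
    return array( 'll_fail_' . $h, 'll_lock_' . $h );
}

// 1. Every failed login increments a per-IP counter that expires with the window.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = ll_client_ip();
    if ( ll_is_whitelisted( $ip ) ) {
        return;
    }
    list( $fail_key, $lock_key ) = ll_keys( $ip );
    $count = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $count, LL_WINDOW_SECONDS );
    if ( $count >= LL_MAX_ATTEMPTS ) {
        set_transient( $lock_key, time(), LL_LOCKOUT_SECONDS );
        delete_transient( $fail_key );
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] Login lockout for %s', get_bloginfo( 'name' ), $ip ),
            sprintf(
                "%d failed logins from %s within %d seconds (last username tried: %s).\nLocked out for %d seconds.",
                $count, $ip, LL_WINDOW_SECONDS, sanitize_user( (string) $username ), LL_LOCKOUT_SECONDS
            )
        );
    }
} );

// 2. While the lock is active, refuse every login from that IP, right password or not.
//    Priority 30 runs after core's username/password check at priority 20, which
//    would otherwise replace our WP_Error with a WP_User on a correct guess.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $ip = ll_client_ip();
    list( , $lock_key ) = ll_keys( $ip );
    if ( ! ll_is_whitelisted( $ip ) && false !== get_transient( $lock_key ) ) {
        return new WP_Error( 'll_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the failure counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    list( $fail_key ) = ll_keys( ll_client_ip() );
    delete_transient( $fail_key );
}, 10, 2 );
```

Drop the file into wp-content/plugins/ and activate it. Two caveats apply equally to the real plugins: per-IP counting is weak against attacks spread over many addresses (which is why some plugins, iThemes Security among them, also lock out per username), and behind a CDN or reverse proxy REMOTE_ADDR is the proxy, so a lockout would block every visitor until the real client-IP header is configured.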

The included firewall feature works by writing rules into your site’s .htaccess file, so that Apache rejects suspicious requests (for sensitive files, with malformed query strings, and so on) before they ever reach WordPress’s PHP code. Note that .htaccess rules apply only on Apache and compatible servers such as LiteSpeed; nginx ignores them. All in One WP Security & Firewall truly lives up to its name and also includes a security scanner, text copy protection, a WHOIS lookup function, spam protection, automatic updates, and more.

Sucuri Security

Sucuri Security is another very popular security plugin for WordPress that no list on the subject would be complete without. The SiteCheck feature lets you check your site for current security problems and malware. You can scan for all sorts of issues: malware, as I said, spam injections, phishing pages, redirects, defacements, and so forth. It can also detect cross-site scripting, obfuscated JavaScript injections, PHP mailers, hidden iframes, anomalies, and IP cloaking. Keep in mind that SiteCheck is a remote scan: it sees only what a visitor sees, so it can miss a backdoor that does not change your pages’ output.

The scanner also queries the APIs of several popular blacklist services, including Norton, McAfee SiteAdvisor, and AVG, to tell you whether your domain has already been flagged. Once you are done with the scanning process, you can then “harden” your site by enabling a variety of one-click features. While none of them offers strong protection on its own, together they close off a good share of the common attack paths.

Some of these features include protection for your uploads directory (blocking PHP execution there), restricting direct access to wp-content and wp-includes, verifying that the WordPress and PHP versions are current, and disabling the built-in plugin and theme editors. You can also opt to verify every WordPress core file against the official release to see whether any have been changed and whether any hidden backdoors have been planted on your site.
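Under the hood, most of these one-click hardening options, like the .htaccess firewall in the All in One section earlier, are Apache directives written into .htaccess files. The following is an added example (not Sucuri’s or All in One WP Security & Firewall’s own code) of how a plugin does this with WordPress’s insert_with_markers() helper: it blocks PHP execution in wp-content/uploads, denies direct requests for wp-config.php and dotfiles, turns off directory listings, and applies the wp-includes rules from the WordPress Codex “Hardening WordPress” page. The marker name and the hw_* function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Example Hardening Rules
 * Description: Added illustration of .htaccess-based hardening via insert_with_markers().
 *              Not Sucuri's or All in One WP Security & Firewall's code. Apache only.
 */

require_once ABSPATH . 'wp-admin/includes/misc.php'; // provides insert_with_markers()

const HW_MARKER = 'Example Hardening'; // assumed name for the "# BEGIN ... # END" block

// "Deny everything" that works on Apache 2.4 (mod_authz_core) and on 2.2.
function hw_deny_all() {
    return array(
        '<IfModule mod_authz_core.c>',
        '    Require all denied',
        '</IfModule>',
        '<IfModule !mod_authz_core.c>',
        '    Order deny,allow',
        '    Deny from all',
        '</IfModule>',
    );
}

function hw_indent( array $lines ) {
    return array_map( function ( $l ) { return '    ' . $l; }, $lines );
}

// wp-content/uploads/.htaccess: a "picture" that is really PHP must never execute here.
function hw_uploads_rules() {
    return array_merge(
        array( '<FilesMatch "\.(php|phtml|php[3-7]|phar)$">' ),
        hw_indent( hw_deny_all() ),
        array( '</FilesMatch>' )
    );
}

// Site-root .htaccess. RewriteBase assumes WordPress is installed at /.
function hw_root_rules() {
    return array_merge(
        array( 'Options -Indexes' ),                          // no directory listings
        array( '<FilesMatch "^(wp-config\.php|\..*)$">' ),    // wp-config.php, .htaccess, .git, .env ...
        hw_indent( hw_deny_all() ),
        array( '</FilesMatch>' ),
        // Codex "Hardening WordPress" rules: no direct PHP requests into wp-includes.
        // The wp-includes/[^/]+\.php rule breaks ms-files.php on older multisite installs.
        array(
            '<IfModule mod_rewrite.c>',
            '    RewriteEngine On',
            '    RewriteBase /',
            '    RewriteRule ^wp-admin/includes/ - [F,L]',
            '    RewriteRule !^wp-includes/ - [S=3]',
            '    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]',
            '    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]',
            '    RewriteRule ^wp-includes/theme-compat/ - [F,L]',
            '</IfModule>',
        )
    );
}

// Write (or rewrite) the marked block in each file; true per file on success,
// false when the file or its directory is not writable.
function hw_apply() {
    $uploads = wp_upload_dir();
    return array(
        'root'    => insert_with_markers( ABSPATH . '.htaccess', HW_MARKER, hw_root_rules() ),
        'uploads' => insert_with_markers( trailingslashit( $uploads['basedir'] ) . '.htaccess', HW_MARKER, hw_uploads_rules() ),
    );
}

// Empty the marked block on deactivation so the rules do not outlive the plugin.
function hw_remove() {
    $uploads = wp_upload_dir();
    insert_with_markers( ABSPATH . '.htaccess', HW_MARKER, array() );
    insert_with_markers( trailingslashit( $uploads['basedir'] ) . '.htaccess', HW_MARKER, array() );
}

register_activation_hook( __FILE__, 'hw_apply' );
register_deactivation_hook( __FILE__, 'hw_remove' );
```

Because .htaccess is read by Apache only, these rules do nothing on nginx, where the equivalent goes into location blocks in the server configuration. The editor-disabling option is a different mechanism: it is the DISALLOW_FILE_EDIT constant, which belongs in wp-config.php as define( 'DISALLOW_FILE_EDIT', true ).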

Sucuri also offers several security plans in addition to its free plugin, if you’re looking for a more robust security solution.

Wordfence Security

As I mentioned earlier, Wordfence Security is another high-quality plugin-based security solution for your site. Once installed and activated, it scans your site and compares its source files against the official WordPress core files. Its protective features, including the firewall, then stay active to block future attack attempts.
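Both Sucuri’s core-file verification and the scan Wordfence runs on activation compare your copy of WordPress against the official release. As an added example (not Wordfence’s or Sucuri’s code), the functions below fetch the MD5 manifest WordPress.org publishes for each version and locale from https://api.wordpress.org/core/checksums/1.0/ and report modified, missing and unexpected files; the demo at the end builds a constructed two-file “core” in a temporary directory, tampers with it, and runs the check offline, reporting the altered index.php as modified, the deleted functions.php as missing and the planted file as unexpected.

```php
<?php
// Added example of a core-file integrity check (not Wordfence's or Sucuri's code).

/**
 * The manifest WordPress.org publishes for a release: relative path => MD5.
 * Returns the array, or a WP_Error if the request fails or the version is unknown.
 */
function core_expected_checksums( $version, $locale = 'en_US' ) {
    $url  = 'https://api.wordpress.org/core/checksums/1.0/?' . http_build_query( array( 'version' => $version, 'locale' => $locale ) );
    $resp = wp_remote_get( $url, array( 'timeout' => 30 ) );
    if ( is_wp_error( $resp ) ) {
        return $resp;
    }
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $body['checksums'] ) || ! is_array( $body['checksums'] ) ) {
        return new WP_Error( 'no_checksums', 'No checksums for this version/locale' );
    }
    return $body['checksums'];
}

/**
 * Compare the files under $root with the manifest.
 * 'modified': on disk but the hash differs; 'missing': in the manifest, not on disk;
 * 'unexpected': a file under wp-admin/ or wp-includes/ that core never ships, the
 * classic place to hide a backdoor. wp-content/ is skipped: themes, plugins and
 * uploads are not core and must be checked against their own sources.
 */
function core_verify( array $expected, $root ) {
    $root   = rtrim( str_replace( '\\', '/', $root ), '/' ) . '/';
    $report = array( 'modified' => array(), 'missing' => array(), 'unexpected' => array() );

    foreach ( $expected as $rel => $md5 ) {
        if ( 0 === strpos( $rel, 'wp-content/' ) ) {
            continue;
        }
        $path = $root . $rel;
        if ( ! is_file( $path ) ) {
            $report['missing'][] = $rel;
        } elseif ( md5_file( $path ) !== $md5 ) {
            $report['modified'][] = $rel;
        }
    }

    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        if ( ! is_dir( $root . $dir ) ) {
            continue;
        }
        $files = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( $root . $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $files as $file ) {
            $rel = str_replace( '\\', '/', substr( $file->getPathname(), strlen( $root ) ) );
            if ( ! isset( $expected[ $rel ] ) ) {
                $report['unexpected'][] = $rel;
            }
        }
    }

    foreach ( array_keys( $report ) as $k ) {
        sort( $report[ $k ] );
    }
    return $report;
}

// Constructed offline demo: a two-file "core" in a temp dir, then tampered with.
// The file names and contents are made up for the demo.
function core_verify_demo() {
    $root = sys_get_temp_dir() . '/wpcore-demo-' . uniqid();
    mkdir( $root . '/wp-includes', 0700, true );
    $index   = "<?php // original index.php\n";
    $version = "<?php \$wp_version = '9.9';\n";
    file_put_contents( $root . '/index.php', $index );
    file_put_contents( $root . '/wp-includes/version.php', $version );
    $expected = array(
        'index.php'                 => md5( $index ),
        'wp-includes/version.php'   => md5( $version ),
        'wp-includes/functions.php' => md5( 'shipped by core, but deleted here' ),
    );
    // Tamper: append code to index.php and plant a file that core never ships.
    file_put_contents( $root . '/index.php', "// injected\n", FILE_APPEND );
    file_put_contents( $root . '/wp-includes/class-wp-cache.php', "<?php // planted\n" );
    return core_verify( $expected, $root );
}
```

WP-CLI offers the same check as wp core verify-checksums. A clean result proves only that core is untouched; it says nothing about plugins, themes, uploads or the database, which is where most injected content ends up, so treat it as one signal among the scanner’s others.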

It comes in a free and a premium version, both built on what Wordfence calls the Wordfence Cloud Platform: the threat intelligence behind the firewall and the scanner (signatures, blocklists, and reference copies of core, plugin and theme files) is served from Wordfence’s own servers rather than bundled with the plugin. “We have our own dedicated physical servers in our data center in Lynwood, Washington,” says Maunder, saving “customers from using additional CPU, memory and disk on their own servers.” The scan itself still runs as PHP on your own host, though, so expect some CPU load while it is in progress.

This plugin offers support for multisite, cellphone sign-ins, popular plugins like WooCommerce, two-factor authentication, strong password enforcement, file scanning, and more. It also includes a firewall for protecting your site against bots, malware, and brute force attacks. Once installed, you’ll also have the ability to block malicious networks and known attackers, all in real-time.

BruteProtect

Recently acquired by Automattic, BruteProtect is a security solution for WordPress designed specifically for protecting against brute force attacks. Along with this primary feature, it also offers multisite protection, a dashboard for monitoring attacks, automatic remote updates for core files (as well as plugins and themes), and uptime monitoring.

It won’t protect you against every security problem, but it is efficient, and its acquisition by Automattic, the company behind WordPress.com, gives it solid backing.

Acunetix WP Security

Here’s another popular choice. Acunetix WP Security is completely free and makes it simple to scan and secure your site quickly. You can easily set up file permissions, establish database security, hide the version of WordPress you are using, prevent problems with the “admin” username, and more.

It’s compatible with multisite and backups, and provides reports on overall security and file permissions after scans. What I like is that it includes a live traffic tool for checking out who’s on your site as they’re browsing.

Bulletproof Security

The last security plugin I am going to talk about here today is Bulletproof Security. This plugin offers many of the same features as the plugins I have already discussed, such as .htaccess modifications, database backups, and security logging. It also comes with a UI theme skin changer for customizing your interactions with the plugin.

The Pro version includes many more features, such as one-click setup, AutoRestore, an IP-based firewall, error logging, and more. You can also count on database backups, brute force protection, IP banning, firewall setup, and so many more features that I can’t possibly list them all here. Seriously, go read its plugin directory description and prepare to be taken aback by its thoroughness!

The Importance of Backup Plugins

In addition to leveraging a security plugin, you should also make it a priority to use a backup plugin. As you might’ve noticed, several of the security plugins I talked about here today include backup features or their makers also have backup plugins available.

Backing up your site on a regular basis (and automating the process) is vital for a full security plan. How else do you expect to restore your site’s files and database to their pre-hack state should an attack occur? While many backup plugins exist, some of the most popular include VaultPress, WordPress Backup to Dropbox, and BackupBuddy. Ranging from free to paid, these plugins will make good and sure your files and WordPress database are safe and sound, no matter what happens. Three things make a backup actually useful in an incident: it is stored somewhere other than the compromised server, you keep several generations (a backup taken after the break-in contains the malware too), and you have tested a restore before you need one.

In case you didn’t know, ManageWP also offers backups as a part of its main feature set. You can schedule backups in advance and make the process completely automated, which is the best way to ensure they happen on time, every time.


While you can enact many security settings manually in WordPress, opting for the plugin route can make your life a whole lot easier, especially if you have to set up proper security on many sites. The above plugins should help you get started in your research for the best solution.

In the meantime, be sure to let me know your favorite security plugin in the comments below. And check back next week for another security post!

Brenda Barron

Brenda is a writer from southern California, a WordPress enthusiast, and Doctor Who addict. She contributes to several business and technology blogs, including her own, Digital Inkwell. You can follow her on Google+.


  1. Ray Boller

I have used “All In One WP Security & Firewall”. I think this one is the best security plugin.

  2. acil kredi

Wordfence is good but uses so much CPU! How do I change the CPU usage limit?

  3. Casper

I use the Wordfence and WP Security plugins. I see a lot of security options with the WP Security plugin but not an option to delete the malware files. That is a problem for me.

The paid versions of Sucuri are a bit pricey. As an affiliate marketer I have about 27 websites and 21 of them are infected by malware (thanks to Pop Up Domination; never buy this crappy plugin). So Sucuri would cost me a whole lot of money.

Does anybody have an idea how to clean up the malware on all my sites that would not cost me a fortune?


  4. Jan

To stop spam login attacks on my WordPress back end, I edited my Apache configuration as described at:

    So far, so good!

  5. Luke Boobyer

    I’ve tried them all out at one time or another and I have always gone back to iThemes Security. I just find it’s the most user friendly and robust of the lot.

    1. Milton Ayala

Me too. By far, I think it is the best. Also, I found WordPress Zero Spam to be very effective; it works like a charm.

  6. Michael Daniel

Our current WordPress site uses:
    iThemes Security
    Sucuri Security – Auditing, Malware Scanner and Hardening

Is there any reason why I need all 3? Is there one plugin that does all of this?

  7. Mark

All in One works well for me. Love the choices I am offered and the dashboard score indicator. Works as advertised, and you can’t beat the price: FREE.

  8. Hamza Ghani

I have just installed “All In One WP Security & Firewall” on your recommendation; let’s see how it goes 🙂


  9. CGHill

    After a couple of infections, I tried Sucuri’s Site Scan, and was pleased enough to sign up for their monitoring service.

  10. Atis

    I use Wordfence Security and am satisfied. Though I’d like to hear also others opinion on the topic.


Over 65,000 WordPress professionals are already using ManageWP

Add as many websites as you want for free, no credit card required. Sign up and start saving time!

Have questions? Get in touch!