35 Security Plugins to Make Your WordPress Bulletproof

WordPress is the most popular blogging platform today. It’s being used by thousands of people all around the world. But because of its popularity, it is getting more attention from hackers and spammers too. WordPress is very secure by itself, but you can never have too much security.

For ordinary users who don’t code a lot, plugins are the best way to secure a blog. They’re free, easy to use and safe. This post assembles the 35 best plugins to make your blog bulletproof. Each is devised for a different purpose, so you will get the best protection in each area.

Secure Your Login

1. Semisecure Login Reimagined

Semisecure Login Reimagined increases the security of the login process by using a combination of public and secret-key encryption to encrypt the password on the client-side when a user logs in. JavaScript is required to enable encryption. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.


2. Stealth Login

This plugin allows you to create custom URLs for logging in, logging out, administration and registering for your WordPress blog. Instead of advertising your login URL on your homepage, you can create a URL of your choice that can be easier to remember than wp-login.php, for example you could set your login URL to http://www.myblog.com/login for an easy way to login to your website.


3. Login LockDown

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.
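The lockout rule described above, sketched as an added Python example (not Login LockDown's own code). The thresholds, the /24 and /64 definition of "IP range" and the `LoginLimiter` and `replay` names are assumptions, and the events are constructed sample data.

```python
import ipaddress
from collections import defaultdict, deque

# Assumed values; the page only says "a certain number" and "a short period".
MAX_FAILURES = 3
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 3600
PREFIX = {4: 24, 6: 64}  # assumed meaning of "IP range"


def range_key(ip):
    """Collapse an address to the network that shares one failure counter."""
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False))


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> timestamps of recent failures
        self.locked_until = {}              # range -> time the lockout ends

    def is_locked(self, ip, now):
        key = range_key(ip)
        if key in self.locked_until and now >= self.locked_until[key]:
            del self.locked_until[key]      # lockout has expired
        return key in self.locked_until

    def attempt(self, ip, now, password_ok):
        """Return 'locked', 'ok' or 'failed' for one login request."""
        if self.is_locked(ip, now):
            return "locked"                 # refused before the password is checked
        if password_ok:
            return "ok"
        recent = self.failures[range_key(ip)]
        recent.append(now)
        while recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[range_key(ip)] = now + LOCKOUT_SECONDS
            recent.clear()
        return "failed"


# Constructed sample: (timestamp, source IP, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.10", False),
    (60, "203.0.113.11", False),
    (120, "203.0.113.12", False),    # third failure in the /24 triggers the lockout
    (130, "203.0.113.200", True),    # same range: refused even with a valid password
    (130, "198.51.100.7", True),     # different range: unaffected
    (3720, "203.0.113.10", True),    # lockout expired
]


def replay(events):
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ts, ok) for ts, ip, ok in events]


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Behind a reverse proxy the key has to be the real client address; if every request appears to come from the proxy, one lockout blocks all visitors.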


4. Chap Secure Login

Whenever you log in to your website, you can use this plugin to transmit your password encrypted. The encryption process is done by the Chap protocol. By activating the Chap Secure Login plugin, the only information transmitted unencrypted is the username; the password is hidden with a random number (nonce) generated by the session and then transformed by the MD5 algorithm. The first login will produce an error, but don’t worry, it is only a technical error. On the next login, if the values are correct, there will be no errors.
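A CHAP-style nonce exchange of the kind described above, as an added Python example (not the plugin's code). The exact hash construction, the `ChapServer` class and the account data are assumptions; MD5 is used only because the description names it.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def client_response(password, nonce):
    """What the browser sends instead of the password (assumed construction)."""
    return md5_hex(nonce + md5_hex(password))


class ChapServer:
    def __init__(self):
        self.verifiers = {}  # username -> MD5(password), as stored server-side
        self.pending = {}    # username -> nonce issued for the next login

    def register(self, username, password):
        self.verifiers[username] = md5_hex(password)

    def challenge(self, username):
        """Issue a fresh random nonce for this login attempt."""
        nonce = secrets.token_hex(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        # The nonce is consumed whether or not the check passes, so a
        # captured response cannot be replayed.
        nonce = self.pending.pop(username, None)
        stored = self.verifiers.get(username)
        if nonce is None or stored is None:
            return False
        expected = md5_hex(nonce + stored)
        return hmac.compare_digest(expected, response)


def demo():
    """Run the exchange on constructed data; returns four booleans."""
    server = ChapServer()
    server.register("alice", "correct horse")  # constructed account

    nonce = server.challenge("alice")
    captured = client_response("correct horse", nonce)
    first_login = server.verify("alice", captured)

    replay_same_nonce = server.verify("alice", captured)  # nonce already used

    server.challenge("alice")
    replay_new_nonce = server.verify("alice", captured)   # answers the old nonce

    nonce = server.challenge("alice")
    wrong_password = server.verify("alice", client_response("guess", nonce))
    return first_login, replay_same_nonce, replay_new_nonce, wrong_password


if __name__ == "__main__":
    print(demo())
```

The exchange hides the password only during login; without SSL the session cookie issued afterwards and all page content still travel unencrypted.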


Admin Area

1. Admin SSL

Admin SSL secures the login page, admin area, posts, pages – whatever you want – using Private or Shared SSL. Once you have activated the plugin, you have to go to the Admin SSL config page to enable SSL.



1. WP-DB-Backup

WP-DB-Backup allows you to easily back up your core WordPress database tables. You may also back up other tables in the same database.


2. Remote Database Backup

This plugin creates SQL dumps of your WordPress database. It is based on the WordPress Database Backup plugin (http://www.ilfilosofo.com/blog/wp-db-backup) – but it removes some of the security restrictions in the plugin to enable automated remote backups. You still need the admin user name and password to do a remote backup.


3. WP-DB Manager

This plugin allows you to optimize, repair, back up and restore your database, delete database backups, drop/empty tables and run selected queries. It supports automatic scheduling of database backups and optimization.


4. BackUpWordPress

BackUpWordPress is a backup & recovery suite for your WordPress website. This plugin allows you to back up database tables as well as files and comes with a rich set of options.


5. WordPress 1 Click EZ Backup

EZ Backup has been turned into a simple one click operation. Click the button and watch your files and database backup be created. You can create a backup of all your webspace files or backup just your wp-content folder all from this one plugin. Unlike the Full EZ Backup plugin this one does not require any special information such as usernames or passwords etc. This plugin costs $5.

6. myEASYbackup

This plugin allows you to back up, restore and migrate your WordPress installation, both files and MySQL tables, with a single click. When performing a backup, myEASYbackup creates a compressed data set file that can be stored outside the WordPress installation directory. A list of all data sets on the server is also logged in the admin area.



1. Antispam Bee

AntispamBee protects blogs from digital rubbish. It is made up of sophisticated techniques and analyzes comments including pings. Also, for reasons of data privacy, the use of AntispamBee is a safe solution, as it is anonymous and registration-free.


2. NoSpamNX

NoSpamNX is the successor of Yawasp (Yet Another WordPress antispam plugin) and is a plugin to protect against automated comment spam (spambots). While Yawasp changed the names of the form fields in the comment template, NoSpamNX works without these modifications, but is equally effective. By eliminating the need to modify the form fields, maximum compatibility with other WordPress plugins and browsers is ensured.


3. Akismet

Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again.


4. Math Comment Spam Protection

Asks the visitor making the comment to answer a simple math question. This is intended to prove that the visitor is a human being and not a spam robot. Example of such question: What is the sum of 2 and 9?


5. Defensio Anti-Spam

Defensio is an advanced spam filtering web service that learns and adapts to your behaviors and those of your readers. Advanced features such as support for OpenID, detailed statistics, charts, RSS feed of our comments (innocent and spam) and counter widget are also available.


6. SI CAPTCHA Anti-Spam

Adds CAPTCHA anti-spam methods to WordPress on the comment form, registration form, login, or all. In order to post comments or register, users will have to type in the code shown on the image. This prevents spam from automated bots. Adds security. Works great with Akismet. Also is fully WP, WPMU, and BuddyPress compatible.



reCAPTCHA is an anti-spam method originating from Carnegie Mellon University which uses CAPTCHAs in an ingenious way. Instead of randomly generating useless characters which users grow tired of continuously typing in, risking the possibility that spammers will eventually write sophisticated spam bots which use OCR libraries to read the characters, reCAPTCHA uses a different approach.


8. Blackhole

Blackhole is a trap for bad bots. The concept is simple: include a hidden link to a robots.txt-forbidden directory somewhere on your pages. Bots that ignore or disobey your robots rules will crawl the link and fall into the trap, which then performs a WHOIS Lookup and records the event in the blackhole data file. Once added to the blacklist data file, bad bots immediately are denied access to your site.


9. Invisible Defender

This plugin protects registration, login and comment forms from spambots by adding two extra fields hidden by CSS. This approach gave me 100% anti-spam protection on one of my sites.


1. Secure WordPress

A little help to secure your WordPress installation. This plugin removes error information on the login page, adds index.html to the plugin directory, and removes the wp-version, except in the admin area.


2. WP Security Scan

This plugin will scan your WordPress installation for security vulnerabilities and it will suggest some corrective actions.


3. AskApache Password Protect

This plugin doesn’t control WordPress or mess with your database; instead it utilizes fast, tried-and-true built-in security features to add multiple layers of security to your blog. It is specifically designed and regularly updated to stop automated and unskilled attackers’ attempts to exploit vulnerabilities on your blog, which would otherwise result in a hacked site.


4. TAC (Theme Authenticity Checker)

TAC stands for Theme Authenticity Checker. Currently, TAC searches the source files of every installed theme for signs of malicious code. If such code is found, TAC displays the path to the theme file, the line number, and a small snippet of the suspect code. As of v1.3, TAC also searches for and displays static links.


5. HTTP Authentication

The HTTP Authentication plugin allows you to use existing means of authenticating people to WordPress. This includes Apache’s basic HTTP authentication module and many others.

6. AntiVirus

Viruses, worms and malware exist for WordPress and could easily attack your WordPress installation. AntiVirus for WordPress monitors malicious injections and warns you of any possible attacks. It also has multilingual support.


7. Secure Files

This plugin allows you to upload and download files from outside of your web document root for security purposes. It can be used to restrict file downloads to users that are logged in, or have a certain user level.

8. Replace WP-Version

Secure your WordPress installation by eliminating or replacing your WP version and database version the easy way with a small plugin. If you’re running an older version of WordPress, anyone can view the page source to see what attacks might work against your blog. This plugin replaces the WP version with a random string on WordPress versions below 2.4 and eliminates the WP version on versions above 2.4.

9. WP Email Guard

WP Email Guard protects the email addresses included in any post or page from being crawled by spammers. It converts every email address written within your post body into JavaScript code, so the addresses are readable and clickable by humans only. Spammers can’t crawl JavaScript.

10. WordPress File Monitor

Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.


11. WP Dephorm

WP-Dephorm protects your users from the prying eyes of phorm. This is achieved by setting a cookie to opt out of the phorm information mining. Your blog viewers will not have their information stored and used in marketing campaigns whilst viewing your site.

12. WordPress Firewall

This WordPress plugin investigates web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks. There exist a few powerful generic modules that do this, but they’re not always installed on web servers and are difficult to configure.


13. Secure Contact

SecureContact is a drop in form for users to contact you, based on the WP Contact Form plugin by Ryan Duff. It offers enhanced security by using captcha images.

14. Fast and Secure Contact Form

Fast and secure contact form for WordPress. This contact form lets your visitors send you a quick E-mail message. Blocks all common spammer tactics. Spam is no longer a problem. Includes a CAPTCHA and Akismet support. Additionally, the plugin has a multi-form feature, optional extra fields, and an option to redirect visitors to any URL after the message is sent. Super customizable.


15. Ultimate Security Check

The Ultimate Security Check plugin helps you identify security problems with your WordPress installation. It scans your blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself.

16. Content Security Policy

Content Security Policy prevents content injection attacks by allowing admins to specify which sites they trust to serve JavaScript and other types of content in their site. Any content which is not explicitly allowed by the policy will be blocked from loading.



Daniels Mekšs

Works at 1stwebdesigner, studies photography at ISSP and seeks to enjoy life. You can check out his photography blog and follow him on twitter.



  1. says

    This is a great list of things to do to secure your WordPress site…

    I recently had some security problems with my WordPress sites, and ended up doing a lot of research into securing WordPress sites…

  2. says

    are there any server space monitoring wordpress plugins? my server used space is increasing day by day. i was only installing plugins and nothing.

  3. Toby says

    Great info on WordPress security. Always make a backup of your site BEFORE you add security, as sometimes you can shut yourself out! Been there!

  4. Edossa Kenea says

    my electronic storage of my electronics document and protect me. It has use me to avoid expose my secret by other or others.

  5. Rahasia says

    Hi, thank u for this useful security information.. :)
    I will try the security plugin you explain in the article.. fast and secure contact form is great plugin!! :)

  6. Karl says

    Greetings. We are pleased to announce the release of wSecure. wSecure hides your WordPress admin URL with a special key so that only you can access. The problem with WordPress is that anyone can tell if your site is WordPress by simply typing in the default URL to the administration area (i.e. http://www.yoursite.com/wp-admin). wSecure helps you hide the fact that your website is built with WordPress from prying eyes.

  7. Marc Connor says

    Powerful list Daniels. I’ve already installed and activated a couple, the rest I’ll do later on today.

    BTW, please note that the “Stealth Login” plugin is no longer in existence. Either find a replacement one or make a note that it’s no longer there.

    Keep up the great work.

  8. Hazel says

    Great list! I’m interested in the Stealth Login plugin but the link above does not work.

  9. Fred says

    Wow, you saved me a lot of time and research on this subject. I have implemented quite a few of these plugins especially the ones that protect your login.

    Also I wanted to mention, 1 that I found yesterday and offers a lot of options and features. It is called WebsiteDefender WordPress Security. It helped me to fix some vulnerabilities on my blog.

  10. Pulkit Kaushik says

    Fantastic list! I’ve taken about 7 plugins from here. Wonder why this list hasn’t gone viral.

  11. Alan says

    can u suggest a plugin where i can block an IP basis the no of clicks or time spent on the site. so if an ip comes to the site and does x number of clicks in a given time frame then it will be blocked automatically.

  12. Adam Haworth says

    Great plug-ins I have been looking for some security plug-ins for my site for a while, and didn’t want to install SSL.

  13. Sandeep Yadav says

    From long time i was searching for Good security plugins and i found here best. I m trying to apply some plugins from this awesome list and hope i make my blog more secure. Thanks for publish this valuable list. It will help new bloggers for create secure environment for WordPress :-)

  14. Annabell Fuleki says

    Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your site? My blog is in the very same area of interest as yours and my visitors would certainly benefit from some of the information you present here. Please let me know if this alright with you. Appreciate it!

  15. says

    haa!!some new stuff about wordpress security i would like to try few…thanx for sharing your knowledge

  16. says

    Good list. BackWPup is by far the best backup plugin. I actually tried about 6 last night to find the best. It lets me set up multiple automatic backup jobs and database optimization. Wicked awesome.

  17. JC Johnston says

    Thanks for sharing these plugins. I got security plugins. But you can never be too safe. I will have to look into these more.

  18. says

    Great article and well written.

    I would like to also talk to you about another plugin I use to avoid spam in comments. This is called “WP Captcha Free” and works without Captcha, only based on some algorithms. Since I use it, I don’t get any spam anymore but still comments from real users.


  19. Udegbunam Chukwudi says

    @Tony: Wp Spam Free is only available via the author’s website. For some reason WordPress took them off the repository and they aren’t saying why. Anyway I still use it on my site as it works pretty well and comes with an easy contact form.

    @Daniels: This is one hell of a list. I’ll be checking out Stealth Login. I hope it works well with Login Lockdown. I’ve also been looking for a way to backup my wordpress installation and Backup WordPress and My Ez Backup would come in handy. Here’s hoping that they all work without a hitch ;)

  20. Brian L says

    Great list. I’ll keep this in my bookmarks. Comment spam always seems to be an issue.

  21. Rick says

    I’m not a wordpress user but it seems to me if you need 35 plugins to make your site secure, you’re using the wrong CMS. Why aren’t these built into WP?

    • Daniel says

      You don’t actually need all 35. You can do just fine with 2 or 3. This article gives you the chance to contemplate and pick the best ones for you.

  22. Sherice Jacob says

    Great article!

    Some other excellent security plugins or services for WordPress include:

    BlogWatch –

    It tells you what vulnerabilities exist in your current version of WordPress and the severity of them, plus whether or not to upgrade.

    SABRE – This keeps the spambots from registering as users on your blog and spamming the heck out of your comments section. I wrote up a review of it on my blog here:

  23. Helene D. says

    Great post.

    Bad-Behavior plugin should be added to this list. It is an excellent gatekeeper plugin that stops link spam, bad bots, and DOS attacks before they get to your site.

  24. says

    Best list I’ve seen for security on WordPress. I have a few of them but you have a good few I am considering using.


  25. Dave says

    This is a great list. I’m personally not a fan of using Captcha (I think it strongly discourages commenting), but the DB backup utilities are extremely useful. I actually automate my database backups using WP-DB-Backup. Never have to worry about it.

    There’s still a number of plugins here that I’ll have to consider including on my installations.

  26. Nikunj says

    Hi Daniels,

    Nice list of security plugins, enjoying your various post on 1stWD recently on my friend website got hacked with some javascript injection, i think antivirus & Content Security Policy plugin will help me to make my blog more secure from such attacks & even will recommend my friend the same.


  27. Janis Jakobsons says

    I say thanks for author, there is many useful plugins which I have used before and I am using now. They really help to protect your blog. Thanks once more

  28. says


    Nice list of security plugins for WP

    I use Login LockDown in my site

    Thank you for putting in the work of collecting and summarizing all of these security plugins.