‹ Back



Best WordPress Security Plugins in 2020

Dennis Plucinik • April 14, 2020

Millions of companies stake their brand and reputation on WordPress. In 2020, WordPress was estimated to power roughly 33% of the top one million websites (up from 28% two years ago). The disadvantage of its popularity is that this means WordPress is an attractive target for hackers. More than half of our business depends on startups and large enterprises who trust our ability to produce secure WordPress websites.

You can see just how many known exploits there currently are here and here.

Fortunately, WordPress is a well-established platform and has been battle-tested for nearly fifteen years. The internal WordPress Security Team is made up of approximately 50 experts focused on identifying and fixing bugs around the clock.

In addition to following best practices and updating plugins and core files regularly, we all rely on the exceptional array of plugins provided by the community to help keep your WordPress site safe and secure.

It’s important to note the difference between these and other “traditional” plugins. Considering the wealth of security risks, and the ever-increasing torrent of major site attacks in the news, it is important to think of security management as an ongoing process. As such, these solutions are less like a one-time install, and more like employing the ongoing service of a professional security monitoring company.

As with most things, you get what you pay for, and good security isn’t free.

There are many (dozens) of quality security plugins available but we’re only dealing with the best. We have composed this list by comparing a variety of attributes including popularity, longevity, company size and focus, and pricing, among other attributes.

We will not be ranking plugins on their ability to block or manage spam comments, enhance SEO, or backup files or data.


Wordfence WordPress plugin logo

Firewall & Malware Scan
URL: https://wordpress.org/plugins/wordfence/
Active installations: 3+ million
Last updated: 3 weeks ago (as of 4/14/20)
Company: Defiant, Inc. (private), Seattle, WA, Mark Maunder founded Feedjit Inc. in 2007, $450k Angel funded in 2008 (Crunchbase), Launched WordFence in 2012, Rebranded to Defiant in 2017
Price: $99/year

Notable features

✔ Endpoint firewall with real-time updates (via Threat Defense Feed)
✔ Brute-force attack protection and file access rate-limiting
✔ Malware scanning
✔ Live traffic monitoring
✔ Automatic security updates within 24 hours of release


This leading cyber-security company employs a team of security professionals, and has created a viable business model focused exclusively on providing the most advanced WordPress security products. Their CEO regularly writes and speaks on the topics of internet security.

Aside from price, one detractor appears to be performance. Evidently, performing some of the functions like live traffic monitoring, requires a surprising amount of additional database tables, and subsequently large amount of memory (i.e., a more expensive server).

Related to actually providing security functionality, some other security experts have even noted their absence in reporting some issues and false advertising.


iThemes Security WordPress plugin logo

Firewall & Malware Scan
Active installations: 900k+
Last updated:  2 months ago (as of 4/14/20)
Company: iThemes Media LLC (Acquired by Liquid Web (also owns Rackspace), 1/31/18), Founded 2008, Makers of BackupBuddy
Price: $80/year

Notable features

✔ File change detection
✔ File integrity monitoring
✔ Brute force attack prevention
✔ One-click default setup
✔ “Away mode” dashboard lock


There are a considerable amount of negative reviews you may notice, however many appear to be related to a mis-configuration by inexperienced site administrators. They also appear to have some users discontented with customer service responses.

Overall, there are some aspects of this UI that are appealing to an average user such as the easy default setup, and “Away Mode”. I personally wish there was an Away Mode option that wasn’t time based and instead forced two-factor authentication in order to come back from Away Mode (two-factor authentication is simply too burdensome for most applications with more than one regular user.) File change detection is also unique and important.

Lastly, I’m torn on whether to consider their acquisition by Liquid Web as a pro or a con. An independent company has no other incentive than to provide great service and though Liquid Web may provide additional resources to bolster the product offering, the fact that Liquid Web’s core business isn’t exclusively security means their motives aren’t perfectly aligned.


Sucuri WordPress plugin logo

Auditing, Malware Scanner and Security Hardening
Active installations: 700k+
Last updated:  2 months ago (as of 4/14/20)
Company: Founded 2010 by Daniel Cid (Founder of OSSEC), Acquired by GoDaddy 3/22/17
Price: $199/year

Notable features

✔ Cloud firewall (WAF)
✔ Blacklist monitoring
✔ Malware scanning and unlimited removal
✔ File integrity monitoring
✔ “File and data security enhancements


Despite the fact that a cloud-based WAF may actually boost performance, when absolute security is necessary, if choosing between the two, we prefer an endpoint firewall solution as opposed to the cloud solution provided by this and other services like CloudFlare. It is, however possible to employ both solutions if following a Defense in Depth strategy, albeit at a higher cost.



In closing

All three of these options provide an exceptional solution for managing security. You’ll have to decide which is right for you depending on your own security strategy as each satisfies individual requirements slightly differently.

In closing, security plugins represent one step in a Defense in Depth security strategy. When absolute security is a priority for you, we recommend applying a combination of the most finely tailored solution at each potential layer of vulnerability.

Lastly, if you want to combine ultra-high performance and insanely bulletproof security, read our article on Secure, High-Performance, Static WordPress Sites.

If you need reliable WordPress development services, please email us at [email protected] or click “Say Hello” below.


Further reading