Updated March 1, 2025
Reading Time: 3 minutes
Having the right WordPress Security plugins on your site just makes good business sense. Creating and maintaining a website is an investment of time and money. Why leave it open to the risk of getting compromised? Detractors of WordPress claim that the openness of the source code makes it a poor choice as a content management system. We heartily disagree. The WordPress plugin repository has a plethora of choices that can help harden a website’s defenses against benign intruders or devious hackers.
5 Favorites
Limit Login Attempts
Limit Login Attempts‘ goal is to stop a hacker from trying multiple times (guessing or using specialized software) to gain administrative access to your site. This plugin limits attempts to 4 before being locked out for 20 minutes. Not to worry if you don’t remember your password. Legit users can use the “Lost your password?” link on the sign-in panel. As a side note, this is why you want a robust password. The simpler your password the easier it is for the bad guys to hack.
IP Blacklist Cloud
When a hacker tries to access your WordPress site, you’ll get notified by the Limit Login attempt plugin. It will provide an IP address (kind of like a street address for your computer). IP Blocker lets you register the hacker and permanently block them. Of course, they can use another computer or IP address… just rinse and repeat to block them.
Force Strong Passwords
This 5-star plugin forces you to create a robust password. At the basic level WordPress doesn’t require you to use things like special characters and numbers. Hackers using automated systems can plow through weak passwords like ones that focus on pet names and birthdays. Once this plugin is installed, you’ll be guided to build a strong password.
WP Security Scan
The reason I install WP Security Scan in all my WordPress websites is that it hides the version in the line code. It also checks the tables in the databases to make sure the default prefix “wp_” has been changed. It has a password tool built in (although I recommend using a more robust one) as well as double-checks that you don’t have a user named “admin.”
Exploit Scanner
Exploit Scanner is a little obscure, one that I use specifically when a website has been built by someone other than me. It’s also a plugin that you run if you believe you’ve been hacked. Or, if you’ve installed a plugin and things are going haywire and you’re not sure why. It gives you a bunch of false positive, so you need to use some common sense. It scans the site line by line looking for exploits (unauthorized or unscrupulous code like Trojan horses). It’s kind of like an anti-virus checker for WordPress. It’s a complicated bit of code, and can hog your system. Therefore, it’s best to run it during an off-peak time.
WordPress Security Starts at the Core
Not to sound like a broken record, but one of the simplest ways to keep your website safe is to do the recommended WordPress core updates. There are literally hundreds of WordPress programmers across the globe whose primary focus is to keep the open source code safe. This world-class team stays on top of security trends and makes the necessary adjustments. By not keeping your site running on the latest version of WordPress you are taking an unnecessary risk.
There are literally over 22,000 plugins available, with 200+ of them dedicated to WordPress Security. So lack of choice clearly won’t be an issue. As you review features and functionality I highly recommend checking out the star ratings, user comments, how many times it has been downloaded, and the date it was last updated. It does your website no good if your security plugins are built for an outdated WordPress installation.
Have another WordPress Security plugin favorite? Do tell! As a stickler for security, I’m always eager to hear of other great ones that will keep my sites safe and sound.
Teaching Kids at Stanford University