Before we dive into some WordPress security plugins, let’s start with an example. Say you buy a new house. This exciting new investment requires a hefty down-payment you’re probably not used to spending. And, of course, you’re hit with inspection fees prior to buying. Then comes the mortgage and insurance payments, all of which come straight out of your pocket.

They say purchasing real estate is one of the best investments you can make, but that investment is a costly one. For such a high-value investment (and something that could make you big bucks in the future), would you not want to protect it to the best of your ability?

That’s why you buy insurance and consider setting up an alarm system or some security cameras. Many experts suggest at least placing a security system sign on your door, to scare away those who don’t want to risk it. All of this security is meant to protect the initial investment, along with the potential for that investment in the future.

And you should think the same way when it comes to your WordPress website.

Starting a blog, ecommerce website, or small business site requires an upfront investment in services and products like hosting, themes, plugins, and website development. That doesn’t include any help you must hire, such as customer service reps or salespeople.

This initial investment alone is reason enough to secure your website from the start. But more importantly, you’re making sure that you don’t forget to protect the potential money you’re going to make in the future.

By default, WordPress core has some security measures in place, but it’s nothing compared to what a reputable security plugin does for you. For example, the top WordPress security plugins deliver the following:

  • Active security monitoring
  • File scanning
  • Malware scanning
  • Blacklist monitoring
  • Security hardening
  • Post-hack actions
  • Firewalls
  • Brute force attack protection
  • Notifications for when a security threat is detected
  • Much more

Your First Priority Should Be Secure Hosting

The security of your site is only as good as the backend and foundation it’s running on. That’s why it’s important, before looking into security plugins, to choose a WordPress host that already has security measures in place, such as Kinsta. Many of these safeguards are applied at the server level and can be far more effective, without harming performance on your site. Not to mention you don’t have to spend time fiddling with a bunch of security settings in plugins whose functionality or purpose you might not even understand.

Here are a few security features that Kinsta offers on all WordPress managed hosting plans.

  • Kinsta detects DDoS attacks, monitors for uptime, and automatically bans IPs that have more than 6 failed login attempts in a minute.
  • Only encrypted SFTP and SSH connections (no FTP) are supported when accessing your WordPress sites directly.
  • Hardware firewalls, along with additional active and passive security measures are in place to prevent access to your data.
  • Our open_basedir restrictions also don’t allow execution of PHP in common directories that are prone to malicious scripts.
  • Kinsta uses Linux containers (LXC) on top of Google Cloud Platform (GCP) which provides complete isolation for not just each account, but each separate WordPress site. This is a much more secure method than offered by other competitors. GCP also employs data encryption at rest.
  • Kinsta only runs supported versions of PHP: 5.6, 7, 7.1, 7.2, and 7.3. Unsupported versions of PHP are dangerous due to the fact that they no longer have security updates and are exposed to unpatched security vulnerabilities.
  • Nothing is ever 100% hack-proof, and that’s why Kinsta provides free hack fixes for all clients.

It’s important to note that a lot of security plugins cause performance issues due to their always-on and scanning functionalities. That’s why Kinsta bans some (not all) security plugins. Kinsta also utilizes load balancers with Google Cloud Platform which means in some cases IP blocking features of some security plugins won’t work as intended.

If you’re a Kinsta client, we highly recommend utilizing a solution such as Cloudflare or Sucuri, along with Kinsta, if you need extra protection or help to decrease bot and/or proxy traffic. Check out our blog post on how Sucuri helped to easily mitigate a DDoS attack.

However, not every host is going to have security as tight as Kinsta’s, and that’s where WordPress security plugins can be very beneficial.

Best WordPress Security Plugins in 2019

If you’re in a hurry, feel free to click on the following links to test out the security plugins and make your own decisions. If you’d like to see our in-depth analysis, keep reading!

  1. Sucuri Security – Auditing, Malware Scanner and Security Hardening
  2. iThemes Security
  3. Wordfence Security
  4. WP fail2ban
  5. All In One WP Security & Firewall
  6. Jetpack
  7. SecuPress
  8. BulletProof Security
  9. VaultPress
  10. Google Authenticator – Two Factor Authentication
  11. Security Ninja
  12. Defender
  13. Astra Web Security
  14. Shield Security

Most worthwhile security plugins have a price tag, but there are a few that come with limited functionality for free.

We’ll talk about the pricing, but it’s more important to understand what each plugin is going to do for you. Ultimately, it’s all about figuring out the best way to keep the bad guys away from your investment–and sometimes that means spending a little money.

1. Sucuri Security – Auditing, Malware Scanner and Security Hardening

The Sucuri Security plugin offers both free and paid versions, yet the majority of websites should be fine with the free plugin. For instance, the website firewall requires you to pay for a Sucuri plan, but not every webmaster feels like they need that type of security.

Sucuri Security WordPress plugin

As for the free features, the plugin comes with security activity auditing for seeing how well the plugin is protecting your website. It has file integrity monitoring, blacklist monitoring, security notifications, and security hardening. The premium plans open up customer service channels and more frequent scans. For instance, you might want a scan to be completed every 12 hours. For that, you’d pay about $17 per month.

Best Features of Sucuri Security

  • It offers multiple variations of SSL certificates. You do have to pay for these, but it’s available in the packages.
  • The customer service is available in the form of instant chat and email.
  • You receive instant notifications when something is wrong with your website.
  • Advanced DDoS protection is available through some plans.
  • If you don’t want to pay any money you still receive valuable tools for blacklist monitoring, malware scanning, file integrity monitoring, and security hardening.

Further reading: How to Set up Sucuri Firewall (WAF) on Your WordPress Site

2. iThemes Security

The iThemes Security plugin (previously known as Better WP Security) is one of the more impressive ways to protect your website, with over 30 offerings to prevent things like hacks and unwanted intruders. It has a strong focus on recognizing plugin vulnerabilities, obsolete software, and weak passwords.

iThemes Security WordPress plugin

Although some basic security features are included with the free version, we highly recommend upgrading to iThemes Security Pro for the low price of $80 per year. This provides ticketed support, one year of plugin updates, and support for two websites. If you’d like to protect more sites, you have the option to upgrade to a more expensive plan.

As for the primary features in the pro version, iThemes Security Pro provides strong password enforcement, the locking out of bad users, database backups, and two-factor authentication. These are only a few of the ways to protect your site with this WordPress security plugin. You can activate 30 total security measures, making iThemes Security Pro a great value.

Best Features of iThemes Security

  • The security plugin offers file change detection, which is important since most webmasters don’t notice when a file is messed with.
  • Add an extra layer of protection to your login by using the Google reCAPTCHA integration.
  • The plugin compares your WordPress core files with the current version of WordPress, helping you understand if anything malicious is placed in those files.
  • Update your WordPress salts and keys to add an extra layer of complexity to your authentication keys.
  • You can set an “Away Mode” for when you’re not making constant updates to your site and want to completely lock your WordPress dashboard from all users.
  • Other essentials like 404 detection, brute force protection, and strong password enforcement.

3. Wordfence Security

Wordfence Security is one of the most popular WordPress security plugins, and for good reason. This gem pairs simplicity with powerful protection tools, such as the robust login security features and the security incident recovery tools. One of the main advantages of Wordfence is the fact that you can gain insight into overall traffic trends and hack attempts.

Wordfence Security WordPress plugin

Wordfence has one of the more impressive free solutions, with everything from firewall blocks to protection from brute force attacks. However, a premium version is sold starting at around $99 per year for one site. The plugin creators also make it cheaper for developers, providing steep discounts when you sign up for multiple site keys. For instance, opting for 25 keys cuts the price to about $29 per year for each site. Overall, it pays to consider Wordfence if you’re developing multiple websites and want to protect them all.

Best Features of Wordfence Security

  • The free version is powerful enough for smaller websites.
  • Developers can save tons of money when they sign up for multiple site keys.
  • It has a full firewall suite with tools for country blocking, manual blocking, brute force protection, real-time threat defense, and a web application firewall.
  • The scan portion of the plugin fights off malware, real-time threats, and spam. It scans all your files for malware, not just WordPress files.
  • The plugin monitors live traffic by viewing things like Google crawl activity, logins and logouts, human visitors, and bots.
  • You gain access to some unique tools like the option to sign in with your cell phone and password auditing.
  • The comment spam filter removes the need to install a separate plugin for this.
  • It monitors your plugins and lets you know if they have been removed from the WordPress plugin repository (usually due to being unsafe or being hacked), or are no longer being updated and have been abandoned.

4. WP fail2ban

WP fail2ban delivers one feature, but it’s a rather important one: protection from brute force attacks. The plugin takes a different approach which many see as more effective than what you get from some of the security suite plugins listed above. WP fail2ban documents all login attempts, regardless of their nature or success, to the syslog using LOG_AUTH. You have the option to implement a soft or hard ban, which is different from the more traditional approach of only choosing one.

WP fail2ban security plugin

There’s not much to know in terms of configuration for the WP fail2ban plugin. In fact, all you have to do is install it and let it do its magic. In addition, the brute force security plugin is completely free so you don’t have to worry about spending any money. This plugin is truly a standout, since the users consistently report that it works flawlessly.

Best Features of WP fail2ban

  • Choose between hard or soft blocks.
  • Integrate with Cloudflare and proxy servers.
  • Log comments to prevent spam or malicious comments.
  • The plugin also logs information about spam, pingbacks, and user enumeration.
  • You also have the option to create a shortcode that blocks users immediately before even having a chance to reach the login process.
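To make the syslog approach concrete, here is an added example (not code from WP fail2ban or Kinsta) that scans auth log lines and flags any IP with more than 6 failed logins inside one minute, the threshold quoted in the hosting section above. The log lines are constructed, and their message format is an assumption modelled on "Authentication failure for <user> from <ip>" entries.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not captured from a real site. The message text
# is an assumed format; adjust LINE_RE to whatever your syslog really holds.
SAMPLE_LOG = """\
Jan 18 08:07:01 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.7
Jan 18 08:07:05 web1 wordpress(example.com)[2211]: Authentication failure for admin from 203.0.113.7
Jan 18 08:07:09 web1 wordpress(example.com)[2212]: Authentication failure for root from 203.0.113.7
Jan 18 08:07:13 web1 wordpress(example.com)[2212]: Authentication failure for admin from 203.0.113.7
Jan 18 08:07:17 web1 wordpress(example.com)[2213]: Authentication failure for test from 203.0.113.7
Jan 18 08:07:21 web1 wordpress(example.com)[2213]: Authentication failure for admin from 203.0.113.7
Jan 18 08:07:25 web1 wordpress(example.com)[2213]: Authentication failure for admin from 203.0.113.7
Jan 18 08:08:02 web1 wordpress(example.com)[2214]: Authentication failure for editor from 192.0.2.10
Jan 18 08:08:20 web1 wordpress(example.com)[2214]: Accepted password for editor from 192.0.2.10
Jan 18 08:10:00 web1 wordpress(example.com)[2215]: Authentication failure for admin from 198.51.100.23
Jan 18 08:10:15 web1 wordpress(example.com)[2215]: Authentication failure for admin from 198.51.100.23
Jan 18 08:10:30 web1 wordpress(example.com)[2215]: Authentication failure for admin from 198.51.100.23
Jan 18 08:10:45 web1 wordpress(example.com)[2216]: Authentication failure for admin from 198.51.100.23
Jan 18 08:11:00 web1 wordpress(example.com)[2216]: Authentication failure for admin from 198.51.100.23
Jan 18 08:11:15 web1 wordpress(example.com)[2216]: Authentication failure for admin from 198.51.100.23
Jan 18 08:11:30 web1 wordpress(example.com)[2216]: Authentication failure for admin from 198.51.100.23
"""

# Only failed logins match; successful logins and unrelated lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ wordpress\([^)]*\)\[\d+\]: "
    r"Authentication failure for (?P<user>.*) from (?P<ip>[0-9a-fA-F:.]+)$"
)


def failed_logins(lines, year):
    """Yield (timestamp, ip, user) for each failed-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            # Classic syslog timestamps carry no year, so the caller supplies it.
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def find_offenders(lines, year=2018, max_failures=6, window=timedelta(minutes=1)):
    """Return {ip: time of the failure that first exceeded max_failures in window}.

    Lines must be in chronological order. The logged address is assumed to be
    the real client; behind a load balancer or proxy it may be the balancer's
    address, in which case per-IP blocking will not work as intended.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    offenders = {}
    for ts, ip, _user in failed_logins(lines, year):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= window:   # drop failures that have aged out
            q.popleft()
        if len(q) > max_failures and ip not in offenders:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

The slow attempts from 198.51.100.23 never exceed the limit because old failures age out of the sliding window, which is why the threshold and the window length need to be tuned together.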

5. All In One WP Security & Firewall

As one of the most feature-packed free security plugins, All In One WP Security & Firewall provides an easy interface and decent customer support without any premium plans. This is a highly visual security plugin, with graphs and meters that explain metrics like security strength to beginners, along with what needs to be done to make your site stronger.

All In One WP Security & Firewall plugin

The features are broken down into three categories: Basic, Intermediate, and Advanced. Therefore, you can still take advantage of the plugin if you’re a more advanced developer. The plugin works mainly by protecting your user accounts, blocking forceful attempts on your login, and enhancing the user registration security. Database and file security is also packaged into the plugin.

Best Features of All In One WP Security & Firewall

  • The WordPress security plugin has a blacklist tool where you can set certain requirements to block a user.
  • You can back up .htaccess and wp-config.php files. There’s also a tool to restore them if anything goes wrong.
  • The plugin shows one graph to specify how strong your website is and a graph that designates points to certain areas of your site. It’s one of the best features for the average user to visualize what’s going on with the security of a site.
  • The plugin is free without any upsells along the way.

6. Jetpack

Most people who use WordPress are familiar with Jetpack, and it’s mainly because the plugin has so many features, but it’s also because the plugin is made by the people from Jetpack is filled with modules to strengthen your social media, site speed, and spam protection. There are so many features in Jetpack that it’s definitely worth exploring.

Jetpack WordPress security plugin

Some security tools are included with Jetpack as well, making it an appealing plugin for those who want to save money and rely on a reputable solution. For instance, the Protect module is free and it blocks suspicious activity from happening. Brute force attack protection and whitelisting are also supported by the basic security functionality from Jetpack.

That said, the paid versions of Jetpack are more powerful when it comes to security. For instance, the $99 per year plan includes malware scanning, scheduled website backups, and restoration if anything goes wrong. Furthermore, the $299 per year plan offers on-demand malware scans and real-time backups for the ultimate protection.

Best Features of Jetpack

  • The free plan provides a decent amount of security for a small website, then you can upgrade to the reasonably priced premium plans and get full support and a plugin that’s one of the best on the market.
  • The premium plans turn the plugin into more of a suite, with benefits like backups, spam protection, and security scanning.
  • Plugin updates are managed entirely through Jetpack.
  • You also get downtime monitoring.
  • Jetpack is also a plugin that eliminates the need for other plugins. For instance, it has features for email marketing, social media, site customization, and optimization.

7. SecuPress

SecuPress is a newer security plugin on the market (originally released as freemium in 2016), but it’s definitely one that’s growing rapidly. It’s actually developed by Julio Potier, one of the original co-founders of WP Media, who you might recognize, as they develop WP Rocket and Imagify. There is both a free version and premium version which includes a lot of additional features.

SecuPress WordPress security plugin

If you want a security plugin that has a great UI and an easy-to-use interface, SecuPress is definitely the plugin to go with. The free version features anti-brute force login, blocked IPs, and a firewall. It also includes protection of your security keys and blocks visits from bad bots (which you usually have to pay for in other security plugins).

If you want even more features, the premium version starts at $59 a year per site and includes additional features such as alerts and notifications, two-factor authentication, GeoIP blocking, PHP malware scans, and PDF reports.

Best Features of SecuPress

  • The UI in SecuPress is probably one of the best! This makes it very easy to use, even for beginners.
  • The premium version definitely adds a lot of value. Check 35 security points in 5 minutes, get a nice report, and then harden your WordPress site.
  • It includes the ability to change your WordPress login URL so bots can’t find it.
  • Helps you detect themes and plugins that are vulnerable or that have been tampered with to include malicious code.

8. BulletProof Security

The BulletProof Security plugin has both free and premium versions. The paid option sells for a one-time payment of $69.95 and is actively developed, updated, and probably contains more features than most of the other security plugins on the market. They provide a 30-day money back guarantee, and you receive features for quarantines, email alerting, anti-spam, auto-restore, and more.

BulletProof Security WordPress plugin

I’d suggest you try out the free plugin first, since it offers the following tools:

  • Login security and monitoring.
  • Database backups and restoring.
  • MScan Malware Scanner.
  • Anti-spam and anti-hacking tools.
  • A security log.
  • Hidden plugin folders.
  • Maintenance mode.
  • A full setup wizard.

It’s not the most user-friendly WordPress security plugin, but it does the job for advanced developers who want to take advantage of unique settings and features like the anti-exploit guard and the online Base64 decoder. It also has a setup wizard auto-fix feature to help make it a little easier.

Best Features of BulletProof Security

  • It has some of the most unique advanced security tools on the market, with features like BPS Pro ARQ Intrusion Detection and Prevention System (ARQ IDPS) encrypting solutions, as well as scheduled crons, cURL scans, folder locking, and more.
  • The free version is packed with enough features for the average website.
  • The database backups are provided in the free version.
  • You can hide individual plugin folders.
  • The maintenance mode functionality is not something you would find in most other security plugins.

9. VaultPress

It’s important not to forget VaultPress, since it works similarly to plugins like iThemes Security Pro and Sucuri Scanner. You need to pay in order to get any type of protection, but the plans start at only $39 per year, making it one of the more affordable premium security plugins. The website states that this plan is more for small businesses and bloggers, but you also have the option to upgrade to a more powerful plan for either $99 per year or $299 per year.

VaultPress WordPress security plugin

The daily and real-time backups are the bread and butter of the operation, with a beautiful calendar view for specifying when you’d like to complete your backups. You can also complete site restores with a quick click of the mouse. What’s more is that the restore files are logged in the dashboard, and several of them are stored so that you can choose which one you want. The best part of VaultPress in regards to backups is that they are incremental. This is great for performance.

The primary security tools monitor suspicious activity on your website, with tabs for viewing your history and seeing which threats have been dealt with or ignored. You can also check out stats and manage your entire security detail from the convenience of a clean dashboard.

Best Features of VaultPress

  • The pricing is better than most other premium WordPress security plugins.
  • The dashboard looks clean and is easy to understand for all users.
  • You can make real-time or manual backups using a calendar.
  • The stats tab reveals information on the most popular visiting times on your site, while also showing what threats have occurred during those times.
  • You can contact the experts from VaultPress to help you out with tasks like site restores and backups.

If you would like to learn more about the best-rated backup plugins take a look at our other guide: 4 Best Incremental WordPress Backup Plugins (Save Space and Speed)

10. Google Authenticator – Two Factor Authentication

The majority of plugins that have individual security features don’t make much sense to install. The reason for this is because you can typically go with a plugin like iThemes Security Pro and get that one feature along with dozens of other ones. However, two-factor authentication is a different story, since it seems like most security suites don’t include it. Therefore, it might make sense to harden your login security with a plugin like this.

Google Authenticator WordPress plugin

The Google Authenticator plugin adds a second layer of security to your login module, which is rather important since the majority of hacking attempts happen with the login. In addition to your regular password, this plugin either sends a push notification to your phone or uses some other form of authentication, such as a QR code or a security question.

This way, your login becomes far less penetrable since the second layer is most likely something that only you know or have on your person (like your phone).

This WordPress security plugin doesn’t require any payment, and the interface is easy enough to understand. Besides choosing the type of authentication, another cool feature lets you specify which type of user role should have to go through the authentication. So, you can allow admins to get in easier, but you might ask that authors or other users go through the two-factor process.

The only problem is that the two-factor authentication makes it rather difficult to log in to your backend with a mobile device.

Best Features of Google Authenticator

  • It nearly eliminates the vulnerability that is your login area.
  • You can choose which two-factor authentication method is the easiest for you.
  • You can select which user types need to go through the authentication process.
  • The plugin has a shortcode for using with custom login pages.

11. Security Ninja

Security Ninja has been around for over seven years. Starting out as one of the first security plugins sold on CodeCanyon (with four add-ons available) it moved to a freemium model in 2016. Add-ons were ditched in favor of having just two versions – free and premium. The main module (which is the only one available for free) performs over 50 security tests ranging from checking files and MySQL permissions to various PHP settings.

Security Ninja WordPress plugin

Security Ninja also does a brute force check of all user passwords to weed out accounts with weak passwords such as “12345” or “password”. This helps educate users on security. It does include an auto fixer module, but for those who want to understand what’s going on, there’s a detailed explanation of every test including code to manually fix the security issue. If you don’t like plugins messing with your site, Security Ninja offers a nice alternative to the usual “just click here to fix it” approach. Other modules, in the paid version, start at $29 a year per site.

Best Features of Security Ninja

  • The security tester module (available in the free version) performs over 50 security tests across your site.
  • Not tech-savvy? No problem, the auto fixer module can resolve any issues detected.
  • Scan WordPress core to ensure the integrity of the core files by comparing them to a secure and latest copy from
  • Scan plugins and themes in search of suspicious code and malware.
  • Take advantage of a huge list of known bad IPs and automatically block them.
  • Log all events that are happening on your WordPress site, from users logging in to settings being changed.
  • You can schedule regular scans.

12. Defender

Defender is layered WordPress security made easy, like, stupid simple. The free and pro versions both start with a list of the most effective hardening techniques for instantly upgrading your WordPress security.

Defender WordPress security plugin

You can run free scans that check WordPress for suspicious code. The Defender scan tool compares your WordPress install with the directory, reports changes and lets you restore the original file with a click. They also offer a pro version which includes cloud backups with 10 GB remote storage, audit logs for monitoring changes, automated security scans, and blacklist monitoring. Their experts will even help you clean up a hacked site.

Best Features of Defender

  • Google 2-Step Verification.
  • WordPress core file scanning and repair.
  • Login Screen Masking.
  • IP Blacklist manager and logging.
  • Unlimited file scans.
  • Timed Lockout brute force attack shield for login protection.
  • 404 limiter for blocking vulnerability scans.
  • IP lockout notifications and reports.

13. Astra Web Security

Astra Web Security is a go-to ‘security suite’ for your WordPress site. With Astra you don’t have to worry about malware, SQLi, XSS, comments spam, brute force, and 100+ threats, which means you can get rid of other security plugins & let Astra take care of it all. Astra’s super intuitive dashboard doesn’t come with a hundred buttons that make you feel like you’re a pilot in a cockpit!

Astra Web Security for WordPress

Many prestigious brands like Gillette, African Union, Ford, and Oman Airways use the Astra security solution. Their pricing starts from $9/m and they offer a flat 20% off if the plan is billed annually. Overall, Astra can be a good investment if you’re planning to spend money on your website’s security.

Best Features of Astra Web Security

  • Astra security solution is installed as a WordPress plugin & there is no need to change DNS settings.
  • They offer immediate malware cleanup, a rock-solid firewall which stops attacks like SQLi, XSS, Code Injection, Bad Bots, Brute force, SEO spam, and other 100+ cyber attacks.
  • Complete security audit including the business error logic for your WordPress website.
  • Intuitive Dashboard logs all attacks and gives you an option to block or whitelist country, IP range or a URL, continuous blacklist and reputation monitoring, hourly admin login notifications and much more.
  • A free community security or bug bounty management platform where you give hackers a safe and secure way to report any vulnerability that they find on your website. Every reported issue is validated by Astra’s engineers.

14. Shield Security

The number one role of Shield Security is to take on your increasing burden of site security. We’re all short on time so we need smarter defenses and a security plugin that knows how to respond to threats without bugging you with emails. Suitable for both beginners and advanced, Shield starts scanning and protecting your site from the moment you activate it. All options are fully documented, so you can dig further into your site security at your leisure.

Shield Security WordPress plugin

The core of Shield Security is free forever. Professionals and businesses who need deeper protection and hands-on 24-hour support at the ready can get Shield Pro for just $12/site. The mission behind Shield Security is ‘no website left behind’ – where the goal is to make Pro-Grade security accessible for every site, not just the wealthy few. Pro brings more scans that run more often, user password policies, bigger audit trails, support for WooCommerce, traffic monitoring, and features that make security policies smoother for its users.

Best Features of Shield Security

  • One of the only security plugins that restrict access to its own settings to certain users.
  • Smarter protection with features that work tirelessly in the background without bugging you with notifications.
  • The only security plugin to offer three types of two-factor authentication for free and an option to select which users may use it.
  • Pro upgrades for everyone at $12/site – bulk pricing without the bulk purchase.
  • Pro delivers 6x powerful scans to detect problems in all areas of your sites.

Which WordPress Security Plugin is Best for You?

Now that we’ve walked through the best WordPress security plugins, take a look at our main recommendations below. This makes it easier for you to select one or two plugins without having to test every single one out. Remember that, depending on what your WordPress host already offers, security plugins may not be needed.

These suggestions hone in on certain situations where you might choose one security plugin over another.

  • For the best value – Sucuri Security, SecuPress, Jetpack, iThemes Security, or Shield Security.
  • If you want a free WordPress security plugin – All In One WP Security & Firewall, Sucuri Security (free version), or Wordfence Security.
  • If you’re looking for a security plugin for beginners – All In One WP Security & Firewall, Security Ninja, or Defender.
  • When you require a more advanced brute force protection plugin – WP fail2ban or Astra.
  • If you’d like two-factor authentication – Google Authenticator – Two Factor Authentication.
  • For a beautiful interface – SecuPress or VaultPress.

Besides installing a plugin, you can take further steps to improve the security of your sites. For example, Lockr’s offsite key management solution (a premium service) protects against critical site vulnerabilities and helps to secure your data. A simple integration is available for WordPress.

Of course, we can’t cover all the plugins out there. These are simply those we recommend based on our experience with users. If there is one you think should be included in this list, let us know below in the comments.



Leave A Comment

      Derek January 18, 2018 at 8:07 am


      iThemes Security (paid version) also has 2FA.


          Brian Jackson January 18, 2018 at 8:12 am


          Thanks Derek! We’ve updated the post above.


      Dimitar Ivanov January 21, 2018 at 10:24 am


      Nice list Brian, thanks. To protect from clickjacking, cross-site scripting (XSS), and man-in-the-middle (MITM) attacks you should try out the HTTP Headers plugin


      Ed Alexander January 21, 2018 at 1:19 pm


      Hi Guys,

      Ed from AITpro, the primary developer of the BPS and BPS Pro plugins. The BPS and BPS Pro info above appears to be a bit outdated. The BPS and BPS Pro plugins now have a malware scanner. The BPS free plugin now has JTC-Lite, which is a stripped down version of BPS Pro JTC Anti-Spam|Anti-hacker. The BPS and BPS Pro plugin versions now have Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup), which automatically provides 100+ fixes for plugins, themes, etc. by running the Setup Wizard and automatically sets up 6 popular cache plugins and performs other various automated tasks.

      BPS Pro actually has more security features than any other WordPress Security plugins by far. BPS and BPS Pro are actually now the easiest plugins to install and manage due to the Setup Wizard and the new Setup Wizard AutoFix feature. Most BPS Pro security features are automated and self-configuring|self-fixing these days and we are continually increasing that automation with each new plugin version release.

      Best Regards,


          Brian Jackson February 13, 2018 at 9:10 am


          Thanks for the update Ed! We have updated the post above with additional information regarding your BPS plugin.


      Paul Goodchild February 27, 2018 at 4:46 am


      Hey Brian,

      Was hoping you’d consider including our Shield Security on your list? We’ve got stack in our plugin that goes beyond many of those included here. Would be great if you’d consider it! 🙂



          Brian Jackson March 21, 2018 at 3:05 pm


          Hey Paul,
          This article is queued for an update and we’ll make sure to include your WordPress security plugin. Thanks!


      Bodhi Goforth March 4, 2018 at 2:21 pm


      I was surprised to see Wordfence included on the list. It seems to now be on your list of banned plugins:


          Brian Jackson March 19, 2018 at 8:19 am


          Hey Bodhi,
          The reason Wordfence is on our banned list is because it causes performance issues due to their always-on and scanning functionalities. Kinsta also utilizes load balancers with Google Cloud Platform which means in some cases the IP blocking features won’t work as intended.

          If you’re a Kinsta client we highly recommend utilizing a solution such as Cloudflare or Sucuri, along with Kinsta, if you need extra protection or help to decrease bot and/or proxy traffic.

          However, not every host is going to have as tight of security in place as Kinsta, and that’s where WordPress security plugins such as Wordfence can be very beneficial.


              Rock December 3, 2018 at 8:11 am


              Hi Brian Jackson,

              You have suggested using Cloudflare or Sucuri along with Kinsta; what about iThemes?! Isn’t it better with Kinsta?!



      Vincent Ammirato July 18, 2018 at 6:29 pm


      I’m using Sucuri’s service with Stop User Enumeration here on Kinsta. Also utilize iThemes on some installs.

      A few questions:
      – Have you tried any of the above in combination? Is there an ideal stack that plays nice specifically with Kinsta?

      – Sucuri’s CDN vs Kinsta’s. Which one should I use for optimal performance?

      – What about DNS services? Seems like if I use Sucuri I should be pointing nameservers there and not here. Amirite?

      – I see a metric-ton of head-only requests coming from Amazon Datacenters all over the globe. Right now it seems centered from Ireland but it will change. Do these head-only requests count as visits? Do they impact the server? Why are they happening, Brian?!?

      Thank you for this (and many other) informative articles.


          Brian Jackson July 3, 2019 at 10:28 am


          Hey Vincent!
          Yes, many Kinsta clients are using similar combinations. Don’t know if I would say we have a particular combo we recommend. We actually offer free hack fixes, so if your site is hacked at Kinsta, we’ll fix it.

          So Sucuri is a WAF + CDN. This is entirely different than our Kinsta CDN. We have an in-depth article explaining all the differences between Cloudflare and our Kinsta CDN: Cloudflare is also a WAF + CDN, so very similar.

          If you’re using Sucuri’s professional WAF product, not just the plugin, you would want to point your A record over to them. We have a tutorial here:

          We also have a KB describing visits and how they are counted. We do not count visits from well-known “bot” user-agents and do our best to filter them out of our analytics data.

          If you’re worried about visits, we always recommend using Sucuri or Cloudflare on top of Kinsta. Referring to Sucuri’s WAF product, not just the free plugin.


      snake October 4, 2018 at 2:39 pm


      A couple of other things worth mentioning about Wordfence.

      1. It scans all your files for malware, not just WordPress files. Other plugins I have tried do not do this.
      2. It monitors your plugins and lets you know if they have been removed from the plugin repository (usually due to being unsafe or being hacked), or are no longer being updated and have been abandoned. This is pretty major, as this is a common reason sites get hacked.


          Brian Jackson July 3, 2019 at 10:35 am


          These are definitely great security features Snake! We’ve added them to the Wordfence section above. Thanks


      snake April 1, 2019 at 8:30 am


      How about a review of MalCare?
      This is the only security plugin I have found that removes malware automatically, guaranteed, or they will do it for you manually.


          Cip April 2, 2019 at 11:29 pm


          Are you using it? What are your thoughts?


          Brian Jackson July 3, 2019 at 10:19 am


          Hey Snake! Yes, MalCare is another great option. At Kinsta, we actually offer free hack fixes by our team. No plugins needed.


      Bill Patterson July 9, 2019 at 10:37 am


      If you had to install two plugins which ones would you recommend that are free? Also are compatible with each other.
