Top 5 Free WordPress Security Plugins

WordPress is by far the most popular software used to power websites. Around 34% of all websites on the internet use it, which equates to somewhere between 60-80 million websites, including almost 30% of the top 10,000 websites.

These jaw-dropping numbers are a testament to the endless possibilities you have when creating with WordPress, but they are also the reason it is such a common target for hackers. They work tirelessly trying to discover exploits in the core software, plugins, and themes to either help you secure your website or destroy it. As we don’t want to fall victim to those with malicious intent, it’s a good idea to secure your WordPress installation, and plugins are a good way to do just that. Let’s take a look at our Top 5 Free WordPress Security Plugins!

But first…

Plugins aren’t a catch-all option for stopping hackers; you must first make sure to follow these essentials. Otherwise, you are making your website an easy target!

  • Automated protection gives you more time to focus on your website.
  • Protects your website’s SEO. Spam comments with low-quality links can potentially hurt your rankings!
  • Better user experience. Nobody wants to see spam; it is discouraging.

With that out of the way, let’s dive straight into the list of best WordPress security plugins!

1. WP Cerber

WP Cerber is our favorite WordPress security plugin. We’ve found it to be the easiest-to-use plugin with the most robust set of features. It has almost zero impact on website loading times and, best of all, nearly every feature is available in the free version! It currently has an average rating of 4.9 stars out of 5 on

As you can see from the images above, WP Cerber has a very tidy user interface with lots of options available to the user. Almost everything is covered and you will not be left vulnerable.

WP Cerber Top Features

  • Mitigates brute force attacks by limiting login attempts
  • Monitors logins made by login forms, XML-RPC or auth cookies
  • Create a custom login URL (rename wp-login.php)
  • Whitelist and blacklist manager for IP addresses
  • Protect forms such as login, register, and comments with reCAPTCHA
  • Security scanner to verify core WordPress files, plugins, and themes
  • Monitors file changes and sends email reports notifying of changes
  • Hides admin dashboard from guests
  • Disable REST API, XML-RPC and feeds completely (or restrict its usage)
  • Live traffic monitor
  • Stop user enumeration

…and much more! WP Cerber truly is an all-in-one solution for WordPress Security and we highly recommend this great plugin!

WP Cerber Ratings

  • Security: 5/5
  • Features: 4.75/5
  • Interface: 5/5
  • Support: 4.5/5
  • Overall: 4.8/5

2. Shield Security

Next up is Shield Security and just like WP Cerber, it is a feature-packed plugin with only a few of them locked into the “Pro” version (which is only $1!). With an average rating on of 4.9 stars out of 5, Shield Security may be exactly what you are looking for in a security plugin.

The interface of Shield Security is quite nice with the overview color-coding what is good, what could be improved, and what is dangerous. There’s also a nice amount of information and statistics right in front of you.

Shield Security Top Features

  • Easy setup wizard
  • Limit login attempts to stop brute force bots
  • File scanners to detect modified files
  • Automatic IP blacklist
  • 2-Factor Authentication
  • Audit Trail & user activity logging
  • Firewall
  • Block automated comment spam
  • HTTP header control
  • Google reCAPTCHA
  • Automatic updates control
  • Block REST API & XML-RPC

As you can see, Shield Security has some great features and the list above is by no means exhaustive. Aside from a few annoyances trying to select the navigation buttons, we really enjoyed using Shield Security and definitely recommend it!

Shield Security Ratings

  • Security: 5/5
  • Features: 4.5/5
  • Interface: 3.5/5
  • Support: 4.5/5
  • Overall: 4.4/5

3. BBQ: Block Bad Queries

Unlike the first two plugins on this list, BBQ is not a full-fledged security suite, and it’s not meant to be. BBQ is a simple, super-fast firewall plugin which can block a whole host of bad requests. With an average rating on of 5 stars out of 5, BBQ is incredibly efficient at keeping the baddies out!

Note: BBQ is 100% plug-n-play, there are no settings and therefore no images to show.

BBQ Top Features

  • 100% plug-n-play, no configuration required
  • Blocks directory traversal attacks
  • Blocks executable file uploads
  • Blocks SQL injection attacks
  • Based on the popular 5G/6G Firewall
  • Scans all incoming traffic and blocks bad requests
  • Scans all types of requests: GET, POST, PUT, DELETE, etc.

Adding BBQ to your WordPress website really is a no-brainer. There is no noticeable performance hit and no complex setup, and it is claimed to be future-proof. Truly a “set and forget” plugin!

Note: This plugin probably isn’t needed if you are utilizing the WAF (web application firewall) provided by Cloudflare Pro.

BBQ Ratings

  • Security: 5/5
  • Features: 4/5
  • Interface: N/A
  • Support: 5/5
  • Overall: 4.6/5

4. Ninja Firewall

Our fourth entry is a very robust web application firewall plugin, Ninja Firewall! This plugin is especially useful to those of you not using ModSecurity or the Cloudflare web application firewall, although you can use this plugin with both. Ninja Firewall scores an impressive 4.8 out of 5 stars on, a rating well deserved.

The interface is clean and easy to understand, options have descriptions, and modules have simple on/off switches. We appreciate this standard approach.

Ninja Firewall Top Features

  • Scans and sanitizes requests before they ever hit your website
  • Brute force protection
  • File Guard detects changes to files in real-time
  • Watch website traffic in real-time
  • Event notifications for admin login, plugin upload, update, and more
  • Set HTTP security headers
  • Auto-updates to protect against the latest WordPress vulnerabilities

We’re really impressed with Ninja Firewall. It has a great set of features and a nice UI, and it is blazing fast. The developers claim it won’t slow down your site and we have to agree! You could use Ninja Firewall in addition to WP Cerber or other security plugins, as they usually have different features.

Ninja Firewall Ratings

  • Security: 5/5
  • Features: 4.5/5
  • Interface: 4.5/5
  • Support: 4.5/5
  • Overall: 4.6/5

5. Security Ninja

Sticking with the ninja theme, we have Security Ninja! Unlike the previous four entries, this plugin is not for real-time protection (the pro version adds this capability), but rather a manual checker. This plugin runs over 50 security tests and provides you with a detailed analysis and instructions on how to fix any flaws it finds. Security Ninja scores 4.2 out of 5 stars on

Security Ninja is keeping it simple with a list of tests your website passed, warnings, and failures. On the next tab are details on how to fix the failures and secure your website.

Security Ninja Top Features

  • Check your site for vulnerabilities and other issues
  • Prevent 0-day exploits
  • Database optimization
  • Brute force simulation to test password strength
  • Checks file permissions
  • Hides WordPress and plugin versions
  • Plugin compatibility checker
  • Apache and PHP related tests

…and the list goes on. Security Ninja checks all the basics and lots more. This is a plugin you should run perhaps once a month just to be sure there are no commonly exploited flaws in your website. We recommend this plugin to everyone!

Security Ninja Ratings

  • Security: 4/5
  • Features: 4.5/5
  • Interface: 4.5/5
  • Support: 5/5
  • Overall: 4.5/5

Those are our top 5 WordPress Security plugins! Are you using them? Do you recommend something else? Leave a comment below and tell us!
