WordPress Security Plugins That Are a MUST to Keep Hackers Away

Making your website secure is not a one-time thing. It’s not a switch you can flip to “SECURE” and then not worry about it again. Web security is built in layers. The point of each layer is to make it a little more difficult for bad actors to get in and do bad things. Our goal is to put up just enough layers so that they give up and move on to a site with fewer layers.

Exactly, what is “WordPress Security”?

A lot of web site owners I talk to think that WordPress security is a plugin they install or a service they buy. Nothing could be further from the truth. Security is a mindset, it’s not a specific thing. It is something you should think about in every decision you make about your website.

  • Want a new theme? What is the theme developers reputation security-wise?
  • Want to add a new plugin in? How secure is it? Have there been any vulnerabilities reported in it?
  • Want to hire a new contractor? What do others have to say about their work? Is their code secure?

Every decision you make needs to be wrapped in the question “How will this affect the security of my site?” If you can’t say for sure that the answer to that question is either increase it or at least not hurt it, then you need to re-think the decision.

The other analogy I use a lot is that security is not one specific action, but a series of layers you wrap around your site.

  • The top layer is a network firewall
  • The next layer is is your application firewall (in WordPress, this is usually a plugin)
  • The next layer in is strong passwords
  • The next layer in is Two-Factor authentication
  • The next layer in is moving your wp-admin directory to a different name.
  • The next layer in is not using the login name “admin”
  • The next lawyer is to disable XML-RPC

None of these things by themselves are going to make your site secure. However, all of them together may make your site secure so that bad actors move on to a site with less security. Another good news is that you can nowadays easily secure your website by hosting your website with a high quality hosting partner that commits to security.

You may notice that Installing an SSL certificate is not in the list above. This is because having an SSL certificate is what we call “table stakes” these days. This means that it’s not a security measure, it’s something you should do when you setup any and every website. They improve your security and your search engine ranking. Since they are now free, there is absolutely no reason for any website to be running without one. Moreover, on SiteGround, they install free Let’s Encrypt SSL certificates shortly after the creation of each website to make it even simpler for you.

>> If you are interested in knowing more about WordPress Security, download now for free our eBook 21 Tips to Keep Your WordPress Secure <<

What are the best WordPress security plugins to secure each layer of your WordPress site?

To set up the layered setup described above will take most people some time. As mentioned before, almost everything can be accomplished these days by non-technical site owners. That having been said, if you are nervous about it or unsure of your ability to commit the time to do things right, hire someone you trust to do it for you.

Network Firewall

If you are using a reputable hosting partner like SiteGround, this will be configured for you. If you are unsure if your hosting partner provides this service for you, ask them. If you don’t get a very clear “Yes, we provide you with a network level firewall.” consider finding a new hosting partner.

Application Firewall

In the WordPress ecosystem, “Application Firewall” usually means a plugin. There are several good ones with solid reputations to choose from. I don’t usually recommend specific plugins because as soon as I do, someone writes to me to tell me how my recommendations are wrong. Still, since a lot of users have asked me for recommendations about security plugins, I am going to break my rule and make a few recommendations. It is important to note that these are in no particular order.

By the way, most of these plugins do a lot more than just APplication Firewall. 

  • Malware scanning
  • Security audits
  • Security hardening
  • Website firewall

Some of the companies behind these plugins also provide malware removal and hacked site cleanup. If you are looking for peace of mind, that’s a great feature to have.


Jetpack is Automattic’s omnibus plugin. It has a lot of functionality and most of it doesn’t deal with security. It does however have some security features built into it. If you already have Jetpack installed, consider purchasing the security features.  

If you don’t currently have Jetpack installed and don’t need any of the other features, this might not be the best solution.

Sucuri Security

Sucuri has been around for a while and has a great reputation. In addition to offering a Web Application Firewall Sucuri offers a lot of other features:

  • Malware Removal & Hack Cleanup
  • Advanced DDoS Mitigation
  • Malware & Hack Scan Frequency

These three features are important and covered by their basic level. All-in-all, Sucuri is a well rounded offering that would be an important lawyer in any website’s security.

iThemes Security Pro

I’ve actually used this one before. I am not currently using it but at the time I was using it it was one of the best – if not the best – on the market. (It is important to note that I do not think the plugin has degraded in any way, my needs changed.) 

The one thing that I remember about this plugin is that it’s admin page is complex. Make sure you block out a few hours over a couple of days to read and understand every option available to you so that you can make the right decisions. That advice is equally applicable to every security plugin. 

Unlike other plugins, iThemes gives you all of the features on every pricing level. The difference in price is based on the number of sites you want to protect.

Strong Passwords

Though there are plugins available for this layer, strong password support is thankfully built into the WordPress core. I strongly encourage you to enforce strong passwords on any user that has any security above Guest or Subscriber. If they can manage anything, they should have at the very least, a strong password.


Two Factor Authentication (2FA) is one of the newer technologies to come to the web but it is an important one. Logins and passwords can be stolen online but a phone can’t. By adding 2FA as a layer to your security, you make it impossible for someone to access your site just because they got access to your login and password.

One plugin I’ve used over the years to implement 2FA is WP 2FA. It only does 2FA. If you already have an application firewall that implements 2FA, use that. But if you do not, WP-2FA is a good choice.

…and the rest

The other layers however, you still need some help with. I’ve tried combinations of dozens of different plugins to implement them and each time something didn’t go quite right. While I love the concept of “one plugin-one feature” Sometimes the plugins don’t play nice with each other and then you end up with a mess on your hands.

 That’s why I was excited when SiteGround released their in-house built WordPress Security plugin. It wraps a lot of security layers into one plugin.

Security Optimizer: The All-In-One WordPress Protection Plugin

This is a newcomer to the group but it has already become my favourite security plugin. I already have it installed on 4 of my WordPress installs, only one of those is actually hosted with SiteGround.

Security Optimizer comes with a lot of security features. Each of them can be turned on or off without bothering the rest of the features. My favourite 4 features of the plugin are as follows:

  • Two-Factor authentication
  • Disabling XML-RPC
  • Disabling the login name “admin”
  • Lock and protect system folders

I’ve installed stand-alone plugins that did each one of these things. Each time I ended up eventually removing the plugin because either it didn’t do the job the way I wanted it to or it became abandonware and was holding up my upgrading of my system.

Security Optimizer integrates all four of these important features in a single plugin. Because it’s created by SiteGround, I know that it won’t be abandoned.

It does a lot more than just these 4 things but these are the 4 that are the most important to me. To see everything it can do, install it, or watch this webinar I did on WordPress Security. In the webinar I install and configure it while you watch.

Concluding on WordPress Security

Spending time thinking about keeping your site secure is always time well invested. It is even more important as we are in vacation time now. Making sure you are up-to-date and as secure as possible means you can spend less time worrying about your site and more time focusing on your vacation activities.

Remember, the whole point of security is not to lock your system down tight so that nobody can get into it, because then…well, nobody can get into it. The point of security is to make it difficult enough so that bad actors move on to a site that is easier to break into. 

“Security is a journey, not a destination.” 

  — Cal Evans

Access email sent!

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.


Please check your email to confirm your subscription.

author avatar

Cal Evans

PHP Evangelist

One of the most admired people in the PHP community, who has dedicated more than 16 years to building the amazing PHP community and mentoring the next generation of developers. We are extremely honored that he is a very special friend of SiteGround too.

Comments ( 6 )

author avatar

Rob Black

Aug 09, 2021

Hi, I like what I see and read about new SiteGround Security, I have a question though. I have been using Wordfence on all my sites hosted here at siteground. In your opion, are they able to work together or should I only use SiteGround Security? I dont really want two security plugins running on the sites if not really required. Thank You Rob

author avatar

Hristo Pandjarov Siteground Team

Aug 09, 2021

You can use only SiteGround Security :) It provides enough protection and we can't guarantee that there will not be a conflict if you use another plugin.

author avatar


Jun 06, 2022

Layer 2 mentions using an Application Firewall and lists a few plugins. Does having SiteGround hosting cover this base? Does the SiteGround Security plugin cover it?

author avatar

Gergana Zhecheva Siteground Team

Jun 07, 2022

The hosting plan on our servers does not include this application firewall by default, as our clients have different types of websites, and WordPress users would use different security plugins than Joomla users or Drupal users. The SiteGround Security plugin is considered a type of application firewall, so it does cover layer 2.

author avatar

Robert DeConti, MD

Feb 14, 2023

I currently run Sucuri firewall. If I add Siteground Security, can I remove the Sucuri Firewall and have the same protection against attacks? Thank you.

author avatar

Gabriela Andonova Siteground Team

Feb 16, 2023

Thank you for the comment, Robert. Although both services operate at the application level, they provide different types of security. It is still possible to use both services simultaneously without any problems though. On a server level, we have a firewall keeping track of WordPress-related vulnerabilities and exploits. We add dozens of security rules each year and we are able to protect your sites even before the official developers release a security update. The SiteGround Security plugin provides users with a comprehensive set of security features at the application level. The following features help protect the site from malware, exploits, and other malicious activities - Disabling XML-RPC, locking and protecting system folders, advanced XSS protection, etc. In addition, it provides login security by limiting login attempts, allowing users to customize their login URL, disabling common usernames, and requiring two-factor authentication. The Activity Log page displays a log of all activity events on your website over the last 12 days. Also, under the Post-Hack actions section, you are able to reinstall all free plugins, reset passwords, and log out all users. To learn more about our plugin, check out this tutorial: https://eu.siteground.com/tutorials/wordpress/sg-security/


Start discussion

Related Posts