The Only WordPress Security Plugins You Will Ever Need

I’ve written many WordPress security posts in the years that JournalXtra has been alive. New plugins are released each year. Like nature’s evolution of man, developers interbreed features of old plugins to make superior all-in-one solutions to WordPress security issues. With the evolution of new plugins, old plugins wither and die, eventually to become a WordPress archeologist’s treasure.

So every year I write a new post to surpass all other security posts. This one is no exception. In previous years I wrote top ten lists. This year there is no top ten, not even a top five. This year you will need only two security plugins: Wordfence Security and Better WP Security.

As ultimate as ultimate goes, this is the ultimate guide to WordPress security plugins.

Wordfence Security

Think back to when the WordPress blogosphere was struck down with the heavy blow of the Timthumb security vulnerability. The vulnerability was made public by Mark Maunder, founder of Feedjit. Mark rewrote the Timthumb script, then developed Wordfence to secure WP sites from hackers and to detect and remove malware from infected sites. Mark is a true WordPress hero!

What does Wordfence do?

As a quick overview:

  • Scans all files in a WordPress installation.
  • Compares those files with known clean versions.
  • Warns about missing and edited files.
  • Lets admins replace edited files with clean versions via the click of a button.
  • Scans the WordPress database for SQL injections and offers to clean any it finds.
  • Checks site URLs with Google to detect whether Google has flagged any pages as harbouring malicious code or links.
  • Blocks malicious bots and fake crawlers.
  • Detects attempts to hack a site.

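The first four bullets describe a file-integrity check: hash every file in the install and compare against a list of known-good digests. The script below is an added example of that idea (it is not Wordfence’s own code); the manifest and the sample install are constructed inline, and a real manifest would have to be built from a trusted, unmodified copy of the same WordPress release.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-in for a "known clean" release: relative path -> file bytes.
# A real manifest is built from a trusted copy of the release, never from the
# install being checked.
CLEAN_FILES = {
    "wp-load.php": b"<?php\n// clean loader\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '0.0';\n",
}
MANIFEST = {p: hashlib.md5(c).hexdigest() for p, c in CLEAN_FILES.items()}


def file_md5(path):
    """MD5 of a file's contents, read in chunks so large files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, manifest):
    """Compare every file under root with manifest ({relative path: md5}).

    modified: in both but digest differs; missing: in manifest, not on disk;
    unexpected: on disk but not in the manifest (a file no release ships).
    """
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix(): file_md5(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        "modified": sorted(p for p, d in manifest.items() if p in on_disk and on_disk[p] != d),
        "missing": sorted(p for p in manifest if p not in on_disk),
        "unexpected": sorted(p for p in on_disk if p not in manifest),
    }


def demo():
    """Build a constructed install with one edited, one missing and one extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # wp-load.php gets an appended line, version.php is never written, and a
        # PHP file appears under uploads where no release puts one.
        (root / "wp-load.php").write_bytes(CLEAN_FILES["wp-load.php"] + b"// appended line\n")
        extra = root / "wp-content" / "uploads" / "stray.php"
        extra.parent.mkdir(parents=True)
        extra.write_bytes(b"<?php\n// not part of any release\n")
        return scan_tree(root, MANIFEST)
```

Running `demo()` reports `wp-load.php` as modified, `wp-includes/version.php` as missing and `wp-content/uploads/stray.php` as unexpected, which is the same three-way split a scanner needs before it can offer to restore a clean copy.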
How is Wordfence configured?

  • Grab Wordfence here or install it from Plugins > Add New.
  • Go to Wordfence > Options.
  • Untick Enable Live Traffic View.
  • Under Scans to Include, tick everything you can except Scan files outside your WordPress installation.
  • Tick Scan files outside your WordPress installation if you know your server can cope with the extra CPU load or if you suspect there may be a malicious file hidden outside of your WordPress folder.
  • Enable Firewall Walls.
  • Enable Login Security.
  • Set Maximum memory Wordfence can use to 128 or to a value lower than your server’s memory limit. I usually set it to half the server’s maximum memory level.

Scans can be initiated from Wordfence > Scans. Results are viewed here too.

Better WP Security

This plugin featured in my last two posts about WP security measures. It picks up where Wordfence finishes:

  • Makes it easy to change the admin username and user ID.
  • Lets admins put the login script on a timer so the site’s admin interface can only be accessed during set times of the day and/or months of the year.
  • Installs a blacklist of known bad usernames and malicious bots.
  • Hides the wp-content directory.
  • Makes database backups.
  • Changes the database prefix.
  • Hides the login script.
  • Enables SSL throughout the whole site or on a per-page basis (the server needs an SSL certificate).
  • Sets numerous other security tweaks.

The homepage for BWPS is here.

How is Better WP Security configured?

When used alongside Wordfence, only a couple of Better WP Security’s settings need to be configured:

  • Install it from Plugins > Add New.
  • Go to Security > Ban Users.
  • Tick Enable Default Banned List then click Add Host and Agent Blacklist.
  • Click the Detect tab.
  • Untick Enable 404 Detection.
  • Enter the Tweaks tab.
  • Tick everything and save changes.
  • View the frontend of your site using a different browser so that you are not logged in. If gallery or slider images fail to load or other problems occur, untick the following Tweak options one at a time, saving the settings and re-checking that the site’s frontend works properly after each change: Filter Request Methods, Filter Suspicious Query Strings and Prevent Long URL Strings.
  • Other tabs to look at are User, Backup and Prefix.


Options for WordPress security have improved a lot since I first began blogging and building websites. No site can ever be 100% secure but WP is getting damn close to it with Wordfence and Better WP Security.

The comment forms are open. Leave tips, suggestions and complaints below.


    • says

      I use both Wordfence and Better WP together. The only parts of Better WP I use are the Ban List and the security Tweaks. Of the security tweaks, depending on the plugins installed in a site, I might or might not enable query string filtering and long URL filtering.

    • says

      Manual. I use Better WP and Wordfence together so only use Better WP to add the blocklist, change the database prefix (when needed), change the admin username and ID (when needed), to hide admin areas, to change the name of wp-content (requires help of a 3rd party script in some cases) and to apply the tweaks.

  1. says

    Answering your accusation of copying, I copied two of your comments to save them and read them later so I can configure both security plugins on the same blog ;)

    So, thanks for your comments but no, I have not copied your post :D


    • says

      Oh, so you’re to blame for all the notifications I get! ;)

      I have a plugin installed called CCC which emails me every 5 minutes or so about snippets being copied for later use. It’s great: I know my visitor stats are of real people who find my content useful. The other, the one that creates the pop up, is called Copy Control (from Code Canyon). It’s a nice little plugin.

      Thanks for visiting, Javier.

  2. says

    I see, nice plugin anyway. At least it is useful to incentivise comments or sharing, and also you can know if anybody copies something; I hope for a good reason, like me in that case :)

    If you want to protect your articles even more you can take a look at safecreative (dot) org ;)
