The Best WordPress Security Plugins

Any serious strategy for WordPress security should involve solutions at the server level. Still, these plugins can provide additional security benefits.

Security and Scanning Plugins

Ninja Firewall / Ninja Scanner

I haven’t tried this plugin myself yet, but it comes highly recommended and has rave reviews. It processes incoming HTTP requests before most of the WordPress machinery loads, making it good for hardening against brute-force attacks.

Ninja Scanner is its sister plugin that does malware scanning.

WordFence

WordFence is the industry standard in security plugins. It runs regular scans for malware and blocks known malicious IP addresses. Not perfect, but the scanning can be very useful when recovering from a hack.

Sucuri Security

The free version of this plugin provides scanning of your WP installs for hacks. A lighter-weight alternative to WordFence if all you need is scanning.

Plugins that Reduce Your Attack Surface

Disable REST API

Did you know that your WordPress site’s REST API is enabled for anyone to use? That means someone can easily download all of your posts with a simple script (I know: I wrote one). I use this on all of my blogs. Should be used on any site where you want to protect your content from scraping via the REST API.

Disable XML-RPC

XML-RPC is a fairly useless feature for WordPress (remote publishing, anyone?).

The one thing XML-RPC is good at is attracting DDoS attacks on your site. This plugin disables xmlrpc.php by adding code to your .htaccess file. One of my clients has a high-traffic site that was attacked about once a month. This stopped it. Note that disabling this will prevent the Jetpack Publicize module and potentially other modules from working.

WordFence now has this functionality built-in (but it must be turned on).
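For readers who would rather do this without another plugin, here is an added example (my own illustration, not code from Disable REST API, Disable XML-RPC or WordFence) of a must-use plugin that covers both items in this section: it restricts the REST API to logged-in users and switches off XML-RPC from inside WordPress. The plugin file name, the allowlist of REST route prefixes and the error message are assumptions for the example; the hooks used (`rest_authentication_errors`, `xmlrpc_enabled`, `xmlrpc_methods`, `wp_headers`, `rsd_link`) are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Reduce Attack Surface (added example)
 *
 * Illustrative must-use plugin; not code from any plugin reviewed above.
 * Save as wp-content/mu-plugins/reduce-attack-surface.php.
 */

// Route prefixes that may still be reached without logging in. This list is
// an assumption for the example: add the routes of any plugin (contact forms,
// search widgets, etc.) that legitimately serves anonymous visitors.
const RAS_PUBLIC_REST_PREFIXES = [
    '/wp-json/contact-form-7/',
];

// 1. REST API: refuse unauthenticated requests with a 401 unless the route
//    is on the allowlist above.
add_filter('rest_authentication_errors', function ($result) {
    // An earlier callback already decided (true = authenticated, WP_Error = refused).
    if ($result !== null) {
        return $result;
    }
    if (is_user_logged_in()) {
        return $result;
    }

    $path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '', PHP_URL_PATH);
    foreach (RAS_PUBLIC_REST_PREFIXES as $prefix) {
        if (strpos($path, $prefix) === 0) {
            return $result; // allowlisted route, fall through to normal handling
        }
    }

    return new WP_Error(
        'rest_not_logged_in',
        'The REST API on this site is restricted to authenticated users.',
        ['status' => 401]
    );
});

// 2. XML-RPC: the Disable XML-RPC plugin blocks xmlrpc.php in .htaccess;
//    this does the equivalent from inside WordPress.
add_filter('xmlrpc_enabled', '__return_false');

// Belt and braces: even if something re-enables XML-RPC, drop the pingback
// methods that are the usual vehicle for the reflected traffic described above.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: no X-Pingback header and no RSD <link> in <head>.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');
```

Two caveats on the design. First, the REST restriction will break any plugin that needs anonymous REST calls, so check the allowlist against your front end before deploying. Second, `xmlrpc_enabled` only makes WordPress answer xmlrpc.php with an error; the request still reaches PHP, so for the flood-style traffic the post describes, blocking xmlrpc.php at the web server (as the Disable XML-RPC plugin does via .htaccess) is the lighter option, and the same Jetpack caveat applies either way.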

Login Security Plugins

Hiding your login is not considered a great means of security on its own, but it can help deflect brute-force login attacks.

Rename wp-login.php

It doesn’t literally rename the file, but uses redirect tricks so the default login URL no longer works. Great for preventing brute-force attacks trying to log into your site. It also lets you rename /wp-admin.

WordFence Login Security

This is a lighter-weight security plugin with a subset of features of WordFence: two-factor authentication (for admins only), XML-RPC protection, and login page CAPTCHA. Great if you don’t want or need all of the features of regular WordFence.

WP 2FA

If you just want two-factor and no other security features in a plugin, check out WP 2FA.

WPS Hide Login

I haven’t tested this plugin yet, but could be useful for a client who wants to hide their wp-admin URL. Excellent reviews!

Please leave your comments and questions below! – Brian
