Best WordPress security plugins (free and paid)

How-to guides | Hostney (hostney.com) | May 8, 2026 | 20 min read

Short answer: For most WordPress sites in 2026, Wordfence is the safest mainstream pick (largest user base, deepest feature set, real-time threat intelligence), Sucuri is the right choice if you want a cloud WAF that filters traffic before it reaches your server, Solid Security is the strongest option for hardening-focused users who want a settings-heavy lockdown tool rather than a scanner, and All-In-One Security (AIOS) is the best free alternative when Wordfence’s resource footprint is a problem. MalCare is the pick for sites that cannot afford any server overhead from scanning, and Jetpack Protect is a free vulnerability scanner from Automattic worth running alongside whichever WAF you choose. Most “best security plugin” reviews skip the question that actually matters: where the plugin sits in the request chain, because that is what determines whether it can stop attacks before they consume your PHP workers.

| Plugin | Free or paid | Best for | Skip if |
|---|---|---|---|
| Wordfence | Free + Premium ($119/yr+) | Comprehensive WAF, malware scan, login protection, real-time threat feed | Server resources are tight; the scanner is heavy |
| Sucuri Security + Platform | Free plugin + paid WAF ($199.99/yr+) | Cloud-side WAF that filters traffic before it hits your server | You need a free WAF, not just a free scanner |
| Solid Security (formerly iThemes) | Free + Pro ($99/yr+) | Hardening, login lockouts, file change detection, settings-driven approach | You want signature-based malware scanning as the primary feature |
| All-In-One Security (AIOS) | Free + Premium ($70/yr+) | Strong free option with low overhead, .htaccess-level rules, audit logs | You want the largest threat-intelligence network |
| MalCare | Paid ($149/yr+) | Sites that cannot tolerate server-side scan load; all scanning runs externally | You want a free option |
| Jetpack Protect | Free (scan) + Security bundle ($120/yr+ for WAF) | Free WPScan-powered vulnerability database, simple status reporting | You do not want Jetpack on your site |

The honest framing most security-plugin roundups skip: every plugin in this list runs inside WordPress, after your web server, after PHP, and after WordPress core has loaded. (The cloud WAFs some of these vendors sell are separate services that sit in front of your server; the plugin itself is not the WAF.) Plugin-layer placement is fine for detecting and blocking application-layer attacks, but it is structurally limited against volume attacks that exhaust resources before the plugin can intervene. The architectural difference between a plugin-layer firewall (Wordfence, Solid, AIOS) and a cloud WAF (Sucuri Platform, Cloudflare, MalCare's Atomic Security) matters more than the brand on the box.

What a security plugin actually does

Every plugin in this list combines some subset of the same building blocks. Understanding which ones matter for your site is more useful than reading marketing pages.

Web Application Firewall (WAF). Inspects incoming requests for known attack patterns – SQL injection, cross-site scripting, malicious file upload attempts, plugin-specific exploits. A plugin-layer WAF runs after the request has reached PHP and started loading WordPress. A cloud WAF runs on the vendor’s infrastructure before the request reaches your server. The latter is more resource-efficient under attack.

Malware scanner. Compares your WordPress core, theme, and plugin files against known-good versions and signature databases of malware patterns. Useful for detecting infections after they happen. Less useful as prevention – by the time the scanner finds malware, it is already on disk.

Login protection. Rate-limits failed login attempts, blocks brute force on /wp-login.php and XML-RPC, optionally adds CAPTCHA, country blocking, or two-factor authentication. The mechanics of these attacks are covered in brute force attacks on WordPress.

File integrity monitoring. Watches for unauthorized changes to WordPress files, alerting you when something modifies core, plugin, or theme files outside of a legitimate update. One of the most practical features for catching active compromises early.
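The file integrity monitoring described above, reduced to its essentials as an added example (this is not code from any of the plugins reviewed here). It hashes a WordPress tree into a baseline manifest, later compares a fresh manifest against it, and reports what was added, modified, or removed. The exclusion list, the fake tree, and the tampering are all constructed for the demo; the one design point worth copying is that `uploads` is excluded from hashing because it churns constantly, yet PHP files under it are still checked, since PHP has no business being there.

```python
"""File integrity monitoring, as an added example (not any plugin's code).

Builds a baseline manifest of SHA-256 hashes for a WordPress tree, later
compares a fresh manifest against it, and reports added / modified / removed
files. High-churn paths (uploads, cache) are excluded from hashing, but PHP
files under uploads are checked separately: PHP should never be written there,
and a webshell dropped into uploads is the classic thing this catches.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed exclusion list; a real site tunes this to its own layout.
DEFAULT_EXCLUDES = ("wp-content/uploads", "wp-content/cache")


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, excludes=DEFAULT_EXCLUDES) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(rel == e or rel.startswith(e + "/") for e in excludes):
                continue
            manifest[rel] = sha256_file(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Compare two manifests; sorted lists so the output is stable."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def php_in_uploads(root: Path) -> list:
    """PHP under uploads is excluded from the hash manifest but is a
    webshell indicator in its own right, so it gets a dedicated check."""
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in (".php", ".phtml", ".php5"))


def demo() -> dict:
    """Constructed scenario: a tiny fake WordPress tree is baselined, then
    tampered with the way a compromise typically looks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        original = {
            "wp-config.php": "<?php define('DB_NAME', 'wp');",
            "wp-includes/version.php": "<?php $wp_version = '6.x';",
            "wp-content/plugins/hello.php": "<?php // hello",
            "wp-content/plugins/readme.txt": "Hello Dolly",
            "wp-content/uploads/2026/05/photo.jpg": "jpegdata",
        }
        for rel, body in original.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        baseline = build_manifest(root)

        # Tampering: backdoor appended to a plugin file, a dropper added to
        # core, a plugin file deleted, a PHP shell placed in uploads, plus a
        # legitimate new image upload that should NOT be reported.
        (root / "wp-content/plugins/hello.php").write_text(
            "<?php // hello\neval(base64_decode('Li4u'));")
        (root / "wp-includes/class-wp-x.php").write_text("<?php // dropper")
        (root / "wp-content/plugins/readme.txt").unlink()
        (root / "wp-content/uploads/2026/05/shell.php").write_text("<?php // shell")
        (root / "wp-content/uploads/2026/05/photo2.jpg").write_text("jpegdata")

        return {"diff": diff_manifests(baseline, build_manifest(root)),
                "php_in_uploads": php_in_uploads(root)}


if __name__ == "__main__":
    result = demo()
    for kind, paths in result["diff"].items():
        for path in paths:
            print(f"{kind:9s} {path}")
    for path in result["php_in_uploads"]:
        print(f"PHP-IN-UPLOADS {path}")
```

Run it and the new image under `uploads` is silent while the shell next to it is reported, which is the behaviour you want from a scheduled scan: alerts on change that matters, not on every upload. A plugin's implementation adds the part this omits, a trusted copy of the core and plugin files to compare against so a modified file can be diffed, not just flagged.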

Threat intelligence. A shared blocklist updated by attacks observed across the vendor’s customer base. The IP that attacks one Wordfence-protected site gets added to a list that protects all of them. The size and freshness of this list is one of the few real differentiators between vendors.

Hardening / settings. Disabling XML-RPC, removing the WordPress version string from page output, blocking PHP execution in /uploads/ , enforcing strong passwords, hiding the login URL. Most of these are one-line server changes; security plugins package them as toggles.

When you compare plugins below, the column to focus on is what they actually do well, not the feature checklist they market. Most plugins claim every feature; only some implement each one well.

How we picked these six plugins

The wordpress.org plugin directory has hundreds of “security” plugins. Most are abandoned, most that are maintained do one thing well and three things badly, and a non-trivial number are themselves vectors for compromise (a “security plugin” with a remote-control backdoor is not a hypothetical).

We covered the six plugins that are still actively maintained, have meaningful user bases (50,000+ active installs or a credible commercial customer count), and offer architecturally distinct approaches.

What we deliberately skipped:

  • WP Cerber – functional but smaller user base and slower update cadence than the leaders.
  • NinjaScanner – reasonable scanner, but scanning-only with no WAF or login protection.
  • Defender Pro (WPMU DEV) – bundled with the WPMU DEV ecosystem; standalone value is hard to compare.
  • Shield Security – solid product, but recent ownership changes and pricing model adjustments make it harder to recommend confidently.
  • iThemes Security branding – the plugin still exists but rebranded to Solid Security in 2023; we use the current name throughout.
  • WP Hide & Security Enhancer and similar “hide WordPress” plugins – security through obscurity is not security.

Verified status as of May 2026 against wordpress.org listings or vendor sites:

| Plugin | Source | Last update | Active install signal |
|---|---|---|---|
| Wordfence | wordpress.org | Active development | 5 million+ active installs |
| Sucuri Security (free plugin) | wordpress.org | Active development | 800,000+ active installs |
| Solid Security | wordpress.org | Active development | 700,000+ active installs |
| All-In-One Security (AIOS) | wordpress.org | Active development | 1 million+ active installs |
| MalCare | wordpress.org + vendor | Active development | 100,000+ active installs |
| Jetpack Protect | wordpress.org | Active development | 100,000+ active installs |

Wordfence

Use it if: You want the safest mainstream pick. The largest user base, the deepest feature set, the most widely deployed real-time threat intelligence network in WordPress, and a free version that covers what most sites actually need.

Don’t use it if: Your server runs close to its resource limits. The scanner is one of the heaviest in this lineup, and the WAF inspecting every request adds measurable PHP overhead under traffic.

What you get: Free version includes the Wordfence WAF (with new rules arriving 30 days behind Premium), malware scanner, file change detection, login protection, two-factor authentication, country blocking for the login page, live traffic view, and IP/IP-range blocking. Premium ($119/year for one site) unlocks real-time threat-intelligence updates, the real-time IP blocklist, country blocking at the firewall (the free version only blocks logins by country), Wordfence Central for multi-site management, and premium support.

The defining strength is the threat-intelligence network. Wordfence runs on millions of sites; an IP that attacks one of them feeds reputation data into the blocklist that protects all of them. The free version’s 30-day delay on new firewall rules is a real gap – when a critical plugin vulnerability is published and exploited in the wild, premium subscribers get a blocking rule immediately, free users wait a month.

The architectural caveat: Wordfence runs as a WordPress plugin, which means every request must reach PHP and start loading WordPress before Wordfence inspects it. Under volume attacks – thousands of requests per minute hitting wp-login.php or xmlrpc.php – PHP workers get consumed even when Wordfence blocks every request. This is covered in detail in Wordfence and server-level security: why you need both. It is not a criticism specific to Wordfence; it applies to every plugin-layer WAF.

Common gotchas:

  • The default scan schedule is “Standard,” which can spike CPU on shared hosting. Drop it to “Limited” or “Custom” if you see scan-time load alerts.
  • Live traffic logging is off by default in newer versions because it consumed database storage faster than most sites needed. Enable it only when you actively need to debug a specific issue.
  • The 2FA implementation is solid but uses a dedicated wp-login flow that some hardening tools (login URL renamers, IP whitelists at the server level) can break. Test 2FA recovery before deploying.
  • Wordfence Central is genuinely useful if you manage 5+ sites; below that, it is overkill.

Sucuri Security + Sucuri Platform

Use it if: You want a cloud WAF that filters traffic before it reaches your server. Sucuri’s paid platform is one of the few in this lineup that does not run as a WordPress plugin – it runs on Sucuri’s network as a reverse proxy, and your DNS points to Sucuri before pointing to your origin.

Don’t use it if: You need a free WAF. The free Sucuri plugin is a scanner and integrity checker, not a firewall. The WAF is a separate paid subscription.

What you get: The free Sucuri Security plugin (800,000+ active installs) handles file integrity monitoring, malware scanning, security activity logging, blocklist status checking against Google/Norton/McAfee, and basic post-hack actions (force admin password resets, regenerate secret keys). It is a solid free integrity tool but is not a firewall.

The Sucuri Website Firewall is the paid product, sold separately from $199.99/year (Basic). It is a cloud WAF that sits between your visitors and your server. Traffic flows through Sucuri’s network, where it is inspected for attack patterns, rate-limited, and filtered against threat intelligence before reaching your origin. Higher tiers ($299.99/year Pro, $499.99/year Business) add faster malware-cleanup SLAs, advanced DDoS protection, full custom SSL, and PCI compliance support.

The architectural advantage of cloud-WAF placement: requests blocked at Sucuri’s network never touch your server. Under attack, your origin sees only the filtered traffic. This is a fundamentally different shape of protection than what plugin-layer WAFs can provide, and it is the main reason Sucuri Platform is the recommended choice for sites that have actually been targeted.

Common gotchas:

  • The Sucuri plugin and Sucuri Platform are different products. The free plugin alone gives you scanning, not a firewall – this is the most common confusion.
  • Switching to the Platform requires a DNS change. Your domain points to Sucuri, Sucuri proxies to your origin. This means caching configuration, real-IP forwarding, and origin allowlisting all need to be set up correctly.
  • Hide-origin features (rejecting direct connections to your origin IP) require the Business plan or manual nginx/Apache configuration. Without origin hiding, attackers who learn your real IP can bypass the WAF entirely.
  • The malware-cleanup service that Sucuri is famous for is included in the Platform subscription and is genuinely competent. If your site is currently compromised, see my WordPress site was hacked: what to do right now before installing anything new.
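The two setup steps the gotchas above name, origin allowlisting and real-IP forwarding, are where reverse-proxy WAF deployments most often go wrong, so here is the decision logic as an added example (not Sucuri's code or configuration). The proxy ranges are constructed placeholders from documentation address space, not any vendor's real egress list; substitute what your provider publishes. The same two rules belong in nginx or Apache (an `allow`/`deny` list for the origin, and real-IP handling that only trusts the header from those ranges); the Python just makes the reasoning testable.

```python
"""Origin-side checks for a cloud-WAF (reverse proxy) deployment. Added
example; not Sucuri's or any vendor's code. The proxy ranges below are
constructed placeholders (RFC 5737 / RFC 3849 documentation space), not any
WAF's real egress addresses: substitute the list your provider publishes.

Two rules the text above calls out as setup steps:
  1. Origin allowlisting: a TCP peer that is not one of the WAF's egress
     ranges reached the origin directly, bypassing the WAF. Reject it.
  2. Real-IP forwarding: X-Forwarded-For is only trustworthy when the peer
     that delivered it is the trusted proxy; otherwise the header is
     attacker-controlled and must be ignored.
"""
import ipaddress
from typing import Optional

# Constructed placeholder ranges for the WAF's egress network.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network(n)
    for n in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48")
]


def is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed addresses are never trusted
    return any(ip in net for net in TRUSTED_PROXY_RANGES)


def should_reject_direct(remote_addr: str) -> bool:
    """True when the TCP peer is not the WAF, i.e. the request bypassed it."""
    return not is_trusted_proxy(remote_addr)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Resolve the real client address behind a trusted proxy.

    Walk X-Forwarded-For from the right, skipping hops that are trusted
    proxies; the first untrusted hop is the client. The leftmost entries are
    whatever the client chose to send, so they are never used. If the peer
    itself is untrusted the header is ignored entirely.
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # garbage in the header: fall back to the peer
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop was a proxy; nothing usable


def classify(remote_addr: str, x_forwarded_for: Optional[str]) -> dict:
    return {
        "reject": should_reject_direct(remote_addr),
        "client_ip": client_ip(remote_addr, x_forwarded_for),
    }


# Constructed sample connections as the origin would see them:
# (TCP peer address, X-Forwarded-For header or None).
SAMPLES = {
    "via_waf": ("192.0.2.10", "203.0.113.5"),
    "via_waf_two_hops": ("192.0.2.10", "203.0.113.5, 198.51.100.2"),
    "spoofed_left_entry": ("192.0.2.10", "10.9.8.7, 203.0.113.5"),
    "direct_with_fake_header": ("203.0.113.77", "192.0.2.10"),
    "direct_no_header": ("203.0.113.77", None),
}


def demo() -> dict:
    return {name: classify(peer, xff) for name, (peer, xff) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} reject={verdict['reject']!s:5s} client={verdict['client_ip']}")
```

The `spoofed_left_entry` case is the one that bites: a client can prepend anything to X-Forwarded-For, so a site that reads the leftmost entry logs, rate-limits, and country-blocks the wrong address. The `direct_with_fake_header` case is the origin-hiding problem from the gotchas: without the allowlist, a request straight to the origin IP carrying a forged header would be treated as if it had passed through the WAF.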

Solid Security (formerly iThemes Security)

Use it if: You want a hardening-focused plugin with extensive settings rather than a signature scanner. Solid Security’s strength is making it easy to enable the dozens of small server-side and WordPress-side hardening rules that, in aggregate, eliminate most of the easy attack surface.

Don’t use it if: You want signature-based, server-side malware scanning as the primary feature. Solid does not ship its own file scanner in either tier (the Pro scan is a remote Sucuri SiteCheck check of your public pages, not a scan of files on disk) – that role goes to Wordfence, MalCare, or AIOS.

What you get: Free version (700,000+ active installs) covers brute force protection, login lockouts after configurable failed attempts, file change detection, away mode (disabling the dashboard during set hours), database backups, strong password enforcement, 30+ hardening toggles, and version-string removal. Pro ($99/year for one site, $199/year for ten, $299/year unlimited) adds two-factor authentication, passkeys, trusted devices, magic links, user security check, password-less logins, advanced wp-config and .htaccess rules, scheduled malware scanning (using third-party Sucuri SiteCheck under the hood), Google reCAPTCHA, and Solid Central for multi-site management.

What sets Solid apart is the settings density. Where Wordfence presents a smaller number of high-level toggles, Solid exposes 30-40 individual hardening rules: disable XML-RPC, disable file editing in admin, enforce SSL on login, force unique nicknames, block direct PHP execution in /uploads/ , change the default database table prefix, and so on. For users who want to see what is being hardened rather than trust a black box, this is the better fit.

iThemes was acquired by Liquid Web in 2018 and now sits under its StellarWP brand; the plugin was rebranded from iThemes Security to Solid Security in 2023, alongside the rest of the iThemes lineup (BackupBuddy → Solid Backups, iThemes Sync → Solid Central). The codebase is the same; the product positioning changed.

Common gotchas:

  • The “Hide Backend” feature (renaming wp-admin to a custom URL) breaks compatibility with some plugins that hard-code admin URLs. Always test on staging before enabling.
  • File change detection scans run as WordPress cron jobs. On low-traffic sites with infrequent visits, the cron may not fire reliably – configure a real system cron for wp-cron.php if you depend on scheduled scans.
  • Two-factor authentication is Pro only. The free version has login lockouts but no 2FA. This is the most common reason users upgrade.
  • The malware scan in Pro uses Sucuri SiteCheck (the same external service the free Sucuri Security plugin uses). It is a remote scan of publicly visible content, not a server-side file scan. For server-side file scanning you need Wordfence, MalCare, or AIOS.

All-In-One Security (AIOS)

Use it if: You want a strong free hardening plugin with lower resource overhead than Wordfence. AIOS is one of the few security plugins that pushes a meaningful amount of its protection down to .htaccess rules – blocking malicious requests at the web server before PHP runs.

Don’t use it if: You need the largest threat-intelligence network. AIOS does not have anything comparable to Wordfence’s real-time IP feed.

What you get: Free version (1 million+ active installs) covers user account security (admin username detection, weak password enforcement), login lockdown with configurable retry limits, brute force prevention via .htaccess rules, registration security, database security (table prefix changes, scheduled DB backups), filesystem security (file permissions check, PHP file edit prevention, host system info exposure check), .htaccess and wp-config.php backup/restore, blacklist manager (manual IP/User-Agent blocking), firewall settings (basic to advanced .htaccess-based rules), brute force prevention (cookie-based and CAPTCHA), and a security strength meter giving the site an overall score.

Premium ($70/year) adds smart 404 detection (blocking IPs that hit too many 404s in a window – basic vulnerability scanner blocking), country blocking, two-factor authentication for editors and authors (free version supports admin only), and removal of unwanted backend “Powered by AIOS” branding.

The architectural twist: a meaningful amount of AIOS’s protection is implemented as .htaccess directives rather than PHP middleware. That means many requests get rejected by Apache (or by nginx via a translation) before PHP even starts. On Apache hosts this is a real efficiency gain over plugin-layer WAFs. On nginx hosts (most managed WordPress hosting), the .htaccess rules are not natively executed – you need either an nginx-translation layer or to apply the equivalent nginx.conf snippets manually.

The plugin was acquired by Updraft (UpdraftPlus authors) in 2022. Active development resumed under the new ownership; the plugin had been stagnant for several years before the acquisition.

Common gotchas:

  • On nginx hosts, the .htaccess-based protections do not automatically apply. Check whether your host translates .htaccess to nginx rules; if not, AIOS becomes a PHP-layer plugin like the others.
  • The “security score” gamification (giving you a score from 0-505) encourages enabling every feature, including some that break sites – especially the .htaccess rewrite rules that conflict with cache plugins. Enable features individually and test.
  • The free version’s 2FA is admin-only. To extend to other roles you need Premium.
  • Backup and restore of .htaccess and wp-config.php is a genuinely useful feature – few other plugins let you snapshot and roll back these files from the dashboard.

MalCare

Use it if: Your site cannot tolerate server-side scan load. MalCare runs all scanning on its own infrastructure – the plugin uploads files to MalCare’s servers, where they are scanned, and only the results come back. No server CPU is consumed by signature matching.

Don’t use it if: You want a free option. There is no free tier – the plugin requires a subscription from day one.

What you get: MalCare ($149/year for one site, $299/year for five, $599/year for twenty) is a paid-only product. Features include external malware scanning, one-click malware removal (the company’s flagship – their automated cleaner handles the most common WordPress infections without manual file editing), Atomic Security (their cloud WAF, similar in placement to Sucuri Platform), login protection, vulnerability monitoring, white-label reporting, and uptime monitoring. The plugin uploads file hashes (and full files when changes are detected) to MalCare’s servers; the heavy work of comparing against malware signatures happens externally.

The architectural pitch: most site owners install Wordfence and discover that the scheduled scan adds noticeable load to their server, especially on shared hosting. MalCare’s externalized scanning eliminates that load entirely. The trade-off is data flow – you are sending file hashes (and sometimes file content) to a third party. For most sites this is fine; for sites with strict data-residency requirements it may not be.

The “one-click cleanup” is genuinely useful. For common WordPress malware (eval-base64 backdoors, hidden admin users, malicious post injections, redirect malware), MalCare’s automated cleaner has a high success rate without human intervention. For rare or targeted infections, manual cleanup or a service is still required – see WordPress malware: how it gets in and how to remove it for the manual playbook.

Common gotchas:

  • No free tier. If you want to evaluate before committing, the trial is the only option.
  • The cleanup tool is bundled with the subscription, but on truly compromised sites it sometimes routes to manual cleanup by the MalCare team. This is included in higher tiers and is also legitimate value, but it is sold as “one-click” and not always one-click in practice.
  • Atomic Security (the cloud WAF) is a separate optional add-on, not the default protection layer. Confirm whether your subscription includes it before assuming you have a cloud WAF.
  • Same vendor as BlogVault (covered in best WordPress backup plugins). If you already use BlogVault, MalCare integrates cleanly into the same dashboard.

Jetpack Protect

Use it if: You want a free vulnerability scanner from a well-resourced vendor (Automattic), running quietly in the background and reporting outdated or vulnerable plugins/themes/core. It is the simplest “do nothing, just tell me if I have a problem” option.

Don’t use it if: You want a WAF or active blocking in the free tier. Jetpack Protect’s free version is detection only – it tells you what is wrong; it does not stop attacks.

What you get: Jetpack Protect (free, 100,000+ active installs) provides daily vulnerability scans against the WPScan vulnerability database (the same database used by professional security researchers), reporting outdated WordPress core, vulnerable plugins, and vulnerable themes. The free tier is detection only; you fix issues yourself based on the report.

The paid tier is sold as Jetpack Security ($120/year for one site) or Jetpack Complete ($840/year for one site). Security includes the paid Jetpack Protect scan together with its plugin-layer WAF, real-time backups (formerly VaultPress, covered in the backup roundup), spam filtering (Akismet), downtime monitoring, and brute force attack protection. Complete adds the rest of the Jetpack feature set (CDN, image optimization, search) and is overkill for security-only use cases.

The architectural advantage: Jetpack Protect runs as a thin scan, not as a firewall. It does not inspect every request; it does not consume PHP workers under load. It just runs a daily check against the WPScan database and tells you which of your plugins or themes have a known vulnerability. Pair this with one of the WAF-providing plugins above and you have both signal and protection.

Common gotchas:

  • The free version is scan only. Many users install it expecting a firewall and find that vulnerabilities are reported but not blocked.
  • Jetpack Protect requires a WordPress.com account connection. The connection is free but the account requirement annoys users who do not otherwise interact with WordPress.com.
  • Auto-fix is not included in the free tier – you fix vulnerable plugins manually by updating them. The paid tier includes one-click auto-update for vulnerable plugins.
  • Jetpack as a whole has a reputation for being heavy. Jetpack Protect specifically (the standalone plugin) is lightweight and does not pull in the full Jetpack module set unless you install Jetpack itself.

How they compare on the things that matter

Feature checklists are easy to fake. The honest comparison is on a small number of architectural and operational decisions.

Where the firewall runs. Wordfence, Solid Security, and AIOS run their WAF as a WordPress plugin – after the request reaches PHP. Sucuri Platform and MalCare’s Atomic Security run cloud WAFs – before the request reaches your server. Jetpack Security’s WAF is also plugin-layer. Cloud-layer placement is more resource-efficient under attack but requires DNS changes and proper origin hiding.

How real the threat intelligence is. Wordfence’s real-time threat feed is genuinely the largest in WordPress. Sucuri’s is also strong but covers a narrower customer base. Solid, AIOS, and Jetpack rely more on static rule sets and the WPScan vulnerability database. MalCare’s signal comes from its own customer base, which is meaningful but smaller.

Free vs. paid value. Wordfence and Solid Security have free tiers that are genuinely useful on their own. AIOS is a strong free option, especially on Apache. Sucuri’s free plugin is integrity-only – the firewall is paid. MalCare has no free tier. Jetpack Protect’s free tier is scanner-only.

Resource impact. MalCare and Sucuri Platform are the lightest on your server because they externalize the heavy work. AIOS is light when its .htaccess rules run natively (Apache hosts). Wordfence is the heaviest by reputation – the scanner is thorough but expensive on shared hosting. Solid Security, and AIOS on nginx hosts where its .htaccess rules do not apply, sit in the middle.

Settings vs. defaults. Solid Security exposes the most individual settings; users who want to control each hardening rule prefer this. Wordfence and AIOS lean on sensible defaults with fewer dials. MalCare and Sucuri Platform are largely set-and-forget once configured.

Common mistakes when picking a security plugin

The plugin you pick matters less than the choices you make around it. The most common mistakes:

Running two WAF plugins at the same time. Wordfence and AIOS both write firewall rules; running both creates rule conflicts, performance overhead, and false positives. Pick one WAF plugin. Pair it with a complementary scanner (Jetpack Protect alongside Wordfence is fine because they do different things).

Treating the free tier as production-ready. Wordfence Free, Solid Security Free, and AIOS Free all have meaningful gaps versus their paid versions – the 30-day rule delay in Wordfence Free, the missing 2FA in Solid Free, the admin-only 2FA in AIOS Free. For low-traffic personal sites, free is fine. For revenue-generating sites, the $99-$149/year for the paid tier of one of these is small compared to the cost of a compromise.

Leaving XML-RPC enabled. Most plugins above can disable XML-RPC. Enable that toggle unless a client you rely on (a remote-publishing app or a service that connects over XML-RPC) actually needs the endpoint. Its system.multicall method lets a single HTTP request carry many login attempts, which is what makes it the highest-amplification brute force vector in WordPress: a per-request rate limit undercounts it badly. Full context in WordPress XML-RPC: what it is and how to disable it.

Ignoring the scanner schedule. Default scan schedules can spike CPU on shared hosting. Drop scans to overnight off-peak windows, or use external scanning (MalCare, Sucuri SiteCheck) instead of in-process scanning.

Renaming the login URL and calling it security. Hiding /wp-login.php slows down scanners but does not stop them – any modern bot enumerates URLs by scraping pages. The bigger concern is that login-URL renaming breaks compatibility with backup plugins, page builders, and WooCommerce checkout in surprising ways. For genuine login security, see WordPress login URL: where to find wp-admin and how to change it.

Forgetting the host’s role. A security plugin running inside WordPress cannot protect against issues that prevent WordPress from loading at all. Server-level protections – fail2ban, ModSecurity at the web server, rate limiting in nginx – run regardless of what is happening inside WordPress. The complete picture is in is WordPress secure and how to harden it.
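The two points above, that XML-RPC multicall amplifies brute force beyond what a per-request count suggests and that server-level tools such as fail2ban keep working when WordPress itself is overwhelmed, come together in a fail2ban-style detector. This is an added example run over constructed log lines, not fail2ban's own filter or any plugin's code; the thresholds are illustrative assumptions, and the one WordPress-specific assumption it relies on is that a failed wp-login.php POST re-renders the form with HTTP 200 while a successful login redirects with 302.

```python
"""fail2ban-style detection of login abuse over constructed access-log lines.
Added example; not any plugin's or fail2ban's own code, and the thresholds
are illustrative assumptions rather than anyone's defaults.

Counts failed POSTs to wp-login.php and all POSTs to xmlrpc.php per source IP
inside a sliding window. xmlrpc.php gets a much lower threshold: a single
system.multicall request can carry many credential guesses, so counting
requests undercounts the guess rate there (the amplification point above).
Assumption about WordPress behaviour: a failed wp-login.php POST re-renders
the form with HTTP 200, a successful one redirects with 302.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: ip ident user [ts] "method path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# (max hits, window) per endpoint; constructed thresholds.
RULES = {
    "/wp-login.php": (10, timedelta(minutes=1)),
    "/xmlrpc.php": (3, timedelta(minutes=1)),
}


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_guess(rec: dict) -> bool:
    """Does this record represent a credential guess worth counting?"""
    if rec["method"] != "POST" or rec["path"] not in RULES:
        return False
    if rec["path"] == "/wp-login.php" and rec["status"] != 200:
        return False  # 302 is a successful login, not a failure
    return True


def find_offenders(lines) -> dict:
    """Return {(ip, path): first_ban_time} for every (ip, endpoint) that hit
    its threshold inside the window. Lines must be in time order."""
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_guess(rec):
            continue
        limit, span = RULES[rec["path"]]
        key = (rec["ip"], rec["path"])
        q = windows[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > span:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= limit and key not in banned:
            banned[key] = rec["ts"]
    return banned


def make_line(ip, ts, method, path, status) -> str:
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512'


def constructed_log() -> list:
    """Synthetic traffic: two attackers, one normal user, one slow guesser
    under the threshold, and a GET flood that is not a login attempt."""
    t0 = datetime(2026, 5, 8, 10, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(12):   # 12 failed logins in 44 s
        events.append((t0 + timedelta(seconds=4 * i), "203.0.113.9", "POST", "/wp-login.php", 200))
    for i in range(3):    # 3 xmlrpc POSTs in 20 s, each possibly a multicall batch
        events.append((t0 + timedelta(seconds=10 * i), "198.51.100.20", "POST", "/xmlrpc.php", 200))
    events.append((t0, "192.0.2.50", "POST", "/wp-login.php", 200))                          # one typo
    events.append((t0 + timedelta(seconds=15), "192.0.2.50", "POST", "/wp-login.php", 302))  # then success
    for i in range(10):   # one failure every 40 s never reaches 10 inside a minute
        events.append((t0 + timedelta(seconds=40 * i), "192.0.2.60", "POST", "/wp-login.php", 200))
    for i in range(30):   # GET flood on the login page: not credential guesses
        events.append((t0 + timedelta(seconds=i), "192.0.2.70", "GET", "/wp-login.php", 200))
    events.sort(key=lambda e: e[0])
    return [make_line(ip, ts, m, p, s) for ts, ip, m, p, s in events]


def demo() -> dict:
    return find_offenders(constructed_log())


if __name__ == "__main__":
    for (ip, path), when in demo().items():
        print(f"ban {ip} for {path} at {when.isoformat()}")
```

The point the output makes is that the three xmlrpc.php requests get banned while the ten-per-minute wp-login.php threshold is never reached by the slow guesser: with multicall in play, request volume is the wrong unit, so the endpoint needs its own, much lower limit or should simply be disabled. Because this reads the web server's log rather than running inside WordPress, it keeps working during exactly the floods that starve PHP workers.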

What to do after installing

Picking a plugin is the easy part. The decisions that follow:

Configure the WAF. Most plugins ship with sensible defaults. Walk through the firewall settings anyway – country blocks, login lockout thresholds, scan schedules. The defaults are tuned for the average site, not yours.

Enable two-factor authentication for every admin account. Whichever plugin you chose, find its 2FA toggle. Use an authenticator app (Authy, Google Authenticator, 1Password) or a passkey where the plugin supports one (Solid Security Pro does), not SMS. SMS-based 2FA is better than nothing but is defeated by SIM-swapping attacks.

Set up alerts you will actually read. Most plugins email on file changes, login lockouts, and detected malware. Configure a real inbox, not the noreply that nobody checks. The alert that catches an active compromise is only useful if it lands somewhere a human looks within 24 hours.

Run an initial scan and clear out warnings. First scans typically flag dozens of items – outdated plugins, weak passwords, missing hardening rules. Triage them once, then your future alerts represent real change rather than baseline noise.

Test recovery before you need it. If 2FA breaks, can you recover? If the login URL is renamed and you forget it, can you find it? Test now, in a calm window, not at 2 AM during an incident.

Keep the plugin updated. Security plugins are themselves attack targets – a vulnerability in your security plugin is a particularly bad day. All six plugins above have had security patches in the last few years. Auto-update or check weekly.

Final picks

If you want a one-line answer:

  • Most sites: Wordfence Free, upgraded to Premium when the site generates real revenue. Mainstream choice, largest user base, strongest threat feed.
  • You have been targeted: Sucuri Platform. The cloud WAF stops attacks before they reach your origin – the only architectural difference that matters under sustained attack.
  • You want the lightest free option: AIOS on Apache hosts, Solid Security on nginx hosts. Both are genuinely useful in the free tier without the resource overhead of Wordfence’s scanner.
  • You cannot afford any server load from scanning: MalCare. The externalized scan model is the only one that does not consume your CPU.
  • You want a thin “is anything wrong” check alongside something else: Jetpack Protect. Free, lightweight, runs once a day, tells you what is vulnerable.

The plugin matters. The configuration matters more. The unpatched plugin or theme that bypasses any of these is what actually gets sites hacked – keep your stack updated, keep your 2FA on, keep backups off-server.
