WordPress Security: How to Protect Your Site from Plugins, Malware and Hackers

By Angus Published 26 May 2026 Updated 29 May 2026 11 min reading time

WordPress runs a large proportion of the web, which makes it a consistent target. Attackers do not usually go after specific sites; they run automated scans across millions of WordPress installations, looking for security vulnerabilities, outdated software and weak login credentials. Understanding where the security risks come from is the starting point for building a layered security strategy for your WordPress website.

This guide covers the plugin ecosystem as the primary risk vector, reviews three widely used WordPress security plugins, and sets out the hardening steps that work independently of any plugin you install. These practices apply to sites of any size, from a personal blog to a high-traffic ecommerce site.

Why plugins are the main risk vector

According to Patchstack, 90% of WordPress vulnerabilities are found in plugins and themes. That figure has been consistent for several years. The WordPress core itself is maintained by a large, security-focused team and receives rapid patches when issues are found. Plugins, by contrast, vary wildly in maintenance quality, and there are over 59,000 of them in the official directory alone.

Attackers exploit plugins in several ways. Some abuse upload handlers to place malicious files, typically a PHP backdoor, on the server. Others use cross-site scripting (XSS) flaws to inject script into the pages your visitors see, for example to serve fraudulent advertising or redirect visitors elsewhere. The most serious flaws allow full site takeover. In 2021, a vulnerability in the ProfilePress plugin allowed malicious file uploads; in the same period, an actively exploited flaw in the Fancy Product Designer plugin put an estimated 17,000 sites at risk.

The volume of new vulnerabilities is not slowing down. What changes the calculus in your favour is how quickly you apply updates and how carefully you choose what to install in the first place.

Abandoned plugins: a specific risk

A plugin that has not received an update in two years or more should be treated as abandoned. No updates means no security patches and no response to newly reported vulnerabilities, and attackers specifically target abandoned plugins because they know the code will not be fixed. You can check the status of any plugin on its WordPress.org directory page: the last updated date, the active installation count and the WordPress version it was last tested with are listed on every plugin page, and the directory shows a warning banner once a plugin has not been tested with the last three major WordPress releases.

An abandoned plugin is not necessarily exploitable right now, but the longer it goes without maintenance, the higher the probability that an unpatched flaw will be found and exploited. Removing abandoned plugins is a low-effort, high-value step.

Choosing plugins you can trust

The WordPress plugin directory is the safest source. Every plugin listed there was reviewed by the plugin review team before its first publication, although later updates are not individually reviewed, so a directory listing is a floor rather than a guarantee. For plugins sourced from elsewhere, the following checks are worth running before you install anything.

  • Find the developer’s website. No credible web presence is a warning sign. Legitimate plugin developers are identifiable.
  • Check CodeCanyon. One of the main third-party marketplaces for WordPress plugins, it vets submissions before listing them. If a paid plugin is not listed there or on a recognisable developer site, treat it with caution.
  • Look at download numbers and last updated date. A plugin that has been available for years but has very few downloads warrants extra scrutiny. Low adoption combined with infrequent updates suggests limited active maintenance.
  • Check the WPScan vulnerability database. Before installing a plugin, search for it at wpscan.com to see whether any vulnerabilities have been reported against it. If a reported vulnerability has no fixed version available, do not install it.
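The checks in the abandoned-plugins section and in the list above can be scripted against the same data the WordPress.org plugin page shows. The script below is an added example written for this article, not code from WordPress.org or from any plugin vendor. It applies the two-year rule, the three-releases-untested rule and an install-count floor to records in the shape the public plugin information API returns. The two sample records are constructed (they are not real plugins), and the install threshold, reference date and current WordPress version are assumptions for the demo; the API URL and field names are as documented at the time of writing and worth re-checking before you rely on a live lookup.

```python
"""Audit WordPress plugins for signs of abandonment.

Added example, not code from the article or from WordPress.org. It applies the
checks described above (last updated date, active install count, tested-up-to
version) to plugin information records in the shape the WordPress.org API
returns. The sample records are constructed so the audit runs offline; the
install threshold, reference date and current version are assumptions.
"""
import json
import urllib.parse
import urllib.request
from datetime import date, timedelta

API = "https://api.wordpress.org/plugins/info/1.2/"  # assumption: current API endpoint
ABANDONED_AFTER = timedelta(days=2 * 365)   # the article's two-year rule
MIN_ACTIVE_INSTALLS = 1_000                 # assumption: below this, look harder
RELEASES_BEHIND_LIMIT = 3                   # WordPress.org shows its "untested" banner at 3
REFERENCE_DATE = date(2026, 5, 29)          # the article's date, used for the demo only
ASSUMED_CURRENT_WP = "6.8"                  # assumption for the demo only


def fetch_plugin_info(slug: str) -> dict:
    """Live lookup (needs network). Not used by the offline demo."""
    query = urllib.parse.urlencode({"action": "plugin_information", "request[slug]": slug})
    with urllib.request.urlopen(f"{API}?{query}", timeout=10) as resp:
        return json.load(resp)


def _major_minor(version: str) -> tuple:
    """'6.5.2' -> (6, 5). WordPress counts 6.4 -> 6.5 as one major release."""
    parts = version.split(".")
    return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)


def releases_behind(tested: str, current: str) -> int:
    """Major WordPress releases between the tested-up-to version and the current one."""
    t_major, t_minor = _major_minor(tested)
    c_major, c_minor = _major_minor(current)
    return (c_major - t_major) * 10 + (c_minor - t_minor)


def audit_plugin(info: dict, today: date, current_wp: str) -> list:
    """Return reasons for caution; an empty list means nothing stood out."""
    reasons = []
    # The API reports last_updated like "2023-02-11 3:45pm GMT"; the date part is enough.
    last_updated = date.fromisoformat(info["last_updated"][:10])
    if today - last_updated >= ABANDONED_AFTER:
        reasons.append(f"last updated {last_updated}, over two years ago: treat as abandoned")
    tested = info.get("tested") or "0.0"
    behind = releases_behind(tested, current_wp)
    if behind >= RELEASES_BEHIND_LIMIT:
        reasons.append(f"only tested up to WordPress {tested}, {behind} releases behind {current_wp}")
    installs = int(info.get("active_installs", 0))
    if installs < MIN_ACTIVE_INSTALLS:
        reasons.append(f"only {installs} active installs: little scrutiny from other users")
    return reasons


def audit_all(infos: list, today: date, current_wp: str) -> dict:
    """Slug -> list of reasons, for every record given."""
    return {info["slug"]: audit_plugin(info, today, current_wp) for info in infos}


# Constructed sample records in the shape the API returns (these are not real plugins).
SAMPLE_RESPONSES = [
    {"slug": "well-kept-forms", "last_updated": "2026-05-01 9:10am GMT",
     "tested": "6.8", "active_installs": 200000},
    {"slug": "old-gallery-widget", "last_updated": "2023-02-11 3:45pm GMT",
     "tested": "6.1", "active_installs": 400},
]


def run_sample_audit() -> dict:
    """Audit the constructed samples against the assumed reference date and version."""
    return audit_all(SAMPLE_RESPONSES, REFERENCE_DATE, ASSUMED_CURRENT_WP)


if __name__ == "__main__":
    for slug, reasons in run_sample_audit().items():
        print(slug, "OK" if not reasons else "")
        for reason in reasons:
            print("  -", reason)
```

To audit a live site, feed the slugs of your installed plugins through `fetch_plugin_info` and pass the results to `audit_all` with today's date and your WordPress version. A plugin that trips all three checks, as the constructed "old-gallery-widget" does, is exactly the kind the page describes as an attacker's preferred target.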

Tip: Avoid running multiple security plugins simultaneously. Two or more security tools in parallel can conflict with each other, produce duplicate alerts and in some cases block legitimate traffic, all while adding load. Pick one and configure it properly.

WordPress security plugins worth using

Three plugins stand out for reliability, active development and the range of threats they address. Each takes a different approach, so the right choice depends on what you need most. All three have a free tier adequate for most personal and small business sites, with paid tiers adding features such as real-time threat intelligence. All in One Security (AIOS) is another free option that combines hardening, firewall and login protection in a single dashboard, worth knowing about if you want one lighter tool rather than a feature-heavy suite.

Wordfence Security

Wordfence is one of the most widely installed WordPress security plugins. Its core feature is a web application firewall (WAF) that inspects each request on your server and blocks malicious ones before WordPress processes them. Because it runs in PHP on your own host, it does not stop traffic reaching the server in the way a DNS-level WAF does, but it does not depend on a third party either. Alongside the firewall, it runs a malware scanner that compares your core files, themes and plugins against the known-clean copies published on WordPress.org and flags anything that does not match.

The free tier covers the essentials: the firewall, malware scanning, brute force protection, login security and real-time traffic monitoring. You can block specific IP addresses from the plugin dashboard, and the login lockdown feature limits failed attempts per IP address and username to blunt credential stuffing. The paid tier adds real-time firewall rules from Wordfence's threat feed. One limitation to be aware of: the free tier receives new firewall rules and malware signatures on a 30-day delay compared to Wordfence Premium, which gets them as soon as new threats are identified. For a personal blog or small informational site that is acceptable; for anything processing payments or handling customer data, the premium tier closes that window.

Solid Security (formerly iThemes Security)

Solid Security takes a hardening-focused approach. Rather than centering on a firewall, it works through a checklist of configuration changes that reduce your site's attack surface. This includes changing the database table prefix (a minor obfuscation: it defeats scripted attacks hard-coded for the default wp_ prefix, but not an attacker with SQL injection, who can read the real prefix from the database), moving the login page to a custom URL, disabling the built-in theme and plugin editor (the DISALLOW_FILE_EDIT constant in wp-config.php) and enforcing strong passwords across all user accounts.
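Most of that checklist ends up as settings in wp-config.php, so it can be audited directly. The script below is an added example written for this article, not part of Solid Security or WordPress. It parses the define() calls and table prefix out of a config file and reports the weak settings: file editor left enabled, debugging on, default prefix, and authentication keys or salts still set to the installer placeholder. Both sample configs are constructed; the minimum salt length is an assumption (the keys WordPress.org's secret-key service issues are 64 characters).

```python
"""Check a wp-config.php for the hardening settings discussed above.

Added example, not code from Solid Security or WordPress. It reports the
constants a hardening plugin would set for you: DISALLOW_FILE_EDIT (removes
the theme and plugin editor from the admin), WP_DEBUG, the table prefix, and
the authentication keys and salts. The sample configs are constructed and
the minimum salt length is an assumption.
"""
import re
import secrets

PLACEHOLDER_SALT = "put your unique phrase here"   # the value shipped in wp-config-sample.php
MIN_SALT_LENGTH = 32                                # assumption; WordPress.org issues 64 characters
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# define( 'NAME', value ); in either quote style, with any spacing
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_defines(config: str) -> dict:
    """Constant name -> raw PHP value text (quotes kept) for every define() call."""
    return {name: value for name, value in DEFINE_RE.findall(config)}


def _is_true(raw) -> bool:
    return raw is not None and raw.strip().lower() == "true"


def audit_wp_config(config: str) -> list:
    """Return findings a hardening checklist would raise; empty means it passes."""
    defines = parse_defines(config)
    findings = []
    if not _is_true(defines.get("DISALLOW_FILE_EDIT")):
        findings.append("DISALLOW_FILE_EDIT is not true: the admin file editor is available")
    if _is_true(defines.get("WP_DEBUG")):
        findings.append("WP_DEBUG is true: errors and file paths may be shown to visitors")
    match = PREFIX_RE.search(config)
    if (match.group(1) if match else "wp_") == "wp_":
        findings.append("table prefix is the default wp_")
    for name in SALT_NAMES:
        value = defines.get(name, "").strip("'\"")
        if value == PLACEHOLDER_SALT or len(value) < MIN_SALT_LENGTH:
            findings.append(f"{name} is the installer placeholder or too short")
    return findings


def generate_salt_defines() -> str:
    """Fresh keys and salts, the same job WordPress.org's secret-key service does."""
    return "\n".join(f"define( '{name}', '{secrets.token_hex(32)}' );" for name in SALT_NAMES)


# Constructed samples: a config left at installer defaults, and the hardened equivalent.
WEAK_CONFIG = "<?php\n$table_prefix = 'wp_';\ndefine( 'WP_DEBUG', true );\n" + "\n".join(
    f"define( '{name}', '{PLACEHOLDER_SALT}' );" for name in SALT_NAMES)

HARDENED_CONFIG = ("<?php\n$table_prefix = 'k7q_';\ndefine( 'WP_DEBUG', false );\n"
                   "define( 'DISALLOW_FILE_EDIT', true );\n" + generate_salt_defines())


if __name__ == "__main__":
    for label, config in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(config) or "passes")
```

Run it against a copy of your own file with `audit_wp_config(Path("wp-config.php").read_text())`. Rotating the keys and salts invalidates every existing login cookie, which is a feature rather than a bug after a suspected compromise.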

Two-factor authentication (2FA) is available in the free version, and it is one of the most effective individual steps you can take to protect admin accounts. File integrity monitoring alerts you when core files or other PHP files are modified unexpectedly, which can be an early indicator of compromise; a PHP file appearing under wp-content/uploads, a directory that should only ever hold media, is a classic sign. The interface is well organised and explains what each setting does, making it a good choice if you want a structured way to work through security configuration without relying on defaults.
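Wordfence's scanner and Solid Security's file integrity monitoring both rest on the same mechanism: hash every file, keep the manifest, rehash later and report what changed. The script below is an added example written for this article, not code from Wordfence, Solid Security or WordPress. It builds and diffs such a manifest and reports PHP in the uploads tree as a separate finding. The site tree in demo() and the tampering applied to it are constructed.

```python
"""Baseline and diff the files of a WordPress install.

Added example, not code from Wordfence, Solid Security or WordPress. The
plugins do this continuously; this shows the mechanism. A PHP file appearing
under wp-content/uploads is reported separately, because that directory
should only ever hold media. The tree built in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

UPLOADS = "wp-content/uploads/"
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> SHA-256 of contents, for every file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    # Executable code in the uploads tree is a finding on its own, whether new or changed.
    suspicious = sorted(p for p in added + modified
                        if p.startswith(UPLOADS) and p.lower().endswith(PHP_SUFFIXES))
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def demo() -> dict:
    """Build a tiny constructed site tree, baseline it, tamper with it, and diff."""
    files = {
        "wp-config.php": "<?php define( 'DB_NAME', 'wordpress' );\n",
        "wp-includes/functions.php": "<?php function wp_demo() { return 1; }\n",
        "wp-content/uploads/2026/05/photo.jpg": "JPEG bytes would go here\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content)
        baseline = build_manifest(root)
        # Constructed tampering: a backdoor appended to a core file, and a PHP
        # dropper placed where only media should be.
        core = root / "wp-includes/functions.php"
        core.write_text(files["wp-includes/functions.php"] + "eval(base64_decode($_POST['c']));\n")
        (root / "wp-content/uploads/2026/05/cache.php").write_text("<?php system($_GET['cmd']);\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the manifest outside the web root, ideally off the host, because an attacker with write access to the site can otherwise update it to match their changes. A baseline taken after a compromise is also worthless; for core files, compare against the checksums WordPress.org publishes instead (WP-CLI's `wp core verify-checksums` does exactly that) and only trust a local baseline for themes, plugins and uploads.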

MalCare Security

MalCare is built differently from the other two. Its malware scanning runs on MalCare's own servers rather than on your hosting, so the heavy work does not consume your server's resources. This matters on shared or resource-limited hosting, where a full local scan can slow the site noticeably while it runs. The trade-off inherent in that design is that copies of your site's files are sent to a third party for analysis, which is worth checking against your own data handling requirements.

MalCare's standout feature is one-click malware removal. Where most free security plugins identify malware but leave you to handle the cleanup manually (or to pay for a premium cleanup service), MalCare handles removal directly from the plugin dashboard. It also includes real-time bot protection and login security. For site owners who want detection and removal in a single tool without the overhead of a server-side scan, it is a strong option.

Hardening steps beyond plugins

A security plugin will not compensate for an outdated WordPress installation, abandoned plugins or a weak admin password. These steps matter regardless of which plugin you choose.

Keep everything updated, automatically

Outdated plugins are the most common way WordPress sites get compromised, and enabling auto-updates is the most reliable way to stay current. In your WordPress admin, go to Plugins > Installed Plugins and enable auto-updates for each plugin. WordPress core installs minor and security releases automatically by default; under Dashboard > Updates you can also opt in to automatic major releases. Check your active theme too: themes receive security patches just as plugins do, and an outdated theme can expose the same kinds of flaw. Auto-updates occasionally break a site, so pair them with scheduled backups you have actually tested restoring rather than switching them off.

Remove plugins you are not actively using

Inactive plugins are not safe just because they are deactivated. Many plugin flaws do need the plugin to be active, but any PHP file in the plugin directory that does its own work when requested directly can be reached whether the plugin is active or not, and an inactive plugin is also one you will never think to update. Remove anything you are not actively using: deactivate the plugin, then delete it. Fewer plugins also means a lighter site, which reduces page load times independently of any security benefit.

Use a strong login setup

Older installs and many one-click installers use admin as the administrator username, and automated brute force tools try it first. If your site was set up that way, create a new account with the administrator role, log in as that account, then delete the old one, attributing its content to the new account when WordPress asks. Bear in mind that usernames are not secret in WordPress (author archive URLs and the REST API expose them), so changing the username only removes the easiest guess; the password and the second factor do the real work. Use a unique password generated by a password manager for every administrator account. Two-factor authentication on admin accounts is the single most effective defence against credential-based attacks, because a stolen or guessed password is then not enough on its own.

Use a web application firewall

A WAF inspects traffic between the internet and your site and blocks common attack patterns before they reach your application. Wordfence includes a WAF that runs in PHP on your own server. Alternatively, a cloud WAF such as Cloudflare sits in front of your site (you point your DNS at it) and filters malicious traffic before it reaches your server at all, which also provides DDoS protection that a plugin cannot. If you use one, restrict your origin server to accept web traffic only from the WAF provider's IP ranges; otherwise an attacker who finds the origin's real address can bypass the WAF entirely. For sites handling sensitive data or carrying meaningful traffic, a WAF at the hosting or DNS level is a layer that plugin-level defences cannot replicate.

Other threats to know about

Plugin vulnerabilities account for the majority of WordPress compromises, but they are not the only attack surface worth understanding.

SQL injection

SQL injection is an attack where database commands are smuggled into your site through an input such as a form field or URL parameter. If a plugin builds queries by concatenating that input instead of using parameterised queries (in WordPress, $wpdb->prepare()), an attacker can read, alter or delete your database, or insert malicious content into your pages. For a site owner, keeping WordPress and all plugins updated is the main defence, since injection flaws in WordPress components are patched quickly once discovered. A WAF adds a further layer by blocking known injection patterns before they reach your database.

Brute force login attacks

Automated bots cycle through large volumes of username and password combinations against your login URL. The defences layer: a strong unique password, two-factor authentication (2FA), a limit on failed login attempts per IP address and username (all three plugins above include login lockdown features), and a non-default admin username. Any one of these makes a brute force attack harder; together they make it impractical.

If your site has already been compromised

If you suspect your site has been affected by malware, act on it rather than waiting to confirm. Signs include unexpected admin accounts, modified files, unfamiliar content appearing in pages or your site being flagged by Google Search Console. The guide to removing malware from WordPress covers the recovery steps, and MalCare's one-click removal tool handles many cases without manual file editing. Whatever tool you use, cleanup is not finished until you have found the entry point (usually a vulnerable plugin or a stolen credential), closed it, and rotated every administrator password, the authentication keys and salts in wp-config.php, and any API keys the site holds; otherwise the attacker simply comes back.

Contacting your hosting provider is a step many site owners skip. If your site has been compromised, your host may be able to restore from a clean backup, identify which files were modified and confirm whether the infection spread to other sites on the same account. It is worth making that call early in the process.

Further reading

For broader website security beyond WordPress, protecting your website from hackers and cyberattacks covers the server-level and infrastructure measures that complement plugin-based WordPress security.

UK businesses that handle customer data should also be aware of the NCSC's Cyber Essentials scheme, which sets out five technical controls (firewalls, secure configuration, user access control, malware protection and security update management) as a baseline for organisations handling sensitive information. Keeping software updated and using firewalls are two of the five, which aligns directly with good WordPress security practice.

Wrapping up

The plugin ecosystem is the biggest single security risk for WordPress sites, but it is manageable. Improving your site's security comes down to keeping everything updated, removing unused plugins and themes, and installing one of the security plugins reviewed above to add a firewall and monitoring layer. Two-factor authentication, a web application firewall and DDoS protection at the hosting or DNS level complete a solid posture. Security hardening is not a one-time task: revisit your settings periodically as new vulnerabilities are disclosed.

For a hosting environment built around WordPress, take a look at UWH WordPress hosting.

About Angus

Angus is the Website and Content Developer at Unlimited Web Hosting UK where he crafts clear, engaging content optimised for humans.
