Any website, whether created with WordPress or not, needs to be secure for many reasons, such as complying with privacy legislation, securing transactions on your site, and protecting the security and integrity of your users’ data.
For this reason, we must always apply the basics of security to any website, as well as effective web maintenance.
The good thing is that many web hosting companies are really committed to WordPress and its security, and increasingly include more specific features for our websites. We also have very good security plugins for WordPress with which to further secure the installation of our website or online store.
I have been using security plugins for many years on my websites and those of my clients, switching from one to another according to the needs of each site, but I had never shared a comparison of the best security plugins for WordPress.
Although I have often used paid (premium) versions of security plugins on some websites, over time I have realized that it is almost never worth paying for these “pro” features, because there is always a way to get them through another method or plugin.
That is why in this comparison I will focus exclusively on the free versions of WordPress security plugins that I have tested and analyzed.
Free WordPress security plugins reviewed
Below is a brief description of the free security plugins for WordPress that I have included in the comparison.
Wordfence
With over 4 million installations, it is probably the most popular security plugin of all those in the comparison, also driven by the fantastic WordPress security reports on their website.
Its most popular features are the integrated free firewall and malware scanner.
iThemes Security
With more than 1 million installations, it is another of the most popular WordPress security plugins, and one for which I recently published an updated tutorial.
In the latest version, it has introduced a wizard and an intelligent protection system based on user group types, especially useful for implementers and developers when securing client websites.
All in One WP Security & Firewall
The name says it all: it is an all-in-one, an attempt to combine in a single security plugin the functionalities that you find scattered across others.
With more than 900 thousand installations, it is a very popular plugin, with a very clear interface and screens with extensive explanations of each functionality, something novice users will appreciate.
Sucuri Security
Endorsed by the well-known security company, recently acquired by GoDaddy, this plugin has more than 800,000 installations.
Its best asset is the malware monitor synchronized with its free online tool SiteCheck.
WP Cerber Security
This security plugin has a really overwhelming number of tools, among which the very detailed site activity log stands out, ideal for administrators who spend a lot of time monitoring every movement on the website.
With more than 200,000 installations, it deserved to be in the comparison.
SiteGround Security
This is the new kid on the block in the WordPress security world. The plugin has been available for less than 2 months and already has more than 100 thousand installations. Best of all, its use is not limited to websites hosted on SiteGround: it is fully functional, and free, on any website.
What is most striking about this free security plugin for WordPress is its very simple interface and how well chosen its tools are, including those active by default as soon as it is installed.
How was the comparison made?
To make the comparison I installed the plugins on a test site without any other security reinforcement. Once each plugin was installed and activated I checked its functionalities and tools, reviewed the system files added and/or modified, as well as the plugin’s impact on the database and its performance and resource consumption.
To measure resource consumption, I analyzed the website before and after activating each plugin with its fundamental tools, checking the amount of memory, queries and resources it consumes on the front page of the website.
These measurements were made with Query Monitor and P3 Plugin Profiler.
In the comparison table, you will see many features listed, indicating which plugins incorporate each one and to what extent, as well as other values.
Finally, you will find my personal assessment of what I consider to be the best free security plugin for WordPress according to the type of user and needs.
Comparative table of free security plugins for WordPress
Here is the table of results of the comparison.
Notes about the comparison
- Rows in bold are security tools that are more important than the rest. For example, it is much more important to protect access with two-factor authentication (2FA) than by changing the access URL.
- The firewall is not so relevant in the comparison, as most current hosting already incorporates one, and in some plugins it is not a firewall but a set of file protection rules.
Which free WordPress security plugin should I use?
Having analyzed the main free security plugins for WordPress and recorded their strengths and weaknesses, these are my recommendations…
Security plugins that you should not use
Of course, this is my opinion, but I absolutely do not recommend using Sucuri Security or Wordfence, as they both lack tools that I feel are essential for WordPress security:
- File protection (Wordfence)
- XSS attack protection (both)
- Disable XML-RPC (Sucuri)
- RSS blocking (both)
On the other hand, I was sadly surprised that only SiteGround Security incorporates a tool to add security headers, which in its case adds HSTS, CSP and XSS headers.
I consider this fundamental in a security plugin, and I find it surprising that plugins like Redirection incorporate this tool while the most popular security plugins do not.
Easiest security plugin to configure
By far the easiest plugin to configure for any type of user is SiteGround Security.
The tools that are active by default are safe, and the optional ones are perfectly explained.
In addition, the way the sections are organized seems to me the most sensible and easy to understand:
- Site Security
- Access security
- Activity log
- Post-hacking actions
Security plugin with the most security tools
If we consider only quantity, the one that wins this section by a landslide is iThemes Security. And I do not mean only the number of tools that the plugin incorporates, but also their importance and relevance.
I say this because WP Cerber has an overwhelming number of settings, which can make it seem more complete, but features that may require dozens of clicks with WP Cerber take a single click with the other plugins.
Now, is it the plugin that brings the most security to our WordPress? Not quite, because quantity does not equal quality or importance of the tools. For example, iThemes Security does not incorporate fundamental tools such as:
- RSS blocking
- Post-hacking reinforcements
In addition, I am absolutely disappointed with the recent change of interface and configuration wizard, which instead of helping does the opposite, making the plugin very complicated to configure correctly, despite my efforts to explain it.
Quite a pity.
Security plugin that offers the best security
What matters here is not so much how many security tools the plugin offers, but how relevant they are to the security of the site.
There are plugins in the comparison with hundreds of tools that, in reality, are not really important for the security of a website. Do they contribute? Yes, but they are not the most important thing.
I mean that a security header is enormously more important for the security of a website than disabling right-click, for example.
Following the approach of the comparison, if we count how many important security reinforcements (in bold) each plugin incorporates, the ranking would look like this:
- SiteGround Security – 12
- iThemes Security – 11
- All in One WP Security – 9
- WP Cerber – 5
- Sucuri – 6
- Wordfence – 5
Note: WP Cerber ranks higher than Sucuri even though it has fewer important tools, because of the point I made above about must-have features.
Surprised that Wordfence, the most popular plugin with the most installations, is at the bottom of the list? Me too, but on the other hand, it confirms the problem that I have been seeing these last months with hacked websites I had to clean that had Wordfence active, even with the premium version.
In the end, the relevance of the tools matters more than their quantity.
Is the winner of the comparison the perfect security plugin?
No, not at all. As you will see in the table, SiteGround Security is still missing some tools that I consider essential in a security plugin:
- File Monitor – To detect possible hacks and be able to take action.
- Secure REST API – It is essential to be able to configure the access mode through the WordPress API, as there are more and more threats that use this system.
- Security headers – Although it is the only plugin that adds security headers, I miss the ability to add more security headers, such as CSP, Content or Permissions.
I hope this is due to the novelty of the plugin, and that they will soon incorporate these functionalities and some other relevant ones, such as changing the DB prefix, for example.
On the other hand, although it is not one of the most resource-consuming plugins, it sits in the middle of the range, probably because of the activity log. That is something to improve, as is the deletion of the 2 tables it leaves in the database when it is uninstalled.
That said, surprisingly even for me, it is currently the one I recommend, and in fact, I am adding it by default in all my installations and those of my clients.
It is really easy to configure, with secure and adequate default settings, and it incorporates most of the most important security reinforcements.