5 WordPress Plugins To Increase Your Blog's Security

Martin Brinkmann
May 8, 2010
Updated • Dec 11, 2014

WordPress, like any other popular script or online service, is heavily targeted by people with malicious intents who try to get access to installations  to use the hijacked blogs or services for their malicious activities.

This includes displaying ads to blog visitors or placing links to their sites on the blog or even redirecting the whole blog to another site.

WordPress administrators can improve the security of their blog with several standard practices like selecting a secure password, changing the admin username or disabling features in the blog (like preventing registration or remote publishing).

But there are also WordPress plugins that can increase the blog's security tremendously. The following list contains five WordPress plugins that improve a blog's security.

1. Login Lockdown

Login Lockdown increases the protection against so called brute force attacks. The plugin will log every login attempt and block attempts from IP addresses that try to gain access repeatedly in a short period of time.

The login retries, the retry time interval and the length of the lock out can be configured in the plugins' options.

The list of blocked IP addresses can also provide the webmaster with information about undergoing attacks.

2. WP Security Scan

WP Security Scan scans several key elements of the blog. The plugin checks the WordPress version, table prefix, if the WordPress version is hidden on public pages, if DB errors are turned off, if the ID Meta tag has been removed, if a user admin exists and if a .htaccess file has been placed in wp-admin for extra security.

It can furthermore scan the file permissions of the core WordPress folders (showing what it suggests and the actual permissions), change the WordPress table suffix to protect the blog from zero day attacks and provides access to a password strength checker. Does not need to be active all the time and is useful when you harden the blog against security attacks.

3. Antivirus for WordPress

Antivirus for WordPress scans the active theme folder for malicious injections. It protects the blog against certain forms of exploits and spam injections. Runs in the background and can be configured to notify the admin if a scan finds an anomaly in the theme files.

4. WordPress File Monitor

Note: The plugin has not been updated since 2010. I was not able to find a comparable extension that is updated regularly. While the extension may still work in recent versions of WordPress, I suggest you try it in a local environment first to make sure it does.

The plugin monitors the files of a WordPress blog and notifies the webmaster if any of them have been changed. It can check the file modification date or compare hashes to find modified files.

Folders can be excluded from the scan, important for cache folders for instance with files that change regularly.

5. Secure WordPress

The plugin performs a series of one-time operations on the WordPress blog, specifically:

1. removes error-information on login-page
2. adds index.php plugin-directory (virtual)
3. removes the wp-version, except in admin-area
4. removes Really Simple Discovery
5. removes Windows Live Writer
6. remove core update information for non-admins
7. remove plugin-update information for non-admins
8. remove theme-update informationfor non-admins (only WP 2.8 and higher)
9. hide wp-version in backend-dashboard for non-admins
10. Add string for use WP Scanner
11. Block bad queries

Secure WordPress can be downloaded from the official WordPress Plugin repository.

5 Wordpress Plugins To Increase Your Blog's Security
Article Name
5 Wordpress Plugins To Increase Your Blog's Security
The article suggests five WordPress security plugins that you can install on your blog to improve its security.

Previous Post: «
Next Post: «


  1. allaboutedu said on September 22, 2011 at 11:16 am

    can u suggest a plugin where i can block an IP basis the no of clicks or time spent on the site. so if an ip comes to the site and does x number of clicks in a given time frame then it will be blocked automatically.

  2. dcpatton said on May 13, 2010 at 5:09 pm


    Good article. Interestingly Login LockDown seems to not be updated to the latest version of WordPress. I also think it might be of value to suggest admins use SSL (https) for all their admin activity. Unfortunately a lot of hosting services don’t support it.

    What are your thoughts on plugins like Admin SSL?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.