Security has been a concern since the dawn of humanity. The premise of any protective device is to secure what we value most.

We’ve created doors, walls, fences and alarm systems. To a certain extent they work. But at the end of the day, even the greatest security system won’t work if we don’t take the steps to implement it.

In a similar way, our websites are valuable. For some, their website is their most precious thing. If that is you, would you leave it exposed, wide open and waiting to be taken from you?

Working as a web developer, I deal daily with websites that have been hacked, phished or are extremely vulnerable to either.

When clients or colleagues ask me “Raf, what is a good security starter kit?”, I normally list some of my favorite plugins.

My top WordPress Security Plugins for 2016 are:

Author: Wordfence
Premium version: available for purchase

About the plugin:

Secure your website with the most comprehensive WordPress security plugin. It includes a firewall, malware scanning, blocking, live traffic monitoring, login security and more. Wordfence Security is 100% free and open source.


WordPress Firewall

  • Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.

Blocking Features

  • Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.

Login Security

  • Enforce strong passwords among your administrators, publishers, and users. Improve login security.

Security Scanning

  • Scans core files, themes and plugins against repository versions to check their integrity, verify security of your source and see how files have changed. Optionally repair changed files that are security threats.
  • Scans for signatures of over 44,000 known malware variants.
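The core-file integrity check described above, as an added illustration of the concept rather than Wordfence's own scanner: every file under the install is hashed and compared with a manifest of expected hashes (WordPress.org publishes MD5 checksums per core release; here the manifest and the mini install tree are constructed in a temporary directory), reporting modified, missing and unexpected files. Skipping wp-content is an assumption for the demo, since that directory holds site data rather than core files.

```python
import hashlib
import os
import tempfile

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tree(root, manifest, skip_dirs=("wp-content",)):
    """Compare files under root to an expected-MD5 manifest (relative paths as
    keys). Directories in skip_dirs are ignored. Returns sorted lists."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = md5_file(full)
    return {
        "modified": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in found),
        "unexpected": sorted(p for p in found if p not in manifest),
    }

def run_demo():
    """Constructed mini tree: one tampered core file, one missing, one planted."""
    pristine = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-login.php": b"<?php // login form\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
    }
    manifest = {p: hashlib.md5(c).hexdigest() for p, c in pristine.items()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-includes"))
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        for p, c in pristine.items():
            with open(os.path.join(root, p), "wb") as f:
                f.write(c)
        with open(os.path.join(root, "wp-login.php"), "ab") as f:
            f.write(b"// extra line appended after install (constructed change)\n")
        os.remove(os.path.join(root, "index.php"))
        with open(os.path.join(root, "wp-includes", "extra.php"), "wb") as f:
            f.write(b"<?php // file that is not in the manifest\n")
        with open(os.path.join(root, "wp-content", "uploads", "a.jpg"), "wb") as f:
            f.write(b"site data, skipped by the scan")
        return verify_tree(root, manifest)
```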

Monitoring Features

  • See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhance your situational awareness of which security threats your site is facing.

Multi-Site Security

  • Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.

Authors: Dave Ross, Jesse Polak, Andrew Rusell, Laurence

About the plugin:

Modern two-factor that people love to use: strong authentication without passwords or tokens; also, single sign on/off; magical login experience.


Login Features

  • No passwords: log in securely with the Clef wave, and enjoy two-factor protection without one-time codes.
  • No extra devices: use your smartphone instead of a “third device” such as a USB drive or security key.

Security Features

  • Strong authentication: Clef replaces passwords with the highly secure, tried-and-true RSA public-key cryptosystem.
  • Comprehensive login protection: Clef disables passwords for all three WordPress authentication points: Dashboard access, API access (XML-RPC), and password resets. Thus it protects WordPress’s front door and back door against the full spectrum of password-based attacks.

Configuration Options

  • Flexible password settings
  • Shortcode support: insert Clef’s “login with your phone” button or the Clef Wave in any post, page, or text widget using the clef_render_login_button shortcode.
  • Standards-based compatibility: Clef’s WordPress plugin adheres to WordPress coding guidelines and is compatible with most mainstream plugins and themes.

Authors: jwineman, thellimist, icyapril

About the plugin:

All of CloudFlare’s performance and security benefits in a simple one-click install of recommended settings specifically developed for WordPress.


Web application firewall (WAF) rulesets

  • Available on all of CloudFlare’s paid plans, the WAF has built-in rulesets, including rules that mitigate WordPress-specific threats and vulnerabilities. These security rules are always kept up to date; once the WAF is enabled, you can rest easy knowing your site is protected from even the latest threats.

Automatic cache purge

  • Occurs when you change the appearance of your website. This means that you can focus on your website, while we ensure that the latest content is always available to your visitors. (Note: By default, Cloudflare does not cache HTML, and a cache purge is not required on updating HTML content such as publishing a new blog entry).

Additional features

  • Header rewrite to prevent a redirect loop when Cloudflare’s Universal SSL is enabled
  • Change Cloudflare settings from within the plugin itself without needing to navigate to the dashboard. You can change settings for cache purge, security level, Always Online, and image optimization
  • View analytics such as total visitors, bandwidth saved, and threats blocked
  • Support for HTTP2/Server Push

Authors: Matthew, Ronald Huereca, Roary Tubbs, BigWing Interactive

About the plugin:

Manage all your WordPress updates, including individual updates, automatic updates, logs, and loads more. It also works with WordPress Multisite.


  • WordPress Core Updates – This setting is used to toggle on and off the WordPress core updates.
  • Plugin Updates – This setting is used to disable all plugin updates on your website.
  • Theme Updates – This setting is used to disable all theme updates on your website.
  • Major Releases – This setting toggles whether or not you want the major WordPress core versions to automatically update themselves.
  • Plugin Updates – This setting can either automatically update all your plugins, or automatically update any select plugins you want.
  • Theme Updates – This setting can either automatically update all your themes, or automatically update any select themes you want.
  • WordPress Version in Footer – This setting will remove the WordPress version in the admin footer on your website.
  • The ability to block users from configuring the settings.
  • The ability to select which users can still see and perform updates.

Author: Backup with UpdraftPlus, David Anderson, DNutbourne, aporter, jcb121
Premium version: available for purchase

About the plugin:

Backup and restoration made easy. Complete backups; manual or scheduled (backup to S3, Dropbox, Google Drive, Rackspace, FTP, SFTP, email + others).


  • Supports WordPress backups to UpdraftPlus Vault, Amazon S3 (or compatible), Dropbox, Rackspace Cloud Files, Google Drive, Google Cloud Storage, DreamHost DreamObjects, FTP, OpenStack (Swift) and email. Also (via a paid add-on) backup to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, FTP over SSL, SFTP, SCP, and WebDAV (and compatible services, e.g. Yandex, Cubby, OwnCloud). Examples of S3-compatible providers: Cloudian, Connectria, Constant, Eucalyptus, Nifty, Nimbula, Cloudn.
  • Quick restore (both file and database backups)
  • Backup automatically on a repeating schedule
  • Site duplicator/migrator: can copy sites, and (with add-on) duplicate them at new locations
  • Failed uploads will automatically be resumed/retried
  • Large sites can be split into multiple archives
  • Select which files to back up (plugins, themes, content, other)
  • Select which components of a backup to restore