7 Best WordPress Security Plugins You Probably Don’t Know About

WordPress is used by 31.1% of all websites in the world. It is no surprise that the most popular CMS is a prime target for hackers. The WordPress core is relatively secure, but it does not include security features to scan for malware files or to stop brute-force attacks, bad bots, malicious URL requests, etc.

The good news is that WordPress has plugins for almost everything! Hundreds of free and open source WordPress security plugins are available at WordPress.org.

Here are some WordPress security plugins that, though not as well known as the popular ones, are lightweight, fast and compatible with RunCloud web server stacks, Native NGINX and NGINX+Apache2 Hybrid.

1. NinjaFirewall


NinjaFirewall (WP Edition) is a web application firewall plugin that sits in front of WordPress. It can hook, scan, sanitise or reject any HTTP/HTTPS request sent to a PHP script before it reaches WordPress.


NinjaFirewall is a lightweight, fast, feature-rich web application firewall for WordPress. It does not depend on the .htaccess file for its security filters, so it supports both Apache and NGINX web servers.

2. BBQ: Block Bad Queries



Block Bad Queries (BBQ) is a simple, fast plugin that protects your WordPress site against malicious URL requests. It works with websites that are unable to use .htaccess rules, like sites running on the NGINX web server.


Malicious URL requests are one of the popular methods used to hack WordPress sites. Block Bad Queries checks all incoming requests and blocks those that contain high-risk query strings. It is plug-and-play, requires no configuration, and is compatible with other security plugins.

3. WP fail2ban


WP fail2ban uses fail2ban to prevent brute-force password-guessing attacks at the server level. It logs all login attempts to syslog and comes with two fail2ban filters.


Brute-force password-guessing attacks never stop, and they affect website performance. Blocking attacks at the server level always performs better than blocking at the web application level.

4. Plugin Security Scanner



Plugin Security Scanner checks your WordPress site’s plugins and themes for security vulnerabilities against the WPScan Vulnerability Database. The scanner runs daily and sends an email to the administrator if any vulnerable plugins or themes are found.


It is important to make sure that none of your site’s plugins and themes contain known security vulnerabilities. If a security update for a plugin is not yet available, you should remove the plugin or find an alternative solution.

5. WP Security Audit Log



WP Security Audit Log keeps a real-time log of everything that happens on your WordPress site. The changes the plugin can record include changes to posts, pages, custom post types, tags, categories, user accounts, WordPress core and settings, plugins and themes, the WordPress database, and more.


With a real-time user activity and monitoring log, you can keep an eye on what is happening on your website and easily spot suspicious behavior before it is too late.

6. Blackhole for Bad Bots



Blackhole for Bad Bots is a simple plugin that creates a honeypot trap for bad bots. It adds a hidden link to your WordPress site, and you add a line to the robots.txt file that forbids bots from following the hidden link. Any bot that ignores or disobeys the robots.txt rule will crawl the link and be trapped, that is, denied further access to your site.


Robots.txt, the robots exclusion standard, specifies how to inform web robots about which areas of a website should not be processed or scanned. Good robots should follow the standard. We can safely assume that any robot that does not follow the robots.txt rules is a bad robot, and then block it from accessing your website again.
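The same honeypot logic can be checked offline against server logs. The following is an added example, not code from the plugin or from the original article: it reads the Disallow rules from a robots.txt file and lists the clients that requested the forbidden trap path anyway. The trap path, the robots.txt content and the log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed robots.txt; the trap path is a hypothetical name, not the plugin's.
ROBOTS_TXT = """\
User-agent: *
Disallow: /trap-do-not-follow/
Disallow: /wp-admin/
"""

# Constructed access-log lines in combined log format (documentation IP ranges).
ACCESS_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "GoodBot/1.0"
192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "GoodBot/1.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /trap-do-not-follow/?ref=1 HTTP/1.1" 200 12 "-" "Scraper/0.1"
198.51.100.7 - - [01/Jan/2024:10:01:01 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Scraper/0.1"
203.0.113.5 - - [01/Jan/2024:10:02:00 +0000] "GET /trap-do-not-follow-me HTTP/1.1" 404 0 "-" "Browser/5.0"
not a log line
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*"')

def disallowed_prefixes(robots_txt, agent="*"):
    """Return the Disallow path prefixes that apply to the given user-agent."""
    prefixes, applies = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "user-agent":
            applies = value == agent
        elif field.lower() == "disallow" and applies and value:
            prefixes.append(value)
    return prefixes

def trapped_clients(log_text, trap_prefix):
    """Return the set of client addresses that requested the trap path."""
    trapped = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)                # malformed lines are skipped
        # Compare only the URL path, so a query string cannot hide a trap hit.
        if m and urlsplit(m.group(2)).path.startswith(trap_prefix):
            trapped.add(m.group(1))
    return trapped
```

The crawler that fetched robots.txt and stayed out of the trap is not flagged, and neither is the request for a similar-looking path that does not fall under the disallowed prefix.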

7. StopBadBots



StopBadBots blocks bad bots and web spiders from visiting your WordPress site. It uses neither robots.txt nor .htaccess. Its database includes over 2570 bots and updates automatically. You can manually add an unlimited number of bots, and there is an option to enable or disable blocking for each bot.

Bad bots affect your website performance, steal your content, consume bandwidth, and look for vulnerabilities to hack your site. StopBadBots is lightweight and easy to set up as a solution to the bad bot problem.


No plugin will hacker-proof your WordPress site. These security plugins help to stop most attacks and hacking attempts, and they free up system resources that would otherwise be spent dealing with bad requests.

How do you secure your WordPress site? Please share with us in the comments below.


13 thoughts on “7 Best WordPress Security Plugins You Probably Don’t Know About”

  1. I use GOTMLS to scan & remove malware files on a hacked site. I don’t use GOTMLS for security protection.

  2. This is a great security plugin. The best WordPress WAF (web application firewall). It works smoothly on WordPress with native NGINX too in Full mode. I fall in love with NinjaFirewall.
    For the first time, I was recommended by RunCloud. Thanks for it.
