10 Free WordPress Security Plugins Of 2023 (Good, Bad)

Are you interested in WordPress security plugins and looking for free ones?

Choosing the best WordPress security plugin is important since multiple plugins may have different features and levels of quality.

I don’t bother with WordPress security plugins or use any strict s-plugins on my websites. And they can slow down your website (front-end or back-end).

On shared hosting, avoid security or any heavy plugins.

I wouldn’t use Wordfence, All-In-One, iThemes, Sucuri, or any other full-security plugins on shared hosting. Because shared hosting lacks adequate server resources to add more plugins without slowing down your site or usually causing failures.

If you intend to use heavy plugins, at the very least, use cloud hostings like Scala, Cloudways, GURU, Krystal, or Cloud VPS services like DO, Vultr, Linode, etc., with sufficient server resources. (2,4GB+ RAM and Cores)

If Cloudflare or Sucuri do the job for you, then you won’t need a rich security plugin. Remember that server-level security is better than PHP, htaccess, or codes. It’s also critical to understand that no plugin can protect against every potential risk.

Always use properly coded themes and plugins, and avoid using NULLED themes and plugins, which are the most cause of hacker attacks.

You don’t know what’s inside the script with nulled themes and plugins, and there’s a possibility of malware. These codes can contain malware that can blow up and gather your data. Also, some third-party plugins and themes may not always be suitable.

Best Free Security Plugins For WordPress

1. Wordfence Security

Wordfence is a popular multi-security WordPress plugin with a plethora of features. This can help secure your site against attacks, injections, and other features. The scanner helps assess codes and injections and fix them quickly on the dashboard.

The WAF features are extensive to prevent a wide range of threats.

But the biggest problem is that this can heavily slow down your website. Wordfence is one of the popular slow plugins. I never recommend this plugin on shared hosting; you can’t even log in to your website. All multi-security plugins slow down your website because they run CPU-intensive background tasks on top of features, backend runs, and scans.

So you can see it with the Query Monitor WordPress plugin, which allows you to see with your own eyes.

Look at this pic:

Impact of Wordfence on performance, according to Query Monitor

Wordfence is a full-featured security plugin that includes everything. But, some functions are limited to the premium version. However, it can scan and identify whether the data are concerned.

Wordfence UI is something like W3TC UI FOR ME—confused but with a feature-rich interface and an email feature that alerts you that something went wrong.

Here are some Wordfence UI screenshots:

Wordfence’s key features:

Firewall: The firewall built into Wordfence aids in preventing harmful traffic from reaching your website. It can prevent various attacks, including brute force attacks, SQL injections, and cross-site scripting (XSS) risks.
Malware Scanning: scans your WordPress files and database for malware and other questionable code. If it catches any malicious content, it will alert you and allow you to take the right step.
Login Security: Wordfence provides fortified login security, allowing two-2FA and limiting login attempts to prevent brute-force attacks.
Block Malicious IPs: Wordfence can block known malicious IP addresses from accessing your site, providing additional protection.
Notifications: you can use the email alerts feature for critical events on the website, such as a file change or login attempt.
Others: Wordfence has multiple extra features like live traffic monitoring, tracking logins and password usage, site CAPTCHA, disk space tracking, etc.

Wordfence Free has many features, but you don’t need to use it if you already use Cloudflare and other trusted CDNs.

Also, it’s not recommended for shared hosts or hosting services that use fewer server resources. To use Wordfence safely, you’ll need a VPS with at least 2GB+ CPU+RAM.

Arguably, Wordfence is the most feature-rich free or paid security plugin. Besides, it causes your site to slow down. It includes helpful documentation, such as how to clean a hacked WordPress site.

Note: security plugins can cause your website to slow down because they use PHP and core files to access features. The more and more scripts drive your website becomes extremely slow. Try manual options as you can. Alternatively, use a single-task plugin or good web hosts with enough server resources.

2. Cloudflare

Cloudflare is not a plugin, but even the free plan can help a lot with website security. You don’t need security plugins if you use a mix of CDN services like Cloudflare, Sucuri, Fastly, etc., because these have built-in security features that prevent most threats.

Cloudflare has an official WordPress plugin, but it is optional because it makes little difference and has no value for your website’s security. It’s good for APO.

Cloudflare Free can be useful if you have a crowded website or any website that attracts attackers. Cloudflare operates at the DNS level, giving it more control over your website’s processes and security edges. Even on the free plan, they can defend your site from attacks and spammers and apply other security and performance approaches.

Cloudflare Free Security Features:

Fastest DNS: Cloudflare is a prompt DNS provider, and having a fast DNS can be helpful in many ways.
Free CDN: This is the most awesome part. Cloudflare provides an absolutely free CDN. CDN is great for security and performance because spammers and attackers must pass through CDN servers before reaching your servers, and CDN servers are highly optimized for stability. Cloudflare provides extra protection and DNS.
Free SSL: use the full strict option for the best security.
Firewall Rules: helpful in preventing bad bots, regions, XML-RPC, and more.
Bot Fight Mode: this can help stop harmful bots, and bot fight mode is better than plugins because it is refined and does not slow down your website.
Early Hint: not a security feature, but that decreases latency.
Browser Integrity Check: a level to prevent harmful bots and spam, and it looks for threats in HTTP headers from your visitors’ browsers.
Privacy Pass Support: a browser extension enhances browsing and reduces the number of CAPTCHAs viewed by your viewers.
Hotlink Protection: this helps protect your images—media from off-site linking and reduces bandwidth usage, but off-site linking is not always bad.
Server-side Excludes: can be used to hide specific content from unreliable viewers.
Automatic DDoS protection: Detects traffic and grows real-time patterns that move attacks at the web and application levels.

In the free version, you can use paid addons such as “APO,” which caches HTML and can provide fast worldwide speeds with minimal latency. Load Balancing can route traffic to faster data centers.

Otherwise, you can use the “PRO” plan, which includes extra features like turbo, image optimization, super bot fight mode, more WAF rules, etc.

There are tons of Useful Cloudflare Security features, and if you can use their premium version, you really don’t need any security plugins—Especially the enterprise plan. You can’t use it for average websites, but you can use it via hosting services like Rocket.net, Kinsta, BigScoots, etc.

Besides Cloudflare, other CDNs are also good for WordPress Security, including KeyCDN, BunnyCDN, Quic.cloud, etc. These are some of the best CDNs for WordPress Security.

3. Antispam Bee

Antispam Bee FREE WordPress Security Plugin

Antispam Bee is a spam comment filter plugin utilizing Honeypot. And this plugin only does it and has valuable features for dealing with spam comments. The plugin stops spam comments and reposts without using re-captcha or third-party systems.

Honeypot is a technology that analyzes attacker behaviors and helps determine whether a commenter is a bot without a captcha. Honeypot uses challenges for bots. And if they are identified as bots—they will be barred before leaving a comment.

This is the best WordPress plugin for stopping spam comments with little or no impact on page speed. And I use it on all websites.

The most reasonable part is that it is entirely free and has no ads. There aren’t any notifications inviting users to upgrade to the premium version.

Antispam Bee Useful Features:

Trust accepted commenters: get pre-approved commenters automatically.
Trust with Gravatar: typically uses humans, but spammers are possible.
Comments only specific languages: Only English comments would be relevant to websites in English.
Block certain countries: If you receive a significant number of spammers from a few countries, you can block them.
Verify the IP addresses: Can confirm IPs from commentators.
Delete existing spam: terminate current spam on set dates.
Statistics dashboard: View spam data on the dashboard, daily reports of the spam rate, and blocked spam, but this is unnecessary.

Additional Recommendations:

Remove Website Field: Backlink hunters always try to use the comment’s website URL field. Their intention in a comment is to get a backlink, not to add worth discussion. You can remove the Website URL Field from the comments section.

Most WP themes include this feature; if they do not, plugins can help.

Alternatively, you can use this custom code. Find functions.php in your theme’s folder. At the end of the file, add the following code:

function remove_comment_website_field($fields) {
    unset($fields['url']);
    return $fields;
}
add_filter('comment_form_default_fields', 'remove_comment_website_field');

When using any of those approaches, the website box should be removed from your WordPress site’s comment section, and visitors won’t be put website URL when posting a comment. This can lead to fewer spam comments.

Disable HTML: you can use HTML in the comments, and it can be used to mask spam links. You can prevent this by disabling HTML in comments.

However, using reCAPTCHA to stop spammers is not the solution. Yes, it can be used, but it will slow down your website. It is important to know that reCAPTCHA services are third parties, so I don’t think your website should have extra external requests.

WPS Hide Login is a single-task tiny plugin (47KB). It only changes the login page from wp-login to a different URL. It detects page requests and is compatible with any site.

Unlike other security plugins, there are no negative effects on page speed. WPS Hide Login is a simple solution for securing the WordPress wp-admin.

After installing this plugin, you will see it in the Settings tab. Click, and you will see a page similar to this example image, where you can change the login URL and redirect to a different URL to access the login page:

Change the login page from wp-login.php to a different URL.

If you forget the new login URL, removing this plugin restores your site to its old state. Alternatively, you can rename the plugin folder in the file manager.

LoginWP

If you want to redirect users to a different URL once they access the default login URL when trying to log in, you can install a plugin called “LoginWP—Peter’s Login Redirect.”

Install and enable the plugin. In the plugin Login URL Redirect area, enter the URL where you want to redirect users when they access the default login URL (wp-login.php).

Here’s a picture:

5. Anti-Malware Security

Anti-Malware Security and Brute-Force Firewall

Anti-Malware Security is an entirely free plugin that scans and removes recognized new threats, backdoor scripts, and database injections. Firewall to stop malware, directory shield, PHP file security, Brute-force protection, and other features.

If you only need scanning or a firewall, this plugin is ideal. However, the Firewall provides fewer functions than others. But scanning is perfect and has little impact on page speed.

The anti-Malware security plugin user interface needs more visual appeal, as it gives the appearance that this plugin wasn’t specifically designed for WordPress. However, the plugin’s simplicity makes it worth considering, especially for scanning purposes.

Here’s a pic:

Although this is not a full-featured plugin like Wordfence, I like that it focuses on checking and Firewall. Don’t waste your time with formal lists that mess with htaccess.

Limit login attempts reloaded is another single-task plugin developed to restrict logins. After a set amount of retries, this plugin will prevent an IP from making further shots, helping to make a brute-force attack tough. By default, WordPress allows unlimited login attempts. Also, that may slow down a website due to the considerable requests.

Brute force attack is the most common type of attack on websites, even small ones. This simply means that a person or a bot will keep guessing your login details until they get them correct, and sometimes they use codes or add-ons to do this.

Limit login attempts plugins let users monitor, and cap login tries for a set time. However, even with security plugins installed, you can still be hacked.

With the free version, you can customize the lockout time, the email sent when an attempt is blocked, etc. But I felt this plugin was a little bloated (699 kb in size), and many essential features were only available in the paid version.

Paid features: Automatic backups, timed lockouts, country blocking, etc.

But brute force attacks are a severe issue, especially in WordPress, and you can prevent them with this plugin. However, this plugin is unnecessary if you already use full-featured plugins like Wordfence, All in One, Itheme, Sucuri, etc.

I hate the Dashboard, which repeatedly encourages upgrading to the premium version.

7. iThemes Security

I’m not a fan of iThemes Security, but you may find it quite helpful, and I like this UI because everything is put on a single, uncomplicated page. Friendly to beginners.

It’s good that they’re not taking up space. The unfortunate reality is that most of those features are simply htaccess lines, that’s all. Site scan does not perform like Anti-Malware or Wordfence, and this plugin uses a lot of memory, as tested by Query Monitor.

Some Useful iThemes Security Features:

Enforce SSL: helpful in ensuring that all connections are secured using SSL.
Brute Force: alternative term to limit login attempts
Hide Login: It lets you modify the default login URL, like the WPS Hide Login.
Two-Factor: extra login security layer
Database Security: helps in the prevention of database injection attacks.
File Change: scan the site for file changes, but Wordfence does this better.
Ban Users: barring specific IP addresses.

I don’t know why this plugin is popular. iThemes is nothing incredible, only simple and silly things like strong passwords, PHP execution, file access, etc.

If you are new to WordPress, this can be handy until you learn how to do those on your own. The UI is straightforward. You just need ticks, but don’t use it with shared hosting.

8. Shield Security

Shield Security WordPress Security Plugin

Shield Security is another full-featured CPU-hungry plugin with a plethora of features and queries. Yes, the plugin has a lot of positive reviews, but it also causes the website to slow down. That is the main reason why I am not interested in this plugin.

Not just this one, but most security plugins usually require database access to store records, blocklist data, and others. The database on your host may experience overload due to the multiple database requests, which will affect how quickly your site loads.

However, if you have a lot of server resources, such as VPS or dedicated servers with cloud panels, this is good, but having a lot of unnecessary features feels overblown.

On shared hosting, I can’t even log in to the dashboard, and according to Query Monitor, this plugin has a lot of queries, something that I don’t see in other WordPress security plugins.

Don’t Combine Features:

Using multiple security plugins or a security plugin with another plugin offering similar features can result in redundant functions and excessive resource usage.

Shield Security Features:

Scanner: you can scan and fix WP core, plugin, and theme files in the free version.
AntiBot Detection: This can help to protect security with bot-detection tech without confusion. You can also select security locations like Login, Register, Checkout, etc. You can set your login cooldown time with a Cooldown period in seconds.
SPAM Protection: prevent spam in comments and forms.
Firewall: It’s good to see Firewall in the free version. You can customize and set Whitelists for pages, parameters, and users that avoid the Firewall.
Security Headers: these are just htaccess lines, but they include some extra features like Mime-Sniff, XSS Protection, etc.
Traffic Logs: This log allows you to look at traffic and unwanted activities.
Alert: It will inform you if something goes wrong.

Shield Security Automatic Bot Comment SPAM Protection

This is a fully functional freemium security plugin, with some features limited to the paid version. My main complaint is that this plugin slows down like hell, particularly the WP dashboard. And many ads for the premium version.

It has helpful guidelines for each feature as well. Also, aggressive firewalls or frequent logs can lead to slowdowns.

Note: You know that adding more features and checks to every page can result in more queries and processes. That is the most common reason for a website’s slowdowns.

I think this plugin is fine if you have a good web host with plenty of server resources. Otherwise, it’s slow and can cause extra problems. But it’s worth a shot.

9. Loginizer

Loginizer is a login security plugin that focuses on brute force attacks. Still, it has extra features available in the paid version, like PasswordLess Login, 2FA, Captcha, File Checksum, etc. However, the paid version is not worth it for those features.

This plugin provides useful features and suggestions for Brute Force security and is an excellent alternative to Limit login attempts reloaded. You can configure maximum retries, lockout time, maximum lockouts, extend lockouts, retries, and email alerts.

Also, the plugin has IP blacklist features to block unwanted IPs and also IP whitelist features to allow trusted IPs to bypass security. You can customize the error message for failed login attempts, but these features are just lines of code.

My concern about the plugin is that it has few features but has an overload of queries and ads. Also, all other features are only available in the pro version.

Use one or two security plugins to ensure that the security measures you deploy won’t cause your site to load slowly.

Loginizer is unnecessary if you already use a full-featured plugin or third-party protection like Cloudflare, Sucuri, etc. Also, you should avoid feature overlaps with other plugins.

And Loginizer may slow down your admin panel. It is beginner-friendly in terms of user experience and ease of use. However, you can do everything manually if you are a skilled WordPress user.

10. Really Simple SSL

Most of the time, Really Simple SSL is a useless plugin, but it can help you configure your website to run over HTTPS. And if your site is small, you don’t need this one.

But if you have a lot of pages and content, they can be mixed together, and this plugin can help. It also has some cool features, but the paid version is unnecessary.

Really Simple SSL Free Version Features:

Mixed Content Fixer: One of the critical features that address “mixed content” problems is when your website loads resources like images, programs, or CSS files over HTTP rather than HTTPS, causing a security warning in browsers. The plugin helps ensure all resources are loaded securely over HTTPS against mixed content errors.
Security Headers: This can help you set up security headers like HTTP Strict Transport Security (HSTS) and secure cookies to improve the security of your website.
Backend mixed content fixer: It is possible to mix content on the WordPress backend. This feature is helpful if you have that type of problem.

Overall, Really Simple SSL makes it easier to add a security certificate and enable HTTPS on your WordPress site, even for users with less technical knowledge.

It has over 5 million installs and all 5-star ratings, and many people can get help with SSL and Mix content problems with a few clicks.

This is nothing incredible for me; many sites don’t want it. But this is a handy plugin if you have a problem with that. However, I felt slightly bloated because it has 600kb+ads.

WordPress Security Plugins Aren’t Always Reliable

All plugins aren’t fine or safe. Some were made with great care and are hugely helpful, while others are junk with regular htaccess edits. And have other problems.

So, these are some concerns I have about WordPress security plugins:

Slow down the website:

This is a significant problem with security plugins, especially full-featured ones, as they cause your website to slow down with unnecessary features. Even you don’t need to use image optimization plugins because you can use methods like Ezgif or CDN to optimize.

If you’re worried, you can set up a security plugin for the scanning but deactivate it afterward. When you notice issues with your site, run the scanning, catch the problems, and then uninstall.

However, tiny security plugins or single-task plugins such as Hide Login, Antispam Bee, Limit Login Attempts, and others have nothing to do with page speed.

Firewall, IP blacklist, scanner, brute force, core file validation, and other features dealing with PHP and core files can always slow down your website.

In VPS or Dedicated servers with massive resources, this is a manageable problem because you have enough space for everything. However, on shared hosts, they are always a problem. Use a good cache plugin like FlyingPress when using a security plugin.

They can’t fully protect your site:

That is the point; even if you have installed a security plugin, you can be attacked. Because they cannot detect all bad guys and can only identify known structures, what about new hacking tactics and scripts?

Attackers and bots try to find some holes to exploit. This isn’t a big deal for a small site, but you’re always flying under the radar if you’re a brand.

They are expensive:

Security plugins are not charity services because they are crafted to make some profits rather than provide protection. Even though they do a good job, most features or support are restricted to the paid version.

They offer unrelated functions to explain the price that doesn’t positively involve security. But I can’t blame them because they run a business, and developing is not easy.

Irrelevant features:

I hate this because unrelated functions are always slow and cluttered, which is a critical factor in why I liked the one-task plugins.

For marketing reasons, many security plugins aim to surpass one another by adding whatever function they can. They are unrelated to security and shouldn’t even be included in plugins.

The main reason why some plugins are so slow and require so many autoloads is because of their bloated features.

Security Plugins Not Mentioned in This List (And Why)

I’m aware that there are plenty of WordPress Security Plugins around, both free and premium, and that most of them are not effective. So, because I only included 10+ plugins, here are several popular ones that I did not include. Why?

Cerber Security: although this plugin is more effective than Wordfence. It was recently removed from the WordPress plugin directory, so I can no longer recommend it. Personally, I like it and find it useful.
Sucuri: Sucuri is a great company when it comes to WordPress security, but this plugin is ideal in a paid version. If you subscribe to their paid service, it is perfect.
Defender Security: Nothing remarkable, but well-designed and user-friendly. However, the most notable features are lacking from the free version.
All-in-One Security: nothing unique, similar to iThemes, but the UI is not friendly.
MalCare: Although fully functional, it is not user-friendly and requires payment before providing its essential function. And it works outside of the WP dashboard.
Bulletproof Security: matured plugin, but outdated UI and CPU-intensive tasks that seem unnecessarily complicated. Features may be helpful for large websites.
Jetpack: isn’t much to say about this; worst WordPress plugin ever, terrible and slow.

Wrapping It Up

There are types of security plugins like full-featured once (Wordfence, Cerber security, Bulletproof, Shield security, etc.).

Firewall and malware scanning plugins only check and deal with firewalls, similar to Anti-malware security. And other small checklists and simple task plugins, like Antispam bee, WPS Hide login, Limit login attempts, etc., can be more useful than others.

And third-party security services like Sucuri, Cloudflare, and MalCare.

Security plugins are not required and can slow down your website. But they can be helpful if you have a large website or brand. Anyway, choose the right one for your site.

Many security plugins are overpriced. Unfortunately, even with a security plugin installed, you can be hacked. Hehe!

Constantly keep a backup and avoid using nulled or third-party plugins and themes. Use reliable hosting services and CDNs to protect your website better than plugins.

If you have any questions, thoughts, or comments, leave them in the comments section.

Read More: