Security Plugins
30-60 min | Intermediate
Security plugins are the first line of defense for WordPress. They handle firewalls (WAF), login security, and malware scanning.
Prerequisites
- WordPress admin access
- No existing conflicting security plugins installed
Easy | Recommended
Wordfence Security (Complete)
The most popular choice. Includes an endpoint firewall and malware scanner built from the ground up to protect WordPress.
1. Installation and Setup
   1. Install "Wordfence Security - Firewall & Malware Scan"
   2. Activate and get a (free) license key via email
   3. Go to Wordfence > Dashboard > Optimize the Firewall
   4. Download the .htaccess backup as prompted
   5. Click "Optimize Firewall" (This enables the Extended Protection)
2. Recommended Settings
   1. Enable "Brute Force Protection"
   2. Turn ON "Disable Code Execution in Uploads directory"
   3. Set "Lock out after" [5] login failures
   4. Enable 2FA (Two-Factor Authentication) for Admins - Mandatory!
Best Practices
Do
- Enable Two-Factor Authentication (2FA)
- Keep the plugin updated automatically
- Whitelist your own IP address
Don't
- Run two operational firewalls/security plugins at once (Wordfence + AIOS is usually overkill and causes conflicts)
- Lock yourself out by setting brute force limits too low
Verification Checklist
- Firewall is in "Enabled and Protecting" mode
- 2FA is active for admin accounts
- A malware scan has been run recently
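
The checklist above is read off the Wordfence dashboard; the same state can be spot-checked from the server's file system. The script below is an added example, not Wordfence's code or part of the original guide. It assumes Apache, that Extended Protection loads a wordfence-waf.php file in the site root through PHP's auto_prepend_file, and that the uploads rule lives in wp-content/uploads/.htaccess; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: file-level spot checks for the settings above (Apache assumed).

# True when the WAF bootstrap exists and PHP is told to prepend it.
extended_protection_on() {
    root=$1
    [ -f "$root/wordfence-waf.php" ] || return 1
    for f in "$root/.htaccess" "$root/.user.ini"; do
        if [ -f "$f" ] &&
           grep -Eq '^[^#;]*auto_prepend_file.*wordfence-waf\.php' "$f"; then
            return 0
        fi
    done
    return 1
}

# True when uploads/.htaccess switches the PHP engine off or drops ExecCGI.
# The directive names matched here are an assumption about the rule set.
uploads_exec_disabled() {
    ht="$1/wp-content/uploads/.htaccess"
    [ -f "$ht" ] || return 1
    grep -Eiq '^[[:space:]]*(php_flag[[:space:]]+engine[[:space:]]+(0|off)|Options[[:space:]].*-ExecCGI)' "$ht"
}

# Prints how many PHP-like files sit under uploads; a clean site prints 0.
count_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | wc -l | tr -d ' '
}

# Builds a constructed sample site so the checks can be tried offline.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024"
    : > "$d/wordfence-waf.php"
    printf 'php_value auto_prepend_file "%s/wordfence-waf.php"\n' "$d" > "$d/.htaccess"
    printf 'php_flag engine 0\nOptions -ExecCGI\n' > "$d/wp-content/uploads/.htaccess"
    echo "$d"
}

# Usage: sh wf-check.sh /path/to/wordpress
if [ -n "${1:-}" ]; then
    extended_protection_on "$1" && echo "WAF prepend: ok" || echo "WAF prepend: MISSING"
    uploads_exec_disabled "$1" && echo "Uploads exec: disabled" || echo "Uploads exec: NOT disabled"
    echo "PHP-like files in uploads: $(count_php_in_uploads "$1")"
fi
```

A non-zero count from the last check is worth investigating even when the other two pass, since media uploads should not contain PHP files.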