Top 17 Free WordPress Security and Backup Plugins

Boutros AbiChedid - WordPress Security.

Securing your WordPress Website is critical in growing your online presence. As your Website becomes more popular it becomes more attractive to Crackers.

If you are looking for Security and Backup Plugins for your WordPress Website, then look no further. In this article, I share and review the Best 17 Free WordPress Security and Backup Plugins that don't cost you anything. Keeping your WordPress Website Secure is a must and should be taken very seriously.

Best Protection! Use Common Sense

The best security and peace of mind come from using common sense. The most important step is to always upgrade to the latest version of WordPress. You also need to be vigilant about which plugins you install, as many plugins may pose a security risk on their own, especially if they are not coded to standards and are not regularly updated.

WordPress security starts by using a reputable hosting company. If, by default, your server setup is not secure, then no added security measure is going to keep Spammers, Black hat Hackers, and Script Kiddies out of your Website.

Also keep in mind that you can do many things manually to harden the security of your WordPress Website. These changes are simple enough and don't require a plugin. For instance, please read the 3 tutorials I wrote about WordPress Security:


I want to emphasize that all the Plugins I listed below:

  1. Are Free to use.
  2. Are being continuously updated and maintained. Remember that an outdated plugin can pose a security risk on its own.
  3. Have high popularity and high positive ratings.
  4. Are all tested to work on WordPress version 3.3.2.
  5. Are in my opinion, the BEST.

There are many WordPress Security and Backup plugins available nowadays. After extensive research, testing and reviews, here are the Top 17 WordPress Plugins for Security and Backup purposes that you can depend on. Just choose the one(s) that fit your needs for your self-hosted WordPress Website. And remember, don't overdo it. All links are External. Good Luck!

All Purpose Security Plugins

1. Better WP Security


  1. Visit Plugin Page.
  2. Better WP Security takes the best WordPress security techniques and combines them in a single plugin, ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your Website. Better WP Security can even make regular backups of your WordPress database allowing you to get back online quickly in the event someone is able to compromise your Website. The plugin works on multi-site (network) and single site installations.

2. Ultimate Security Checker


  1. Visit Plugin Page.
  2. Ultimate Security Checker identifies security problems with your WordPress Installation. It scans your blog for known threats, then gives you a security “grade” based on how well you have protected yourself. You can fix the problems yourself, or you can use their service to do it for you automatically.

3. WP-Sentinel


  1. Visit Plugin Page.
  2. WP-Sentinel is a WordPress security system plugin that checks every HTTP request against a given set of rules to filter out malicious requests. Furthermore, WP-Sentinel communicates with a centralized server to collect attacker data and build an IP address blacklist.

4. BulletProof Security


  1. Visit Plugin Page.
  2. BulletProof Security provides .htaccess protection against browser-based hacking attempts: XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection. BulletProof Security provides the additional Website security measures and protection that every Website should have. There is a Professional version of this plugin for additional security measures.

5. Secure WordPress


  1. Visit Plugin Page.
  2. Secure WordPress is a WordPress Security Plugin that beefs up the security of your WordPress installation by removing error information on login pages, adding index.html to plugin directories, hiding the WordPress version, blocking any bad queries that could be harmful to your WordPress Website, and much more.

Backup Plugins

If you have a small blog, run by a single author, then doing a regular manual backup will do. Please read a previous tutorial I wrote on how to do a Complete Backup of Your WordPress Website in 2 Simple Steps.

However, if you run many blogs, or if you run a high-traffic blog with multiple authors, you probably should consider a plugin to automate the backup process.

6. WP-DBManager


  1. Visit Plugin Page.
  2. WP-DBManager manages your WordPress database. It allows you to optimize, repair, back up and restore the database, delete database backups, drop/empty tables and run selected queries. The plugin supports automatic scheduling of backing up, optimizing and repairing the database.

7. myEASYbackup


  1. Visit Plugin Page. (This plugin is NO longer available – July 10, 2013.)
  2. The myEASYbackup plugin backs up, restores and migrates your WordPress installation, both code and MySQL tables. When performing a backup, myEASYbackup creates a single file, called a “data set”, that includes your data in compressed format. Data sets are saved outside the WordPress installation directory so that no one else can discover the links and get them.

8. BackWPup


  1. Visit Plugin Page.
  2. BackWPup is a WordPress Backup plugin. It provides database backup, WordPress XML export, database optimization, database check/repair and file backup.

Login Plugins

For this blog, I do use the Limit Login Attempts Plugin, as I discussed in a previous tutorial: Secure Your WordPress Login Page by Limiting Login Attempts.

9. Limit Login Attempts


  1. Visit Plugin Page.
  2. The Limit Login Attempts plugin limits the number of login attempts both through normal login as well as using cookies. By default WordPress allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be brute-force cracked with relative ease. Limit Login Attempts blocks an Internet address from making further attempts after a specified limit on retries is reached, making a brute-force attack difficult or impossible.
    By the way, yes, this plugin still works on WordPress version 3.3.2.

10. Login Lock


  1. Visit Plugin Page. (This plugin is NO longer available – July 10, 2013.)
  2. The Login Lock plugin enforces strong password policies. It provides emergency lockdown features, monitors login attempts, blocks hacker IP addresses, and logs out idle users.

AntiVirus/AntiMalware Plugins

11. AntiVirus


  1. Visit Plugin Page.
  2. The AntiVirus plugin automatically scans your theme templates for malicious injections. It checks database tables and theme templates, and it performs a daily scan with email notifications.

12. Sucuri Sitecheck Malware Scanner


  1. Visit Plugin Page.
  2. The Sucuri Sitecheck Malware Scanner plugin enables full malware and blacklisting scan capabilities from the Sucuri SiteCheck Website. It will check for malware, spam, blacklisting and other security issues like .htaccess redirections, hidden eval code, etc.

13. Exploit Scanner


  1. Visit Plugin Page.
  2. The Exploit Scanner plugin searches the files on your WordPress Website, and the posts and comments tables of your database, for anything suspicious. It also examines your list of active plugins for unusual filenames. This plugin does not remove anything; that is left for you to do.

Comment Spam Plugins

Comment forms are another typical entry point for Crackers and Spammers. Cleaning out spam comments manually is time-consuming. Many spam comments will slow down your Website, prevent legitimate comments from being posted, and prevent legitimate visitors from accessing your Website.

14. Akismet


  1. Visit Plugin Page.
  2. The Akismet plugin checks your comments against the Akismet Web service to see if they look like spam or not and lets you review the spam it catches in your admin screen. You will need an API key to use it. The API key is free for personal blogs.

15. Bad Behavior


  1. Visit Plugin Page.
  2. The Bad Behavior plugin prevents spammers from ever delivering their junk, and in many cases, from ever reading your Website in the first place. Bad Behavior is a PHP-based solution for blocking link spam and the robots which deliver it. Bad Behavior complements other link spam solutions by acting as a gatekeeper. This keeps your Website's load down, and can help prevent denial of service conditions caused by spammers.

16. Antispam Bee


  1. Visit Plugin Page.
  2. The Antispam Bee plugin is an independent antispam solution. It detects comment and trackback spam. Antispam Bee is simple to use and has many options and filters. It does not store data on remote servers. It can allow comments only in a certain language and send email notifications about new spam comments. It can also block comments and pings from specific countries.

17. SI CAPTCHA Anti-Spam


  1. Visit Plugin Page.
  2. SI CAPTCHA Anti-Spam adds CAPTCHA anti-spam methods to WordPress comments, registration, lost password and login. In order to post comments or register, users will have to type in the word(s) shown on the image. This prevents spam from automated bots. This plugin works great with the Akismet plugin. It is also fully compatible with WPMU and BuddyPress.

Your Turn to Talk

In this post, I discussed the Best 17 Security and Backup Plugins for WordPress, and I am confident that at least one will meet your needs.

There are many more Backup and Security Plugins for WordPress that I did not list, but what you choose is mostly a matter of preference and what works best for you. I myself use the Limit Login Attempts plugin. Also, at some point in the past, I used GASP and WP-reCAPTCHA for comment spam.

If you have any other Security or Backup Plugins to add or something else to say, please share your opinion in the comments section below. Your opinion matters, unless it is spam.


About the Author
Boutros is a professional Drupal & WordPress developer, Web developer, Web designer, Software Engineer and Blogger. He strives for pixel perfect design, clean robust code, and user-friendly interface. If you have a project in mind and like his work, feel free to contact him. Connect with Boutros on Twitter, and LinkedIn.

One Response to “Top 17 Free WordPress Security and Backup Plugins”

  1. Geoff Akerlund says:

    Hey, great list Boutros. My host (WPengine) actually preinstalls limit login attempts by default.

    I would also like to add these free plugins:

    WordPress Backup to Dropbox:
    and UpdraftPlus:

    I’ve created a more comprehensive list at: