There are a few WordPress plugins I routinely recommend for security:
- Block countries you don’t want visiting the site with IQ Block Country.
- Use WordFence (paid is recommended but not required for primo protection) to protect your site from many forms of attack.
- All in One WordPress Security and Firewall is a pretty good solution for many.
- Brute Protect is a fantastic way to keep Brute Force attacks from poking a hole in your site.
- Invisible Captcha completely handles crappy spam. Not exactly a standalone, but darn near.
- A decent Backup plugin – there are so many, you choose your favorite. I like to back up to Dropbox, and there are a few that do that.
It is important to note that most security plugins are not “set it and forget it”. Whatever firewall and threat reduction you’re using will require vigilance and care. Don’t expect to take it out of the box, skip any kind of interfacing or settings check, and never look at it again. Also make sure you whitelist your own IP address anywhere you need to, along with the IP addresses of your regular website consultants and content creation team. Otherwise, we can’t come in and help you if something goes screwy.
Best Practices
Update your software every time something needs an update. You’ll see that with a little elbow grease, you can be better prepared for security problems on your WordPress website.
Check that your backups are arriving and include a full copy of the database. Most of the website hacks that have required my help to resolve over the years were easily avoidable, just by backing up and updating on a regular basis.
And don’t install plugins that leave security holes – like a plugin that lets you use SQL commands in posts or widgets, or the like. No matter what you’re trying to solve, there’s a better way to do it than opening up your site to hackers.
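One way to automate the backup check recommended above, as an added example that is not from any of the plugins named here: it confirms the newest backup is recent and that its database dump creates every core WordPress table. It assumes the backup is a zip archive containing a `.sql` dump and that the site uses the default `wp_` table prefix; `check_backup` and `make_sample` are hypothetical helper names.

```python
import os
import re
import time
import zipfile

# Core tables of a standard WordPress install. Assumption: default "wp_" prefix.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta",
               "posts", "termmeta", "terms", "term_relationships",
               "term_taxonomy", "usermeta", "users"]

def check_backup(path, max_age_hours=26, prefix="wp_", now=None):
    """Return a list of problems with a zip backup; an empty list means it passed."""
    now = time.time() if now is None else now
    try:
        age_h = (now - os.path.getmtime(path)) / 3600
    except OSError:
        return [f"backup file missing: {path}"]
    problems = []
    if age_h > max_age_hours:
        problems.append(f"backup is {age_h:.0f}h old (limit {max_age_hours}h)")
    try:
        with zipfile.ZipFile(path) as zf:
            if zf.testzip() is not None:  # CRC check of every member
                problems.append("archive has a corrupt member")
            dumps = [n for n in zf.namelist() if n.lower().endswith(".sql")]
            sql = "".join(zf.read(n).decode("utf-8", "replace") for n in dumps)
    except zipfile.BadZipFile:
        return problems + ["not a readable zip archive"]
    if not dumps:
        return problems + ["no .sql dump inside the archive"]
    created = set(re.findall(r"CREATE TABLE(?: IF NOT EXISTS)? `?(\w+)`?", sql, re.I))
    missing = [prefix + t for t in CORE_TABLES if prefix + t not in created]
    if missing:
        problems.append("dump lacks tables: " + ", ".join(missing))
    return problems

def make_sample(path, tables, prefix="wp_"):
    """Write a constructed sample backup (not real site data) for the demo."""
    sql = "\n".join(f"CREATE TABLE `{prefix}{t}` (id INT);" for t in tables)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("database.sql", sql)

if __name__ == "__main__":
    import tempfile
    d = tempfile.mkdtemp()
    make_sample(os.path.join(d, "full.zip"), CORE_TABLES)
    make_sample(os.path.join(d, "partial.zip"), ["posts", "options"])
    for name in ("full.zip", "partial.zip", "absent.zip"):
        print(name, check_backup(os.path.join(d, name)) or "OK")
```

Run it from cron against wherever your backup plugin delivers its archives, and alert on any non-empty result.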