WordPress Security Plugin Review – The Best Free and Paid Security Plugins

Updated on November 04, 2017

This article is part of our WordPress Security series:

1. A Handy Guide to WordPress Security
2. WordPress Vulnerabilities
3. WordPress Security Plugin Review


In other words, the open source content management system designed to be lean and flexible needs added security functionalities to keep up with sophisticated cyber-attacks. This extended functionality comes from third-party tools called security plugins.

BulletProof Security

Among these is BulletProof Security, downloaded over a million times with only a single one-star (out of five) feedback rating. The security plugin provides strong protection against XSS, RFI, CSRF, SQL Injection and a ton of other WordPress exploits. It features firewalls, security monitoring and login security, and strengthens access privileges to prevent costly attacks.


BulletProof Security is not the easiest plugin for non-techie website owners to install on the WordPress platform. The plugin shows some spooky pop-up messages during installation, sometimes raising false alarms and sometimes raising legitimate concerns, as this test demonstrates.

If your WordPress installation contains several rules in the .htaccess file, you’ll have to manually configure the plugin to overwrite some of the existing data, which means you should back up the file in case your site goes down. Here’s a handy video guide to installing and configuring the BulletProof Security plugin.

Once configured, the security plugin doesn’t interfere with the operation of other WordPress software and plugins despite making changes to the source code.

Firewall Security

WordPress security plugins are not the same as the security firewalls that defend an entire hosting network, because those security measures can only be implemented at the server level by hosting companies (one more reason to seek out the right hosting company).

The security plugin will, however, work as a rule-based (.htaccess deny) firewall for your specific WordPress installation. It uses .htaccess website security configuration, which means .htaccess files are processed before any other script on the site. This allows BulletProof Security .htaccess files/firewalls to prevent malicious scripts from executing before they reach PHP files such as wp-config.php, bb-config.php, php.ini, upgrade.php, install.php and php5.ini, among others at the WordPress core. Here are the details on using the BulletProof Security plugin for .htaccess security.

Creating .htaccess files enables BulletProof Security to protect your site against XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection attacks. You can also add your own .htaccess code to add functionality to your WordPress site, in addition to strengthening protection against unauthorized intrusion.

Login Security

The BulletProof Security plugin provides adequately restrictive default login settings to defend against brute-force login attacks, one of the most popular WordPress exploits capable of compromising over 30,000 sites in a single day!

The security plugin limits login attempts and obscures login error messages that assist hackers in guessing login credentials. However, not all of these settings are activated by default, which could prevent the plugin from working at its maximum potential. As a result, WordPress users have to remain vigilant, as BulletProof Security on its own doesn’t do much to fill the security holes left by human vulnerabilities.


BulletProof Security (especially the free version) isn’t an all-in-one security solution for large-scale online businesses such as e-commerce sites running on the WordPress platform. Installation takes way more than just ‘a few clicks’ as promised. Untrained users can easily miss out on core security features that need to be activated separately. Configuration is a rather complex process, with several coding errors and conflicts emerging to frighten average online business owners managing WordPress.

Most of the restrictive login features should have been enabled by default, without which determined hackers can effectively use login exploits to access the WordPress core and inject backdoors. BulletProof Security takes care of most of the vulnerabilities exploiting flawed access rights and user privileges, but human vulnerabilities such as weak usernames and passwords are mostly overlooked by the plugin under default settings.

And finally, the security plugin is never completely removed from the site, even after a thorough uninstallation. Entries added to the .htaccess files are not completely removed after uninstalling the security plugin, and hackers can exploit these rules to compromise your website.

However, BulletProof Security offers some of the best customer support services out there, and the community actively helps resolve every technical issue there is.
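The .htaccess backup recommended earlier in this review makes these leftover entries checkable. As an added example (not code from the plugin or from the original article), this Python script compares a pre-install backup with the file present after uninstalling; the function names and both sample files are constructed for illustration.

```python
from collections import Counter

# Constructed sample: .htaccess saved before the plugin was installed.
BACKUP = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Redirect 301 /old-page /new-page
"""
# Constructed sample: file found after uninstalling (not real plugin output).
CURRENT = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
<FilesMatch "^(wp-config\.php|php\.ini)$">
  Require all denied
</FilesMatch>
"""

def _directives(text):
    """Return (line_number, directive) for each non-blank, non-comment line."""
    found = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = " ".join(raw.split())  # trim and collapse whitespace
        if line and not line.startswith("#"):
            found.append((number, line))
    return found

def _unmatched(lines, reference):
    """Directives in `lines` with no counterpart left in `reference` (multiset)."""
    remaining = Counter(directive for _, directive in reference)
    extra = []
    for number, directive in lines:
        if remaining[directive] > 0:
            remaining[directive] -= 1
        else:
            extra.append((number, directive))
    return extra

def htaccess_drift(backup_text, current_text):
    """Leftover = only in the current file; missing = only in the backup."""
    before, after = _directives(backup_text), _directives(current_text)
    return {"leftover": _unmatched(after, before), "missing": _unmatched(before, after)}
if __name__ == "__main__":
    print(htaccess_drift(BACKUP, CURRENT))
```

Review every "leftover" directive before deleting it, and restore any "missing" directive your site relied on before the plugin overwrote the file.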

BulletProof Free vs. Premium

The free version is mostly a monitoring tool that will also prevent unauthorized intrusions using .htaccess security settings. It offers reasonable protection against injection and cross-site request forgery attacks, and you can address core-level PHP vulnerabilities using additional measures to lock down mission-critical files.

The Pro version does the same automatically and offers enhanced protection against sophisticated Denial of Service, spam and brute-force attacks. But the Pro version is rated slightly less than perfect in comparison with other paid security plugins, especially since alternatives such as Sucuri Security offer better overall security performance.

Sucuri Security

Little comes free here. The free version only offers entry-level security features and website scans to determine if a hacker has broken into your WordPress website. But since WordPress security is all about preventing unauthorized intrusions in the first place, the paid version of the Sucuri security plugin provides the multiple layers of defense needed at various stages of cyber-attacks.

These defenses include malware and blacklist monitoring and cleanup, and website security monitoring at WordPress core and server level. The paid BulletProof Pro version also offers similar security features, but the Sucuri Security plugin requires minimal user intervention, as most of the scans and back-end changes are fairly automated, single-click processes.

Sucuri Security excels in website security, and its development team cleans up backdoors and malware for a small fee. Add the Sucuri WordPress security plugin to a polished website and it will remain that way for a long time, because the plugin works as a firewall communicating with Sucuri servers. And if a cyber-attack is detected at any website, the culprit IP is banned across the network, resulting in incremental security protection for all their customers.

But for Sucuri to ensure complete security, you need to purchase the complete Sucuri package which includes CloudProxy, a cloud-based detection/prevention solution, off-site backup and Web-application firewall services.

However, if you’re sufficiently tech-savvy and can play around with your Website code and configuration settings, the BulletProof Pro security plugin with a highly-active support community can work just as well for a fraction of the cost.

This article was written by Ali Raza
Ali is a Pro Web Developer and a huge fan of WordPress and BuddyPress. He also covers consumer and enterprise technology issues for major U.S. and international publications. As a racing driver and a stunt master, only cars eclipse his love for technology.
