Most Downloaded Security WordPress Plugins
144 indexed plugins
Plugins: 144
Active Installs: 27m+
Average Score: 48
Audited: 137
Most Downloaded
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #1 | Jetpack – WP Security, Backup, Speed, & Growth | 23 | 2,821 | 1,303 | 3m+ | Text Domain Mismatch | ||
| #2 | Wordfence Security – Firewall, Malware Scan, and Login Security | 21 | 1,592 | 2,973 | 5m+ | Output is not escaped | ||
| #3 | Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) | 19 | 541 | 385 | 3m+ | Missing Translators Comment | ||
| #4 | Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention | 25 | 618 | 605 | 1m+ | Unsafe printing function | ||
| #5 | MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites | 38 | 3 | 136 | 700k+ | Non-prefixed hook name | ||
| #6 | Kadence Security – Password, Two Factor Authentication, and Brute Force Protection | 23 | 1,053 | 967 | 700k+ | Missing Translators Comment | ||
| #7 | All-In-One Security (AIOS) – Security and Firewall | 24 | 552 | 1,228 | 1m+ | Non-prefixed global variable | ||
| #8 | Sucuri Security – Auditing, Malware Scanner and Security Hardening | 94 | 52 | 5 | 600k+ | Missing direct file access protection | ||
| #9 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 82 | 1m+ | Request data is not unslashed | ||
| #10 | Loginizer | 25 | 814 | 504 | 1m+ | Output is not escaped | ||
| #11 | ManageWP Worker | 22 | 507 | 565 | 1m+ | Non-prefixed class | ||
| #12 | User Role Editor | 43 | 117 | 145 | 700k+ | Output is not escaped | ||
| #13 | Hostinger Tools | 81 | 14 | 22 | 3m+ | wp function not compatible with requires wp | ||
| #14 | Safe SVG | 98 | 7 | 4 | 1m+ | Missing Arg Domain | ||
| #15 | Shield Security – Smart Bot Blocking, Brute-Force Login Protection & File Scanning | 23 | 1,118 | 202 | 40k+ | Missing Translators Comment | ||
| #16 | InfiniteWP Client | 22 | 2,286 | 1,812 | 200k+ | Exception output is not escaped | ||
| #17 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | Non-prefixed global variable | ||
| #18 | Anti-Malware Security and Brute-Force Firewall | 22 | 544 | 965 | 100k+ | Output is not escaped | ||
| #19 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped | ||
| #20 | SiteGuard WP Plugin | 24 | 362 | 345 | 500k+ | Output is not escaped | ||
| #21 | BulletProof Security | 0 | 5,048 | 4,949 | 20k+ | Output is not escaped | ||
| #22 | Companion Auto Update | 33 | 159 | 298 | 50k+ | Direct Query | ||
| #23 | Defender Security – Malware Scanner, Login Security & Firewall | 24 | 306 | 518 | 80k+ | Non-prefixed namespace | ||
| #24 | Activity Log – Monitor & Record User Changes | 38 | 81 | 149 | 200k+ | Nonce verification recommended | ||
| #25 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | ||
| #26 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #27 | BBQ Firewall – Fast & Powerful Firewall Security | 44 | 17 | 17 | 100k+ | Output is not escaped | ||
| #28 | NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall | 22 | 1,265 | 2,065 | 100k+ | Non-prefixed global variable | ||
| #29 | Security Plugin, Firewall & Malware Scanner with Auto Removal | 24 | 1,191 | 769 | 30k+ | Output is not escaped | ||
| #30 | Stop Spammers Classic | 94 | 185 | 1 | 30k+ | wp function not compatible with requires wp | ||
| #31 | WP Ghost (Hide My WP Ghost) – Security & Firewall | 85 | 6 | 373 | 100k+ | Non-prefixed global variable | ||
| #32 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #33 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | Output is not escaped | ||
| #34 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | Missing nonce verification | ||
| #35 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name | ||
| #36 | Simply Static – The Static Site Generator | 25 | 163 | 448 | 30k+ | Non-prefixed hook name | ||
| #37 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | Interpolated SQL is not prepared | ||
| #38 | underConstruction | 36 | 98 | 60 | 40k+ | Unsafe printing function | ||
| #39 | Two Factor | 42 | 18 | 70 | 100k+ | Nonce verification recommended | ||
| #40 | Protect Uploads | 99 | 2 | 1 | 40k+ | Missing direct file access protection | ||
| #41 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #42 | Kadence Central – Site Management, Backups, Security, and Reporting | 26 | 462 | 213 | 30k+ | Text Domain Mismatch | ||
| #43 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | Unsafe printing function | ||
| #44 | Stop User Enumeration | 99 | 1 | 1 | 50k+ | Dynamic hook name | ||
| #45 | Wordfence Login Security | 25 | 248 | 418 | 70k+ | Output is not escaped | ||
| #46 | SecuPress with Simple SSL – Simple and Performant Security | 23 | 1,696 | 1,590 | 40k+ | Non-prefixed global variable | ||
| #47 | Restricted Site Access | 91 | 14 | 11 | 10k+ | Missing Arg Domain | ||
| #48 | Modular DS: Monitor, update, and backup multiple websites | 21 | 161 | 81 | 40k+ | Exception output is not escaped | ||
| #49 | Login With Ajax – Fast Logins, 2FA, Redirects | 23 | 623 | 520 | 10k+ | Output is not escaped | ||
| #50 | Exploit Scanner | 37 | 25 | 130 | 8k+ | Non-prefixed global variable | ||