Top Security WordPress Plugins
188 indexed plugins
Plugins: 188
Active Installs: 27m+
Average Score: 52
Audited: 179
Top Scores
| Rank | Plugin | Score | Errors | Warnings | Installs | Added | Updated | Top Issue |
|---|---|---|---|---|---|---|---|---|
| #51 | LH HSTS | 78 | 3 | 12 | 600 | | | Input is not sanitized |
| #52 | Disable WP Registration Page Spam | 77 | 5 | 12 | 1k+ | | | Nonce verification recommended |
| #53 | OpenID Connect Generic Client | 73 | 9 | 59 | 10k+ | | | Non-prefixed hook name |
| #54 | Comment Form CSRF Protection | 70 | 7 | 10 | 500 | | | Request data is not unslashed |
| #55 | WebDefender Security – Protection & AntiSpam | 70 | 176 | 61 | 1k+ | | | wp function not compatible with requires wp |
| #56 | Simple Login Captcha | 70 | 20 | 19 | 10k+ | | | date date |
| #57 | Simple Login Lockdown | 69 | 13 | 6 | 4k+ | | | Output is not escaped |
| #58 | Content Security Policy Manager | 68 | 19 | 2 | 2k+ | | | Output is not escaped |
| #59 | Protection Against DDoS | 68 | 22 | 5 | 3k+ | | | Output is not escaped |
| #60 | Forget Spam Comment | 67 | 5 | 10 | 10k+ | | | Input is not sanitized |
| #61 | WP Anti-Clickjack | 66 | 4 | 42 | 4k+ | | | Nonce verification recommended |
| #62 | Inactive Logout | 64 | 30 | 71 | 10k+ | | | Non-prefixed global variable |
| #63 | REST XML-RPC Data Checker | 54 | 14 | 45 | 1k+ | | | Input is not sanitized |
| #64 | Meta Generator and Version Info Remover | 52 | 20 | 28 | 10k+ | | | Non-prefixed function |
| #65 | Block IPs for Gravity Forms | 50 | 8 | 36 | 1k+ | | | Request data is not unslashed |
| #66 | TrustedSite | 50 | 29 | 14 | 20k+ | | | Output is not escaped |
| #67 | Whitelist IP For Limit Login Attempts | 48 | 18 | 12 | 600 | | | Output is not escaped |
| #68 | Security Ninja For MainWP | 47 | 246 | 71 | 500 | | | Text Domain Mismatch |
| #69 | iControlWP | 47 | 45 | 59 | 1k+ | | | Missing direct file access protection |
| #70 | Easy Basic Authentication – Add basic auth to site or admin area | 46 | 14 | 28 | 600 | | | Input is not sanitized |
| #71 | SX User Name Security | 46 | 42 | 9 | 900 | | | Output is not escaped |
| #72 | JetHost Total Care – Security & Enhancements | 45 | 10 | 85 | 800 | | | Direct Query |
| #73 | LWS Hide Login | 45 | 5 | 58 | 20k+ | | | Request data is not unslashed |
| #74 | Passwords Evolved | 45 | 26 | 17 | 1k+ | | | Output is not escaped |
| #75 | BBQ Firewall – Fast & Powerful Firewall Security | 44 | 17 | 17 | 100k+ | | | Output is not escaped |
| #76 | User Role Editor | 43 | 117 | 145 | 700k+ | | | Output is not escaped |
| #77 | User Session Control | 43 | 31 | 21 | 700 | | | Output is not escaped |
| #78 | Lock Down Admin | 42 | 30 | 20 | 3k+ | | | Unsafe printing function |
| #79 | Login No Captcha reCAPTCHA | 42 | 45 | 24 | 60k+ | | | Unsafe printing function |
| #80 | Proxy & VPN Blocker | 42 | 10 | 72 | 1k+ | | | Nonce verification recommended |
| #81 | Two Factor | 42 | 18 | 70 | 100k+ | | | Nonce verification recommended |
| #82 | WP Author Security | 42 | 40 | 13 | 500 | | | Output is not escaped |
| #83 | WP Fingerprint | 42 | 34 | 47 | 9k+ | | | Direct Query |
| #84 | CloudGuard | 41 | 41 | 13 | 1k+ | | | Output is not escaped |
| #85 | Edit Lock | 41 | 47 | 22 | 500 | | | Non Singular String Literal Domain |
| #86 | Google Authenticator | 41 | 39 | 65 | 20k+ | | | Output is not escaped |
| #87 | Lockdown WP Admin | 41 | 20 | 50 | 10k+ | | | Request data is not unslashed |
| #88 | Log cleaner for Solid Security | 41 | 65 | 47 | 8k+ | | | Text Domain Mismatch |
| #89 | Advanced Country Blocker | 40 | 23 | 77 | 2k+ | | | Exception output is not escaped |
| #90 | Advanced IP Blocker | 40 | 94 | 44 | 2k+ | | | Exception output is not escaped |
| #91 | Atomic Edge Security – Firewall, Malware Scan and Login Security | 40 | 12 | 184 | 600 | | | Non-prefixed global variable |
| #92 | Limit Login Attempts | 40 | 81 | 38 | 300k+ | | | Output is not escaped |
| #93 | Logbook | 40 | 33 | 59 | 2k+ | | | Nonce verification recommended |
| #94 | No-Bot Registration | 40 | 112 | 42 | 2k+ | | | Unsafe printing function |
| #95 | No CAPTCHA reCAPTCHA | 40 | 112 | 26 | 4k+ | | | Text Domain Mismatch |
| #96 | Universal Honey Pot | 40 | 23 | 94 | 1k+ | | | Missing nonce verification |
| #97 | Blackhole for Bad Bots | 39 | 123 | 69 | 30k+ | | | Output is not escaped |
| #98 | DefendWP Firewall | 39 | 16 | 203 | 3k+ | | | Non-prefixed global variable |
| #99 | Virusdie \| One-click website security | 39 | 149 | 66 | 2k+ | | | Output is not escaped |
| #100 | WPS Limit Login | 39 | 152 | 76 | 100k+ | | | Output is not escaped |