Top Security WordPress Plugins
172 indexed plugins
Plugins: 172
Active Installs: 27m+
Average Score: 51
Audited: 172
Top Scores
| Rank | Plugin | Score | Errors | Warnings | Installs | Top Issue | Added | Updated |
|---|---|---|---|---|---|---|---|---|
| #101 | .htaccess Site Access Control | 37 | 54 | 67 | 800 | Input is not sanitized | ||
| #102 | ReCaptcha Integration for WordPress | 37 | 60 | 66 | 9k+ | Output is not escaped | ||
| #103 | Injection Guard | 36 | 87 | 45 | 1k+ | Unsafe printing function | ||
| #104 | underConstruction | 36 | 98 | 60 | 40k+ | Unsafe printing function | ||
| #105 | WP fail2ban Blocklist | 36 | 61 | 63 | 3k+ | SQL query is not prepared | ||
| #106 | Brozzme DB Prefix & Tools Addons | 35 | 24 | 42 | 9k+ | Request data is not unslashed | ||
| #107 | CrowdSec | 35 | 130 | 119 | 2k+ | Output is not escaped | ||
| #108 | Expire User Passwords | 35 | 3 | 15 | 3k+ | Nonce verification recommended | ||
| #109 | Give – Cloudflare Turnstile | 35 | 3 | 2 | 500 | Hidden files included | ||
| #110 | Keyring | 35 | 233 | 203 | 1k+ | Output is not escaped | ||
| #111 | Security.txt Manager | 35 | 1 | 0 | 500 | Hidden files included | ||
| #112 | Security Optimizer – The All-In-One Protection Plugin | 35 | 40 | 82 | 1m+ | Request data is not unslashed | ||
| #113 | SMNTCS Disable REST API User Endpoints | 35 | 8 | 0 | 6k+ | Hidden files included | ||
| #114 | Subresource Integrity (SRI) Manager | 35 | 26 | 94 | 900 | Request data is not unslashed | ||
| #115 | WPFront User Role Editor | 35 | 333 | 578 | 30k+ | Output is not escaped | ||
| #116 | Media Vault | 34 | 115 | 150 | 800 | Output is not escaped | ||
| #117 | Zero Spam for WordPress | 34 | 79 | 393 | 20k+ | Non-prefixed global variable | ||
| #118 | Companion Auto Update | 33 | 159 | 298 | 50k+ | Direct Query | ||
| #119 | WP EXtra – One Click Optimize | 33 | 414 | 101 | 7k+ | Missing Arg Domain | ||
| #120 | Admin Menu Editor | 32 | 159 | 233 | 300k+ | Non-prefixed global variable | ||
| #121 | Advanced Access Manager – Access Governance for WordPress | 32 | 849 | 62 | 100k+ | Output is not escaped | ||
| #122 | Restrict Usernames Emails Characters | 32 | 327 | 367 | 1k+ | Output is not escaped | ||
| #123 | WP fail2ban – Advanced Security | 32 | 75 | 153 | 60k+ | Dynamic hook name | ||
| #124 | Titan Anti-spam & Security – Brute Force Protection, 2FA & Spam Filter | 31 | 57 | 196 | 50k+ | Nonce verification recommended | ||
| #125 | My Private Site | 31 | 425 | 190 | 20k+ | Text Domain Mismatch | ||
| #126 | LWS Tools | 31 | 104 | 134 | 10k+ | Request data is not unslashed | ||
| #127 | MainWP Dashboard: Self-hosted WordPress Management for Agencies | 31 | 95 | 317 | 20k+ | Interpolated SQL is not prepared | ||
| #128 | Staatic – Static Site Generator for WordPress | 31 | 420 | 195 | 2k+ | SQL query is not prepared | ||
| #129 | Jetpack Protect | 30 | 657 | 217 | 100k+ | Text Domain Mismatch | ||
| #130 | WPOrLogin – Custom Login, Social Login, Limit Attempts, Hide Login & reCAPTCHA | 30 | 484 | 222 | 2k+ | Unsafe printing function | ||
| #131 | WPS Cleaner | 30 | 430 | 491 | 20k+ | Output is not escaped | ||
| #132 | CloudSecure WP Security | 29 | 74 | 350 | 100k+ | Request data is not unslashed | ||
| #133 | Security Ninja – WordPress Security & Firewall | 29 | 149 | 347 | 7k+ | Direct Query | ||
| #134 | Jetpack VaultPress | 28 | 71 | 362 | 10k+ | Missing nonce verification | ||
| #135 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | 27 | 271 | 568 | 6k+ | Request data is not unslashed | ||
| #136 | WP Hide & Security Enhancer | 27 | 124 | 375 | 50k+ | Input is not sanitized | ||
| #137 | Kadence Central – Site Management, Backups, Security, and Reporting | 26 | 462 | 213 | 30k+ | Text Domain Mismatch | ||
| #138 | SP Move Login | 26 | 881 | 215 | 6k+ | Text Domain Mismatch | ||
| #139 | GD Security Headers | 25 | 407 | 521 | 1k+ | Output is not escaped | ||
| #140 | Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention | 25 | 618 | 605 | 1m+ | Unsafe printing function | ||
| #141 | Loginizer | 25 | 814 | 504 | 1m+ | Output is not escaped | ||
| #142 | Nexter Extension – Security, Performance, Code Snippets & Site Toolkit | 25 | 198 | 710 | 10k+ | Nonce verification recommended | ||
| #143 | Simply Static – The Static Site Generator | 25 | 163 | 448 | 30k+ | Non-prefixed hook name | ||
| #144 | Wordfence Login Security | 25 | 248 | 418 | 70k+ | Output is not escaped | ||
| #145 | All-In-One Security (AIOS) – Security and Firewall | 24 | 552 | 1,228 | 1m+ | Non-prefixed global variable | ||
| #146 | Defender Security – Malware Scanner, Login Security & Firewall | 24 | 306 | 518 | 80k+ | Non-prefixed namespace | ||
| #147 | Limit Attempts by BestWebSoft – WordPress Anti-Bot and Security Plugin for Login and Forms | 24 | 563 | 548 | 4k+ | Text Domain Mismatch | ||
| #148 | RSFirewall! | 24 | 563 | 521 | 4k+ | Output is not escaped | ||
| #149 | Security Plugin, Firewall & Malware Scanner with Auto Removal | 24 | 1,191 | 769 | 30k+ | Output is not escaped | ||
| #150 | SiteGuard WP Plugin | 24 | 362 | 345 | 500k+ | Output is not escaped | ||