ChipBot - Gain 11x Higher Profit on Your WebsiteChipBot - Gain 11x Higher Profit on Your Website

Are You Missing These 3 Free WordPress Security Plugins?

Matt Lo
written by
Matt Lo
last updated
September 05, 2019
Are You Missing These 3 Free WordPress Security Plugins?

Recently I’ve attended a few WordPress meetups around Chicago and discovered a pattern with security. Attendees will be confident to talk about their WordPress general best practices, but never about the likelihood of an attack on their instance. This seems odd, especially when 90% of all compromised content management systems came from WordPress.

Admins talked about daily backups, managing plugins, and running weekly scans. Some even subscribe to the Common Vulnerabilities and Exposures alert list, to get the latest on all tech related security issues.

There’s nothing wrong about doing those things.

But what’s missing is the prevention of basic ways a WordPress instance can get compromised.

First, businesses usually have someone else helping out with their website. As a result, business owners will share their passwords. Web admins, writers, SEO specialists, and interns may all have the same password. A strong password becomes less secure when more people know about it.

Although you may have good security practices, other people who know your password may not. For a hacker, a web admin or agency is a high-value target because they have access to multiple business accounts.

The second situation is protection against automated threats.

A new installation of WordPress has no protection against brute-force attacks. If an attacker does figures out your password, other systems will be compromised too. Many people reuse the same password across systems.

An intruder will use brute-forced credentials to login into your Gmail, Stripe, PayPal, and MailChimp accounts.

Social engineering and leaky passwords are common ways to get compromised. I see these website security gaps all the time when I help new customers install my product.

Below are 3 WordPress security plugins you can install within 15 minutes that will address my concerns. They’re free and will work on any platform or service (GoDaddy, HostGator, Dreamhost, DigitalOcean, cPanel, Plesk, etc…).

Assume Everyone Can Get Your Password

What if you shared your ultra-strong password to your web admin, SEO writer on Fiverr, and your marketing wizard brother-in-law? Now is the time to lock down access.

The most common solution people do is change passwords… but then they share them again, creating the same problem. LastPass’ strong passwords don’t protect you against this.

My first simple advice is to please make new accounts for every user you need to give access to. Everyone should have their own account on WordPress. No exceptions.

Second, every account on WordPress should be using two-factor authentication (2FA). It’s another layer of security that asks for a unique code from your personal phone. So even if I get your password, I can’t log in into your WordPress account unless I have your phone too.

Install Two Factor Authentication Plugin

Here are 6 really easy steps to add 2FA:

  1. On your WordPress dashboard, go to Plugins on the left, then click Add New.
  2. On the top right, type “two factor authentication”.
  3. Look for the second one that says Two Factor Authentication, click Install, and then click Activate.
  4. Download the Google Authenticator app.
    Click here to download for iPhone/iPad.
    Click here to download for Android.
  5. Click Two Factor Auth on the left, and scan the barcode using the authenticator app.
  6. Make sure you have a code listed on your app, then click enable in the plugin settings.

You can check if users are setting up 2FA or not by going to the Users page. If you have any questions about the setup, drop a comment below the article.

Prevent Brute-Force Attacks On Your Credentials

A lot of people don’t know this, but there are malicious actors scanning IP addresses all the time. There are 4,294,967,296 IP addresses in the public domain but attackers don’t need to waste time on all those IPs. They only need to know what ranges GoDaddy, AWS, DigitalOcean, and other providers use for their customers.

Hosting companies buy IP addresses in blocks then distribute them in IP pools for their customers. Attackers can continuously scan these pools as new websites come up. They can know if your site is a WordPress based website simply by trying to see if /wp-admin exists on the URL.

By default, WordPress can be brute-forced if left by itself. Your website could be compromised before you gained any traffic traction.

Luckily, there’s a plugin to defend against brute-force attacks.

Install Limit Login Attempts Reloaded Plugin

This will be way faster than configuring 2FA, there are only a few steps.

  1. On your WordPress dashboard, go to Plugins on the left, then click Add New.
  2. On the top right, type “limit login”.
  3. Look for the second one that says Limit Login Attempts Reloaded, click Install, and then click Activate.

There are some default options already in place, but you can fine-tune them in in the settings (which are hidden under the submenu for Settings). For more security, I’d also suggest installing Google Recaptcha to filter out bot requests.

Scan For Malicious Files

For a while, I was never really a big fan of file scanners. I hate them on my computer (slows down processing) so inherently I hate them on my WordPress instance too. Plus I rarely install new plugins.

Over the years, I’ve shifted this mindset when it comes to WordPress security. I don’t install a lot of plugins but I do keep existing ones up to date. Additionally, sometimes I have other web admins updating my theme file for enhancements and features.

And on a side note, after talking with Mark from MacLean WebWorks, he recommends running this even if you have other scanners too. He’s seen Sucuri miss things that WordFence caught, and vice versa.

Never assume your WordPress instance to be safe without constant security audits or scans.

Plugin developers that update plugins can be compromised and sleeper code could be in your theme files. In some situations, sites could be compromised before admins harden the security.

Always have your instance scanned with the most up to date security vulnerability detection. It prevents backdoors, removes malicious files, and gives a little bit of piece of mind.

Install WordFence Plugin

  1. On your WordPress dashboard, go to Plugins on the left, then click Add New.
  2. On the top right, type “wordfence”.
  3. Look for the second one that says Wordfence Security – Firewall & Malware Scan, click Install, and then click Activate.


Don’t underinvest in your website. Upgrade your security and stay up to date as much as you can. Periodically audit your website security and be proactive on the common security breaches. For large breaches, subscribe to

Install these 3 security plugins to be more secure today. Finally, help out anyone else who might run a WordPress website by forwarding this article to them or sharing it on social media. They will thank you for the security advice.

Please share if you liked the article!

Matt Lo
Matt Lo

Matt is a Chicago-based entrepreneur with over a decade of experience building highly scalable web-based technology solutions. Knowledgable in 12 different programming languages and experienced startup veteran; having worked on 6 others. He's currently the founder and CEO of ChipBot. You can reach Matt on Twitter, LinkedIn, or StackOverflow.



Follow Us On Social Media

ChipBot, Inc.2021 ChipBot, Inc. All Rights Reserved.