I will be the first to admit that I don’t know very much about internet security. It’s the main reason I steer clear of working on e-commerce websites and others that deal with highly sensitive information. Sure, I know enough not to use the same easy-to-guess password for everything, but when it comes to hackers, I don’t really understand how they do it, and I only partially understand why they do it.
When faced with any evidence of hacking, my usual response is to “nuke the entire site from orbit,” to use the famous quote from Aliens (1986). That is, to delete the entire website and restore from an off-site backup. It’s kind of like demolishing your house when you find out you have roaches, but only if you could somehow keep a backup copy of your house and easily rebuild it once the rubble had been cleared away.
Luckily for me, most of the website work I do is in WordPress, and WordPress has a large and enthusiastic community of developers who know a lot more about security than I do, and there are quite a few utility plugins available to help you detect, prevent and recover from the damage done by unauthorized use of your website.
These are the two that I recommend for just about any WordPress website:
Wordfence is my favorite WordPress security plugin. It is easy to install and use, and it has a lot of really useful features. It provides a live view of traffic to your website so you can see what countries and IP addresses visitors to your site are coming from, and it allows you to block individual IP addresses from accessing your website if you think they’re up to no good. It also has a feature that will limit the number of failed login attempts, which is helpful against hacking programs that keep throwing random passwords at your website until they find the right one.
But Wordfence’s most useful feature is a daily scan of all the files in your website, where it checks them against a database for changes, makes sure you have the most current versions of your core software and plugins, detects files containing possible malicious code, and sends you an email alert if it detects a problem. If nothing else, this serves as a great reminder when you need to update a plugin, but it might also help you detect a hacking attempt before it has a chance to get too far.
Everyone knows that you should back up all your files and data on a regular basis. Everyone also knows what a hassle it is to remember to back up all your files and data on a regular basis. BackWPup is a great automatic backup utility. You can set it up to make regular scheduled backup copies of some or all of your website files, as well as your database. It will save them wherever you like: in a directory on your website’s server, on a remote server via FTP, or to your Dropbox account or a selection of other cloud storage services. Having an off-site backup of your website is a lot better than rebuilding it from scratch, and it’s really nice to have a simple utility that does the work for you.