When it comes to WordPress security, I like to rely on a combination of custom code as well as installing and configuring some security plugins. This list covers the plugins I used the most in 2021. There is no specific order in terms of recommendation or use cases.
NinjaFirewall is a web application firewall which can be installed as a normal plugin. It comes with many useful possible configurations, options for monitoring, event notifications and login protection. What I really like about this plugin is the fact that you can add IP anonymization which makes it GDPR compliant.
NinjaScanner is a lightweight virus scanner which extends the functionalities of the Firewall above. After you’ve installed the scanner you can run file integrity checks, move suspicious file to quarantine, make file/database snapshots, configure email notifications, run background scans and many more.
Limit Login Attempts Reloaded
This plugin does exactly what the title says: It limits login attempts. Besides configuring how many attempts a user can make before getting locked out, you can enter you email address to get notified if somebody got locked out. This plugin has an option to make it GDPR compliant also. Limiting login attempts is not only useful for your admin accounts, it can also secure your woocommerce customers or forum user accounts.
With this plugin you can easily protect your login with a second factor such as OTP. Go check out my post about this topic/plugin: How to add 2FA to your WordPress Login
WPS Hide login
You may think “I’ve got a firewall, why should I hide my login path?”. I admit that if you don’t protect the WordPress API against bruteforce attacks, there is no point in hiding the login path. Also if you already have a firewall installed, use a 2FA plugin and/or limited the possible login attempts, it might seem useless to hide the login path. But what I’ve noticed is, that it builds trust for you clients (the owner of the website) because it’s something they can see. And to build this bit of extra trust, I take the 2 minutes time and install and configure the plugin on nearly every project.
Not really a security plugin, but I like to deactivate any functionality I don’t need in a system and because most of the sites I build aren’t forums or blog, I disable the default WordPress comments feature with this plugin.