Top 5 WordPress Security Plugins of 2021 Roundup


Thanks for checking out the Top 5 2021 WordPress Security Plugins Roundup! In this post, I will show you some of the top WordPress security plugins, just in time for the Christmas 2021 season.

This list includes only lightweight, battle-tested, and solid plugin recommendations for the average WordPress administrator. Notice that no paid or all-in-one plugins are in this list, though some of the plugins do have Pro versions.

I don't include all-in-one plugins because, while they are convenient, that amount of automation comes at a serious cost. If your website is not cache-friendly and has concurrency limits, using an all-in-one plugin such as iThemes Security or WordFence will cost a lot in terms of server resources. The recommendations here are FREE single-purpose plugins which allow you to do the same thing, and which can be managed separately and logically.

5. Disable REST API



Ease of Use: Easy

This plugin controls the availability of the JSON API URLs for specific WordPress user roles or lack thereof.

Disabling all access for anonymous users is the default setting. Just install and activate to protect your site!

I recommend this plugin because it essentially wipes out an entire class of information disclosure.  If you use anonymous WP-JSON calls you’ll want to register your REST routes and enable the relevant permissions.

4. Two Factor Authentication



Ease of use: Very Easy

A simple plugin to configure 2 Factor Authentication policies.  Extremely fast and easy to set up.  Just scan the generated barcode in your Authenticator app, and your code is now required before completing the login.  Use LastPass Authenticator to require biometric unlock!

3. User Role Editor



Ease of use: Advanced Knowledge Recommended

This plugin is more comprehensive than the Disable REST API plugin.  Instead of allowing REST methods by URL, you can allow capabilities per role or per user.  Even if a role has the REST method allowed, if the capability is not enabled for the user or role then the action doesn’t go through.  Absolutely critical if you intend on having very restricted roles by path and capability.

You can use it with the Disable REST API plugin to allow routes for roles, but disable capabilities for specific users in that role.

2. WP Activity Log



Ease of use: Easy

This plugin stores a comprehensive history of the changes on your website.  Crucial for establishing timelines after a potential breach, and identifying suspicious activity.

1. Salt Shaker



Ease of use: Very Easy

Continuously rotate your password hashing salts in wp-config.php. Rotating the salts makes it that much more difficult for an attacker.
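What a rotation does to wp-config.php, as an added sketch that is not Salt Shaker's own code: it assumes the eight standard WordPress secret-key constants are defined in the file and rewrites each one with a fresh random value. The names `rotate_salts` and `new_secret` and the sample file are constructed for this example.

```python
import re
import secrets
import string

# The eight secret constants WordPress reads from wp-config.php.
KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
        "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# No quotes or backslashes, so a value can never close or escape the
# single-quoted PHP string it is written into.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\"\\")

# Matches define('NAME', 'value'); with either quote style and escaped quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>%s)\1\s*,\s*(['"])(?:\\.|(?!\3).)*\3\s*\)\s*;"""
    % "|".join(KEYS))

def new_secret(length=64):
    """Generate one value from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Return (new_text, rotated_names); refuse to proceed if a constant is missing."""
    rotated = []

    def replace(match):
        rotated.append(match.group("name"))
        return "define( '%s', '%s' );" % (match.group("name"), new_secret())

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = sorted(set(KEYS) - set(rotated))
    if missing:
        raise ValueError("not found in config: " + ", ".join(missing))
    return new_text, rotated

# Constructed sample input, not a real configuration.
SAMPLE = r"""<?php
define( 'DB_PASSWORD', 'constructed-db-pass' );
define('AUTH_KEY',         'OLDVALUE-1');
define("SECURE_AUTH_KEY",  "OLDVALUE-2");
define('LOGGED_IN_KEY',    'OLDVALUE \' 3');
define('NONCE_KEY',        'OLDVALUE-4');
define('AUTH_SALT',        'OLDVALUE-5');
define('SECURE_AUTH_SALT', 'OLDVALUE-6');
define('LOGGED_IN_SALT',   'OLDVALUE-7');
define('NONCE_SALT',       'OLDVALUE-8');
"""
```

Changing these values invalidates existing login cookies, so all users are signed out and have to log in again after each rotation.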
