Defender Review: Best Security Plugin

In this Defender review post, I will go through every feature of the plugin, what it offers, and what it can do. Also how to set it up to get the most out of it.

Defender is my favorite security plugin for WordPress and it has many features that can’t be found in its competitors. It has a great user interface, it’s easy to understand, and has some powerful security features.

This security plugin is made by WPMU DEV, a team that has other great WordPress plugins such as Hummingbird, Forminator, Smush, etc. I love their plugins and I use some of them on my website.

First of all, I will start my Defender review with the features it offers, and then I will show you how to set it up in the right way to get all the good it has.

Defender Features

First, let’s see what features the free version of the plugin has, and then I will show what you get additionally if you upgrade it to a pro version.

Malware Scanning

One of Defender’s strengths is its malware detection and protection. You can scan your whole website and it quickly detects if there is any malware on your website’s files.

defender review malware

It lists out any suspicious files and you are able to delete them or ignore them. Perhaps you have some custom, non-WordPress files in your core files and you can tell Defender to ignore that files.

Defender scans not only the core files but also theme and plugin files. It is a great way to protect your WordPress website from any malware whether it’s a plugin, theme, or something in the WordPress core.


Another powerful tool of Defender is its firewall. Great protection layer from hackers and bots. It can be a great help for your website.

defender firewall

Firewall secures your website for three different attacks:

  1. Login Protection – If someone tries to log in to your website, you can set a limitation to failed login attempts and set a lockout period. So, it is hard for someone to crack your login credentials.
  2. 404 Detection – This protection will keep an eye on IP addresses that request pages that don’t exist and lock them out. Also, you can create IP addresses blocklists, and allowlists.
  3. IP Banning – And the third layer is where you can ban some IP addresses forever. So, if you see that a specific IP address causes problems, you can add it to a blocklist.

Also, it has a log section where you can see all the logs for these three protection layers. You can see which IPs were blocked, what 404 pages were requested, etc.

You can delete logs manually or tell Defender to delete them after a specific period like 2 days.


I wasn’t gonna include two-factor authentication in this Defender review, but it can be indirect protection for any website. And it has some cool features for 2FA.


You are able to enable 2FA for different WordPress users, force them to use 2FA, and choose an email to get the one-time password.

Third-party authentication apps you can use with Defender are Google Authenticator, MS Authenticator, and Authy.

Also, Defender has lost the phone option. It allows you to send a one-time password on mobile in case you cant’ log in.

Mask Login Area

One of my favorite features of this security plugin is that you can create a mask for your WordPress login. One of the reasons I decided to write this Defender review.

What it does is that it allows you to create a custom login link for your WordPress website. The default login for every WordPress website is

Also Read: Analyze Your Website

So, you can change this wp-admin and create your own string of text. You can choose any text. Your login could be and this way your website will be more protected.

When someone goes to a default login link, there will be an error or you can create redirection and redirect them to a specific page of your website.

Google reCaptcha

WPMU DEV recently added the reCaptcha feature to Defender. From now on your website will be more secure from bots and malware. Google reCaptcha can is a great security option and it can be very helpful.

Defender offers three types of reCaptcha: V2 Checkbox, V2 Invisible, and reCaptcha V3. To use it, you need to create the key for Google reCaptcha. You can choose between dark and light versions of reCaptcha.

Google reCaptcha can be added to different places:

  • Register
  • Login
  • Lost Password
  • Comments

If you have comments allowed on your website, you already know how much spam is coming through. So, from now on, with the help of Defender, you can add an additional security layer to your comments.

Security Headers

Another awesome feature that not many security plugins offer is security headers. It’s an additional protection layer for your website. This is one of the main reasons why I decided to make this Defender review.

Here is the list of what security layers you can add to your website:

  • X-Frame-Options – Protection from clickjacking attacks.
  • X-XSS-Protection – This HTTP security stop loading of pages if cross-site scripting is detected.
  • X-Content-Type-Options – This layer is for MIME sniffing attacks. It is good when you allow users to upload files to your website.
  • Strict Transport – This tells browsers that the website should be accessed using HTTPS.
  • Referrer-Policy – HTTP header tells browsers how to handle information that is sent to websites when a user clicks a link that leads to another website.
  • Feature Policy – This feature provides control over what browser features can be used when pages are embedded in iframes.

As you can see it has many protection layers for your website. Defender is a very powerful plugin. Also, you can save your settings and upload them to another website.

Defender Pro

All the features I talked about comes with the free version and my Defender review won’t be complete if I don’t include what additional features a pro version offers.

The first thing you get with a pro version is Audit Logging. The Defender will track all the changes that are made to your website. It will show you the report on what is going on behind the scenes.

The second is WAF (Web Application Firewall) which is protection from hackers and bots before they reach your website. It will filter all requests and secures your WordPress core, themes, and plugins.

Also, it has Blocklist Monitor which checks if you are on Google’s blocklist and if something is wrong, it lets you know about it.

defender pro plugin pricing

You can get a Defender Pro for $5 per month for one website which makes it one of the most affordable security plugins.

How To Setup Defender Plugin

You can see from Defender features that it’s one of the most powerful security plugins out there. Now let’s see how to set it up in the right way to use every feature it offers. Let me make a Defender review complete.

Activation & Scan

First of all, install and activate Defender from the WordPress plugin repository like any other plugin. On the left sidebar, you will see a new section for the plugin.

Go there and click Activate & Configure. It will activate all the necessary features and scan your website for the first time automatically.

plugin configuration

It’s a better practice to wait until it finishes the malware scanning.

Recommendations & Malware

Next, go to Recommendations and see what it tells you. For example, it can show you that you need to disable the file editor. I always disable the editor. You can disable or ignore it.

disable file editor

The same goes for the malware section where you can see the issues. You can delete suspicious files or ignore them. But be careful. Defender plugin can see some files as a threat when they are not. So don’t delete some files you need.

For example, it can tell you to delete Google AdSense file ads.txt, but Google needs it for displaying ads. So, ignore it. Leave settings to default.

Configure Firewall

In the Defender review, I talked about login and 404 request protection. Here you can configure it. And it is simple to tweak the settings.

limit failed login

Choose how many failed login attempt is allowed and how long can a user be locked out. You can do the same for 404 requests, and also add IPs to blocklists.

And in the settings section, you can delete logs after a specific period.

Mask Your Default Login

Now it is time to create a custom login link. Go to Advanced Tools and activate Mask Login Area.

Now you just have to write any text you like in URL slug input and that will be your WordPress website login link. Something like

defender review login mask

Also, you can create a redirection link when someone visits the WordPress default login link. Just choose a page or a custom link in the Redirect Traffic section.

Activate Security Headers

I told you in Defender review that one of its powerful features is security headers and now I will show which one you should activate. Security headers are in Advanced Tools, under Mask Login Area.

Activate X-Frame-Options and set it to Deny. Activate X-XSS-Protection and set it to Block.

Next, enable X-Content-Type-Options and lastly enable Referrer Policy and from the dropdown list choose strict-origin-when-cross-origin.

That is how I configure the Defender plugin for every website. You can enable Feature-Policy and Strict Transport, but I don’t use them.

All these can be done with a free version but if you want more options, you can always upgrade to a pro version.


In this Defender review, I showed you all the features and options it offers and also how to set up it the right way. Defender is my favorite security plugin. It is very powerful and easy to use. You can scan your website any time and see if there are any problems.

You can also check other plugins from WPMU DEV. They are as powerful as Defender and they have plugins for caching, SEO, backups, analytics, image optimization, and more.

Leave a Reply