I use, and recommend that my clients use, the Cerber Security and Antispam WordPress plugin. The plugin author is very serious about website security as you can see by the photo he uses for his plugin. That’s Cerberus, the multi-headed dog.
Cerber offers serious protection for WordPress websites. The plugin is also well supported, as the author is extremely responsive to any issue with the plugin.
However, if you’re running an old site with redirects you may want to disable the traffic inspector portion of the plugin.
I have some old sites that were done with SHTML and ASP before being moved to WordPress. Even though these sites moved to WordPress years ago, they still get traffic to to the old URLs. There are redirects in place to send that traffic to the new WordPress pages.
Now we add Cerber to the mix. It identifies visitors trying to access the old URLs as “probing for vulnerable PHP code”. The redirects are ignored and visitors to those pages are locked out of the sites.
As I said, I’ve seen this behavior on multiple websites.
So if you have any redirects involving anything other that WordPress pages (it seems to work fine with those) you’ll want to disable the traffic inspector.
I’ve notified the plugin author of the problem and hope that this will be fixed in future versions of the program.