
What is the best Free Security Plugin for WP

#1
I found iThemes security on a simple search and it has really good reviews

https://wordpress.org/plugins/better-wp-security/

Does anyone know of a better free plugin to recommend?
#2
I'm currently using Wordfence Security and they provide very good protection and feedback as to who is attacking our site. It is very highly recommended by many WP users and it was recommended by a digital marketing friend of mine who maintains websites for a living. So I guess it is worth looking into :)
#3
Wordfence is a pretty comprehensive plugin and it will need more resources.

Another plugin that I suggest is https://wordpress.org/plugins/block-bad-queries/
It's pretty light.
#4
Tips for self-hosted installations:

Plugins are fine and all, but you can manage with a good htaccess file for better caching-headers and some basic blocking. It is a lot faster since it does not require PHP, just Apache (there is a way to convert the format to nginx).

https://perishablepress.com/6g/ (or later)
https://incredibill.me/htaccess-block-language
https://incredibill.me/htaccess-block-country-ips
https://modusinternet.com/en/products/cu...ccess.html
https://www.stevesouders.com/blog/2008/0...uerystring

On top of that you can always add additional protection, since it is not directly related to WordPress anyway.
If you don't need users to login (for comments) - disable comments and new user creation.

Another trick is to change the name of the login page or admin folders (for example admin.php to admin1.php). You can update the link in your theme manually for users to log in, or remove the link entirely from the HTML (manual theme editing). A lot of spam/malicious traffic is just an automatic set of requests to a commonly-known path in your WordPress installation; giving them a 404 reduces a lot of the server load (you can even move the 404 page to another server, for example a GitHub static page, with a redirect, since rendering a 404 error page still uses the server...), and you can always access the renamed php-file. Note that this might break stuff...

If you are willing to avoid the internal comment system entirely (disable all comments) or switch to one of the 3rd-party engines (with a plugin), you'll reduce a lot of the traffic (and DB access) to the server and you'll make your website a lot more secure.
3rd-party comment systems have their own authentication (usually through free Facebook/Google/WordPress API which they manage on their own, which means you can safely turn off new user creation).

If you still want to stick with your existing set-up, try smarter spammer avoidance with honeypot plugin(s): https://wordpress.org/plugins/tags/honeypot/
[-] The following 2 users Like eladkarako's post:
  • binil, Genesis
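
Added example (not part of any post in this thread): post #4 notes that much of the unwanted traffic is automated requests to commonly-known WordPress paths. This sketch counts such requests in an Apache/nginx "combined" access log so you can judge whether blocking or renaming is worth it; the path list, the threshold and the sample lines are assumptions made for the example.

```python
import re
from collections import Counter

# Paths automated clients commonly request on WordPress sites.
# Assumed list for this example; adjust it to your installation.
PROBED_PATHS = ("/wp-login.php", "/xmlrpc.php", "/wp-admin/",
                "/wp-comments-post.php")

# "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+'
)

def summarize(lines, min_hits=3):
    """Return (hits per probed path, {ip: hits} for IPs with >= min_hits)."""
    by_path, by_ip = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        path = m["path"].split("?", 1)[0]  # ignore the query string
        for probe in PROBED_PATHS:
            # Entries ending in "/" match as a prefix, others exactly.
            if path == probe or (probe.endswith("/") and path.startswith(probe)):
                by_path[probe] += 1
                by_ip[m["ip"]] += 1
                break
    noisy = {ip: n for ip, n in by_ip.items() if n >= min_hits}
    return by_path, noisy

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [22/Jul/2020:15:20:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jul/2020:15:20:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jul/2020:15:20:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 402 "-" "Mozilla/5.0"',
    '198.51.100.22 - - [22/Jul/2020:15:21:10 +0000] "GET /wp-login.php?redirect_to=x HTTP/1.1" 404 0 "-" "curl/7.68"',
    '192.0.2.10 - - [22/Jul/2020:15:22:00 +0000] "GET /2020/07/hello-world/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [22/Jul/2020:15:22:30 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    paths, noisy_ips = summarize(SAMPLE)
    print(dict(paths), noisy_ips)
```
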
#5
(07-22-2020, 03:20 PM)enderandrew Wrote: I agree that .htaccess protection is a better approach.

Never said better, more like an additional layer.

I'm pretty sure there isn't a (simple) htaccess equivalent to allow uniquely identifying a user
(the simplest way is probably a php session-cookie), measuring the rates of the bandwidth used,
and optionally reducing the server load by bandwidth-rate-controlling or connection-closing.

Such logic is best served close-to-the-server, and there are most likely Apache/nginx server-plugins for that,
but none that I've come across with cheap shared-hosting (please let me know if you know otherwise!)

However, some CDNs can do that for you (Akamai/Cloudflare/..) though.
With a (free) WordPress plugin: https://www.cloudflare.com/integrations/wordpress/

Anyway, the Cloudflare one seems a fairly nice addition of a security/stability layer to a WordPress-based website.
  



