There are many WordPress plugins that secure your website. Here are the advantages of using WordFence.
It puts up a firewall that limits brute force login attempts and throttles or blocks abusive IP addresses. That also helps a site ride out a small request flood, but a plugin running inside PHP can't stop a volumetric DDoS that saturates the server, so don't count on it for that.
Additionally, Wordfence claims it can speed up your site by up to a factor of 50. They accomplish this with the Falcon Engine, a caching layer bundled with the plugin.
There are many reasons why industry pros recommend Wordfence. For a free service, it's quite comprehensive. Go ahead and celebrate a little, because most common WordPress security concerns are addressed by it.
WordFence is Free
There is a premium option, but the free one is already a strong offering. The premium option is $34 for one year's access to the API per key, and the more API keys you buy, the cheaper each one is.
Additionally, the API keys timer (one year) only starts when you add the key to a site and not when you purchase it.
If you manage or consult on WordPress sites, a bulk purchase makes sense for the cost savings. The caveat is that only the buyer of the API keys can call in for support. That's sensible, since staffing a support team to help every individual key holder would be a significant day-to-day cost.
Enough about the premium option, go get the free WordPress security plugin and breathe a sigh of relief.
Scan Your Site
Once you add the plugin, the service begins with a scan.
The result is a list of concerns to address one at a time. If you know a result isn't a threat, you can mark the issue as ignored. Next to each issue you'll find the relevant tool to remove the threat.
After you take action on all the identified risks (hopefully you have none), WordFence will continue to auto-scan your site every day.
The scan time and frequency can be customized in the options menu (scheduling is a premium feature; see the Premium Plan section below).
Scan Plugins and Themes
When scanning, you have the option of including your WordPress themes and plugins. It's a good idea, because their files stay readable and executable on the web server even when a plugin or theme is deactivated, so a vulnerability or a backdoor in one of them can still be reached directly by URL.
By default, these options aren’t selected.
When your source code is scanned, it is compared to the original code of the same version. Wordfence keeps copies of these originals on its servers, and because a newly released version isn't always mirrored instantly, the comparison can produce a false positive right after an update. It is still a good idea to enable these options.
Scan Files Outside WordPress Installation
Another option is to expand your scan beyond the WordPress files themselves. This is more in-depth and takes more time, but gives a comprehensive search. By default the scan covers:
- wp-admin
- wp-content
- wp-includes
- the files in the base directory
- all subdirectories of the above
Enabling this option adds every other directory and subdirectory under your base directory, for example another application or an old backup sharing the same document root, which is exactly where stale, unpatched code tends to be left behind. It is a check box in the Scans to Include subsection of your options menu.
Scan For Potential Executables in Images
Malicious code can hide inside an image. Attackers store a PHP snippet in the file's Exif headers (Exchangeable image file format), typically in a text field such as the camera make or model, and a small loader elsewhere on the site reads it out (for instance with PHP's exif_read_data()) and runs it; the image file by itself is never executed. Think of Exif as metadata for the image, i.e. data about data. Usually the types of info you find here are:
- Date and Time of Image
- Camera Settings
- Make and Model
- Aperture
- Shutter Speed
- Focal Length
- Metering Mode
- ISO Speed Info
- Thumbnail for Previewing
- Description
- Copyright Info
The danger lies in the fact that it won't be visibly apparent that your site has been hacked. The image still displays exactly as it always did, and a glance at the uploads folder shows nothing but pictures. This type of scan looks inside image files for PHP tags and similar signatures, so it can identify such a hack (it finds the payload; it doesn't prevent the upload).
High Sensitivity Scanning
This setting is usually used to find stubborn infections and may lead to false positives. It’s recommended you leave this option unchecked unless you are in the process of cleaning a site. I enabled this option to test what kind of false positives it might reveal. I may go back and disable it if it causes problems. In which case I will update this section.
How Much Memory Does Wordfence Request When Scanning?
Concerned about scanning using up too much memory? Don't worry: most of the heavy lifting is done by external servers, so on most common WordPress setups the scan needs only about 8 megabytes.
If you are wondering about the resources your host provides, you can view them in the System Configuration section. The external servers that do most of the work during the scan are hosted by the company behind Wordfence (Feedjit), but more on that later in the article.
Premium Plan
The premium plan offers additional features that some may want to take advantage of. Examples include:
- You can exclude whole countries from accessing your site. This feature uses a commercial geolocation database and has a “99.5% accuracy rate”.
- The next premium feature is for customized scanning. This feature is useful if you want to set the time of the daily scan or if you need to scan more than once a day.
- Yet another premium feature is password auditing, which tests your users' passwords to make sure they can't be cracked with the common tools hackers use.
The strongest measure you can take against brute force attacks is to require two-factor authentication when logging into WordPress.
If you aren't familiar with two-factor authentication, think of it as Cellphone Sign-In. You first sign into WordPress with your password, a code is sent to your phone, and you enter that code at the end of your password with a space separating them. This premium feature gives your WordPress site a very strong defense against credential attacks, since an attacker who has guessed or stolen your password would also need to intercept the code sent to your phone.
Email Alerts
When you install WordFence you set an admin email account where you will receive alerts for your site. This can alert you to DDoS attacks, intrusions, and Google Blacklisting.
When setting your firewall options, you may inadvertently set something that will lock you out. It is important to enter your admin email and make sure you have access to it.
If you do get locked out, the block page lets you request an unlock email, which grants you access once again. It's also a good idea to have two-factor authentication enabled on that admin email account, since whoever controls it can unlock the site.
Detect Code Injections or Alterations
This plugin isn't like most. It isn't just downloaded code; it is connected to a cloud-based source of much-needed information.
Feedjit Inc is the company behind Wordfence, and it runs data centers in Seattle, Washington. These data centers host copies of every version of WordPress core and of the plugins and themes published in the official WordPress.org repositories. Comparing your files against those originals lets Wordfence alert you when any of that code has been altered (files that aren't part of a public release, such as a premium theme, can't be verified this way).
It can show you exactly what changed in a file as well as revert it to the original version. This is extremely helpful if your site becomes infected and you don't know where the injected code resides.
Avoid Being Black-Listed by Google
Essentially, this feature can be summed up as real-time monitoring of all links on your site.
Have you heard of the Google Safe Browsing (GSB) List? According to documentation from Google Developers, the GSB is a constantly updated list of URLs for dangerous webpages. The domain may be suspected of phishing, hosting malware, hosting unwanted software, or all of the above.
By keeping a current copy of this list, Wordfence can scan all your files, posts, pages and comments for dangerous URLs, for free. That greatly reduces the chance that a spammed comment or an injected link gets your own site flagged and costs you the organic search visits we all want.
Proactively Detect Vulnerabilities
Wordfence also provides access to an updated list of threats and malware signatures. This enables scans to detect intrusions, malware, and back doors in your site.
Hackers often start their brute force attacks with the most common usernames. Here are some of the ones they check first. DON'T USE THESE.
- root, admin, test, guest, info, mysql, user, administrator, and oracle
- In general, the less guessable your username, the better; an unrelated word or a random string beats a longer but predictable name.
Don't be subject to a dictionary attack, where millions of likely candidates (words, names, leaked passwords) are tried against your username. Don't use simple words that could be found in a dictionary. This is different from a pure brute force attack, which checks every possible combination of characters. Better yet, set a limit on failed login attempts so that either kind of attack is cut off after a handful of guesses.
Here is an example from this site. You will notice that they attempted to log into my site using the domain name, so that is another one to avoid using for your admin username.
In-Depth Traffic Reports in Real-Time
Tools like Google Analytics come up short when your goal is to track crawlers, feed readers, hack attempts and other bot traffic. Wordfence bridges this information gap for you, so you can know more about who or what is accessing your server. The view has an all-inclusive "All Hits" tab and other tabs that break your traffic down into:
- Humans
- Registered users
- Crawlers
- Google crawlers
- Pages not found
- Logins and logouts
- Locked out
- Blocked
- Blocked by firewall
This tool helps you see when one IP address is making many requests to your site. That can be a hacker collecting information about your web property, or a denial-of-service attempt from a single host (a true DDoS comes from many addresses at once, so it won't stand out as one busy IP). You can block that IP address and learn more about it with a WHOIS lookup, then reach out to the network owner to report abuse.
Attackers can change their IP address regularly, but the new addresses often belong to the same network, which you can identify from the WHOIS data and block inside Wordfence as a range of IPs.
If you notice an attack coming from an unusual type of browser, you can block the attacker by browser or User-Agent string. Keep in mind the User-Agent is chosen by the client and trivially changed, so this is a convenience, not a strong control.
Another strategy here is to look at IPs getting the most 404 not found pages. This often happens when a crawler is attempting to traverse your entire site. When a hacker looks for weaknesses they often request resources that don’t exist.
Additionally, you can look at login attempts to identify brute force attacks. Remember don’t use admin as your username and have a strong password.
Site Speed Improvement
As mentioned earlier, Wordfence provides the Falcon Engine, which is claimed to be the fastest WordPress caching system available. Caching lets your server answer far more requests per second without running PHP and querying the database for each one, so a flood of requests is less likely to slow the site for other visitors. It raises the bar; it does not make the site immune to a large DDoS.
Blocking, Locking Out, and Throttling IP Addresses
Block IPs temporarily or permanently. Lock out hackers and throttle interfering crawlers.
Wordfence comes with firewall rule options. If a visitor violates these rules their IP address will be blocked or throttled automatically. Those IP addresses that violated the rules can be seen in the Blocked IPs section of Wordfence. Additionally, you can set limits on Login Options. If these limits are violated the user’s IP will be locked out for a set amount of time.
Login Security
Under ‘Login Security Options” subsection of the ‘Options’ section you will want to set login limits. I have WordFence set up so that if someone fails to log in more than 10 times in one day their IP will be blocked for 30 days.
I have also added a list of commonly used usernames in brute-force attacks so that hackers will be blocked right away. This will hopefully encourage them to move onto other targets.
If you read the options available you might have been intrigued by the '/?author=N' scan.
It turns out that, without a security plugin in place, anyone can request your-site.com/?author=1, ?author=2 and so on: WordPress redirects each request to that user's author archive, and the URL it redirects to contains the user's slug, which by default is the login name. With half the puzzle put together, a brute force attack becomes much easier. Wordfence recommends leaving this protection enabled.
Another interesting item is the option to stop WordPress from "revealing valid users". Without it, a hacker who enters a valid username with a bad password is told the username is correct but the password is wrong, while a nonexistent username gets a different message, so the login form itself confirms which accounts exist. As you may have guessed, Wordfence strongly recommends enabling this option.
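To make both leaks concrete, here is an added example (not Wordfence code) that checks HTTP responses for them offline. The responses are constructed to mirror what stock WordPress sends: a 301 from /?author=N to the author archive, and the verbose login error for a valid username. The hardened site's 403 reply and the sample usernames are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


AUTHOR_ARCHIVE = re.compile(r"/author/([^/?#]+)/?(?:[?#]|$)")
# Login error wordings WordPress has used when the username exists but the
# password is wrong (the newer one names the account outright).
VERBOSE_LOGIN_ERRORS = [
    re.compile(r"The password you entered for the username <strong>([^<]+)</strong> is incorrect"),
    re.compile(r"Incorrect password"),
]


def username_from_author_redirect(resp: Response):
    """A redirect from /?author=N to /author/<slug>/ leaks the slug, which by
    default equals the login name."""
    if resp.status in (301, 302):
        m = AUTHOR_ARCHIVE.search(resp.headers.get("Location", ""))
        if m:
            return m.group(1)
    return None


def login_error_confirms_user(resp: Response, tried_username: str):
    """Return the username the login error confirms exists, else None."""
    for pattern in VERBOSE_LOGIN_ERRORS:
        m = pattern.search(resp.body)
        if m:
            return m.group(1) if m.groups() else tried_username
    return None


def enumerate_authors(fetch, max_id: int = 10) -> dict:
    """Walk /?author=1..max_id the way a scanner does. fetch(path) -> Response."""
    found = {}
    for n in range(1, max_id + 1):
        user = username_from_author_redirect(fetch(f"/?author={n}"))
        if user:
            found[n] = user
    return found


# Constructed responses. LEAKY_SITE behaves like stock WordPress; HARDENED_SITE
# models a site where the author scan is refused (a 403 is assumed here; the
# exact refusal the plugin sends does not matter to the check).
LEAKY_SITE = {
    "/?author=1": Response(301, {"Location": "https://example.com/author/siteadmin/"}),
    "/?author=2": Response(301, {"Location": "https://example.com/author/editor-jane/"}),
}
HARDENED_SITE = {"/?author=1": Response(403), "/?author=2": Response(403)}


def fetch_from(site: dict):
    return lambda path: site.get(path, Response(404))


VERBOSE_LOGIN_PAGE = Response(200, body=(
    '<div id="login_error"><strong>ERROR</strong>: The password you entered for '
    'the username <strong>siteadmin</strong> is incorrect.</div>'))
GENERIC_LOGIN_PAGE = Response(200, body=(
    '<div id="login_error"><strong>ERROR</strong>: Invalid username or incorrect password.</div>'))

if __name__ == "__main__":
    print(enumerate_authors(fetch_from(LEAKY_SITE), 3))
    print(enumerate_authors(fetch_from(HARDENED_SITE), 3))
    print(login_error_confirms_user(VERBOSE_LOGIN_PAGE, "siteadmin"))
    print(login_error_confirms_user(GENERIC_LOGIN_PAGE, "siteadmin"))
```

Swapping fetch_from() for a real HTTP client (with redirects disabled, so the Location header is visible) turns this into a quick check of your own site before and after enabling the two options.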
Blocking an IP
When you block an IP address, it will appear with some additional information. You will be able to see the geographic location of the IP, how many hits occurred before it was blocked and how many attempts it has made on your site since it was blocked. Additionally, you can manually block IPs by adding IP addresses to this list.
The Firewall Rule Options can be customized to meet your needs and concerns. If a visitor’s activity exceeds a certain limit you can throttle or block it. This is how the Firewall Rules section looks by default (under Options).
This page shows how long until a blocked IP will be automatically unblocked. This is set in the Firewall rules section. By default, this isn’t in effect since all the rules are set to unlimited.
Additionally, you have the option to look at IP addresses which have been locked out from the login system for too many login attempts. And finally, when the firewall “throttles” someone’s access for accessing the site too quickly, you can see which IP addresses have been throttled.
This quick access is often indicative of someone scraping your site with a bot. This can be accomplished by programming a crawler to visit every page on your site and copy all your content.
The first option is to immediately block fake Google crawlers. Wordfence verifies the IP address of any visitor claiming to be Googlebot instead of trusting the User-Agent (Google publishes a DNS-based procedure for exactly this, since the User-Agent can be set to anything). If the check fails, someone is pretending to be Google.
Wordfence's documentation raised the possibility of this option blocking real visitors. They don't know for sure, but they hypothesize that some ISPs run their own crawlers from the same IP addresses their customers use. Why those crawlers identify themselves as Google hasn't been determined. For this reason, it's a good idea to keep this unchecked until you really need it.
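Here is an added example of that verification, following Google's published procedure rather than Wordfence's own implementation: reverse-resolve the IP, require the name to end in googlebot.com or google.com, then forward-resolve that name and require the original IP to appear in the answer. The DNS lookups are injected as callables so the sample runs offline against a constructed table, which includes a forged PTR record, the case the forward check exists to catch.

```python
import socket
from typing import Callable, Iterable

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def is_verified_googlebot(
    ip: str,
    reverse: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
    forward: Callable[[str], Iterable[str]] = lambda host: socket.gethostbyname_ex(host)[2],
) -> bool:
    """PTR of the IP must end in a Google domain, and the forward lookup of that
    name must contain the IP. A failed lookup counts as 'not verified'."""
    try:
        host = reverse(ip).rstrip(".").lower()
    except OSError:
        return False
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    try:
        return ip in set(forward(host))
    except OSError:
        return False


def firewall_verdict(ip: str, user_agent: str, reverse, forward) -> str:
    """'allow' for verified Googlebot, 'block' for an impostor, 'pass' when the
    request never claimed to be Googlebot (other rules apply to it instead)."""
    if "googlebot" not in user_agent.lower():
        return "pass"
    return "allow" if is_verified_googlebot(ip, reverse, forward) else "block"


# Constructed DNS tables. 203.0.113.7 has a forged PTR (whoever runs the reverse
# zone for an address can put any name there), but the forward lookup of that
# name does not point back to it. 198.51.100.5 has no PTR at all.
FAKE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com.",
}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise socket.herror("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host: str):
    if host not in FAKE_A:
        raise socket.gaierror("NXDOMAIN")
    return FAKE_A[host]


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip in ("66.249.66.1", "203.0.113.7", "198.51.100.5"):
        print(ip, firewall_verdict(ip, GOOGLEBOT_UA, fake_reverse, fake_forward))
```

Calling is_verified_googlebot() with only the IP uses the real resolver; the two-step check costs a DNS round trip per new address, which is why a production firewall caches verdicts per IP rather than resolving on every hit.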
This section is useful if you find that someone is engaging in hack activity, scraping your site, or executing DDoS attacks. I have left it at the default settings for now because BlueHost does this at the server level for us. By using the 'Live Traffic' view, you can see if someone is attempting to access your site in unconventional ways.
If you find that an IP is persistently attempting logins under nonexistent usernames you can block it by clicking the [block] link next to the listed IP. It will then be in the “IP’s that are blocked from accessing the site” tab under the “Blocked IPs” section.
Throttling an IP Address
You can set a rule so that when one IP address makes more than a certain number of requests in a minute it is automatically throttled: further requests from that address are refused until it slows down. This is quite useful if crawlers are slowing the site for human visitors.
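The rules described in the Login Security, Live Traffic and throttling sections above all come down to counting events per IP address in a sliding window. Here is an added example that models them together (it is not Wordfence's code): a 30-day lockout after more than 10 failed logins in a day, an immediate lockout for a list of banned usernames, a per-minute request throttle, and a 404-scanner rule, replayed over a constructed log. The thresholds and the convention that a successful login answers with a 302 are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    t: float            # request time, unix seconds
    ip: str
    path: str
    status: int         # HTTP status the site answered with
    username: str = ""  # filled in for login attempts only


@dataclass
class Rules:
    max_failed_logins: int = 10          # "more than 10 failures in one day ..."
    failed_login_window: float = 86400
    login_lockout: float = 30 * 86400    # "... blocks the IP for 30 days"
    banned_usernames: frozenset = frozenset({"admin", "administrator", "root", "test", "guest"})
    max_requests_per_minute: int = 120   # throttle threshold (assumed)
    max_404_per_minute: int = 30         # scanner-of-nonexistent-files threshold (assumed)
    throttle_lockout: float = 300


class Firewall:
    def __init__(self, rules: Rules):
        self.rules = rules
        self.blocked_until = {}            # ip -> unix time the block expires
        self.reasons = {}                  # ip -> rule that blocked it
        self.hits = defaultdict(deque)     # sliding windows of timestamps, per ip
        self.not_found = defaultdict(deque)
        self.failed_logins = defaultdict(deque)

    @staticmethod
    def _count(window: deque, now: float, span: float) -> int:
        """Record one event and return how many fall inside the last `span` seconds."""
        window.append(now)
        while window[0] < now - span:
            window.popleft()
        return len(window)

    def _block(self, ip: str, now: float, duration: float, reason: str) -> str:
        self.blocked_until[ip] = now + duration
        self.reasons[ip] = reason
        return reason

    def handle(self, ev: Event) -> str:
        """Verdict for one request: 'allow', 'blocked' (by an earlier rule), or the rule firing now."""
        r = self.rules
        if self.blocked_until.get(ev.ip, 0) > ev.t:
            return "blocked"
        if self._count(self.hits[ev.ip], ev.t, 60) > r.max_requests_per_minute:
            return self._block(ev.ip, ev.t, r.throttle_lockout, "throttle")
        if ev.status == 404 and self._count(self.not_found[ev.ip], ev.t, 60) > r.max_404_per_minute:
            return self._block(ev.ip, ev.t, r.throttle_lockout, "404-scan")
        if ev.path == "/wp-login.php" and ev.username:
            if ev.username.lower() in r.banned_usernames:
                return self._block(ev.ip, ev.t, r.login_lockout, "banned-username")
            # Constructed convention: a successful login redirects (302); any
            # other status on the login path is a failed attempt.
            if ev.status != 302 and self._count(
                    self.failed_logins[ev.ip], ev.t, r.failed_login_window) > r.max_failed_logins:
                return self._block(ev.ip, ev.t, r.login_lockout, "login-lockout")
        return "allow"


def run_demo() -> dict:
    """Replay a constructed log; return {ip: (blocking rule or None, requests allowed)}."""
    log = []
    # Dictionary attack on a real account: 12 failures spread over an hour.
    log += [Event(1000 + 300 * i, "203.0.113.10", "/wp-login.php", 200, "siteadmin") for i in range(12)]
    # One try with "admin", then an ordinary page view that is already blocked.
    log += [Event(2000, "198.51.100.7", "/wp-login.php", 200, "admin"),
            Event(2001, "198.51.100.7", "/", 200)]
    # Scanner probing for backup files that don't exist: 40 misses in 40 seconds.
    log += [Event(3000 + i, "192.0.2.33", f"/backup{i}.zip", 404) for i in range(40)]
    # A normal visitor.
    log += [Event(4000, "192.0.2.50", "/", 200), Event(4010, "192.0.2.50", "/about/", 200)]

    fw = Firewall(Rules())
    verdicts = defaultdict(list)
    for ev in sorted(log, key=lambda e: e.t):
        verdicts[ev.ip].append(fw.handle(ev))
    return {ip: (fw.reasons.get(ip), v.count("allow")) for ip, v in verdicts.items()}


if __name__ == "__main__":
    for ip, (reason, allowed) in run_demo().items():
        print(f"{ip:15} blocked-by={reason!s:16} allowed={allowed}")
```

Two details carry over to any real deployment: the block expiry is checked before any counting, so a locked-out address cannot keep advancing its own counters, and the per-rule lockout durations are separate, because a crawler that merely hit a throttle should not be banned for the month you would give a password-guessing bot.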
You can view Firewall rules to learn more.
Overall, the features provided by WordFence will help to reduce the possibility of your site becoming compromised. Please let me know if this article has been useful to you, or if you have anything that needs to be added here.