WordPress is THE most used Content Management System in the world; it is second to none. The unmatched popularity of WordPress attracts bad people, like hackers.
If you are a WordPress developer or WordPress designer who prefers the flexibility of the CMS, you must have heard about security plugins. And if you are like me, you might have heard about tens of security plugins.
Installing every security plugin you come across won't help your efforts; it will do just the opposite of what you intend.
There are a few good WordPress security plugins like SecuPress, Sucuri, Malcare and Wordfence. In this article, I chose to walk you through the Wordfence plugin and why it matters.
Wordfence is developed by Defiant, world leaders in WordPress security. Defiant is based out of Seattle, WA. Wordfence is installed on more than 3 million WordPress websites, and it properly protects those sites.
If you are planning to install this plugin on your website, you must know about its free and paid versions. As a security plugin, it works by scanning your website for viruses, malware, adware, trojans, and other suspicious links at regular intervals throughout the day. Most security plugins do the same. Defiant, with its experience of working on this plugin for so long, has made it lightweight and almost foolproof.
First of all, go to your WordPress dashboard. Then navigate to Plugins -> Add New. Search for Wordfence. Install Wordfence Security – Firewall & Malware Scan. Avoid installing plugin files acquired from non-official sources.
Click Install Now, and depending upon your server setup, it will finish installing in a couple of seconds. Once it is installed on your server, you will see the Install Now button change to "Activate Now". Click on it to complete activation of the plugin.
Once activated, you will see a prompt to enter your email address. The address you enter will receive security updates related to your website.
The next prompt will ask you to enter your Premium Key. You won't have one unless you have purchased the premium version. Click on the No Thanks link to proceed.
You can now head over to the Wordfence dashboard by clicking on the Wordfence link in the sidebar.
In the dashboard, you will be welcomed with Firewall and Scan circular progress bars.
Tip: WAF means Web Application Firewall. It will stay in Learning Mode for a few days.
This is a screenshot from one of our client websites where an attempt was made by a malicious end user. Wordfence blocked the attempt in real time.
Live Traffic shows you what is happening in real time on your website: hack attempts, user logins, and requests that were blocked by the Wordfence Firewall.
Whois lookup helps find the details about the IP addresses and domains that are attempting malicious activities on your website.
In the free version, the applied Firewall Rules will be the Community ones. Brute force protection is automatically set up for you by Wordfence itself.
The Firewall also has options to delay IP and Country blocking until after WordPress plugins have loaded. With the firewall, you can also rate limit crawlers. You can even rate limit Google's crawlers, although it would be a very bad idea to do so.
In the free version, the malware signatures used for the scans are the community ones, which are delayed by 30 days compared to the premium version. That is fine if your website is not dealing with financial transactions.
The scan results display the issues pertaining to the website that need your attention.
You can also choose low resource scanning to reduce server load by lengthening the scan duration.
Login Security – 2 Factor Authentication
Wordfence also allows you to set up extra login security by activating 2 Factor Authentication on your website. It will reduce brute force attacks to the absolute minimum.
The premium version of the plugin comes with extra options, and also country blocking.