Dealing with WordPress hacks is a huge hassle. I have had the unfortunate experience of dealing with these tedious WordPress hacks many times during my web design career. There are a lot of security plugins for WordPress; it’s so hard to find the best one. There is one plugin that can drastically help protect your WordPress security, though. Take it from me; it is a safety net for your WordPress site. If I were to populate a list of “must have” plugins, this would most certainly have to be on the list. It’s just that important. Its name is “Wordfence.” This plugin is very powerful, and I use it on all of my WordPress sites.
I found this excellent Wordfence YouTube video that shows you all the features of Wordfence:
Wordfence fights off scraper attempts, aggressive robots, fake bots, unauthorized login attempts, and even strong brute force attacks. You can restore key WordPress files and revert to earlier stages.
Okay, so first of all (and probably best of all), this plugin is free. It does, of course, have some premium or paid options, but they are not required to begin with; they are just added features if you find yourself satisfied with the plugin’s performance. Basically, as a security plugin, it works by scanning your site for viruses, malware, adware, trojans, and other suspicious links at regular intervals throughout the day. Yeah, other security plugins also do this, but what’s good about this plugin is that it’s lightweight. It’s as if you don’t have a security plugin installed. It doesn’t slow down the loading of your pages or make you or your visitors feel as if something’s running in the background.
Once we have Wordfence installed on our website, let’s click on the Wordfence icon (or text) in our WordPress dashboard. You will want to find the “scan” text. Once you find it, click on it. There you can click “start a Wordfence scan,” and Wordfence will start scanning your website.
It checks the following:
- Scanning for HeartBleed vulnerability.
- Core theme & plugin signature files.
- Known malware files from Wordfence.
- Core WordPress files vs. originals in the repository.
- File contents for infections and vulnerability.
- Files, posts, and comments against the Google Safe Browsing list.
- Weak passwords.
- DNS for unauthorized changes.
- Disk space.
A scan typically takes about 2 minutes, depending on how big your site is. You can do something else on your website while it’s scanning.
Next, there will be a box that says “new issues.” It will show you all the issues that Wordfence has found. You have the option to mark them as fixed, make the changes, or ignore them. What I like about this plugin is that it shows you when there are problems with a particular file. You have the option to view it next to its original source. You can then see what line of code is suspicious and restore the file to the original core file.
More than just a security plugin, the Wordfence Security plugin also shows you real-time traffic, from human and non-human alike, bots, spiders, logins, and logouts – anything that hits your site. So, if you’re not getting information about these through your favorite analytics plugin, then this is a must have. However, it can use a lot of resources, which can cause speed/loading time problems on your website. So if you run into any troubles with loading times, try disabling the live traffic feature.
Wordfence does offer many performance options. You can find these under Wordfence > Performance Setup. You can use caching so that the plugin doesn’t hog all your server’s resources. There are three options:
- Disable all performance enhancements.
- Enabled basic caching. (2 to 3 times speed increase)
- Enabled Wordfence Falcon Engine. (30 to 50 times speed increase)
You can even configure cache options to work with SSL (secure https pages), add hidden debugging data to the bottom of the HTML source of a cached page, and clear cache when a scheduled post is published.
You can clear the cache or even get cache stats if you want.
You can add items like URLs, cookies, and browsers (user-agents) to exclude from caching. You can configure these with “if” statements, which include URL starts with, URL ends with, URL contains, URL exactly matches, user-agent contains, user-agent exactly matches, and cookie name contains. Then you click “add exclusion.”
You can manage the IP addresses that are viewing your website. You can manually add different IP addresses to your log, lock IPs out, and show IPs that were recently throttled for accessing the site too frequently. So, if there is a problem and you think the IP address might be problematic, it’s as simple as just blocking it.
Cellphone settings are only available for those webmasters that have a premium membership. You can configure your settings by putting in your cell phone username and telephone number.
Also, a premium membership allows you to block sites from different countries. You can send them to the standard Wordfence blocked message or a custom URL. It is an excellent option if you see DDoS attacks or problems related to hackers in Turkey. I do love this feature from Wordfence.
Another premium feature of Wordfence is scheduling when Wordfence scans occur. You can run them anytime you want, Monday through Sunday. It’s a good idea to run scans at least once a week to ensure that your WordPress site isn’t infected with malware.
For any IPs that look suspicious, you can cut and paste the IP address and it will tell you everything about the IP. You don’t have to go to who.is or another “whois” site. It’s all done through your dashboard in WordPress.
Advanced blocking is available for free with Wordfence. You can block IP address ranges, meaning that you can block 192.168.200.200 – 192.168.200.220. You can block user-agents too. To do this, you enter something like this: *badRobot*, AnotherBadRobot*, *someBrowserSuffix. You can block people that were referred from specific websites. To do this, you enter *badWebsite*, AnotherBadWebsite*, *someWebsiteSuffix. Once you block people, there is a field where you can enter your reason. This helps the developers at Wordfence to see exactly why you are blocking a certain site, IP, or user-agent. What a great idea from the developers of Wordfence!
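To see what such range and wildcard rules actually match, here is an added sketch of the matching logic; it is not Wordfence's code. It assumes that `*` is the only wildcard, that matching is case-insensitive, and that every field set on a rule must match. `BlockRule` and `block_reason` are hypothetical names.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


def ip_in_range(ip: str, start: str, end: str) -> bool:
    """True if ip lies in the inclusive range start..end (same IP version only)."""
    addr, lo, hi = (ipaddress.ip_address(x) for x in (ip, start, end))
    return addr.version == lo.version == hi.version and lo <= addr <= hi


def wildcard_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters; every other character is literal.
    Case-insensitive matching is an assumption of this sketch."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


@dataclass
class BlockRule:
    reason: str
    ip_range: Optional[Tuple[str, str]] = None
    user_agent: Optional[str] = None
    referer: Optional[str] = None

    def matches(self, ip: str, user_agent: str, referer: str) -> bool:
        checks = []
        if self.ip_range:
            checks.append(ip_in_range(ip, *self.ip_range))
        if self.user_agent:
            checks.append(wildcard_match(self.user_agent, user_agent))
        if self.referer:
            checks.append(wildcard_match(self.referer, referer))
        # Assumption: all fields set on a rule must match; an empty rule blocks nothing.
        return bool(checks) and all(checks)


# Patterns and range quoted in the article; the reasons are constructed.
RULES = [
    BlockRule("scanner range", ip_range=("192.168.200.200", "192.168.200.220")),
    BlockRule("bad robot", user_agent="*badRobot*"),
    BlockRule("bad browser suffix", user_agent="*someBrowserSuffix"),
    BlockRule("spam referrer", referer="*badWebsite*"),
]


def block_reason(ip: str, user_agent: str, referer: str = "") -> Optional[str]:
    """Return the reason of the first matching rule, or None if the request is allowed."""
    for rule in RULES:
        if rule.matches(ip, user_agent, referer):
            return rule.reason
    return None
```

A pattern without a leading `*` is anchored at the start of the string, so `AnotherBadRobot*` only catches user-agents that begin with that text.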
I use the free version for all my websites. But you can purchase the paid version of Wordfence at Wordfence.com. Here is a breakdown of the prices per license:
- 1 API – $39.00/year.
- 2 API – $59.00/year.
- 3 API – $79.00/year.
- 4 API – $99.00/year.
- 5 API – $119.00/year.
You do get discounts for buying the premium service for more than 1 year. Currently, you can purchase it for up to 5 years.
Don’t just take my word for it. Wordfence is an excellent security plugin for WordPress. This plugin gets excellent reviews on WordPress.org. I have found some interesting reviews on Wordfence that you can view:
I highly recommend the Wordfence security plugin. There are some options that you can configure to your liking. The free version is worth it, and the paid version is worth the money. You have to play it safe with your WordPress sites. Every second, minute, hour, day, week, month, etc. that our websites are infected or down, we are losing out on clients, visitors, and money. It’s easy to use, lightweight, and compatible with the latest versions of WordPress. This plugin has saved me an immense amount of time and headaches over the years. You can check out the plugin at https://wordpress.org/plugins/wordfence/
I want to hear what you think about this security plugin. If you have any questions, feedback, comments, etc., please leave your comments down below about Wordfence.