1. Wordfence, the most installed WordPress security plugin
With over four million installations, Wordfence is the most popular WordPress security plugin. It protects your site with a variety of features, from a firewall to login security to periodic scans.
However, with so many features, it can be difficult to understand how it works, why to use it or even how to set it up properly. In this article, we will look at this in detail.
In addition, Wordfence offers a paid version that complements its free version, including real-time updates to blocking rules and malware signatures. For $99 a year, your site will be better protected and you will be entitled to technical support.
Nevertheless, the free version, which we’ll focus on, has enough tools to provide satisfactory protection for your site.
2. Wordfence features
Wordfence provides some configuration upon installation, including the ability to enable automatic updates and firewall optimization, after you have downloaded a backup copy of your .htaccess file. The plugin also offers a guided tour, which I recommend following if you want to learn more about the available features.
2.1 Dashboard
The dashboard provides a summary of what is happening in the plugin. Among other things, you will find the status of the firewall and scans as well as the attacks blocked by Wordfence on your site.
By default, the plugin’s widget displays on the WordPress dashboard to give you an overall view of your site’s security every time you log in. If you don’t want it to display, you’ll need to click the « Screen Options » button in the top right corner and uncheck the « Wordfence activity in the past week » box.
2.2 Firewall
The purpose of a firewall is to block malicious traffic, and therefore attacks. There are several types of web application firewall (WAF). Some block traffic on the network or in the cloud, i.e. on external servers; others, including Wordfence, block attacks at the endpoint, i.e. on your own server.
Obviously, there are advantages and disadvantages to each option. In the case of Wordfence’s WAF, end-to-end encryption is not broken, as it may be with a cloud firewall that has to decrypt your traffic, and scans of your server can be more in-depth.
However, your server’s performance may be diminished, since it has to supply all the resources the WAF needs to function properly. That’s why I recommend testing your site’s performance before and after installing Wordfence and checking whether the performance hit is problematic or not.
When the plugin is activated, the firewall goes into learning mode for a week. This allows the system to understand how your site works and the behaviour of its users. After that, the firewall is configured and optimised automatically. However, you can always block certain actors manually if you notice that the WAF is letting suspicious traffic through.
2.3 Scan
Wordfence scans your site daily for malware and vulnerabilities, including outdated versions of WordPress, your plugins and themes for which updates are available. If an anomaly is detected, you will receive an email alert depending on the severity of the problem.
You can also scan your site manually if you suspect that it has been hacked or if it is not working properly and you want to make sure it is healthy.
2.4 Tools
Wordfence’s tools allow you to view real-time traffic, look up the owner of a particular IP address, import or export plugin settings, and review your site’s full diagnostics.
You don’t need to configure anything in particular in this section as the default settings should be fine. On the other hand, these tools are useful for checking who is visiting your site and accurately monitoring its health.
2.5 Login Security
Login security is paramount in WordPress. With this feature, Wordfence not only allows you to enable two-factor authentication, but also to configure this system for user roles of your choice.
The settings tab will help you further protect your site by disabling XML-RPC or even enabling Google reCAPTCHA. Both of these options are intended to reduce the effectiveness of brute force attacks. These attempt to guess combinations of usernames and passwords to gain access to your site.
In addition to the security risk they pose, these attacks can also have a negative impact on your site’s performance, as they use up your server resources. Separately, the team developing Wordfence has created a lighter plugin that contains only the login security features.
2.6 All options and email alerts
In this section, you will be able to configure all of the plugin’s settings in one place. Here you will find the various firewall, scanner and brute force attack protection options.
It is particularly worthwhile to configure the email alerts to suit your needs, without them becoming too frequent. To do this, you will need to choose the alert level at which you want to be notified. You can also choose not to be notified at all by unchecking the box « Alert me with scan results of this severity level or greater ».
If you update WordPress, your plugins, and themes regularly, you probably don’t need to receive an alert every time an update is available.
On the other hand, if you don’t do this maintenance periodically, these alerts are really useful to remind you to do it. In addition, you have the option of receiving a weekly email report listing the attacks blocked during the week.
3. Conclusion
Wordfence is, in my opinion, one of the essential plugins to install on any WordPress site. It prevents the most common hacks and protects your site comprehensively. There are other good quality security plugins out there, but Wordfence remains the most popular and arguably the most comprehensive.
Which security plugin do you use on your site? Let me know in the comments.