A hacked website can cause a lot of damage. As with all systems designed for web use, security is an important issue for WordPress. The market offers some plugins to increase the security of a WordPress website. By far the most popular is Wordfence. In this article you will learn what Wordfence can do and how to configure the security plugin.
What is Wordfence Security?
With more than 22 million downloads, Wordfence Security is by far the most popular WordPress security plugin. Wordfence delves deep into the system, scans the website for vulnerabilities, notifies the user via email in case of suspicious activity, provides advanced login security measures and much more. The plugin is basically free of charge. However, if you want to rely on advanced features, you may consider the paid premium version.
Setting up the Wordfence Security Plugin
First we have to install and activate the security plugin. We have described how this works in detail in our guide for installing plugins with WordPress. Once the plugin is activated, the following notification will appear on your dashboard:
As mentioned above, Wordfence will notify you about suspicious activity on your website. To receive future security alerts, you can enter your email address in the field provided and click Get Alerted to confirm. You can also subscribe to the Wordfence newsletter. If you don’t want to do so, click on the checkbox to remove the blue tick.
Configuration of the Wordfence Security Plugin
The installation is not quite done yet. Wordfence needs to be configured. Our first stop is the Wordfence Dashboard, which we reach via the newly added tab (Wordfence > Dashboard). Here we can find all kinds of things related to Wordfence and the security of our website.
The dashboard shows you which Wordfence features are enabled, how many attacks were blocked, the number of logins, the blocked IPs and, if the site was attacked, the country the attack came from. This information is particularly relevant for us, as we can use it to derive necessary security measures.
Step 1: Website scanning with Wordfence
To check our website for possible security holes, we navigate from the dashboard to Wordfence > Scan and start the Wordfence Scan. We can think of it in a similar way to a computer that we scan with an anti-virus program.
As soon as we click on the button, the security scan starts. The plugin checks if there are unknown files in the WordPress folders and checks the existing ones for possible changes. In addition, Wordfence specifically searches for comments with unsafe URLs or pending updates.
If the scanning process detects possible problems, the plugin will offer you solutions. You can either delete the affected file, restore it to its original state or simply ignore the problem. Ignoring it makes sense, for example, if you have deliberately changed the file. Deleting a file can cause the website to become inaccessible. Therefore, you should only delete files if you are familiar with them and can assess the risk.
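The kind of check this step describes (unknown files and changed files), as an added example that is not Wordfence's code and not part of the original article: it records SHA-256 hashes of a known-good tree and compares a later state against them. The sample files, the function names and the baseline-manifest approach are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        while chunk := fh.read(65536):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a trusted baseline and the current tree."""
    shared = baseline.keys() & current.keys()
    return {
        "unknown": sorted(current.keys() - baseline.keys()),
        "missing": sorted(baseline.keys() - current.keys()),
        "modified": sorted(n for n in shared if baseline[n] != current[n]),
    }


def demo() -> dict:
    """Build a constructed sample tree, change it, and report the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php // constructed sample\n")
        (root / "wp-includes" / "version.php").write_text("<?php $v = '1';\n")
        baseline = build_manifest(root)  # taken while the site is known-good
        # Simulate later changes: one edited file and one new, unexpected file.
        (root / "index.php").write_text("<?php // edited after baseline\n")
        (root / "wp-includes" / "extra.php").write_text("<?php // new file\n")
        return compare(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

A file reported as modified is not necessarily malicious; as the article notes, a deliberate edit produces the same finding.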
Step 2: Limit login attempts
With so-called brute force attacks, hackers try to obtain access data by automated trial and error. This involves using various combinations of user names and passwords to log into a system. To make it as difficult as possible for hackers, you should rely on complex access data for your blog. We have already described how to change your username and password in our article on WordPress Security. It also makes sense to limit the possible login attempts. For this purpose we go to Wordfence > Options and scroll down almost all the way to Login Security Options.
The settings provided by Wordfence are basically quite solid. A user can make 20 login attempts within 5 minutes before being blocked by the system. Since brute force attacks usually send login attempts every few seconds, the 20 attempts are reached in well under 5 minutes. If you want to play it safe, you can reduce the number of login attempts to 10.
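How such a limit behaves, as an added example that is not Wordfence's code and not part of the original article: a sliding-window counter applied to constructed failed-login events, with the 5-minute period and the limits of 20 and 10 taken from the text. It assumes each event is a failed attempt and that the block happens when the count reaches the limit; the IP addresses are documentation-range placeholders.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 5 * 60  # counting period from the article


def first_lockouts(events, limit, window=WINDOW_SECONDS):
    """Return {ip: timestamp} of the moment each IP reaches `limit`
    failed logins inside a sliding `window`. `events` is an iterable of
    (timestamp_seconds, ip) tuples sorted by time."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    locked = {}
    for ts, ip in events:
        if ip in locked:
            continue              # already blocked, further attempts ignored
        q = recent[ip]
        q.append(ts)
        while q and q[0] <= ts - window:
            q.popleft()           # drop failures older than the window
        if len(q) >= limit:
            locked[ip] = ts
    return locked


def sample_events():
    """Constructed sample data: one automated source, one forgetful user."""
    bot = [(i * 3, "203.0.113.7") for i in range(100)]         # every 3 s
    human = [(t, "198.51.100.4") for t in (10, 40, 400, 900)]  # 4 typos
    return sorted(bot + human)


if __name__ == "__main__":
    for limit in (20, 10):
        print(limit, first_lockouts(sample_events(), limit))
```

With one attempt every 3 seconds the automated source is blocked after 57 seconds at a limit of 20 and after 27 seconds at a limit of 10, while the user with four scattered typos is never blocked.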
Step 3: Optimize Firewall
Another important security feature is the Wordfence Firewall. We can find it under Wordfence > Firewall.
The purpose of the firewall is to filter out unwanted visitors so that they do not get to the website. Initially, the security plugin recommends keeping the firewall in learning mode, which is already enabled by default. This way the system learns about our website and its visitors. This is necessary so that the plugin can separate “good” from “bad” visitors. In the premium version, the rules are updated in real time, while the free version is updated every 30 days. After one week Wordfence automatically switches off the learning mode and applies the learned rules.
Protect WordPress website with the Wordfence Security Plugin – Conclusion
Even in the free version, Wordfence offers many features to keep hackers at bay. With such an extensive feature list, however, the question arises how easy the plugin is to use. Since WordPress security is a complex issue in itself, you need a basic understanding of how hackers work. This is the only way to really configure the plugin. What we like is that every setting and its effect is explained. This way, at least the basics can be worked through quickly with a little effort. In addition, the preset settings provide solid protection, so that even after installation alone, there is already protection against unwanted access.
Is Wordfence rightly the most popular WordPress security plugin? What do you think about it? If you use Wordfence, we would like to know what your experience with it is. Write it in the comments!