In the previous lesson, we talked about raising security awareness. One way to do so is to use the Wordfence plugin.
With over 2 million active installs, this plugin has a proven record of securing sites, removing malware and stopping a huge number of attacks. The interface is robust, and it provides many security measures that raise the protection of your whole WP site. Some of our favorite security measures include:
- Brute force protection
- Virus/Malware removal
- Keeping you off the Google SEO blacklist
In this lesson, we will cover the most important features that are essential for protecting your website. We will begin by going through the plugin's configuration step by step.
Wordfence Security – Installation And Configuration
You can install Wordfence Security like any other plugin from the WordPress plugins repository (Open your WP Admin -> Plugins -> Add New -> Search for Wordfence). It has a free version that is more than enough for securing your website.
You don’t need to spend money on the premium license unless you want some of the advanced security measures, such as two-step authentication, blocking specific countries, password auditing, etc.
After activation, you will be asked to enter your email address for receiving emails about the security of your website. This way you will be notified whenever someone is trying to harm your site.
- Put your primary email
- Select YES
- Check the box
- Click Continue.
On the next screen, just click on No Thanks.
- Now navigate to the Wordfence menu on the left.
- Enable auto-update
- Start optimizing the Wordfence Web Application Firewall by clicking on Click Here To Configure.
Download the .htaccess server file when prompted, then click Continue.
And that’s it. You are now done configuring the basic Wordfence settings. You can close this window.
Configuring the Wordfence Firewall
After the successful installation, navigate to Wordfence -> Firewall.
From here you can further configure the Wordfence Firewall. There are 4 main sections:
- Rate Limiting
- Blocking
- Help
- All Firewall Options
1. From the Rate Limiting section, you can increase how long an IP address that breaks the rules stays blocked, for example to 30 minutes.
2. From the Blocking section, you can see all IPs that have been blocked, locked out from logging in, or “throttled” for accessing your site too frequently. You can also manually block an IP address from accessing your site.
Country blocking is a premium feature. Wordfence’s country blocking system is an effective way to prevent attacks or any other activity from a particular geographic region.
From the Custom Pattern tab, you can block a range of IP addresses that match specific criteria.
3. Help – Here you can find the complete documentation for using the Wordfence plugin.
You get free support (which can take up to 4-5 days to respond) or premium support (which responds within 3-4 hours).
4. All Firewall Options – Used for further configuration; we mostly use the brute force protection settings from here.
From the Brute Force Protection section, lower the number of allowed failed login attempts from 20 to 5, or even 3 if you want to be extremely careful.
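To make the effect of these two settings concrete, here is an added example (written for this lesson, not Wordfence’s own code) of the lockout logic that a login-protection feature like this implements: failed attempts per source IP are counted, and once they reach the threshold the IP is blocked for the configured duration, even if the next attempt carries the correct password. The 5-failure threshold and 30-minute lockout come from the text; the 5-minute counting window, the class and function names and the documentation-range IP addresses are assumptions of the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLockout:
    """Per-IP failed-login counter with a timed lockout (example implementation).

    max_failures: failures allowed before the IP is locked (text: 20 -> 5 or 3)
    lockout:      how long a locked IP stays blocked (text: 30 minutes)
    window:       how far back failures are counted (assumption for this example)
    """

    def __init__(self, max_failures=5, lockout=timedelta(minutes=30),
                 window=timedelta(minutes=5)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lock expires

    def _prune(self, ip, now):
        # Drop failures older than the counting window.
        recent = self._failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # The lock has expired: forget it and start counting fresh.
            del self._locked_until[ip]
            self._failures[ip].clear()
            return False
        return True

    def record_attempt(self, ip, success, now):
        """Process one login attempt and return 'locked', 'allowed' or 'failed'.

        A locked IP is rejected even when the credentials are correct, which is
        what makes the lockout effective against password guessing.
        """
        if self.is_locked(ip, now):
            return "locked"
        if success:
            self._failures[ip].clear()
            return "allowed"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return "locked"
        return "failed"


def simulate_guessing_burst(max_failures=5, lockout_minutes=30):
    """Constructed scenario: one IP fails max_failures times in a row, then
    tries the right password during and after the lockout. Returns the
    outcome of each attempt in order."""
    lk = LoginLockout(max_failures=max_failures,
                      lockout=timedelta(minutes=lockout_minutes))
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ip = "203.0.113.7"  # constructed address from the documentation range
    outcomes = [lk.record_attempt(ip, False, t0 + timedelta(seconds=i))
                for i in range(max_failures)]
    # Correct password one minute later: still inside the lockout.
    outcomes.append(lk.record_attempt(ip, True, t0 + timedelta(minutes=1)))
    # Correct password after the lockout has expired.
    outcomes.append(lk.record_attempt(
        ip, True, t0 + timedelta(minutes=lockout_minutes + 1)))
    return outcomes


def simulate_spaced_failures(window_minutes=5):
    """Constructed scenario: four failures, then a fifth one well after the
    counting window has passed. The old failures no longer count, so the
    fifth is just another failure rather than a lockout."""
    lk = LoginLockout(max_failures=5, window=timedelta(minutes=window_minutes))
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ip = "198.51.100.9"  # constructed address from the documentation range
    for i in range(4):
        lk.record_attempt(ip, False, t0 + timedelta(seconds=i))
    return lk.record_attempt(ip, False, t0 + timedelta(minutes=2 * window_minutes))


if __name__ == "__main__":
    for i, outcome in enumerate(simulate_guessing_burst(), 1):
        print(f"attempt {i}: {outcome}")
```

Lowering the threshold from 20 to 5 shortens the first list of outcomes accordingly, and raising the lockout to 30 minutes is what turns a guessing burst into a long wait between every handful of attempts; the counting window matters too, because without it a legitimate user who mistypes once a week would eventually be locked out.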
Scanning – Scan Your Website Regularly
What you may want to do often is to scan your website for any potential threat.
It will take some time and some memory on your server, but you will get a detailed activity log and a report of all potential issues. For each issue, the plugin also suggests a quick fix, which we advise you to consider applying. The scanner may also flag things that are not very dangerous, such as a plugin or theme that needs updating.
If you are using the free version of Wordfence, the plugin makes quick scans automatically once per day (and full scans – every 72 hours).
You can also schedule scans manually (a premium feature for paid customers).
From the Tools menu, there are 5 features:
- Two Factor Authentication (increased security using your mobile phone) – Premium Feature
- Live Traffic (see what is happening on your site in real time)
- Whois Lookup (see who owns an IP address or domain name that is visiting your website)
- Import/Export Options (for cloning one site’s configuration to another)
- Diagnostics (information that can be used for troubleshooting conflicts, configuration issues, or compatibility with other plugins, themes, or a host’s environment.)
- Live Traffic – This option is useful when you want to see what is happening on your site in real time. You can also see if someone is hammering your website with a lot of requests and block their IP.
- Whois Lookup – The “whois” service is an Internet service that lets you look up who owns an Internet resource (an IP address or website). For example, if someone is trying to attack your site, you can take their IP address, perform a Whois Lookup and block their entire network.
Some of these options can also be found in the other relevant sections of the plugin configuration. This page is provided so experienced Wordfence users can set everything up in one place.
From here you can hide the WordPress version so that attackers have a harder time identifying it.
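After saving, it is worth checking what the rendered page still reveals. Here is an added example (not part of the lesson or of Wordfence) that scans a page’s HTML for the usual places the WordPress version shows up: the generator meta tag, and ver= query parameters on asset URLs under /wp-includes/ and /wp-content/. The sample HTML snippets are constructed for the example, and the function and variable names are its own. The generator tag is what this option is about; whether ver= values remain depends on your theme and plugins, so the check reports them separately rather than giving a single yes/no.

```python
import re

# Constructed sample of a WordPress page head before the version is hidden.
HTML_BEFORE = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://example.com/wp-content/themes/sample/app.js?ver=1.0.3"></script>
</head><body></body></html>"""

# Constructed sample of the same head after the version has been hidden.
HTML_AFTER = """<html><head>
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://example.com/wp-content/themes/sample/app.js"></script>
</head><body></body></html>"""

# <meta name="generator" content="..."> as WordPress emits it
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# src/href pointing under wp-includes/ or wp-content/ with a ver= query parameter
ASSET_VER_RE = re.compile(
    r'(?:src|href)=["\']([^"\']*?/wp-(?:includes|content)/[^"\']*?\?(?:[^"\']*&)?ver=([^"\'&]+))',
    re.I)


def version_leaks(html):
    """Return a list of (kind, value) findings; an empty list means nothing found."""
    findings = [("generator-meta", m.group(1)) for m in GENERATOR_RE.finditer(html)]
    for m in ASSET_VER_RE.finditer(html):
        findings.append(("asset-ver", m.group(2)))
    return findings


def wordpress_version_hidden(html):
    """True when no generator meta tag remains. Asset ver= values are only
    reported by version_leaks(), since some belong to themes or plugins
    rather than to WordPress itself."""
    return not GENERATOR_RE.search(html)


if __name__ == "__main__":
    for label, html in (("before", HTML_BEFORE), ("after", HTML_AFTER)):
        state = "hidden" if wordpress_version_hidden(html) else "exposed"
        print(label, state, version_leaks(html))
```

To use it on your own site, save the homepage HTML to a file (for example with curl) and pass its contents to version_leaks(); comparing the output before and after enabling the option shows exactly what the setting removed and what your theme or plugins still emit.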
Also, you can whitelist your Admin IP to prevent locking yourself out.
When you are done configuring click on Save Changes at the top of the page.
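Live Traffic and the manual blocking options above come down to two pieces of logic: spotting a source that sends far more requests than a visitor would, and deciding whether an address is blocked, with the whitelisted admin IP always winning so you cannot lock yourself out. The following is an added example of both, written for this lesson rather than taken from Wordfence. It runs over a few constructed access-log lines in the common log format; the threshold, the one-minute window, the class and function names and the documentation-range addresses are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (common log format). 203.0.113.7 fires 15
# requests at one endpoint within 15 seconds; 198.51.100.5 browses normally.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i:02d} +0000] '
     f'"POST /xmlrpc.php HTTP/1.1" 200 321' for i in range(15)]
    + ['198.51.100.5 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5120',
       '198.51.100.5 - - [10/Oct/2023:13:55:44 +0000] "GET /about/ HTTP/1.1" 200 4010',
       '198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "GET /contact/ HTTP/1.1" 200 3890',
       'this line is garbage and must be skipped']
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never trusted
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bursts(entries, max_requests=10, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs exceeding max_requests in any sliding window."""
    times_by_ip = defaultdict(list)
    for ip, ts, _method, _path, _status in entries:
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old requests
            count = end - start + 1
            if count > max_requests:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


class AccessPolicy:
    """Allow/block decision over CIDR ranges. Whitelist entries are checked
    first so an administrator's address can never be blocked, even if a
    broad block range accidentally covers it."""

    def __init__(self, whitelist=(), blocklist=()):
        self.whitelist = [ipaddress.ip_network(n, strict=False) for n in whitelist]
        self.blocklist = [ipaddress.ip_network(n, strict=False) for n in blocklist]

    def decide(self, ip):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "allow"
        if any(addr in net for net in self.blocklist):
            return "block"
        return "allow"


def review_sample(policy=None):
    """Run the detector over SAMPLE_LOG and report {ip: (peak count, decision)}."""
    policy = policy or AccessPolicy(whitelist=["192.0.2.10/32"],
                                    blocklist=["203.0.113.0/24"])
    bursts = find_bursts(parse_log(SAMPLE_LOG))
    return {ip: (peak, policy.decide(ip)) for ip, peak in bursts.items()}


if __name__ == "__main__":
    for ip, (peak, decision) in review_sample().items():
        print(f"{ip}: {peak} requests in one minute -> {decision}")
```

The block list here holds a whole /24 to mirror the “block their entire network” step; putting the admin address in the whitelist first is what keeps a too-wide range, or a typo in it, from locking you out of your own site.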
Pros And Cons Of Wordfence Security
If the security of your WordPress site is of great importance to you, consider using this plugin. As we covered in this lesson, it provides many handy features that can make your life easier when dealing with attacks.
The only notable downside is that it needs more of your server’s memory to perform scans, but if you don’t mind the required memory usage (which can be limited, for example to no more than 256 MB) then you don’t need to worry about overloading your server.
The options are pretty much self-explanatory and well-documented.