The security of the WordPress content management system is a much-discussed topic. WordPress runs more than 35% of websites all over the Internet , making it a clear target for hackers. Thanks to the possibility of easily extending the system using third-party plugins and thus getting basically any code into the web, this fight is very difficult for WordPress itself.
Fortunately, there are many techniques, recommendations, and plug-ins to secure WordPress from hacking attacks to prevent site attacks. One important part of WordPress security is the Wordfence Security plugin.
Wordfence Security – web security plugin
If you are serious about securing your WordPress site, Wordfence Security is a plugin that should not be missing in any WordPress installation . Together with the iThemes Security plugin, it is one of the most widely used security plugins.
Wordfence is a kind of antivirus for your site . Use a firewall to protect it from force brakes ( brute force ), DDOS attacks , and search for malware (malicious code) throughout the app and much more.
The plugin is offered for free in the basic version, which is sufficient for most web applications. You can find out what the paid Premium version offers at the end of the article.
Basic Wordfence Security features
One of the most important features of the Wordfence Security plugin is its PHP-based firewall , so it’s not a problem to use it on every WordPress site. There is no need to use external services (eg Cloudflare) and perform complex configurations.
Firewall protects your site from attackers trying to find a security hole , perform DDOS or force / brute-force attacks that for example, trying to guess the password to log in to the administration.
Scan for security issues
Wordfence scans the system state at regular intervals. For example, all tests include checking the version of WordPress, its plugins , monitoring changes to all files and the presence of malicious code ( mallware ), checking security settings, user accounts, and more.
In case of problems, you are notified by e-mail and you can solve the problem immediately.
How to install Wordfence Security
The Wordfence Security plugin can be installed easily via web administration in Plugins & gt; Install plug-ins , type “ Wordfence Security ” into the search.
Once installed, just Activate the plugin and that’s it. The plugin will now, without any further settings, begin to perform its function and protect your website.
At a minimum, however, I recommend setting up an email address for notifications . You will receive news about the security of the website and warnings about possible attacks / attacks. This address can be set right in the welcome modal window, which pops up after activating the plugin. You can skip the second part for entering the license key, it only applies to the Premium version.
Recommended Wordfence plugin settings
As I mentioned, Wordfence will be fully operational as soon as it is activated. Nevertheless, I personally make some additional settings.
General Wordfence settings
1. Disable automatic updates
First, I recommend disabling automatic plugin updates. You will be asked for this immediately after its activation. In general, automatic updates can sometimes cause a problem with WordPress plugins and cause the site to malfunction on its own. I always perform updates myself and manually, so I can immediately resolve any issues that may arise after the update.
2. Edit email notification settings
Because I already manage more than a hundred websites running on WordPress, email notifications can greatly spam your inbox, losing their purpose.
For this reason, I recommend setting up Wordfence & gt; All Options :
- Set up email alerts only when a problem is found with a level higher than High
(/ Alert me with scan results of this severity level or greater)
- Disable notifications when an administrator logs in to the site (Alert me when someone with administrator access signs in)
- Disable sending weekly security summaries < em> (Enable email summary)
3. Scan level settings
By default, Wordfence scans for possible problems at the Standard Scan level. I want a calm soul for my projects and set the High Sensitivity level in Basic Scan Type Options . As a result, far more tests are performed during the scan and may reveal problems that the standard level does not address.
Advanced firewall protection settings
Wordfence is loaded as a regular plugin within the system. This means that its firewall protection does not take place until the plugin is loaded, which can sometimes be too late. A lot of other code and calls are made before loading plugins, which can be used by attackers to attack. In addition, scripts are not protected at all outside of the WordPress installation.
The solution to this problem is to set the Wordfence firewall to load automatically before each call to .php scripts. This can be done by setting the auto_prepend_file property in the php.ini configuration.
Some hosts allow you to set this feature within .htaccess , without having to interfere with your hosting configuration. The Wordfence wizard in web administration will serve you well for this. For example, click the Optimize the Wordfence firewall button in the firewall settings.
Extended firewall protection settings for Wedos
With Wedos hosting, I’ve encountered an issue where Advanced Firewall Protection using the Administration Wizard doesn’t work. This is because Wedos does not allow the auto_prepend_file property in the .htaccess file to be overwritten.
The only option is to set this value directly in the Wedos webhosting administration, where the PHP Configuration page is. Here, in the field for the auto_prepend_file property, we set the path to the wordfence-waf.php file, which will be loaded automatically each time .php scripts are called. The path is relative to the web hosting root of your site, so be careful not to start with a slash / (otherwise the site will crash when the page loads).
Unlike other hostings, however, Wedos has the problem that setting auto_prepend_file globally for the entire hosting does not solve the problem for subdomains and aliases. Therefore, advanced firewall protection will only work for the main domain.
Google reCaptcha in WordPress using Wordfence
A great feature of the Wordfence plugin is setting up login page protection with Google reCaptcha v3. Version 3 is “invisible” and requires no action on the part of the average user (e.g. checkbox, image selection semaphore, etc.) can protect the login form from robots.
You can set up Google reCaptcha in Wordfence & gt; Login Security & gt; Settings , where you need to enable this feature and enter the API keys for this service. You can Create an API key for Google reCaptcha for free directly in the administration of this service .
What does the paid version of Wordfence Premium offer?
Wordfence is absolutely sufficient in its free version, which will easily protect your website. Nevertheless, it is possible to buy a premium version for $ 99, which offers, among other things, the following:
- Firewall and scan rules for mallware are updated in real time. The free version updates the rules once every 24 hours.
- Country blocking, which allows you to deny access to the login page or the entire site from selected countries. In the free version, you can only block individual IP addresses.
- Real-time IP address blocking. Thanks to hundreds of thousands of installations, Wordfence has a huge database of IP addresses from which attacks are carried out. The premium version can use this information to automatically block these IP addresses before attempting to attack your site.
- Possibility to plan the inspection interval, which in the basic version takes place once every 24 hours (thorough inspection once every 72 hours).
- Premium support will allow you to solve any problems with Wordfence within 24 hours of submitting the ticket.