Your website is under threat from many sources, such as hackers and spammers. The Internet lets cybercriminals hack into a website without having to leave their couch: On average, 18.5 million websites are infected with malware at any given time. The average website gets attacked 44 times per day. Of the roughly 90,000 websites that get hacked each day, 83% of them are using WordPress.
That is why you need to take as many steps as possible to ensure that your website is properly protected. As with anything connected to the Internet, security is a significant problem in the field of WordPress too. In fact, just for that reason, the CMS has its own dedicated security team and it’s also why we publish articles like this one.
As a consequence, the WordPress directory includes a range of security plugins. The most famous by far: Wordfence. With more than one million active installations, most users seem to prefer it over every other option.
What is Wordfence?
With more than two million active installs, Wordfence Security — Firewall & Malware Scan is one of the most common security plugins available on WordPress. It combats spam, malware, and other threats in real time. Unlike other plugins, Wordfence Security provides an incredibly user-friendly dashboard. You don’t need to be a tech wizard, have a background in IT, or learn cybersecurity to use this plugin.
Wordfence’s free edition offers several features to keep your website secure. It certainly offers more out of the box than other free security plugins. You get firewall blocking and protection from brute force attacks.
Premium pricing begins at $99 per annum. The premium edition comes with additional functionality such as two-factor authentication, direct customer service and real-time blacklisting of IPs. The real-time IP blacklist blocks requests from any IP address that has targeted another WordPress website that also uses Wordfence. When it comes to your website’s safety and protection, I think this is a pretty good deal.
What can you do with Wordfence?
Wordfence is a free plugin that also offers paid upgrade options. However, the free edition handles everything just fine. Its 3+ million active installs and 5/5 star ratings speak for the success of the plugin.
You’ll find complete details on the last scan and any new updates, along with the Wordfence features that are currently enabled or disabled. Once you begin to see the attack statistics, you clearly understand the importance of, and the need for, a protection plugin for WordPress.
You can see the status of your protection: which Wordfence features are enabled; attacks blocked per day, week and month, both for your site and for the Wordfence network; login attempts; blocked IPs; and the top countries from which your site was attacked (if any).
The dashboard is a great place to get an overview of what has happened to your site and how much interest the hacking community has in taking it down. This way, you can assess the extent of the threat and decide whether you need to take more action or just be extra careful.
The free version of Wordfence comes with basic scanning functionality, but firewall rules and blacklists are delayed by 30 days. Real-time versions are available only when you opt for the Premium edition.
The scan module is amongst the most critical pieces. Here, when you click Start a Wordfence Scan, the plugin will inspect your site for possible security problems so you can fix them. These include:
- Backdoors, malware, and vulnerabilities
- Modified core files
- Unknown files in WordPress folders
- Outstanding updates
- Comments with unsafe URLs
What’s interesting about this is that Wordfence’s developers keep a mirror on their servers of every WordPress version and every plugin and theme that has ever been in the directory. That way, the plugin can compare the files on your server with their mirrored originals and detect anything that has been modified from the original.
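The comparison described above can be sketched as follows. This is an added example, not Wordfence's code or part of the original article: it hashes each file in a site directory and checks it against a manifest of known-good SHA-256 values, reporting modified and unknown files and, going slightly beyond the list above, missing ones. The manifest format, the function names and the miniature site built in `demo()` are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare files under root with {relative_path: sha256} (assumed format)."""
    report = {"modified": [], "unknown": [], "missing": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in manifest:
            report["unknown"].append(rel)       # file the originals never had
        elif sha256_file(path) != manifest[rel]:
            report["modified"].append(rel)      # content differs from original
    report["missing"] = sorted(r for r in manifest if not (root / r).is_file())
    return report


def demo() -> dict[str, list[str]]:
    """Build a constructed miniature site, change it, and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        originals = {  # constructed stand-ins for core files
            "wp-login.php": b"<?php // constructed core file\n",
            "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n",
            "wp-includes/plugin.php": b"<?php // constructed core file\n",
        }
        for rel, data in originals.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = {rel: sha256_file(root / rel) for rel in originals}
        # Simulate changes: one modified file, one added file, one deleted file.
        (root / "wp-login.php").write_bytes(b"<?php // changed after install\n")
        (root / "wp-includes/cache.php").write_bytes(b"<?php // not in manifest\n")
        (root / "wp-includes/plugin.php").unlink()
        return scan_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

A check like this is only as trustworthy as the manifest, which is why the known-good hashes need to come from a source outside the server being scanned.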
You can set the sensitivity, scan frequency, and whitelist files under the Scan Options and Scheduling section. The output scans can also be based on your system.
In addition to the site scan, Wordfence comes with a firewall that holds threats at bay. You will find it under Wordfence > Firewall. The aim is to filter malicious traffic before it reaches your site. The firewall rules are updated in real time in the paid edition, while they are refreshed every 30 days in the free version.
Initially, Wordfence suggests keeping the firewall in learning mode, which is enabled by default. That way, it can learn more about how the website operates and who is supposed to be there and who is not.
It switches to enabled automatically after a week, so there is nothing for you to do. Do click the big Customize Wordfence Firewall button, though. This allows Wordfence to add some entries to your .htaccess file so that a more powerful firewall can run.
Brute Force Protection
Wordfence comes with many options to help deter brute force attacks, including blocking fake Google crawlers while allowing unrestricted access to verified crawlers. With Brute Force Protection enabled, Wordfence defends you by locking attackers out after a few failed attempts to guess passwords.
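The lockout behaviour described above can be illustrated by replaying login events through a failure counter. This is an added example, not Wordfence's implementation: the threshold, counting window, lockout duration, per-IP keying and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3        # assumed threshold ("a few failed attempts")
WINDOW_SECONDS = 300    # assumed window in which failures are counted
LOCKOUT_SECONDS = 900   # assumed lockout duration

# Constructed sample events: (unix_time, source_ip, username, password_ok)
EVENTS = [
    (1000, "203.0.113.7", "admin", False),
    (1010, "203.0.113.7", "admin", False),
    (1015, "198.51.100.4", "editor", False),
    (1020, "203.0.113.7", "root", False),    # third failure: lockout starts
    (1030, "203.0.113.7", "admin", True),    # right password, still rejected
    (1040, "198.51.100.4", "editor", True),  # success resets that counter
    (2000, "203.0.113.7", "admin", True),    # lockout has expired
]


def replay(events):
    """Return one decision per event: 'ok', 'fail', 'lockout' or 'rejected'."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    locked_until = {}               # ip -> time at which the lockout ends
    decisions = []
    for ts, ip, _user, password_ok in events:
        if locked_until.get(ip, 0) > ts:
            decisions.append("rejected")    # credentials not even evaluated
            continue
        if password_ok:
            failures[ip].clear()
            decisions.append("ok")
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - WINDOW_SECONDS:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT_SECONDS
            recent.clear()
            decisions.append("lockout")
        else:
            decisions.append("fail")
    return decisions


if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS)):
        print(event, "->", decision)
```

The fifth event shows why a lockout defeats guessing: once the source is locked out, even a correct password is refused until the lockout ends.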
Under the Block tab, traffic can be blocked by IP address, IP set, browser, hostname, and referrer. However, blocking at the country level is a premium-only feature. All the different blocking rules can be combined and saved as a Block Type.
This makes it nearly impossible for brute force attacks to succeed. If you run several different websites, perhaps through reseller hosting, you may want to implement this in order to save resources.
Wordfence’s free version allows you to block IP addresses, while the paid edition allows you to block entire countries and geographies in addition to individual IPs. A specific IP address, a list of IP addresses, hostname, user agent, referrer, etc. may be blocked.
There’s a live traffic tab that shows a real-time view of the current visitors to your WordPress website. Because the various types of traffic have separate colors, you can easily distinguish what sort of visitor each one is. The plugin also lets you sort the traffic using different filters such as human, crawler, registered user, blocked, locked, etc.
Additional Plugin Features
Here’s what else the plugin can do for you.
Advanced Firewall Settings
The firewall has more to it than its main features. For example, country blocking comes with the premium edition.
That means, if your site receives a lot of attacks from a specific area, you can block that country entirely and even redirect traffic that comes from somewhere else. Then there is the tab for blocked, locked-out and throttled IP addresses.
In the Live Traffic panel, you see all traffic coming to your site, even from non-human users such as crawlers, scripts, and RSS readers.
The view provides alerts for suspicious behavior and can be filtered in several different ways: by registered users, attempts to access inaccessible pages, the login page, and even more granular criteria. This helps you pick up DDoS attacks or unusual amounts of traffic from one IP address. On top of that, Wordfence lets you run a WHOIS for more information on each of the addresses.
I have already mentioned the premium version several times. If you choose to go for it, it will cost you $99/year for one API key. The price gets more affordable with additional API keys and years added to the license.
Besides the features already mentioned above, there are a few more things premium users get:
- Remote scan — The ability to scan the public side of your site for signs of compromise from an external tool.
- Checking site against spam lists — Checks whether links on your site point to pages blacklisted in the Spamvertized and Google Safe Browsing lists, and whether your IP address is sending spam.
- Premium support — WordPress community forums are still available for free. You can contact Wordfence directly with the premium edition, and get support from their experts.
Conclusion: Wordfence is the Best WordPress Security Plugin
Wordfence is by far the most common WordPress security plugin, and deservedly so. Even the free edition provides tons of features to keep WordPress sites secure and off spam lists. The plugin will do its utmost to keep hackers and other suspicious individuals at bay, from an exhaustive security scan to a full-featured firewall to heaps of additional options.
From a user’s viewpoint, you can see where the risks to your site start, and you have plenty of options to make the plugin work according to your needs. Of course, that doesn’t change the fact that security is a complicated problem. Even if Wordfence is very much “load it and forget it,” users will have to do a bit of research to get the most out of the plugin.
So, is this really the best security plugin on WordPress? Well, users certainly seem to think so, and nothing in this review contradicts them.