Do you know WordFence? An extremely powerful plugin to increase the security of your WordPress site!
One of the biggest concerns for anyone who has a website or online application is ensuring its security. After all, it is not new that cyber attacks are growing every day and can bring many problems to people and companies, leading to very large losses. Therefore, keeping application security should be one of the main concerns of a developer and anyone who owns online services, such as a website or e-commerce.
Currently, WordPress is one of the best-known and most used CMS tools for website development. One of the great advantages of WordPress is the possibility of expanding its functionality by installing plugins. And when it comes to security, the Wordfence plugin is the most famous and most used security plugin on WordPress!
What is WordFence
WordFence is a security plugin for WordPress. It is currently the best-known and most-used security plugin by the WordPress community.
WordFence offers a Free (free) and a Premium (paid) version. Although there are two versions, the Free version of WordFence already provides several features that are enough to keep your WordPress security level high.
How does WordFence Security protect my WordPress Site?
The WordFence plugin includes an endpoint firewall and a malware scanner, developed exclusively to protect WordPress. It is constantly updated with the latest firewall rules, malware signatures and has a huge data catalog containing malicious IPs to keep your website safe.
WordFence includes a Web Application Firewall (WAF) capable of identifying and blocking malicious traffic. WAF runs on the terminal, so it can integrate deeply with WordPress. A big difference of Wordfence is that it doesn’t break cryptography, it can’t be bypassed and it can’t leak data.
In addition, WordFence has an integrated Malware Scanner, which acts to block requests that include malicious code or content. Wordfence protects your WordPress from brute force attacks by limiting login attempts and enforcing strong passwords, in addition to other security measures for login authentication.
The Premium (paid) version also includes other advantages, making WordFence even more powerful. Among them, we can highlight the possibility of updating firewall rules in real-time, malware signature, IP blacklist in real-time, and others.
Key Security Features of WordFence Security
WordFence has several security features, however, some of these are considered the most important by the community and even the company.
Password Protection and Password Leakage
One of the biggest concerns when it comes to security is precise to guarantee the confidentiality of passwords, preventing anyone from accessing your website or application. Wordfence includes protection against this specific threat. This feature allows you to block logins from administrators who use compromised passwords. Thus, if an administrator has his password recognized as a compromised password, it will be necessary for him to reset his password to be able to log in.
It is noteworthy that this feature was made possible through the integration of WordFence Login security into the database provided by Troy Hunt’s Pwned Passwords API. This API has a huge list containing millions of compromised passwords.
With these features Wordfence allows you to monitor various traffic information such as:
- Watch hackers/cyber criminals trying to break into your website in real-time. This way you can monitor attack attempts that are not shown in other traffic viewers and still identify their locations, IP address, and time/date of the attack.
- Identify who is joining and leaving your site and their actions, in real-time. Through this, you can better observe the actions of visitors, and, if you suspect attacks, you will be able to better handle the creation of strategies to limit these threats. In addition, it is still possible to check the location, IP address, and time and date of users’ actions.
- Although Wordfence’s focus is on security, it is also capable of analyzing in real-time your Site’s crawling by Google. This is a very interesting feature, especially for SEO strategies. And it also allows you to identify possible problems such as non-existent page tracking or even the absence of robots.txt files.
- Protect your intellectual property against content theft. That is, with this feature, you guarantee control over your content.
- Block real-time trackers. WordFence can identify the actions of crawlers (such as crawlers) that present threats, and thus block whatever is causing these problems.
Advanced Blocking Features
WordFence offers powerful options that allow you to manually block traffic from any source. This way, you can quickly and efficiently prevent threats to the website’s security.
So, with these features, you can block things like entire malicious networks, or suspicious human or robot activity, among others. In addition, wordfence allows you to perform IP blocking simply, without having to modify the .htaccess file directly to block IPs.
Wordfence allows you to create several blocking rules such as:
- block IP address ranges (such as malicious networks);
- web browsers and specific browser standards;
- reference sites
In addition, you can still make rules containing combinations of the above rules.
It is also worth noting that Wordfence allows you to perform country blocking, implementing security based on geographic protection.
WordFence’s country lock is designed to stop an attack, prevent content theft, or stop malicious activity originating from a geographic region. This is a great advantage, as it is very common for certain cybercriminals to use a region to generate their attacks. Also, you can restrict regions that are involved in malicious activities. In addition to doing all this extremely quickly and effectively.
File Repair Features
Another very important feature that Wordfence brings with it is File Repair.
This feature is capable of identifying corrupted files, in addition to verifying the changes made and repairing them. Wordfence checks the source code analyzes changes that have occurred and repair files that have been attacked by malicious actions.
If you were to do all this manually, it would be necessary to use some system to analyze the security flaws and repair the files one by one, which demands high technical knowledge.
In other words, Wordfence checks your main files, themes, and plugins, comparing them to what is stored in the official WordPress repositories, and with that, it manages to maintain the integrity of your files!
With Wordfence’s file repairer you can see how your files have changed, you can download the original file and compare it with the current one, and you can even preview and repair the files by replacing them with an original version.
One of the most effective ways to permanently prevent brute force attacks is through two-factor authentication. Nowadays, most people already know this feature, as it is widely used in various applications and services, such as banks, social networks, and others.
But, in short, it is a type of authentication that requires the user not only to enter a password but also to perform a second action that only he would have access to information. Therefore, this greatly increases the security of the application, and even if an attacker were able to discover your username and password, he would not be able to access it.
Wordfence takes advantage of this feature to increase the security of your WordPress. Thus, it allows you to use a TOTP authentication service, such as Google Authenticator, Authy, FreeOTP, 1Password, and others. You can then enable two-factor authentication for your WordPress and ensure the integrity of logins performed.
How to Install WordFence Security
Now that you know what WordFence is and what it is capable of doing, we’ve finally arrived at installing this plugin!
The first thing you should do is access the WordPress Admin Panel, usually via the URL “ /wp-admin ”. Log in normally.
Later, in your WordPress Administration panel, look in the sidebar for the “ plugins ” option and select “ add new ”.
On this next screen, select the search bar and search for “ Wordfence Security ”.
Now just identify the Wordfence Security plugin, and click on the “ Install now” option.
Please wait a few moments for the installation to complete. After performing the installation, you will need to activate the plugin. Probably, once the installation is complete, a button will appear as in the image below, with the option to “ activate ”, so just click on it and Wordfence will be activated in your WordPress.
Finalizing Wordfence Security Plugin Activation
Once you activate the plugin, you will be redirected to the WordFence administration page. As this is your first time installing the plugin.
You can enter your email, to receive WordFence information. It is also optional that you choose to join the WordFence mailing list, where they send updates and plugin information via email.
To proceed, accept the Wordfence terms and privacy policies (read them first), and click on the “continue” option.
Later, you will be presented with the screen asking you to enter your Premium Key. This option is to enter the key you received when purchasing the premium version of WordFence. If you have done this, just insert the key and click “install”. But if you haven’t purchased the key and want to use the Free version of Wordfence, just select the “No Thanks” option.
With these steps, your WordFence Security plugin is already installed and activated on your WordPress.
WordFence Settings to make your WordPress more secure
After finishing the installation and activation of Wordfence on WordPress, now you just need to configure it for your needs.
Of course, wordfence has several features, some simpler and others more advanced. To have better use of Wordfence, the ideal is that you know the tool.
By default, Wordfence already has some basic settings. That way, just by installing and activating the plugin, you already guarantee greater security in your WordPress.
If you see a message like an image below asking for permission to activate Wordfence’s automatic update, we recommend that you allow it. So, just click “Yes, enable auto-update”.
All tutorials and configuration tips found here can be used in Wordfence in its Free (free) version.
Optimizing the Firewall
But let’s improve even more. Access the Wordfence dashboard.
Once you log in for the first time, some mini-tutorials are likely to appear, just click “next” or “got it”. While accessing it for the first time, you should see a message right at the beginning of the dashboard for you to configure the Web Application Firewall (WAF), so click on the “ click here to configure ” option.
On the next screen, and autodetection of your server will be performed. Confirm that it is correct, if not, select the correct option for your server. Also, click on the Download option to download your “ .htaccess ” file and keep it as a backup. Then just click on the “Continue” option.
Okay, now your WAF is pre-optimized and configured. Finally, click on the “close” option.
Firewall Learning Mode and Protection Mode
Although we’ve already left the WAF pre-optimized, we have a great tip for you. So just follow this tutorial to keep your Firewall performing even better!
First, select the option “ Firewall ” of Wordfence to access the Firewall dashboard.
Then select the “ manage firewall ” option.
On this screen, look at the “Web Application Firewall Status”.
It will likely be set to the “ Learning Mode ” option. In other words, the WAF will be learning about your website, understanding how it works.
Therefore, we recommend that you keep in the “ learning mode” during the development of your website and after you have completed all the necessary installations, such as plugins and other tools.
However, if your site is already finished and online, we recommend that you leave it in learning mode for about 5 to 7 days. After that, change the mode to “Enabled and Protecting ”.
After making this change, don’t forget to click on “ Save Changes ”.
Ready! With this, your Firewall will be much more optimized and will guarantee greater performance and greater security for your WordPress.
Configuring Wordfence Brute Force Protection
On the WordFence Firewall Dashboard, there is a tab called “Brute Force Protection ”. In other words, in this part, you can make some settings to protect your website from Brute Force attacks.
Among the settings, if you don’t have much knowledge, you can leave everything at the default. However, some settings deserve some attention.
Lockout after how many login failures: In this setting, you can set the limit of login attempts a user can make. Therefore, if the user exceeds this limit, he will be blocked. We recommend that you restrict between 3 to 5 attempts.
Lockout after how many forgot password attempts: Represents how many times the user can miss the password. As with the previous configuration, we recommend restricting between 3 and 5 attempts.
Count failures over what time period: Represents the period in which failed login attempts are counted. We recommend leaving between 4 and 6 hours.
Amount of time a user is locked out: Represents the time the user will be locked out. For this case, the choice is very personal, but we recommend at least a period of 1 day (24 hours).
Basically, these are our recommendations. In addition to these, you can keep the rest of the brute force protection settings as default or, if you know what you’re doing and prefer, you can choose to customize them.
Extra Tip for Brute Force Protection
Here’s another very interesting tip: There is the option for you to automatically block a user who enters certain usernames. This is very interesting because most attackers usually test the “ admin ” user right from the start. So here are two recommendations:
- 1- Do not create a user called “admin” in your WordPress
- 2- Add this username for immediate blocking
To block it, just go to the options box ” Immediately block the IP of users who try to sign in these usernames “, type the username, such as “admin”, and finally press the “enter” key.
Don’t forget to click on “ Save Changes”.
Now, let’s do a Scan of our WordPress. To do this, on the Wordfence side menu, select the “Scan” option.
Later, on the Scan dashboard, click on the “Start New Scan” option to start a Scan of your WordPress.
This procedure may take a while. So, wait and don’t close your browser window until the scan is finished.
By doing this, Wordfence will be scanning your website for errors or security issues. If found, it will be informed on this screen and will also bring suggestions. Just make the corrections you find necessary!
Scanning should be done whenever you find it necessary. For sites with low traffic volume maybe twice a month is enough. Ideally, however, you want to scan daily or at least weekly.
Login Security – Two-Factor Authentication
By accessing the Wordfence “Login Security” menu, you will be able to make changes to the Login Security settings, such as Two-Factor Authentication.
Once you enter the Login Security option, you will find a dashboard.
In this step, you can register two-factor authentication. Then, access the authentication app you use or prefer from your smartphone, such as Google Authenticator. Then, read the QR Code that is displayed on the Wordfence screen.
It is also very important that you download the recovery code, and keep it in a safe place, as if you have problems with two-factor authentication, you can use it to recover your account. So just click Download.
Finally, just type the code shown in your two-factor authentication application in the requested field, and then click on “ activate ”.
That’s it, this way two-factor verification will be enabled for your account!
With that, we end this article and tutorial! Following the steps explained, you will be able to install and activate WordFence, as well as configure the main security features. That way, you’ve just managed to make your WordPress more secure!
Therefore, in addition to using a good security application like Wordfence, you must know the hosting company where you will host your site. Hosting servers must follow proper security standards, ensuring the reliability of their services!
For website maintenance service contact us.