Wordfence Security Plugin – How to secure your WordPress website
WordPress makes up over 30% of websites today, so WordPress security is key. Looking at the 2019 worldwide WordPress statistics:
- Of the top 100 websites in the world 14.7% are WordPress
- 500+ sites are created using WordPress.org each day
- …and every single second 17 new blog posts pop up from WP
So, from an opportunity perspective alone, your WordPress website is a hacking target. Add to this the thousands of updates, hosting options and endless plugins, and we end up with a vulnerability soup.
There are many ways to secure your WordPress site, from the endpoint server through to the entry point, some far more complicated than others – but to keep this tutorial easy we will be focusing on just one, called Wordfence.
It’s simple to implement, it’s easily configurable, it has had over 150 million downloads to date, it features all the key requirements to secure a site, and as of now it’s averaging around 8,000,000 blocked attacks… per hour. Did I mention it’s free for most of your needs? (unless you want to upgrade to the full package)
What does it do?
- ‘Leaked Password Protection’ – Checks the passwords used to log in against known data breaches and blocks logins whose password has been compromised.
- ‘Live Traffic’ – Monitors attackers globally and can actively block their IP addresses.
- ‘Advanced Manual Blocking’ – Allows you to instantly block entire networks of human or bot activity that shows up as suspicious behaviour on your website.
- ‘Country Blocking’ – A paid option, which allows you to block all countries that commonly originate attacks.
- ‘Repair Files’ – Monitors your core WordPress install, alerts you if core files have been affected and recovers them.
- ‘Two-Factor Authentication’ – Allows you to stop brute force attacks altogether.
To install the Wordfence security plugin on your WordPress website, follow these instructions:
- Log in to your WordPress administration console (wp-admin)
- Click on ‘Plugins’ and then click ‘Add New’
- Search for “Wordfence” and locate the plugin, similar to the one shown below
- Click ‘Install’, then click ‘Activate’ when the install has completed.
Configuring Wordfence (Free version)
We make some small configuration changes to the default install to beef up security. On the left of your WordPress admin console menu you will now see ‘Wordfence’; expanding this menu gives you the following options:
- Dashboard – This gives you an overall view of your WordPress health including security blocks.
- Firewall – This is the core component of the security plugin, giving you options to tweak and view the firewall settings.
- Scan – Scanning checks all your website posts, comments, files, themes, plugins, URLs and even users for security issues. Consider it a virus scan for your website.
- Live Traffic – View security related traffic events and block anything that is suspicious. This is an easy way to block script attacks coming from the same IP address.
- Login Security – Set up Two-Factor Authentication to block login security risks. (Requires a 2FA app)
Tweak Firewall > Brute Force Protection
We change ‘lock out after how many login failures’ to 3, and the same for password attempts: 3. We count failures over a period of 5 minutes and lock out any end user who matches this criteria for 1 hour. Login scripting is a common attack and deterring it is important. Just remember to use your correct login information so you do not lock yourself out for an hour.
Tweak Firewall > Rate Limiting
We also set the ‘exceeds’ thresholds to 240 requests per minute for all options; this has no effect on Google crawlers. We do this as a simple way to stop humans or scripts/bots from using unlimited bandwidth on our server by way of request overloading. 240 requests per minute is plenty for any human or bot crawl, and more importantly it is a rate our server can handle.
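To make the two tweaks above concrete, here is an added Python model of the brute force lockout rule (3 failures counted over 5 minutes, locked out for 1 hour) and the rate limiting rule (240 requests per minute per client) replayed over constructed sample data. It is illustrative code written for this article, not Wordfence’s own implementation: the IP addresses, timestamps and the `verified_google` flag are assumptions, and Wordfence’s own method of verifying Google’s crawlers is not modelled.

```python
# Added example: a minimal model of the two Wordfence tweaks described above
# (brute force lockout and per-client rate limiting), replayed over constructed
# log lines. Illustrative code for this article, not Wordfence's own code.
from collections import defaultdict, deque

# Thresholds exactly as the tutorial sets them
MAX_LOGIN_FAILURES = 3      # lock out after this many failures...
FAILURE_WINDOW = 5 * 60     # ...counted over 5 minutes (seconds)
LOCKOUT_DURATION = 60 * 60  # ...and stay locked out for 1 hour (seconds)
REQUEST_LIMIT = 240         # requests per client...
RATE_WINDOW = 60            # ...per minute (seconds)


def _prune(events, now, window):
    """Drop timestamps older than the window so `events` holds only recent ones."""
    while events and now - events[0] >= window:
        events.popleft()


class WordfenceLikePolicy:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> recent failed-login timestamps
        self.requests = defaultdict(deque)   # ip -> recent request timestamps
        self.locked_until = {}               # ip -> time the lockout expires

    def login(self, ip, now, success):
        """'blocked' while locked out, 'locked' when this attempt trips the
        threshold, otherwise 'allowed'."""
        if self.locked_until.get(ip, 0) > now:
            return "blocked"   # even a correct password is refused while locked
        if success:
            return "allowed"   # assumption: a success does not reset the counter
        fails = self.failures[ip]
        _prune(fails, now, FAILURE_WINDOW)
        fails.append(now)
        if len(fails) >= MAX_LOGIN_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_DURATION
            fails.clear()
            return "locked"
        return "allowed"

    def request(self, ip, now, verified_google=False):
        """'throttled' once a client exceeds 240 requests in a minute.
        Verified Google crawlers are exempt; verifying them is assumed to
        happen elsewhere and is passed in as a flag."""
        if verified_google:
            return "allowed"
        hits = self.requests[ip]
        _prune(hits, now, RATE_WINDOW)
        hits.append(now)
        return "throttled" if len(hits) > REQUEST_LIMIT else "allowed"


# Constructed sample of login events: "<unix time> <ip> <user> <OK|FAIL>"
SAMPLE_LOGINS = """\
1700000000 203.0.113.7 admin FAIL
1700000000 198.51.100.2 editor FAIL
1700000010 203.0.113.7 admin FAIL
1700000020 203.0.113.7 administrator FAIL
1700000030 203.0.113.7 admin OK
1700000400 198.51.100.2 editor FAIL
1700000500 198.51.100.2 editor OK
1700003700 203.0.113.7 admin OK
"""


def replay_logins(log_text, policy=None):
    """Feed login events (already in time order) through the policy."""
    if policy is None:
        policy = WordfenceLikePolicy()
    decisions = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        decisions.append((ip, user, policy.login(ip, int(ts), result == "OK")))
    return decisions


def simulate_requests(count, seconds, verified_google=False):
    """Send `count` evenly spaced requests from one client over `seconds`;
    return (allowed, throttled) counts."""
    policy = WordfenceLikePolicy()
    allowed = throttled = 0
    for i in range(count):
        now = i * seconds / count
        if policy.request("203.0.113.7", now, verified_google) == "allowed":
            allowed += 1
        else:
            throttled += 1
    return allowed, throttled


if __name__ == "__main__":
    for ip, user, verdict in replay_logins(SAMPLE_LOGINS):
        print(f"{ip:<14} {user:<14} {verdict}")
    print("300 requests in 60s :", simulate_requests(300, 60))
    print("300 requests in 150s:", simulate_requests(300, 150))
    print("Google crawler burst:", simulate_requests(300, 60, verified_google=True))
```

In the replay, the third failure from 203.0.113.7 within five minutes triggers the lockout, the correct password ten seconds later is still refused (which is why the tutorial warns about locking yourself out), and the same user is allowed in again once the hour has passed. The second client’s two failures are more than five minutes apart, so the first has aged out of the window and no lockout occurs. For rate limiting, 300 requests in one minute yields 240 allowed and 60 throttled, while the same 300 requests spread over two and a half minutes never exceed the threshold.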
The Wordfence security plugin has many other options, but out of the box it performs extremely well as a simple and effective way to help protect your website. Some of our clients have reported 70 to 200 attempts a day being blocked that would normally go unchecked.
For larger scale websites and businesses you can also upgrade to the premium edition, which unlocks full functionality for $99 USD per year, with reduced costs for 2 and 3 year pay-up-front options.