A website or blog without a security plugin is like a castle without guards. This matters even more for WordPress, which powers about 37% of all websites on the internet.
Hackers and script kiddies try to take control of a website to run malicious programs and malware, steal user credentials, or send spam, any of which can severely harm your brand's reputation.
To harden your website, installing a reputable security plugin is a must, and that is what we are going to show you in this tutorial, step by step.
We will install and set up the Wordfence plugin for WordPress. We will give you a detailed introduction to the Wordfence options and how to configure them properly to protect your blog effectively from hacking attempts.
What is Wordfence Security?
With over 2 million downloads, Wordfence is one of the most popular WordPress security plugins. With its built-in real-time protection, Wordfence defends your website against multiple threats including hacking attempts, malware, suspicious traffic and activity, and brute-force login attacks. You can even watch the real-time protection in action on their website.
The plugin is free for basic use, which is enough for most websites, but if you want to go the extra mile you can buy a Wordfence Premium license, which adds more advanced features and Wordfence support.
We are going to start with the Wordfence installation tutorial; if you follow along and complete all the steps, your website will be much more secure than it is now.
How to Install and Configure Wordfence Plugin
Let’s start with the fun part. Actually installing and configuring the plugin to get it to work in WordPress.
- From your website dashboard, install and activate the plugin. See how to install a plugin in WordPress if you need some guidance here.
- Once installed, a new menu item Wordfence will appear on your dashboard. This is a central place to set all options related to Wordfence.
You may be asked to take a Quick Tour after activating the plugin. It is recommended to take the tour.
As you can see from the image, the main items under the Wordfence menu, each of which we walk through below, are:
- Dashboard
- Scan
- Firewall
- Blocking
- Live Traffic
- Tools
- Options
- Upgrade to Premium
The Wordfence default options for all of the above menu items work out of the box, with the most important features already switched on. You may need to adjust them slightly to suit your own blog or website. Let's look at them in detail.
Wordfence dashboard will give you a quick view of the overall security settings enabled on your website.
You will be able to see login attempts either successful or failed, IPs blocked, firewall rules and summary and other related information. We don’t have to do anything here. Let’s move on.
Scanning WordPress site with Wordfence
From your dashboard, go to Wordfence > Scan and click Start a Wordfence Scan to scan your website right away.
It checks your WordPress files for suspicious programs, malware or spam scripts that may be running silently on your website. The scan covers WordPress core files, themes and plugins, comparing them against the original copies published on WordPress.org, so any file that has been modified or added is flagged; optionally it can also scan files outside the WordPress installation on your web server.
You can follow the scan's progress in real time on the same page. Don't worry if you don't understand the information appearing in the yellow box during the scan; it is mostly technical detail.
Once the scan is complete, it lists any issues found that need to be fixed, together with recommended actions such as restoring modified WordPress files to their originals, updating plugins, or correcting misconfigured files. Review a flagged file before repairing it: a file you or your developer deliberately customised will show up as modified too.
Wordfence Firewall Settings
The Wordfence built-in Web Application Firewall (WAF) blocks malicious requests before they reach your blog. It offers two protection levels: Basic WordPress Protection and Extended Protection. By default the firewall runs at the basic level, where it loads as an ordinary WordPress plugin and therefore only sees a request after WordPress, and every other plugin and theme, has already loaded. Extended Protection hooks the firewall in through PHP's auto_prepend_file setting so that it runs before WordPress itself; an exploit aimed at a vulnerable plugin is then inspected and blocked before that plugin's code ever executes. We need to switch to Extended Protection to get the most out of it.
Let's change the firewall from basic to extended protection. Click Firewall in the Wordfence menu.
- Click Optimize the Wordfence Firewall.
- The process detects your server configuration (Apache with mod_php, CGI/FastCGI, NGINX and so on) and prepares the matching firewall settings. Click Continue.
- On the next screen it asks you to download a copy of your current .htaccess file, because Wordfence is about to add its firewall rules to that file. Download it and keep it somewhere safe: if your site shows an error after this step, restoring this backup is the quickest fix. Then continue.
- Once done, the Protection level shows Extended Protection. You have just enabled full protection mode.
The firewall status may show Learning Mode, which is fine. Wordfence watches your site's normal traffic for a week or so, so that it learns which requests are legitimate, and then switches automatically to Enabled and Protecting.
Let’s move on to the next tab which is Brute Force Protection.
Brute force is an attack technique that guesses passwords by repeatedly submitting candidates, often taken from dictionaries or leaked-password lists, against the login form. See our article What is a brute force attack for more details. Wordfence protects your blog from such attacks by locking out the offending IP address.
The settings on the tab are mostly self-explanatory. It is a good idea to reduce Lock out after how many login failures from the default 20 to 5; there is no reason to allow 20 guesses. Keep in mind that a low threshold can also lock out a legitimate user who mistypes a password, so leave a reasonable lockout duration rather than a permanent ban. It is also worth enabling Immediately lock out invalid usernames, since attackers routinely try accounts such as admin that may not exist on your site.
Click Save Options once done. Also see How to secure WordPress login in 2 easy steps for more actionable content.
Blocking IPs to Protect WordPress
The Blocking menu item lists the IP addresses that have been blocked for suspicious activity. Wordfence also shows the country each IP address originates from, which helps you diagnose the problem and take appropriate action, for example manually blocking further addresses that attack you from the same source. Treat the country as a rough signal only: attackers routinely route traffic through proxies and compromised hosts in other countries.
From the Country Blocking tab (a Premium feature) you can block a whole country, or redirect its visitors to a different URL, simply by selecting the country names. Make sure not to block your own country or you will be locked out.
Don't change any values in the Wordfence Blocking section unless required.
Monitoring Live Traffic using Wordfence
From the Wordfence main menu, click Live Traffic to watch requests hitting your website in real time. By default Wordfence refreshes the view every two seconds, labels each hit as a human, a bot or a warning, and shows whether it was blocked from accessing your website.
From the Wordfence Tools menu you can run password audits and WHOIS lookups. The feature worth describing in detail is Cellphone Sign-in, although it is only available to Premium members.
It is a two-factor authentication method for WordPress: in addition to your password, you must enter a code sent to your mobile phone to log in, so a stolen password alone is not enough to get into your site.
Wordfence Options Menu
In the Options menu you will find your API key. The API key uniquely identifies your Wordfence installation to the Wordfence servers for scans and other activities; you don't have to do anything with it.
Also enable Update Wordfence automatically so the plugin keeps itself current, and add your email address under Where to email alerts. It should be an address you check frequently, because any issues or problems found on your blog will be sent there.
Exporting and Importing Wordfence Settings
Once you are done with all the settings, it is always a good idea to save a copy of them. This also lets you apply the same settings to another site.
From the Options menu, scroll all the way down to the export section and click Export Wordfence Settings.
It generates a long token. Make a note of it and keep it private, as it represents your whole configuration. Whenever you want to reuse the same settings on another website, paste the token into Import Settings and they are applied automatically, a big time saver.
How to delete Wordfence plugin
If this plugin did not give you what you wanted and you want to delete Wordfence from WordPress, take one extra step before deleting it.
- Go to the Options menu, find the option Delete Wordfence tables and data on deactivation and enable it. Don't forget to click Save Options at the bottom of the page.
- Now from Plugins menu, you can first deactivate and then delete the plugin safely. It will clear all Wordfence traces from your WordPress files and database tables thanks to the option we selected before deleting Wordfence.
Wordfence Locked Out Problem
If you have accidentally locked yourself out through a wrong Wordfence configuration, you will not be able to reach even the WordPress login page to undo the change. This is particularly likely if you have been experimenting with the Country Blocking or IP blocking settings under the Blocking menu.
To get control of your blog back:
- Log in to your web space (public_html or www) with your FTP account. See FTP easy setup for WordPress beginners.
- Go to the wp-content > plugins directory.
- Delete the wordfence folder located in the plugins directory. Renaming it instead, for example to wordfence.disabled, has the same effect, because WordPress treats a missing plugin folder as deactivated, and it keeps the files in case you want them back.
- Go up two directory levels to the root of your site (typically where WordPress is installed) and open the .htaccess file.
- Delete everything from # Wordfence WAF to # END Wordfence WAF and save the file. This block is what loads the firewall before WordPress under Extended Protection, so removing it ensures nothing of the WAF runs any more. If your host runs PHP as CGI/FastCGI, the same block may be in a .user.ini file in the same directory; remove it there too.
Clear all caches and try to log in to the WordPress dashboard again. Hopefully everything is back.
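The same recovery, as an added example for readers who have shell (SSH) access rather than FTP; this is not Wordfence's own tooling. It assumes the WordPress root path is passed to recover_from_lockout (the demo uses a temporary directory containing a constructed .htaccess, not a real site), and the .user.ini handling only matters on hosts that use that file for PHP settings.

```shell
#!/bin/sh
# Recover from a Wordfence lockout over SSH. Added example, not part of the
# Wordfence project. Assumes $1 of recover_from_lockout is the WordPress root.

# Remove everything between "# Wordfence WAF" and "# END Wordfence WAF"
# (inclusive) from the given file, keeping a timestamped backup first.
strip_wordfence_waf_block() {
    file="$1"
    [ -f "$file" ] || return 0          # nothing to do on hosts without the file
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    awk '
        /^# Wordfence WAF/      { skip = 1 }
        !skip                   { print }
        /^# END Wordfence WAF/  { skip = 0 }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Move the plugin folder aside rather than deleting it: WordPress treats a
# missing plugin directory as deactivated, and the files can be restored later.
disable_wordfence_plugin() {
    wp_root="$1"
    plugin_dir="$wp_root/wp-content/plugins/wordfence"
    if [ -d "$plugin_dir" ]; then
        mv "$plugin_dir" "$plugin_dir.disabled"
    fi
}

recover_from_lockout() {
    wp_root="$1"
    # Drop the auto_prepend_file lines first so the WAF is no longer loaded
    # ahead of WordPress, then take the plugin itself out of the picture.
    strip_wordfence_waf_block "$wp_root/.htaccess"
    # Hosts running PHP as CGI/FastCGI get the same block in .user.ini instead.
    strip_wordfence_waf_block "$wp_root/.user.ini"
    disable_wordfence_plugin "$wp_root"
}

# Builds a throwaway fake WordPress root with a constructed .htaccess (sample
# data, not copied from a real site), runs the recovery, and prints the root
# so the result can be inspected.
demo_recovery() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/wordfence"
    printf '%s\n' \
        'RewriteEngine On' \
        '# Wordfence WAF' \
        '<IfModule mod_php7.c>' \
        '  php_value auto_prepend_file "/var/www/example/wordfence-waf.php"' \
        '</IfModule>' \
        '# END Wordfence WAF' \
        '# BEGIN WordPress' \
        'RewriteRule . /index.php [L]' \
        '# END WordPress' > "$root/.htaccess"
    recover_from_lockout "$root"
    printf '%s\n' "$root"
}

# Real use (hypothetical path): . ./recover.sh && recover_from_lockout /var/www/example.com
```

Run demo_recovery to see the effect on the sample file: the Wordfence block disappears, the surrounding rewrite rules survive untouched, a .htaccess.bak.<timestamp> copy is left beside it, and the plugin folder is renamed to wordfence.disabled. Once you are back in the dashboard you can rename the folder back and re-run Optimize the Wordfence Firewall if you still want the plugin.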
In this tutorial we have reviewed the best Wordfence settings to keep hackers at bay and protect your WordPress blog from hacking attempts. Wordfence will keep emailing you about updates for your blog and about any issues it finds.
If you still have any questions, let us know in the comments section below.