WordPress is currently the most widely used content management system, with millions of websites running on it. However, with its growing popularity, the risk of malicious attacks on WordPress sites also increases.
Hackers are constantly developing new ways to illegally access WordPress sites, often motivated by financial gain or politics. They may try to gain unauthorized access to sensitive information such as user data or payment details, or use the site to launch further attacks on other websites. In some cases, hackers may also seek to deface or take down the site for personal satisfaction or to post a false message that compromises the site owners.
To safeguard against these threats, it’s essential to implement strong security plugins. The best options should be able to provide multiple levels of protection while being accessible for non-tech-savvy WordPress developers.
In this article, we will review Wordfence Security, a free security plugin with over four million active installations and highly positive user reviews.
Table of Contents
- Wordfence Security Introduction
- How to Use Wordfence Functionalities
- Extra Bonuses from Wordfence Team
Wordfence Security Introduction
Let’s start by reviewing who made this plugin, for what purpose, and what users think about it.
Who made Wordfence?
Wordfence Security, or simply Wordfence, is developed by Defiant Inc., headquartered in Seattle, Washington. The team of experienced security professionals is led by its founders, Mark Maunder and Kerry Boyte. Mark, the CEO of Defiant, has previously worked as an operation engineer, developer, and security consultant at numerous Fortune 500 companies in Africa, the UK, France, and the US.
Kerry began her career in security in the 90s, leading a team at Norton. She has since worked in various software industries, including computer engineering, software quality assurance, business development, and finance at companies such as Hootsuite and Microsoft.
According to its CEO, the company has a culture of transparency, collaboration, innovation, and commitment to serving its customers’ needs. In addition to the core focus on WordPress security, it is also engaged in philanthropy and makes a positive impact on the world in general.
What is the purpose of the Wordfence plugin?
Although WordPress is constantly developing and strengthening its security, there are several vulnerabilities that can be addressed only by specialized guard plugins. Wordfence is the most popular WordPress firewall and security scanner, providing a comprehensive defense against hackers, malware, and other cyber threats.
To keep your site secure, protect your data, and provide website visitors with the best user experience, it’s essential to mitigate these common issues:
- A brute-force attack is a trial-and-error method to guess login information and gain unauthorized access to the website’s restricted data and the admin area.
- Malware and viruses are malicious software programs that attempt to damage your website or steal sensitive information. They can access your WordPress website through malicious advertisements, user inputs, outdated plugins, and themes. Sometimes, fake plugins that look legitimate are developed specifically for spreading viruses to websites.
- DDoS attacks aim to overwhelm your site with unwanted traffic from multiple sources, making it unavailable to users.
The Wordfence plugin offers powerful features to identify these and other security threats and block them from accessing your site.
What users think about the Wordfence security plugin
Wordfence receives generally positive reviews from WordPress users on different platforms. On Trustpilot, the plugin has a 4.5-star rating based on 111 reviews. Most users acknowledge its effectiveness in protecting their sites and ease of use. The few bad reviews mention two things: the support team doesn’t work 24/7 for paid users (which they do not promise); the plugin causes false positive actions (all security plugins do).
On the WordPress.org platform, where you can download the plugin’s free version, it has an even higher rating, 4.7 out of 5, based on almost 4,000 reviews. And again, generally, users praise its user-friendly interface and the ability to detect and block various security threats. I can see that the Wordfence team comments on most of the bad reviews with advice on how to use the plugin effectively. Some of the issues brought up in the negative reviews are limited functionality in Wordfence Free, difficulty installing and activating the plugin, and issues typical for security plugins.
Apart from Trustpilot and WordPress.org, Wordfence has received mostly positive reviews on various community forums. For example, when people discuss online security issues on our Crocoblock community forum, they mention Wordfence as the number one solution for strengthening site protection.
How to Use Wordfence Functionalities
Let’s now discuss in more detail what Wordfence’s free version offers to WordPress site owners, why so many people talk about it, and try to figure out if the common complaints that some users expressed are valid.
Installing and activating the Wordfence plugin
The installation process for Wordfence is not difficult. In your WordPress panel, go to Plugins and click “Add New.” Then type Wordfence in the search bar and click the “Install Now” button next to the Wordfence Security – Firewall and Malware Scan entry. When the installation finishes, click the “Activate” button.
If you’re a new user, click the “Get Your Wordfence License” button after the plugin is activated. You will be taken to Wordfence.com and shown different license options. Click “Get a Free License.” Here, you will be reminded that a free license has a 30-day delay for firewall rules and malware signatures. If you’re OK with that, proceed by clicking “I’m OK waiting 30 days for protection with new threats.”
In the next window, enter your valid email, subscribe to the Wordfence mailing list if you wish, accept the Terms of Service, and click “Register.” You will now see a message confirming your license key has been sent to your email.
Check for the email containing the license key and click the “Install My License Automatically” button. You will be sent to your WordPress dashboard with your email and license key boxes pre-filled. Click “Install License.” Now you can access the Wordfence dashboard.
Optimizing security firewall
Wordfence plugin is ready to protect your site right out of the box. However, you can still customize some of the technical firewall settings.
By default, the firewall has a Learning Mode turned on when you first activate the plugin. This mode is active for one week, and during that time, the firewall is inactive. Instead, the plugin learns how your website functions and how to distinguish its normal activities from malicious threats. You can always switch between Enabled, Disabled, and Learning Mode options by going to Basic Firewall Options > Web Application Firewall Status.
If the firewall is blocking a legitimate action and you want it to be let through, turn on Learning Mode. For example, suppose you perform a site backup using another plugin. If you turn on Learning Mode during this action, Wordfence will learn to allow it in the future.
It’s advisable to change the protection level from basic, which is the Wordfence default, to optimized. Basic protection means the plugin starts working only after WordPress has loaded, so other plugins and WordPress itself may run malicious code before Wordfence can detect it.
To turn on optimized protection, go to Wordfence Dashboard > Manage Firewall > Optimize the Wordfence Firewall. The plugin will autodetect your server settings, and you’ll be prompted to download backup files before clicking the “Continue” button. Now the firewall is optimized, and it will load before WordPress.
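The article does not say how the optimized firewall manages to load before WordPress: Wordfence does it with PHP's `auto_prepend_file` directive, written to `.user.ini` or `.htaccess` and pointing at a `wordfence-waf.php` bootstrap file. The following check is an added example, not code from Wordfence or from this article; the function names and the sample file contents are constructed for illustration.

```python
import re

# auto_prepend_file in either syntax:
#   .user.ini:            auto_prepend_file = '/path/wordfence-waf.php'
#   .htaccess (mod_php):  php_value auto_prepend_file '/path/wordfence-waf.php'
DIRECTIVE = re.compile(
    r"""^(?:php_value\s+)?auto_prepend_file\s*=?\s*['"]?([^'"\s]+)['"]?$""",
    re.IGNORECASE,
)

def prepend_target(config_text):
    """Return the last active auto_prepend_file value in the text, or None."""
    target = None
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # blank line or commented-out directive
        match = DIRECTIVE.match(line)
        if match:
            target = match.group(1)
    return target

def protection_level(configs, bootstrap="wordfence-waf.php"):
    """configs maps file name -> contents; 'extended' if any file prepends the bootstrap."""
    for text in configs.values():
        target = prepend_target(text)
        if target and target.replace("\\", "/").rsplit("/", 1)[-1] == bootstrap:
            return "extended"
    return "basic"

# Constructed sample files (paths are placeholders, not taken from a real site).
SAMPLE_USER_INI = """\
; Wordfence WAF
auto_prepend_file = '/var/www/example/wordfence-waf.php'
; END Wordfence WAF
"""
SAMPLE_HTACCESS_DISABLED = """\
# php_value auto_prepend_file '/var/www/example/wordfence-waf.php'
RewriteEngine On
"""

if __name__ == "__main__":
    print(protection_level({".user.ini": SAMPLE_USER_INI}))            # extended
    print(protection_level({".htaccess": SAMPLE_HTACCESS_DISABLED}))   # basic
```

PHP caches `.user.ini` for `user_ini.cache_ttl` seconds (300 by default), so a freshly written directive may not take effect immediately.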
Changing Wordfence login security settings
One of the most powerful Wordfence features is providing a wide range of options for securing your site from unauthorized access.
You can check your current login settings by visiting Manage Firewall > Brute Force Protection. By default, Wordfence forces admins and editors to use strong passwords, limits the number of attempts to access the site, and blocks users after several failed login attempts.
You can add extra layers of protection by enabling reCAPTCHA on login and user registration pages and two-factor authentication (2FA) for any user roles. These options with more advanced settings are available in the Login Security section of the Wordfence dashboard.
IP blocking and whitelisting
IP blocking and whitelisting are two common methods for controlling access to a website or network based on IP addresses. In the Blocking section of the firewall settings, you can deny access to a specific IP address or a range of addresses, or create custom patterns according to which visitors are blocked. Country blocking requires a paid Wordfence license.
IP whitelisting can be useful for restricting access to sensitive areas of your site to only authorized users. This involves specifying IP addresses or URLs that will bypass firewall rules. Whitelisting is used when site admins identify false positive actions (when a security plugin blocks actions or requests it shouldn’t).
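Because whitelisted addresses bypass the firewall rules, a broad whitelist entry can silently cancel a block rule. The added example below (not Wordfence code) models that interaction and audits a whitelist for it; the `first-last` range notation, the whitelist-first evaluation order, and the 256-address threshold are assumptions of the example, and the address lists are constructed.

```python
import ipaddress

def parse_rule(rule):
    """Parse '192.0.2.15', '203.0.113.0/24' or 'first-last' into a list of networks."""
    if "-" in rule:
        first, last = (ipaddress.ip_address(p.strip()) for p in rule.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(rule.strip(), strict=False)]

def matches(ip, rules):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for rule in rules for net in parse_rule(rule))

def decide(ip, allowlist, blocklist):
    """Assumed order: allowlist first, so an allowlisted address is never blocked."""
    if matches(ip, allowlist):
        return "allow"
    if matches(ip, blocklist):
        return "block"
    return "inspect"  # falls through to the normal firewall rules

def audit_allowlist(allowlist, blocklist, max_addresses=256):
    """Flag allowlist entries that are very broad or that cancel a block rule."""
    findings = []
    blocked = {rule: parse_rule(rule) for rule in blocklist}
    for rule in allowlist:
        nets = parse_rule(rule)
        size = sum(net.num_addresses for net in nets)
        if size > max_addresses:
            findings.append((rule, f"broad: {size} addresses bypass the firewall"))
        for block_rule, block_nets in blocked.items():
            if any(n.overlaps(b) for n in nets for b in block_nets):
                findings.append((rule, f"shadows block rule {block_rule}"))
    return findings

# Constructed sample lists (documentation and private address ranges).
ALLOWLIST = ["198.51.100.10", "203.0.113.0/24", "10.0.0.0/8"]
BLOCKLIST = ["203.0.113.40-203.0.113.60", "192.0.2.15"]

if __name__ == "__main__":
    for ip in ("203.0.113.50", "192.0.2.15", "192.0.2.99"):
        print(ip, decide(ip, ALLOWLIST, BLOCKLIST))
    for rule, problem in audit_allowlist(ALLOWLIST, BLOCKLIST):
        print(rule, "->", problem)
```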
The Wordfence Scan function checks for viruses, bad URLs, malicious redirects, password strength, and more. Remember, the free plugin examines your site for known bad patterns and malicious URLs using signature updates delayed by 30 days.
The plugin is configured to perform scanning every three days, but you can run it manually anytime.
If the scan detects any security issues, you’ll see them in the Results Found section. You can read detailed information about each result, move results to the Ignored Results folder, delete unwanted files, or restore infected files to their original version. In my case, Wordfence warns me about outdated themes and plugins.
There are many scanning and scheduling settings you can modify. Some of the important ones are:
- switching among three levels of scanning intensity, from limited detection capability with low resource utilization to high sensitivity scan for sites that may be hacked;
- limiting the number of issues sent to scan results;
- restricting the scan to specified file types or to specific types of threats;
- limiting the memory or time necessary for scanning.
Other tools offered by the Wordfence plugin
If you’re looking for an advanced solution to address all common online security issues, Wordfence Security is the right choice. It also includes more advanced features that are not essential to a security plugin but are designed to make a site admin’s job easier.
Live Traffic view lets you see real-time traffic on your site and monitor who attempts to access different pages. A color code will tell you whether these are humans or bots and their status (warning or blocked).
You can utilize the Whois Lookup function to find out who owns a domain name or an IP address that is visiting your website.
The Diagnostics window gathers information about all your plugins, themes, and server environment in one place. This data can be used for troubleshooting configuration or compatibility issues.
Import/Export Options let you copy your security settings to another WordPress site that uses the Wordfence plugin.
All these tools can be accessed in the Tools tab of the Wordfence dashboard.
Extra Bonuses from Wordfence Team
Some of the very useful Wordfence tools that WordPress site owners should know of are outside of the plugin.
Blog, forums, and documentation
Wordfence.com is an important source of information about cybersecurity. The Wordfence blog is the platform where the company publishes articles related to WordPress security. It is updated regularly and can be valuable to those who want to stay up-to-date on the latest online protection trends.
The Wordfence Learning Center contains tutorials, webinars, checklists, videos, survey results, and cybersecurity-related guides. The resources are meant for every skill level, from WordPress newbies and computer science students to expert developers.
The Help Documentation is a well-structured collection of support tutorials for the Wordfence plugin. It covers topics like plugin installation and configuration, troubleshooting, and optimization. You can search for useful information by browsing through different thematic sections or using the quick search tool.
In addition to previous methods of acquiring information on cybersecurity, you can access Wordfence support forums moderated by the plugin staff and experienced users. Here, users can ask questions, engage in discussions, share their experiences, and get help from other users or the plugin team.
If you’re administering the security of multiple websites with installed Wordfence Security plugins, you can easily and quickly monitor all your sites from a single dashboard. Wordfence Central is a service that allows you to view security findings and configure plugin settings on different sites.
To use Wordfence Central, you need to have Wordfence Security installed on all WordPress sites you want to manage, and you must sign up for an account on the Wordfence website. It is free to use, and it works with free or paid plugin licenses.
To secure the WordPress community, Wordfence included the entire vulnerability database in their free product called Wordfence Intelligence. This tool is the most current resource for WordPress vulnerability data.
The information here is presented through lists, infographics, and charts. You can learn about top offending IPs, generic vulnerabilities blocked by Wordfence, and other real-time cybersecurity-related data.
By now, you should have seen that the free Wordfence plugin includes tons of tools and customization options to defend WordPress sites against online threats. The main disadvantages of the free version are the 30-day delay in receiving threat intelligence from Wordfence servers and customer support limited to support forums.
The paid plugin versions are $119, $490, and $950 per year. The main difference among them is the level of customer support, ranging from ticket-based to personalized. The premium features they offer are:
- real-time rules and signatures;
- country blocking;
- real-time IP blocking;
- manually scheduled scans;
- spam and blocklist scans.
The function of Wordfence Security is to provide WordPress websites with multi-layered protection against hackers’ attacks and bots.
Wordfence offers free and paid versions of the Wordfence Security plugin.
Wordfence Security free plugin removes all malware, viruses, malicious links, and codes it detects from websites.
Wordfence Central is a free Wordfence product that provides centralized management and monitoring across all your WordPress sites powered by Wordfence Security plugin.
Wordfence Security is the most popular solution to protect WordPress websites from various online threats for a reason. The free version includes:
- Firewall protection: Wordfence’s firewall protects your website from various online attacks and blocks malicious traffic.
- Malware scanner to check the website for security issues and outdated elements.
- Protection against brute-force attacks, such as two-factor authentication, reCAPTCHA, and login security options.
- IP blocking and whitelisting to restrict/allow access to sensitive website areas.
- Live Traffic view to monitor traffic to your website in real time.
Overall, Wordfence presents a plugin that effectively integrates an advanced complex security toolset with an easy-to-use, straightforward interface and thorough support documentation.
To compare Wordfence to other solutions, check out our article about the best WordPress security plugins.