The Wordfence plugin checks the integrity of your WordPress core files, themes and plugins. It also scans your site for malware and phishing URLs, backdoors and virus infections.
Plugin Page: http://wordpress.org/extend/plugins/wordfence/
What You Need To Do
You need to:
Keep your WordPress site updated at all times.
Verify the integrity of your WordPress core files, themes and plugins.
Scan your site (files, comments and posts) for backdoors, malware and phishing.
Protect your site from brute force attempts to guess your user names and passwords.
The premium version of Wordfence adds:
Scheduling of security scans
Remote Site Scans
For details on the premium options and prices see this page.
Note! By using the premium version you also support the development of the free version of the plugin. This plugin adds significant security protection to your site and the price is very reasonable.
We recommend you support the further development of the plugin by going premium.
Why Wordfence Is Important
Keep your WordPress site updated at all times
As soon as an update is released, anyone can see why it was released and which security holes it closes.
The sooner you update, the sooner you close security holes that are now public knowledge.
Verify the integrity of your WordPress core files, themes and plugins
A common way to compromise a WordPress site is by modifying some of the files. Wordfence compares your core files, themes and plugin files against the official versions stored in the wordpress.org repository. If Wordfence discovers any differences it will notify you by email. You can also compare your version of the file with the official version, so you can easily see what has changed.
Wordfence also detects unknown files in the standard WordPress directories, which will alert you to malicious code placed in directories you would not normally look in.
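The integrity check and the unknown-file detection described above, as an added illustration (this is not Wordfence's code): a known-good tree is hashed into a manifest, which stands in for the official checksum list fetched from wordpress.org, and a later scan reports files that were modified, removed, or added outside the manifest. The sample file tree is constructed and written to a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile

# Constructed sample "WordPress" tree; placeholder contents, not real core files.
SAMPLE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '6.0';\n",
    "wp-login.php": "<?php\n// login form\n",
}

def md5_of(path):
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def write(root, rel, body, mode="w"):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as f:
        f.write(body)

def walk_files(root):
    """Yield every file path relative to root, '/'-separated."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/")

def build_manifest(root):
    """Expected hashes of a known-good tree (stand-in for the wordpress.org list)."""
    return {rel: md5_of(os.path.join(root, rel)) for rel in walk_files(root)}

def integrity_scan(root, manifest):
    """Report modified, missing and unknown files relative to the manifest."""
    present, expected = set(walk_files(root)), set(manifest)
    modified = [rel for rel in sorted(present & expected)
                if md5_of(os.path.join(root, rel)) != manifest[rel]]
    return {"modified": modified,
            "missing": sorted(expected - present),
            "unknown": sorted(present - expected)}

def demo():
    """Baseline the sample tree, then simulate the three kinds of drift a scan reports."""
    root = tempfile.mkdtemp()
    for rel, body in SAMPLE_FILES.items():
        write(root, rel, body)
    manifest = build_manifest(root)
    write(root, "wp-includes/version.php", "// edited\n", mode="a")   # modified
    os.remove(os.path.join(root, "wp-login.php"))                      # missing
    write(root, "wp-includes/cache.php", "<?php // extra file\n")      # unknown
    return integrity_scan(root, manifest)
```

A file that shows up under "unknown" in a core directory is exactly the case the text warns about and deserves a look before anything else.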
Scan your site for backdoor, malware and phishing threats
Wordfence scans your site (files, comments and posts) for a large number of known backdoors, trojans, malware and phishing threats to ensure your site is clean. If any issues are found Wordfence will notify you via email.
Protect your site from brute force attempts
Wordfence keeps an eye out for failed login attempts. If someone tries to log in too many times with a wrong user name/password combination, that IP address will be blocked automatically. This stops brute force attempts at guessing your login details.
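The lockout logic described above, as an added example run over a constructed login log (not Wordfence's code or log format): failures are counted per IP inside a sliding window, the IP is blocked once the count reaches the threshold, and a correct password from a blocked IP is still refused until the lockout expires. The threshold (5 failures in 5 minutes) and the 60-minute lockout are assumed values, not Wordfence's defaults.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample login log (not Wordfence's format): time, IP, user, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 admin FAIL
2024-05-01T10:00:03 203.0.113.7 admin FAIL
2024-05-01T10:00:04 198.51.100.2 editor FAIL
2024-05-01T10:00:05 203.0.113.7 administrator FAIL
2024-05-01T10:00:06 203.0.113.7 root FAIL
2024-05-01T10:00:07 203.0.113.7 admin FAIL
2024-05-01T10:00:09 203.0.113.7 admin OK
2024-05-01T10:06:00 198.51.100.2 editor FAIL
2024-05-01T10:12:00 198.51.100.2 editor OK
"""

class LoginGuard:
    """Block an IP after max_failures failed logins within window (assumed values)."""
    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=60)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> when the lockout expires

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, now) > now

    def record(self, ts, ip, result):
        """Return 'blocked', 'ok' or 'failed' for one login event."""
        if self.is_blocked(ip, ts):
            return "blocked"               # even a correct password is refused
        if result == "OK":
            self.failures.pop(ip, None)    # a real login clears the failure history
            return "ok"
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                    # forget failures older than the window
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = ts + self.lockout
            return "blocked"
        return "failed"

def replay(log_text, guard=None):
    """Feed log lines to the guard; return (decision per line, guard)."""
    guard = guard or LoginGuard()
    out = []
    for line in log_text.splitlines():
        ts, ip, _user, result = line.split()
        out.append((ip, guard.record(datetime.fromisoformat(ts), ip, result)))
    return out, guard
```

In the sample log the first IP is blocked on its fifth failure, so its later correct login is refused, while the second IP's two failures fall outside the window and never trigger a lockout.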
Scheduling of security scans (premium option)
The free version will scan your site once per day. With the premium version you can manage the scan schedule. You can schedule your scans to run more frequently and at times with low traffic on your site.
Country blocking (premium option)
Country blocking is an effective way of lowering your security risk profile. If your site targets a specific geographic area you can block other countries from accessing your site. If you sell pizza in France there is probably no reason why someone from China would access your site.
Remote Site Scans (premium option)
How You Complete This Security Checkpoint
Under Alerts, consider enabling the alerts for “when someone is locked out” and “when someone with administrator access signs in”.
Those alerts will allow you to keep an eye on what’s going on with your site.
You can always change these settings later.
You can leave the default values for the remaining options, but feel free to experiment.
A typical example of a false positive is when a plugin author makes minor updates to a plugin file in the wordpress.org repository without releasing a new version.
Note the highlighted text in this example.
Click See how the file has changed.
You can see that the change was in the comments, so this is safe.
If obfuscated code was added to a file you should be worried.
Important! If you are ever in doubt about a file change you can ask about it on the Wordfence forum.
Other false positives can include files we have added to the WordPress installation, for example .htaccess files as described in the article Using .htaccess Files To Secure WordPress.
Sample emails generated by Wordfence:
If you are happy with the update notifications provided by Wordfence you can uninstall the Update Notifications plugin.
The Wordfence security plugin does not enforce password strength or allow you to reset all user passwords. However, it does notify you if any users have weak passwords.
Do you have user registration enabled on your site?
Or do you allow other people to contribute content to your site using their own logins?
If you answered yes to one of those questions, we recommend that you use Login Security Solution in addition to Wordfence to strengthen your user management.
If you are the only person logging in to your WordPress site you do not need to use the Login Security Solution – Wordfence will be fine. Of course you still need to use a good password management solution with strong passwords – see Password Management.
The Sucuri WordPress Security Plugin has a very good Web Application Firewall and some great monitoring options, and Wordfence has very good Integrity Checks, Live Traffic Viewer and traffic throttling – if you ever need that.
We recommend that you use both plugins.
Should you use the premium version?
The premium version of the plugin adds functionality that could be very useful to you. Even if you do not need the extra functionality we recommend that you consider signing up for the premium version to support the development of the free version. The price is very reasonable. For pricing and licensing click here.