Wordfence

The Wordfence plugin checks the integrity of your WordPress core files, themes and plugins. It also scans your site for malware and phishing URL’s, backdoors and virus infections.

Plugin Page: http://wordpress.org/extend/plugins/wordfence/

What You Need To Do

You need to:

  • Keep your WordPress site updated at all times.

  • Verify the integrity of your WordPress core files, themes and plugins.

  • Scan your site (files, comments and posts) for backdoors, malware and phishing.

  • Protect your site from brute force attempts to guess your user names and passwords.

The premium version of Wordfence adds:

  • Scheduling of security scans

  • Country blocking

  • Remote Site Scans

For details on the premium options and prices see this page.

Note! By using the premium version you also support the development of the free version of the plugin. This plugin adds significant security protection to your site and the price is very reasonable.

We recommend you support the further development of the plugin by going premium.

Why Wordfence Is Important

Keep your WordPress site updated at all times

As soon as an update is released anyone can see why the update was released.

The sooner you update the sooner you close any security holes that are now public knowledge.

Verify the integrity of your WordPress core files, themes and plugins

A common way to compromise a WordPress site is by modifying some of the files. Wordfence compares your core files, themes and plugin files against the official versions stored in the wordpress.org repository. If Wordfence discovers any differences it will notify you by email. You can also compare your version of the file with the official version, so you can easily see what has changed.

Wordfence also detects unknown files in the standard WordPress directories, which will alert you to malicious code placed in directories you would not normally look in.

Scan your site for backdoor, malware and phishing threats

Wordfence scans your site (files, comments and posts) for a large number of known backdoors, trojans, malware and phishing threats to ensure your site is clean. If any issues are found Wordfence will notify you via email.

Protect your site from brute force attempts

Wordfence keeps an eye out for failed login attempts. If someone tries to log in too many times with a wrong user name/password combination that IP address will be blocked automatically. This stops brute force attempts at guessing your login details.

Scheduling of security scans (premium option)

The free version will scan your site once per day. With the premium version you can manage the scan schedule. You can schedule your scans to run more frequently and at times with low traffic on your site.

Country blocking (premium option)

Country blocking is an effective way of lowering your security risk profile. If your site targets a specific geographic area you can block other countries from accessing your site. If you sell pizza in France there is probably no reason why someone from China would access your site.

Remote Site Scans (premium option)

The Wordfence scanning servers will connect to your site and scan your public facing pages (HTML, Javascript, CSS and other code) for vulnerabilities and intrusions.

How You Complete This Security Checkpoint

  • Add and Activate the plugin.
    Once activated the plugin will offer to take you on a tour of the plugin.
    Complete the tour or close the notification window.
    wordfence tour 

  • Go to the Wordfence Options panel.
    To receive email notifications you need to enter your preferred email address.
    wordfence basic options 

  • Under Alerts consider enabling the alerts for “when someone is locked out” and “when someone with administrator access signs in”.
    Those alerts will allow you to keep an eye on what’s going on with your site.
    You can always change these settings later.
    alerts 

  • Under Scans to include make sure you enable theme and plugin scanning.
    These are not checked by default.
    scans to include 

  • Enable the public facing site scan (premium version only).
    public facing scan 

  • You can leave the default values for the remaining options, but feel free to experiment.

  • Save your changes.
    save changes 

  • Select Country Blocking Options (premium version only).
    Note! Don’t block countries unless you really do not want the traffic.
    country blocking options 

  • Select Scan Schedule (premium version only).
    Every six hours is a good option.
    If you have high traffic volumes at certain times avoid scanning at those hours.
    scanning schedule 

  • Go to the Scan panel.
    wordfence scan panel 

  • And start your first scan.
    start scan 

  • On the first scan Wordfence will most likely find a number issues.
    Hopefully all of these are false positives, but you will have to investigate each issue.
    issues found 

  • Any issues found will appear on the New Issues tab.
    new issues 

  • A typical example of a false positive is when a plugin author makes minor updates to a plugin file in the wordpress.org repository without releasing a new version.
    Note the highlighted text in this example.
    Click See how the file has changed.
    false positive 

  • You can see that the change was in the comments, so this is safe.
    If obfuscated code was added to a file you should be worried.
    Important! If you are ever in doubt about a file change you can ask about it on the Wordfence forum.
    view file differences 

  • If you are comfortable with the file you should click Ignore until the file changes.
    ignore until file changes 

  • Other false positives can include files we have added to the WordPress installation, for example .htaccess files as described in the article Using .htaccess Files To Secure WordPress.

Sample emails generated by Wordfence:

  • New updates are available.
    email alert updates available 

  • An administrator has logged in to the site.
    email alert admin login 

  • An IP address has been banned because of too many failed login attempts.
    email alert login block 

  • Unrecognized file found on the site.
    email alert unrecognized file found 

  • Your DNS records have changed.
    Note! If you use Cloudflare this message can be caused by Cloudflare making changes to their name server setup.
    email alert dns change 

[gn_box title="Important" color="#dddddd"]Do you use a WordPress Plugin which is not in the WordPress Plugin Directory? If so make sure you get on their mailing list for updates. It is up to you to keep that plugin updated as Wordfence cannot generate email alerts for it.[/gn_box]

Recommendation

If you are happy with the update notifications provided by Wordfence you can uninstall the Update Notifications plugin.

The Wordfence security plugin does not enforce password strength or allow you to reset all user passwords. However it does notify you if any users have weak passwords.

Do you have user registration enabled on your site?

Or do you allow other people to contribute content to your site using their own logins?

If you answered yes to one of those questions we recommend that you use Login Security Solution in addition to Wordfence to strengthen your user management.

If you are the only person logging in to your WordPress site you do not need to use the Login Security Solution – Wordfence will be fine. Of course you still need to use a good password management solution with strong passwords – see Password Management.

The Sucuri WordPress Security Plugin has a very good Web Application Firewall and some great monitoring options, and Wordfence has very good Integrity Checks, Live Traffic Viewer and traffic throttling – if you ever need that.

We recommend that you use both plugins.

Should you use the premium version?

The premium version of the plugin adds functionality that could be very useful to you. Even if you do not need the extra functionality we recommend that you consider signing up for the premium version to support the development of the free version. The price is very reasonable. For pricing and licensing click here.

Further Resources

Related articles:

whiterabbitFollow The White Rabbit

[gn_spoiler title="Click Here" open="0" style="1"]Are you reading this article as a part of the Interactive Version of The WordPress Security Checklist?

Then you can find your next article below.

If not you should take a look at the Table Of Contents.

Next article: Sucuri WordPress Security Plugin
Previous article: Block Bad Queries[/gn_spoiler]

Questions Or Comments?

Please leave them below. Thanks!


About Anders Vinther

Anders is on a mission to make it easy for you to secure your WordPress.

Let's make it harder for the bad guys!

Want More?

Sign up for our newsletter and we'll let you know when we have got new stuff about WordPress Security for you. See past emails.


Most Popular Articles – All Time

Most Popular Articles – This Week

Comments

  1. creekmore says:

    Have you had any trouble running W3 Total Cache and Wordfence. When I run both wordfence gives all kinds of warning, alerts and stuff..

Speak Your Mind

   Login Using:

*

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four 
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

For more help see http://daringfireball.net/projects/markdown/syntax