WordFence Review – Is It Really The Best WordPress Security Plugin?

Posted on February 14, 2017 by in Resources | 143 comments


As with everything that is connected to the Internet, security is also an important issue in the WordPress sphere. In fact, the CMS has its own dedicated security team for just that reason, and it’s also why we publish articles like this one.

As a consequence, there are a number of security plugins in the WordPress directory. By far the most popular: WordFence. With more than a million active installs, the majority of users seem to prefer this solution to all others.

Deservedly so? That’s what we want to find out. In this detailed WordFence review, we take an in-depth look at the security plugin in terms of setup, features and user friendliness. Want to find out if it really is the best WordPress security plugin? Then tag along.

Setting Up the Wordfence Security Plugin

As the first step in our Wordfence review, we will download the plugin to a test site and go through the setup process.

Install the Plugin

You can install Wordfence like any other WordPress plugin. Just go to Plugins > Add New and enter the plugin name in the search box. After that, it should be the first item in the search results.


Click the large Install Now button and wait for the download to finish. Don’t forget to activate!

First Steps

Once active, the first thing the plugin will do is ask you to provide an email address for security alerts. While doing so, you also have the possibility to subscribe to the Wordfence email newsletter.


After that, you can start a tour around the plugin by hitting the respective button. This takes you around the plugin menus, where you learn all about what Wordfence can do. Once that is complete, it’s time to put what you have learned into action.

How to Use WordFence

Alright, let’s get to work and set up the security plugin.

Look at the Dashboard

Our first stop is the Wordfence dashboard. Here, you will see notifications about new versions and posts from the Wordfence blog on all things security.


Below that, you can see the status of your security system: enabled Wordfence features, blocked attacks for the day, week and month both for your site and the Wordfence network, login attempts, blocked IPs and top countries from which your site was attacked (if it was).

The dashboard is a great place to get an overview of what has happened to your site and how much interest the hacking community has shown in bringing it down. That way, you can estimate the threat level and decide whether you need to take additional action or just be extra vigilant.

Do a Site Scan

Among the most important sections is the scan module. When you hit Start a Wordfence scan here, the plugin will audit your site for potential security problems so you can address them. These include:

  • Backdoors, malware and vulnerabilities
  • Modified core files
  • Unknown files in WordPress folders
  • Outstanding updates
  • Comments with unsafe URLs

What’s remarkable about this is that the makers of Wordfence keep a server with every WordPress version and every plugin and theme ever published in the directory. That way, the plugin can compare files on your server with their mirror and detect anything that has been changed from the original.

In addition, it lets you replace files with their originals even if you haven’t made a backup yourself. Now that’s service! However, it also means the scan can take a while depending on the size of your site.
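The comparison against known-good originals described above can be sketched as follows. This is an added example, not Wordfence's code: the SHA-256 manifest, the function names, the constructed file contents and the choice to skip wp-content/uploads/ are all assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def list_files(root):
    """Yield (relative path with forward slashes, absolute path) for each file."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def build_manifest(reference_root):
    """Map every file of a known-good copy to its digest."""
    return {rel: file_digest(full) for rel, full in list_files(reference_root)}


def audit(site_root, manifest, user_dirs=("wp-content/uploads/",)):
    """Compare a live tree with the manifest of the original release.

    user_dirs are skipped (assumption): their content is user-generated and
    can never match a release manifest, so it needs a separate check.
    """
    report = {"modified": [], "unknown": [], "missing": []}
    seen = set()
    for rel, full in list_files(site_root):
        if rel.startswith(tuple(user_dirs)):
            continue
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            report["unknown"].append(rel)       # file the release never shipped
        elif file_digest(full) != expected:
            report["modified"].append(rel)      # shipped file, changed content
    report["missing"] = [rel for rel in manifest if rel not in seen]
    for paths in report.values():
        paths.sort()
    return report


def write(root, rel, text):
    """Create a file (and its parent directories) below root."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


# Constructed stand-in for a pristine release; not real WordPress files.
PRISTINE = {
    "index.php": "<?php // front controller\n",
    "wp-admin/index.php": "<?php // dashboard\n",
    "wp-includes/version.php": "<?php $wp_version = '0.0-constructed';\n",
    "wp-includes/load.php": "<?php // bootstrap\n",
}


def demo():
    """Build a reference copy and a drifted site, then audit the site."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as site:
        for rel, text in PRISTINE.items():
            write(ref, rel, text)
            write(site, rel, text)
        manifest = build_manifest(ref)

        # Constructed drift on the live site.
        write(site, "wp-includes/load.php", PRISTINE["wp-includes/load.php"] + "// extra line\n")
        write(site, "wp-includes/cache-old.php", "<?php // not part of the release\n")
        write(site, "wp-content/uploads/2017/02/photo.txt", "user upload\n")
        os.remove(os.path.join(site, "wp-admin", "index.php"))

        return audit(site, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A modified file can be restored from the reference copy, while an unknown file has no original to compare with and has to be reviewed by hand.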

Once done, Wordfence gives you a list of potential security issues and detailed recommendations on how to take care of them.


You can even look at files next to one another to see where the code has been changed. Mark whatever you have taken care of as fixed or, in case you know something is not an issue, choose to ignore it.

The Options panel at the top allows you to choose what to include in the scans.


For example, you can have the plugin look for changed theme or plugin files, extend the scan to files outside your WordPress directory or use low-resource scanning for environments with little processing power.

Besides that, Wordfence will also automatically scan your site for problems once per day and notify you via email if it finds any.

Optimize the Firewall

Besides the site scan, Wordfence comes with a firewall that keeps threats at bay. You can find it under Wordfence > Firewall.


Its purpose is to filter attacks before they reach your site. In the premium version, the firewall rules are updated in real time, while in the free version they are refreshed every 30 days.

At first, Wordfence recommends keeping the firewall in learning mode, which is enabled by default. That way, it can better understand how your site works and who is supposed to be on there and who isn’t.

After a week, it will automatically switch to enabled, so there is nothing for you to do at the moment. However, you might want to click the big Optimize Wordfence Firewall button. This will allow Wordfence to add some directives to your .htaccess file so that the firewall runs more efficiently.

Once that is done, the basic setup is finished and we can turn to the additional features Wordfence has to offer.

Additional Plugin Features

Here’s what else the plugin can do for you.

Advanced Firewall Settings

There’s more to the firewall than its basic functionality. For example, in the premium version it comes with country blocking.

That means, if your site is receiving a lot of attacks from one particular region, you can completely block that country and even redirect traffic coming from there somewhere else.

Then there is the tab for blocked, locked out and throttled IP addresses.


Should the firewall determine someone wants to harm your site, it will automatically put their IP on this list. Of course, you can also add IPs manually. Under Advanced Blocking, there are even more options.


Here, you can exclude whole ranges of IP addresses (in case you are being pestered by a network of sites), host names, user agents and referrers. Next, Brute Force Protection contains all options to protect your site from this type of nefarious attack.

Aside from that, you have the option to force admins to use strong passwords, determine the number of allowed login and forgot password attempts before locking out an IP, set the time interval in which attempts can occur and other options to keep your site’s login page safe. Finally, under Rate Limiting you can limit crawler activity on your site.
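How an attempt limit, a counting interval and a lockout fit together is easier to see in code. The following is an added example, not Wordfence's implementation: the class, its parameter names, the lockout duration and the constructed login events (documentation-range IP addresses) are assumptions.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Sliding-window failed-login counter with a timed per-IP lockout."""

    def __init__(self, max_failures=3, window_s=60, lockout_s=300):
        self.max_failures = max_failures   # failures allowed inside the window
        self.window_s = window_s           # interval in which failures count
        self.lockout_s = lockout_s         # how long a locked-out IP is refused
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock ends

    def attempt(self, ip, ts, success):
        """Record one login attempt and return what happened to it."""
        until = self.locked_until.get(ip)
        if until is not None:
            if ts < until:
                # Refused before credentials are looked at, so even a
                # correct password does not get through during a lockout.
                return "blocked"
            del self.locked_until[ip]
        if success:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(ts)
        # Failures older than the window no longer count.
        while recent and recent[0] <= ts - self.window_s:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout_s
            del self.failures[ip]
            return "locked_out"
        return "failed"

    def locked_ips(self, ts):
        """IPs that are still locked out at time ts."""
        return sorted(ip for ip, until in self.locked_until.items() if ts < until)


# Constructed events: (seconds since start, source IP, login succeeded?)
EVENTS = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (15, "198.51.100.4", False),
    (20, "203.0.113.7", False),   # third failure inside 60 s
    (25, "203.0.113.7", True),    # arrives during the lockout
    (30, "198.51.100.4", True),   # one typo, then a normal login
    (100, "192.0.2.9", False),
    (150, "192.0.2.9", False),
    (200, "192.0.2.9", False),    # the failure at 100 s has aged out
    (330, "203.0.113.7", False),  # lockout from 20 s ended at 320 s
]


def replay(events, guard=None):
    """Feed events through a guard and return the outcome of each one."""
    guard = guard or LoginLockout()
    return [guard.attempt(ip, ts, ok) for ts, ip, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay(EVENTS)):
        print(event, "->", outcome)
```

Widening the window or lowering the limit catches more guessing but also locks out more users who simply mistype, which is the trade-off these settings control.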

Live Traffic

In the Live Traffic panel you see all traffic coming to your site including from non-human visitors like crawlers, scripts and RSS readers.


The view shows warnings for suspicious activity and can be filtered in many different ways: by registered users, attempts to access unavailable pages, the login page and at much finer granularity. This enables you to pick up on DDoS attacks or unusual amounts of traffic from one IP address. In addition to that, Wordfence lets you run a WHOIS on any of the addresses for more information.


Wordfence also offers a number of tools in the section of the same name. The first one is a password audit, which is only available for premium users.

Through it, the plugin will check the quality of the passwords on your site. In contrast to WordPress’ own feature that helps users come up with strong passwords, this involves simulating an actual hacking attempt on the passcodes on your site. Afterwards, WordFence will tell you which ones need improving.

The second tool is the aforementioned WHOIS lookup. With it, you figure out where the IP addresses and domains trying to access your site are located. If you choose this option in the Live Traffic panel, you will also be redirected here.

Third on the list is another premium option called Cellphone Sign-in. Once enabled, it adds two-factor authentication to your site for the users or user level you choose.

Finally, the tool section has the Diagnostics tab, which contains a lot of different information about your server system, WordPress setup, database and more.


Wordfence offers a long, long list of settings. In the Options panel you can enable and disable almost any feature and exert full control over how everything works. The section also contains all the settings you can control elsewhere in one convenient place.

Premium Features

I have already mentioned the premium version several times. If you choose to go for it, it will cost you $99/year for one API. The price gets more affordable with additional APIs and years added to the license.


Besides the features already mentioned above, there are a few more things premium users get:

  • Remote scan — The ability to scan the public side of your site for signs of compromise with an external tool.
  • Checking site against spam lists — Checks links on your site for blacklisted sites on the Spamvertized and Google Safe Browsing list and whether your IP address is known to generate spam.
  • Premium support — Free support is always available through the WordPress support forums. With the premium version you can get in contact with Wordfence directly and get help from their experts.

Wordfence – User Friendliness

With such an extensive feature list, the only question left is how easy the plugin is to use. The answer is a bit of a mixed bag.

First of all, WordPress security or web security in general are complex topics by themselves. You need some level of knowledge about how hackers access websites, what brute force attacks are, etc. in order to really understand what the plugin is doing.

The makers of Wordfence do a good job of giving you as much help as possible. The plugin contains a lot of helpful blurbs (along with many suggestions to update to premium) and links to resources that explain features in detail.

So, with a bit of reading and self-directed education, most users should be able to figure things out. However, make no mistake, there is quite a bit to go through.

The biggest issue I ran into, however, was getting the scan to work to actually test it. As it turns out Wordfence doesn’t work at all in my local test environment. On the web server I was using later, the scan kept timing out and never completed.

I had to experiment a lot with execution times and memory limits to get it to run properly. Of course, this might also be due to my server environment. However, Wordfence’s hunger for resources is a common complaint and I doubt a less experienced user would have an easy time figuring this out.

So, if there was any way to make this easier, it would be great to implement it. Aside from that, however, Wordfence mostly deserves its reputation.

Wordfence Review – The Long and Short of It

Wordfence is by far the most popular WordPress security plugin and deservedly so. Even the free version offers loads of features to keep WordPress sites safe and off spam lists. From an extensive security audit through a full-featured firewall to heaps of additional options, the plugin will do its best to keep hackers and other shady individuals at bay.

From a user point of view, you can learn where threats to your site originate and have plenty of options to make the plugin work according to your needs.

Of course, that doesn’t change the fact that security is a complex topic. Even if Wordfence is very much “set it and forget it”, to get the most out of the plugin, users will have to do a bit of work.

So, is it truly the best WordPress security plugin? Well, users definitely seem to think so and there is little in this review that would contradict them.

However, what do you say? If you have used Wordfence before, we’d love to get your input on your experience and also what could be improved. Let us know in the comment section below!


  1. Excellent article, it would be interesting to do one about iThemes Security plugin to compare. regards

    • I agree with @Agustin – I’d love to see a post about iThemes Security and its comparisons.

    • I always run both 😛

      And yes, WordFence is the best WordPress security plugin.

      • Based on the fact that one product was not even mentioned I would say it is good but in comparison to Bulletproof Security it has one big lack, affordability! If you only have one site or if every site makes piles of money then I am glad you can afford Wordfence. I go with a product that you pay a sum and you own the product as far as I know forever including all upgrades. That could change but until now it has not. I paid several years ago when one of my WP sites got hacked, $49 and now I can use BPS on every site I want it on. I only have one site right now that makes any money. The rest are for interest. So if I had not found BPS I would have to remove Wordfence entirely due to the subscription model which hurts we small guys. So three cheers for BPS!!! I have never since 2012 had a site hacked since using BPS. So for affordability and for protection I vote for BPS for the best! And you can use it on as many sites as you need to and own the BPS Pro for only $59!!!!
        BPS! You are number one!

        • Hi Charles,

          Thank you for suggesting that plugin, I always look for plugins that charge a one-time fee so that I don’t have to worry about paying every month. I currently use the free version of Wordfence, but am looking for something more complete. BPS sounds great for just $59. Do you use any other security plugin or just BPS?


          • I had 5 sites being “protected” by Bullet Proof Security. Every one of them was compromised and most of them were being hacked weekly. Wordfence found missing core files on EVERY site. BPS cancelled my support at about 4pm my time because I asked for help, leaving me in a meltdown. They disabled all of my keys leaving my sites totally unprotected. This claim of no site hacked is a pure lie. The BPS interface is a mess. Their support team called me names and were extremely unprofessional and rude. You get what you pay for.

      • Do you mean that you run both together?

    • Nick Schäferhoff

      Interesting thought, will keep it in mind for the future. Thanks for the comment!

    • If there is also an article about iControlWP it will be very helpful.

      Agustin, I have used iThemes security plugin, their service is good, but if you are on a shared hosting environment there will be slightly more load on your servers/account.

  2. Having used iThemes Security for years and now Wordfence I definitely prefer Wordfence. It does so much good and the team is very informative and proactive about threats.

    • Nick Schäferhoff

      Thanks for your input Chris!

    • That goes for me too, Chris!

  3. For all the WordPress sites that I manage, I have Wordfence installed on every single one of them. It’s probably the most essential plugin that I’ll ever use, since it notifies me of updates, logins, critical issues, and more.

    Plus, I love the comprehensive reports that it sends out, showing the activities of my sites.

    • Nick Schäferhoff

      Ryan, thanks a lot for your comment. Looks like you really made up your mind. I’m sure others will appreciate the extra information. Cheers!

  4. For the last several years, I use WordFence premium version for all our sites and also for all our clients’ sites. To be very honest, I am yet to find a WP security plugin that is as feature rich as Wordfence is and also that does a great job of securing our websites.

    It is positively worth the price that I am paying for the WF APIs. As Nick mentioned, even the free version is excellent but, then you get so much more with the premium version.

    • Nick Schäferhoff

      Thanks for the input! Great to hear from someone who uses the premium version.

  5. Do you need Wordfence if you have managed WP hosting?

    • My understanding is that you do not. The management part of WP managed hosting comes with security services already.

      • Depends. SiteGround security is mostly a joke, WP Engine security is top notch. You should do your research before committing blindly.


    • Depends on what server-side security your managed host has.

    • Nick Schäferhoff

      Also a valid point David, but I guess Wordfence comes cheaper for most people.

      • Cheaper??? Really? What can be cheaper than using a $59 product with free lifetime upgrades? Bulletproof Security. Sorry but I cannot afford Wordfence along with all the other expenses necessary to have decent sites. That is the only criticism I have. I have used it but simply cannot afford it. It is now for the Pro moneymakers not for we po’ boys 🙂

        • Nick Schäferhoff

          Hey Charles, I meant in contrast to most managed WordPress hosting Wordfence is probably a lot cheaper (especially if you use the free version). While I love managed hosting, not everyone can afford it. And I’m glad you found your solution with BPS!

    • The best option is no security plugin and use server-side security. StackPath, Sucuri, CloudFlare and SiteLock all offer WAF and DDoS.

    • Yes, since WordFence is a plugin, and preloads via PHP if you set it that way, it’s far superior to CloudFlare or any “security” managed WP hosting provides. Since WordFence deals with realtime data from millions of WordPress sites, they can see trends and block them before any security solution.

  6. Wordfence is the first plugin I install after installing WordPress. So far on the 60+ websites I manage it is working without any issue at all. Shared server, no problem.

    • Nick Schäferhoff

      Thanks Martha! And wow, 60 websites? That’s a passable sample that speaks volumes for the quality of Wordfence.

  7. I use iThemes Security plugin on all my sites, and it’s great. I really love the daily database backup I receive by email.

    But…these plugins won’t save you if your host is not reliable. My host has such a tight security, that occasionally I need to loosen it down a bit for my plugins to work 🙂

    • Nick Schäferhoff

      Hey Eitan, yeah hosting is an important piece of the security puzzle. Glad to hear you like iThemes security. I might look into that more deeply in the future.

  8. WordFence is a great plugin to be sure but I have noticed in efforts to optimize my sites’ load speed, WordFence is definitely a resource hog. Has anyone else run into this?

    • Nick Schäferhoff

      I had this problem indirectly. Couldn’t get the scan to finish until I made some major adjustments to it. Wordfence and low-powered servers don’t seem to get along well.

    • Nick Schäferhoff

      Hey Jasper, I use that as well in order to avoid spam entries into my web forms. However, I found that it completely bloats up my database. Have you run into that problem?

      • Nick Schäferhoff

        Need to correct myself here. The developer of WPBruiser got in touch with me and we could sort everything out. Great customer service!

  9. I’ve been using Wordfence on my client’s WordPress websites for years and love it. It isn’t a perfect solution, but it’s great for sites on shared hosting for clients with limited budgets. One important note – turning Live Traffic on can severely slow down a site and even create conflicts with other plugins, so I turn that setting off on all the sites I manage.

    • Nick Schäferhoff

      Erin, thanks for that tip. It will probably help a lot of the folks here who see a decrease in site performance with Wordfence.

  10. The problem with WordFence is that it eats up memory. My hosting company had me disable it on all our sites for that reason. Since then, no memory problems.

    • Nick Schäferhoff

      Hey Dave, you are not the first one to experience this problem. I also mentioned performance problems in the article above. Seems like that’s a weak point in Wordfence. Thanks for the comment!

  11. Interesting timing since just last month I installed Wordfence. Within 3 days my site, a Divi WordPress site was completely trashed. So much so that the only thing I could do was reinstall from a backup. Thank goodness for Updraft. I can not in any way recommend Wordfence. My site was working fine I simply thought I should begin using some form of security. In 24 hours after installing Wordfence it had found and recommended deletion of a half dozen files and had marked them with that yellow triangle. Big mistake on their part and mine. Needless to say Wordfence will never see the light of day on my site again.
    But hey, your article is good information about it.

    • I doubt that WF had anything to do with your site being trashed. There are one of two things that probably happened.

      1) That “little triangle thing” is informational and shows up often when a plugin user just changes things like version numbers etc. At that point you have to look at the data that was changed and decide to ignore it or not. Then if you decide to delete it or replace it you have to think about what that file is and does. If you make a mistake and the file is required you can then just revert that one file. If you “Bulk” try to delete or change those files and do not understand the use of those files then yes you can trash your site.

      2) If you had no security, and it seems you did not since you said “I simply thought I should begin using some form of security”, and this is the first time you ran this and the site was not updated for some time, then it might have been infected and you did not know it. Running Wordfence in that environment, you can become overwhelmed with what it finds and once again make mistakes with correcting the infection.

      Wordfence provides you with the tools to prevent infection and correct infections. However if you are not familiar with those tools you can use a hammer to put in a screw and that never works out well.

      My guess is there were a lot of screws on your site and you used the hammer to correct them. Big mistake.

    • Nick Schäferhoff

      Hey Brad, yes I have read that Wordfence can often be too sensitive which leads to false alarms. Glad you got your site back ok. Thanks for the input and happy you liked the article.

  12. I’ve installed Wordfence on all but one of the sites I manage (All In One WordPress Security and Firewall on the ‘odd one out’), but none of the Wordfence-protected sites use the paid version.

    The only premium feature I’d like to get and wouldn’t mind paying for is the ‘real time updates’ (free users are at least 30 days behind on paying customers), but getting Wordfence for 20+ sites that don’t generate any income is simply too costly for me, especially considering I don’t want country blocking, password audits or remote scans. Therefore I’m currently looking at alternatives that are more cost-effective and AIOWPSF seems to do the trick so far.

    I’d be interested to read an objective comparison between the various security plugins, but I’m guessing that’s not what this blog is for 🙂

    • Nick Schäferhoff

      Hey Roland, if there will be more reviews of security plugins, I’ll make sure to refer back to this article.

      • I’d also support a look or comparison between the security plugins. In addition to WordFence, see a lot of people using Sucuri Security and iThemes Security as well. I’m always happy to see people are using anything 🙂

  13. Bottom line: Love it

    but it does slow down your site over time. You need to delete logs from time to time to keep your site chugging along.

    Don’t let customers see the threat emails. When you update WP it gives you a modified core files email that looks scary.

    If users try to login and fail, you can receive emails, but sometimes robot login attempts are so many, you will be bombarded with scary emails. Just set it to email you when a user logs in and view the report on IP’s being blocked.

    It also has a super cache feature to speed up your site, but I found it broke most of the sites I use.

    I think it’s an awesome plugin, but it does provide you with some false positive information and it will require maintenance from time to time. I would recommend it if you have no server side security at all or are on a shared hosting plan. Just make sure you are always updating your plugins, themes and WP when they require updates. Wordfence will let you know when anything needs an update and do take action.

    • FYI, WordFence removed the caching feature from the plugin

    • Nick Schäferhoff

      Hey Jaime, I also get a lot of emails from some client sites. Mostly about users that have been logged out due to too many login requests. You get used to the script attacks. Thanks for all the additional input!

  14. WordFence has rich features but it’s resource hungry as you mentioned. It gives sense of security by looking at the live firewall.

    • Nick Schäferhoff

      Sometimes a sense of security is all you need. Thanks for the comment Liew!

  15. Up until a couple months ago, I’d never used any security on my WordPress sites. One day, I was in my biggest client’s site (135 pages of SEO driven commercial services) and on a whim, I decided to look at the users. There was a “service.controller.lb15” user and I about died. I then went on to look at the site in whole, and then the traffic. The traffic was wayyy down for the previous 10 days. I notified the owner of the company and he proceeds to tell me that about a week or so earlier, he was on the site and it directed him to a porn site. I was like “Why didn’t you tell me this sh*t?!”.. He said he was busy. (craziness).

    I went looking for a virus scanner / firewall and I ended up with Wordfence. The whole site was chewed up. The backups were chewed up now and I had my work cut out for me. It took me 7 hours to fix everything and left me with a migraine headache. I’d never seen anything like it.

    We went ahead and bought the paid version of Wordfence ($99 a year) and I absolutely love it. It emails me anytime anybody logs in (Me having the only login and it still emails me). It emails me if any of the files change, etc.

    There is quite a bit of traffic on this site so I wasn’t surprised that the “hackers” were still trying to get back in. The site was getting 10-15 different login attempts per week, malicious files were trying to be uploaded, and the list goes on. This activity has finally come to a halt as ‘they’ appear to have given up. Wordfence also emails when updates are available for core, theme, and plugin files. I have it scanning the site 2x a time and everything is great. I now use the free versions on the rest of my other sites and always make sure that I have clean backups for all.

    I’m not sure how good any other security plugin works but after what I’ve seen here, I wouldn’t even try anybody else’s. Wordfence is my hero. lol

    This is not a paid endorsement. 🙂


    • Jason,
      Did you get to the bottom of the “service controller” hack? I suspect it was something unpatched, which the scanners do not always catch.

      And one cannot always patch instantly without testing in the WordPress ecosystem. Incompatibility is not rare across plugins, and fresh upgrades can introduce bugs, even if they patch vulnerabilities

      • wp.service.controller.* is a known hacking attempt.

    • Nick Schäferhoff

      Hey Jason, I got cold sweats just reading your story. Happy you could sort it out and that Wordfence played a part in it.

  16. Wordfence is the first plugin I ALWAYS install. On a few customer sites with ecommerce I use the Premium version.

    The reports are rich but easy to understand and the Wordfence team is very reactive. Additionally their newsletter is worth reading (even if you don’t use the plugin subscribe to the newsletter!).

    A 5 star plugin!

    • Nick Schäferhoff

      Hey Louis, looks like you have found your security solution of choice. Cheers!

  17. We depend on WordFence to protect dozens of websites and it does a great job. It’s a bit pricey but we buy multiple API’s at a time. Their customer service does a great job.

    It is a resource-hungry app, but these days we encourage clients to spend a bit extra to be able to build fast page loads, throughput and storage into our sites. We also make sure server environments are state-of-the-art, so timeouts on WF scans have not been an issue.

    I think the settings are beyond most of our clients’ capabilities (or interest), so I’d say it’s not a plug-in we would recommend installing and leaving up to an inexperienced site owner to fine-tune.

    Their customer support has been exemplary.

    • Nick Schäferhoff

      Hey Jeff, thanks for the perspective of a premium user and how to handle Wordfence with clients. Cheers!

    • Ditto on this comment, most shared hosting is oversubscribed and you’ll never get a full scan completed. If you care about your site spend the money and get decent hosting where you can use WordFence.

  18. Is there any reason to use Wordfence premium and Sucuri premium together? Or would that be redundant.

    • Ditch Sucuri and stick with WordFence premium, it has a better firewall that utilizes real time data.

    • Nick Schäferhoff

      That would be an interesting thing to learn. I hope someone else can shed some light on this.

  19. I definitely love Wordfence. I, like others, use it on every site I create. One tip: if you want to save a bit on the API cost, and have more than one site, you might try putting them into a single multisite network. You can use one API key for the whole network if that’s the case.

    • Nick Schäferhoff

      Sneaky, but thanks for the tip!

  20. I had a tough time dealing with memory issues, probably caused by our hosting provider but I was never able to resolve the issue so I switched to iThemes Security Pro with no errors on installation or operations. I didn’t have time to fight with our hosting provider who never claims that there’s any issue with their system… always blame your plug-ins or try to upsell you on better plan that costs more $.

    I’ve been happy with iThemes Security and haven’t had any issues since installing it. Also had issue with the cache feature of WF as we use SSL and not all caching options seem to play nice with SSL.


  21. We use iThemes for all our sites. I would like to see a comparison review as well.
    Bottom line…. we have never had a site hacked after running iThemes

  22. Wordfence is essential. I use Wordfence + Bullet proof security + WP all in one security with no issues.

    • Nick Schäferhoff

      Thanks Chris, happy to hear you have your site security covered.

  23. Have used WordFence for a couple of years, free and premium version, and it’s good… but I like iThemes Security better. Just a friendlier interface, some nicer WP tweaks, and a perfect combo with their iThemes Sync tool (central management dashboard) and BackupBuddy. I admit my switch was mainly due to this combo-package, but the more I use iThemes Security, the more I like it. That being said, never ran into problems with WordFence, nor had I any site infected.

    • Nick Schäferhoff

      Eric, thanks for giving some input for an alternative solution. I also like iThemes security and might look into it in more detail in the future. Cheers!

  24. People have reported being shut down on their shared server hosting providers because Wordfence uses too many resources. Can really spike the CPU hard when doing its heavy heavy scans. Only the paid version allows throttled scanning.

    Further, my webmaster won’t let me use it at all, because they are all about security, and Wordfence requires write access to files outside of the uploads directory, which causes exceptions in the PHP log files if you don’t give it write access, which is in itself a security risk.

    So not really thrilled with Wordfence. PHP is the worst place to do security work. It’s just too heavy of a plugin. Attacks, password guessing, SQL injections, IP bans/firewalls, etc., should be handled lower on the infrastructure stack where it’s far faster and more efficient using compiled languages like C/C++.

    • You offer a different perspective than most here… but you don’t offer a solution. What security plugin would you recommend?

    • Nick Schäferhoff

      Thanks for the lively discussion! Good to hear a different perspective.

  25. I’ve been a wordfence user with several websites for some time now and so far I’m a happy one. I have to say that they have improved the tool significantly during this time, adding new features or improving the dashboard.

    • Nick Schäferhoff

      Good to hear Manuel. It’s always nice to see plugin developers pushing the envelope to get better.

  26. I use Wordfence along with wp-cerber. I have had no issues. I like wp-cerber in that it allows you to set a custom login url so you eliminate the attacks to wp-admin.php login. It will actually block IPs that try to log in at wp-admin.php

    • Nick Schäferhoff

      I’m not WP-Cerber but happy to hear you have found a working combination.

  27. How does this plugin affect site performance?

    Recent WordPress’ improvements have reduced our hosting company’s service to continual 500 errors whenever we go into the WordPress admin area.

    • Nick Schäferhoff

      Hey Joel, several people in the comment section said that they saw a decrease in performance with Wordfence. It seems to be quite resource hungry.

  28. Hi everybody, I am using Wordfence and thinking about using the free version of CloudFlare for a Website to add shared Https protocol. I do not need more than that, since it is not an e-commerce and there is not password transmission. Do you think there may be any conflict or problem by having the plugin of Wordfence and that of CloudFlare installed ? Does anyone have some experience with using both the plugins?
    Thanks a lot and have a nice day!

    • I have both running on all sites I manage/own. Never had to do anything special when setting up on Cloudflare but you can get support from them (even on the free version) if you need it.

  29. From the comments I gather that I may be the only one out there, with a very different perspective on Wordfence.
    About 2 years ago, I read a blog post just like this one, and decided to get Wordfence, and the premium version as well. It appeared to be a good idea, for not long after installing, I got the first reports of attempted log-ins to my site. Great – A good investment then.
    As time went by, the number of log-in attempts declined to where I for months wasn’t getting any reports.

    But then something happened.

    I was coming up on my renewal, when the number of attempted log-ins exploded. I was getting several emails a day, telling me how Wordfence had blocked someone after 20 attempts.

    I got a bit suspicious about the sudden surge in attempted log-ins – mainly due to my renewal coming up – and me not having had any such reports in the months leading up to.

    So I decided to install another plugin, that limits the number of possible log-ins. I set the limit to 3.
    Afterwards I was still getting reports from Wordfence about someone having attempted to log-in 20 times. I tested myself from another browser and was logged out after 3 attempts.
    I then contacted people in my network who live in different parts of the world – and asked them to log-in. ALL were blocked after 3 attempts. AND I got NO report from Wordfence on any of these.

    This made all the red flags go up – and I cancelled my subscription immediately.

    Now I run this site to where you can only log-in from my IP.

    • Nick Schäferhoff

      Hey Chris, thanks for your input. That does sound a little weird.

  30. Love Wordfence. I’ve used several including iThemes – which I also liked, but decided to include Wordfence on all my sites. I use MainWP to manage my sites with the Wordfence extension which installs Wordfence and sets up my default settings.

    Occasionally I’ve gotten locked out of a site (even though I whitelisted my IP). I’ve learned that deleting htaccess and replacing with default htaccess and disabling Wordfence, I am able to get back into my backend and troubleshoot.

    Other than that, I love Wordfence. I also appreciate their emails and blogs that educate me on current attacks and threat levels.

    • Nick Schäferhoff

      Hey Bob, thanks for mentioning that. Maybe someone else will run into the same issue.

    • Nick Schäferhoff

      Thank you for the comment!

  31. I initially use the free WordFence plugin on all my clients’ WordPress sites, and give them an education about the importance of securing WordPress. I include the client’s email address along with mine for notifications. When the client gets an email notification from WordFence, they often call me asking “What’s this email from WordFence about a Critical Update”? I then have the opportunity to upgrade them to a “Premium” SEO Plan, generating more revenue and giving them better customer service. Clients that are on an SEO Plan get the Premium WordFence plugin. So, in turn, I have an opportunity to upgrade the client to a SEO Plan if they are not already on SEO.

    • Nick Schäferhoff

      Hey Frank, nice tactic for upselling your services.

  32. Wordfence is an awesome solution, but you have to know what you’re doing with it. It is not a set it and forget it solution until you get it tweaked to your site’s environment. But it can’t solve problems with bad hosting, and it won’t protect you if you have bad passwords or old plugins/themes with vulnerabilities. If you mark everything for deletion and you have code injections within valid files, it is going to mess up your site. Security is more than a plugin. That being said, Wordfence’s plugin has matured especially in the last year, and the company is doing exceptional work in the world of WordPress security.

    • Nick Schäferhoff

      Hey Katie, yes especially with security and caching plugins there is always a learning curve. The topic is very complex and users need to educate themselves in the process. You are also right that just a plugin is not enough, you also need to follow best practices to keep your site safe.

  33. There was a strong review of Sucuri by WPBeginner. Any thoughts on that tool vs WordFence?

    • I’ve actually only used Sucuri (and sometimes SiteLock). It stops attacks and speeds up the site at the same time. They are also usually the first company to mention vulnerabilities with WordPress. They delayed making the REST API issue public so we could all upgrade to WordPress 4.7.2 without getting hacked.

    • Nick Schäferhoff

      Hey Bruce, I have not looked into Sucuri in detail so I don’t feel qualified to answer but I’d also be interested to hear from someone who has used both.

    • I operate about a dozen WP sites on a VPS, and have been targeted by hackers numerous times.

      I used to use – and swear by – Sucuri.

      Recently, my main revenue site was again targeted, and the attacks were sophisticated and persistent.

      I thought Sucuri was keeping the site safe, yet external scans showed file tampering and malware that Sucuri didn’t pick up.

      I installed Wordfence, ran a scan, and it found all the files I had identified.

      It also had a better & easier mechanism for blocking hacking attempts by letting me see the networks – not just the IP address – and block them.

      Along with a few other features, I was impressed enough that I promptly moved all my sites over to Wordfence.

  34. Tried both and had issues with WordFence so I switched to iThemes and had no problems since. Easy to use, lots of how do and what does this do information. One little issue I have found it best to disable when migrating a site from one hosting platform to another and then enable it again. Apart from that it is excellent.

    • Nick Schäferhoff

      Thanks for your comment Shakya and for the tip for migrating websites!

  35. I can’t get “Optimize the WordFence Firewall” to run—ever.

    I’m on GoDaddy Classic Web Hosting (no CPanel, no Managed WordPress) but plan to leave GD for SiteGround. When I click configure I get “The changes have not yet taken effect. If you are using LiteSpeed or IIS as your web server or CGI/FastCGI interface, you may need to wait a few minutes for the changes to take effect since the configuration files are sometimes cached. You also may need to select a different server configuration in order to complete this step, but wait for a few minutes before trying. You can try refreshing this page.”

    Refresh doesn’t work. Don’t understand “Alternate Method” and I don’t have an “php5.ini” file because GoDaddy support refused to help make one as previously promised. Any ideas?

    From WordFence: “Alternate Method: We’ve also included instructions to manually perform the change if you are using a web server other than what is listed in the drop-down, or if file permissions prevent this change. You will need to append the following code to your php.ini:

    auto_prepend_file = '/home/content/t/c/o/tcosmas/html/newsite/wordfence-waf.php'

    • Make sure your root .htaccess file permissions are set to 755, then Wordfence will be able to edit it and add the proper lines so that your firewall is optimized. You can also add the code below to your .htaccess file.

      Make sure you place the code BEFORE the “# BEGIN WordPress” line..

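      # Wordfence WAF
      php_value auto_prepend_file '/home/content/t/c/o/tcosmas/html/newsite/wordfence-waf.php'
      <Files ".user.ini">
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
      </IfModule>
      </Files>
      # END Wordfence WAF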

      Make sure the correct file path for the site in question is set, though. I just copied what you posted as an example.

  36. Wordfence is one of the first plugins I install on every new site, plus Clef for login security. It has never let me down. And it’s got me out of trouble on several occasions. Not sure why you were having scan problems, it has run okay for me on some very cheap servers! I have found that the live traffic view can be a resource hog though.

    • Nick Schäferhoff

      Hey Mark, I’m not sure what the problem was either. The scan just timed out a lot in the beginning until I played with the options. The host I’m using is not the fastest so I figured it was a resource problem.

  37. Awesome post!.. I use Wordfence on every WP site I build, as well as iThemes security. What ever Wordfence doesn’t do, iThemes does, and I also disable any iThemes features that Wordfence is already taking care of, as to not cause conflict between the two plugins. I believe that using both is a must.

    I agree with other comments here suggesting an iThemes Security plugin review. I’m looking forward to it in the near future hopefully. 🙂 Keep up the good work!

    • Juan,

      Thanks for that helpful advice, on the way you combine the use of iThemes Security and Wordfence.

      Which version of Wordfence are you using- the free, or the paid?

      • Hi John,

        Thank you! Currently using free versions.

    • Nick Schäferhoff

      Hey Juan, happy to hear those two plugins get along. I will look into doing a review of iThemes security in the future.

      • That would be great, I can’t wait! 🙂

  38. If you use WordPress install WordFence period.

    On managed WordPress you don’t need the WordFence firewall.

    The biggest problem WordFence had was already mentioned – poor performance. Wordfence to their credit worked with ISPs and corrected the problem a few months ago. The scans don’t use a lot of resources now or hang.

    On managed WordPress I’ve run some sites with and without WordFence to determine if WordFence was needed. For 23 sites, once a month I enabled WordFence and ran a scan and no errors.

    With a large install base I have never been hacked, but to be fair I use other counter measures too.

    • Nick Schäferhoff

      Thanks for the insights, Mike!

  39. I had WordFence for years on a number of sites until their new firewall caused problems. It was very difficult to delete because it had created a hidden .user.ini file. Without deleting this file, deleting the wordfence-waf.php file causes the site to crash. I was somewhat frustrated that they would install hidden things without clearly documenting it and leave me having a down site while looking for a solution.

    I went with iThemes Security Pro for all my sites and have been quite happy with it.

    • Nick Schäferhoff

      Jim, thanks for letting us know about your problems with Wordfence. Happy to hear iThemes is working out for you.
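Added example (not taken from any comment above and not Wordfence's own code): comments 35 and 39 both come down to an `auto_prepend_file` directive whose target PHP cannot load, either because `wordfence-waf.php` was deleted while `.user.ini` still points at it, or because the path was pasted with typographic quotes. The Python sketch below walks a web root, finds the directive in `.user.ini`, `php.ini`, `php5.ini` and `.htaccess`, and reports whether each target exists; the directory names and file contents in `demo()` are constructed, and the checked file names are an assumption about where a host keeps its PHP settings.

```python
import os
import re
import tempfile
from collections import namedtuple

# Files that may carry the directive (assumed set; adjust for your host).
CONFIG_NAMES = {".user.ini", "php.ini", "php5.ini", ".htaccess"}

# Matches both forms quoted in the thread:
#   auto_prepend_file = '/path/wordfence-waf.php'            (php.ini, .user.ini)
#   php_value auto_prepend_file '/path/wordfence-waf.php'    (.htaccess, mod_php)
# Commented-out lines (leading ';' or '#') do not match.
DIRECTIVE = re.compile(
    r"""^\s*(?:php_value\s+)?auto_prepend_file\s*[=\s]\s*"""
    r"""(?:'([^']*)'|"([^"]*)"|([^\s;#]+))""",
    re.IGNORECASE,
)

Finding = namedtuple("Finding", "config line target status")


def classify(target):
    """Decide whether PHP would be able to load the prepend target."""
    if any(ch in target for ch in "\u2018\u2019\u201c\u201d"):
        return "typographic-quotes"   # pasted curly quotes became part of the path
    if not os.path.isabs(target):
        return "relative-path"        # resolved via include_path; check by hand
    return "ok" if os.path.isfile(target) else "missing-target"


def find_directives(webroot):
    """Yield (config_file, line_number, target) for every active directive."""
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            if name not in CONFIG_NAMES:
                continue
            config = os.path.join(dirpath, name)
            with open(config, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    m = DIRECTIVE.match(line)
                    if not m:
                        continue
                    target = next(g for g in m.groups() if g is not None)
                    # An empty value or "none" disables auto-prepending.
                    if target and target.lower() != "none":
                        yield config, line_no, target


def audit(webroot):
    return [Finding(c, n, t, classify(t)) for c, n, t in find_directives(webroot)]


def _write(path, text):
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def demo():
    """Audit a constructed web root that reproduces the three situations."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("site_a", "site_b", "site_c"):
            os.makedirs(os.path.join(root, site))
        waf = os.path.join(root, "site_a", "wordfence-waf.php")
        gone = os.path.join(root, "site_b", "wordfence-waf.php")  # never created
        _write(waf, "<?php // constructed stand-in\n")
        _write(os.path.join(root, "site_a", ".user.ini"),
               f"; Wordfence WAF\nauto_prepend_file = '{waf}'\n")
        _write(os.path.join(root, "site_b", ".htaccess"),
               f"# php_value auto_prepend_file '/old/waf.php'\n"
               f"php_value auto_prepend_file '{gone}'\n")
        _write(os.path.join(root, "site_c", "php.ini"),
               f"auto_prepend_file = \u2018{waf}\u2019\n")
        return {os.path.relpath(f.config, root): f.status for f in audit(root)}


if __name__ == "__main__":
    for config, status in sorted(demo().items()):
        print(f"{status:20} {config}")
```

Run `audit()` against the real document root before deleting or moving `wordfence-waf.php`; any `missing-target` entry names the config file whose directive has to be removed first.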

  40. Wordfence is a great largely free product, especially when linked to updating plugins with infinitewp.com. I’ve had problems on server configurations: where you can’t access the php.ini file, you can’t use it. If you think native wordpress install is secure, set a test site and look at the usage stats after a couple of days. 1000MB scam usage is no joke. It still amazes me that such large security holes exist in wordpress and officially recommended plugins. Is it time to create a quality mark/health warning? It’s also time to accept that we live in a time of not when you will get hacked but how many times. So much so that we have abandoned WP on most sites and gone back to html. It’s also important to backup/secure/separate your site, lists, credit card payments service and product downloads.

    • Nick Schäferhoff

      Hey David, thanks for your input!

  41. Wordfence looks great but it is heavy ? Should we go with Sucuri Complete Security plan ? It is costly but looks good. What do you say ?

    • Nick Schäferhoff

      Hey Faraz, unfortunately I don’t know enough about Sucuri to make a recommendation. Maybe someone else here has an opinion.

  42. Hey All,

    Sorry to be Mr. Cranky here, but A) this IS NOT a “report” about security for WordPress or anything else. It is an ad for Wordfence, I don’t care how they spin it.

    B) Wordfence gives you enough valuable data allowing to “feel” safe, but I can tell you with it installed on 24 sites, there are some huge holes in what they call protection.

    So much so that I have painstakingly moved all of our sites onto our most protected server only to find new files being created and existing files being modified allowing for very bad injection code to run.

    Furthermore, all of our WordPress installations are constantly updated – including the plugins without fail – and we have taken great care in limiting group and directory access further than would be found in a standard WordPress installation. And as a side note, none of the sites have the same set of plugins.

    We are huge cheerleaders of all things WordPress, but other than what seems like a great “IP doing bad things” routine and deep scans that reveal the fact that code has been modified, having run Wordfence on 3 different servers that have nothing to do with each other, as a protector of your files, it seems to be a total and complete failure.

    “WANTING TO BELIEVE”, I cannot help but feel that they are rolling out the red carpet for mods to take place. We all hope this is not the case, but after 4 very active months chasing our digital asses, it has just become too painful.

    In closing, their pricing is a tough one – especially considering the number of sites we have online. If they wanted folks like us to actually pay them for a larger set of services, their prices need to come down, but more importantly, real protection over file writing and modification would be a great service for them to actually aspire to!

    Sincerely and without hesitation,

    Max Laing, D. MP
    CEO / Project Development
    ActionCore, Inc. and the Allowing Success Network

    • Nick Schäferhoff

      Hey Max, sorry to hear you had some bad experience with the plugin. Just wanted to let you know that the article above reflects my true experience with the Wordfence (including the part where I couldn’t get it to run properly). I have nothing to gain from advertising the plugin (there isn’t even an affiliate link in the post) and tried to include critical comments from others on the web. Do you have any other recommendation? I’m sure others would be keen to hear it.

  43. Yes it is most downloaded security plugin for WordPress websites.

    • Nick Schäferhoff

      Nobody can argue with that. Thanks for the comment!

  44. I heard just yesterday from a reliable source that the free version of Wordfence is usually about 30 days behind the paid version in terms of version upgrades. Is this true?

    • Nick Schäferhoff

      What I found is that the detection rules of the firewall only get updated every 30 days while in the premium version it happens in real time. Maybe that’s what you are talking about?

  45. One of the best plugins we always use for our clients.

    • Nick Schäferhoff

      Thanks for the input, Justin!

  46. And has anyone tried to use IP Geo Block?

  47. Has anyone tried Secupress from the WP Rocket team? I’m a big fan of their products in general but there is a fair amount of cost involved.

  48. Wordfence is not allowed on some premier hosts like WP Engine because it is such a resource hog. Just an FYI.

  49. Wordfence saves the hassle of installing other brute force plugins as well as checking files for changes. I’ve never used the cache and always disable Live Scan. I’ve been using it for years without problems on fast shared hosting and a few VPS’s.

  50. I’ll throw in another request for an in-depth comparison with Sucuri (and iThemes, if someone has the time). I have used Wordfence for a long time, and was happy with it — until it wouldn’t complete a scan, for weeks. Turns out it was triggering my hosting company’s automatic thread-kill tool, due to memory usage.

    I finally decided to move to a VPS, which took care of the memory problem. But along the way, I read WP Beginner’s review of Sucuri, and decided to give it a try as well.

    At this point, I feel like the old man wearing a belt with his suspenders. So, would really appreciate a point-by-point comparison of the two. Thanks!

    • Nick Schäferhoff

      Hey Bruce, that sounds like a good idea. Maybe I can do a post like that in the future. Cheers!

  51. Wow…It took me for ever to read all these posts. I got no work done!!

    Amazing info here. I also post up onto Divi User on Facebook which is also a big help. Maybe you should do a post on how helpful getting connected to that would be. Anyway I digress.

    I use iThemes Security on all my websites that I design. I have never had an issue with that plugin. I just might try WF on my next new one. I just hope it’s not a BIG learning curve.

  52. I installed wordfence on a site that I built with Divi, for an NGO.

    During 24 hours, no attacks.
    After 24 hours I got so many attacks that I stopped the wordfence email alert.

    I’m getting suspicious here. Why did I get so many attacks just after wordfence was installed?

    It looks like they published the site’s URL somewhere. Or there’s a leak or a hole or whatever, that tells bot that a site is using a wordfence install.

    It makes sense because the settings I use are off by default (automatic logout of unused user names). So hadn’t I put it on, there would be bots at work trying to find a user name and the password.

    I used to recommend wordfence but now I’m really unsure. I’m going to have to hide the login pages.

    • What you are watching is spiders (bots) trying to find security holes on your website. They’re just snooping around and not attacking just yet. Once they detect a hole, that’s when they can get a bit more aggressive if the hacker so chooses. By default WF doesn’t block those spiders until they start digging in. I’ve seen a few attempts and Wordfence blocked them without me having to do anything.

      I normally block (set up rules) the IP of any spider that tries to access any plugins that I don’t have. WF FAQs says that isn’t necessary, which I agree, but for peace of mind, I wanted to block them just because.
      Some spiders have looked for my wp-login.php page so I made a rule to block that for I’ve changed my login URL as suggested by Elegant Themes https://www.elegantthemes.com/blog/tips-tricks/how-to-create-a-custom-wordpress-login-url
      I’m currently using WPS Hide Login plugin which is an ease to use. It allowed me to dump iThemes Security plugin all together.

      When you first install WF it starts to watch how things work on your website before it sets firewall rules. Then once it gets an idea, then the firewall locks in. On my old site, I installed WF and in about 6 months, I started to see many spiders crawling all over. This started about 6 months before the elections. Now I’m not seeing as much. My new website the first thing I installed was WF. It’s been about a month now, and I haven’t seen any spider, but just a few Google bots watching my site for any updates.

      Overall I really like WF. It’s been the best security plugin I’ve ever used.

  53. I’m in doubt concerning WordFence. The 1st week, there were about 50 to 100 attacks/day. After a week, it went up to 972 within 4 to 5 hours in the early morning. All were from a single IP address in France. Every second a try to wp-login.php looking at the Live Traffic. Why were they not blocked?
    I started looking for information about the plugin until I arrived here. Some of the comments left me in doubt, about the efficiency, the reporting,…

    As I’m about to open a front-end login, I’m unsure about the best plugin(s) to install in order to correctly protect my site.

    Any experience/advice is welcome.

    • Read my comment above. I too see many spiders crawling about my websites. Those are really not attacks, but spiders looking for security holes that they might try to explore later.

      WF by default doesn’t block those spiders. They are really just looking around and not attacking. You can set rules like I did to block any spider that tries to search for plugins you don’t have. I even blocked my wp-login.php page as I have renamed it.

      There are a few times my sites were attacked and WF blocked them without me having to do anything. I now have a policy on every new website I build is to install WF before anything else.

      I wouldn’t worry about those spiders from France. Just block the IP and you’ll stop seeing them in your live feed in a few days.

  54. I have sitelock thru my hosting program. Is using another security program still recommended? My website is not set up for comments. Just want to be sure that my site is secure.

  55. Nick,

    So I’m reading your wonderful post and I see a screenshot of the live traffic. Lynnwood, Wa was the first thing my eye focused on and I started to freak out because that’s the city I live in.

    Then I realized, wait…, those are NetRiver servers. Well I was relieved. NetRiver is right next door to Red Lobster where a friend works at and I visit often. I’ve wanted to stop in NetRiver and tell them thanks for providing Wordfence the servers that are being used to protect my websites. It’s really weird that my host provider is in Southern California and the security servers are right here in my home town.

  56. Hi
    As a novice Can you tell me if I need wordfence along with Cloudflare and what differences are there? Are they redundant? I have siteground cache for speed and pretty fast loading theme I’m building ( my themeshop) thanks!

  57. I like Wordfence every time I install it on a fresh install but as soon as I hit 30+ plugins or so, I need to switch to AIOWPS because WF slows down larger websites way too much. At times, the scanner stops working altogether, doesn’t finish or runs out of memory (512M php memory available).

    I see they’ve been doing some work on it lately but it seems rather cosmetic. If I was them, I’d rewrite the whole thing and include a bloody custom login url. I miss that feature in WF since day one.

  58. Thanks for sharing.
    I am using User Activity Log Pro Plugin for security enhance. It helps to monitor and keep track of all the activities occurs on the admin side.

  59. You can go bonkers trying to keep your sites safe. Hackers love a challenge and 99% of security is keeping your wordpress core, themes and plugins up to date and try not to use too many. Wordfence is very handy if you need to track a malicious file that’s turned up overnight but hackers hide them all over and know how to bypass WF.

    I like the Divi theme because it comes with so many modules which would normally require extra plugins. The only time we got hacked was with an out of date gravity forms plugin which they quickly patched (Gravity is excellent though just want to say). Also use good hosting. Siteground offer a scanning feature for an extra few sobs.

    WordPress would not be so popular if it was not secure. It would be called wordpress plus wordfence.

  60. Have been a long time user of WordFence. Can you write a comparison of iThemes Security. It would be a post everyone would love to read. Not many comparison articles on the web.

  61. Hi, I’m looking for a way to secure my WP website, without adding any css and jQuery scripts on frontend, pure vanilla js solution – is it possible? Do you know any plugins that don’t require loading jQuery?

  62. In answer to one of the previous enquiries, I use Wordfence and iThemes Security together on all my sites. There doesn’t seem to be a conflict and I haven’t noticed any major speed issues.
