As with everything that is connected to the Internet, security is an important issue also in the WordPress sphere. In fact, the CMS has its own dedicated security team just for that reason and it’s also why we publish articles like this one.
As a consequence, there are a number of security plugins in the WordPress directory. By far the most popular: WordFence. With more than a million active installs, the majority of users seem to prefer this solution to all others.
Deservedly so? That’s what we want to find out. In this detailed WordFence review, we take an in-depth look at the security plugin in terms of setup, features and user friendliness. Want to find out if it really is the best WordPress security plugin? Then tag along.
Setting Up the Wordfence Security Plugin
As the first step in our Wordfence review, we will download plugin to a test site and go through the setup process.
Install the Plugin
You can install Wordfence like any other WordPress plugin. Just go to Plugins > Add New and enter the plugin name in the search box. After that, it should be the first item in the search results.
Click the large Install Now button and wait for the download to finish. Don’t forget to activate!
Once active, the first thing the plugin will do is ask you to provide an email address for security alerts. While doing so, you also have the possibility to subscribe to the Wordfence email newsletter.
After that, you can start a tour around the plugin by hitting the respective button. This takes you around the plugin menus, where you learn all about what Wordfence can do. Once that is complete, it’s time to put what you have learned into action.
How to Use WordFence
Alright, let’s get to work and set up the security plugin.
Look at the Dashboard
Our first stop is the Wordfence dashboard. Here, you will see notifications about new versions and posts from the Wordfence blog on all things security.
Below that, you can see the status of your security system: enabled Wordfence features, blocked attacks for the day, week and month both for your site and the Wordfence network, login attempts, blocked IPs and top countries from which your site was attacked (if it was).
The dashboard is a great place to gain an overview about what happened to your site and the interest in hacking community to bring it down. That way, you can estimate the threat level and whether you need to take additional action or just be extra vigilant.
Do a Site Scan
Among the most important sections is the scan module. When you hit Start a Wordfence scan here, the plugin will audit your site for potential security problems so you can address them. These include:
- Backdoors, malware and vulnerabilities
- Modified core files
- Unknown files in WordPress folders
- Outstanding updates
- Comments with unsafe URLs
What’s remarkable about this is that the makers of Wordfence have a server with every WordPress version and every plugin and theme in the directory ever. That way, the plugin can compare files on your server with their mirror and detect anything that has been changed from the original.
In addition, it lets you replace files with their originals even if you haven’t made a backup yourself. Now that’s service! However, it also means the scan can take a while depending on the size of your site.
Once done, Wordfence gives you a list of potential security issues and detailed recommendations on how to take care of them.
You can even look at files next to one another to see where the code has been changed. Mark whatever you have taken care of as fixed or, in case you know something is not an issue, choose to ignore it.
The Options panel at the top allows you to choose what to include in the scans.
For example, you can have plugin look for changed theme or plugin files, extend the scan to files outside your WordPress directory or use low resource scan for environments with little processing power.
Besides that, Wordfence will also automatically scan your site for problems once per day and notify you via email if it finds any.
Optimize the Firewall
Besides the site scan, Wordfence comes with a firewall that keeps threats at bay. You can find it under Wordfence > Firewall.
Its purpose is to filter attacks before they reach your site. In the premium version, the firewall rules are updated in real time, while in the free version they are refreshed every 30 days.
In the beginning Wodfence recommends to keep the firewall in learning mode, which is enabled by default. That way, it can better understand how your site works and who is supposed to be on there and who isn’t.
After a week, it will automatically switch to enabled, so there is nothing to do for you at the moment. However, you might want to click the big Optimize Wordfence Firewall button. This will allow Wordfence to add some stuff to your .htaccess file for a more efficiently running firewall.
Once that is done, the basic setup is finished and we can turn to the additional features Wordfence has to offer.
Additional Plugin Features
Here’s what else the plugin can do for you.
Advanced Firewall Settings
There’s more to the firewall than its basic functionality. For example, in the premium it comes with country blocking.
That means, if your site is receiving a lot of attacks from one particular region, you can completely block that country and even redirect traffic coming from there somewhere else.
Then there is the tab for blocked, locked out and throttled IP addresses.
Should the firewall determine someone wants to harm your site, it will automatically put their IP on this list. Of course, you can also add IPs manually. Under Advanced Blocking, there are even more options.
Here, you can exclude whole ranges of IP addresses (in case you are being pestered by a network of sites), host names, user agents and referrers. Next, Brute Force Protection contains all options to protect your site from this type of nefarious attack.
Aside from that, you have the option to force admins to use strong passwords, determine the number of allowed login and forgot password attempts before locking out an IP, set the time interval in which attempts can occur and other options to keep your site’s login page safe. Finally, under Rate Limiting you have may limit crawler activity on your site.
In the Live Traffic panel you see all traffic coming to your site including from non-human visitors like crawlers, scripts and RSS readers.
The view shows warnings for suspicious activity and can be filtered in many different ways: by registered users, attempts to access unavailable pages, the login page and much more granular. This enables you to pick up on DDOS attacks or unusual amounts of traffic from one IP address. In addition to that, Wordfence lets you run a WHOIS on any of the addresses for more information.
Wordfence also offers a number of tools in the section of the same name. The first one is a password audit, which is only available for premium users.
Through it, the plugin will check the quality of the passwords on your site. In contrast to WordPress’ own feature that helps users come up with strong passwords, this involves simulating an actual hacking attempt on the passcodes on your site. Afterwards, WordFence will tell you which ones need improving.
The second tool is the aforementioned WHOIS lookup. With it, you figure out where the IP addresses and domains trying to access your site are located. If you choose this option in the Live Traffic panel, you will also be redirected here.
Third on the list is another premium option called Cellphone Sign-in. Once enabled, it adds two-factor authentication to your site for the users or user level you choose.
Finally, the tool section has the Diagnostics tab, which contains a lot of different information about your server system, WordPress setup, database and more.
Wordfence offers a long long list of setting. In the Options panel you can enable and disable almost any feature and exert full control over how everything works. The section also contains all the settings you can control elsewhere in one convenient place.
I have already mentioned the premium version several times. If you choose to go for it, it will cost you $99/year for one API. The price gets more affordable with additional APIs and years added to the license.
Besides the features already mentioned above, there are a few more things premium users get:
- Remote scan — The ability to scan the public side of your site for signs of compromise with an external tool.
- Checking site against spam lists — Checks links on your site for blacklisted sites on the Spamvertized and Google Safe Browsing list and whether your IP address is known to generate spam.
- Premium support — Free support is always available through the WordPress support forums. With the premium version you can get in contact with Wordfence directly and get help from their experts.
Wordfence – User Friendliness
With such an extensive feature list, it only leaves the question of how easy to use the plugin is. The answer is a bit of a mixed package.
First of all, WordPress security or web security in general are complex topics by themselves. You need some level of knowledge about how hackers access websites, what brute force attacks are, etc. in order to really understand what the plugin is doing.
The makers of Wordfence do a good job to give you as much help as possible. The plugin contains a lot of helpful blurbs (along with many suggestions to update to premium) and links to resources that explain features in detail.
So, with a bit of reading and self-directed education, most users should be able to figure things out. However, make no mistakes there is quite a bit to go through.
The biggest issue I ran into, however, was getting the scan to work to actually test it. As it turns out Wordfence doesn’t work at all in my local test environment. On the web server I was using later, the scan kept timing out and never completed.
I had to experiment a lot with execution times and memory limits to get it to run properly. Of course, this might also be due to my server environment. However, Wordfence’s hunger for resources is a common complaint and I doubt a less experienced user would have an easy time figuring this out.
So, if there was any way to make this easier, it would be great to implement it. Aside from that, however, Wordfence mostly deserves its reputation.
Wordfence Review – The Long and Short of It
Wordfence is by far the most popular WordPress security plugin and deservedly so. Even the free version offers loads of features to keep WordPress sites safe and off spam lists. From an extensive security audit over a full-featured firewall to heaps of additional options, the plugin will do its best to keep hackers and other shady individuals at bay.
From a user point of view, you can learn where threats to your site originate and have plenty of options to make the plugin work according to their needs.
Of course, that doesn’t deny that security is a complex topic. Even if Wordfence is very much “set it and forget it”, to get the most out of the plugin, users will have to do a bit of work.
So, is it truly the best WordPress security plugin? Well, users definitely seem to think so and there is little in this review that would contradict them.
However, what do you say? If you have used Wordfence before, we’d love to get your input on your experience and also what could be improved. Let us know in the comment section below!