If you’re a WordPress user, then site security should be at the top of your priority list. As the most popular CMS on the planet, it has more than its fair share of hackers, bots, and bad actors with WordPress websites in their crosshairs. You don’t want malware to creep onto your site, nor do you want uninvited guests barging in past your login screen. You can choose from many different solutions for keeping your site’s perimeter locked down, but WordFence is one of the best options out there. In this WordFence review, we want to walk you through what it can do for you so you can see if it’s the right security option for your site.
Setting Up the WordFence Security Plugin
Like most WordPress security solutions, WordFence is available as a free plugin on the WordPress.org plugin repository. You can always upgrade to the premium version for additional features and support, but the free version of WordFence is powerful and mostly what we will focus on in our review.
Install and activate it as you would any other plugin from Plugins – Add New in your WordPress dashboard. Once that step is complete, you will have a new WordFence menu item in your left-hand sidebar.
WordFence can seem a little overwhelming to new users, but they’ve actually done a great job of making it easy to get started. In the primary dashboard, you will see a lot of information. But it’s simple and easy to digest. We’re going to walk you through what it all means and get you ready for your first site scan.
How to Use WordFence
The dashboard gives you a good overview of the current state of your site at the point of the last scan you took. The top row contains boxes with current percentages of protection (based on WordFence features enabled). We want to note that you will very rarely see these at 100%. To gain 100% in any metric of protection, you will need to be a premium subscriber.
The thing to remember is that these percentages aren’t nearly as meaningful as the results of a scan in the Notifications box. Or the absolute numbers you see in the Firewall Summary box at the bottom.
With all that in mind, WordFence has very customizable settings. But we suggest that your first step is actually running a scan with its default settings. They’re strong out of the box, and the immediate results will help you get a feel for what the plugin can offer.
How to Run a Scan with WordFence
Scanning your site with WordFence is simple. Just go to WordFence – Scan (1) in your WP admin panel.
Just press the Start New Scan (2) button to have the plugin begin moving through the series of checks (3) that it makes on your site. You will notice some of them are locked for premium users. However, most are open to free installations. When it’s finished, you will have a whole list of issues that the site might have in the Results Found (4) tab. These range in priority from Low to High and use a green/yellow/red coding.
Reviewing Results of a WordFence Scan
For serious threats, such as hidden malware or unknown files, press the Delete all Deletable Files (5) button, and those will be taken care of for you.
The rest are pretty straightforward, as WordFence describes what each is and how to fix it. Upgrade a plugin or theme, update WordPress because of security vulnerabilities, and so on. You can even ignore issues if you’re aware of them, but need to hold off on handling them for one reason or another.
Advanced WordFence Security Features
The most prominent advanced feature that WordFence offers is the WAF, or Web Application Firewall. You can find this feature, unsurprisingly, under the WordFence – Firewall menu option.
This is some of the real power of WordFence, especially for free users. The WAF lets you set how much of your site’s resources can be used by crawlers and other robots and scripts around the web. This means protection from scripts that are potentially installed before you can scan (from malware) or even some sites that target WordPress servers for brute force attacks.
You can also block entire IP ranges from accessing your site. As you can see in the image above, WordFence can handle this automatically, as well. The plugin caught these IPs and blocked them on its own.
You can dig deeper and set whitelists, blacklists, services which can crawl the site, and set specific rules in place on your own to keep your site fenced in just like you need it.
Most users won’t need to fiddle with these settings. These are definitely advanced options that let you completely optimize your site. If, however, you’re in a sensitive industry or have a history of being targeted, these are incredible.
The same kinds of in-depth options and rules are available for rate limiting and all other sections of WordFence’s security. Being so customizable is a big reason it’s so popular (and effective).
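To make the firewall ideas above concrete (allowlists, blocked IP ranges, rate limiting and automatic blocking of brute-force login attempts), here is an added example; it is not WordFence's code and not part of the original review. The thresholds, the IP ranges and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy values for illustration; not Wordfence defaults.
ALLOWLIST = [ipaddress.ip_network("198.51.100.10/32")]  # trusted admin IP
BLOCKLIST = [ipaddress.ip_network("192.0.2.0/24")]      # manually blocked range
MAX_LOGIN_POSTS, WINDOW_SECONDS = 2, 60  # login POSTs allowed per IP per window
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')
# Constructed sample access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4211
203.0.113.7 - - [10/Mar/2024:10:00:15 +0000] "GET / HTTP/1.1" 200 9120
198.51.100.10 - - [10/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Mar/2024:10:00:30 +0000] "GET /about/ HTTP/1.1" 200 5100
"""

def evaluate(log_text):
    """Return (verdict per request, set of IPs blocked automatically)."""
    recent, auto_blocked, verdicts = defaultdict(deque), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess
        ip_text, ts_text, method, path = m.groups()
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # client field is not an IP address
        ts = datetime.strptime(ts_text, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if any(ip in net for net in ALLOWLIST):
            verdict = "allow"  # allowlist wins over every other rule
        elif ip_text in auto_blocked or any(ip in net for net in BLOCKLIST):
            verdict = "block"
        else:
            verdict = "allow"
            if method == "POST" and path.split("?")[0] == "/wp-login.php":
                window = recent[ip_text]
                window.append(ts)
                while ts - window[0] > WINDOW_SECONDS:
                    window.popleft()  # forget attempts outside the window
                if len(window) > MAX_LOGIN_POSTS:
                    auto_blocked.add(ip_text)  # later requests are blocked too
                    verdict = "block"
        verdicts.append((ip_text, path, verdict))
    return verdicts, auto_blocked
```

Calling `evaluate(SAMPLE_LOG)` shows the third rapid login POST from one address tripping the limit, after which that address is refused on every page, while the allowlisted address is never throttled.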
Additionally, WordFence has built-in two-factor authentication (2FA). That is incredible because 2FA is one of the top ways to keep your site safe and secure.
Under WordFence – Login Security, you can choose a user and then set them up to receive a login code via Google Authenticator, FreeOTP, Authy, and other popular 2FA apps. If you do not have 2FA already enabled on your WordPress site, installing WordFence for this alone is worth it.
WordFence premium does offer many benefits over the free version. However, typical users (bloggers, content creators, small ecommerce shops, etc.) may not have need for them. But for those who do, they’re priceless. Or, technically, $99.
For what you get, that is a drop in the bucket compared to the lost person-hours, revenue, page rank, and social capital that a security compromise can cost you.
But what do you get from WordFence premium? First of all, you get real-time updates. This means that while free users get them when the plugin is updated (which is still often), premium subscribers get them in real-time as WordFence can take care of them. As malware, non-trustworthy IPs, and other vulnerabilities are reviewed and fixed, WordFence protects your site from them. Immediately.
Additionally, WordFence monitors your site’s reputation on known databases of compromised and dangerous sites. And they also offer premium users country blocking. That service kicks in as soon as a malicious attack is discovered so that your site is covered. They boast that their response time is 1/300,000th of a second. That amount of time is pretty much unfathomably fast.
Premium Support is worth the price alone, if you ask us. When you need support because of a security issue on your WordPress site, having priority for your ticket can be a site-saver.
What Sets WordFence Apart?
WordFence is an incredibly strong choice specifically for free users because of its WAF. The plugin sends daily alerts and offers real-time monitoring, automated blocking rules, and suggestions on improved security. It helps monitor the integrity of your WordPress files and scans for malware. For the price of absolutely nada.
Many other WordPress security plugins offer similar site scanning capabilities that help clean up malware and shore up security vulnerabilities. But WordFence stands out because of its free preventative care for your site. When you add in the premium upgrade features, WordFence is top-tier at making sure that your site stays fenced in.
If your site is newer or has never had security issues before, WordFence is a solid choice to make sure that (probably) never happens. And if it does, you will have the tools to take care of it in just a few clicks.
WordFence Review Summary
Overall, we think that WordFence definitely earns the popularity it has garnered. With one of the few completely free WAFs out there, site scanning, and built-in 2FA, there’s really no reason not to have WordFence installed (unless you’re using a different security plugin or service, at which point you already have these bases covered, anyway). Premium users getting priority support for their tickets and real-time updates can be the difference in your site being compromised for an hour and compromised for a month. Review your needs, and then you can decide if the WordFence premium upgrade is worth it. And if security is a concern at all (which it should be), WordFence is a fantastic level of protection for any kind of WordPress site.
What have been your experiences with WordFence and how it protects your site?
Hi,
Thanks for sharing.
I’ve been using Wordfence for a while now on multiple websites and I’ve had a good time with it. The Wordfence firewall and real-time scanning are really good. It’s packed full of features to keep your sites secure.
Before getting this, I didn’t realise how many hackers I get daily. I’m glad I got this security plugin.
Thanks
Thank you for the informative review! I’d like to add a couple of things from my experience using Wordfence: it has a chance to add real security benefits to your site, but also to lose you lots of visitors…
The paid feature – IP blacklist – is, unfortunately, obscurity being sold as security. Apparently, the blacklist is updated and reviewed automatically without much human input. Also, to make the obscurity part complete, the IPs in the blacklist are not available, neither the reasons for them being included, as the authors themselves document on the blog https://www.wordfence.com/blog/2017/03/wordfence-ip-blacklist/ . So before paying up for this premium feature, blog owners may want to ponder the impact of blindly trusting a blacklist provider, which is amplified by ISPs NAT-ing groups of their customers through ever scarcer public IPv4s. Endpoint firewalls – as this service is being marketed – tend to address client’s endpoint (devices for browsing the internet, not servers) needs. The kind of server-side firewalls that provide real IP reputation services do exist, they’re available from several major security & firewall vendors, and those products are much more into the security territory, rather than snake-oil obscurity: you can actually see the IP filters in effect, you can also query their IP reputation databases. And of course the results also include the reasons why the IP in question was blacklisted.
Is WordFence Premium compatible with WP Network? I’m planning on setting up a network of sites and I’m not sure I’d have to buy a subscription for the network or for each site
WordFence is a very good solution in the paid version. As a free solution I prefer All In One WP Security & Firewall combined with Cloudflare.
I agree with all the other comments, it’s the first plugin I install on every WordPress site. I took over a website which was infected (source from the server) we paid for them to clean it and they were fantastic, included in the fee is an upgrade to premium for the year. They also contacted the host to get them to patch the vulnerability. Love their weekly broadcast!
I’m a huge fan of Wordfence! They host a weekly live YouTube broadcast every Tuesday all about website security called Wordfence Live. Chloe, Ram and Scott really know their stuff!
I have never seen that! Thanks for the heads-up. I will definitely be checking that out!
For me it’s the best WordPress security solution, by far!
I use WordFence on all my sites to provide brute force and 2FA for admin logins. It just works and is my go-to WP firewall plugin.