Server and application security are important factors to consider when running a website — especially a website based on WordPress. This easy to use guide will help take you through the steps of ensuring that your WordPress based blog is running as securely as possible thanks to Wordfence (and easy to use plugin that goes a long way to towards improving security on your WordPress installation).
Wordfence is a Web Application Firewall that can substantially improve the security of your WordPress site. It’s a WP plugin and can be managed entirely through your WordPress dashboard. In this tutorial, we’ll get you up and running with Wordfence.
Installing Wordfence
I’ve created a blog with absorbing content and wish to protect it from hackers.
I’ll head to my dashboard and click Plugins, then Add New.
In the search box, enter “wordfence”. Under “Wordfence Security – Firewall & Malware Scan” click “Install Now”.
The installer will spin for a few seconds as it installs.
When it’s done, click Activate.
Congrats, Wordfence is installed. You’ll be greeted with a success message. One of the options is to subscribe to their security alerts email list. I recommend subscribing, as their emails discuss current WordPress attack patterns.
Wordfence offers a premium mode. In this tutorial, we won’t be covering that option, so just click “No Thanks”. One of the nice things about Wordfence is that the product provides a lot of benefits even without paying for premium. You’ll occasionally run into things that are premium-only that maybe you wish you had, but even as a freebie, Wordfence is very beneficial.
Configuring Wordfence
On your dashboard’s left menu bar, you’ll now see a Wordfence section. Click it.
Wordfence has a few tutorial-like popups that will orient you.
At the top of the Wordfence dashboard, you’ll see this option. Click “Yes” so Wordfence can stay up to date.
Next, click on the orange tab to optimize your Wordfence wAF.
What this is actually going to do is prepend a call to a .php file before every php call WordPress makes. Click Continue.
If you’re curious, the file modified is .user.ini in your WordPress root. Here is the modification made:
You’ll notice that Wordfence says its in “Learning Mode”. The WF engine is being tuned for your site and it’s learning what typical access patterns users use. Typically you leave it in “Learning Mode” for a period of time (one week) before it moves into active mode.
Let’s look at some of the ways Wordfence is already protecting your site. Still on the Firewall page, click All Firewall Options. WordPress has put some generous defaults in place to protect you against people trying to guess passwords. Note also that WF prevents the use of passwords that have appeared in data breaches. This is a fantastic improvement. You and your admins are prevented from using passwords that are in well-known password databases.
Scrolling down, you’ll see Wordfence has put in some other protections to enforce strong passwords and prevent WordPress from leaking login data.
Under Rate Limiting, you’ll see that WF has put some defaults in place but they’re set to Unlimited. You may wish to tweak these. For example, no human should be retrieving hundreds of 404s per minute – that’s a sign someone is running a script. You could change that to 5 per minute and not risk disappointing any users while still blocking bots.
If you’ve changed anything, be sure to click “Save Changes” at the top. Now click on Scan on the left menu bar.
Wordfence Scans
Wordfence also includes a scanner that detects malware, inappropriate file permissions, etc.
Click “Start New Scan”. After running for a bit, here is the report I received:
Wordfence 2FA
Now click on Login Security in the left menu bar. You’ll receive a tutorial popup about Wordfence 2FA.
This is a great add-on for security, and it’s awesome that it’s now in the free version. Once you dismiss the popup, you’ll see that everything is ready for Wordfence 2FA:
In this case, I fired up Microsoft Authenticator on my iPhone, scanned that barcode, and my authenticator app registered it:
I’ll enter the six-digit code in Wordfence (where the 123456 is greyed out) to enable for my account, and then click Activate. WF informs me that I’m now setup.
Going back to Settings, you’ll see that you can enable 2FA on a per-user or per-role basis.
If you click Manage Users, you’re taken to the normal WordPress Users page, but there is now a “2FA Status” column.
Now when I login, after entering my username/password, there’s a second screen that requires 2FA.
Wrapping Up
There is much more you can do with Wordfence. The Tools menu, for instance, has a lot of great features that are very handy even besides their security value. I encourage you to read the Wordfence docs and see how this security tool can help keep your WordPress site safe.
Related Posts:
I also enjoy using LEBs! I have an empire of little guys for VPNs, larger guys for apps, and big guys for databases and storage. When I'm not in front a screen I'm into German Shepherd dogs, quality knives, target shooting, theology, tabletop roleplaying games, and forest hiking.
I enjoy writing technical articles here on LowEndBox to help people get more out of their systems. You can find me on LowEndTalk @raindog308
- Should You Change Your Windows RDP Port?Yes. - April 23, 2024
- DediRock: Not Just Dedicated Servers!They Have Cheap VPSes in Buffalo and Los Angeles, Too! - April 23, 2024
- You Don’t Want to Start a Hosting Company: A Parallel From History - April 22, 2024
Leave a Reply