Last week we talked about how and why a site gets hacked. This week, we’ll talk a little about our first-line favorite tool for preventing hacking of WordPress websites. Wordfence is a security plugin that covers login security, live traffic, malware scans, blocking, a firewall, and more. Though there are plenty of other security plugin choices out there, we especially like the fact that the basic and very serviceable version of the plugin is free, and that it has over one million downloads—handily outpacing its competitors. When a plugin is so widely used as Wordfence is, it’s less likely to be abandoned and more likely to identify security threats in their nascent form. (It also doesn’t hurt that Wordfence is based in Delaware, after recent stories about Kaspersky Labs have revealed a case of the fox guarding the henhouse.)
Setup is fairly easy. You start by optimizing the Wordfence firewall. The firewall filters out malicious requests before they reach your site, relying on a list of blacklisted users. Users of the premium version of Wordfence get a blacklist of threats as they are identified in real time; users of the basic version get a “community” blacklist that is updated every 30 days. In our experience, the free version of the plugin is quite serviceable.
Wordfence’s Firewall
The Wordfence Web Application Firewall filters out malicious requests before they reach your site. Once it is enabled, it runs before WordPress itself, so that attacks are filtered before plugins or themes can run any potentially vulnerable code. As new threats emerge, the rules are updated in real time from the Wordfence servers for Premium members. Free users receive the community version of the rules, which are updated 30 days later.
Live Traffic Visibility
Another really cool thing is that you’ll be able to see all the crawlers, RSS feed readers, hack attempts, and other bot traffic that hits your site—something you’ll never see in your Google Analytics dashboard. The feeling is akin to finally looking at your credit card statement after a month of reckless spending. Before you looked, it held bottomless possibility for badness. Now that you know, you can deal with it as needed. See the IP address of an entity that’s trying to log into your site? Block that brute force attack. You can also set a limit to failed logins. If a user tries to log in more than 20 times (for example), she is locked out.
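To make the lockout rule above concrete, here is an added example (not Wordfence's own code, and not part of the original post) that replays a small, constructed web-server log and applies the same idea: more than 20 failed logins from one address inside a short window locks that address out for a while. The log format, the class name LoginLockout, and the assumption that a POST to /wp-login.php answered with HTTP 200 is a failed login (WordPress re-renders the form on failure and redirects with 302 on success) are this example's own.

```python
"""Failed-login lockout replayed over a constructed access log.

Added example for illustration; it is not Wordfence code. Assumptions:
log lines look like "<ip> <ISO timestamp> <method> <path> <status>", and
a POST to /wp-login.php that returns 200 is a failed login while 302 is a
successful one.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%S"
LOGIN_PATH = "/wp-login.php"


def parse_ts(text):
    """Parse the timestamp format used in the constructed log."""
    return datetime.strptime(text, TS_FORMAT)


def _line(ip, ts, method, path, status):
    return f"{ip} {ts.strftime(TS_FORMAT)} {method} {path} {status}"


# Constructed sample traffic (documentation/test addresses only).
_BASE = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_LOG = []
# 22 password guesses, ten seconds apart, every one answered with 200.
SAMPLE_LOG += [_line("198.51.100.7", _BASE + timedelta(seconds=10 * i),
                     "POST", LOGIN_PATH, 200) for i in range(22)]
# A real user: three typos, then a successful login (302 redirect).
SAMPLE_LOG += [_line("203.0.113.5", _BASE + timedelta(seconds=30 * i),
                     "POST", LOGIN_PATH, 200) for i in range(3)]
SAMPLE_LOG.append(_line("203.0.113.5", _BASE + timedelta(seconds=120),
                        "POST", LOGIN_PATH, 302))
# Feed-reader noise that the rule must ignore entirely.
SAMPLE_LOG.append(_line("192.0.2.44", _BASE, "GET", "/feed/", 200))


def parse_line(line):
    ip, ts, method, path, status = line.split()
    return ip, parse_ts(ts), method, path, int(status)


class LoginLockout:
    """Sliding-window counter of failed logins per source address."""

    def __init__(self, max_failures=20, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=20)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> when the lockout expires

    def is_locked_out(self, ip, now):
        return ip in self.locked_until and now < self.locked_until[ip]

    def observe(self, ip, ts, method, path, status):
        """Feed one request; return True if it triggered a new lockout."""
        if method != "POST" or path != LOGIN_PATH:
            return False
        if self.is_locked_out(ip, ts):
            return False                    # already blocked; nothing to count
        recent = self.failures[ip]
        if status == 302:                   # success clears the failure history
            recent.clear()
            return False
        if status != 200:
            return False
        while recent and ts - recent[0] > self.window:
            recent.popleft()                # drop failures outside the window
        recent.append(ts)
        if len(recent) > self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            return True
        return False


def replay(lines, lockout=None):
    """Replay log lines in time order; return [(ip, time locked out), ...]."""
    if lockout is None:
        lockout = LoginLockout()
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e[1])
    return [(ip, ts) for ip, ts, method, path, status in events
            if lockout.observe(ip, ts, method, path, status)]


if __name__ == "__main__":
    for ip, ts in replay(SAMPLE_LOG):
        print(f"{ip} locked out at {ts.isoformat()}")
```

In the sample, the guessing address is locked out on its 21st failure and the legitimate user, who fails three times and then succeeds, is never touched; a GET to the feed is ignored because only login POSTs count. Wordfence's real lockout has more knobs (separate thresholds for forgotten-password requests, blocking of invalid usernames), but the counting logic is the same shape.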
Wordfence Scanner
While the firewall is great, our favorite part of Wordfence is its scanner feature. You can set it to perform scheduled or on-demand scans of your site for outdated themes and plugins, as well as to identify malware (gulp). It can even scan files outside of your WordPress directory!
Even if you keep your WordPress website updated, it’s easy to overlook plugins that have been abandoned. If a plugin hasn’t been updated in over a year, it can be incompatible with current versions of WordPress or contain security vulnerabilities that can threaten your whole website. Plugins are the single biggest benefit to using WordPress, allowing you to achieve all sorts of custom functionality. But they’re also the biggest downside, exposing your site to the possibility of hacking.
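The "not updated in over a year" rule is easy to apply by hand to one plugin and tedious for thirty, so here is an added example (not from the post, and not Wordfence's scanner) that audits a list of plugin records against two signals: time since the last update, and whether the plugin's "tested up to" version is behind the WordPress version the site runs. The records are constructed; their field names (slug, version, last_updated, tested) follow the public WordPress.org plugin info API as this example assumes it, and last_updated is assumed to start with a YYYY-MM-DD date. The function name audit_plugins is hypothetical.

```python
"""Flag abandoned or untested plugins from plugin-directory metadata.

Added example, not part of the post or of Wordfence. Assumptions: records
carry the fields slug, version, last_updated and tested as the public
WordPress.org plugin info API exposes them, and last_updated begins with
a YYYY-MM-DD date.
"""
import re
from datetime import date

STALE_AFTER_DAYS = 365  # the post's "over a year" rule

# Constructed sample records; the slugs are placeholders, not real plugins.
SAMPLE_PLUGINS = [
    {"slug": "example-gallery", "version": "1.3",
     "last_updated": "2021-06-02 3:10pm GMT", "tested": "5.7"},
    {"slug": "example-forms", "version": "4.2.1",
     "last_updated": "2024-02-20 9:00am GMT", "tested": "6.4"},
    {"slug": "example-seo", "version": "2.0",
     "last_updated": "2023-11-10 11:30am GMT", "tested": "6.2"},
    {"slug": "example-widgets", "version": "0.9",
     "last_updated": "2024-01-05 8:00am GMT"},          # no "tested" value
]


def parse_version(text):
    """'6.4.3' -> (6, 4, 3); '6.4-RC1' -> (6, 4). Leading digits only."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def major_minor(text):
    return parse_version(text)[:2]


def audit_plugins(records, wp_version, today=None):
    """Return {slug: {"age_days": n, "issues": [...]}} for plugins worth a look.

    Issue codes: "stale" (no update for more than STALE_AFTER_DAYS),
    "untested" (no tested-up-to value), "tested_behind" (tested-up-to is
    older than the running WordPress major.minor).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for rec in records:
        issues = []
        updated = date.fromisoformat(rec["last_updated"][:10])
        age = (today - updated).days
        if age > STALE_AFTER_DAYS:
            issues.append("stale")
        tested = rec.get("tested")
        if not tested:
            issues.append("untested")
        elif major_minor(tested) < major_minor(wp_version):
            issues.append("tested_behind")
        if issues:
            report[rec["slug"]] = {"age_days": age, "issues": issues}
    return report


if __name__ == "__main__":
    for slug, info in audit_plugins(SAMPLE_PLUGINS, "6.4.3", "2024-03-01").items():
        print(f"{slug}: {', '.join(info['issues'])} (last update {info['age_days']} days ago)")
```

Feeding it the real plugin info API responses for each installed plugin (or the output of a plugin-management tool, if it exposes the same fields) turns the post's rule of thumb into a repeatable check; a "stale" or "untested" result is a prompt to look for a maintained replacement, not proof of a vulnerability.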