I’ve been impressed by the Wordfence Security plugin after running it on several sites for a few months. Here are some of my favorite features of this plugin:
- Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
- Lets you see how files have changed, and optionally repair changed files.
- Scans for out of date plugins, themes and WordPress versions.
- Scans for malware.
- Includes login security that locks out brute-force login attempts and stops WordPress from revealing information that would help an attacker.
- Allows you to block IP addresses from logging in or even accessing the site.
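The first three features above are variations on one technique: hash every file in the install, compare against a manifest of known-good hashes, and show a diff for anything that changed. As an added example (not Wordfence's own code), the script below does that for a constructed directory tree: it builds the manifest from a clean copy (Wordfence fetches the equivalent from WordPress.org), then reports modified, missing and unexpected files in the live copy, and produces a unified diff of a modified file. All file names and contents are constructed for the demo.

```python
"""Added example: a minimal file-integrity scanner in the spirit of Wordfence's
core/theme/plugin checks. It compares a directory tree against a manifest of
known-good SHA-256 hashes (the reference hashes Wordfence pulls from
WordPress.org; here they come from a constructed "clean" copy) and reports
modified, missing and unexpected files, plus a diff of any modified file.
Illustrative code, not Wordfence's implementation."""
import difflib
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def check_integrity(root, manifest):
    """Compare the install at root against the manifest.

    Returns sorted lists: 'modified' (hash differs), 'missing' (in the manifest
    but absent on disk) and 'unexpected' (on disk but not in the manifest, which
    is where dropped files tend to show up)."""
    actual = build_manifest(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    unexpected = sorted(p for p in actual if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def file_diff(clean_root, live_root, rel):
    """Unified diff of one file between the clean reference and the live copy,
    i.e. the 'see how files have changed' view."""
    with open(os.path.join(clean_root, rel)) as a, open(os.path.join(live_root, rel)) as b:
        return "".join(difflib.unified_diff(a.readlines(), b.readlines(),
                                            fromfile="clean/" + rel, tofile="live/" + rel))


def demo():
    """Constructed scenario: a clean copy and a live copy with one edited file,
    one deleted file and one file added outside the manifest."""
    clean_files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.4';\n",
        "wp-login.php": "<?php\nrequire 'wp-load.php';\n",
        "wp-content/plugins/hello.php": "<?php\n// hello\n",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            for rel, body in clean_files.items():
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "w") as f:
                    f.write(body)
        manifest = build_manifest(clean)
        # Tamper with the live copy (constructed, benign edits).
        with open(os.path.join(live, "wp-login.php"), "a") as f:
            f.write("// injected line\n")
        os.remove(os.path.join(live, "wp-content/plugins/hello.php"))
        with open(os.path.join(live, "wp-content/uploads-cache.php"), "w") as f:
            f.write("<?php\n// not part of the manifest\n")
        result = check_integrity(live, manifest)
        result["diff"] = file_diff(clean, live, "wp-login.php")
        return result


if __name__ == "__main__":
    r = demo()
    for key in ("modified", "missing", "unexpected"):
        print(key, r[key])
    print(r["diff"])
```

The manifest is the trust anchor: if it is generated from the same server that may already be compromised, a scan proves nothing, which is why Wordfence compares against the WordPress.org copies rather than a locally cached one.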
Because Wordfence locks out IP addresses that attempt brute force attacks, I no longer need the Limit Login Attempts plugin. Because Wordfence can email me about available updates to core, themes, and plugins, I no longer need to use the WP Updates Notifier plugin. However, I’ve recently started using WP Remote to update sites en masse, so I don’t need Wordfence to notify me anyway.
Here’s how I configure Wordfence. You should adjust these steps for your situation and preferences.
- Install Wordfence Security from the plugin repository and activate it.
- In the admin menu, click Wordfence > Options.
- Uncheck Enable Live Traffic View. Live Traffic View can slow down your site, so only enable it when necessary.
- Set Where to email alerts.
- Set How does Wordfence get IPs. Unless your site sits behind a proxy or load balancer that rewrites the client address, select Use PHP's built in REMOTE_ADDR; only choose one of the header-based options if a proxy you control really sets that header.
- Under Alerts, select all options except Alert me when someone with administrator access signs in.
- Under Scans to include, select all options except Scan public facing site for vulnerabilities?, which is only available for paid members.
- Under Login Security Options, set Amount of time a user is locked out to 30 minutes.
- Click Save Changes.
- In the admin menu, click Wordfence > Scan. Click Start a Wordfence Scan. Address issues it finds.
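Two of the settings above interact: the IP source decides which address the lockout is keyed on, and the 30-minute lockout decides how long that address stays blocked. The following added example (illustrative code, not Wordfence's) shows why the REMOTE_ADDR default is the safe one. A forwarded-for header is only honoured when the TCP peer is a proxy on a constructed trusted list (`TRUSTED_PROXIES`); otherwise repeated failures are counted against the real peer address no matter what header the client sends, and the lock expires after the configured 30 minutes. `MAX_FAILURES` and the addresses are constructed values.

```python
"""Added example (not Wordfence's code): the 'How does Wordfence get IPs'
setting and the 30-minute lockout as a small lockout tracker. A client-supplied
X-Forwarded-For header is only believed when the request really came from a
trusted proxy; otherwise the TCP peer address is used as-is."""
from collections import defaultdict

# Constructed trusted-proxy list. With no proxy in front of the site this stays
# empty and REMOTE_ADDR is used unchanged (the "built in REMOTE_ADDR" option).
TRUSTED_PROXIES = {"203.0.113.10"}
MAX_FAILURES = 5                 # constructed threshold
LOCKOUT_SECONDS = 30 * 60        # the 30 minutes set in the walkthrough


def client_ip(remote_addr, forwarded_for=None, trusted_proxies=TRUSTED_PROXIES):
    """Return the address to key lockouts on.

    REMOTE_ADDR is the TCP peer and cannot be forged by the client. The
    X-Forwarded-For header can be set freely by the client, so it is only
    believed when the peer is a trusted proxy, and then the rightmost hop
    (the one that proxy appended) is taken."""
    if remote_addr in trusted_proxies and forwarded_for:
        hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
        if hops:
            return hops[-1]
    return remote_addr


class LoginLockout:
    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> unlock time

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lock has expired; clean up
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Record a failed login; returns True if this failure triggers a lockout."""
        window = [t for t in self.failures[ip] if now - t < self.lockout_seconds]
        window.append(now)
        self.failures[ip] = window
        if len(window) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


def simulate():
    """Constructed scenario showing the effect of the IP-source setting."""
    tracker = LoginLockout()
    results = {}
    # Repeated failures from a direct peer that sends a different forwarded-for
    # header on every request. The peer is not a trusted proxy, so the header is
    # ignored and all failures are counted against the real address.
    for i in range(MAX_FAILURES):
        ip = client_ip("198.51.100.7", forwarded_for=f"10.0.0.{i}")
        tracker.record_failure(ip, now=1000 + i)
    results["direct_peer_locked"] = tracker.is_locked("198.51.100.7", now=1010)
    # A request arriving through the trusted proxy: the proxy-appended hop is used.
    results["via_proxy_ip"] = client_ip("203.0.113.10", forwarded_for="198.51.100.9")
    # The lock set at t=1004 lasts exactly 30 minutes.
    results["locked_after_29m"] = tracker.is_locked("198.51.100.7", now=1004 + 29 * 60)
    results["locked_after_30m"] = tracker.is_locked("198.51.100.7", now=1004 + 30 * 60)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

If the trusted-proxy check were dropped and the header always believed, every request could present a fresh address and the lockout counter would never reach its threshold; that is the failure mode the REMOTE_ADDR default avoids on sites with no proxy.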
See the Wordfence documentation for more details.
Other WordPress security plugins
Wordfence is great, but it doesn’t do everything. I still use these security plugins:
- Semisecure Login Reimagined to encrypt login credentials for sites without SSL
- WP Security Scan to change the table prefix (when first setting up a site)
- CloudFlare to protect sites behind a reverse proxy
What WordPress security plugins do you use?