I’ve been impressed by the Wordfence Security plugin after running it on several sites for a few months. Here are some of my favorite features of this plugin:
- Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
- Lets you see how files have changed, and optionally repair changed files.
- Scans for out of date plugins, themes and WordPress versions.
- Scans for malware.
- Includes login security to lock out brute-force login attempts and to stop WordPress from revealing information that helps an attacker (for example, whether a username is valid).
- Allows you to block IP addresses from logging in or even accessing the site.
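The first two features above are a file-integrity check: hash every file, compare against a known-good copy, and report what changed. The following is an added example (not Wordfence's code) of that idea in Python. Wordfence compares against the WordPress.org copies of core, themes and plugins; this example has no offline copy of those, so it assumes a baseline manifest built from the install while it is known to be clean, and the directory it scans is constructed inside the script.

```python
"""Added example: a minimal file-integrity check in the style of the Wordfence
core/theme/plugin scan. The baseline here is a manifest we build ourselves from
a constructed directory (an assumption), not the WordPress.org repository."""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX separators) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_manifest(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Classify files as modified (hash differs), added (not in baseline) or missing."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny fake install, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = build_manifest(root)

        # Tamper: alter a core file, drop a new file, delete a file.
        (root / "wp-includes" / "functions.php").write_text("<?php // core\n// injected\n")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "uploads.php").write_text("<?php // not in baseline\n")
        (root / "index.php").unlink()
        return compare_to_manifest(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The check only tells you a file differs from the baseline, not whether the change is malicious; that is why a scanner pairs it with a "show the diff" view, as Wordfence does, and why the baseline must come from a source the attacker could not have written to (a repository copy, or a manifest stored off the web server).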
Update Nov. 9, 2016: Over the last 3 years, we’ve found “all-in-one” security plugins like Wordfence and iThemes Security to be bloated (they slow down the site) and more trouble than they’re worth (false positives, etc.). Instead, we use secure managed hosting such as Flywheel and WP Engine (aff. links). When clients choose not to use managed hosting, we follow some of the advice in Hardening WordPress. We also like Jetpack Protect and Force Strong Passwords. There’s still a place for Wordfence, so this post is still valuable.
Because Wordfence locks out IP addresses that attempt brute force attacks, I no longer need the Limit Login Attempts plugin. Because Wordfence can email me about available updates to core, themes, and plugins, I no longer need to use the WP Updates Notifier plugin. However, I’ve recently started using WP Remote to update sites en masse, so I don’t need Wordfence to notify me anyway.
Here’s how I configure Wordfence. You should adjust these steps for your situation and preferences.
- Install Wordfence Security from the plugin repository and activate it.
- In the admin menu, click Wordfence > Options.
- Uncheck Enable Live Traffic View. Live Traffic View can slow down your site, so only enable it when necessary.
- Set Where to email alerts.
- Set How does Wordfence get IPs. Select Use PHP's built in REMOTE_ADDR unless the site sits behind a reverse proxy or CDN (such as CloudFlare). REMOTE_ADDR is the address of the TCP connection and cannot be forged, but behind a proxy it is always the proxy's address, so lockouts and blocks would hit the proxy (and every visitor behind it) rather than the attacker; in that case choose the option that reads the header your proxy sets. Do not trust a forwarded header on a site that is not behind a proxy: anyone can send one and pick a fresh "IP" for every login attempt.
- Under Alerts, select all options except Alert me when someone with administrator access signs in.
- Under Scans to include, select all options except Scan public facing site for vulnerabilities?, which is only available for paid members.
- Under Login Security Options, set Amount of time a user is locked out to 30 minutes.
- Click Save Changes.
- In the admin menu, click Wordfence > Scan. Click Start a Wordfence Scan. Address issues it finds.
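Two of the settings in the steps above interact: the address Wordfence uses for a visitor (How does Wordfence get IPs) is also the key it counts failed logins against (Login Security Options). The following added example, written in Python and not Wordfence's own code, models that interaction. It assumes a lockout after 5 failures within a 30-minute window, a trusted-proxy range of 203.0.113.0/24 standing in for a CDN's published address list, and CGI-style variable names (REMOTE_ADDR, HTTP_X_FORWARDED_FOR); the three resolution modes and all addresses are constructed for the demonstration.

```python
"""Added example: how the 'which IP' choice decides whether login lockouts work.
The trusted proxy range, the failure threshold and the scenarios are assumptions."""
from __future__ import annotations
import ipaddress
from collections import defaultdict

# Assumed trusted reverse-proxy range (stand-in for a CDN's published list). TEST-NET-3.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def client_ip(environ: dict, mode: str) -> str:
    """Decide which address login security keys on, given a CGI-style environ.

    REMOTE_ADDR comes from the TCP connection and cannot be forged by the client.
    X-Forwarded-For is an ordinary request header; a proxy appends the address it
    saw, so the rightmost entry is the one added by the last hop and everything
    before it is client-supplied."""
    remote = environ["REMOTE_ADDR"]
    xff = environ.get("HTTP_X_FORWARDED_FOR", "")
    if mode == "remote_addr" or not xff:
        return remote
    if mode == "xff_naive":                       # trusts the header from anyone
        return xff.split(",")[0].strip()
    if mode == "xff_from_trusted_proxy":          # only when the peer is our proxy
        if any(ipaddress.ip_address(remote) in net for net in TRUSTED_PROXIES):
            return xff.split(",")[-1].strip()
        return remote
    raise ValueError(f"unknown mode {mode!r}")


class LoginLockout:
    """Per-IP failed-login counter with a fixed lockout window (default 30 minutes)."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 30 * 60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures: dict[str, int] = defaultdict(int)
        self.locked_until: dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                          # window expired: reset the counter
            del self.locked_until[ip]
            self.failures[ip] = 0
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Count a failed login; return True if the IP is (now) locked out."""
        if self.is_locked(ip, now):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_seconds
            return True
        return False


def direct_attacker(mode: str) -> tuple[int, bool]:
    """Constructed scenario: an attacker at 198.51.100.7 connects directly (no proxy)
    and sends a different fake X-Forwarded-For on each of 20 attempts.
    Returns (distinct IPs the lockout table counted, whether the attacker is locked out)."""
    guard = LoginLockout()
    for n in range(20):
        environ = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_FOR": f"10.0.0.{n}"}
        guard.record_failure(client_ip(environ, mode), now=float(n))
    return len(guard.failures), guard.is_locked("198.51.100.7", now=20.0)


def behind_proxy(mode: str) -> str:
    """Constructed scenario: a visitor at 198.51.100.7 reaches the site through the
    trusted proxy at 203.0.113.10. Returns the address the site would lock out."""
    environ = {"REMOTE_ADDR": "203.0.113.10", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
    return client_ip(environ, mode)


def lockout_expires() -> tuple[bool, bool]:
    """Locked right after the 5th failure; free again once 30 minutes have passed."""
    guard = LoginLockout()
    for n in range(5):
        guard.record_failure("198.51.100.7", now=float(n))
    return guard.is_locked("198.51.100.7", now=100.0), guard.is_locked("198.51.100.7", now=1804.0)


if __name__ == "__main__":
    for mode in ("remote_addr", "xff_naive", "xff_from_trusted_proxy"):
        print(mode, direct_attacker(mode), behind_proxy(mode))
```

Running it shows the two failure modes the setting is meant to avoid: with the header trusted blindly (`xff_naive`) the direct attacker is never locked out because every attempt counts against a different made-up address, and with plain `remote_addr` on a proxied site the address that gets locked out is the proxy's, which takes every other visitor with it. Trusting the header only when the connection comes from a known proxy handles both cases.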
See the Wordfence documentation for more details.
Other WordPress security plugins
Wordfence is great, but it doesn’t do everything. I still use these security plugins:
- Semisecure Login Reimagined to encrypt login credentials for sites without SSL
- WP Security Scan to change the table prefix (when first setting up a site)
- CloudFlare to protect sites behind a reverse proxy
What WordPress security plugins do you use?