Wordfence Security Plugin: WordPress Firewall & Anti-Malware

I've been impressed by the Wordfence Security plugin after running it on several sites for a few months. Here are some of my favorite features of this plugin:

  • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
  • Lets you see how files have changed, and optionally repair changed files.
  • Scans for out-of-date plugins, themes and WordPress versions.
  • Scans for malware.
  • Includes login security to lock out brute-force login attempts and to stop WordPress from revealing information that would compromise security.
  • Allows you to block IP addresses from logging in or even accessing the site.

Update Nov. 9, 2016: Over the last 3 years, we’ve found “all-in-one” security plugins like Wordfence and iThemes Security to be bloated (they slow down the site) and more trouble than they’re worth (false positives, etc.). Instead, we use secure managed hosting such as Flywheel and WP Engine. When clients choose not to use managed hosting, we follow some of the advice in Hardening WordPress. We also like Jetpack Protect. There's still a place for Wordfence, so this post is still valuable.

Note: This page contains affiliate links. Please see Affiliate Disclosure.

Wordfence Security Blocked IPs
Wordfence Security Scan Summary and Scan Detailed Activity

Because Wordfence locks out IP addresses that attempt brute force attacks, I no longer need the Limit Login Attempts plugin. Because Wordfence can email me about available updates to core, themes, and plugins, I no longer need to use the WP Updates Notifier plugin. However, I've recently started using WP Remote to update sites en masse, so I don't need Wordfence to notify me anyway.

Wordfence Configuration

Here's how I configure Wordfence. You should adjust these steps for your situation and preferences.

  1. Install Wordfence Security from the plugin repository and activate it.
  2. In the admin menu, click Wordfence > Options.
  3. Uncheck Enable Live Traffic View. Live Traffic View can slow down your site, so only enable it when necessary.
  4. Set Where to email alerts.
  5. Set How does Wordfence get IPs. Unless you're doing something special, select Use PHP's built in REMOTE_ADDR. If you're doing something special, choose another option.
  6. Under Alerts, select all options except Alert me when someone with administrator access signs in.
  7. Under Scans to include, select all options except Scan public facing site for vulnerabilities?, which is only available for paid members.
  8. Under Login Security Options, set Amount of time a user is locked out to 30 minutes.
  9. Click Save Changes.
  10. In the admin menu, click Wordfence > Scan. Click Start a Wordfence Scan. Address issues it finds.
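
Why the IP source in step 5 matters for lockouts and IP blocking, shown as an added example (not Wordfence's code and not part of the original post): REMOTE_ADDR is taken from the TCP connection, while forwarding headers are supplied by whoever sends the request, so they should only be read when the connection comes from a proxy you run. The function name, the `$trustedProxies` list and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration; not Wordfence's code. $trustedProxies is a hypothetical
// allow-list of reverse-proxy addresses that you control.
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Direct connection: REMOTE_ADDR comes from the TCP socket, so it is the
    // one value the client cannot set. Ignore any forwarding header.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Behind our own proxy: REMOTE_ADDR is the proxy. Walk X-Forwarded-For
    // from the right (nearest hop first) and return the first address that
    // is not one of our proxies. Entries further left are client-supplied.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed entry: stop trusting the chain
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote; // header missing or unusable: fall back to the proxy address
}

// Constructed sample requests (documentation address ranges).
$proxies = ['10.0.0.5'];
$cases = [
    'direct visitor' => ['REMOTE_ADDR' => '203.0.113.7'],
    'direct visitor, forged header' => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99'],
    'via proxy' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via proxy, forged left entry' => ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 198.51.100.23'],
];
foreach ($cases as $label => $server) {
    printf("%-32s => %s\n", $label, resolve_client_ip($server, $proxies));
}
```

If a site behind a proxy is left on REMOTE_ADDR, every visitor appears to come from the proxy's address, so a single lockout can block all traffic; if a directly reachable site reads a forwarding header, the lockout follows whatever address the request claims.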

See the Wordfence documentation for more details.

Other WordPress Security Plugins

Wordfence is great, but it doesn't do everything. I still use these security plugins:

Leave WordPress Security to the Experts. Sign Up Today!

If website security has you worriedly wringing your hands, get one of our WordPress Maintenance Plans and enjoy some peace of mind. All of our plans include security scans; our Gold and Silver plans also include malware removal. Rest easy. We’re watching your site.


26 comments on “Wordfence Security Plugin: WordPress Firewall & Anti-Malware”

  1. Thanks for this useful article. I am using Wordfence Security plugin in all of my blogs of WP. It works really great as it helps keep my sites clean and working. Fantastic plugin!

    1. I'm using WP Remote and Wordfence together on over 20 sites on various hosts, and am not having issues. WP Remote used to recommend adding their IP address as a whitelisted IP address in Wordfence > Options > Other Options, but I'm pretty sure it worked even when I didn't add that. It looks like WP Remote removed that recommendation from their site. I currently have that address whitelisted on all my sites.

  2. Thanks for a detailed post on setting WF up correctly. I found a lot of the security plugins I was using hadn't been updated in over 2 years so wanted to switch, and reduce the number of plugins being used.

    I've followed your guide and set it up accordingly. I found there wasn't a check box for turning off live Traffic reports, so that's still running.

    Great post all the same and has really helped me set it up for the best results.

    Nice one,
    Barry

    1. Barry, they moved the checkbox for Enable Live Traffic View after I wrote this post. It's now at the top of the WordFence Options page, under Basic Options. I just updated the post accordingly.

  3. Thanks a lot for your article. I've seen that if I use Tor web, Wordfence can't help me to discover who uses Tor. Have you an idea how to block Tor web users?

    Thanks in advance

  4. One of the best plugins when it comes to securing your WordPress account from hacks. Everyone who is using WordPress, give it a try.

  5. Security cannot be compromised in any sense. It's a perfect plugin from a security point of view. I would suggest everyone implement it as they should.

  6. Security is a major concern for website owners. Since WordPress is one of the most popular content management systems, it is always on the hitlist of attackers and hackers. If your website host does not care about security of your website, you should not care about the host. Cloudways secure and managed WordPress hosting not only maintains a healthy and secure server environment, but also ensures that your application level security is not breached with the integration of the WordFence plugin in the console.

  7. Yes, that is true that the plugin is very important for WordPress security. We recommend this to all of our WordPress outsourcing clients.

  8. WordFence. WordFence is one of the most popular WordPress security plugins.
    BulletProof Security.
    Sucuri Security. ...
    iThemes Security (formerly Better WP Security) ...
    Acunetix WP SecurityScan. ...
    All In One WP Security & Firewall. ...
    6Scan Security.
