I've set up a lot of WordPress sites; in fact, every site I use personally is powered by the world's most widely used blogging platform.
When it comes to the security of my sites, I don't leave anything to chance. That's why there's really only one plugin I consider a must-have for WordPress: Wordfence.
Wordfence is more of a security suite than a plugin—it offers features that can only be matched by installing multiple plugins, and who has time for that? This powerhouse comes with more features than you'll probably ever need, including:
- WordPress Firewall: Identifies malicious traffic and blocks attackers before they can access your site. The firewall is automatically updated, so its rules will always protect you from the latest threats.
- Blocking Features: Real-time blocking (Premium version). If another Wordfence-protected site is attacked and the attack is blocked, your site will automatically be protected. Entire malicious networks can be blocked, with advanced IP and domain WHOIS used to report such networks. Aggressive crawlers, scrapers, and bots will be blocked. Users and robots that break your security rules can be throttled.
- Login Security: Enable two-factor authentication (Premium feature). Strong password enforcement for users.
- Security Scanning: Scans for Heartbleed and checks the integrity of core files, themes, and plugins.
- Monitoring Features: View all traffic in real-time, including reverse DNS and city-level geolocation. Monitor DNS for unauthorized changes. Monitor disk space.
That list barely scratches the surface. For a complete list of features, go to the official Wordfence plugin site.
The installation process will depend upon how your WordPress site is hosted. I will assume you either host your own WordPress instance or pay a third-party host. Note: If you are using the free WordPress.com site, you won't be able to install a plugin like Wordfence.
To install Wordfence, follow these steps.
- Log into your WordPress site as the administrator.
- Go to the Plugins page (you'll find the Plugins link in the left navigation) and locate and click the Add New button.
- In the Search Plugins text area, type wordfence and hit Enter on your keyboard.
- When the Wordfence plugin appears, click the Install Now button and allow the installation to complete.
- Click the associated Activate button for Wordfence, and you're ready to go.
After a successful activation, a window will pop up asking for an email address (this is where alerts are sent), so add that and click Get Alerted (Figure A). You can then either click the Start Tour button or skip the tour by clicking the Close button.
Figure A: Wordfence has been successfully installed and is ready to protect your site.
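On a self-hosted site with shell access, the installation steps above can also be scripted with WP-CLI. This is an added example, not part of the original article: it assumes WP-CLI (`wp`) is installed, and the function name `install_wordfence` and the `WP_PATH` variable are chosen here for illustration. It goes one step beyond the dashboard procedure by checking the downloaded plugin files against the checksums published by WordPress.org before activating.

```sh
#!/bin/sh
# Added example: install, verify and activate Wordfence with WP-CLI.
# Assumption: "wp" is on PATH and runs as the user that owns the WordPress files.

install_wordfence() {
    wp_path="$1"   # WordPress root directory (where wp-config.php lives)

    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found" >&2; return 2; }

    # Stop early if the path is not a working WordPress install.
    wp --path="$wp_path" core is-installed \
        || { echo "no WordPress install at $wp_path" >&2; return 3; }

    # Install only when missing, so re-running the script is harmless.
    if ! wp --path="$wp_path" plugin is-installed wordfence; then
        wp --path="$wp_path" plugin install wordfence || return 4
    fi

    # Compare the plugin files on disk with the WordPress.org checksums
    # before any of that code is allowed to run on the site.
    wp --path="$wp_path" plugin verify-checksums wordfence \
        || { echo "checksum mismatch, not activating" >&2; return 5; }

    if ! wp --path="$wp_path" plugin is-active wordfence; then
        wp --path="$wp_path" plugin activate wordfence || return 6
    fi

    # Confirm the end state instead of trusting the activate call.
    wp --path="$wp_path" plugin is-active wordfence || return 7
}

# Runs only when WP_PATH is set, e.g.  WP_PATH=/var/www/html sh install-wordfence.sh
if [ -n "${WP_PATH:-}" ]; then
    install_wordfence "$WP_PATH"
fi
```

The alert email address and the firewall mode are still set from the Wordfence pages in the dashboard, as described below.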
You should see a new menu entry in the left navigation labeled Wordfence. Click that entry to reveal the full menu (Figure B).
Figure B: The Wordfence menu of options.
Click the Scan entry and then click the Start A Wordfence Scan button. Clicking this button requests a scan; once the scan starts, it runs immediately and displays the results as each section completes (Figure C).
Figure C: A completed Wordfence scan.
With each option scanned, Wordfence will offer available options should something be amiss. The options will include a link to illustrate how to resolve any possible issue. Some of the solutions offered are limited to Premium subscribers only (check out the Wordfence price matrix).
I highly recommend you take a close look at the firewall configuration. There isn't much you can do with the free subscription, but you can enable/disable rules and add URLs to the whitelist.
When you first install Wordfence, the firewall will be placed in Learning Mode. It is important that the Wordfence firewall is left in Learning Mode at first; if you immediately switch the firewall to Enabled and Protecting, some of your plugins could be blocked (if they send data that resembles an attack).
To take advantage of Learning Mode, visit your site (you could recruit others to help with this) and do everyday tasks. Make sure to use any plugins you have enabled, and visit every page on your site as well as write and publish posts/pages/etc., change themes, alter plugin settings, write/moderate comments...anything you can think of. After you use every feature on your site, go back to the Wordfence menu, click Firewall and then select Enabled and Protecting from the Firewall Status drop-down (Figure D).
Figure D: The firewall is still in Learning Mode.
You can also configure a date to automatically switch the firewall over to enabled. Make sure the date gives you enough time to get through all the features of your site.
There's so much more
Wordfence is the plugin you need to ensure the security of your WordPress site(s). Once you have your WordPress instance exactly how you want it, install Wordfence and allow it to stand sentinel for your site. You won't regret taking the time to get up to speed with this invaluable plugin.
Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.