Do you want to install and set up the Wordfence Security plugin on your website?
Wordfence is a popular WordPress plugin that helps you tighten the security of your WordPress site and protect it from hacking. In this article, we will show you how to install the Wordfence Security plugin in WordPress and which settings to use.
What is Wordfence? How Does It Protect Your WordPress Website?
WordFence is a WordPress security plugin that helps you protect your website against security threats like malware, hacking, DDoS and brute force attacks.
It comes with a web application firewall (WAF), which filters all traffic to your website and blocks suspicious requests from unknown sources.
It has a malware scanner that scans all your WordPress core files, themes, plugins and folders for changes and suspicious code.
The basic WordFence plugin is free, but it comes with a premium version that gives you access to more advanced features such as country blocking, firewall rules being updated in real-time, scheduled scanning, and more.
Why Do Hackers Want to Hack My WordPress Site?
This is a good question, and there are a few reasons why:
- They want to take a good look around and steal any hidden information on the site. This can be customer details, email addresses, or login details for other sites.
- They want to take your site down and leave a nasty slogan or message on the index page to spite you.
- They want to install a virus or malware on your server so they can create spammy links, send the virus to your visitors, or use your email accounts.
Why Do You Need a WordPress Security Plugin?
WordPress is the world’s most popular content management system. It powers over 25% of all websites on the Internet. This huge number makes it a popular target for malicious attacks, hacking attempts, code injections, etc.
Most WordPress users are not security experts or developers. There are some security best practices you can follow in our WORDPRESS SECURITY GUIDE: 14 TIPS TO SECURE A WORDPRESS WEBSITE
You need a WordPress security plugin for advanced things like scanning for malware, blocking suspicious activity, or monitoring your website.
Having said that, let’s go over how to install and set up the WordFence Security plugin for maximum security.
How to Install and Set Up Wordfence Security Plugin in WordPress:
The first thing you need to do is install and activate the Wordfence Security plugin. If you are having problems installing a plugin, see our step by step guide on how to install a WordPress plugin
After activation, the plugin will add a new menu item labeled WordFence to your WordPress admin bar. Clicking on this will take you to the plugin settings dashboard.
This page shows an overview of the plugin’s settings on your WordPress website. You’ll also see security alerts and statistics for recent IP blocking, failed login attempts, blocked total attacks, etc.
WordFence settings are divided into several sections. The default settings will work for most websites, but you’ll still need to review them and change them.
Let’s start by scanning first.
Scanning Your WordPress website Using Wordfence:
Go to the Wordfence >> Scan page and then click on the ‘Wordfence Scan‘ button.
Wordfence will now start scanning your WordPress files.
The scan will look for file size changes in the official WordPress core and plugin files.
It will look inside the files to check for suspicious code, backdoors, malicious URLs and known patterns of infection.
Usually, these scans require a lot of server resources to run. WordFence does a great job of running scans as efficiently as possible. The time it takes to finish a scan will depend on how much data you have and the resources available to the server.
You can follow the progress of the scan in the yellow boxes on the Scan page. Most of this information is technical, but you don’t have to worry about the technical details.
Once the scan is done, WordFence shows you the results.
It will notify you if any suspicious code, infection, malware, or malicious file is found on your website. It will also recommend steps you can take to address those issues.
The free WordFence plugin automatically runs full scans on your WordPress site every 24 hours. The premium version of the plugin lets you set up your own scan schedule.
Setting up Wordfence Firewall:
WordFence comes with a web application firewall. This is a PHP-based application-level firewall.
The WordFence firewall provides two levels of protection. The basic level, enabled by default, runs the Wordfence firewall as a WordPress plugin.
This means the firewall loads with the rest of your WordPress plugins. This can protect you from a number of threats, but it will miss threats that are designed to trigger before WordPress themes and plugins are loaded.
The second level of protection is called enhanced protection. It allows Wordfence to run before WordPress core, plugins and themes. It provides better protection against more advanced security threats.
Here’s how you set up enhanced security.
Visit the Wordfence » Firewall page and click on the Optimize Firewall button.
WordFence will now run some tests in the background to identify your server configuration. If you know that your server configuration is different from what WordFence has chosen, you can choose a different one.
Click the Continue button.
Next, Wordfence will ask you to download your current .htaccess file as a backup. Click on the ‘Download .htaccess’ button and, after downloading the backup file, click the Continue button.
Wordfence will now update your .htaccess file, which will allow it to run before WordPress. You will be redirected to the firewall page, where you will now see your security level as ‘enhanced protection’.
You will also notice a ‘Learning Mode’ button. When you first install Wordfence, it tries to learn how you and your users interact with the website so that it does not block legitimate visitors. After one week it will automatically switch to ‘Enabled and Protected’ mode.
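A quick way to confirm the result of these steps from a shell, as an added example that is not part of the original article or of Wordfence itself. It assumes the firewall is loaded through PHP's auto_prepend_file directive in .htaccess or .user.ini and that the bootstrap file is named wordfence-waf.php; the site root and the sample .htaccess are constructed for the demo.

```shell
#!/bin/sh
# Added example. Assumption: the firewall bootstrap is loaded with PHP's
# auto_prepend_file directive and is named wordfence-waf.php.
WAF_FILE_NAME="wordfence-waf.php"

# Print the first auto_prepend_file target found in .htaccess or .user.ini.
prepend_target() {
    for f in "$1/.htaccess" "$1/.user.ini"; do
        [ -f "$f" ] || continue
        # Drop comment lines, then strip the directive name, '=' and quotes.
        grep -v '^[[:space:]]*[#;]' "$f" |
            sed -n "s/.*auto_prepend_file[[:space:]=]*['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}.*/\1/p"
    done | head -n 1
}

# Classify a site root:
#   enhanced - directive present and the bootstrap file exists
#   broken   - directive present but the file is missing; PHP treats the
#              prepend like require, so every request would fail
#   basic    - no directive, the firewall only loads as a normal plugin
waf_mode() {
    target=$(prepend_target "$1")
    case "$target" in
        */"$WAF_FILE_NAME")
            if [ -f "$target" ]; then echo enhanced; else echo broken; fi ;;
        *) echo basic ;;
    esac
}

# Constructed demo: a throwaway site root with a sample .htaccess.
demo_root=$(mktemp -d)
: > "$demo_root/$WAF_FILE_NAME"
cat > "$demo_root/.htaccess" <<EOF
# Sample firewall block (constructed, not copied from a real site)
php_value auto_prepend_file '$demo_root/$WAF_FILE_NAME'
EOF
echo "demo site root: $(waf_mode "$demo_root")"
```

The "broken" state is the reason to keep the .htaccess backup from the previous step: restoring it removes the directive if the bootstrap file is ever deleted or moved.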
Monitor Your Live Traffic with WordFence Security:
The vast majority of the traffic on any site comes from automated bots such as search engine crawlers, data mining bots, and automated spambots. It’s pretty common and nothing to be afraid of.
However, if your site is under a DDoS attack, you may notice certain IPs hitting your website. You can monitor and block these IPs in real-time using the Live Traffic tool in WordFence Security.
Although the information collected by this tool can be very helpful, acting on it by hand does not help a website owner very much. Most attack bots use different IP ranges spanning different networks around the world. Blocking IP addresses effectively is very difficult.
A botnet switches to another network as soon as you block an IP range. It’s a never-ending game that you can’t win by observing and blocking things yourself.
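The point about distributed bots can be measured in a web server access log, shown here as an added example that is not part of the original article. It assumes the combined log format (client IP in field 1, request path in field 7), IPv4 clients and /wp-login.php as the targeted page; the log lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example. Assumptions: combined access-log format, IPv4 clients,
# /wp-login.php as the page being hammered.

# Total requests to the login page.
login_hits_total() {
    awk '$7 == "/wp-login.php" { n++ } END { print n + 0 }' "$1"
}

# "count ip" lines for the login page, busiest address first.
login_hits_by_ip() {
    awk '$7 == "/wp-login.php" { c[$1]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -k1,1nr -k2,2
}

# The same hits grouped by /24 network.
login_hits_by_net() {
    awk '$7 == "/wp-login.php" {
             split($1, o, "."); c[o[1] "." o[2] "." o[3] ".0/24"]++ }
         END { for (k in c) print c[k], k }' "$1" | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges, not real traffic).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
203.0.113.5 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
192.0.2.44 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
198.51.100.23 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
203.0.113.77 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
192.0.2.10 - - [01/Jan/2024:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "bot"
198.51.100.99 - - [01/Jan/2024:10:00:08 +0000] "GET / HTTP/1.1" 200 5120 "-" "browser"
EOF

echo "login requests: $(login_hits_total "$sample_log")"
echo "per address:"; login_hits_by_ip "$sample_log"
echo "per /24:";     login_hits_by_net "$sample_log"
```

In the sample no single address sends more than two login requests, so a hand-maintained block list never catches up; the total per page is the number worth watching.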
Advanced Settings and Tools in Wordfence:
WordFence is a powerful plugin with lots of useful options.
You can visit Wordfence » Options page to review them.
Here you can selectively turn the features on and off. You can enable or disable email notifications, scans and other advanced settings.
On the WordFence » Tools page, you can perform a password audit to make sure all users of your website are using a strong password.
You can run a whois lookup for suspicious IP addresses and view diagnostics information to help debug issues with the plugin or your WordPress site.
Premium version users can set up a two-factor login to strengthen login security on their website.
Summary of WordFence Security Plugin:
The WordFence Security Plugin is a good alternative to a basic WordPress security setup. However, it is not the best WordPress security plugin.
The plugin puts a significant amount of pressure on your server. If you are in a shared hosting environment, this may affect your site performance. It also clutters your WordPress data and saves a lot of information in your database.
Overall, this plugin is good for beginners. You might also like to see Best Alternative WordPress Security Plugins Comparison.
Good one, Wordfence scanning for malware and unwanted behaviors is really powerful even for the free version. Good thing it has an option for you to exclude or include different folders and files within your WordPress site to avoid any unwanted deletion of infected files to prevent further damage.
I also am surprised with how you can set a rate limiter for specific pages especially registration pages and login pages of your site to protect you from hackers, bots and other threats.