FREE Lessons: 10 Length: 37 minutes

2.6 Install and Configure Wordfence

In this lesson, I’ll introduce you to Wordfence, the most popular WordPress security plugin. Wordfence has a lot of great features that let you scan your site for vulnerabilities and protect against some attacks.

Hello everyone, I am Reggie Dawson. Welcome to the WordPress security tips course for Tuts+. Wordfence is the most downloaded WordPress security plugin. Now before we looked at specialized plugins that do one specific thing to secure your site. Wordfence can be considered a security suite because it offers many different tools to help you protect your site. For example, we can use Wordfence to enforce strong passwords if we'd like. After installing Wordfence, we get a new menu item. If we click on Wordfence, we will be brought to the dashboard. Now at the top of the dashboard, we have any notifications. If we scroll down, we have a menu that displays the feature status of the plugin. Although many features are only available in the premium version, we can get a lot done with the free version of the plugin. The rest of the dashboard gives you widgets that display stats on any things that Wordfence has blocked. Then if we go over to the Wordfence options, we can look at a few of the settings available to us. At the top, we have an API Key which identifies your WordPress installation to the Wordfence servers. Then the first setting is for rate limiting and advanced blocking. Rate limiting lets you thwart brute force attacks by throttling or blocking any request that meets a certain threshold. Enable login security allows us to use features such as two-factor authentication, although this is reserved for the premium version of the plugin. Login security also allows us to use strong passwords. Then the next option, enable live traffic view, allows you to turn on live traffic logging. We will talk more about this in a moment. Then the following three options are all premium features that deal with spam. After that, we can enable scheduled scans, set Wordfence to automatically update, decide where to email alerts, and determine how Wordfence will get its IP address. Beneath that, we have more settings that allow us to fine tune the different parts of Wordfence.
We can configure alerts, email summaries, traffic view, scans to include, rate limiting rules, login security, dashboard notifications, and other options. Now there are a lot of settings that are useful in here, but we won't look at these since they are replicated in the various pages of Wordfence. Then in the Wordfence Scan menu, we can see the results of our last scan. We can also manually start a scan from here. This scan will alert you if you have been hacked. But in the free version, the updates to the threat signatures lag 30 days behind the premium version. In this window we have scan summary, a scan detailed activity, and then if you scroll down, you get a detailed list of all the issues with the site. Then if we click on Scheduling, we learn that Wordfence is managing our scheduled scans right now, as manual scheduling is a premium feature. Then in the options, we can control how our scans will run. This is the information that was replicated from the main options page. Then in the Firewall page, we see that it is in learning mode. In this mode, Wordfence will learn about your site to protect you better. Since we are in the free version, we only have basic protection. Then after that, we have our rules that protect us by detecting various signatures that match known exploits. The only drawback is that updates to these exploits take 30 days after they are available to the premium version. Then at the bottom of this page, we can whitelist any IPs that are safe to bypass the firewall. Then in the Brute Force Protection tab, we can enforce strong passwords and lock out users after a certain number of login failures. In the Rate Limiting tab, we can control access to our site and slow or block any requests that exceed the allocated bandwidth. For example, if a request exceeds two a minute, we can throttle or block the requests.
Then on the Blocking page, we can see IPs that have been blocked, IPs locked out from login failures, or IPs being throttled because of visiting the site too much. We can also manually enter an IP address to permanently block it. Country Blocking lets you block a specific country, but this is a premium feature. Then in Advanced Blocking, we can enter a full range of IP addresses to block. Then finally, we have what I feel is the most useful part of Wordfence, the Live Traffic monitor. This serves to monitor network traffic on your site. We can also block networks and IP addresses directly from the Live Traffic page. Then the Tools menu is mostly for premium features such as Password Audit and Cellphone Sign-in. It also has a WHOIS Lookup and the Diagnostics feature. Now this was just a basic overview of Wordfence. Make sure you check out the documentation and decide if Wordfence is for you. In the next video, we will look at the security plugin.