Coming across the Wordfence Security plugin is probably one of the best things that have happened to my blog.
Having been offline for almost a year, I was no longer up to date on the latest stuff like WordPress plugins, so I was glad that my friend Francisco blogged about Wordfence. If not for his post, I wouldn’t have known about the plugin, or it could’ve taken me much longer to find out about it.
For those who aren’t familiar with this plugin, Wordfence Security is an enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more stuff. Here’s a video introduction:
To give you a better idea on how extensive this plugin is, check out the complete list of features:
- Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military worldwide for the highest security authentication.
- Enforce strong passwords among your administrators, publishers and users. Improve login security.
- Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
- Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
- Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to network owner.
- See how files have changed. Optionally repair changed files that are security threats.
- Scans for signatures of over 44,000 known malware variants that are known security threats.
- Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many more.
- Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files that are security threats.
- Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
- Checks the strength of all user and admin passwords to enhance login security.
- Monitor your DNS security for unauthorized DNS changes.
- Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
- Choose whether you want to block or throttle users and robots who break your security rules.
- Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
- See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
- Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
- Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create a denial of service.
- Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
- WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
- Premium users can also block countries and schedule scans for specific times and a higher frequency.
- Our online forums are available 24/7 to answer your WordPress security questions.
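As an added illustration of the core-file integrity check listed above (example code written for this post, not Wordfence’s own code): it hashes every file under a WordPress root and compares the result with a checksum manifest in the shape of the WordPress.org core checksums API response, reporting modified, missing and unexpected files. The manifest and sample files are constructed for the demo, and skipping `wp-content` is an assumption, since that directory holds themes and plugins rather than core files.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed sample "core" files; the manifest mirrors the shape of the
# WordPress.org checksums API ({"checksums": {"relative/path": "md5hex"}})
# but its values are for these sample files, not a real WordPress release.
SAMPLE_CORE = {
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-load.php": b"<?php // bootstrap\n",
    "wp-includes/version.php": b"<?php $wp_version = '0.0-example';\n",
}
MANIFEST = {"checksums": {p: md5_of(c) for p, c in SAMPLE_CORE.items()}}


def verify_core(root: Path, manifest: dict) -> dict:
    """Compare files under root with the manifest.
    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}."""
    expected = manifest["checksums"]
    result = {"modified": [], "missing": [], "unexpected": []}
    for rel, want in expected.items():
        f = root / rel
        if not f.is_file():
            result["missing"].append(rel)
        elif md5_of(f.read_bytes()) != want:
            result["modified"].append(rel)
    for f in root.rglob("*"):
        rel = f.relative_to(root).as_posix()
        # Assumption: wp-content is not covered by the core manifest.
        if f.is_file() and rel not in expected and not rel.startswith("wp-content/"):
            result["unexpected"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def demo() -> dict:
    """Build a sample install, alter it, and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_CORE.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        # Simulate what a scan should catch: a changed core file, a
        # deleted core file, and a stray PHP file added under wp-includes.
        (root / "wp-load.php").write_bytes(b"<?php // bootstrap\n// changed\n")
        (root / "index.php").unlink()
        (root / "wp-includes/extra.php").write_bytes(b"<?php // not core\n")
        return verify_core(root, MANIFEST)
```

Against a real install you would fetch the manifest for the installed version from api.wordpress.org and point `verify_core` at the site root.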
After reading the complete set of features and trying it out on my blog, Wordfence instantly became one of my all-time favorite and recommended plugins. By installing Wordfence, I was able to get rid of some plugins that each provided a single feature already incorporated in Wordfence – Exploit Scanner, Login Lockdown, WP Ban, WP Firewall and WP Security Scan. I think it was also a blessing in disguise, because not only were those plugins redundant, but some of them hadn’t been updated for more than two years, so their code could be outdated and make them useless. Another advantage of Wordfence is that, with just one plugin doing all these functions, I can cut down on the overhead caused by installing multiple plugins and still maintain the security of my blog.
So how much is it, you ask? It’s 100% FREE! There is however a Premium version ($39/year) that gives users these extra features – Cellphone Sign-in, Remote Scans, Country Blocking, Frequent & Scheduled Scans, Premium Support and Scan Core, Theme and Plugin Files. But for most users, the free version is more than enough and provides some of the best security features and protection for any WordPress blog.
I’ve been using Wordfence for over a month now and so far I haven’t had any major issues with it. The features I like most about it are the Scanning, Live Traffic, Firewall, Login Security (enforce strong passwords, lockout login failures, lockout after specified number of forgot password attempts, lockout invalid usernames, hide valid users in login errors and prevent users registering admin username if it doesn’t exist), Alerts (critical problems, someone is locked out from login, IP address is blocked, lost password, administrator account logs in, non-admin user logs in) and other options such as Hide WordPress version, Scan comments for malware and phishing URLs and Check password strength for user accounts.
Live Traffic is a cool feature that allows you to see your website visitors in real-time. Unfortunately, I had to disable it because it’s a bit I/O intensive: it logs all traffic and queries the geographic database to figure out each visitor’s location. If you want to try it out, just enable it and see how it works, then disable it again when you’re done.
Mark Maunder, one of the co-founders of Wordfence Security (the same person who discovered the TimThumb zero-day vulnerability), was kind enough to provide me with a Premium license for this review, so I have access to the Premium features such as Frequent Scans and Cellphone Sign-ins. However, I had to disable Frequent Scans because the scan results were logged in the database and, over time, the accumulated data inflated the database size. Instead, I scheduled it to perform a scan once a week. I still haven’t decided whether I should enable Cellphone Sign-ins because I already enabled password protection on my WordPress installation.
Overall, Wordfence Security is an awesome plugin and a must-have for any WordPress-powered website. It’s easily one of the best security plugins out there for both free and premium markets. It’s also the only security plugin that can repair WordPress core files, themes and plugins on sites that have already been hacked or compromised.
Like I mentioned earlier, Wordfence Security is now one of my favorite plugins and I highly recommend it to anyone who uses WordPress. But then of course, not all users have the same resources, preferences or needs so it may or may not be the right security solution for you. The best thing to do is to try it out yourself and install it on your website. If you do, make sure the configurations are set up properly and that you only enable the features/options that you need. Because Wordfence uses quite a bit of the server resources, it’s not ideal to use on a shared hosting environment where resources are limited.
Based on user reviews that I’ve read, one thing that caused a bit of a problem was uninstalling the plugin. After uninstalling it, the database tables created by Wordfence were not removed. Users had to remove them manually, which can be a difficult task for some users. I haven’t tried uninstalling it yet, so I don’t know if this issue has already been resolved in the latest version.
You can download Wordfence Security from the official WordPress plugin repository.
So what do you guys think of Wordfence Security? Anyone else using it on their WordPress-powered websites? What feature/s do you like most and what new features would you like to see added in future updates? Please share your thoughts via the comments section below.