WordPress websites are attacked every day. Statistics show that more than 70% of WordPress sites are vulnerable to attack. There are several security measures and tweaks you can implement to protect your site, and installing a security plugin goes a long way towards protecting your blog. In this article we will discuss one such security plugin, Wordfence.

Wordfence is the most downloaded security plugin for WordPress websites (8,918,933 downloads at the time of writing this article). Let's look at some of its salient features:
- Offers brute-force login protection.
- Scans files inside and outside the WordPress installation for known viruses, malware, trojans and backdoors.
- Compares plugins, open source themes and WordPress core files against the WordPress.org originals.
- Prevents Double DoS attacks and scans your site for the HeartBleed vulnerability.
- Offers a firewall and checks for weak passwords.
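The file comparison feature works by hashing each installed file and comparing it with the hash of the original. The following is an added example, not Wordfence's own code: a minimal integrity scan that walks an install directory and compares every file against a manifest of known-good SHA-256 hashes, reporting files that are modified, missing, or not in the manifest at all (the kind of stray file a backdoor scan cares about). The manifest and the demo install are constructed inline so the script runs offline; a real scan would use the official checksum list for the installed WordPress version.

```python
"""Added example (not Wordfence's own code): compare an install tree against
a manifest of known-good SHA-256 hashes. All files and hashes are constructed."""
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "originals": what the files looked like when shipped.
ORIGINALS = {
    "index.php": b"<?php // original front controller\n",
    "wp-settings.php": b"<?php // original settings file\n",
    "wp-includes/functions.php": b"<?php // original helper functions\n",
}
# Known-good manifest: relative path -> SHA-256 of the original content.
MANIFEST = {path: sha256_bytes(content) for path, content in ORIGINALS.items()}


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_install(root: str, manifest: dict) -> dict:
    """Return sorted lists of ok, modified, missing and unexpected files."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                report["unexpected"].append(rel)   # not shipped with the original
            elif sha256_file(full) != manifest[rel]:
                report["modified"].append(rel)     # content differs from original
            else:
                report["ok"].append(rel)
    for rel in manifest:
        if rel not in seen:
            report["missing"].append(rel)          # shipped file has been removed
    for key in report:
        report[key].sort()
    return report


def build_demo_install() -> str:
    """Create a constructed install: one intact file, one tampered file,
    one missing file (index.php is never written) and one stray file."""
    root = tempfile.mkdtemp(prefix="wp-demo-")

    def write(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    write("wp-settings.php", ORIGINALS["wp-settings.php"])
    # Tampered core file: an extra line appended after the original content.
    write("wp-includes/functions.php",
          ORIGINALS["wp-includes/functions.php"] + b"/* appended line */\n")
    # Stray PHP file in a directory that should only hold media.
    write("wp-content/uploads/stray.php", b"<?php // not in manifest\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_install()
    for category, files in scan_install(demo_root, MANIFEST).items():
        print(f"{category:10s} {files}")
```

The report separates "modified" (a shipped file whose hash changed) from "unexpected" (a file the manifest never listed); both deserve a look, but a stray PHP file under `wp-content/uploads` is the more alarming of the two because nothing legitimate should execute from there.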
Setting Up Wordfence Security Options
After installing the Wordfence plugin, go to Dashboard >> Wordfence >> Options. You will find two types of options there: Basic Options and Advanced Options.
- Enable firewall: Make sure the box is checked, otherwise you will not get crucial functions of this plugin such as brute force protection and two factor authentication.
- Enable Login Security: Make sure the box is checked. It enables all login security options, such as locking users out after a defined number of login failures.
- Enable Live Traffic View: If you have a low cost hosting plan and do not have sufficient resources, uncheck the box, as it might affect page loading speed. I have enabled it on my site as my server has sufficient resources.
- Enable automatic scheduled scans: Disable it, as it is better to perform such actions manually. You can scan manually whenever you want.
- Update Wordfence automatically when a new version is released?: Keeping Wordfence updated is important, as it makes sure that your site is protected from the latest web threats. It is better to update manually if you often log into the dashboard.
- Where to email alerts: A very important basic option. Enter the email address you use most often. You can enter multiple email addresses separated by commas. You will get a notification when someone logs into your Dashboard.
- Security Level: The drop-down list has 5 different security levels. The recommended one is Level 2, i.e. Medium protection. This setting is automatically relabeled Custom Settings when you change the advanced login security options.
- How does Wordfence get IPs: Let Wordfence decide. Select option 1, because it is a good combination of security and compatibility.
Advanced options provide more control over the basic options.
- Alerts: Check all the options as shown in the picture below.
- Email Summary and Live Traffic View: No change.
- Scans to include: Uncheck the 3rd option, i.e. Scan theme files against repository versions for changes, because it makes no sense when you are using a commercial theme and have edited it. The same goes for plugins. Also uncheck the box that says Scan files outside your WordPress installation, because scanning files outside the WordPress installation may take a long time and can affect your website and user experience very badly. See the recommended scan settings in the picture below.
- Firewall rules: No change.
- Login Security options: These settings are crucial for WordPress site security. See the settings in the picture below and understand these options.
- Enforce strong passwords: This one is pretty self-explanatory.
- Lock out after how many failures: The number of login retries you want to offer a user. Suppose you set it to 5; then a user can make up to 5 failed login attempts, and after the 5th failure Wordfence will lock out their IP address. It is common to forget passwords, so set it to at least 4-5 so that you do not get locked out yourself. This option prevents brute force attacks.
- Lock out after how many forgot password attempts: The number of times a user can use the forgot password form. 5 is sufficient for most sites.
- Amount of time a user is locked out: How long an IP address stays locked out once Wordfence locks it out. This option can drastically reduce the number of brute force attacks.
- Immediately lock out invalid usernames: This can be a great security option. It immediately locks out the IP address of anyone trying to log in with an invalid username. Remember that it can cause inconvenience, because even a real user may mistype the username, so take care not to lock yourself out if you check this checkbox.
- Other options: No change.
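To make the interaction between these four login security settings concrete, here is an added example, not Wordfence's own code: a small model of the lockout rules, driven by the same four parameters (failure threshold, forgot-password threshold, lockout duration, and the optional immediate lockout of invalid usernames), replayed over a constructed event log from two documentation-range IP addresses. It shows the point the text makes about locking yourself out: once an IP is locked, even the correct password is rejected until the lockout expires. The class and event names are assumptions for the demo.

```python
"""Added example (not Wordfence's own code): replay login events against a
lockout policy. IPs, usernames and timestamps are constructed."""
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_login_failures: int = 5      # "Lock out after how many failures"
    max_forgot_attempts: int = 5     # "Lock out after how many forgot password attempts"
    lockout_seconds: int = 300       # "Amount of time a user is locked out"
    lock_invalid_usernames: bool = False  # "Immediately lock out invalid usernames"


@dataclass
class IpState:
    login_failures: int = 0
    forgot_attempts: int = 0
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, policy: LockoutPolicy, valid_users):
        self.policy = policy
        self.valid_users = set(valid_users)
        self.state = {}  # source IP -> IpState

    def _st(self, ip: str) -> IpState:
        return self.state.setdefault(ip, IpState())

    def _lock(self, st: IpState, now: float) -> None:
        st.locked_until = now + self.policy.lockout_seconds
        st.login_failures = 0
        st.forgot_attempts = 0

    def login(self, ip: str, username: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'denied' or 'allowed' for one login attempt."""
        st = self._st(ip)
        if st.locked_until > now:
            return "locked"               # lockout applies even to a correct password
        if username not in self.valid_users and self.policy.lock_invalid_usernames:
            self._lock(st, now)
            return "locked"
        if username in self.valid_users and password_ok:
            st.login_failures = 0         # success resets the failure counter
            return "allowed"
        st.login_failures += 1
        if st.login_failures >= self.policy.max_login_failures:
            self._lock(st, now)
            return "locked"
        return "denied"

    def forgot_password(self, ip: str, now: float) -> str:
        """Return 'locked' or 'sent' for one use of the forgot-password form."""
        st = self._st(ip)
        if st.locked_until > now:
            return "locked"
        st.forgot_attempts += 1
        if st.forgot_attempts >= self.policy.max_forgot_attempts:
            self._lock(st, now)
            return "locked"
        return "sent"


# Constructed event log: (time in seconds, source IP, username, password correct?)
EVENTS = [
    (0, "203.0.113.7", "admin_user", False),
    (1, "203.0.113.7", "admin_user", False),
    (2, "203.0.113.7", "admin_user", False),
    (3, "203.0.113.7", "admin_user", False),
    (4, "203.0.113.7", "admin_user", False),    # 5th failure -> locked until t=304
    (5, "203.0.113.7", "admin_user", True),     # right password, still locked
    (310, "203.0.113.7", "admin_user", True),   # lockout expired -> allowed
    (311, "198.51.100.2", "nosuchuser", False), # invalid username from another IP
]


def replay(events, policy: LockoutPolicy, valid_users=("admin_user",)):
    guard = LoginGuard(policy, valid_users)
    return [guard.login(ip, user, ok, t) for t, ip, user, ok in events]


if __name__ == "__main__":
    print(replay(EVENTS, LockoutPolicy()))
    print(replay(EVENTS, LockoutPolicy(lock_invalid_usernames=True)))
```

With the defaults the last event is merely "denied" (it counts as one failure for that IP); with `lock_invalid_usernames=True` the same event locks that IP on the spot, which is exactly the convenience trade-off the option description warns about.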
So these were some important Wordfence security settings. As Wordfence is a complete security package, there are some other advanced Wordfence features you might like:
Using the IP range blocking feature, you can block a range of IP addresses by entering the IP address range and the reason you are blocking it, as shown in the picture below.
Country blocking can be used when you know from which specific region attackers are targeting your WordPress website. You can block any country.
Cell Phone Sign-in (Two-factor authentication)
It works the same way as the codes banks use. Wordfence sends a unique code to your cell phone, and only you will be able to get in, as only you have the code to verify. To use this feature, go to Dashboard >> Wordfence >> Cellphone Sign-in and activate cellphone sign-in.
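What makes such a code a second factor is the combination of properties it has, not the SMS itself: it is random, short-lived, usable only once, and tolerates only a few wrong guesses. The following is an added example, not Wordfence's own implementation, showing those properties in a tiny sign-in code issuer and verifier. The delivery step is stubbed out (the code is simply returned by the issuer so the demo can run offline), timestamps are passed in explicitly so the flow is deterministic, and the class name, time-to-live and attempt limit are assumptions chosen for the demo.

```python
"""Added example (not Wordfence's own code): issue and verify a one-time
sign-in code with expiry, single use and a limit on wrong guesses."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int


class PhoneSignIn:
    def __init__(self, code_ttl: int = 120, max_attempts: int = 3, digits: int = 6):
        self.code_ttl = code_ttl          # seconds a code stays valid (assumed value)
        self.max_attempts = max_attempts  # wrong guesses before the code is discarded
        self.digits = digits
        self.pending = {}                 # username -> PendingCode

    def issue(self, username: str, now: float) -> str:
        """Generate a fresh random numeric code for a user who already passed
        the password check. Returns the code that would be sent to the phone."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self.pending[username] = PendingCode(code, now + self.code_ttl, self.max_attempts)
        return code

    def verify(self, username: str, submitted: str, now: float) -> str:
        """Return 'ok', 'no_code', 'expired', 'wrong' or 'too_many'."""
        p = self.pending.get(username)
        if p is None:
            return "no_code"              # nothing issued, or already consumed
        if now > p.expires_at:
            del self.pending[username]
            return "expired"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(p.code, submitted):
            del self.pending[username]    # single use: the code cannot be replayed
            return "ok"
        p.attempts_left -= 1
        if p.attempts_left <= 0:
            del self.pending[username]    # discard the code after too many guesses
            return "too_many"
        return "wrong"


def demo_flow() -> list:
    """Walk through issue -> wrong guess -> correct code -> replay attempt."""
    signin = PhoneSignIn()
    code = signin.issue("admin_user", now=0)
    wrong = "000000" if code != "000000" else "111111"
    return [
        signin.verify("admin_user", wrong, now=1),   # 'wrong'
        signin.verify("admin_user", code, now=2),    # 'ok'
        signin.verify("admin_user", code, now=3),    # 'no_code' (already used)
    ]


if __name__ == "__main__":
    print(demo_flow())
```

A user who loses their phone or lets a code expire simply requests a new one; an attacker who has only the password gets neither the code nor unlimited guesses at it, which is the whole value of enabling this option on the admin account.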
This was all for this article. Thanks for visiting my blog. Share it if you find it useful.