Security is one of the hottest topics in WordPress at the moment, and it has been for a while now. There have always been concerns with security in the WordPress world, and that’s where some of the best security plugins have come in to put people’s minds at rest.
Although there are still those who question the effectiveness of such security plugins, there are some that can do a very good job at keeping your WordPress site safe and secure in many ways. Rather than go through all this discussion in this review though, I’d suggest reading this article about understanding the WordPress security plugins ecosystem.
Moving on, one of the heavy-hitters in the world of WordPress security plugins is certainly Wordfence. With over 6 million all-time downloads this is certainly one of the most favoured and trusted plugins out there. Let’s see why.
What is Wordfence Security?
Wordfence Security is a free, enterprise-class security and performance plugin aimed at making your site up to fifty times faster and more secure. It is 100% open source and free for all to use; however, there is also a premium API key for added features and support.
By taking a look at their website’s homepage you will immediately see the positive effects that such a plugin could have. They display a map and graph showing you just a fraction of the work that Wordfence is doing to secure WordPress sites across the world.
Take a look at the video above for a quick introduction to Wordfence and what it offers, or keep reading below for a closer look at its best features and what it’s like to actually work with.
Some of its Best Features
For a complete list of all the features that the free version of Wordfence offers you can take a look at the plugin in the WordPress.org plugin repository, but below I’ll take a look at some of the main features that make this plugin so loved and so successful.
Firstly it’s good to note that Wordfence includes support for the majority of major plugins such as WooCommerce, ensuring that you won’t have to give up any of your site’s functionality for security reasons. It also incorporates real-time blocking of known attackers, automatically protecting your site from those that have been blocked on other WordPress sites using Wordfence.
It includes scans for the Heartbleed vulnerability, a firewall that blocks common security threats such as fake Googlebots, and the ability to block entire malicious networks. You’re also provided with the option of utilizing two-factor authentication, among many other options.
Wordfence even contributes to performance optimization, making use of Falcon Engine, one of the fastest (if not the fastest) caching engines available today.
The New Wordfence 6
Wordfence has now reached 6 million downloads and version 6, a release that includes a number of improvements, the main one being the introduction of IPv6 support. As IPv6 becomes more and more popular, there have been more requests for Wordfence to support it, and it’s now available, ensuring that your site is kept secure against IPv6-specific attacks.
IPv6 support extends several existing features: IP blocking now tracks and blocks IPv6 addresses, IPv6 addresses now appear in live traffic along with their geographic location down to the city level, and you’re even able to specify IPv6 addresses you want to ignore in live traffic.
Using the Wordfence Plugin
Wordfence is free to download and use from the WordPress Plugin repository, however you will need a premium API key to make use of certain additional features like Scan Scheduling and Country Blocking. Below I’ll briefly take you through the options on offer when using Wordfence, both in a free and a premium setup.
Installing the Plugin & Running Some Tests
Upon installing and activating Wordfence you are welcomed by a Wordfence tour that will take you through what Wordfence is, what it does, and the options available to you. If you’re new to the plugin I’d suggest following this tour to learn as much as you can about the plugin, but if you’re already familiar with it, you can simply end it and start working.
The first section you’re taken to is the Scan section of Wordfence. From here you can immediately scan your site to find any possible problems or warnings. Throughout each scan you’re provided with both a summary and detailed activity of said scanning so that you can keep track of what’s going on. You can find more details about how Wordfence scanning works in their documentation.
Once each scan is completed all the possible problems or warnings are listed in the New Issues tab below the scan summaries, showing you exactly which areas need fixing. You can also choose to ignore any particular issues, and these will be listed in the Ignored Issues tab.
Beneath the scan page is the Live Traffic section. This is an interesting section that provides you with a view of all your site activity in real time. You can check out who’s viewing your site, on which pages, from which country, and much more.
You’re also provided with lists of Humans, Registered Users, Crawlers and so on in order to track different types of traffic. You’re even able to view a list of pages that weren’t found, logins and logouts, the top consumers and the top 404s; all valuable data that can prove very useful.
Setting Up the Main Options
The Wordfence Options section of Wordfence is where you can set up the plugin’s main features, ranging from enabling the firewall to other options such as whitelisting IP addresses and exporting your settings.
It’s a very long list of settings to go through, however, as a word of advice, it would be a good idea to always refer to the explanations beside each setting. They indicate which options are the most vital and how certain settings should be based on your particular setup. Most options even link to their explanation in the documentation to ensure that you fully understand them before choosing what to do.
Wordfence Caching uses the Wordfence Falcon cache. This is a very fast server-side caching system that has two modes of operation: basic caching and Falcon Engine. Both modes generate the cached pages in the same way; however, they serve them up differently. As is explained in the documentation:
In basic caching mode, pages are served by WordPress and PHP which is compatible with more environments but offers only a 2 or three times performance improvement. Using “Falcon engine” mode, pages are served directly from your web server without executing any PHP at all, which is incredibly fast. We’ve seen performance improvements of 40 to 50 times. Web servers using this configuration have gone from being able to handle 20 requests per second to over 800 requests per second.
The Wordfence caching system is not a requirement when using Wordfence. You’re free to rely on a well configured web server and its performance which should be more than enough for most cases. What Falcon does is provide a very fast server cache to give your site a boost in performance, especially when under attack.
Applying the Premium Settings
As I mentioned earlier, you have the option of upgrading to a premium license by purchasing a premium API key. This will provide you with a number of additional features within Wordfence’s settings. Each of these features and their respective options are explained in detail in the Wordfence official documentation.
The first premium feature in the menu is the Password Audit. This is a valuable feature that allows you to audit your website’s passwords by simulating a password cracking attempt using Wordfence’s high performance servers. Once the audit is complete it provides you with a report showing you which passwords are vulnerable, giving you the chance to alert the users in question so that they can strengthen their passwords.
Cellphone Sign-in is the next premium setting. It uses two-factor authentication to verify you as the administrator and allow you to access your website from your cellphone. This level of security is also used in banks and militaries worldwide, proving its worth as a security feature. It’s part of the premium package for the simple reason that Wordfence are charged per SMS that is sent when a user signs in.
Country Blocking is another interesting premium feature that includes a number of settings to choose from. It stops attacks, content theft or other malicious activity that might originate from a particular geographic region. In short, Wordfence relies on a commercial IP to country database to determine which country an IP address is from. This database is installed on your WP server with the plugin so as to speed up the IP to country lookup and have minimal to no impact on your site’s performance.
Under your Wordfence Options you’re also provided with three new spam-related options. You’ll benefit from the following: An advanced comment spam filter that, in addition to the free comment filtering, also filters comments against several additional real-time lists of known spammers and infected hosts; an additional scan to ensure that your site domain name is not appearing as a link in spam emails; as well as another scan that checks with spam services if your website IP address is listed as a known source of spam email.
In addition to these features you will also have another scan option where you can scan the public facing site for vulnerabilities, as well as an option to set up Scan Scheduling.
Regular scans are a vital part of maintaining a secure WordPress site. These are what keep your site secure and keep you updated with what’s going on with your site. As part of the premium features you can choose to either let Wordfence automatically schedule your scans for you, or you can opt to schedule them yourself.
When scheduling the scans yourself you can choose any day of the week and any hour within that day. Wordfence even provides a few shortcuts to automatically set the scans for once a day, twice a day, on weekends, on odd days and weekends, or even every 6 hours.
Documentation & Support
How to use the options and settings for Wordfence is explained quite well within the plugin itself, however if you come across any issues or require some more help, you can always refer to their official documentation or the support team. The documentation is very detailed, explaining all the features in detail and providing you with a number of troubleshooting options and common errors.
If you have a premium API key you are also welcome to use the premium support forum on their website that contains a good number of FAQs that should cover any minor issues you might come across.
If you don’t have a premium API key and are using the free version of the plugin you can refer to the WordPress.org support forum instead. The replies here aren’t as quick as the premium forum, however the same can be said for the majority of (if not all) WordPress plugins out there as first priority is always given to premium support requests.
Licenses & Pricing
As I’ve already mentioned there are two versions of Wordfence: the free plugin that can be downloaded from WordPress.org, and a premium API key that can be purchased from Wordfence.com to benefit from the additional premium features.
At the moment, the pricing for the premium API key varies with the number of licenses you purchase; the more you purchase the cheaper they will become. Also, the clock on a particular license key will only start ticking once that license key has started being used on a WordPress site, so if you’re a developer you can stock up on a number of licenses for the coming months or years and save yourself a lot of money. You can find out more about the licensing and pricing options in the video above.
Conclusions & Recommendations
I’ve had Wordfence running on a new website for the past two months or so, and since then I have had no issues whatsoever. It is constantly reliable, providing me with email notices for crucial updates and errors, and blocking any and all attempts.
The features and options it offers are various and detailed, allowing you to keep your mind at ease that your WordPress site is safe, secure, and performing at the level you want it to be. The premium API key should definitely be something to consider if you plan on taking your site’s security seriously. It offers a number of features that could prove vital in improving site security as well as performance.
The documentation is great, offering you detailed explanations of each feature. This is something that’s definitely needed for a large portion of users since security features aren’t one of the more talked about or taught topics, even though that’s changing as of late.
What are your thoughts on the Wordfence Security plugin and WordPress site security in general? How have your experiences been with Wordfence or similar security plugins?