Having a website hacked and destroyed is soul-destroying, and it is made easier when you use a convenient CMS like WordPress. Luckily, tools like Wordfence exist to make sure you aren’t defenceless against hackers.
Wordfence is a free (with paid options) WordPress plugin that can help secure your site against all types of nasty situations you would never want to get into. This article covers why you need this plugin, or at least one of the alternatives we also list.
This article only covers the free options: while the paid features are fantastic, we here at Unblogged UK try to minimise recommending paid solutions.
Wordfence offers a powerful firewall that stops malicious traffic before it even sets foot on your website. It is constantly updated with new rules, stopping all known bad traffic from getting onto your site.
The firewall is an extremely powerful preventative measure that will stop all known hackers in their tracks. Unfortunately, because it relies on previously identified malicious traffic, it will not secure your site from all hackers on its own, but that is where the other features in Wordfence come in!
Brute Force Protection
By default, WordPress has no brute force protection, which means that a hacker or bot can keep attempting to log in until they succeed. This is where the Wordfence brute force protection module comes in!
This is an extremely versatile module that can be tuned further by the extra paranoid. It locks out users who fail too many logins or use the “forgotten password” form too often, prevents WordPress from leaking your username and can (optionally) lock out a user who uses an incorrect username, which, while not ideal for some scenarios, is an extra security measure.
The brute force protection will help to stop most hackers, since they often rely on brute force attacks. You can give yourself extra security with the free Google reCAPTCHA plugin, which adds a captcha to all forms on the site, making it very expensive for hackers to even attempt to brute force your site.
Powerful Malware Scanner
There are times when all the preventative measures in the world can’t save you. Vulnerabilities in a theme or plugin you are using, and old plugins (that you could be using) being re-purposed for malware or backdoors, are difficult to avoid outright.
This is where the malware scanner comes in. Built and optimised for WordPress, the scanner will be able to pick up just about any backdoor or malware that has found its way onto your site.
Fix Broken/Hacked Files
Backdoors can be injected through any file, and Wordfence has a really simple but effective way of minimising this: it checks all files against their WordPress repository versions to see if there are any differences and, if any are found, informs you, with the option to restore the file to the repository version.
For developers, this may end up flooding you with changed files, but I still suggest keeping it on, because if even one of those files was edited by someone who wasn’t you or someone you know, then things can go south very quickly.
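The comparison this section describes, as an added example that is not Wordfence's own code: it checks a directory against a known-good manifest and reports modified, missing and unexpected files. The manifest format (relative path mapped to an MD5 hex digest), the function names and the sample tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """Hash a file in chunks so large files are never loaded whole."""
    digest = hashlib.md5()  # assumption: the manifest stores MD5 hex digests
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_to_manifest(root, manifest):
    """Return sorted (modified, missing, unexpected) paths relative to root."""
    seen, modified, unexpected = set(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel not in manifest:
                unexpected.append(rel)  # file the reference copy never shipped
            elif md5_of(full) != manifest[rel]:
                modified.append(rel)    # content differs from the reference
    missing = sorted(set(manifest) - seen)
    return sorted(modified), missing, sorted(unexpected)

def write_file(path, data, mode="wb"):
    """Helper for the constructed sample tree below."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, mode) as fh:
        fh.write(data)

def demo():
    """Constructed sample tree: one file edited, one deleted, one dropped in."""
    good = {
        "index.php": b"<?php require 'wp-blog-header.php';\n",
        "wp-login.php": b"<?php // login form\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
    }
    manifest = {rel: hashlib.md5(data).hexdigest() for rel, data in good.items()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in good.items():
            write_file(os.path.join(root, rel), data)
        write_file(os.path.join(root, "index.php"), b"// appended later\n", "ab")
        os.remove(os.path.join(root, "wp-login.php"))
        write_file(os.path.join(root, "wp-includes", "extra.php"), b"<?php\n")
        return compare_to_manifest(root, manifest)

if __name__ == "__main__":
    print(demo())
```

Files that exist on disk but not in the manifest matter as much as modified ones, since a dropped-in file never shows up as a difference in an existing file.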
To say Wordfence is the only WordPress security solution, or even the best security solution, would simply be me trying to push opinion as fact. Out of all the free security plugins I have used, my favourite has been Wordfence, but the two I will mention below are also worth a look, as they may be a better fit for your needs.
All In One WP Security & Firewall – Implements a lot of the same sort of things as Wordfence, as well as checking for vulnerabilities.
iThemes Security (formerly Better WP Security) – Adds a lot of extra security features, even more than Wordfence, such as changing the admin URL. It does have a malware scanner, but it is a bit of a pain to set up since it uses the VirusTotal API, which also means that it uses conventional antivirus scans rather than ones built from the ground up for the WordPress platform.
Wordfence’s features work together to make sure that your site is secure, making it an essential plugin for your WordPress site! It must, however, be used alongside security best practices, which include:
- Not using a generic username
- Not using an easy-to-guess password
- Keeping plugins/themes/code up to date
- Not using the same password multiple times