Overview

According to a recent study, 73% of the most popular WordPress installations are susceptible to attacks, with many versions having several exploitable vulnerabilities. WordPress installations are hacked far too frequently these days, so making sure your blog is secure matters more than ever.

Enter Wordfence. Wordfence is a WordPress plugin that includes a firewall and anti-virus scanning, and it gets smarter as it learns from the other sites it protects. Wordfence’s parent company is Feedjit, and thanks to their wealth of experience, Wordfence is well coded and secure. Powered by their cloud scanning servers based in Seattle, they keep an up-to-date mirror copy of every WordPress core version, plugin and theme released. It has an average rating of 4.9/5 on the WordPress plugins page, with over 700 voters.


Scan

Wordfence is a small plugin that installs quickly and adds a small menu to the dashboard. The first thing Wordfence asks you to do is to “Start with a Scan”. It immediately starts scanning your files, providing a simple activity log and a list of issues, each of which you can fix or ignore. Scans run on your web server, which makes them very fast and keeps bandwidth use low. It scans core WordPress files, themes and plugins to verify the integrity of their source. This is very handy for seeing whether your plugins or your version of WordPress are out of date and have potential vulnerabilities. It continuously scans for malware and phishing URLs, monitors disk space for potential denial-of-service attacks, and supports multi-site so you’re able to scan every blog with one click. Wordfence automatically scans your site once a day.
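To make the file-verification part of the scan concrete, here is an added Python example (not Wordfence code) that hashes an installation and compares it against a manifest of known-good hashes, reporting modified, missing and unexpected files. The sample tree and the tampering applied to it are constructed inline; the file names and contents are illustrative only.

```python
"""Core-file integrity check in the spirit of Wordfence's scan (added example)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by its relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare an installation against a manifest of known-good hashes.

    Three findings matter to a scan: files whose content changed, files that
    vanished, and files present that the pristine release never shipped (an
    extra file in a core directory is worth a closer look).
    """
    actual = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in actual),
        "unexpected": sorted(k for k in actual if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Build a constructed pristine tree and a tampered copy, then scan the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = Path(tmp, "pristine"), Path(tmp, "site")
        for root in (pristine, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '6.5';\n")
            (root / "wp-load.php").write_text("<?php require 'wp-config.php';\n")
            (root / "index.php").write_text("<?php define('WP_USE_THEMES', true);\n")
        manifest = build_manifest(pristine)  # stands in for the vendor's mirror copy
        # Constructed tampering on the live copy: one edit, one deletion, one extra file.
        (site / "wp-load.php").write_text("<?php require 'wp-config.php'; // edited\n")
        (site / "index.php").unlink()
        (site / "wp-includes" / "cache-helper.php").write_text("<?php // not in release\n")
        return verify_tree(site, manifest)


if __name__ == "__main__":
    print(demo())
```

WP-CLI offers the same kind of comparison for a real installation with `wp core verify-checksums`, which checks core files against the official checksums for the installed version.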

Protection

Wordfence limits or blocks security threats such as aggressive crawlers and bots that scour the web to steal content. The firewall can also block entire malicious networks and IP addresses. It checks the strength of all user and admin passwords to improve login security, locks out brute-force login attempts, and stops WordPress from revealing compromising information.


Reporting

Wordfence has a live traffic display showing hits to a blog’s server. The reporting is sectioned into “all hits”, “humans”, “registered users”, “crawlers” and more, and even shows reverse DNS and geographic location. It notifies you about changes to WordPress files and invalid login attempts. A Whois lookup is included for details on who is accessing your site.

Paid features

A paid “premium” version offers additional options, starting from $39 per site per year; the average per-site cost goes down if you pay for more years or domains. Some of the additional features are two-factor authentication (signing in with your password and your phone), scheduled scanning (at specific times and at a higher frequency), and country blocking.

So in a nutshell…

Wordfence is the 9th most popular WordPress plugin overall, and the most popular security plugin. The features in the free version are certainly enough for most websites, and it is definitely worth adding to your site for added security and peace of mind. One of the handiest features is that it tells you which of your plugins, and which WordPress version, are out of date, since these can be hacked into easily. As fantastic as WordPress is, it can be hard to keep track of everything.

We both design and host WordPress sites, and security is a top priority for us. If you’re thinking about additional security for non-WordPress sites, take a look at our CloudFlare post.