With over two million active installations, Wordfence Security is one of the most popular security plugins for the WordPress platform. It’s designed to detect and protect your WordPress installation from unwanted intrusion as well as other security risks.
In this guide, we’ll download, install and configure Wordfence Security to protect your WordPress installation.
Download and install Wordfence Security
Sign in to your WordPress administration menu and, from the sidebar, select Plugins > Add New. Search for Wordfence Security and install it, then activate the plugin. To learn more about installing WordPress plugins, read this HostPapa knowledge base article: How to install plugins in WordPress.
Once activated, you’ll notice a new Wordfence entry in your admin sidebar. You’ll be invited to enter an email address for security notifications, which you should do. Once you’ve signed up for alerts, you can take a tour of the plugin’s features. Click Start Tour to do so.
The Wordfence dashboard
Once the tour is complete, head to Wordfence > Dashboard to review your current security status. The dashboard provides security notification, allows you to view enabled features and review a range of statistics.
Not all features are available in the free edition of the plugin. To upgrade to the paid edition of Wordfence and unlock the full suite of features, select Wordfence > Upgrade to Premium.
Scan your website for security issues
To run a security scan of your current WordPress installation, select Wordfence > Scan from the sidebar.
Wordfence scans and compares the core WordPress files installed on your site with a clean backup of the latest release, stored on Wordfence’s servers. It’s a quick and comprehensive way of uncovering changes in the files which may be security backdoors, malicious files or other exploits.
Click the Start a Wordfence Scan to get started.
Review the Scan Summary and Scan Detailed Activity panels for live updates as the scan progresses.
Once the scan has completed, you’ll be notified of the results. Check the New Issues and Ignored Issues tabs towards the bottom of the page to review the scan findings in detail.
You’ll be notified of suspicious files, changed files and known exploit found in your WordPress installation, alongside recommended actions to resolve discovered issues. Use the I have fixed this issue or Ignore this issue links to confirm your action.
The free edition of Wordfence runs a scan of your WordPress site every 24 hours. Check out its Premium edition if you’d like to configure your own scan schedules.
Configure the Wordfence firewall
The Wordfence firewall detects and filters out malicious requests to your site. It is set up to run at the beginning of WordPress’ initialization to filter any attacks before plugins or themes can run any potentially vulnerable code. The Premium edition of Wordfence includes real time rule updates, ensuring that your site is protected from newly discovered exploits at the earliest opportunity. The free edition of Wordfence also supports rule updates, with a 30-day delay.
Before the firewall can protect your site, it must be configured. At the top of your WordPress admin pages, you will see To make your site as secure as possible, take a moment to setup the Wordfence Web Application Firewall.
Click the Click here to configure button and Wordfence will quickly scan your server configuration to identify the best firewall settings for your site.
Should you disagree with the recommended configuration, you can use the dropdown menu to select an alternative setup – this option is for advanced users. Click Continue to proceed.
The firewall configuration will make changes to your WordPress folder’s .htaccess file. As a result, you’re invited to download a backup of the file, which you should do and keep in a safe place. Find out more about securing your WordPress site using the .htaccess file in the HostPapa knowledge base article: How to restrict access to your website with .htaccess and the cPanel IP Blocker.
Click Continue to proceed, then check for a status notification at the top of the page.
You’ll notice that the Firewall Status is initially set to Learning Mode. This mode allows Wordfence to learn about your site, ensuring that your normal users are not inadvertently blocked. It’s recommended that you run Learning Mode for a week before you enable the firewall via the Firewall Status dropdown menu. You can set a date and time for enabling access from the Web Application Firewall page.
Lower down the page, you can review and toggle the Wordfence Firewall Rules, used to match network activity to known attacks, configure Whitelist URLs (which will not be tested by the Firewall) and configure Advanced Settings.
Block IP addresses
Once Wordfence is set up and monitoring your website, you can head to Wordfence > Blocking to review any suspicious activity that has been detected.
Wordfence will automatically block access to suspected intruders – first as a temporary ban, then permanent. You can, of course, manually block IP addresses on a permanent basis should you wish to. At the tabs at the top, you can review blocked IPs, blocked countries (Premium edition only) and use the Advanced Blocking tab to block IP ranges, hostnames, user agents and referrers of your choosing.
View live traffic
The Live Traffic section provides real-time updates on IP addresses attempting to access your website and those that are being blocked by Wordfence. Each entry includes:
- IP Address
With tools to manually block or unblock the IP address, run a WHOIS lookup and see recent traffic from that address.
Wordfence includes additional security tools, most of which are exclusive to the Premium edition. They include password auditing, which runs an automated attempt to crack your administration password, WHOIS lookup for tracing IP address ownership, Cellphone Sign In (two-factor authentication support) and a suite of diagnostics. Access these features from the Tools menu.
For further questions, or if you need help, please open a support ticket from your HostPapa Dashboard. Follow this link to learn how.