Tired of hackers and unwanted people? The ultimate Wordfence Tutorial
Thousands of WordPress sites are hacked every day because of poor management and poor plugins. But how can you be sure that yours isn’t going to be the next?
The fact: Security is boring and complicated.
The reality: Security is needed to keep you out of trouble.
How to secure your WordPress website is a huge topic, and it can look scary at first glance. Hackers use different ways and attack methods to break into sites, so how can you guard against all of them at the same time, without always looking over your shoulder?
In this tutorial, we will show you how to install, configure and maintain a WordPress plugin called Wordfence, which can beef up your security with little effort from you. It takes about 20 minutes to complete.
When you are done, you can relax, safe in the knowledge that your WordPress site is well protected against cruel hackers who just steal.
How are websites getting hacked?
Hackers can break into WordPress sites in a number of ways:
Guessing your WordPress admin password
One of the most obvious is guessing the password by brute force attacking the WordPress login form.
Hackers have special programs that can try to log into your site hundreds of times a minute, using different admin usernames and passwords. If they get the right combination, they can log in and gain full access to your WordPress backend.
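To see what such an attack looks like from the defender's side, the following added example (not part of the original tutorial and not Wordfence's code) counts login POSTs per IP address and minute in a web server access log. It assumes the common Apache/nginx combined log format and a threshold of 10 attempts per minute; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path protocol" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)

def login_posts_per_minute(lines):
    """Count POST requests to /wp-login.php per client IP and minute."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparsable line, or just a view of the login page
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[m["ip"]][ts.replace(second=0)] += 1
    return counts

def find_bruteforce(lines, threshold=10):
    """Return {ip: busiest-minute count} for IPs at or above the threshold."""
    peaks = {ip: max(c.values()) for ip, c in login_posts_per_minute(lines).items()}
    return {ip: n for ip, n in peaks.items() if n >= threshold}

def make_sample():
    """Constructed log lines: one noisy client and one ordinary user."""
    lines = [
        f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] '
        f'"POST /wp-login.php HTTP/1.1" 200 4521 "-" "constructed-agent"'
        for s in range(30)
    ]
    lines += [
        '198.51.100.23 - - [12/Mar/2024:10:15:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
        '198.51.100.23 - - [12/Mar/2024:10:15:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '198.51.100.23 - - [12/Mar/2024:10:16:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    ]
    return lines

if __name__ == "__main__":
    for ip, peak in find_bruteforce(make_sample()).items():
        print(f"{ip}: {peak} login POSTs in one minute")
```

On the constructed sample only 203.0.113.7 is reported; the ordinary user with a single login stays below the threshold.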
Using a security issue in your code
WordPress plugins are the most common reason for security holes, but the hole can be in the WordPress core as well, or in that awesome theme you just found for free on another website.
Using security bugs from your shared hosting provider
All shared hosting providers offer full FTP accounts, SMB access, online file managers and a number of other ways to access your web host.
These are often some of the abused methods, where hackers again can run scripts to try brute force attacking the login.
Why Wordfence protects from hackers
Wordfence is a WordPress plugin, available both free and paid, that can protect your WordPress site from hackers and brute force attempts. What’s more, if you get hacked anyway, Wordfence helps you remove the malware from your site and get back to a stable state.
Wordfence combines the following ways to keep you safe:
Web Application Firewall
The Web Application Firewall analyses all visitor traffic just before it reaches your WordPress site. While reviewing the traffic, it tries to detect hackers among the visitors and block them before they reach your site and can do any kind of damage.
The Malware Scanner regularly scans the files of your site, including WordPress itself, plugins and all themes, to see if any of them contain malware or obscure code. It also scans all posts and pages, looking for URLs and code that may have been added by cruel hackers.
The Wordfence File Repair service helps remove the malware from your site if you have been attacked. It shows you which files have been modified by the hacker, and replaces the hacked file with an original version at the click of a button.
Free or paid? Which is the best?
Wordfence is free of charge to use, but you can extend the service for $99 per year with their premium subscription.
Wordfence has a full and detailed list of the differences between the plans, and for most small websites the free plan gives all you need.
You can see the counter of the latest threats they have discovered, while on the free plan the data is 30 days delayed.
Real-time IP blacklist
You can see the counter of the latest malicious IP addresses they have discovered, while on the free plan the data is 30 days delayed.
Free users can only perform one automatic scan per day, while premium users can choose as many scans as they like, at any time they like.
Is it worth it? There is no clear answer, but it certainly increases your protection further and gives you peace of mind. The free version covers 99% of the requirements of all websites, and is certainly better than no plugin at all.
How to install Wordfence
Wordfence is crazy easy to install, and there are only a few steps to follow.
1) Log into your WordPress admin
2) Click Plugins > Add New
3) Search for Wordfence in the top-right search box and press Enter
4) Find Wordfence Security and click the button “Install now”
Wordfence is installed within a few seconds, and you now need to activate the plugin to move forward.
A popup will ask for your e-mail address, to which you will receive warnings and status updates related to your security plugin. Enter your e-mail and tick/untick the box for being part of their general mailing list.
You will now be asked if you have upgraded to Premium; on this page you can click “No thanks” and continue.
Improve your usage of Wordfence
Once Wordfence is installed and activated, go to the Options page by clicking Wordfence > All Options in the left pane.
Most settings are set correctly by default, so don’t start changing them just for the sake of fun. However, the following are worth checking.
This should be ENABLED by default, but make sure it is turned on, as it checks your site daily for hacks and malicious code.
Global Options > General Wordfence Options
Make sure the checkbox “Update Wordfence automatically when a new version is released” is checked, as this keeps your Wordfence plugin up to date so you don’t need to worry about it anymore.
Starting your first scan
Now, let’s check if you have already been hacked and just didn’t know about it yet.
Click Wordfence > Scan
Click the “START NEW SCAN” button.
Depending on how large a site you have, the scan can take from a few minutes to several hours to complete. While it’s scanning, you can see a progress bar along with a status message showing you what Wordfence is currently scanning.
When it has finished, you will get the “Scan Complete” message, and you can see which results have been found in the “Results Found” tab on your screen.
Review each result individually, and make sure to update all plugins that are outdated.
File appears to be malicious
You may get a message on a result saying the file might be malicious, which tells you that your website may already be hacked. In that case, follow the guide shown on the page: Wordfence has straightforward guidance on how to resolve this kind of trouble.
Nice job - you are now in a safe zone
Everything is now set up for Wordfence, and your WordPress site has much better security to keep the hackers away. Good work!
Wordfence will keep emailing you when it discovers any kind of issue with your site, so make sure to review these and fix them if necessary. It is worth checking the Wordfence Dashboard from time to time, as it gives an overview of your current status.
Just post your questions about Wordfence in our comments section below.