Wordfence – Protect your WordPress website
Last year we had some issues on a server which ran a WordPress site, where the server itself kept getting hacked, but this would then allow the hackers to alter core WordPress files, add very similar named files (such as the same filename but with an ‘s’ on the end of it), and inject full blown sites. After having PHP upgraded, disabling a number of unused (by us) functions such as exec(), we started the tedious process of checking for hacked files within WordPress. The problem was the hackers had used a PHP function to set the file modified time to an old date, so I couldn’t just look at the most recently changed files. This was 2 days before Christmas too and I wasn’t impressed by the timing!
Wordfence WordPress Security Plugin
Anyhow, during this time I came across Wordfence. What a breath of fresh air! For a start, it’s free. This is always a winner, in part because I’ve paid out for things in the past and discovered they don’t work or don’t do what I need. This way I could give it a full test drive to see how well it ran, and it’s safe to say it ran well. Wordfence is a WordPress plugin that offers file scanning/comparison to the WordPress repository, throttling of site visitors when necessary (too many hits per minute), blocking after numerous attempts to log in using brute force attacks, user password security, its own firewall, and much more!
For me, the main feature at the time was the scanner. I could run a scan on the server, have it compare every core file and plugin with the originals on the WordPress server, and see if any had been changed. At first this picked up the same root file being changed daily. I would change it back, alert the host and then just wait for it to happen again! At least it gave us a chance to pinpoint what the problem was and secure the hole. On another site, one morning, I had an email from it telling me I, as admin, had logged in from Hong Kong at 2am. I promptly changed my password! I checked the logs and thankfully they hadn’t done anything, but it was a bit bizarre!
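The two problems described above (core files altered with their modification time backdated, and near-duplicate file names dropped beside real ones) are exactly what a content-hash integrity scan catches, because it never consults the mtime at all. The following is an added example of that idea, not Wordfence's own code or the WordPress.org checksum service: it builds a manifest of SHA-256 hashes from a constructed clean tree, tampers with a copy the way the post describes, and reports modified, missing, unexpected and lookalike files. The file names, contents and the "one trailing character" lookalike rule are assumptions made for the demo.

```python
import hashlib
import os
import tempfile
import time


def sha256_file(path):
    """Hash a file's contents; only the bytes matter, never the timestamp."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under a known-clean tree.
    In practice this would come from the upstream release checksums (assumed here)."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def lookalike_of(rel, manifest):
    """Return a known path that `rel` extends by exactly one character (e.g. .php -> .phps), else None."""
    for known in manifest:
        if rel != known and rel.startswith(known) and len(rel) == len(known) + 1:
            return known
    return None


def scan(root, manifest):
    """Compare a live tree against the manifest by content hash only; mtime is ignored."""
    report = {"modified": [], "missing": [], "unexpected": [], "lookalike": {}}
    seen = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel in manifest:
                if sha256_file(full) != manifest[rel]:
                    report["modified"].append(rel)
            else:
                report["unexpected"].append(rel)
                twin = lookalike_of(rel, manifest)
                if twin:
                    report["lookalike"][rel] = twin
    report["missing"] = sorted(set(manifest) - seen)
    report["modified"].sort()
    report["unexpected"].sort()
    return report


def demo():
    """Build a constructed 'clean' tree, tamper with it as the post describes, and scan it."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for core files; not real WordPress contents.
        clean = {
            "wp-load.php": b"<?php require 'wp-config.php';\n",
            "wp-includes/functions.php": b"<?php function demo_version() { return 'x'; }\n",
        }
        for rel, body in clean.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        manifest = build_manifest(root)

        # Tamper 1: alter a core file, then backdate its mtime by roughly three years.
        target = os.path.join(root, "wp-load.php")
        with open(target, "ab") as f:
            f.write(b"// constructed change\n")
        old = time.time() - 3 * 365 * 86400
        os.utime(target, (old, old))

        # Tamper 2: drop a near-duplicate name beside the real file.
        with open(os.path.join(root, "wp-load.phps"), "wb") as f:
            f.write(b"<?php // constructed extra file\n")

        return scan(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Because the comparison is hash-based, the backdated file still shows up under "modified", and the extra `.phps` file is reported both as unexpected and as a lookalike of the file it shadows; a sort-by-mtime approach would have missed the first and had nothing to say about the second.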
Other Security Features
Since we first started using Wordfence, they’ve now brought out their own firewall. It gets updated with known threats as they uncover them, often to third party plugins and themes. It also comes with its own caching system for speeding up your site. I’ve not tried it yet as my site is fairly quick usually anyway, but it’d be good to try on a slower or busier site. You can also run a password audit to check on the security of your users’ passwords, and enforce strong passwords. Finally, you can throttle your less than desirable visitors who seem to just visit 404 pages, or make multiple page requests within X minutes (so likely to try and bring your site down or hack it!).
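The throttling rule described at the end of that paragraph (too many 404s, or too many requests, from one client inside a time window) is a sliding-window count per IP. Below is an added example of that detection logic, written here for illustration and not taken from Wordfence; it runs over a handful of constructed access-log lines in Apache common log format and returns which IPs crossed which threshold. The window length and the thresholds are assumed values, and a real deployment would pick them for the site's normal traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed access-log lines; the IPs are documentation ranges and the paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2015:02:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Dec/2015:02:00:02 +0000] "GET /missing-1/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Dec/2015:02:00:03 +0000] "GET /missing-2/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Dec/2015:02:00:04 +0000] "GET /missing-3/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Dec/2015:02:00:05 +0000] "GET /missing-4/ HTTP/1.1" 404 210
198.51.100.20 - - [10/Dec/2015:02:00:10 +0000] "GET / HTTP/1.1" 200 4096
198.51.100.20 - - [10/Dec/2015:02:03:10 +0000] "GET /about/ HTTP/1.1" 200 3072
198.51.100.20 - - [10/Dec/2015:02:09:10 +0000] "GET /old-link/ HTTP/1.1" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return (ip, timestamp, status) for a common-log-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_abusers(lines, window_seconds=60, max_requests=60, max_404=3):
    """Sliding-window counter per IP: flag a client whose request count, or 404 count,
    within the last `window_seconds` exceeds the given threshold. Assumed thresholds."""
    windows = defaultdict(lambda: {"all": deque(), "404": deque()})
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        buckets = windows[ip]
        keys = ["all"] + (["404"] if status == 404 else [])
        for key in keys:
            q = buckets[key]
            q.append(ts)
            # Drop events that have fallen out of the window (log is assumed time-ordered).
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
        if len(buckets["404"]) > max_404:
            flagged.setdefault(ip, set()).add("404_burst")
        if len(buckets["all"]) > max_requests:
            flagged.setdefault(ip, set()).add("request_flood")
    return flagged


if __name__ == "__main__":
    print(find_abusers(SAMPLE_LOG.splitlines()))
```

With the defaults, only the first client is flagged, and only for the 404 burst: the second client's single 404 and three spaced-out page views look like an ordinary visitor following a stale link. Lowering `max_requests` to 4 makes the first client trip the request-count rule too, which is the knob the post's "multiple page requests within X minutes" setting corresponds to.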
It also shows live traffic and gives you the option to block IPs right on the page. Useful if you spot something looking exceptionally dodgy! Just don’t lose your day to watching your visitors.
All in all, I’m very impressed with Wordfence and it’s worked well on our busier sites. Personally I believe it’s a must use for any WordPress site especially if you’re serious about security.