The enormous popularity of WordPress makes it a valuable target for automated attacks. For someone who wants to profit, for example by stealing data, building a botnet or placing spam links, it pays to write a bot that crawls the Internet and exploits the same bugs in millions of websites. Once written, the program breaks into site after site automatically and does whatever it was created for, earning money for its author, unless we fix the bug or protect ourselves in some other way and deny the malware free access to the site.
The statistically high number of attacks on WordPress is not due to poor code quality but to a combination of popularity, an often amateurish approach to administration, add-ons of varying quality and poor hosting. That does not mean WordPress is insecure. Security updates are published on an ongoing basis, are installed automatically and are backported even to older versions of the system. Hosting companies are increasingly willing to offer dedicated software that filters out unwanted requests, and there are plugins that add extra security to the CMS.
More than two million active installations: that is the figure Wordfence Security can boast, and for many people it is the first line of defence for WordPress. It is also among the first results in the plugin repository for "firewall", "security" and "antivirus". No wonder: its usefulness, even in the free version, is very high.
Wordfence Security offers, among other things:
The latest version of this popular plugin has been completely redesigned. True, many experienced users are frustrated with the change because it reorganised all the settings. From my point of view, however, it is a very good move. The specialised functions now have their own screens: Firewall, Scanner, Additional Tools and General Settings.
In the header of each subpage we see simple counters showing how much of the available protection is enabled. Note that for many of these options it is impossible to reach 100% without buying the premium version. I have the impression, though, that the plugin's authors approach security responsibly and that most of the premium options concern fine-tuning that is unavailable or automated in the free version (for example, we cannot set a scan schedule; Wordfence decides for us when to run scans). The refreshed design has gained in readability: it is more accessible, has a clear division into page sections and communicates consistently through the same colours and icons. The capped maximum width of the interface is also welcome, and users of very large monitors will appreciate it.
Although the plugin is designed so that most of its functions work immediately after installation, some have to be switched on manually.
After activating the plugin you should see a notice at the top of the admin dashboard encouraging you to configure the Web Application Firewall. The firewall is active as soon as the plugin is enabled, but by default it loads as an ordinary WordPress plugin, i.e. only after WordPress core has started. The extended configuration of this module loads the firewall through PHP's auto_prepend_file directive, before WordPress itself runs, so some attacks are filtered out before the rest of the system is even touched, which is both safer and more efficient.
If we opt for the extended configuration, the configurator guides us through the process: it detects the server software we use and offers to back up .htaccess and php.ini (or .user.ini, depending on how PHP is run) before it touches them. The changes it then makes are to the server configuration, so if we have no access to the site's file system via FTP or SFTP, or we do not know how to restore the php.ini or .htaccess files from the backup, we had better not take this step: a wrong auto_prepend_file path makes every PHP request fail, so we lose access not just to the back end but to the whole site. In that case it is worth asking an expert for help.
Fortunately, the other plugin functions can be configured without trouble through the graphical interface. Individual settings should be adjusted to our needs; still, a few defaults are worth changing, and I describe them below:
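The extended firewall works by pointing PHP's auto_prepend_file at the firewall loader, and the way it breaks a site is a directive that points at a file that no longer exists. The script below is an added example (not Wordfence code) of a pre-flight check a practitioner can run before trusting such a setup or after restoring a backup: it reads the usual configuration files, pulls out every auto_prepend_file directive and verifies that each target resolves to a readable file. The file names, the sample directives and the stub loader it creates are constructed for the demonstration.

```python
"""Pre-flight check for a WAF loaded via PHP's auto_prepend_file.
Added example, not Wordfence's own code; file names, sample content and
paths below are assumptions made for the demonstration."""
import re
from pathlib import Path

# Matches both ini syntax (php.ini, .user.ini):
#   auto_prepend_file = '/var/www/site/wordfence-waf.php'
# and mod_php syntax in .htaccess:
#   php_value auto_prepend_file '/var/www/site/wordfence-waf.php'
# Commented-out lines (leading ';' or '#') do not match because the
# directive must start the line. Paths containing spaces are not handled.
PREPEND_RE = re.compile(
    r"""^\s*(?:php_value\s+)?auto_prepend_file\s*=?\s*['"]?([^'"\s]+)['"]?""",
    re.IGNORECASE,
)

# Files that can carry the directive, in the order we inspect them.
CONFIG_FILES = (".user.ini", "php.ini", ".htaccess")


def find_prepend_directives(site_root):
    """Return [(config file name, path in the directive, target exists?)]."""
    root = Path(site_root)
    results = []
    for name in CONFIG_FILES:
        cfg = root / name
        if not cfg.is_file():
            continue
        for line in cfg.read_text().splitlines():
            m = PREPEND_RE.match(line)
            if not m:
                continue
            target = Path(m.group(1))
            if not target.is_absolute():
                target = root / target  # relative paths resolve against the site root
            results.append((name, m.group(1), target.is_file()))
    return results


def waf_loads_cleanly(site_root):
    """True only if at least one directive exists and every one resolves.

    A dangling path is the failure mode that takes the whole site down,
    because PHP fails every request before WordPress is even loaded."""
    found = find_prepend_directives(site_root)
    return bool(found) and all(ok for _, _, ok in found)


def demo():
    """Build a constructed site root with one valid and one stale directive."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    waf = root / "wordfence-waf.php"
    waf.write_text("<?php // stub standing in for the real WAF loader\n")
    (root / ".user.ini").write_text(
        "; constructed sample\n"
        f"auto_prepend_file = '{waf}'\n"
    )
    (root / ".htaccess").write_text(
        "# constructed sample left over from an old install path\n"
        "php_value auto_prepend_file '/old/path/wordfence-waf.php'\n"
    )
    return find_prepend_directives(root), waf_loads_cleanly(root)


if __name__ == "__main__":
    directives, ok = demo()
    for name, path, exists in directives:
        print(f"{name}: {path} -> {'ok' if exists else 'MISSING'}")
    print("site will load:", ok)
```

Run it against the real document root instead of the temporary one to audit a live site; a `False` result with a `MISSING` line tells you exactly which file to restore from the backup the configurator made.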
By default the scanner analyses only the files belonging to WordPress core and leaves installed plugins and themes out of the scan. Fortunately, even the free version can scan those areas too. To change the scan settings we must:
On the next scan Wordfence will analyse not only the core files but also the theme and plugin files, looking for malicious code.
Wordfence can send periodic reports or immediate alerts about events on the site. It is worth enabling the weekly reports: they give a reasonable overview of the site's status, for example by pointing out outdated plugins. To enable the reports we need to:
With this configuration, every week we will find a clear summary of the site's status in our mailbox.
Some vulnerabilities (unrestricted file upload) let an attacker drop arbitrary files into wp-content/uploads, the folder where WordPress stores uploaded media by default. An uploaded PHP file there is a web shell, so it is worth preventing any code in this folder from being executed. Wordfence does this by writing an .htaccess rule, which means the option only takes effect on servers that honour .htaccess (Apache with AllowOverride enabled); on nginx the equivalent deny rule has to go into the server configuration. To enable it, you need to:
With this change the web server refuses to execute any script from the uploads folder.
Instead of installing the popular Limit Login Attempts plugin, you can use the options built into Wordfence. The firewall can lock out an IP address after too many failed logins or too many password-reset requests, and lets you set both the number of attempts and the lockout duration. To configure the lockout it is necessary to:
In the same area you can also enable an immediate lockout when certain usernames are tried. Many scripts start by trying to log in as "admin", "administrator" or "root"; listing those names blocks the attacker before the attempt limit is reached. If your own account uses one of those names, consider changing it to something custom and harder to guess, and make sure no real user still logs in with a name you put on the list.
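To make the uploads hardening concrete, here is an added example (not the plugin's own code) that does two things a practitioner wants: it writes an Apache deny rule for PHP-like files into the uploads folder, and it audits the folder for files that would still be a problem. The rule is my own, not the exact one Wordfence writes; it also catches double extensions such as shell.php.jpg, which some Apache handler configurations will execute. The audit additionally flags .user.ini files and .htaccess files in subdirectories, because an attacker who can write to uploads can drop those to re-enable execution (for example with an auto_prepend_file line) and quietly undo the protection. The sample upload tree is constructed for the demonstration.

```python
"""Deny PHP execution in wp-content/uploads and audit the tree for leftovers.
Added example, not Wordfence code; the Apache rule is my own illustration,
and the sample files are constructed. Assumes Apache honours .htaccess here."""
import re
from pathlib import Path

# Refuse to serve any file whose name carries a PHP-like extension, whether it
# is the last extension (shell.php) or followed by another one (shell.php.jpg).
APACHE_DENY_RULE = """\
# Deny execution of PHP-like files in the uploads directory (hardening example)
<FilesMatch "(?i)\\.(php|phtml|php[3-7]|phps|phar)(\\.|$)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
"""

# Same pattern as the FilesMatch above, used by the audit.
EXEC_RE = re.compile(r"\.(php|phtml|php[3-7]|phps|phar)(\.|$)", re.IGNORECASE)


def write_deny_rule(uploads_dir):
    """Write the deny rule as uploads/.htaccess. Returns True if a change was made."""
    target = Path(uploads_dir) / ".htaccess"
    if target.is_file() and target.read_text() == APACHE_DENY_RULE:
        return False
    target.write_text(APACHE_DENY_RULE)
    return True


def risky_files(uploads_dir):
    """List files under uploads that should not be there.

    Flags: anything matching EXEC_RE; any .user.ini (PHP reads it per
    directory under CGI/FastCGI and it can set auto_prepend_file); and any
    .htaccess below the top level, which can override the rule we wrote."""
    root = Path(uploads_dir)
    found = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if EXEC_RE.search(p.name):
            found.append(rel)
        elif p.name == ".user.ini":
            found.append(rel)
        elif p.name == ".htaccess" and p.parent != root:
            found.append(rel)
    return sorted(found)


# Constructed sample upload tree: one benign image, a web shell, a
# double-extension shell and a dropped .user.ini.
SAMPLE_FILES = [
    "2024/01/photo.jpg",
    "2024/01/shell.php",
    "2024/01/shell.php.jpg",
    "2024/02/.user.ini",
    "2024/02/readme.txt",
]


def make_sample_tree(base):
    for rel in SAMPLE_FILES:
        f = Path(base) / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text("sample")
    return base


def demo():
    """Returns (first write changed?, second write changed?, risky files)."""
    import tempfile
    base = make_sample_tree(tempfile.mkdtemp())
    first = write_deny_rule(base)
    second = write_deny_rule(base)  # idempotent: nothing to change now
    return first, second, risky_files(base)


if __name__ == "__main__":
    first, second, risky = demo()
    print("rule written:", first, "| rewritten:", second)
    for rel in risky:
        print("RISKY:", rel)
```

Point `risky_files` at a real wp-content/uploads to see what a scanner would complain about; the deny rule stops the web server from running those files, but it does not remove them, so a non-empty list still means cleanup work.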
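The lockout logic described in the two paragraphs above is simple enough to show end to end. The class below is an added example, not Wordfence code: it keeps a sliding window of failed logins per source address, locks the address for a fixed period once the limit is reached, locks it immediately when one of the forbidden usernames is tried, and refuses further attempts while the lock is in force even if the password is then correct. The thresholds, the forbidden-name list and the sample login events are assumptions chosen for the demonstration.

```python
"""Per-IP login lockout in the style of Wordfence's brute-force protection.
Added example, not Wordfence code. Thresholds, forbidden usernames and the
sample events are assumptions for the demonstration."""
import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=5, window=300, lockout=900,
                 forbidden=("admin", "administrator", "root")):
        self.max_failures = max_failures   # failures inside `window` that trigger a lock
        self.window = window               # seconds; older failures are forgotten
        self.lockout = lockout             # seconds an address stays locked
        self.forbidden = {u.lower() for u in forbidden}
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> epoch seconds when the lock expires

    def is_locked(self, ip, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                  # lock expired: start with a clean slate
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def _lock(self, ip, now):
        self._locked_until[ip] = now + self.lockout
        self._failures.pop(ip, None)

    def record(self, ip, username, success, now=None):
        """Feed one login attempt; returns 'ok', 'failed' or 'locked'.

        A locked address is refused before the password is even considered,
        which is what stops a bot from continuing once it hits the limit."""
        now = time.time() if now is None else now
        if self.is_locked(ip, now):
            return "locked"
        if success:
            self._failures.pop(ip, None)
            return "ok"
        if username.lower() in self.forbidden:
            self._lock(ip, now)           # immediate lock, no counting
            return "locked"
        recent = self._failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._lock(ip, now)
            return "locked"
        return "failed"


# Constructed sample: (seconds since start, source ip, username, password correct?)
SAMPLE_EVENTS = [
    (0,    "203.0.113.7",  "editor", False),
    (10,   "203.0.113.7",  "editor", False),
    (20,   "203.0.113.7",  "editor", False),
    (30,   "203.0.113.7",  "editor", False),
    (40,   "203.0.113.7",  "editor", False),   # fifth failure -> locked for 900 s
    (50,   "203.0.113.7",  "editor", True),    # right password, still locked
    (0,    "198.51.100.9", "admin",  False),   # forbidden name -> locked at once
    (1000, "203.0.113.7",  "editor", True),    # lock expired -> allowed again
]


def run(events, guard=None):
    """Return the guard's decision for each event, in order."""
    guard = guard or LoginGuard()
    return [guard.record(ip, user, ok, now=t) for t, ip, user, ok in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"t={event[0]:>4} {event[1]:<14} {event[2]:<14} -> {verdict}")
```

The `now` parameter exists so the behaviour can be replayed deterministically from a log; in production you would leave it unset. Keying the counters on the source address is also the weakness of this approach: a botnet spreads attempts across many addresses, which is why the immediate lock on forbidden usernames and a strong password matter more than the exact attempt limit.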
Wordfence Security is a good tool for hardening WordPress and for keeping administrators informed about risks. Remember, though, that no plugin is a panacea and none will protect us from every possible attack. Even the most sophisticated security measures are useless if we log in as "admin" with the password "administrator". Hosting companies are not without fault either. Keeping many sites on one hosting account without an open_basedir restriction allows cross-infection and the spread of malware within the account, and not every company blocks this by default. In that situation protecting and cleaning one site is pointless, because malicious scripts on the neighbouring site can happily wreak havoc again.
Installing and configuring this plugin adds a basic layer of security to your website and, just as importantly, reports problems by e-mail so that you can act on them manually.
Wordfence is of course not the only solution of this type for WordPress. If you use a competing product, leave a comment below and share how it compares to Wordfence. I will be happy to read about the security techniques you use on your website.