This post is a follow-up to Securing WordPress where I presented several methods to improve WordPress security. While most of the methods were easily implemented without specialized knowledge, others did require specialized knowledge of either WordPress or software configuration files. Fortunately, there are several WordPress plugins that will implement all of these security recommendations plus others I did not mention (e.g., limiting login attempts). In this post I will discuss the WordPress security plugin that I have been using: WordFence.
WordFence allows you to secure your WordPress website via a multitude of options. I’ll discuss the most important features below; more information on WordFence is available from the WordFence website. While simply installing WordFence and using the default options will give you added security, I recommend that you tweak the default settings slightly as I detail below.
In this section of WordFence options you set the basic parameters for how WordFence will protect your site and how you will be notified of WordFence actions:
- enable firewall (on by default)
- enable login security (on by default)
- enable live traffic view (on by default)
- enable automatic scheduled scans (on by default)
- enable automatic WordFence updates (WordFence asks after installation)
- where to email alerts (WordFence asks after installation)
The first two options, “enable firewall” and “enable login security”, represent the core security functions of WordFence and should always be enabled. In addition, “enable automatic scheduled scans” should be left on unless you are diligent about performing manual scans.
Live traffic view is useful to track and monitor access to your site on a per IP address basis. My recommendation is to leave this enabled unless there is a reason to disable it (such as insufficient server resources). Live traffic view isn’t critical to WordFence’s security functionality but it can be extremely helpful in identifying and blocking potential security threats.
By default, WordFence sends out email notifications of actions it has taken as well as warnings of potential security threats. Therefore, you should use an email address that you monitor often so you can immediately act on these emails.
WordFence can also automatically update itself when needed. Whether you enable this option is a personal preference. I’m something of a control freak, so I want to do a compatibility check of site updates and, hence, I leave this disabled. If you disable this like I do, make sure that you keep up on any updates to WordFence and install them as soon as is practical.
In the remainder of this post, I will detail the functionality of WordFence alerts, scheduled scans, firewall, login security and live traffic view features. Each of these addresses a different aspect of site security and, used together, can be very effective at keeping your site from being hacked. In general, you will want to enable all of these to provide the most comprehensive protection.
There are multiple actions that can generate an alert via WordFence:
- critical problems (on by default)
- warnings (on by default)
- IP address block (on by default)
- login lockout (on by default)
- “lost password” form used by a valid user (on by default)
- login by someone with Administrator privileges (on by default)
- login by someone without Administrator privileges
I would advise that you keep all of these enabled with the possible exception of “login by someone without Administrator privileges” (this is the default configuration after WordFence installation). The security risk posed by an illegitimate non-adminstrator user is significantly less than an administrator user. If you have a large number of non-administrator users, getting a notification whenever one logs in may generate an excessive volume of notifications.
Scans: WordPress Core, Plugin and Theme File Scanning
WordFence will by default scan the WordPress core, plugin and theme files comparing them against wordpress.org repository versions to identify if any of these files have been modified in any way. Adding malicious code to one or more of these files is one way hackers use to hijack your website and use it for their own purposes.
The webmaster with the hacked WordPress website that I mentioned in Securing WordPress had more than 10 files with malicious PHP code added in his installation (including the wp-config.php file!). If WordFence had been installed and activated, the likelihood of hackers being able to modify all these files and remain undetected would have been significantly reduced.
By default, WordFence is set to scan WordPress core and plugin files (theme file scans are off by default). I highly recommend that you keep the default settings and, if you want extra insurance, turn on the theme file scanning also. However, note that the WordFence scans are only able to compare your installed plugin and theme files to those in the wordpress.org repository. This means that most commercial plugins and themes will not be checked as the source code for these is not available in the wordpress.org repository.
Finally, I have observed a false positive for modified plugin files that was due to the installed and repository files have different EOL (end-of-line) conventions. While the files were technically different, nothing other than the EOL sequence used was modified. False positives are possible, but in my experience rare.
Scans: HeartBleed Vulnerability, Malicious Files, Backdoors, Trojans and Suspicious Code
Also part of the default WordFence scans is the ability to detect the HeartBleed vulnerability, malicious files, backdoors, trojans and suspicious code in your WordPress installation. All of these scans will alert you to potential security issues. By default, all of these are enabled and I recommend that you keep these enabled.
Scans: Out of Date Plugins, Themes and WordPress Version
One of my recommendations in Securing WordPress was to ensure that your version of WordPress and all installed plugins and themes were kept up to date. This is crucial as vulnerabilities are being constantly discovered and fixed; having old and insecure versions of WordPress, plugins or themes leaves you open to attack. The question is, though, how do you know when an updated version of WordPress or one of your installed plugins or themes is available?
Of course, you will see a notification of these in your WordPress dashboard when you login to your dashboard. But what if you rarely log onto your site? This feature of WordFence will send an email notification whenever it finds outdated versions of WordPress itself as well as any installed plugins and themes. No need to login to your dashboard!
WordFence incorporates a firewall that can block access to your site based upon several different conditions:
- immediately block fake Google crawlers (on by default)
- throttle web crawlers based on access rate, page views, 404 errors generated
- throttle visitors based on page views and 404 errors generated
- throttle based on 404 errors for vulnerable URLs
The WordFence default settings are not to throttle based on any of the above conditions. These are probably fine unless you have a high profile website that is an active target for hackers. In that situation you may want to implement some or all of the above throttling options. Using the WordFence live traffic view or a good statistics package to help with identifying access patterns for your site should help determine which options will be the most effective.
Login Security Options
Here is where WordFence provides the most value to the average WordPress admin. The large majority of attacks on your WordPress install will likely come from attempts to brute-force login using the standard WordPress login form. These options provide tools to deter these sorts of attacks and once you enable them you will likely be amazed at the number of attacks to which your site is subjected.
The available options are:
- enforce strong passwords (by default, “Force admins and publishers to use strong passwords (recommended)” is enabled)
- lock out after a specified number of login failures (I recommend setting this to 3 or less)
- lock out after a specified number of forgotten password attempts (I recommend setting this to 3 or less)
- count failures over what time period (by default, “5 minutes” is enabled)
- lock-out time period (I recommend setting this to “1 day” or greater)
- immediately lock out invalid usernames (off, by default)
- don’t reveal valid usernames in login error message (on, by default)
- prevent registering the “admin” username if it doesn’t exist (on, by default)
- prevent discovery of usernames via ?/author=N scans (on, by default)
- immediately block attempted login with specified usernames (blank, by default)
I recommend setting more strict restrictions on login failures and forgotten password attempts. In general, bona-fide users won’t submit multiple forgotten password requests and will, hopefully, not have many failed login attempts (see the IP whitelist option below to ensure you always have access, though). You should also consider a longer lock-out period than the default “5 minutes” to further discourage brute-force hackers.
The “don’t reveal valid usernames in login error message”, “prevent registering the “admin” username if it doesn’t exist” and “prevent discovery of usernames via ?/author=N scans” options should all be enabled. Each of these blocks a method hackers use to discover valid usernames on WordPress installations. Once a valid username has been determined, the hacker is 50% of the way to gaining unauthorized entry!
As a corollary to the above, the “enforce strong passwords” should be enabled for at least users with administrator or publisher privileges. Even better would be to force strong passwords for all users, but that may generate some pushback from users especially if you require registration in order to submit comments.
Finally, if you implemented my advice to avoid using “admin” as a username, you will likely want to add that to the list of “immediately block attempted login with specified usernames”. Brute force attacks on WordPress sites invariably try to login with the “admin” username first and you might as well shut these down from the get-go.
“Whitelisted IP addresses that bypass all rules” should contain an IP address that you can use should you be locked out by inadvertently tripping any of the other security rules. Be aware, though, that many internet access providers will occasionally change your IP address. If you set an IP address which then subsequently changes, you could still end up locked out! If you set an IP address here, make sure to monitor your public facing IP address and make appropriate changes to WordFence should it change (if you Google “ip address” the results will include your public IP address as well as links to other websites you can use in determining it if you wish).
“Immediately block IP’s that access these URLs” would be useful if you have renamed the wp-login.php and/or wp-admin.php files (I’m not a fan of doing this, but if you insist you can Google for instructions). Otherwise, I’m not sure this is very useful; but, read my comments under Live Traffic View concerning access to your site that generates 404 errors. You may want to add some of these URLs to this list.
“Hide WordPress version” provides some security through obscurity by not advertising what WordPress version you are using. That said, be aware that there are several other methods of determining which version of WordPress you are running so this is of debatable utility. It doesn’t hurt, though.
“Participate in Real-Time WordPress Security Network” allows WordFence to “crowd-source” the IP addresses that hackers are utilizing. If one WordPress site running WordFence is attacked from a given IP all other WordFence installations will be informed of the IP address and be able to block it with very little resource utilization. This is a huge advantage in the fight against hackers and should be left on at all times.
WordFence also includes a caching function to decrease the time required for the web server to create a given page on your site. By default, the caching functionality is off and I have honestly not experimented with it on any of my sites. If you need or want to decrease the time needed to serve pages from your site, you might want to give this option a try. There are several other caching plugins for WordPress, but if WordFence’s caching works it would be better to utilize it than install another plugin.
Live Traffic Monitoring
Live traffic monitoring is a useful tool for gaining insight into who is accessing your website, which URLs they are accessing, the source IP address and hostname plus other information. Typically, this is information that is more usefully presented by any number of website statistics packages (e.g., Jetpack, Google Analytics and others).
That said, live traffic monitoring has great utility in helping to determine the source of attempts to breach the security of your website and easily block them. For this purpose, click on the “Pages Not Found” tab in the live traffic monitoring page. Here you will see a list of accesses to your site that generated a “404, Page Not Found” error. These can be quite interesting as they reveal some of the URLs that attackers attempt to access and leverage to breach your website security:
In this example, you can see attempts to access URLs such as /cgi-bin/php4, /cgi-bin/php.cgi, etc. (note also the broken link that lead to a 404 error at the bottom; an occasional check here can lead to broken links on your site). The majority of these hack attempts are from sources outside the United States (either directly from other countries or via proxy servers). If you are extremely security conscious, you can add the IP addresses or entire networks of these hackers to your WordFence IP blacklist simply by clicking the appropriate link.
In similar ways, the “Top Consumers” and “Top 404s” tabs can also be used to ferret out attempted attackers and block their IP addresses.
Hopefully, this overview of WordFence has convinced you to install it on your site. However, if WordFence isn’t quite to your liking, check out these well regarded security plugins for WordPress:
The key to keeping WordPress secure is being proactive. It is much easier to deal with securing your site upfront than it is to clean up the mess once you’ve been hacked.