Hundreds of WordPress sites get hacked each day. How can you make sure yours isn’t one of them?
Let’s face it: WordPress security is a big topic. It can also seem a little scary at first glance. There are so many different ways that hackers can break into sites. How can you begin to protect your site against all these attacks?
Well, you can stop worrying! In this tutorial, I’ll show you how to install and configure a WordPress plugin that will dramatically beef up your site’s security, with very little effort on your part. The whole caboodle takes about 20 minutes to set up.
By the time you’re done, you’ll be able to relax, safe in the knowledge that your WordPress site is well-protected against those pesky hackers!
But first, let’s take a look at exactly how hackers do what they do — and why they do it.
8 essential steps to WordPress security
Wordfence is an awesome “quick win” for beefing up your WordPress security, but there are many more actions that you should take to secure your site. Our WordPress Security Checklist guides you through 8 easy-to-follow steps to lock down your WordPress. Click the button below to get started:
Why — and how — websites get hacked
So why do hackers want to hack your little old WordPress site anyway? There are a couple of reasons:
- To get hold of secret information on your site. This might include your passwords, details of your users, customers or subscribers, and so on.
- To install malware on your site. Malware is nasty software, hidden inside the files on your site. Once they’ve managed to install their malware, hackers can do anything from sending viruses to your visitors’ computers through to inserting spammy links in your site’s pages. (This will really hurt your SEO, by the way!)
Hackers break into WordPress sites in various ways:
- Guessing your WordPress admin password. Hackers run programs that try to log into your site hundreds of times a minute, using different admin usernames and passwords (this is known as a brute force attack). If they get the right combination, they can log in and get full access to your WordPress admin.
- Using a security hole in your code. This can include WordPress itself (known as WordPress core), as well as any plugins and themes that you have installed.
- Using security holes in your web hosting. For example, there may be a bug in the web server software that runs on your site that lets hackers get into the site. Or they might be able to break into your hosting control panel or FTP accounts to upload malware.
How Wordfence protects your site from hackers
Wordfence is a free WordPress plugin that protects your WordPress site from hacking attempts. What’s more, if your site does get hacked and the hacker manages to install malware, then Wordfence helps you to remove the malware from your site and get it working normally again.
Wordfence protects your site in the following ways:
- Its Web Application Firewall analyses all visitor traffic just before it reaches your WordPress site. If it detects a hacker in amongst the traffic, it blocks them before they can reach your site and do any damage.
- Its Malware Scanner regularly scans the files on your site — including WordPress, plugins and themes — to see if any of them might contain malware. It also scans your posts and pages, looking for dodgy URLs and code that might have been added by hackers.
- Its File Repair feature helps you remove malware from your site. It shows you how the file has been altered by the hacker, and lets you replace the hacked file with the original, clean version at the click of a button.
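To make the scanner and repair features less mysterious, here is an added example (written for this article, not Wordfence's own code) of the idea underneath them: take a manifest of SHA-256 hashes of every file while the site is known to be clean, re-hash later to find files that were modified, added or removed, show the modified file as a unified diff against the clean copy, and restore the clean copy. The "site" is a constructed temporary directory with two stand-in files; the injected line is a harmless marker pointing at the reserved example.invalid domain, and the file paths are invented for the demo.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for a clean WordPress install (not real core/theme files).
CLEAN_FILES = {
    "wp-config-sample.php": "<?php\n// constructed stand-in for a core file\n$table_prefix = 'wp_';\n",
    "wp-content/themes/demo/footer.php": "<?php\n// constructed theme file\nwp_footer();\n",
}
THEME_FOOTER = "wp-content/themes/demo/footer.php"
UNKNOWN_FILE = "wp-content/uploads/x.php"


def write_files(root, files):
    """Create the given {relative_path: text} files under root."""
    for rel, text in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)


def build_manifest(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_to_manifest(root, baseline):
    """Report files whose hash changed, files not in the baseline, and files that vanished."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def show_changes(clean_text, current_text, name):
    """Unified diff of the clean copy against the file now on disk."""
    return "".join(difflib.unified_diff(
        clean_text.splitlines(keepends=True),
        current_text.splitlines(keepends=True),
        fromfile=f"clean/{name}", tofile=f"site/{name}",
    ))


def scan_demo():
    """Run the whole cycle on a constructed site: baseline, tamper, scan, diff, repair."""
    with tempfile.TemporaryDirectory() as site:
        write_files(site, CLEAN_FILES)
        baseline = build_manifest(site)  # taken while the site is known-good

        # Simulate the two things a scanner should catch: an extra line appended
        # to a theme file, and a PHP file appearing somewhere it does not belong.
        footer = Path(site) / THEME_FOOTER
        footer.write_text(CLEAN_FILES[THEME_FOOTER]
                          + "echo '<a href=\"http://example.invalid/\">constructed marker</a>';\n")
        write_files(site, {UNKNOWN_FILE: "<?php // constructed unexpected file\n"})

        report = compare_to_manifest(site, baseline)
        report["diff"] = show_changes(CLEAN_FILES[THEME_FOOTER], footer.read_text(), THEME_FOOTER)

        # "Repair": put the clean copy back and confirm the file no longer differs.
        footer.write_text(CLEAN_FILES[THEME_FOOTER])
        report["after_repair"] = compare_to_manifest(site, baseline)
        return report


if __name__ == "__main__":
    result = scan_demo()
    print("modified:", result["modified"])
    print("added:", result["added"])
    print(result["diff"])
    print("after repair, still modified:", result["after_repair"]["modified"])
```

Note that the repair step only fixes the modified file; the unexpected upload still shows up as "added" afterwards, which is the point: an integrity check tells you what changed, and each finding still needs a human (or a tool that knows the pristine source, as Wordfence does for core, plugins and themes) to decide whether it is legitimate.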
Wordfence free vs. premium: what’s the difference?
The Wordfence plugin itself is free, but you can opt to pay $99 per year for a premium Wordfence subscription with more advanced features.
Wordfence’s homepage has a detailed list of the differences between the free and premium options. Briefly, here’s what you get if you sign up for premium:
- Real-time updates to counter the latest threats as they’re discovered. (Free users have to wait 30 days for the updates.)
- A real-time IP blacklist of known malicious IP addresses. This blocks hackers’ computers instantly before they can even touch your WordPress site.
- Country blocking lets you block off entire countries from your site — useful if users in a particular country are mainly trying to hack your site.
- Spam checking to see if your server or site is sending spam emails or “spamvertizing” (serving up spammy content in your pages).
- Remote scanning, which uses Wordfence’s servers to scan your server remotely. This lets Wordfence scan your site more thoroughly than the free plugin does.
- Schedule your scans to run when you like, as often as you like. Free users only get one automatic scan per day, and Wordfence decides what time of day to run the scan. (However, you can run manual scans whenever you like, even as a free user.)
- Improved login security. Premium users can sign into their site using their phone for improved security, and automatically check all their WordPress passwords to make sure they’re secure.
- Better comment spam filtering. Comment spam is where hackers and spammers post comments on your blog that contain spammy or dangerous URLs. The free version of Wordfence filters out the worst of these, but the premium version does a more thorough job.
So is the premium version worth it? If you want the best possible protection and peace of mind, then yes. However, the free version still offers really good protection from hackers, and is infinitely better than having no security plugin at all. Of course, you can start with the free plugin and upgrade to the paid subscription at any time.
How to install Wordfence
As with most WordPress plugins, installing Wordfence is super-easy. Just follow these steps:
- Log into your WordPress admin.
- In the left-hand menu, choose Plugins > Add New.
- Type wordfence into the top-right Search Plugins box and press Return.
- Find Wordfence Security in the search results, and click its Install Now button.
- Wait for a few seconds while WordPress installs the plugin. When it’s done, the Install Now button changes to an Activate button. Click the button to activate the plugin.
That’s it! Wordfence is now installed and protecting your site.
You may be offered a tour as soon as you activate Wordfence. Feel free to click the Start Tour button, which takes you through each of the Wordfence admin pages. Alternatively, click Close to dismiss the popup.
Setting Wordfence options
Once you’ve installed and activated Wordfence, head on over to the Options page by choosing Wordfence > Options from the left-hand menu in the WordPress admin.
Most of the options are set to pretty good defaults, so you don’t need to touch them. However, there are a few options in the Basic Options section that you’ll definitely want to set:
- Enable automatic scheduled scans: This should be set by default. It makes Wordfence scan your site for hacks and malware once per day.
- Update Wordfence automatically when a new version is released?: This setting automatically updates the Wordfence plugin every time a new version becomes available. It’s a good idea to check this checkbox to keep your site as secure as possible. If it causes any problems, uncheck it again and remember to update your Wordfence regularly!
- Where to email alerts: Make sure you enter your email address here, so that Wordfence can email you if it finds that your site’s been hacked.
Once you’ve set these options, click the Save Options button to save your settings.
Running your first scan
The next thing you’ll want to do is run a Wordfence scan to check if your site’s been hacked. To do this:
- Choose Wordfence > Scan from the left-hand menu in the WordPress admin.
- Click the Start a Wordfence Scan button near the top of the page:
Depending on the size of your site, the scan takes anywhere from a few seconds to several minutes to complete. While it’s scanning, you’ll see various messages appear in the Scan Summary and Scan Detailed Activity boxes on the page:
Eventually you’ll see the text Scan complete appear in the Scan Summary box. Now scroll down the page until you see the New Issues box:
This lists any problems that Wordfence uncovered. Hopefully this box is empty, but you might see some minor issues such as plugins and themes that need updating. You can either update them by clicking the Click here to update now links, or you can choose Dashboard > Updates from the left-hand admin menu to update all of your plugins and themes at once.
If you see any critical messages (with a big red cross) — particularly messages like “File appears to be malicious” — then your site may have been hacked already. If that’s the case, follow these steps:
- Don’t panic!
- Take a look at this Wordfence help page, which explains how to tell the difference between a real hack and a false positive, as well as how to fix up any false positives.
- If it really does look like your site has been hacked and contains malware, then the next step is to clean up your site, either by following the instructions on Wordfence’s site, or hiring the Wordfence team to do it for you.
Setting up the Wordfence firewall
Wordfence’s Web Application Firewall blocks hackers before they can do damage to your WordPress site. It’s turned on automatically when you install Wordfence, but to start with it only runs as a WordPress plugin, which doesn’t offer the best level of protection. Wordfence calls this Basic WordPress Protection.
To make the firewall more secure, you want to set it so it runs before WordPress — or any other PHP files — have had a chance to run. That way, it can block hack attempts at the earliest possible point. Wordfence calls this Extended Protection.
To turn on Extended Protection, follow these steps:
- Choose Wordfence > Firewall from the left-hand menu in the WordPress admin.
- Click Optimize the Wordfence Firewall:
- There’s a lot of techie text on this page, but don’t worry about it unless you have more than one WordPress installation running on your server, or you know your server configuration is different to the one shown on the page. Just click Continue to move to the next step:
- The next page asks you to download a backup copy of your .htaccess file before Wordfence changes it. Click the Download .htaccess button to download the file to your computer, then click the Continue button to make the changes:
If all goes well, you should see the message “The installation was successful! Your site is protected to the fullest extent!”, and the Protection Level should now show Extended Protection:
You’ll also see that the firewall starts in Learning Mode. In this mode, the firewall analyses your site traffic for a while so that it can tell the difference between normal traffic and a hack attempt. After a week, the firewall automatically switches to Live Mode and starts protecting your site.
While the firewall is in Learning Mode, it’s a good idea to do all the things you would normally do: publish pages and posts; moderate comments; tweak themes and plugin settings; and tweak widgets. This gives the firewall a chance to see what “normal” activity on your site looks like.
Nice job! Here’s what to do next.
Now that you’ve installed and set up Wordfence, your WordPress site has a much better chance of keeping hackers at bay. Great work!
It’s important to keep on top of your WordPress security. Wordfence will email you whenever it discovers any issues with your site, and you should investigate these and fix them if necessary. It’s also worth checking out the Wordfence Dashboard (choose Wordfence > Dashboard in your WordPress admin), which gives you a good summary of your site’s current security status.
There are also many other steps that you can take to improve your site’s security. Make sure you download our free WordPress Security Checklist and work through the 8 simple action steps in the list. This will really help to keep your site as secure as possible.
Do you have any questions on Wordfence, or on keeping your WordPress site secure? Feel free to ask in the comments below!
[This article was updated on 15 Feb 2017 to cover the new user interface in Wordfence 6.3, and on 20 Mar 2017 to include the new IP Blacklist premium feature. Image credits: Computer and padlock by TheDigitalWay (CC0), cropped, edited // Fence by jarmoluk (CC0), cropped, edited]