Non-disclaimer Disclaimer: This is NOT a paid review of Wordfence. It does not include any affiliate links. We just think it’s awesome.
Wordfence is a security plugin for WordPress websites. It combines a firewall, login security, malware scanning, and other security tools. I’ve used a lot of different security plugins over the years. Wordfence is far and away the best one I’ve come across. It is easy to use, has the features we want and need, and the price is right: It’s free. Yes, there is a premium upgrade, but you don’t need it to secure your site.
So what’s so great about Wordfence?
Firewall & login security: Wordfence automatically blocks a lot of the bad guys from getting into your site. It guards against known attack patterns. You can rate-limit or block fake Google crawlers. It also protects your site against brute-force (login) attacks. If you sign up for a premium account, you can also get their real-time IP address blacklist, so if there is an active wide-scale attack on the web, you’re covered.
Alerts to security problems: Wordfence scans your site every day. If it sees something it doesn’t like, you can get an email about it. It could be that a plugin is out of date or WordPress needs to be updated. Or it could be that files changed in one of your site’s plugins even though you didn’t update it, and you really need to go check it out.
File comparison: Wordfence can check your files against what is in the WordPress repository. That means you can see exactly how a file on your site has changed compared to what it should look like. Most of the time it’s harmless. Sometimes, it’s a hack. If there is a new version of a plugin and you haven’t updated yet, you can get false alarms, so beware of that.
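To make the file comparison idea concrete, here is an added example (not Wordfence's code, and not from the original review) that checks a plugin directory against a known-good hash manifest and records whether the manifest matches the installed version, the false-alarm case mentioned above. The manifest layout, plugin file names and version numbers are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_to_manifest(root: Path, installed_version: str, manifest: dict) -> dict:
    """Compare files under root with a known-good {relative path: sha256} manifest."""
    expected = manifest["checksums"]
    on_disk = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    return {
        # A manifest for another release flags every file that release changed,
        # which is the false-alarm case: treat the findings as unreliable.
        "version_match": installed_version == manifest["version"],
        "modified": sorted(rel for rel, p in on_disk.items()
                           if rel in expected and sha256_of(p) != expected[rel]),
        "missing": sorted(rel for rel in expected if rel not in on_disk),
        "unexpected": sorted(rel for rel in on_disk if rel not in expected),
    }


def demo() -> dict:
    """Build a constructed plugin tree and manifest, then change the tree."""
    original = {  # constructed sample release, not a real plugin
        "example-plugin.php": b"<?php // plugin bootstrap\n",
        "includes/helpers.php": b"<?php function helper() {}\n",
        "readme.txt": b"Example Plugin 1.2.0\n",
    }
    manifest = {"version": "1.2.0", "checksums": {
        rel: hashlib.sha256(data).hexdigest() for rel, data in original.items()}}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, data in original.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        (root / "includes/helpers.php").write_bytes(b"<?php function helper() { /* edited */ }\n")
        (root / "readme.txt").unlink()
        (root / "includes/cache.php").write_bytes(b"<?php // not in the release\n")
        return compare_to_manifest(root, "1.2.0", manifest)


if __name__ == "__main__":
    print(demo())
```

A file listed under "unexpected" deserves the same attention as a modified one, since a file that was never part of the release has no legitimate original to compare against.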
Attack notifications: My heart still skips a beat every time I see “Increased Attack Rate” in the subject line of an email. But, I’m also relieved because I know Wordfence is doing its job. If this email comes in along with a “down” notification from our monitoring service, then I know it’s a big deal.
Activity reports: You can get reports daily, weekly, or monthly. This is a good check to make sure things are getting updated on the website and nothing has changed that shouldn’t have. It also gives you a brief breakdown of the top IP addresses that were blocked and top login failures. After noticing a pattern with the Wordfence-blocked IP addresses, I’ve used the report info to set up permanent blocks so those addresses can’t reach our server again. Most likely the bad guys have moved on with new IP addresses by then, but it usually doesn’t hurt to take that step.
Import/Export settings: We maintain a lot of sites and create a lot of dev/staging sites. It would be a big hassle to configure every setting we use on each new installation. Thankfully, I learned about the export/import feature early on. Now, we have one code we use for every live website and another for every dev site. It makes for a quick and painless install.
Most importantly, it works and it gives us peace of mind. That’s not to say you won’t get hacked if you install Wordfence and do nothing else, but you’re setting your site up with a great head start.