Last updated: June 15, 2017 (1 day ago)
Tested up to (WP version): WP 4.8.0
Rating: 5 (out of 5)
THE MOST DOWNLOADED WORDPRESS SECURITY PLUGIN
WordPress security is all we do. Secure your WordPress website with Wordfence. Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. Our Live Traffic view gives you real-time visibility into traffic and hack attempts on your WordPress website. A deep set of additional tools round out the most complete WordPress security solution available.
With over 22 million downloads, Wordfence is the most popular WordPress security plugin available. Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing, real-time updates to the Threat Defense Feed, two-factor authentication, and we even check if your website IP address is being used to Spamvertize. Click here to sign up for Wordfence Premium now or simply install Wordfence free and start protecting your website.
You can find our official documentation at docs.wordfence.com and our Frequently Asked Questions on our support portal at support.wordfence.com. We are also active in our community support forums on wordpress.org if you are one of our free users. Our Premium Support Ticket System is at support.wordfence.com. Learn about WordPress security at wordfence.com/learn.
Wordfence Security is Multi-Site compatible and includes Cellphone Sign-in which permanently secures your WordPress website from brute force hacks.
WORDPRESS SECURITY FEATURES
- Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
- Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
- Block common WordPress security threats like fake Googlebots, malicious scans from hackers and botnets.
- Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
- Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report WordPress security threats to the network owner.
- Rate limit or block WordPress security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
- Choose whether you want to block or throttle users and robots who break your WordPress security rules.
- Premium users can also block countries and schedule scans for specific times and a higher frequency.
WordPress Login Security
- Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
- Enforce strong passwords among your administrators, publishers and users. Improve login security.
- Checks the strength of all user and admin passwords to enhance login security.
- Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise WordPress security.
- Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
- See how files have changed. Optionally repair changed files that are security threats.
- Scans for signatures of over 44,000 known malware variants that are known WordPress security threats.
- Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
- Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files that are security threats.
- Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
- See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
- Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
- Monitor your DNS security for unauthorized DNS changes.
- Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
Multi-Site WordPress Security
- Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
- WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
- Fully IPv6 compatible including all whois lookup, location, blocking and security functions.
Major Theme and Plugins Supported
- Includes support for other major plugins and themes like WooCommerce.
Free Learning Center
- The Wordfence website includes an in-depth WordPress Security Learning Center.
The Wordfence WordPress security plugin is full-featured and constantly updated by our team to incorporate the latest security features and to hunt for the newest security threats to your WordPress website.
Secure your website with Wordfence.
Secure your website using the following steps to install Wordfence:
- Install Wordfence Security automatically or by uploading the ZIP file.
- Activate the security plugin through the ‘Plugins’ menu in WordPress.
- Wordfence WordPress Security is now activated. Go to the scan menu and start your first security scan. Scheduled security scanning will also be enabled.
- Once your first scan has completed, a list of security threats will appear. Go through them one by one to secure your site.
- Visit the Wordfence Security options page to enter your email address so that you can receive email security alerts.
- Optionally change your security level or adjust the advanced options to set individual security scanning and protection options for your site.
- Click the “Live Traffic” menu option to watch your site activity in real-time. Situational awareness is an important part of website security.
To install the Wordfence WordPress security plugin on WordPress Multi-Site installations:
- Install Wordfence Security via the plugin directory or by uploading the ZIP file.
- Network Activate Wordfence Security. This step is important because until you network activate it, your sites will see the plugin option on their plugins menu. Once activated, that option disappears.
- Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence Security will not appear on any individual site’s menu.
- Go to the “Scan” menu and start your first security scan.
- Wordfence Security will do a security scan of all files in your WordPress installation including those in the blogs.dir directory of your individual sites.
- Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable live traffic which will stop logging to the DB.
- Firewall rules and login rules apply to the WHOLE system. So if you fail a login on site1.example.com and site2.example.com it counts as 2 failures. Crawler traffic is counted between blogs, so if you hit three sites in the network, all the hits are totalled and that counts as the rate you’re accessing the system.
How does Wordfence Security protect sites from attackers?
The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.
How will I be alerted if my site has a security problem?
Wordfence Security sends security alerts via email. Once you install Wordfence Security, you will configure a list of email addresses where security alerts will be sent. When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.
Do I need a security plugin like Wordfence if I’m using a cloud based firewall (WAF)?
Wordfence provides true endpoint security for your WordPress website. Unlike cloud based firewalls, Wordfence executes within the WordPress environment, giving it knowledge like whether the user is signed in, their identity and what access level they have. Wordfence uses the user’s access level in more than 80% of the firewall rules it uses to protect WordPress websites. Learn more about the Cloud WAF identity problem here. Additionally, cloud based firewalls can be bypassed, leaving your site exposed to attackers. Because Wordfence is an integral part of the endpoint (your WordPress website), it can’t be bypassed. Learn more about the Cloud WAF bypass problem here. To fully protect the investment you’ve made in your website you need to employ a defense in depth approach to security. Wordfence takes this approach.
What differentiates Wordfence from other WordPress Security plugins?
- Wordfence security provides a WordPress Firewall developed specifically for WordPress and blocks attackers looking for vulnerabilities on your site. The Firewall is powered by our Threat Defense Feed which is continually updated as new threats emerge. Premium customers receive updates in real-time.
- Wordfence Security verifies your website source code integrity against the official WordPress repository and shows you the changes.
- Wordfence Security scans check all your files, comments and posts for URLs in Google’s Safe Browsing list. We are the only plugin to offer this very important security enhancement.
- Wordfence Security scans do not consume large amounts of your bandwidth because all security scans happen on your web server which makes them very fast.
- Wordfence Security fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
- Wordfence Security includes Two-Factor authentication, the most secure way to stop brute force attackers in their tracks.
- Wordfence Security fully supports IPv6 including giving you the ability to look up the location of IPv6 addresses, block IPv6 ranges, detect IPv6 country and do a whois lookup on IPv6 addresses and more.
Will Wordfence slow down my website?
No. Wordfence Security is extremely fast and uses techniques like caching its own configuration data to avoid database lookups and blocking malicious attacks that would slow down your site.
What if my site has already been hacked?
Wordfence Security is able to repair core files, themes and plugins on sites where security is already compromised. You can follow this guide on how to clean a hacked website using Wordfence. However, please note that site security cannot be assured unless you do a full reinstall if your site has been hacked. We recommend you only use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. If you need help repairing a hacked site, we offer an affordable, high-quality site cleaning service that includes a Premium key for a year.
Does Wordfence Security support IPv6?
Yes. We fully support IPv6 with all security functions including country blocking, range blocking, city lookup, whois lookup and all other security functions. If you are not running IPv6, Wordfence will work great on your site too. We are fully compatible with both IPv4 and IPv6 whether you run both or only one addressing scheme.
Does Wordfence Security support Multi-Site installations?
Yes. WordPress Multi-Site is fully supported. Using Wordfence Security you can scan every blog in your network for malware with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blacklisted by Google, we will alert you in the next scan.
What support options are available for Wordfence users?
Providing excellent customer service is very important to us. We offer help to all our customers whether you are using the Premium or free version of Wordfence Security. For help with the free version, you can post in our forum where we have dedicated staff responding to questions. If you need faster or more in-depth help, Premium customers can submit a support ticket to our Premium support team.
Where can I learn more about WordPress security?
Designed for every skill level, The WordPress Security Learning Center is dedicated to deepening users’ understanding of security best practices by providing free access to entry-level articles, in-depth articles, videos, industry survey results, graphics and more.
The dashboard gives you an overview of your site's security including notifications, attack statistics and Wordfence feature status.
The Web Application Firewall protects your site from common types of attacks and known security vulnerabilities.
The Wordfence Malware Scanner lets you know if your site has been compromised and alerts you to other security issues that need to be addressed.
The Wordfence Security Live Traffic view shows you real-time activity on your site including bot traffic and exploit attempts.
Block IPs that are known to be malicious, manage IPs that have been locked out and see recently throttled IPs that violated security rules.
The Wordfence Options page is where you manage high-level Wordfence features and upgrade your license to Premium.
The Advanced Options page allows technically-minded users to fine-tune their security settings.
Latest Change log entry:
- Improvement: The scan will alert for plugins that have not been updated in 2+ years or have been removed from the wordpress.org directory. It will also indicate if there is a known vulnerability.
- Improvement: Added a self-check to the scan to detect if it has stalled.
- Improvement: If WordPress auto-updates while a scan is running, the scan will self-abort and reschedule itself to try again later.
- Improvement: IP-based filtering in Live Traffic can now use wildcards.
- Improvement: Updated the bundled GeoIP database.
- Improvement: Added an anti-crawler feature to the lockout page to avoid crawlers erroneously following the unlock link.
- Improvement: The live traffic “Group By” options now dynamically show the results in a more useful format depending on the option selected.
- Improvement: Improved the unknown core files check to include all extra files in core locations regardless of whether or not the “Scan images, binary, and other files as if they were executable” option is on.
- Improvement: Better wording for the whitelisting IP range error message.
- Fix: Addressed a performance issue on databases with tens of thousands of tables when trying to load the diagnostics page.
- Fix: All dashboard and activity report email times are now displayed in the time zone configured for the WordPress installation.
Jason's Comments
Wordfence Security is my preferred solution. It has an easy and automated scanner that checks for malicious code and can compare the WordPress, Theme and Plugins files with the original WordPress library, allowing you to view the differences and revert to the original version of a file or delete it. Wordfence has a firewall preventing malicious scripts from operating, a built-in traffic log which allows you to block bad IP addresses, and a method to automatically limit fake crawlers and limit and block login attempts by hackers.
Wordfence Premium provides real time updates to the Firewall rules (blocking malicious scripts) & the IP blacklist (completely blocks known malicious IPs from accessing your website), provides front facing page scans and country blocking.
Website Optimization and Maintenance
There are a few ways to optimize and speed up your website for viewers and search engines: database clean up, image optimization, page / script compression, CPU / server load optimization, server file caching and browser caching.