WordPress security has become a very hot topic recently, after many hosting companies and websites were attacked.
It’s caused some real headaches, and although most hosting companies have it under control now, you’ll be surprised how many hackers still try to gain access to your WordPress sites every day!
The problem is more serious than many think, and nobody expects it to happen to them until it does.
Then it’s all tears…
I want to tell you about a “no tears” FREE solution (no, no promotion here) that I have installed across all my sites.
Wordfence WordPress Security Plugin
It’s honestly been a lifesaver and keeps stopping hacking attempts from rogue hackers every day. Each day I get at least one Wordfence alert.
Here’s one that just hit this site at the time of writing (you can turn these notifications off but I love seeing them get slammed – hehe)
So, the purpose of this post is to show you how you can also secure your WordPress site (for free). You can of course buy into other systems that will probably give you more advanced security, but setting up this plugin on your site takes less than 5 minutes and I’ve never had a problem.
Follow this step by step guide below to see how I set it up:
Step #1: Add the plugin.
Go to: Plugins -> Add New
Step #2: Search for “WORDFENCE”
Step #3: Install the Wordfence Security plugin as shown below:
Step #4: Activate the Worfence plugin after installation.
Step #5: Optional – you can choose to signup for new WordPress alerts, start a “tour” or just close the message. You decide what you want to do, but if you signup for alerts then you only have to do this once (not for each site you own).
Step #6: Wordfence Security Options.
The first thing to do is set the “options”. I find that out of the box it isn’t strict enough, so I like to lock things down a little more.
Step #7: Basic Options.
First, you should set your email address to get alerts. When someone breaks a rule you’ll get an email alert.
Next up, change the security level from Level 2 to Level 3 and “save changes”. This will be the baseline for the other settings we’ll go through.
Step #8: Alerts.
By default Wordfence doesn’t send you an alert when an IP address is blocked. It’s always good to know who’s been locked out, so I set up the top three options as shown below. If you turn on too many alerts they may get a little overwhelming.
Step #9: Scans to include.
There’s a paid members option in here. I personally haven’t found the need for it as Wordfence combined with my Rackspace hosting provides enough security to keep the baddies at bay.
The only option I haven’t selected is to monitor disk space. It could be an issue if you’re uploading lots of large new images/files in your posts. It also adds extra overhead, so I prefer to leave it unchecked.
Step #10: Firewall rules.
I stick with the default “Level 3” options here; I’ve tested it over time and it doesn’t affect SEO. You CAN select to block fake Google crawlers, but I prefer to leave this option unchecked as I don’t want it accidentally blocking real Google crawlers.
Of course this is up to you 😉
Step #11: Login security options.
Here I change the lockout to 5 bad attempts and the lockout duration to 1 day. After all, you don’t want to give them too many chances – right? This helps reduce attacks and excessive notifications if they try to attack you again within 24 hours.
If you have a membership site you may need to up the login attempts, but if someone can’t get their login right within 5 attempts then they need to seriously re-evaluate themselves! :)
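To make the lockout rule from this step concrete, here is an added example (not code from the post or from the Wordfence plugin) that replays a constructed login log and applies the same policy: 5 bad attempts from one IP lock it out for 1 day, further attempts during the lockout are rejected without generating another alert, and the counter starts again once the day is up. The log lines, IP addresses and usernames are made up for the demo; the `max_failures` parameter is the knob a membership site would raise.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Policy values from the post: lock an IP out after 5 bad attempts, for 1 day.
MAX_FAILURES = 5
LOCKOUT = timedelta(days=1)


@dataclass
class LoginEvent:
    """One login attempt, as a defender would see it in a web or auth log."""
    when: datetime
    ip: str
    user: str
    success: bool


@dataclass
class IpState:
    failures: int = 0
    blocked_until: Optional[datetime] = None


@dataclass
class Outcome:
    blocked: Dict[str, datetime] = field(default_factory=dict)  # ip -> lockout expiry
    alerts: List[str] = field(default_factory=list)             # one alert per block (Step 8)
    rejected: int = 0                                           # attempts dropped during a lockout


def apply_lockout_policy(events, max_failures=MAX_FAILURES, lockout=LOCKOUT) -> Outcome:
    """Replay login events in time order and apply the lockout policy per source IP."""
    state: Dict[str, IpState] = {}
    out = Outcome()
    for ev in sorted(events, key=lambda e: e.when):
        st = state.setdefault(ev.ip, IpState())
        if st.blocked_until is not None:
            if ev.when < st.blocked_until:
                # Still locked out: reject without counting, so a returning attacker
                # produces no fresh alert per attempt within the 24 hours.
                out.rejected += 1
                continue
            # Lockout expired: start again with a clean counter.
            st = state[ev.ip] = IpState()
        if ev.success:
            st.failures = 0  # a correct login clears the strike count
            continue
        st.failures += 1
        if st.failures >= max_failures:
            st.blocked_until = ev.when + lockout
            out.blocked[ev.ip] = st.blocked_until
            out.alerts.append(
                f"{ev.when:%Y-%m-%d %H:%M:%S} blocked {ev.ip} until "
                f"{st.blocked_until:%Y-%m-%d %H:%M:%S} after {st.failures} failed logins "
                f"(last username tried: {ev.user!r})"
            )
    return out


# Constructed sample log, not real traffic. Addresses come from documentation ranges.
T0 = datetime(2013, 4, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    # one IP guessing the 'admin' password every 10 seconds: blocked on the 5th failure
    *[LoginEvent(T0 + timedelta(seconds=10 * i), "203.0.113.7", "admin", False) for i in range(7)],
    # a real user who mistypes twice and then gets in: never blocked
    LoginEvent(T0 + timedelta(minutes=1), "198.51.100.4", "editor", False),
    LoginEvent(T0 + timedelta(minutes=2), "198.51.100.4", "editor", False),
    LoginEvent(T0 + timedelta(minutes=3), "198.51.100.4", "editor", True),
    # the same attacker returns after the lockout has expired: counted again from zero
    LoginEvent(T0 + timedelta(days=1, minutes=5), "203.0.113.7", "admin", False),
]


if __name__ == "__main__":
    result = apply_lockout_policy(SAMPLE_EVENTS)
    for line in result.alerts:
        print(line)
    print(f"{result.rejected} attempts rejected during active lockouts")
```

Running it shows one alert for the guessing IP and two silently rejected attempts, which is the "fewer notifications within 24 hours" effect described above; the legitimate user who mistypes twice never trips the rule.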
Step #12: Other options.
This is the last section in the Wordfence login options setup. I leave it all as the default settings as they suit me just fine. All you have to do in this area is hit “Save Changes” (unless you want to make your own changes).
NOTE: Once you save these options your security level will change to “custom”.
Step #13: Wordfence Scan – the fun part! 😉
Under the Wordfence menu, select “Scan”. This will take you to the scanning page.
Step #14: Start a Wordfence Scan.
Click the button to start a scan. Notice underneath there’s a “kill link”. You may need this if your scan doesn’t complete for whatever reason. Usually the full scan takes around 2 minutes. If it’s not making any progress after this you should hit the kill scan link and try again.
Step #15: Scanning.
Once you start the scan you’ll see Wordfence work through your site. If there are any issues or warnings they’ll be flagged during the scan. You’ll get options afterwards to address them.
CAUTION: Make sure a flagged file really is unknown and not a theme or plugin file. OptimizePress has two files that are flagged but they’re OK, so you should choose to “ignore” them unless they are changed. Just be careful, and it’s preferable to back up any files you’re going to delete before deleting them.
Step #16: Scan Summary.
Once the scan is complete you can review issues and take action as explained above. If there are any issues you’ll be presented with various options to “fix” them. If not you’ll see the message below.
NOTE: Sometimes you may need to run the scan several times before it completes. Being mostly a free solution they don’t have the best servers and the scan can time out. Just persist with it and it will complete.
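The scan in Steps 13 to 16 is, at its core, a file integrity check: each file is compared against a known-good copy, and anything that differs or belongs to no known package is flagged. The added example below (not Wordfence’s code, and not from the post) shows that logic on a constructed mini WordPress tree in a temp directory, including the “ignore unless changed” behaviour from the caution in Step 15: a reviewed plugin file stays ignored only while its hash matches the one recorded when you ignored it. File names, contents and the `example-plugin` path are made up for the demo.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: Path, known_good: Dict[str, str], ignored: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every file under root.

    known_good: relative path -> expected SHA-256 (stands in for the pristine copy of
                core, theme and plugin files a scanner compares against).
    ignored:    relative path -> hash recorded when the file was marked "ignore". It stays
                ignored only while that hash matches, i.e. "ignore them unless they are changed".
    """
    report: Dict[str, List[str]] = {"unchanged": [], "changed": [], "unknown": [], "ignored": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        digest = sha256_of(path)
        if ignored.get(rel) == digest:
            report["ignored"].append(rel)
        elif rel in known_good:
            report["unchanged" if known_good[rel] == digest else "changed"].append(rel)
        else:
            # Not in any known package: this is the "unknown file" case from the post.
            report["unknown"].append(rel)
    report["missing"] = sorted(set(known_good) - seen)
    return report


def build_demo_site() -> Tuple[Path, Dict[str, str], Dict[str, str]]:
    """Create a constructed mini WordPress tree in a temp dir, record its known-good
    hashes, then make the kinds of changes a scan should surface. All paths and
    contents are made up for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wf-demo-"))
    original = {
        "wp-config.php": "<?php define('DB_NAME', 'wordpress');\n",
        "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
        "wp-content/plugins/example-plugin/custom.php": "<?php // plugin file that legitimately differs from upstream\n",
    }
    for rel, body in original.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    known_good = {rel: sha256_of(root / rel) for rel in ("wp-config.php", "wp-includes/version.php")}
    # The plugin file is flagged as unknown by a first scan, reviewed, and marked "ignore".
    plugin_file = "wp-content/plugins/example-plugin/custom.php"
    ignored = {plugin_file: sha256_of(root / plugin_file)}

    # Changes a later scan should catch:
    with (root / "wp-includes/version.php").open("a") as f:
        f.write("// unexpected modification to a core file\n")  # -> "changed"
    dropped = root / "wp-content/uploads/image.php"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_text("<?php // not part of core, any theme or any plugin\n")  # -> "unknown"
    return root, known_good, ignored


if __name__ == "__main__":
    site, good, ign = build_demo_site()
    for category, files in scan_tree(site, good, ign).items():
        print(f"{category:>9}: {files}")
```

The point of keying the ignore list on a hash rather than a path alone is the one the caution makes: a file you decided was safe should be flagged again the moment its contents change. The `missing` category covers the other direction, a known file that has been deleted, which a path-only comparison would also miss.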
Once you have a cleared site, it’s pretty much maintenance free. Wordfence just does what it’s meant to do and keeps those nasty hackers out!
I hope you enjoyed this article and look forward to your comments below.
Take care and be safe 😉
Disclaimer: There are many other solutions out there, but Wordfence has been working extremely well and I’ve not been hacked or experienced any downtime across any of my 30+ sites. Obviously this also depends on your hosting and how well managed/protected your web server is.