Every website needs protection from all the nastiness out there. The viruses and those that would put them on your site are always lurking in the shadows. And nothing will kill a business faster than a website that gives viruses to all its customers.
A few weeks back we gave a list of our favorite plugins for WordPress. In that post, we touched on a plugin called Wordfence. This post goes into more depth, showing you how to install the plugin and how we configure it for our sites.
Wordfence installs like any other plugin. But there is some extra installation needed so that the firewall can function. This makes it more effective in mitigating the bad traffic. To start off, download Wordfence from the WordPress plugin directory.
With the zip file in hand, log into the administration panel for your website.
- Click on the plugins section.
- Click on ‘Add New’.
- At the top of the window, click on ‘Upload Plugin’.
- Click browse, and select the zip file.
- Click ‘Install Now’.
- Click ‘Activate’ on the screen after the install completes.
Now that the plugin install is complete, click ‘Close’ on the tour pop-up. Then follow the ‘Click here to configure’ link in the notification banner at the top. Click ‘End the tour’ on the subsequent pop-up.
This setup screen will vary from server to server. Follow the instructions given to finish the firewall install on your site.
Most of the basic settings are pretty good. Yet I have found there are some options that could work better for most sites. Many of the options are on a single page, so I will only list the changes that I make to the options screen. The options screen can be found under the new Wordfence menu in the dashboard.
Start towards the top of the page. Check the box to update Wordfence when a new version comes out. I like to also add an email address, so the notifications come to me instead of worrying my clients.
Next, uncheck the lost password and administrator sign-in boxes. These are more annoying than they are worth. I also uncheck the email summary box.
Check the boxes for scanning themes and plugins against the repository. Also check the option to scan images and other files as if they were executable.
A little farther down, check the box to lock out invalid usernames. The two most attacked usernames I see are ‘admin’ and the domain name without the .com (or other ending). Add those to the ‘immediately block the IP’ box.
The last change that I make is to check the box to block post requests with a blank user-agent.
Don’t forget to save.
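To see what the last two settings would act on before you rely on them, the sketch below builds the username list described above and counts POST requests with a blank user-agent in an access log. It is an added example, not part of the original post or of Wordfence; the function names, the combined log format, the sample log lines and the webhook path are assumptions made for illustration.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed; adjust for your server).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def blank_ua_posts(lines):
    """Count POST requests with an empty or "-" user-agent, per (ip, path)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        if m["method"] == "POST" and m["ua"].strip() in ("", "-"):
            # Drop the query string so repeated calls group together.
            hits[(m["ip"], m["path"].split("?", 1)[0])] += 1
    return hits

def usernames_to_block(domain):
    """'admin' plus the site name without 'www.' and the ending (.com etc.)."""
    host = domain.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return ["admin", host.split(".", 1)[0]]

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "-"',
    '203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" ""',
    '198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"',
    '192.0.2.55 - - [10/Mar/2024:10:02:00 +0000] "POST /wp-json/hypothetical-hook/v1/notify?id=9 HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.20 - - [10/Mar/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for (ip, path), count in blank_ua_posts(SAMPLE).most_common():
        print(f"{count:3d}  {ip:15s}  {path}")
    print(usernames_to_block("www.example.com"))
```

Any path in the output that belongs to one of your own integrations (the hypothetical webhook here) is worth checking after the blank user-agent rule is on, since that sender will be blocked until it sends a user-agent.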
The first scan & dashboard
Now that you have secured your site, it is time for the inaugural scan. This scan will point out any problems such as out-of-date plugins or themes. Make sure that you fix any problems that the scan finds. Your site should now be ready to face the next attacker.
After a week the firewall will switch from learning mode to enabled. Make sure to check back on the dashboard screen from time to time. Here you will find any notifications, as well as signatures and attacks blocked. You can also upgrade to the premium version.
Your firewall should be all ready to go. You can enjoy your site knowing that it should be virus free and clean for anyone who visits.