Millions of sites are hacked daily. It doesn’t matter what type of content management system or custom setup you are using; you still need to protect it the right way.
When it comes to WordPress, you will get plenty of options for protecting your site. But, one that caught my attention early as WordFence.
I started using WordPress from 2014, and WordFence is the first security plugin that I used on my site. In the coming years, I tried multiple security plugins, including Sucuri. In this review, I will do an in-depth review of the WordFence plugin and services so that you can decide if it is a good fit for your site.
Also, if you are in a hurry, then check out the table for WordFence Complete Review.
| WordFence in a Nutshell | A WordPress Security Service Provider |
| What services WordFence offers | WordPress Plugin + WordPress Site Clean Services |
| What is the WordPress Site Clean Service? | It is the service that you can use when you need to remove malware from your site. |
| Steps to clean your site |
|
| Price of WordPress Site Clean Service | $179 per site |
| Is there any page limit to the WordPress Site Clean Service | No |
| Money-back guarantee for the WordPress Site Clean Service | 90-days if you follow their post-service recommendation |
| What does the WordFence plugin do? | A plugin that protects your site form malware using scanning and firewall |
| Is WordFence plugin free? | Yes, it can be used for free. |
| Is there any paid option for the WordFence plugin? | Yes, $99 per year, gives you access to advanced features. |
| Is it easy to setup? | Yes |
| Is the free WordFence plugin enough for your site? | Yes! |
| Ideal For | Businesses, Freelancers, Startups |
| What are alternatives to WordFence | Sucuri, Malcare |
WordFence Introduction
Before we get started, let’s look into what actually WordFence is.
What I am trying to say is that WordFence is more than just their plugin. They are a security service provider that protects millions of WordPress site owners from hacks and also helps them resolve issues when they are either hacked or compromised.
Yes, if you go to their site, you can get access to their WordPress Site Cleaning Service which starts from $179 per site. However, most of the time, the prices are increased due to demand. The highest I have seen the prices to be is 2.7 x. And that’s a lot. The only good thing about the service is that they provide a one-year premium subscription for their WordPress plugin that is normally priced at $99 per year.
It can take anywhere between 24 hours to 72 hours for them to fix. However, they do not have any turnoarund time mentioned which means that it can take few hours to few days before you get your site back.
Of Course, they are not alone in the market. Almost every security service provider, including MalCare and Sucuri, provides similar services for their customers.
To help you in the process, I have made a short but sweet comparison of the services offered by other security plugin.
| Plugin | Time | Pricing | Money-back guarantee |
| WordFence | No time is given | $179 per site, no page limit | 90-days money-back guarantee if you follow their post-hack recommendations |
| MalCare | 12 hours | $99 per year | Yes |
| Sucuri | 6 hours guaranteed response | $199 per year | 30-days money-back guarantee |
Now that I have talked briefly about their malware cleaning service and compared them briefly with other similar service providers, it is time to look at their plugin.
WordFence is popular not for their Malware cleaning services but also for their plugin. So, let’s cover it below.
The plugin lets you secure your WordPress site. Their plugin is free to use, and it is trendy. Right now, it has more than 3+ million installations. That’s impressive!
The WordFence security plugin offers a malware scan and firewall for your site. You can also use it to harden your WordPress site. By hardening, I mean making your site more secure than before. Making your site secure requires many other steps, but installing a security plugin gives you a head start to the whole process. I will not be covering the entire process of hardening your WordPress site, but I will cover the WordFence plugin in such a way that you will get the basics of hardening your WordPress site and secure it against malicious actors and hackers.
Getting Started With WordFence Plugin
To get started with WordFence, you need to install their free plugin from their repository. You can do it in two ways. You can either go to their official WordFence listing on the WordPress plugin repository or download and install it directly from your WordPress site dashboard.
Let’s install it from our site’s dashboard.
To get started, go to your WordPress website’s dashboard. Once there, you now need to click on Plugins > Add New from the main menu. Not sure how to do it? Check out the image.
Once you click “Add New,” you will be redirected to the plugins page. There you need to search for WordFence by typing in the search plugins textbox. If you did it right, you would see the WordFence plugin. Now, we need to click on “Install” for the installation to get started.
The Install Now Button will now change to “Activate.”
To start using the plugin, all you need to do is click on the “Activate” button as shown below.
Setting Up WordFence For the First Time
Setting up your WordFence plugin is very important. If you do everything right, you will make your site secure. That’s why we will go through the whole process of setting it up so that you do not miss anything.
Let’s get started.
To access WordFence for the first time, you need to click on WordFence in your main menu and then click on Dashboard.
Once there, you will be greeted by their “Recommended Settings Change.” It is a handy option to get started. It will ask you to change the settings so that it can track all traffic. It is recommended that you do enable it by clicking on “Yes Please.”
Next, it will ask you to review their Privacy Policy and Terms of Use. These are important for businesses that work with critical data. So, take your time and review them before proceeding. I did go through it briefly and found no alarming issues that can be of any concern for sites using it. However, if you are a business that works with critical data, you might want to check out their terms and privacy policy deeply to see if there is any sort of thing that bothers you.
Now, let’s see how the WordPress dashboard looks like.
Well, that’s a lot of things on the dashboard. It gives you an eagle-eye view of what’s happening on your site and also gives you access to quick options to work with.
The first thing to notice here is the upper section, where it lets you know about current WordPress protection. As we just installed the plugin, it is taking its time to adjust itself to the site. At the time of writing, it is still currently learning about the traffic and scanning the site.
It also tells you about the premium protection status. If you are using the free version, then it will show as disabled. The premium version offers better protection. We will discuss more the premium version and what it has to offer later on. For now, let’s stick to setting up WordFence.
Scan Your Website
It is easy to get lost in the plethora of WordFence options. Before you fiddle with them, it is good to do a preliminary scan on your site. This will help you figure out if your site is compromised or not.
The scan is also the most important part of the WordFence security plugin. To access it, you need to go to WordFence > Scan.
Here, you can run a scan and also find all the scan options, including scheduling and other scans activity-related information.
This is how the scan page looks like:
Pretty descriptive! Here, we click on the “Start New Scan.” This will start the scan, and you can see the window update with the progress.
The “Start New Scan” button will now change to “Stop Scan.” You can also see the steps that it will take during the scanning process. The box marked with (1) showcases the steps that are locked as we are using the free version. It will skip it and then start checking out the following.
- File changes → See if the core files are modified or not.
- Malware scan → Check if your site is free from malware or not.
- Content Safety → Ensure that the content is safe for consumption by the visitors.
- Public Files → Check if there is no sensitive file open for public.
- Password strength → Checks if your WordPress site admin has a strong password or not
- Vulnerability Scan → See if any vulnerabilities need fixing.
- User and Option Audit → Checks if the user and options are properly set.
Going Through the Scan Results
Amazing, we did our first scan! And found some interesting results. The scan took 3 minutes 33 seconds for my site, which is a decent speed. In your case, the time needed depends on your server capacity and also on your site and plugin configuration.
Yes, the WordFence plugin uses your server resources! Unlike other providers who use cloud servers to scan your site. Sucuri is one of the best examples as they use cloud-based solutions to protect WordPress sites.
Anyway, Let’s get back to our scan results.
As you can see it displays the results in the “Results Found” and “Ignore Results.” The ignored results are not that important as you can simply ignore it. However, for the results, you can take action for each one of them. The plugin is saying that two of my plugins are not available on the WordPress.org repository. It is also marking it as critical.
So, is it correct? Yes, it is.
There can be multiple reasons for the plugin to be not available on the repository. It can be because the plugin developers stopped issuing updates, or it is removed from the respiratory system by the WordPress team for not meeting the guidelines. The best thing you can do from here is to check out more details on the right hand side of the listed problem. You can also Google the issue and do your own research. Once you do the research, you are free to take the desired action.
In case of any malware, it will automatically try to fix it by removing it completely from your WordPress installation.
But there is one thing that you should know. The free version takes a community approach, and your site is scanned using 30 days delayed signatures. That can be too much for sites that rely heavily on security, but for the majority of sites, that are not an issue.
Scan Option and Scheduling
Our first scan option was done based on the custom scan type. This means that the scan took place based on your site. Apart from the custom scan type, you can also choose the following:
- Limited Scan: For low resource utilization
- Standard Scan: Recommended for all websites
- High Sensitivity: To check if the site is hacked with malware or not
You can also schedule your scan with the plugin. However, the free version doesn’t let you manually set the scheduled scans and only the plugin determines when to do the scan. That’s okay for most sites, but not for many.
This option is enabled by default so let it be!
Apart from that, you also get access to other options, including General, Performance, and Advanced. Each one of them gives you access to tons of options, and you should only touch them if you know what you are doing!.
The general options look like …
Whereas in performance options, you get…
And, Advanced scan options are as below.
WordFence Firewall: Blocking The Harmful Packets
The WordFence Web Application Firewall lets you protect your website against a variety of online threats. The good thing is that it is turned ON as soon as you install the plugin. But, you optimize it further to get the best protection. The default protection it provides is the Basic WordPress Protection.
Let’s make the firewall more secure.
First, go to WordFence > Firewall.
From there, choose Manage Firewall, as shown in the image below.
Next, click on “Optimize the WordFence Firewall” option to get started. You do not have to worry about other options or text there.
Once you click there, it will throw a wall of text and technical jargon. But you do not have to worry about it. All you need to do is “DOWNLOAD .HTACCESS” so that you can restore your site if something goes wrong.
Now, all you need to do is wait. If everything goes right, you will see a message popup as “Installation Successful.”
If something went wrong, then check out the file permissions on your site. Also, the firewall is learning about your site, so it is always better to do action on your site and make it learn your behavior so that it can protect you in the best possible way.
WordFence Tools
The tool section (WordFence > Tools) gives you access to useful tools! They are as follows:
- Live Traffic: Check out the live traffic related to your site. It also shows failed login attempts.
- Whois Lookup: It lets you check the domain name and IP address-related information
- Import/Export: Here, you can import or export your WordFence options
- Diagnostics: Here you can check the logs related to troubleshooting
WordFence Login Security Settings
One of the finest features of the WordFence security plugin is its login security settings. If you do not know that hackers mostly go hack the login to get access to the site and that’s why you need to harden your site’s login security.
Well, you can do it by going to WordFence > Login Security.
2FA Settings
2FA is two-factor authentication that you enable on your site. By doing so, you can enable 2FA on your site and make it very secure!
So, every time you login, you will be asked for the 2FA code that is generated by the authenticator app of your choice. All you need to do is scan the QR code in an authenticator app, and you are set!
Also, make sure that you download the recovery codes in case you lose your phone or the authenticator.
The settings tab contains more login security options.
For instance, you can enable 2FA settings for all the roles or a few roles.
You can also whitelist some IP addresses for 2FA. This is useful if you are an administrator and login on your site frequently. This way, you do not have to enter the 2FA code now and then.
Lastly, the WordFence login security also added support for reCAPTCHA on user registration and login pages. This adds another layer of security to your site.
WordFence Paid Plans and Features
By now, you should know that the free version is limited. The paid version goes for $99 per year and offers many advanced features, including the following:
- You can check real-time updates
- The paid version lets you block entire countries! Well, this is useful when your site is getting targeted by hackers from one state or you do not want a specific audience to access your content.
- Offers remote scanning where you can remotely scan your site.
- Offers spam checking for better spam management.
- You get the ability to schedule the scans manually. The plugin automatically decides the best time to scan(generally once per day) for free users.
In my opinion, the free version works for most websites. However, if you are a business that requires the best possible security and peace of mind, then it is not a bad idea to go for the paid version. I suggest that you start with the free version and see what it has to offer. Once you are satisfied with what it has to offer, you can choose to get the paid version.
WordFence Pros and Cons
There are many things to love and hate about WordFence. Let’s list the WordFence Pros and Cons below.
WordFence Pros
- The plugin is free to use
- The plugin is easy to install and configure
- The plugin configures itself according to the site type
- Great dashboard with quick access to some features and information
- Amazing documentation, and you do not have to leave the app to access it
- The free version offers access to support forums and community
- The WordPress Site Cleaning Service lets you get rid of the malware easily
- The Cleaning Service also gives you access to a one-year WordFence security plugin premium.
WordPress Cons
- The free version is limited to 30 days old signatures for scanning
- The free version is functional, but it is limited enough for you to consider buying the premium version. For example, you cannot manually schedule scanning on the free version.
- The premium version is slightly costly.
- Their WordPress Site Cleaning Service is always priced higher due to their pricing model.
Conclusion
So, where do we stand with WordFence? Do I recommend it? Well, yes! I do.
You can get started with the free version. It offers good enough options for sites that require basic protection. There are also tons of options to play with the free version. For the paid version, I would like you to try the free version and decide if it fits your requirement and long-term goals.
You might also be thinking, how does it stack against Sucuri? Well, according to what I have seen, Sucuri is also a good option as it provides DNS level firewall and other essential security features such as DDoS protection. So, maybe you want to try that out too!
So, what have to decide? Comment below and let us know.
