WordFence is a great security plugin for WordPress that allows you to secure your WordPress installation and prevent brute force attacks, rate-limit visitors (or Bots), block banned IP’s that are accessing your site and more.
Fyi
20th Dec 2017: Wordfence report Backdoor in Captcha Plugin Affects 300K WordPress Sites
Backup
Before I started I performed a quick mysql backup from the command line to ensure my WordPress is backed up. Read my guide on installing WordPress from the command line (here) and securin Ubuntu (here).
Don’t forget to backup your WordPress files.
Download and extract WordFence
I downloaded and installed the Wordfence plugin via command line. I visited https://wordpress.org/plugins/wordfence/ and got the plugin URL for the latest version (e.g https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip).
I downloaded the plugin zip file from the command line to my WordPress plugins folder. Read my guide (here) on managing WordPress from the command line.
Now the Wordfence plugin can be activated in WordPress.
Enter your email to receive Wordfence alerts.
Your Wordfence Dashboard will show local and global issues and statistics.
I set these default Wordfence options.
More Wordfence Options
Set Permissions (for Firewall)
You may need to create a log folder (e.g /www/wp-content/wflogs/) and set permissions to allow Wordfence to work.
Now I can enable the Wordfence firewall via the WordFence plugin at /wp-admin/admin.php?page=WordfenceWAF
Wordfence Firewall
Don’t forget to configure the Wordfence firewall.
Firewall Install Options
I do not have FTP setup so I’ll do a manual install based on these instructions.
I manually added this to my ~/nxinx/sites-available/default config.
I added this to my nginx config.
This did not work as specified in the official Wordfence docs (https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#NGINX) so I added the following.
Accessing a test /test.user.ini file in a web browser returns a 403 (always test access)
I added this to my active php.ini configuration file.
I restart PHP.
I added my IP to the Wordfence whitelist textbox to ensure I am not blocked: /wp-admin/admin.php?page=WordfenceSecOpt
Tip: Grab your IPV4 address from https://ipv4.icanhazip.com/
Recent Wordfence Scan Summary (1st Scan)
Wordfence Dashboard allows you to see local and global stats.
Wordfence (In Progress) Scan summary.
My Issues
Wordfence alerted me that I needed to update WordPress and some plugins (see my guide on installing and managing your WordPress via the Command Line here).
I updated my WordPress core files (via the command line).
I updated my WordPress plugins (via the command line).
Output:
I manually updated my WordPress theme (from my.studiopress.com website) and uploaded via SSH
I could then SSH into my server and extract the theme.
Wordfence Dashboard
Wordfence allows you to see worldwide Blocked IP’s by the Wordfence network.
You can also see local successful or failed login attempts. The Ukraine IP 91.200.12.49 tried to log in to my WordPress installation but was banned globally as it was seen unsuccessfully logging into 900 other global servers, good work Wordfence.
Attacks blocked locally.
View global WordPress attacks by countries
Wordfence Features I like
- Finding abandoned plugins
- See Globally banned IP’s
- See local failed login attempts
- Brute force protection.
- Stats on local blocked events.
- Identification of old files.
- Simple reports.
Wordfence Features I don’t like
- Your mouse must be active in the window for scans to complete/seen.
- Setup firewall almost requires FTP.
Wordfence: 7.02 updated (listed here)
Revised Dashboard looks nice
More to come, I will update this guide over time.
Donate and make this blog better