WordFence is a great security plugin for WordPress that allows you to secure your WordPress installation and prevent brute force attacks, rate-limit visitors (or Bots), block banned IP’s that are accessing your site and more.
Advertisement:
Fyi
20th Dec 2017: Wordfence report Backdoor in Captcha Plugin Affects 300K WordPress Sites
Backup
Before I started I performed a quick mysql backup from the command line to ensure my WordPress is backed up. Read my guide on installing WordPress from the command line (here) and securin Ubuntu (here).
1 | /usr/bin/mysqldump --all-databases > /mysql-database-dump-prewordfence.sql -u 'user' -p'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' |
Don’t forget to backup your WordPress files.
1 | sudo cp -R /www-root/* /backup/www-backup/ |
Download and extract WordFence
I downloaded and installed the Wordfence plugin via command line. I visited https://wordpress.org/plugins/wordfence/ and got the plugin URL for the latest version (e.g https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip).
I downloaded the plugin zip file from the command line to my WordPress plugins folder. Read my guide (here) on managing WordPress from the command line.
1 2 3 4 | cd /www-root/wp-content/plugins/ sudo wget https://downloads.wordpress.org/plugin/wordfence.6.3.19.zip sudo unzip /www-root/wp-content/plugins/wordfence.6.3.19.zip rm -R /www-root/wp-content/plugins/*.zip |
Now the Wordfence plugin can be activated in WordPress.
Enter your email to receive Wordfence alerts.
Your Wordfence Dashboard will show local and global issues and statistics.
I set these default Wordfence options.
More Wordfence Options
Set Permissions (for Firewall)
You may need to create a log folder (e.g /www/wp-content/wflogs/) and set permissions to allow Wordfence to work.
1 2 3 | cd /www-root/wp-content/ mkdir wflogs sudo chmod -R 777 /www-root/wp-content/wflogs/ |
Now I can enable the Wordfence firewall via the WordFence plugin at /wp-admin/admin.php?page=WordfenceWAF
Wordfence Firewall
Don’t forget to configure the Wordfence firewall.
Firewall Install Options
I do not have FTP setup so I’ll do a manual install based on these instructions.
I manually added this to my ~/nxinx/sites-available/default config.
I added this to my nginx config.
1 2 3 | location ~ ^/\.user\.ini { deny all; } |
This did not work as specified in the official Wordfence docs (https://docs.wordfence.com/en/Web_Application_Firewall_FAQ#NGINX) so I added the following.
1 2 3 | location ~ (\.ini) { return 403; } |
Accessing a test /test.user.ini file in a web browser returns a 403 (always test access)
1 2 3 | 403 Forbidden nginx |
I added this to my active php.ini configuration file.
1 | auto_prepend_file = '/www-root/wordfence-waf.php' |
I restart PHP.
1 | sudo systemctl restart php7.0-fpm |
I added my IP to the Wordfence whitelist textbox to ensure I am not blocked: /wp-admin/admin.php?page=WordfenceSecOpt
Tip: Grab your IPV4 address from https://ipv4.icanhazip.com/
Recent Wordfence Scan Summary (1st Scan)
Wordfence Dashboard allows you to see local and global stats.
Wordfence (In Progress) Scan summary.
My Issues
Wordfence alerted me that I needed to update WordPress and some plugins (see my guide on installing and managing your WordPress via the Command Line here).
I updated my WordPress core files (via the command line).
1 2 | sudo wp core update > Success: WordPress is up to date. |
I updated my WordPress plugins (via the command line).
1 | sudo wp plugin update --all |
Output:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | >Enabling Maintenance mode... >Downloading update from https://downloads.wordpress.org/plugin/>add-to-any.1.7.19.zip... >Unpacking the update... >Installing the latest version... >Removing the old version of the plugin... >Plugin updated successfully. >Downloading update from https://downloads.wordpress.org/plugin/>display-posts-shortcode.2.9.0.zip... >Unpacking the update... >Installing the latest version... >Removing the old version of the plugin... >Plugin updated successfully. >Downloading update from https://downloads.wordpress.org/plugin/>wordpress-seo.5.5.1.zip... >Unpacking the update... >Installing the latest version... >Removing the old version of the plugin... >Plugin updated successfully. >Disabling Maintenance mode... >+-------------------------+-------------+-------------+---------+ >| name | old_version | new_version | status | >+-------------------------+-------------+-------------+---------+ >| add-to-any | 1.7.17 | 1.7.19 | Updated | >| display-posts-shortcode | 2.8.0 | 2.9.0 | Updated | >| wordpress-seo | 5.4.2 | 5.5.1 | Updated | >+-------------------------+-------------+-------------+---------+ >Success: Updated 3 of 3 plugins. |
I manually updated my WordPress theme (from my.studiopress.com website) and uploaded via SSH
1 | scp ~/Downloads/genesis.2.5.3.zip sshuser@www.example.com:/www-root/wp-content/themes/genesis.2.5.3.zip |
I could then SSH into my server and extract the theme.
1 2 3 | cd /www-root/wp-content/themes/ unzip genesis.2.5.3.zip rm -R genesis.2.5.3.zip |
Wordfence Dashboard
Wordfence allows you to see worldwide Blocked IP’s by the Wordfence network.
You can also see local successful or failed login attempts. The Ukraine IP 91.200.12.49 tried to log in to my WordPress installation but was banned globally as it was seen unsuccessfully logging into 900 other global servers, good work Wordfence.
Attacks blocked locally.
View global WordPress attacks by countries
Wordfence Features I like
- Finding abandoned plugins
- See Globally banned IP’s
- See local failed login attempts
- Brute force protection.
- Stats on local blocked events.
- Identification of old files.
- Simple reports.
Wordfence Features I don’t like
- Your mouse must be active in the window for scans to complete/seen.
- Setup firewall almost requires FTP.
Wordfence: 7.02 updated (listed here)
Revised Dashboard looks nice
More to come, I will update this guide over time.
Donate and make this blog better