If you’re looking for a security plugin for your WordPress site, you may be wondering if Wordfence protects against unwanted bot traffic.
Both the free and premium versions of Wordfence will stop bots that the plugin identifies as being malicious. No service is perfect, but you can also set up your own block lists within the plugin.
Before I dive into the specifics of Wordfence and what it gives you, I’ll take a quick general look at dealing with bot traffic.
Good And Bad Bots
Bots have a bad rep, which is usually well deserved. Most are trying to brute-force your password, or trawl your website for email addresses to spam.
But it’s important to understand that not all bot traffic is bad. The search engines use bots to crawl your web content and ensure it can be found in their search results.
Google’s bot is called (rather unimaginatively) the GoogleBot. The oft-forgotten Bing has the BingBot. The biggest Chinese search engine adds a bit of naming variation with the Baidu Spider. And there are plenty of other good bots that are beneficial to your website.
So, we want to exclude bad bots while allowing good bots to do their thing. Does Wordfence help us with that? In a word, yes. But you do have alternatives, including not using a plugin at all.
DIY Approach (Not Recommended)
I’ll point out from the start that you don’t need a WordPress plugin to stop bot traffic. If you have the technical know-how, you can exclude specific bots yourself, for example by blocking a specific IP address.
It’s actually not that difficult to block a specific IP address. Your WordPress site has a special file (the .htaccess file) in which you can add a list of unwanted IP addresses. (This applies to sites served by Apache; other web servers such as Nginx ignore .htaccess.) But it’s a far more difficult task for one website owner to keep up with the latest bots that slither (or explode) onto the scene.
Aside from that, these hackers are clever. They regularly change their IP addresses. A favorite nefarious technique is to hijack innocent IP sources such as unprotected home routers.
Block Bot Traffic With The Wordfence Firewall (Free)
The Wordfence plugin started as a scanner that checks your WordPress site for malicious files. The firewall was introduced at a later stage. What’s the difference between these two parts?
When people or bots visit your website, their browsers send requests to access specific web pages and scripts. A firewall monitors these requests as they come in, and looks for anything malicious.
To identify what is malicious, a firewall has a set of rules defined by the developers. I’ll give an example for Wordfence.
Wordfence firewall rule examples
Here are two rules from the Wordfence firewall rules list. You’ll see that they both relate to a popular SEO plugin.
I wrote an article on how Wordfence affects SEO, and I noted that one of the advantages is that Wordfence protects you from hacks through your chosen SEO plugin.
In this case, a specific version of the All In One SEO plugin had a vulnerability within its code. XSS refers to cross-site scripting: a flaw that lets an attacker run their own script inside a visitor’s browser, in the context of your site, which effectively hijacks that browser. If that browser is yours, and you are the admin of your website – now you have problems!
By the way, don’t be alarmed if you’re using All in One and are keeping it updated. Those vulnerabilities are in quite old versions of the plugin.
Bots and vulnerabilities
So, how does a hacker take advantage of a vulnerability like this? They craft a call or request to your website that triggers the specific piece of (poor) code within that plugin.
They then fire up a bot, or a network of bots, to send these malicious requests to as many websites as possible.
But your Wordfence plugin has a specific rule that describes what these malicious requests look like.
Wordfence firewall protection from bots
The firewall is the first line of protection against malicious bots.
You may already know that Wordfence can also check a blacklist of IP addresses. You can build your own blacklist using the free version, and the premium version has a massive list of bad actors.
But checking a list requires an extra step of processing. The firewall already sees what’s in the request at this point. It’s faster to check if the request violates a specific rule (e.g. it looks exactly like the XSS rule) and reject it there and then.
This greatly helps with performance on your website. These bot requests don’t even hit the files on your site as they are blocked mid-flight.
How does the Wordfence plugin see your traffic before it hits your website?
The Wordfence plugin code on your site checks incoming requests before they hit the rest of the scripts on your website. How does that happen?
That brings us to a part of the Wordfence installation that many people find confusing. You are asked to back up a file called the .htaccess file. If you say yes, a copy of this file is downloaded to your local machine.
What’s going on here is that the web server reads this file on every request to your site. When you consent to Wordfence protection, the plugin writes a line near the top of that very important file. This ensures that the Wordfence code runs before the rest of the WordPress code. And that Wordfence code is the firewall software.
The .htaccess file is so important to the working of a website that Wordfence requires you to take a backup before their installation modifies it. I remember being somewhat alarmed the first time this happened. I mean, it seems like they expect something to go wrong? Not at all. They’re just covering their rears from a very unlikely circumstance.
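Here is an added Python illustration of that step (my example, not the plugin’s own installer). The "line near the top" relies on PHP’s auto_prepend_file setting, which is what Wordfence’s firewall uses in practice; the WAF path and the marker comments are placeholders I chose, and the sample .htaccess content is constructed from WordPress’s standard rewrite block.

```python
import shutil
import time

# auto_prepend_file makes PHP include the WAF script before any other PHP file on
# the site, which is how the firewall sees a request first. The path here is a
# placeholder, not the plugin's own file name.
WAF_PATH = "/var/www/example/waf-PLACEHOLDER.php"
MARKER = "# BEGIN WAF auto_prepend (example)"

# Constructed sample: the standard rewrite block WordPress itself writes to .htaccess.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n<IfModule mod_rewrite.c>\nRewriteEngine On\nRewriteBase /\n"
    "RewriteRule ^index\\.php$ - [L]\nRewriteCond %{REQUEST_FILENAME} !-f\n"
    "RewriteCond %{REQUEST_FILENAME} !-d\nRewriteRule . /index.php [L]\n"
    "</IfModule>\n# END WordPress\n"
)


def waf_block(waf_path):
    """The lines to add. The IfModule guard matters: php_value is only understood by
    mod_php (mod_php.c is the PHP 8 module name; PHP 7 used mod_php7.c). On a PHP-FPM
    server an unguarded php_value is an invalid directive and yields a 500 error; there
    the setting belongs in .user.ini instead, and Nginx ignores .htaccess entirely."""
    return (
        f"{MARKER}\n"
        "<IfModule mod_php.c>\n"
        f'  php_value auto_prepend_file "{waf_path}"\n'
        "</IfModule>\n"
        "# END WAF auto_prepend (example)\n"
    )


def insert_waf_directive(htaccess_text, waf_path=WAF_PATH):
    """Prepend the block so it runs first and leave existing rules untouched.
    Running it twice is a no-op, so a re-install cannot stack a second copy."""
    if MARKER in htaccess_text:
        return htaccess_text
    return waf_block(waf_path) + htaccess_text


def protect_site(htaccess_file, waf_path=WAF_PATH):
    """Back up .htaccess first (the step Wordfence asks you to confirm), then rewrite it."""
    backup = f"{htaccess_file}.bak-{int(time.time())}"
    shutil.copy2(htaccess_file, backup)
    with open(htaccess_file, encoding="utf-8") as fh:
        original = fh.read()
    with open(htaccess_file, "w", encoding="utf-8") as fh:
        fh.write(insert_waf_directive(original, waf_path))
    return backup
```

If the firewall ever needs to come out, restoring the backup file returned by protect_site is the whole rollback, which is why the plugin insists on that copy.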
Why are there two firewall areas in the dashboard?
Here’s the firewall database from one of my newer websites. I use the community version of the plugin when a site is at low traffic.
The dashboard display confused me when I started to use Wordfence. Are there two separate firewalls? No, there’s not.
Both the free and premium versions of the plugin have the Wordfence firewall. The difference is how quickly you get new rules for specific vulnerabilities. With the free version, new rules are pushed out to your installation after a 30-day delay. Premium users get them almost immediately.
I think they split out the display like this to encourage an upgrade to premium. I get that, but I still think it’s confusing.
Are you like me with a mix of free and premium plugins across multiple sites? Be sure you don’t use the same administrator login and password across your sites. I accept a degree of risk by using the community version, but that risk should not spread to my larger sites.
Blocking Bots With Wordfence Brute Force Protection (Free)
We’ve covered the Wordfence firewall which intercepts bad bot requests before they hit the rest of your website. That’s the first level of protection.
If you’re running the free version of the plugin, your next layers of protection include Brute Force and Rate Limiting. I’ll look at Brute Force Protection in this section.
This is the most common form of bad bot attack on WordPress websites. Wordfence has a set of rules that identify typical patterns (or signatures) of these attacks.
The defaults are interesting. Wordfence looks for 20 login failures within a four-hour period before blocking that IP address for four hours. Are you wondering why it’s so lenient? Why not kick these bots out after two or three failures?
Well, studies show that we humans make a lot of mistakes. Five or more attempts by real and legitimate WordPress admins or authors are common. If you have a team of authors, your entire day could be spent fielding forlorn pleas to go in and unblock them. This is why Wordfence is lenient.
Configuring the options
What if you are the sole user of your WordPress site, and you use a secure password tool for logging in?
That’s a good reason for changing the default options to be more strict. This will enhance the performance of your website. You could cut bad traffic in half here.
But I suggest you don’t be too aggressive and set it to one or two attempts. You’ll probably lock yourself out as the sole administrator when you mix up your sites (yeah, I’ve been there). Of course, you will recover your access. But the process is a pain in the neck, and you tend to make these mistakes when you’re stressed out about some problem on the site.
Using Wordfence Rate Limiting To Block Bot Traffic (Free)
When you use Wordfence to apply Rate Limiting, you cap the number of requests that a visitor can make within a minute.
For example, you can set the cap anywhere from 1920 requests per minute down to one request per minute. By default, Wordfence applies no cap at all; you’ll see the settings set to “Unlimited”.
Here are two rate-limiting rules that aren’t active on my fresh site.
I think the reason Wordfence defaults to Unlimited, rather than a very high number, is that a reasonable cap depends on the website. Suppose you have a sports site with changing scores. You may need to allow a very high rate of calls per minute.
Even if you have a content site with no sales or other forms, you probably shouldn’t set a low number here. When you pull up a simple web page, your browser makes multiple calls to the site (for the page itself plus its stylesheets, scripts and images). If you’re not familiar with what typical requests look like, I suggest you don’t tinker with these settings for standard visitors.
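To make the brute-force defaults and the per-minute cap concrete, here is an added Python model (my example, not Wordfence’s code) of those two layers: a per-IP sliding window for login failures with the 20-failures-in-four-hours default and a four-hour block, and the same window type reused for the requests-per-minute cap. It assumes, as a simplification, that exceeding the rate cap blocks the IP for the same duration as a brute-force block.

```python
from collections import defaultdict, deque

HOURS = 3600


class SlidingWindow:
    """Per-IP event counter over a trailing window of `window` seconds."""
    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, ip, now):
        q = self.events[ip]
        q.append(now)
        while now - q[0] > self.window:   # drop events that aged out of the window
            q.popleft()
        return len(q)


class BotGuard:
    """Toy model of the brute-force and rate-limiting layers (not Wordfence code)."""
    # Defaults are the Wordfence ones quoted above: 20 failures in 4 hours, 4-hour block.
    # max_requests_per_minute=None models the "Unlimited" rate-limit default.
    def __init__(self, max_failures=20, failure_window=4 * HOURS,
                 block_duration=4 * HOURS, max_requests_per_minute=None):
        self.max_failures = max_failures
        self.block_duration = block_duration
        self.max_rpm = max_requests_per_minute
        self.failures = SlidingWindow(failure_window)
        self.requests = SlidingWindow(60)
        self.blocked_until = {}

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def handle_request(self, ip, now):   # any page hit
        if self.is_blocked(ip, now):
            return "blocked"
        if self.max_rpm is not None and self.requests.add(ip, now) > self.max_rpm:
            self.blocked_until[ip] = now + self.block_duration   # rate limit tripped
            return "blocked"
        return "allow"

    def handle_login_failure(self, ip, now):   # a failed login attempt
        if self.is_blocked(ip, now):
            return "blocked"
        if self.failures.add(ip, now) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_duration   # brute-force tripped
            return "blocked"
        return "allow"
```

Constructing a guard with max_failures=2 reproduces the self-lockout described earlier: one typo is tolerated and the second mistake blocks your own IP for four hours.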
Why don’t we go heavy on crawlers?
You may associate crawlers with a negative impact on your website. But I explained in an earlier section that there are good bots that crawl your website. Some of these are from search engines, and you usually want your web content to be available in search results.
But suppose your website is being hammered by crawlers that scrape your content without giving you anything in return? If they are bad internet citizens, all they give you is a performance hit.
At that point, you can start looking at the crawler options that Wordfence provides.
And you’ll notice that right at the top, there’s a special place for Google’s crawlers. This lets you apply a general rule to crawlers while letting Google’s bots bypass it (along with any other bot that successfully pretends to be from Google).
Blocking Bots With The Wordfence IP Blacklist – Premium Protection
I’ve talked about the sequence of Wordfence protection, where Brute Force and Rate Limiting kick in after the Firewall.
I skipped the Wordfence IP Blacklist, which comes into play straight after the Firewall – but only if you have the paid version of the plugin.
The IP Blacklist is a lengthy list of the specific IP addresses of the top known bad bots. The list is constantly updated by the Defiant security team (Defiant is the company behind Wordfence).
This part of the plugin fires before traffic is let through to your website pages. So it’s a popular choice with busy commerce sites that attract bad actors. Eliminating bot traffic at this layer is a great advantage for website performance as well as for preventing malicious actions.
As this is a paid service, some of the details are proprietary. For example, you don’t get to see the IP addresses that are blocked here.
However, there is another part of the free plugin where you can view the bots that are hitting your website.
Use Wordfence To View Bot Traffic (Free)
If you’re not used to seeing website traffic then you may be a little alarmed by the Wordfence dashboards. On the second day of a brand new website, I was seeing entries like this in the failed login display:
No, that’s not me. The only reason I’m hiding the IP is that it may have been hijacked from an innocent victim.
You can see that this is a snapshot in the recent past. I also wrote in another article about how to use Google Analytics to view bot traffic. But that isn’t real-time.
The free version of Wordfence lets you view real-time traffic. By default, the option is set to log security traffic only. That means login attempts.
You can switch over to logging all traffic to see what’s going on across your website.
Here’s an example from one of my sites, where Wordfence has identified the visitor as a bot. The plugin has already taken the action of blocking the IP due to too many failed login attempts.
Be warned that the identification of bot versus human is not always correct. As a case in point, I pulled up a page in my browser and saw the hit appear with the assignment of a bot.
Tracking all traffic to your website is resource-intensive and can only degrade its performance. But it can be very useful to turn this view on and watch what’s going on for a while. Then you can revert to security-only logging.