This beginner’s guide to Wordfence is a quick overview of what you need to know to secure your new WordPress site.
WordFence is one of the first plugins you should install on your website. The free version is enough for a small and growing site. When your site starts getting a high volume of traffic, you can review more advanced features.
How Wordfence Stops Bot Attacks And Bad Bot Traffic
The free version of Wordfence provides several methods to combat unwanted bot traffic that include:
- A firewall with extensive rules to identify known malicious bots
- Protection against brute force attacks that repeatedly attempt to guess admin passwords
- Rules that limit repeated crawling of your website pages
- Real-time display of traffic hitting your website
We have a separate article on how Wordfence stops bots that covers each of these features in detail. We also discuss the premium IP blacklist feature, which is a great choice for growing e-commerce sites.
Malicious login attempts
When you use Wordfence to watch live traffic, you’ll quickly see that login attempts are one of the most frequent attacks on your WordPress site. Hackers have automated systems that watch out for new WordPress websites, and they send malicious login attempts your way.
The default free Wordfence installation protects you from these attacks. By default, Wordfence allows twenty failed login attempts within four hours – and then it blocks the IP address from further attempts.
Does that default seem overly generous? If you have a very inept colleague (or you yourself are very forgetful of your passwords), you may want to change these defaults to be a little more defensive.
Our article on how Wordfence limits login attempts will guide you on the most effective settings for different types of websites.
Blocking And Whitelisting IP Addresses With Wordfence
The free version of Wordfence lets you block as many IP addresses as you deem necessary.
But how do you know which IP addresses are repeatedly hitting your site? This is where the real-time traffic display we mentioned in the previous section comes into play. Wordfence shows you the IPs of problem visitors and you can target them specifically.
Our article on how to block IP addresses with Wordfence starts with viewing failed logins (a typical attack) and then takes you through viewing live traffic. We have examples and pictures to show you how to block unwanted sources of traffic.
There are times when you want explicitly to ensure that some IP addresses are not blocked by Wordfence’s protection. Our article on how to whitelist an IP address in Wordfence will show you exactly how to do this.
How Wordfence Helps Your Search Engine Optimization (SEO)
Wordfence helps your website SEO in several ways:
- Stops your site from being hacked in ways that result in Google penalties
- Protects from bot attacks that can block Google and other search engines
- Protects from hacks to SEO plugins
- Shows you suspect traffic that should be blocked
We have a separate article on how Wordfence affects SEO, which goes into these topics (and more) in clear detail.
Concerned About Extra Plugins Slowing Your Site?
In general, you should keep the number of plugins you install on WordPress to a minimum. Every additional plugin adds an extra load, although the best plugins will strive to be very lightweight.
WordFence is one of the plugins that I consider to be necessary. However, you may see old reviews that say that it is a drag on performance! In my experience, the latest versions of WordFence have minimal impact on websites that aren’t hitting a high volume of traffic.
However, you don’t have to take my word for it. Our article on whether Wordfence slows your website will show you how to check and monitor your own installation for any issues. We also have tips on what to do if you experience performance problems.
Avoid Being Overwhelmed By Wordfence
I’ve already mentioned that automated bots watch out for new WordPress sites and hit them with login attempts. Wordfence protects you right out of the box from these crude attempts.
However, the monitoring tool also sends you alerts to tell you how hard it’s working. Personally, I turn down the level of alerts I receive from a website until it’s generating income.
Our article on how to turn off Wordfence alerts will take you through how to tailor the alerts to your needs. You don’t need to turn them off completely (and that is not advisable), but you can turn down the dial to avoid being deluged.
How To Remove Wordfence Properly
You may be thinking that get rid of any WordPress plugin is a simple matter of hitting the deactivate and delete links. But that is usually the wrong way with Wordfence!
Before you do this, check out our article on ways to remove Wordfence either partially or completely.