Wordfence is one of the more popular WordPress plugins in the world, with over 2 million active installs at the time of this writing. It includes a number of security features (some free and some paid), including a firewall, malware scanning, IP blocking, and login security. The Wordfence dashboard provides you a detailed overview of all current security statistics on your site:
As you can see there is quite a bit you can do with just the free version of the plugin. Plus, it works fairly nicely right out of the box with only a few simple configurations. Notice there were 17 blocked firewall attacks in the past month? Without a security plugin installed there is a good chance those threats could be hitting your site unnoticed.
Below is a closer look at the Wordfence web application firewall:
The Wordfence WAF protects you from all the most common attacks like cross-site scripting, SQL injection, and brute force attacks. The screenshot above shows a paid version of the plugin, which also gets you some premium features like comment spam filters, “spamvertising” checks, IP spam checks, etc. And as you can see, the rules engine is just a simple list of check boxes that you can enable or disable as you please. Not included in this screenshot is a useful feature called Rate Limiting. This feature allows you to throttle or block certain people or crawlers that are abusing your site by hitting too many pages too fast. The settings are easy to configure using only drop-downs.
Wordfence Website Scan
The Wordfence scan checks your whole WordPress site for vulnerabilities, including:
- the public configuration of your site
- log files
- the strength and complexity of user and admin passwords
- current disk usage
- unauthorized DNS changes
It can also check and compare the core WordPress, themes, and plugins files against the repository versions to ensure they are the same size and have not been modified.
As with the WAF, you won’t receive real-time updates to protect you from the most recent security threats out there. This is fine for some people, but it does leave you open to zero-day vulnerabilities. That said, you’re getting a lot of protection in the free version.
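The file comparison the scan performs can be illustrated with a small integrity check. This is an added example, not Wordfence's own code: the manifest format, function names and sample files are assumptions constructed for illustration, and SHA-256 stands in for whatever comparison the plugin uses internally.

```python
import hashlib
import tempfile
from pathlib import Path


def file_record(path: Path) -> tuple:
    """Return (size, SHA-256 hex digest) for one file."""
    data = path.read_bytes()
    return len(data), hashlib.sha256(data).hexdigest()


def compare_tree(root: Path, manifest: dict) -> dict:
    """Classify files under root against a manifest of {relative path: (size, sha256)}."""
    report = {"ok": [], "modified": [], "missing": [], "unknown": []}
    on_disk = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif file_record(on_disk[rel]) != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # A file the reference copy never shipped matters as much as a changed one.
    report["unknown"] = [rel for rel in on_disk if rel not in manifest]
    return {status: sorted(paths) for status, paths in report.items()}


def demo() -> dict:
    """Build a constructed reference tree, alter the copy on disk, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        reference = {  # constructed sample files, not real WordPress code
            "wp-login.php": b"<?php // login\n",
            "wp-includes/version.php": b"<?php $wp_version = 'x';\n",
            "wp-includes/load.php": b"<?php // load\n",
        }
        for rel, body in reference.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        manifest = {rel: file_record(root / rel) for rel in reference}
        # Same-size edit: comparing sizes alone would not notice this change.
        (root / "wp-login.php").write_bytes(b"<?php // l0gin\n")
        (root / "wp-includes/load.php").unlink()
        (root / "wp-includes/extra.php").write_bytes(b"<?php // added\n")
        return compare_tree(root, manifest)


if __name__ == "__main__":
    print(demo())
```

The constructed edit to `wp-login.php` keeps the file size unchanged, which is why the check compares a content hash as well as the size.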
Wordfence Pros and Cons
The Wordfence plugin offers quite the security punch for a free app, and the paid version even steps it up another notch. If you are a smaller publisher or personal blogger, you’re not going to find a better free security plugin than Wordfence to keep your site secure. There is a reason it has over 2 million active installs. That said… there is a downside.
The biggest problem with Wordfence is that it does seem to impact website performance. This can be said about just about any plugin (which is why you should only use plugins you need), but this one in particular is pretty heavy duty. We’ve seen a noticeable slowdown in the admin area of our site since install, and there does seem to be an impact to the public-facing side as well (although there are a ton of variables that can affect that). If you’re going to use Wordfence, be sure you’re using a good caching plugin for browser caching and a CDN to cache at the edge.