Securing Your WordPress site: Wordfence Security Review

How Much Does it Cost?

There is a free version of the plugin that isn’t just for a trial period; it’s completely free. If you’re looking for a few more robust features, there is a premium version of the plugin, which costs $39 per year, per API key.

If you purchase multiple API keys for multiple websites, bulk discounting is available. For example, having Wordfence on five websites is $23.80 per website. That’s a 39% discount. The discount also increases with each API key you purchase.

Another wonderful aspect is how the APIs work. The clock starts ticking down on them only when you begin to use them, so you can essentially stockpile your API keys for future use. It’s recommend you do this since the folks behind Wordfence can’t continue offering such huge bulk discounts as their plugin improves so rapidly.

If you’d like to play around with their pricing and see how big of a discount you can receive for yourself, their pricing page includes a built-in calculator.

What Do You Get?

You’re not purchasing the plugin but an API key. One API key works for one website for the total number of years you select when you purchase it. One year is the minimum amount of time for which you can purchase an API key.

With each API key comes a slew of features including protection from comment spam, “spamvertising,” malware, back door vulnerabilities, fake Google bots, brute-force attacks, and unauthorized DNS and file changes. With that, you also get the option to run frequent scans, repair files, block IP addresses, or networks, force strong password creation, monitor your disk space, and implement two-step verification with your cell phone. You’ll also enjoy faster support for any issues you come across with their ticket system.

This isn’t even the entire list of features, either. These are just the highlights. You can see the full list of features on the front page of the WordFence website.

How Does It Work?

Once you sign into your Wordfence account, you’ll see the API keys you have purchased by clicking the “Get API Keys” button in your dashboard. From there, you just have to select one of your keys and click to reveal them on the far left of the list.

Then you head over to your WordPress site, and download the Wordfence plugin for free. From the Wordfence tab ,which will appear on your dashboard when the plugin is activated, select “Options.”

There will be a box with your free API key already in it. Erase it and enter in your new key. Don’t forget to scroll to the bottom of that section and click the button to save.

The last step is to choose which options you would like enable from comment filtering and email alerts, to which files to scan and what malicious hacks to search.

Once you save your selections, you have other options listed under the Wordfence tab in the dashboard. You can block IP addresses, and even entire countries, set up a schedule for scans, and two-step verification, and even view the traffic on your website as it’s happening.

Once you set up alerts to your email, you’ll also be notified when files have been modified without your permission, critical problems arise, or a many number of options which you have pre-selected on the “Options” page.

Ratings

Learning Curve / Ease of Use

There are so many options to ensure the safety of your site that it can also be your downfall if you don’t pay close enough attention. If you misconfigure your WordPress URL, for example, the plugin will not work, and it will not give you any warning. I learned that the hard way.

If you accidentally enable high sensitivity scanning, you run the risk of having false positives. Similarly, if you set the option too low for locking out users who have too many password attempt failures, you could have a lot of annoyed users on your hands with angry emails in your inbox to boot.

That being said, all of the options are compactly explained, so unless you’re a total beginner, you’ll very likely be able to figure it out without issue. The biggest issue is human error – your error.

Features

Hackers beware! With over 30 features, your site is sure to be safe with Wordfence. Amazingly, there are a lot of options that aren’t even listed on their website. Some of these unlisted features include:

• Hiding your WordPress version
• Choosing how much memory Wordfence is allowed to use
• The option to participate in the real-time Wordfence Security Network
• Scan for known viruses and vulnerabilities such as the almost recent HeartBleed
• Scan files outside your WordPress installation
• Scan image files as if they were executable
• Automatic updates to newer versions within 24 hours of its release

This plugin’s features definitely go above and beyond. Here’s the list of the scanning options:

• Scan public facing site for vulnerabilities?
• Scan for the HeartBleed vulnerability?
• Scan core files against repository versions for changes
• Scan theme files against repository versions for changes
• Scan plugin files against repository versions for changes
• Scan for signatures of known malicious files
• Scan file contents for backdoors, trojans and suspicious code
• Scan posts for known dangerous URLs and suspicious content
• Scan comments for known dangerous URLs and suspicious content
• Scan for out of date plugins, themes and WordPress versions
• Check the strength of passwords
• Scan options table
• Monitor disk space
• Scan for unauthorized DNS changes
• Scan files outside your WordPress installation
• Scan image files as if they were executable
• Enable high sensitivity scanning. May give false positives
• Exclude files from scan that match defined wildcard patterns

Arguably, the best feature is the fact this plugin is consistently and regularly updated to offer even more new and important features, as well as protect you against new vulnerabilities which may arise in the future.

Out of the box

The Wordfence plugin does work well right out of the box and includes most of the features you want and need. It’s easy to set up, as long as you avoid making any errors along the way.

With as many features that are offered automatically in the free version, you may start feeling like you’re stealing and have the urge to buy an API key. That should give you a fairly good idea of how good this plugin is after a fresh install.

Value for money

Wordfence definitely sets a new standard for value. You get so many features both in the free and paid versions that I can’t help but be left in awe.

For the current price, it’s well worth it. I have been personally using the premium version for just over a year now, and I have encountered no break-ins, no approved spam comments, and no malicious files or vulnerabilities that have not gone unnoticed.

These issues used to run rampant on my website, and it got so bad at one point that I was having spam placed right into my posts, pages, and also in the meta data. This episode prompted me to install Wordfence in the first place.

After being protected for so long now with no issues, I can sleep very well knowing this is the norm. Judging from the 5 star ratings from more than 1,750 people in the plugin directory, a lot of people are experiencing the same peaceful night’s sleep.

This plugin is complete in and of itself, and you will likely not need any other security plugin, with the exception of one to prevent fake logins, for example. However, the Wordfence team are considering this feature for future releases.

It’s difficult to imagine a feature that’s not already included, and paired with a pretty low price tag and steep discounts, you get so much bang for your buck with this plugin.

Support

The only real soft spot I have found with this plugin is its support. Free users are still able to access support through a WordPress.org forum, but it will likely take a few days or more to receive a response.

To be fair, most plugins don’t offer support for their free versions, so perhaps it’s a healthy compromise. As for premium users, you have a slightly better option.

Paid users have access to a support ticket system after logging into the Wordfence website. Ticket times are a bit faster, but it’s ultimately not very efficient since you’re left having to wait for emails to be sent to you.

Also, it’s not terribly helpful that you have to check your account for a response, and when you do you’ll likely have to send many messages back and forth to get to the root of your issue.

The entire process can be very lengthy, but from what I can gather looking through the forum, it seems as though one person is handling all the tickets, so when you get down to it, waiting a couple days to receive a response really isn’t so bad. The responses are usually very efficient, which helps.

Still, if a massive hack is imminent, and something goes wrong, you’ll probably be left vulnerable and your site open to attack for a potentially dangerous amount of time depending on your particular situation.

Final Thoughts

Despite some fairly long support wait times, this plugin is feature-packed to the brim – so much so, it’s overflowing. It’s a strong, efficient plugin at a sustainable price. You’re protected from practically everything, with more protection being consistently added as the need arises.

As long as you’re willing to read the instructions carefully and double-check your WordPress site and Wordfence options configuration for accuracy, you’ll be safe in the knowledge your site is secure.

Wordfence is a security plugin that should not be overlooked. Hackers: You have been forewarned.

Image Credit: Feedjit Inc.