Securing Your WordPress site: Wordfence Security Review

Securing Your WordPress site: Wordfence Security Review

Chances are, you’re here because you love WordPress, and you love the idea of protecting the site you worked on so tirelessly to create. There are a lot of plugins out there to secure your site, but there’s one that’s often overlooked, and perhaps shouldn’t be.

Boasting a feature-packed feature list to stop hackers in their tracks, it’s consistently being updated to help protect against newer threats.

It’s Wordfence Security.

Although it’s still fairly new, having been created in 2011, WordFence Security has quickly attracted more than 3 million users. The plugin’s parent company Feedjit started out as a real-time analytics company before adding the security plugin to its repertoire when one of its founder have his WordPress site hacked.

While the issue was quickly resolved, the ordeal prompted Mark Maunder to donated his code to help protect others and the result was Wordfence.

The plugin and company has since grown, which seems understandable when you consider Feedjit’s founders have a combined 40 years of experience in programming at many high-profile companies such as the BBC, Coca Cola, and Norton Antivirus.

But how does their plugin fare against the harsh realities of the technological world we live in? I tested it out for a lengthy period of time to help answer that question. What follows are my honest discoveries.

Securing Your WordPress site: Wordfence Security Review

How Much Does it Cost?

There is a free version of the plugin that isn’t just for a trial period; it’s completely free. If you’re looking for a few more robust features, there is a premium version of the plugin, which costs $39 per year, per API key.

If you purchase multiple API keys for multiple websites, bulk discounting is available. For example, having Wordfence on five websites is $23.80 per website. That’s a 39% discount. The discount also increases with each API key you purchase.

Another wonderful aspect is how the APIs work. The clock starts ticking down on them only when you begin to use them, so you can essentially stockpile your API keys for future use. It’s recommend you do this since the folks behind Wordfence can’t continue offering such huge bulk discounts as their plugin improves so rapidly.

If you’d like to play around with their pricing and see how big of a discount you can receive for yourself, their pricing page includes a built-in calculator.

What Do You Get?

You’re not purchasing the plugin but an API key. One API key works for one website for the total number of years you select when you purchase it. One year is the minimum amount of time for which you can purchase an API key.

With each API key comes a slew of features including protection from comment spam, “spamvertising,” malware, back door vulnerabilities, fake Google bots, brute-force attacks, and unauthorized DNS and file changes. With that, you also get the option to run frequent scans, repair files, block IP addresses, or networks, force strong password creation, monitor your disk space, and implement two-step verification with your cell phone. You’ll also enjoy faster support for any issues you come across with their ticket system.

This isn’t even the entire list of features, either. These are just the highlights. You can see the full list of features on the front page of the WordFence website.

How Does It Work?

Once you sign into your Wordfence account, you’ll see the API keys you have purchased by clicking the “Get API Keys” button in your dashboard. From there, you just have to select one of your keys and click to reveal them on the far left of the list.

You can find your Wordfence API key from the "Get API Keys" page on the left of the list.

Then you head over to your WordPress site, and download the Wordfence plugin for free. From the Wordfence tab ,which will appear on your dashboard when the plugin is activated, select “Options.”

There will be a box with your free API key already in it. Erase it and enter in your new key. Don’t forget to scroll to the bottom of that section and click the button to save.

Activate your premium Wordfence options by entering your API key.

The last step is to choose which options you would like enable from comment filtering and email alerts, to which files to scan and what malicious hacks to search.

Select what to scan from the Wordfence options page.

Once you save your selections, you have other options listed under the Wordfence tab in the dashboard. You can block IP addresses, and even entire countries, set up a schedule for scans, and two-step verification, and even view the traffic on your website as it’s happening.

Once you set up alerts to your email, you’ll also be notified when files have been modified without your permission, critical problems arise, or a many number of options which you have pre-selected on the “Options” page.


Learning Curve / Ease of Use

There are so many options to ensure the safety of your site that it can also be your downfall if you don’t pay close enough attention. If you misconfigure your WordPress URL, for example, the plugin will not work, and it will not give you any warning. I learned that the hard way.

If you accidentally enable high sensitivity scanning, you run the risk of having false positives. Similarly, if you set the option too low for locking out users who have too many password attempt failures, you could have a lot of annoyed users on your hands with angry emails in your inbox to boot.

That being said, all of the options are compactly explained, so unless you’re a total beginner, you’ll very likely be able to figure it out without issue. The biggest issue is human error – your error.


Hackers beware! With over 30 features, your site is sure to be safe with Wordfence. Amazingly, there are a lot of options that aren’t even listed on their website. Some of these unlisted features include:

  • Hiding your WordPress version
  • Choosing how much memory Wordfence is allowed to use
  • The option to participate in the real-time Wordfence Security Network
  • Scan for known viruses and vulnerabilities such as the almost recent HeartBleed
  • Scan files outside your WordPress installation
  • Scan image files as if they were executable
  • Automatic updates to newer versions within 24 hours of its release

This plugin’s features definitely go above and beyond. Here’s the list of the scanning options:

  • Scan public facing site for vulnerabilities?
  • Scan for the HeartBleed vulnerability?
  • Scan core files against repository versions for changes
  • Scan theme files against repository versions for changes
  • Scan plugin files against repository versions for changes
  • Scan for signatures of known malicious files
  • Scan file contents for backdoors, trojans and suspicious code
  • Scan posts for known dangerous URLs and suspicious content
  • Scan comments for known dangerous URLs and suspicious content
  • Scan for out of date plugins, themes and WordPress versions
  • Check the strength of passwords
  • Scan options table
  • Monitor disk space
  • Scan for unauthorized DNS changes
  • Scan files outside your WordPress installation
  • Scan image files as if they were executable
  • Enable high sensitivity scanning. May give false positives
  • Exclude files from scan that match defined wildcard patterns

Arguably, the best feature is the fact this plugin is consistently and regularly updated to offer even more new and important features, as well as protect you against new vulnerabilities which may arise in the future.

Out of the box

The Wordfence plugin does work well right out of the box and includes most of the features you want and need. It’s easy to set up, as long as you avoid making any errors along the way.

With as many features that are offered automatically in the free version, you may start feeling like you’re stealing and have the urge to buy an API key. That should give you a fairly good idea of how good this plugin is after a fresh install.

Value for money

Wordfence definitely sets a new standard for value. You get so many features both in the free and paid versions that I can’t help but be left in awe.

For the current price, it’s well worth it. I have been personally using the premium version for just over a year now, and I have encountered no break-ins, no approved spam comments, and no malicious files or vulnerabilities that have not gone unnoticed.

These issues used to run rampant on my website, and it got so bad at one point that I was having spam placed right into my posts, pages, and also in the meta data. This episode prompted me to install Wordfence in the first place.

After being protected for so long now with no issues, I can sleep very well knowing this is the norm. Judging from the 5 star ratings from more than 1,750 people in the plugin directory, a lot of people are experiencing the same peaceful night’s sleep.

This plugin is complete in and of itself, and you will likely not need any other security plugin, with the exception of one to prevent fake logins, for example. However, the Wordfence team are considering this feature for future releases.

It’s difficult to imagine a feature that’s not already included, and paired with a pretty low price tag and steep discounts, you get so much bang for your buck with this plugin.


The only real soft spot I have found with this plugin is its support. Free users are still able to access support through a forum, but it will likely take a few days or more to receive a response.

To be fair, most plugins don’t offer support for their free versions, so perhaps it’s a healthy compromise. As for premium users, you have a slightly better option.

Paid users have access to a support ticket system after logging into the Wordfence website. Ticket times are a bit faster, but it’s ultimately not very efficient since you’re left having to wait for emails to be sent to you.

Also, it’s not terribly helpful that you have to check your account for a response, and when you do you’ll likely have to send many messages back and forth to get to the root of your issue.

The entire process can be very lengthy, but from what I can gather looking through the forum, it seems as though one person is handling all the tickets, so when you get down to it, waiting a couple days to receive a response really isn’t so bad. The responses are usually very efficient, which helps.

Still, if a massive hack is imminent, and something goes wrong, you’ll probably be left vulnerable and your site open to attack for a potentially dangerous amount of time depending on your particular situation.

Final Thoughts

Despite some fairly long support wait times, this plugin is feature-packed to the brim – so much so, it’s overflowing. It’s a strong, efficient plugin at a sustainable price. You’re protected from practically everything, with more protection being consistently added as the need arises.

As long as you’re willing to read the instructions carefully and double-check your WordPress site and Wordfence options configuration for accuracy, you’ll be safe in the knowledge your site is secure.

Wordfence is a security plugin that should not be overlooked. Hackers: You have been forewarned.

Image Credit: Feedjit Inc.

The Good

  • It has so many features, you can't count them all on your fingers and toes.
  • It's consistently being updated to include protection against the latest threats.
  • There's both a free and premium version of the plugin, and the free one still has a tonne of features included.
  • Both paid and free versions include tech support, so you'll never feel all alone; at least not with this plugin, anyway.
  • Feature suggestions are taken very seriously, so if there's something you want to see, it will be thoroughly considered at the very least.
  • Both free and paid plugins offer a complete firewall, and blocking of brute-force attacks, malware, back door vulnerabilities, and loads more.

The Bad

  • Get ready to wait a while for a response from tech support.
  • This plugin is known to give false positives, which can be frustrating if you're not sure how to use the plugin.
  • There's so many features and options, there's definitely a learning curve going on.
  • Simple misconfigurations can cause the plugin to stop working without warning.
  • Site scans tend to take up quite a lot of memory, which can be a hassle if you're not aware of it.
  • Does not currently include protection from fake sign ups, although it's under consideration for future releases.

Wordfence Security by Feedjit

  • Learning curve / ease of use:
  • Features:
  • Out of the box:
  • Value for money:
  • Support:
  • Overall: