How to Stop Hackers in Their Tracks with Defender

How to Stop Hackers in Their Tracks with Defender

Defender deters hackers with IP banning, login lockout, updating security keys, two-factor authorization, and more. Learn about Defender’s robust security features that prevent hackers from waltzing right into your WordPress site.

No hacker gets past Defender!

Defender is WPMU DEV’s answer to WordPress security.

Our powerful 5-star plugin provides complete security for your WordPress sites and brings you peace of mind by deterring brute force attacks, SQL injections, cross-site scripting XSS, and preventing hackers from exploiting WordPress vulnerabilities.

“Defender recently blocked over 3000 attacks in one week without any noticeable impact on the website. WPMUDEV knocking it out of the park on this one.” – David Oswald

Defender adds the best in WordPress security to your website with just a few clicks.

In order to stop the hackers from getting in, Defender configures powerful security measures, including allowing you to easily:

Security Tweaks

Right off the bat, Defender provides a number of Security Tweaks in the dashboard, allowing you to easily fix any issues that can be exploited by hackers and compromise your site’s security with just one click.

To help you stay on top of your security tweaks, Defender provides a checklist of all issues that need fixing and highlights these in yellow…

Defender - Security Tweaks - Issues
Defender highlights all issues in yellow.

And marks all resolved issues in green…

Defender Security Tweaks - Resolved
Security tweaks resolved and no longer an issue.

Let’s go through some of these one-click security tweaks…

Disable Trackbacks and Pingbacks

Defender can prevent trackbacks and pingbacks from causing DDoS attacks and spam comments.

Just click the Disable Pingbacks button.

Disable trackbacks and pingbacks.
Disable trackbacks and pingbacks.

Check Default Database Prefix

While Defender doesn’t change your default database prefix, it will detect whether it is using the default wp_ database prefix that WordPress normally assigns to new installations.

You can then change it and set a unique database prefix that will make it harder for hackers to perform SQL injection attacks if they run across any code vulnerability on your site.

This adds another layer of difficulty for hackers to overcome, further protecting your WordPress site.

You can quickly see if this function is enabled or disabled in the Issues or Resolved section.

Your default database prefix is resolved.
Your default database prefix is resolved.

Disable File Editor

As the file editor is built into WordPress, anyone with an admin account can edit your theme and plugin files and inject malicious code.

Disabling the file editor helps prevent this and any security holes in your admin that could become a problem.

Disable file editor.
Disable the file editor is seen as a security issue. That can be done with a click of a button.

If it’s an issue, just click Disable the File Editor in the Issues section.

Disable file editor button.
Disable file editor button.

The problem will be fixed and marked as Resolved.

Disabled file editor.
And now it’s disabled.

Hide Error Reporting

With Defender’s one-click security tweaks, you can make your site less prone to malicious attacks by disabling the built-in PHP and scripts error debugging feature of WordPress.

This feature displays code errors on the frontend of your website, allowing hackers to find loopholes in your site’s security.

Hide error reporting is now resolved.
Hide error reporting is now resolved.

Update Security Keys

As WordPress uses security keys to enhance the encryption of information, having a random, unpredictable encrypted password (e.g. 89080a8908908b098903c) can make it near impossible for hackers to come up with the right combination.

Defender’s Update old security keys feature lets you update these keys regularly and set a reminder for how often ut should notify the admin to regenerate these.

Where you'll regenerate the keys.
Where you’ll regenerate the keys.

Once your security keys have been regenerated, the update is then automatically marked as Resolved.

Where it shows security keys are updated. Also, you can set a reminder here to reset again in the future.

Prevent Information Disclosure

Another of Defender’s automated one-click Security Tweaks is to prevent the disclosure of sensitive files in servers that have been misconfigured, allowing malicious users to access your WordPress site or database.

Prevent information disclosure.
The status of the Prevent Information Disclosure security feature.

Prevent PHP Execution

Defender lets you disable direct PHP execution in directories that don’t require it, preventing plugin or theme vulnerabilities from allowing a harmful PHP file to be uploaded to your WordPress site’s directories.

Resolved Prevent PHP Execution.
Resolved Prevent PHP Execution.

You can also add exceptions to PHP files that you want to run and bypass Defender’s protection measures.

Where exempt PHP files can be placed.
Where exempt PHP files can be placed.


Defender’s Firewall adds a hardened layer of protection against a hacker’s attempts to gain entry to your site through brute force attacks.

It comprises a number of security measures, including:

Login Lockout

Defender locks out any user who tries to log in and fails repeatedly to get the credentials right.

Login Lockouts dashboard.
Defender’s Login lockouts dashboard.

You can configure login lockout options such as the lockout time, lockout message, and ban usernames.

Adjusting the threshold lets you specify how many failed login attempts defender will allow in a given time period before triggering a lockout.

Login lockout threshold
In this example, Defender will ban users with 5 failed login attempts within a 5-minute period.

You can set the duration of the lockout or permanently lock out offending users.

Login lockout duration.
Ban users temporarily or permanently.

Like most of Defender’s features, you can customize the message that will be displayed to locked out users.

Customizable login lockout message.
Customize your message to locked out users.

You can also automatically lockout and ban users if they attempt to log in using common usernames (e.g. admin).

Banned username message.
Defender locks out and bans users attempting to log in using a banned username.

404 Detection

Defender keeps an eye out for repeat offenders. These are usually bots that crawl every link on your site trying to find a back-end admin area so they can wreak havoc or requests from the same IP addresses for pages on your WordPress site that don’t exist.

If this happens too frequently, Defender will block users from accessing your site.

You can specify how many 404 errors within a specific period will trigger a lockout and choose the ban duration for offending users, either for a specific timeframe (in seconds, minutes, or hours) or permanently.

Defender Firewall - 404 Detection.
Defender Firewall – 404 Detection.

You can also customize the message displayed to locked out users.


Manage unlimited WP sites for free

Unlimited sites
No credit card required
Blocked message.
Don’t leave hackers guessing why they’ve been locked out.

Defender’s Blocklist automatically bans users and bots from accessing any files and folders you specify.

If a common file or folder in your website is missing, you can record it in the Allowlist area. Any attempts to access these won’t count toward a lockout.

Defender Firewall - 404 Detection - Files & Folders section
Ban or allow users to access files and folders.

Specifying file types and extensions to auto-ban or allow is as simple as entering these into the plugin’s fields.

Defender Firewall - 404 Detection - Filetypes & Extensions section.
Auto-ban or allow access to filetypes and extensions.

Defender monitors all interactions on your website. However, with the click of a button, you can also choose to include or exclude monitoring 404s from logged-in users.

Click to monitor 404s from logged in users.
Click to monitor 404s from logged-in users.

Geolocation IP Lockout

Defender lets you ban traffic from any location–even an entire nation– if you don’t want traffic coming to your site from certain places. Geolocation IP lockout is a great added security bonus that prevents users in undesirable locations from getting anywhere near your site.

IP Banning inside Defender’ Firewall stops unwelcome visitors with just a few clicks.

Defender - Firewall - IP Banning - Locations section.
Ban countries you don’t want traffic coming from to protect your site from hackers in that location.

You will need to sign up for a free account with MaxMind to get access to the free GeoLite2 Database.

After confirming your account and creating a password, you can generate a license key.

Maxmind - Generate license key
Generate a license key to access the GeoIP database.

Adding this license key to Defender lets you download, add, and access the GeoLite 2 database.

Defender - Locations section - GeoIP database license
Add your GeoIP database license key to download the list of countries.

After successful license activation, the Location section will let you specify countries to block or let traffic through from a drop-down menu.

Defender Locations - GeoIP database dropdown menu
Block or allow traffic from selected countries.

IP Banning

You can block IP addresses by adding these to Defender’s Blocklist. Users with those IP addresses won’t be able to visit your WordPress site and will be greeted instead with a customizable message.

IP block message.

Defender lets you add any addresses you want to ban into its Blocklisted IPs section and supports both IPv4 and IPv6 formats.

Blocklisted IP addresses
Enter banned IPs you want to block.

Alternatively, you can allow IP addresses and exempt users from the ban rules for login protection, 404 detection, or IP ban lists.

Allowlisted IP addresses.
Add allowed IPs.

Once you have added an active list, Defender monitors these IPs. It also lets you release any blocked IPs that were inadvertently banned.

Defender - Firewall - IP Banning - Active lockouts.
Unblock banned IP addresses.

Additionally, you can easily import and export any list data you have already compiled to and from Defender with just one click.

Defender - Firewall - IP Banning - Import and export IP address lists.
Import and export IP address lists easily.

Web Application Firewall (WAF)

If you’re hosting your website with WPMU DEV, a Web Application Firewall is enabled via Defender adding an initial layer of protection against hackers and bots before they can even reach your site.

If any vulnerabilities match our WAF filters ruleset covering common attacks, any vulnerable files in your WordPress core, plugins, or themes will be virtually patched, while also respecting any rules set in Defender’s firewall.

Defender Web Application Firewall
WAF blocks hackers and bot attacks before they ever reach your site!

Two Factor Authentication (2FA)

Defender enhances your WordPress site’s security by adding an extra step in the login process with two-factor authentication. This makes it extremely difficult for a hacker to login to your account.

Enable Two-factor Authentication

With a click of the Activate button, you can configure authentication settings. All the recommended settings are on by default and you’ll have plenty of options.

You can assign User Roles that will require 2FA by clicking on each one.

2FA-User roles section
Defender lets you specify which user roles require 2FA.

If you have a Lost Phone, you can enable this setting to send the authentication code to the user’s email instead.  You can also Force Authentication that will force users to activate 2FA and create Custom Graphics instead of using the default Defender icon.

Lost Phone, Force Authentication, and Custom Graphic options.
Set up Lost Phone, Force Authentication, and Custom Graphic options.

Defender uses the Google Authenticator app. Download and set up instructions are in the User Profile dashboard, allowing you to easily install the app on your device from the App Store or Google Play.

2FA Setup instructions.
Enable 2FA on your User Profile to access setup instructions.

2FA functions by scanning the barcode and entering the 6-digit passcode shown on your device.

Google authenticator.
Google authenticator screen.

Defender’s 2FA feature adds the first impenetrable layer of security and protection against hackers.

Two way authentication area for Defender.
No passcode, no access.

Advanced Tools

Defender provides two Advanced Tools to enhance site security and thwart hackers from accessing your site:

  • Masked Login Area: Change the URL path to your login screen to something other than the default wp-admin.
  • Security Headers: Enable security headers to add an extra layer of security to your website.

Let’s take a quick look at how easy it is to make it hard for hackers to find your login screen:

Login Masking

With Defender, you can easily change your default URL to mask (hide) your login area, preventing hackers and bots from locating and accessing your login URL.

You can choose your own mask login URL and enter any slug you like (e.g. ‘my-awesome-login’). We recommend choosing a login URL that bots will find almost impossible to guess.

Mask Login Area - Masking Inactive.
Create a new login URL that bots won’t be able to guess.

Setting up your new beefed-up secure login URL is as easy as entering a new slug and clicking Save Changes.

Mask Login Area - Masking Active.
Your WordPress site now has a new login URL.

Defender Makes It Harder To Hack WordPress And Easier For Hackers To Go Elsewhere

With Defender monitoring your WordPress site 24/7, hackers have no reason to stick around.

Defender amps your security and stops Hackers in their tracks. In fact, Defender automatically resolves many common security issues as soon as you activate the plugin.

Defender protects your site against hackers and malicious bots before they even visit your site with WAF, lets you perform one-click security tweaks, and then continuously guards and monitors the perimeter with advanced security hardening features like login masking, two-factor authentication, malware scanning, audit logging, and firewall protection.

To learn more about WordPress security, check out our Ultimate Guide to WordPress Security.

For more information on how Defender works, be sure to view the plugin’s documentation.

Also, keep an eye on our roadmap for all the exciting new features coming soon to Defender, the ultimate WordPress security plugin.

Have you ever been hacked? Or, has Defender ever saved the day for your WordPress site? Let us know in the comments!

N. Fakes

N. Fakes Nathanael Fakes is a blog writer and cartoonist at WPMU DEV. He’s worked with WordPress for over a decade. Beyond WordPress, he’s a published author, syndicated cartoonist, and donut enthusiast. Connect with Nate on Instagram and learn more about his work on his comics website.

Martin Aranovitch

Martin Aranovitch Martin Aranovitch is a blog writer and editor at WPMU DEV. He is a self-taught WP user who has been teaching businesses how to use WordPress effectively almost since the platform began. When he is not writing articles and tutorials, he’s probably off bushwalking in the mountains. Connect with Martin on LinkedIn, Facebook, and his WordPress client training website.