Every day, Lucid Gen sees about 200 attacks when I look through Wordfence’s report. However, I am completely assured under the protection of Wordfence because I am using the Premium version with its full set of advanced security features. If you are looking for a security plugin for WordPress, do not skip this article. I will show you how to use Wordfence Security Premium in detail, and also share how to activate Premium for free.
What is Wordfence Security
Wordfence is a product of Defiant, the world leader in WordPress security. The plugin provides a firewall and malicious code scanning for WordPress websites.
Wordfence is always up to date with the latest firewall rules, malware signatures and malicious IP addresses needed to keep your website safe.
In addition, the plugin integrates 2FA (two-step verification) and a set of other extra features. Wordfence is the most comprehensive WordPress security solution today.
Wordfence Premium Features
Free Edition Features
- Firewall
- Web Application Firewall: protects your website against attacks and hackers from outside. In short, it is the most important feature.
- Brute Force Protection: protects your website against the classic attack of trying millions of different usernames and passwords to guess your login information.
- Block (block IP): you can add any IP to your website’s block list, and you can also add rules that block automatically.
- Rate Limiting (limit access and content theft): this feature has two benefits. The first is to block crawlers (scraping bots) so that your website is not scanned and its content stolen. The second is to prevent bandwidth attacks or DDoS, where bad guys hit your website many times in a short period, consuming resources and slowing the site down so that your users have a bad experience.
- Scan (malware scan): scans all files on your website for known malicious code, backdoors, shells and other types of malware using Wordfence’s signature data.
- Tools (other supporting tools)
- Live Traffic (view real-time traffic): you can see which country the most recent visits come from and whether they are users or bots. However, we only need to focus on the hits that Wordfence blocked; Lucid Gen blocks about 50 IPs a day.
- Whois Lookup (check IP or domain information): this self-explanatory feature is available on many sites, so I will skip it.
- Import / Export Options (import and export Wordfence settings): if you have many websites that need Wordfence, you just configure it properly once and then export the settings to the other websites, with less effort than starting over.
- Login Security
- 2-step verification: a very necessary feature nowadays; I have introduced it in the article on how to enable WordPress two-factor security.
- reCAPTCHA: helps determine whether the login is by a robot, does not allow the login to be retried continuously, and so also has the anti-brute-force effect mentioned above.
Premium features
- Firewall (Premium)
- Real-time Firewall Rules (automatically updated firewall rules): Wordfence’s firewall uses firewall rules to identify and block malicious access to your website, protecting you from WordPress attacks and the latest security holes.
- Real-time IP Blocklist (automatic blocking from Wordfence’s blocklist): blocks IPs that regularly attack WordPress websites, helping protect the website and improve performance (i.e. no resources are wasted on bad guys).
- Country Blocking (block IPs by country): in Lucid Gen’s opinion this is the best of the Wordfence Security Premium features. Block countries around the world from accessing the login page or your entire website. It’s great that I can block all countries (except Vietnam) from accessing the login page.
- Malware scanning (Premium)
- Real-time Malware Signatures: automatically detects malware on your website in real time, just like anti-virus software on your computer; when it detects malware it blocks it and reports immediately.
- Spamvertising Checks: checks whether your website is being “spamvertised” (the term for advertising bad content through spam).
- Spam Check: checks whether your website’s IP is generating spam.
- Blocklist Check: checks whether your website is on any domain blocklists.
How to activate Wordfence Security Premium
After downloading Wordfence, do not activate the plugin, but follow this guide to activate the Wordfence Security Premium key first.
Activate Wordfence Security Premium
You use the File Manager on hosting or use the Edit plugin feature on wp-admin to edit the wordfenceClass.php file.
wp-content/plugins/wordfence/lib/wordfenceClass.php
Go to the 2005-2009 line (later versions may differ slightly) for the following lines:
// Sync the WAF data with the database.
$updateCountries = false;
if (!WFWAF_SUBDIRECTORY_INSTALL && $waf = wfWAF::getInstance()) {
$homeurl = wfUtils::wpHomeURL();
$siteurl = wfUtils::wpSiteURL();
Then add these lines right below the row:
wfConfig::set('isPaid', 1);
wfConfig::set('keyType', wfAPI::KEY_TYPE_PAID_CURRENT);
wfConfig::set('premiumNextRenew', time()+31536000);
The end result will look like this:
// Sync the WAF data with the database.
$updateCountries = false;
if (!WFWAF_SUBDIRECTORY_INSTALL && $waf = wfWAF::getInstance()) {
$homeurl = wfUtils::wpHomeURL();
$siteurl = wfUtils::wpSiteURL();
wfConfig::set('isPaid', 1);
wfConfig::set('keyType', wfAPI::KEY_TYPE_PAID_CURRENT);
wfConfig::set('premiumNextRenew', time()+31536000);
This is an overview of the activation process of Wordfence Security Premium.
Update new version
When you want to update to the new version and still keep Wordfence Security Premium, follow these steps:
- Step 1: Deactivate Wordfence.
- Step 2: Update Wordfence to the new version.
- Step 3: Re-activate Wordfence Security Premium as instructed above.
- Step 4: Re-enable the Wordfence plugin and use it as usual.
Wordfence Premium User Guide
Lucid Gen will now walk through Wordfence’s most prominent (essential) features. I did not mention some other miscellaneous settings in this article because they are not so important; when you have time you can research them further and customize them as you like.
After activating the plugin you will see this message: enter your admin email, select NO so you do not receive Wordfence newsletters, check the agreement with the terms and click Continue.
When you enter the Dashboard, click No thanks on the message asking whether you want to automatically update to new versions. Updates must be done manually as in the instructions above.
Turn on the firewall and configure website protection
Turn on the firewall
Option 1: The first time you use Wordfence, you will see the message “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall”. Click CLICK HERE TO CONFIGURE. Then click the DOWNLOAD and CONTINUE buttons to complete.
Option 2: Click Firewall in the left menu, then on the right go to All Firewall Options and click the OPTIMIZE THE WORDFENCE FIREWALL button. Then click the DOWNLOAD and CONTINUE buttons to complete.
You have now turned on the firewall. At first Wordfence will leave Web Application Firewall Status in Learning Mode; just let it learn, and it will switch to Enabled and Protecting on its own.
Configure Brute Force Protection
- Lock out after how many login failures: block the IP after this many failed login attempts. I leave this at 1-2 because we are the real admin and there is no reason to log in incorrectly many times.
- Lock out after how many forgot password attempts: block the IP after this many password reset requests. I keep it at 1-2.
- Count failures over what time period: the period over which the total number of failures is counted. I leave it at 1 day to be stricter (choose the maximum).
- Amount of time a user is locked out: how long the IP stays locked out. I choose 2 months (choose the maximum).
- Immediately lock out invalid usernames: block the IP immediately if anyone logs in with these usernames. Enter the usernames everyone would guess, and remember not to enter your own username.
- The rest of the options: these are not important, but you should turn them on.
Configure Rate Limiting
- How should we treat Google’s crawlers: how to handle Google’s content crawlers. Choose Verified Google crawlers will not be rate-limited so Google can crawl freely and index you quickly. The other bots are handled with the options below.
- If anyone’s requests exceed: if a user or bot exceeds this number of hits, I choose 120 per minute then block it (120 pages per minute, then block the IP).
- If a crawler’s page views exceed: if a bot exceeds this number of views of existing pages, I choose 120 per minute then block it.
- If a crawler’s pages not found (404s) exceed: if a bot exceeds this number of views of non-existent pages, I choose 60 per minute then block it.
- If a human’s page views exceed: if a user exceeds this number of views of existing pages, I choose 120 per minute then block it.
- If a human’s pages not found (404s) exceed: if a user exceeds this number of views of non-existent pages, I choose 60 per minute then block it.
- How long is an IP address blocked when it breaks a rule: how long the IP stays blocked. I choose 1 month (the maximum).
Login page security
If you follow this guide from Lucid Gen, the bad guys cannot brute force you either. They cannot even reach the login page, because their IP has already been blocked. If they do reach the login page, reCAPTCHA stops them from guessing the password, and 2-step verification is there on top. By the time they have dug that far, they still can’t get in this way.
Block countries
Only the country you live in can access the login page; all other countries will be blocked. For example, if you live in Vietnam, do it like this.
Click Blocking in the left menu, on the right select Country, check Login Form, and click Pick from list. Then click the Block all button above, scroll down, uncheck Vietnam and click the Update block button.
Block by URL
The bad guy in a foreign country no longer matters, but what about the bad guy in your own country? Just do it this way and you won’t have to worry.
The logic of this section: bad guys often try to reach your login page through easy-to-guess default URLs such as wp-login.php, login, admin, dangnhap … So you change the login page URL to one that no one can think of, which only you know. Then you set Wordfence to automatically block anyone who tries to access the predictable URLs above. Once blocked, how can they try again? Every time they persist they have to change IP, and faced with that difficulty they will give up ^_^.
Step 1: Install the WPS Hide Login plugin to change the login URL.
Let’s change it to a funny URL that no one can think of. For example url-no-anyone-doubt; it’s true that no one would ever come up with that URL ^_^.
Step 2: Go to All Options in the left menu and find the Advanced Firewall Options section. Paste the URLs that bad guys easily guess into the Immediately block IPs that access these URLs field.
This list is an example for you:
/wp-login.php
/wp-login
/dang-nhap
/dangnhap
/login
/admin
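To make the Rate Limiting thresholds above and the decoy-URL list concrete, here is an added example (not code from the article or from Wordfence) that replays the same rules over constructed web-server log lines: an IP that touches one of the listed URLs is flagged immediately, and an IP that exceeds 120 requests or 60 404s within one minute is flagged by a sliding window. The log format, the sample IPs and the paths are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds from the article's Rate Limiting settings and its decoy-URL list.
MAX_HITS_PER_MIN = 120   # "If anyone's requests exceed: 120 per minute"
MAX_404S_PER_MIN = 60    # "pages not found (404s) exceed: 60 per minute"
DECOY_URLS = {"/wp-login.php", "/wp-login", "/dang-nhap", "/dangnhap", "/login", "/admin"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3})')

def parse(line):
    """Parse a combined-log-format line into (ip, timestamp, path, status); None if no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return ip, when, path.split("?")[0], int(status)

def evaluate(lines):
    """Return {ip: reason} for every IP the article's rules would block."""
    blocked, hits, misses = {}, defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None or rec[0] in blocked:
            continue
        ip, when, path, status = rec
        if path in DECOY_URLS:  # "Immediately block IPs that access these URLs"
            blocked[ip] = f"accessed decoy URL {path}"
            continue
        hits[ip].append(when)
        if status == 404:
            misses[ip].append(when)
        # Sliding one-minute window: keep only timestamps newer than when - 60 s.
        for bucket, limit, label in ((hits, MAX_HITS_PER_MIN, "requests"),
                                     (misses, MAX_404S_PER_MIN, "404s")):
            bucket[ip] = [t for t in bucket[ip] if t > when - timedelta(minutes=1)]
            if len(bucket[ip]) > limit:
                blocked[ip] = f"{len(bucket[ip])} {label} in one minute (limit {limit})"
                break
    return blocked

def make_line(ip, second, path, status):
    """Constructed sample log line at 01/Jan/2024 10:00:<second> UTC."""
    return f'{ip} - - [01/Jan/2024:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed traffic: a decoy-URL hit, a 404 flood, a request flood and a benign visitor.
SAMPLE = ([make_line("203.0.113.5", 1, "/", 200), make_line("203.0.113.5", 2, "/wp-login.php", 200)]
          + [make_line("198.51.100.7", s // 2, f"/missing-{s}", 404) for s in range(61)]
          + [make_line("198.51.100.20", s // 3, "/blog/", 200) for s in range(121)]
          + [make_line("192.0.2.9", s, "/blog/", 200) for s in range(50)])
```

Running `evaluate(SAMPLE)` flags the decoy hit, the 404 flood and the request flood, and leaves the visitor with 50 page views alone.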
Turn on 2-step verification for login
I recommend that you enable 2-factor security for any account that is important to you on the Internet. In the past this feature was only in Wordfence Security Premium; it was later added to the regular version.
Click Login Security in the left menu, then use Google Authenticator to add the 2-step verification code to your device.
Turn on reCAPTCHA login
reCAPTCHA makes it difficult for bad guys to guess your password. If you have configured Brute Force Protection as strictly as I have, you can also skip it, because reCAPTCHA is currently not compatible with sites using WooCommerce.
Step 1: To use the reCAPTCHA feature, visit the Google reCAPTCHA page to create an account. Choose reCAPTCHA v3.
You will use this Site key and Secret key to fill out Wordfence.
Step 2: Go to Login Options in the Wordfence menu, on the right select the Settings tab, scroll down to the Enable reCAPTCHA on the login and user registration pages section, check the box, paste the keys and Save.
Scanning for malicious code
In this section you ask Wordfence to scan, or schedule automatic scans. When there is a problem Wordfence lists it below; just follow that and fix the error. However, you don’t have to fix every problem; you can ignore some for your own reasons.
This section needs only a little configuration: click Scan Options and Scheduling.
On the detailed settings page, configure it as in this tutorial:
- Scan Scheduling: since we are using Wordfence Security Premium, you can schedule scans however you like. I have Wordfence scan late at night so it won’t affect performance during hours with lots of traffic.
- Basic Scan Type Options: choose the highest level, High Sensitivity.
- Performance Options: check Use low resource scanning so the scan runs slowly without rushing, keeping website performance good.
As for the Advanced Scan Options section, paste the following 2 lines into the Exclude files from the scan that match these wildcard patterns (one per line) so that Wordfence will ignore the file you have edited to activate Premium.
wp-content/plugins/wordfence/lib/*
wp-content/plugins/wordfence/lib/wordfenceClass.php
Use other tools
The features in the Tools section are not essential, but they can still be helpful in some cases.
View and install Live traffic
Usage: when you have nothing better to do, watch the traffic; if you see someone deliberately attacking the site many times, click the block button right there.
Setting:
- Traffic logging mode: choose SECURITY ONLY so that Wordfence only logs malicious access that is blocked. Logging all traffic will reduce website performance significantly, and we do not need to record what normal traffic does.
- Amount of Live Traffic data to store (number of rows): the number of log rows kept; the fewer logs, the fewer resources your server uses.
- Maximum days to keep Live Traffic data (minimum: 1): the number of days to keep the log. I leave it at 7 days; you can keep more depending on your purpose.
- Other options: not important, leave them as is.
Use Whois Lookup
Paste an IP or domain to check its information, just like any other Whois site.
Export and import Wordfence settings for other websites
This feature is quite handy when administering multiple WordPress websites. You only need to perfect the configuration on one website, then export its settings and import them on the others.
Configure email notifications
Make sure your website has SMTP set up to send email. Configure it so that you receive only important alerts and the monthly summary report. That will help reduce your email.
Note when using Wordfence Premium
Plugins sometimes have problems in use. The 2 most common problems I see with Wordfence are errors when moving hosting and accidentally getting yourself blocked from your own website.
Handling errors when moving hosting
Open the File Manager on your hosting and update the new /home/username/public_html/ path in the following files:
- .htaccess
- .user.ini
- wordfence-waf.php
For example, if I edit the wordfence-waf.php file, this is how to find the new path and replace the old one: copy from above and paste below.
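The same path replacement across all three files, as an added example (not code from the article or from Wordfence): it rewrites only whole path prefixes, reports how many occurrences each file contains, and leaves the files untouched unless `apply=True`. The file contents, the old and new account roots and the `mod_php7` block are constructed to resemble the `auto_prepend_file` lines Wordfence writes; adjust them to your own hosting.

```python
import re
import tempfile
from pathlib import Path

# The three files the article says carry the absolute path of the old hosting account.
WAF_FILES = (".htaccess", ".user.ini", "wordfence-waf.php")

def rewrite_root(text, old_root, new_root):
    """Replace the old account root (e.g. /home/olduser/public_html) with the new one."""
    old_root, new_root = old_root.rstrip("/"), new_root.rstrip("/")
    # Match only whole path prefixes, so /home/olduser/public_html2 is left alone.
    return re.sub(re.escape(old_root) + r"(?=/)", new_root, text)

def migrate(site_dir, old_root, new_root, apply=False):
    """Rewrite the three files under site_dir; returns {file: occurrences}. Dry run unless apply."""
    site_dir, changed = Path(site_dir), {}
    for name in WAF_FILES:
        path = site_dir / name
        if not path.is_file():
            continue  # e.g. .user.ini does not exist on every hosting stack
        before = path.read_text()
        count = before.count(old_root.rstrip("/") + "/")
        if count:
            changed[name] = count
            if apply:
                path.write_text(rewrite_root(before, old_root, new_root))
    return changed

# Constructed sample contents, modelled on the lines Wordfence writes; not from a real site.
OLD = "/home/olduser/public_html"
NEW = "/home/newuser/public_html"
SAMPLE_FILES = {
    ".user.ini": f"auto_prepend_file = '{OLD}/wordfence-waf.php'\n",
    ".htaccess": f"<IfModule mod_php7.c>\n\tphp_value auto_prepend_file '{OLD}/wordfence-waf.php'\n</IfModule>\n",
    "wordfence-waf.php": (f"<?php\nif (file_exists('{OLD}/wp-content/plugins/wordfence/waf/bootstrap.php')) {{\n"
                          f"\tdefine('WFWAF_LOG_PATH', '{OLD}/wp-content/wflogs/');\n"
                          f"\tinclude_once '{OLD}/wp-content/plugins/wordfence/waf/bootstrap.php';\n}}\n"),
}

def demo():
    """Write the samples into a temporary directory, migrate them, and return (counts, new .user.ini)."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE_FILES.items():
            (Path(tmp) / name).write_text(body)
        counts = migrate(tmp, OLD, NEW, apply=True)
        return counts, (Path(tmp) / ".user.ini").read_text()
```

Run `migrate` without `apply` first to see which files still reference the old account before writing anything.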
What to do when you are blocked by Wordfence
- Option 1: Enter an administrator’s email in the block notification and send a request to unblock your IP address. Then check your email and follow the instructions to unblock your IP address.
- Option 2: Turn on 4G to change your IP address and log in again.
- Option 3: Use the File Manager on your hosting to rename the Wordfence folder (public_html/wp-content/plugins/wordfence); the plugin will be deactivated automatically. After you log in, rename the folder back to wordfence and re-enable the plugin.
Conclusion
With this Wordfence Security Premium tutorial, I believe your website will be absolutely secure; if you don’t use unknown plugins, there is nothing to worry about in securing your WordPress website.
Have you used Wordfence yet? Leave a comment below to let me know, and I will support you!