by Adam Preiser updated December 27, 2017

How To Secure Your WordPress Websites With Wordfence – Review & Tutorial



In this tutorial video, I show you how to secure your WordPress website using Wordfence.

Now I will tell you upfront that Wordfence is not the best security plugin for WordPress by a long shot. In the video, I will show you all the weaknesses of Wordfence and compare it to iThemes Security.

Video Transcript

This video is going to be all about Wordfence and
securing your website with Wordfence hi my

name is Adam from were I make
WordPress videos for non-techies if you enjoy

the content in this video please consider
clicking on that subscribe button and if you’d

like video notifications there’s a little
bell off to the right of that and go ahead

click on that and YouTube will let you know
when I have new videos so this is a video

in a video series where I’m just talking about
WordPress security and the various plug-ins

and methods to secure your WordPress websites
in the first video of the series I took a

look at five different security plug-ins and
gave some of my, shared some of my personal

experiences using those plug-ins as well as
talked about the pros and cons of the ones

that I have personally used and this video is
going to be about Wordfence and I have personally

used Wordfence I don’t use Wordfence right
now now the reason is because I believe that

iThemes Security which is also free is a much
better plug-in however I did commit to making

this video because I know there’s a lot of
people that really like Wordfence and there’s

definitely pros and cons with each so some of
it’s going to be up to you and what your preference

is and I’m going to hit on some of these different
pros and cons as I’m walking through setting

up and installing the plug-in so here it is
in the page for WordPress sorry

for Wordfence a security and you can see it’s
got a massive amount of active installations

which can be a good sign that’s definitely
a good thing now there are features in the

plug-in that are only available if you pay
for the premium version of the plug-in which

you can see on their websites and inside of
the plug-in you’ll see there’s lots of little

advertisements and things settings that don’t
really do anything because you need the premium

version here I am on their website and as
I go through the tutorial you’ll see what

is in the free version and what is in the
paid version so I’m not going to go through that right

this moment but I do want to share with you
or let’s take a quick look at how much this

plug-in costs if you wanted the premium version
so I’m going to go here and click on get premium

and so you’re presented with this now it’s a
per site per year charge for Wordfence so

when you click on the pricing you get this
option here to enter the quantity of sites

that you want it on and the amount of years
so if it’s just one website and one year that

you want to pay for it’s a hundred dollars I
think that’s a little on the pricey side if

you have three websites the price starts to
go down you get a 32% discount but now you’re

looking at $200 and if you wanted to do multiple
years you get more discount so if you did

two years it’s, you get the point, the
paid version of this is going to add up really

quick this is in comparison to iThemes if
you wanted the paid version of that where

there is a lifetime option its unlimited sites
and you’ll find that it’s very comparable

to Wordfence so here we are I’m on a website
here, I’m going to go to plug-ins, I’ve already downloaded it

but haven’t activated it because I want to
show you something that I don’t like about

Wordfence and I want to show you the technical
side of it first so that you can visually

get an idea because if you look at my first
video in the series I said that there is a

performance hit on your website when you use
Wordfence it’s a little on the bloated side

if you ask me so missing something technical
here this is a list of the tables that are

in this WordPress website so WordPress is
taking up about 12 of them which is on

every single WordPress installation and we
have these three here these are the ones from

iThemes Security so you can see iThemes Security
is adding three tables to the database now

let me just do a quick refresh of this page
so that you can see this is how it is right

now so have a total of 15 tables in the database
so let’s see what happens after I activate

Wordfence so I’m going to go ahead and click on activate
it’s gonna take a sec because it’s adding

a whole bunch of tables to this WordPress
installation right now and you can see it

still spinning and going okay so I’m going to
come back to this tour because I really like

how they have this here and I think if you’re
using this plug-in you might want to go through

the tour now I’m going to go back here and so
we had 15, I’m going to go ahead and click on refresh and

you can see there’s a whole lot more tables
now in my WordPress database so went from

15 tables total now remember three of those
tables were iThemes so you get 12 with WordPress

and then you’ve got three with iThemes Security
and the minute I activated this plug-in right

here you can see it jumped to an additional
24 tables that Wordfence creates in your WordPress

database so this is what I was talking about
in the first video that if you want to use

Wordfence it’s going to be at the expense of
performance of your website and this is just

one indication of that and you can see it
right here with your own eyes all right so

I really like how Wordfence has this tutorial
or sort of like a tutorial it’s a tour and the

first thing is to pop in your email address
now I will say that one of the things I love about

Wordfence is that they’re a singular focus company
now a few years back they tried to

add caching features to Wordfence and that
didn’t work out and so they got rid of that

and they just are staying with the one focus
which is security and I actually like that

I like that they are paying attention to security
matters there’s a lot of great information

on their blog I would definitely recommend
popping your email address in here even if

you’re not using Wordfence to give them your
email address so that you can stay on top

of WordPress’s security news so that’s very
good so I’m not going to go through the tour

right now but I highly recommend it to anyone
to go through the tour and the reason I like

to go through this because for this tutorial
I’m going to go straight to the different setting

options so what you first see is this option
right here that you have to go through this

process to enable what they call a web application
firewall so you do need to go through and

enable that and it’s actually a little tricky
so let’s just do that real quick, click on

this button here that says click here to configure
and hear some information about an eminent

and the torques I don’t want to go through
it right now so first you have to know some

technical mumbo-jumbo on your server and I
can tell you right now most people I am you

know this because I mean you just see a bunch
of acronyms here and you don’t even know what

the heck it is off the top your head but anyways
you’re supposed to select one of these and

then click on the continue button in this
is going to make it so this web application

firewall will work for you so I am like if
I click on continue takes me to the next step

and then it wants me to download the .htaccess
file that’s a security related file on your

web hosting account then click on continue
and then is supposed to turn this thing on

so anyways you have to go through that process
so you have this new option here for Wordfence

and you have these different options that
it gives you, now most of the options are

going to be in the options link right here but
I’m going to start with the dashboard and one of

the strengths of Wordfence is they have a
really pretty dashboard I mean I was talking

about iThemes Security and they have no real
dashboard in the free version if you have

the paid version there’s a dashboard I do
think they should add some kind of a dashboard

on the free version so people can visually
feel like it’s working but that’s really all

that a dashboard is is it visually feeling
that it’s working so when you see here all

of this information half of it is trying to
sell you on the premium version which is totally

cool I mean that’s the only way they can make
money, definitely not hating on that, so half

of this is showing you, trying to get you to
they show you what you don’t get with the

free version and the other half is just some
global information not necessarily on your

website but also on the entire network of
Wordfence based website so it’s pulling a

lot of this data in from their website now
I like dashboards but I think there was you

know the problem with the dashboard is I don’t
think I’m going to be looking at a security dashboard

I’m going to look at sales dashboards, analytics
dashboards from postcards and dashboards not

really excited to look at a security dashboard
but it is pretty and I definitely think it’s

a plus that there is this dashboard here so
now let’s move on so first I’m going to go to

the scan option here now what the scan is
now there’s some premium version of the scan

so right here it says that if they find some
kind of new vulnerability when you scan it

on the free version you’re not going to be able
to detect this new threat they

find because you’re using the free version
you have to pay or you have to wait 30 days

to get these new threat signatures that they
can identify now I will say I don’t place

a lot of value in the scan and it’s not to
Wordfence’s scan, it’s any of these scans, I just

don’t put a lot of value in them is, like
if you had a PC computer and you you put in

an antivirus and the scans like half the time
they don’t ever find the problem the virus

and then the other times they can’t get rid
of it and then the other times it gets rid

of it and it comes right back so I really
don’t put a lot of value in any of these scans

that these plug-ins offer even the one that
comes with the paid version iThemes Security

it’s never found anything I think the best
tools for prevention is prevention meaning

you have a plan with having a good solid backup
off-site that you have access to and you know

how to restore and then having some good best
practices in place so you can do a manual

scan here this is definitely a plus if you
because it might make you feel like it’s doing

something but if you look at the comments
or the support comments of Wordfence on the page you can see a lot of people
saying it’s not finding the problems so I

don’t really put a lot of weight into it but
I understand it might make people feel better

about it now you do a manual scan if you have
the paid version you can do a scheduled scan

and then there’s options here of what it’s
going to scan as well so this is the scan

and that’s just kind of my real world experience
with the scanning in general so now let’s

take a look at the firewall now this is a
weakness in my opinion of Wordfence and here

is the deal with the when the first video
I said one of the best features of a security

plug-in is that it patches in to a shared
network of IP addresses that are banned and so

what that means is if I’m running the Wordfence
right here on this website and here’s a totally

unrelated website just some other random people
that person has installed Wordfence and

then someone’s trying to hack into their website
that attacker info’s going to go into

a network and then get pushed down to my website
and that’s this this shared network to have

all these websites keeping each other secure
and that is huge now Wordfence kind of has

that but they don’t really because in the
free version of the plug-in you get access

to that database but it’s 30 days out of date
and so someone attacks website A and

then they go to attack your website, website
B, you’re not going to benefit from that unless

you have the paid version or it’s been 30
days but the reality is if someone is trying

to hack into a bunch of WordPress websites
the likeliness is in 30 days they’re going to be using

a different IP a different method something
different altogether so I kind of find that

aspect of their application firewall kind
of on the worthless side now I could be wrong

I don’t have hard-core data evidence to see
if the same attack is happening 30 days later

or from the same IP, originating from the
same IP address and all that kind of stuff

so that is actually a negative here, this is
a positive with iThemes Security, it’s

real time so if someone’s attacking,
trying to hack into site A, then site B’s

immediately protected because that information’s
going to go up to iThemes and come down to

protect you so unfortunately one thing I don’t
like about Wordfence is that they have the

most popular security plug-in but they’re
kind of making you feel like you’re you might

think that your website safer than it really
is when there’s other options out there that

are at the same price level or less expensive
so iThemes Security’s free and then it it

it it it will do a better job of keeping you
secure real time versus a Wordfence so anyways

that is kind of is something that I don’t
like about this and I actually didn’t realize

this you know I think the last time I used
Wordfence I had to take it off my sites because

they slowed it down but the last time I used
the Wordfence I don’t think they had this

restriction in place where I’m not going to
benefit from the network until after 30 days

and then it’s pretty useless at that point
anyway so here are your brute force options

actually let me go back, after you install it
you’re gonna want to go right here and you

got this firewall status they recommend leaving
it in this learning mode for a week and so

you could do that and if you remember hopefully
you do you come back and switch it to enabled

and protected I think it would be smarter
of them to have it automatically switch to

enabled and protected because most people
install some security thing and where it’s

out of sight out of mind five minutes later
I’m not going to sit there and say let me

set a reminder to come in here a week later
and switch it so unfortunately a lot of people

that might just install and activate Wordfence
or not even though their firewall isn’t as

good as others are probably not benefiting
from it at all because they have to come in

here later and enable it so that is the firewall
now they do have brute force protection and

this is where you’re going to set those thresholds
a brute force is to prevent people from trying

every username and every password some real
common ones to get into your website or even

attempt to get into your website is not like
as always you have like good policy for protecting

it your your your having good security policy
as far as the password strength and all that

you’re not using admin or administrator for
your username you’re going to be safe in that regard

but still when you have that request and that
attempt happening it slows down your website

because it takes away from the resources on
your web hosting account and it can be problematic

by default they have very high thresholds
here so this is basically saying lock someone

out after 20 failed login failures and here’s
another option after 20 forgot password attempts

it’s like holy cow this should be much lower
I would maybe set them to five and if it’s

your website and you’re the only one logging
in so it’s not one where you have other people

logging in, you can even make this lower and
I would also increase these time periods so

I would maybe increase this to the max to
a day and then increase this to a max as well

so this is basically saying those five failures
are counted in a 24 hour period

and if you are locked out you’re going to be locked
out for 60 days I like to set mine up this

way however I do have people logging in to
my website but if they have a problem and

they keep putting it in and it doesn’t work
right they’ll usually just reach out to me

on my contact form and I can go in and help
them out so here immediately lock out invalid

usernames you don’t want to enable that
one and if you wanted to add some usernames

that your typical that someone that’s trying
to hack into your website would enter for

them so they could be immediately banned you
can pop it in here, it’s going to be admin, administrator

your your the name of your website or something
along those lines because those are typically

what would automatically use some of these
bots would do in order to try to hack into

your website and any others rate limiter I
actually think this is a plus this is actually

very cool basically if someone or there’s a bot
doing some suspicious things on your website

you can immediately ban them or you can throttle
them down that means they’re going to be able

to make requests on your website a lot slower
so it right here is like for instance if someone’s

visiting a lot of 404 pages that’s when someone
goes to a URL and it’s not a valid URL that’s

typically an indication that they’re looking for
vulnerabilities on your website so you could

throttle that down so say if they make 10
of the failures in a minute then go ahead

and throttle them or block them I do like
that these options are here you can take a

look at this and decide how you want to implement
this if at all I do like that you have these

tooltips although I wish when you hovered
over it that there’d be a pop-up saying what

it is, instead you have to click on it, it
opens up in a new tab it takes you to the

Wordfence documentation that’s some some of
the stuff is really written in geek speak

unfortunately so let’s take a look at blocking
the blocking options right here now what

I do like about this is it’s letting you know
what is being blocked on your website right

now I really like that this is there and you
can go here and you can also probably remove

blocks right here you got these clear options
and you can manually pop someone’s IP address

in and block them from your website I do do
this from time to time now the country blocking

is actually very interesting I guarantee it puts
a load on your website because it’s basically

taking someone’s IP address and then comparing
it upon known IP address schemes for these

various countries and is very easy to get
around and it’s only a premium feature but

you go here and you can block out certain
countries I personally don’t see a huge use

of for this unless you’re being attacked by
some but it’s all game about so he is he think

at around anyway so you know I’m sure some
people find value in it but there’s tons of

ways to get around it anyway you got some
advanced blocking options here so you can

pop in and block IP address ranges you can
block different computers based on hostname

user agent referring website others there’s
all kinds of power that you have there and

I do think that is a very good so just to
have this option in their live traffic this

is what’s going to cause problems on your
website so I really don’t like that they have

this enabled by default I would encourage
anyone to disable this to turn this off and

also in the options I’m going to show you where
you can disable the logging feature and that’s

where whenever anything visits your website
it’s taking this information and tossing it

in the database, what’s going to happen is your WordPress
database is going to get massive and it’s

going to get slower and that’s a guarantee
so essentially this is going to show you real-time

website activity now this website that I’m
doing this install on is on my local machine

so it’s not going to show me any activity unfortunately
but you would start seeing some activity here

and now most of their websites activity is
really just a bunch of bots anyway I really

only find value in this if your websites been
attacked but you know I just still find limited

value in it then what are you going to do
okay ask yourself that this life you school

but say your website was being attacked what
you gonna do then what what what snacks you

could try may be manually blocking blocking
IP addresses of like that but anyways I would

strongly say turn this off and it’s funny
they know it’s a problem because right here

it’s telling you how much memory you set for
Wordfence to be able to use and how much is

using and so they’re putting that there for a
reason so I’m going to go ahead and disable that and

you really should do that as well now here
is the tools section of Wordfence as well

and if these aren’t a lot of emerges advertisements
for the paid version so right here password

auditing I’m not really fan of password auditing
I have it in iThemes Security and I’m not

paying attention to that I do care for an
admin account on my website administrator

right account has a good strong password so
anyways doesn’t matter, you have to pay for this

feature, Whois lookup, I don’t know who’s
going to log in to their WordPress website

for Whois lookup, you can do that on GoDaddy,
Namecheap, pension faith websites I’m not going

to be doing that in my WordPress website, cell
phone sign-in is also called two-factor authentication

I happen to find it’s a premium feature I
happen to find it the most annoying feature

on the face of the earth I tried in turning
that on once and it makes life so inconvenient

now if that I can understand for like a banking
type of online service where you need the

most bulletproof security imaginable but I
just don’t feel that my website I need to

go through that extensive level I have everything
else in place my website is nice safe and

secure I don’t think I need two-factor authentication
and I don’t think you need two-factor authentication

either then we got this diagnostics
tab right here it’s going to give you some

info that you can send to them and this is
what I where I discovered how many tables

that this plug-in adds because when you go
here let me scroll down you right here chose

to skip showing a list of all the tables and
so I’m seeing WordPress tables and it’s all

Wordfence Wordfence Wordfence remember I showed
you in the beginning it adds about 24 tables

to your database which is almost double what
you would have actually that is double what

WordPress gives you by itself okay so then
we got the options here and I’m going to wrap up

this whole review and you might be surprised
what I say at the end so here is a default

API key that you gets and here’s a bunch of
options now most of these you’re going to

just want to leave the default but we want
to take a look at some of the ones that are

performance related for sure so for example
enable a live live traffic view this is unchecked

because you saw that I turn the feature off
but if the feature was on this would be checked

because it needs to what is on a need some
place to store all that visitor information

and it’s going to slam it’s going to slam
your database you just want to make sure that

that is unchecked, there’s a comment spam
filter, well actually why do I even talk

about it, it’s a premium feature but there’s other
plug-ins that do that anyway to help reduce comment

spam and here’s a couple other little checks
that are actually really good to have but

you have to have the premium version of it
as well okay enable automatic scheduled scans

this is interesting because just a moment
ago we saw the scans as scheduled this scan

is only in the paid premium version but were
not getting that notice right here that this

is just a premium all actually I’m sorry the
the premium thing is above the checkmark I

was just assuming that it’s below the check
mark so you’re getting the comment spam filter

in the free version and not getting the spammer
ties the checking your IP address and you’re

not getting the scan so right here I like
that when a plug-in has this option this checkbox

will allow allow a Wordfence to update itself
in your WordPress installation this is pretty

good if you have one of those sites were you’re
not really on top of it are paying attention

to it so right here you’re going to want to put your
email address in and this is where alerts

are going to be sent to, now where they do a great
job is in the alerts options here so go ahead

and pop in your email address right here
and then let’s scroll down here and take a

look at these alert options so some of these
you’re definitely going to not want to so

this is going to let you know you probably
want this one is if Wordfence is automatically

updated that’s a good one, if Wordfence
is deactivated you can leave that on, the

one that you don’t want is right here alert
when an IP address is blocked what people

realize is the minute you put a WordPress website
on the Internet there’s bots that are going

to start trying to log in, it’s just an automatic
thing, you leave that on you’re going to get all these

emails it’s just not worth it so definitely
disable that in as well as this one if someone

gets locked out from failing to log in properly
you can go ahead and uncheck that now you

can leave this notification on if you want
to know when someone is requesting a lost

password if you wanted and right here this
will let you know and that’s good to leave

on as well when someone actually logs in
that has administrator rights and so there’s

couple more options here this was really nice
you can choose the maximum amount of email

alerts you want per hour so zero is unlimited
and either second to be so many with the different

options that we just selected so you can leave
this at zero if you wanted I do like that

you can just get an email summary if you want
right here so you could probably uncheck these

options there and just get that email summary
and you can do that daily or weekly it’s up

to you next we have some live traffic view
options, you already know my opinions on that, what

it’s gonna do to your website here’s what
you can choose to include when it actually

does a scan of some of these are actually
kind of nice but they probably don’t fit most

of us is so is saying is scan your theme so
to compare your theme to what’s on the latest

download on my problem is most
of us are really getting our themes from

were probably buying it directly or something
maybe theme for Sir direct vendor like Beaver

Builder or Divi so but those are nice if you
have everything from the WordPress repository

here’s some more options for what to scan you
can go ahead and leave those all enabled with

the checkmark and then here some additional
options right here and it’s up to you I would

go ahead and read the information and documentation
to see if you actually want to enable that

or not alright so here’s our rate limiting
which is an option that we saw in the firewall

but you also have it right here that we also
have our thresholds for failed login attempts

right here and then we have some notification
options then here’s some more premium options

that you don’t get access to but I do like
this updates needed so you’ll get notifications

for that when you’re in the dashboard Wordfence
but you’re going to get it when you log in to your WordPress

website whether there’s updates available
so here’s where you can white list your IP

address is in some of that specific stuff
as well, these you’re going to want to leave at default

but you might want to also enable this hide
WordPress version it’s up to you some people

say that if they look and see the WordPress
version you’re using then they can know what

vulnerabilities exist if they exist on that
version but if you’re keeping WordPress up-to-date

you don’t even need to worry about that check
this out okay so now we’re in the home stretch

which is awesome, I’m sure you’re happy
about that right here is how much memory can

Wordfence use and they obviously have this
here because there is performance problems

with this plug-in and tell you when you actually
click this it takes you to their

document site and they say that you know Wordfence
is going to have trouble in affordable hosting

so if your web hosting services like under
10 bucks you’re going to probably run into

some trouble performance issues but if you’re
spending 30 bucks 100 bucks or whatever per

month you’re probably not going to have any problems
with Wordfence but probably at those

pricing levels anyway the host already has
some kind of proactive service so right here

is one of my favorite favorite features and
I wanted to show it right now, it is delete

Wordfence tables and data on deactivation
so you see here where I have 39 tables now

because of Wordfence, well at least they give
you this option you can click on here and

you can then delete it have Wordfence deleted
if you disable Wordfence this is actually

something that all plug-in and theme creator
should add themes don’t typically add tables

just plug-ins and I do like that they have
that so I want to demonstrate that right now

so you can see I’ve got these 39 tables,
I’m going to show you 39 tables, I’m going to go here

I’m going to deactivate it’s going to take
a moment to deactivate, I’m going to go here

and I’m going to do a refresh and you’re going to see this
go back down to 15 that’s because with that

checkbox you can fully get away from Wordfence
and fully get it off your website all that

would be left is going here and then deleting
the plug-in files itself it’s going to go

ahead and remove all those tables all that
data all that bloat in your WordPress website’s

database it’s going to get rid of all of that
now you might think oh this guy Adam he hates

Wordfence after you just listen to me for
the last 20 minutes kind of point out all

of its flaws and you know what I think it’s
important to just have some security tools

on your website so I’m not hating on Wordfence
I’m happy for the over 2 million people that

are securing their website with it I do believe
that you get better security out of the free

version of iThemes Security and I also believe
that iThemes Security is a better value for

your money if you did want to have the paid
version of one of these tools if you had Wordfence

the paid version of Wordfence on three websites
you could already have purchased the actually

four websites you could already have purchased
the full version of iThemes Security that

has unlimited installs and lifetime updates
where with Wordfence on year two you’re going to have

to pay up again so I mean I’m not opposed
to paying money to keep something safe and

secure however this is a situation where there’s
definitely a better free option available

and there’s definitely a better paid option
available as well so if you didn’t see my

iThemes Security video I would encourage you
to go and take a look at that and tell me what

you think about that you can also see the
first video in this video series I should

just put a link down below to the to the playlist
I have links to everything down below a link

to Wordfence you can just go to
also leave a link to iThemes Security if you

did purchase iThemes Security through my link
I’m giving you access to my security training

course on my website, it’s normally $99, I’m giving
that for free so let me know what your experience

with the Wordfence is and I also want to invite
you to kind of critique me a little bit you

know I’m trying not to be so harsh but try
to speak the truth in these videos so you

think I’m being too hard on Wordfence I want
to hear from you down below I definitely want

to give everything a fair shake I am an opinionated
person and I like opinionated people I want

to give everything a fair shake what is your
experience with Wordfence have you used it

has it covered your butt and if you’re deciding
on a security plug-in after this video which

one do you think that you would want to install
on your website so anyways thanks for watching

this video I appreciate having you on the
channel and I’ll see you in the next one

My passion is making the best quality video tutorial online, for non-techies. When I am not behind the camera, I am usually helping out one of my YouTube subscribers.
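
The login lockout thresholds and the 404 rate limit discussed in the transcript, replayed over a constructed access log; this is an added example, not code from the video or from Wordfence. The 20 versus 5 failure thresholds, the 24 hour counting period, the 60 day lockout and the ten 404s per minute come from the transcript; the default counting period and lockout length, the 404 block length, the log format and reading a 200 response to a `wp-login.php` POST as a failed login are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-style line: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# (limit, counting window in seconds, block length in seconds)
DEFAULT_LOGIN = (20, 4 * 3600, 4 * 3600)      # 20 is from the transcript; window/lockout assumed
TIGHT_LOGIN = (5, 24 * 3600, 60 * 24 * 3600)  # 5 failures / 24 hours / 60 days, per the transcript
NOT_FOUND = (10, 60, 30 * 60)                 # ten 404s in a minute; block length assumed


def parse(line):
    """Return (epoch_seconds, ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])


def classify(method, path, status):
    # Assumption: a failed login re-renders the form (200); a success redirects (302).
    if method == "POST" and path == "/wp-login.php" and status == 200:
        return "login_fail"
    if status == 404:
        return "not_found"
    return None


class Limiter:
    """Sliding-window counter per IP; reaching the limit blocks the IP for block_s seconds."""

    def __init__(self, limit, window_s, block_s):
        self.limit, self.window_s, self.block_s = limit, window_s, block_s
        self.hits = defaultdict(deque)
        self.blocked_until = {}

    def is_blocked(self, ip, ts):
        return ts < self.blocked_until.get(ip, 0)

    def record(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while ts - q[0] >= self.window_s:  # forget events older than the window
            q.popleft()
        if len(q) >= self.limit:
            self.blocked_until[ip] = ts + self.block_s
            q.clear()


def replay(lines, login_policy, notfound_policy):
    """What-if replay: how many requests per IP would be served or dropped under a policy."""
    limiters = {"login_fail": Limiter(*login_policy), "not_found": Limiter(*notfound_policy)}
    served, dropped = defaultdict(int), defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, method, path, status = rec
        if any(lim.is_blocked(ip, ts) for lim in limiters.values()):
            dropped[ip] += 1
            continue
        served[ip] += 1
        kind = classify(method, path, status)
        if kind:
            limiters[kind].record(ip, ts)
    return dict(served), dict(dropped)


def sample_log():
    """Constructed traffic: a password-guessing bot, a path scanner, and the site owner."""
    base = datetime(2017, 12, 27, 10, 0, 0, tzinfo=timezone.utc)
    rows = [(i * 30, "203.0.113.7", "POST", "/wp-login.php", 200) for i in range(60)]
    rows += [(i * 2, "198.51.100.9", "GET", f"/probe-{i}.php", 404) for i in range(30)]
    rows += [(100, "192.0.2.50", "POST", "/wp-login.php", 200),   # owner mistypes twice
             (110, "192.0.2.50", "POST", "/wp-login.php", 200),
             (120, "192.0.2.50", "POST", "/wp-login.php", 302)]   # then logs in
    lines = []
    for off, ip, method, path, status in sorted(rows, key=lambda r: r[0]):
        stamp = (base + timedelta(seconds=off)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512')
    return lines


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_LOGIN), ("tightened", TIGHT_LOGIN)):
        served, dropped = replay(sample_log(), policy, NOT_FOUND)
        print(name, "served:", served, "dropped:", dropped)
```

With the threshold at 5 the guessing bot gets a quarter of the password attempts it gets at 20, while the owner's two typos stay under either limit.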
