WordFence Security Plugin Tutorial: Secure, Block and Stop Malicious Attacks to WordPress websites for FREE

If you’re on the lookout on how to secure WordPress sites, then Wordfence Security Plugin is the ultimate WordPress security plugin you should put some thoughts on.

Infact, in this Wordfence Security Plugin Review, i am going to show you how to install, activate and setup Wordfence for your WordPress website security.

I’ll also show you how i used WordFence to scan and remove malware that was installed by an attacker to one of my client’s website.

In brief, if you’re on the look out for how you can safeguard your WordPress website, block those attacks before reaching you or you’re simply looking for a tool to help monitor your website health, then this a plugin you should checkout and here is video tutorial i made just for that.

WordFence Security Plugin Tutorial (Video)

Feel free to watch my complete WordFence setup tutorial below. If it’s not what you’re looking for, feel free to skip to the next section.

Among what’s covered in this video is 

  1. How to install and active WordFence security plugin for FREE
  2. How to setup WordFence security plugin (settings)
  3. How to configure the WordFence Firewall
  4. How to scan for malware and vulnerabilities in WordPress websites using WordFence
  5. How to monitor live traffic to your WordPress website
  6. How to block or whitelist visitor traffic and IP addresses using WordFence
  7. Intro to advanced custom WordFence setup in the free version
  8. How to set up two factor authentication (2FA) with WordFence for WordPress websites
  9. The WhoIsLookUp function in WordFence
  10. Import and export WordFence setting to several other WordPress websites

Special WordFence Security Plugin Features

1. Free Wordfence Firewall

This Web Application Wordfence firewall runs at an endpoint and enables full integration with WordPress. It helps to identify and block malicious traffic to your website without breaking encryption or leaking data.

It has an inbuilt malware scanner that blocks malicious code and content requests. This firewall feature yet again limits the number login attempts to your WordPress website as well as enforces stronger passwords.

2. Wordfence Security Scanner

The Wordfence scanner checks your website’s files and content (posts and comments) for suspicious content and dangerous URLs, backdoors, redirects, code injections and SEO spam. It repairs changed files and checks their integrity as it reports the changes to you.

The files include those from core (WordPress), themes and plugins.

[bctt tweet=”In fact, the Wordfence scanner enabled me to spot malicious files that were installed on my client’s website by an attacker. The malicious code could overwhelm the server with bloat traffic and website couldn’t show up and any more.” username=”gotechug”]

By simply scanning and getting the results, i could delete all the files and secure the website with Wordfence with no techie skills required.

3. Leaked Password Protection

Wordfence puts together an amazing way to protect you from becoming a victim of already leaked passwords and sensitive data from the various data breaches. This makes your website stay on top of the game when it comes to protection of user data and website security.

This feature helps you to protect yourself from a specific threat and enables you to block website users to already known compromised passwords. Specifically, administrator passwords spotted in recent and previous data breaches will have to be reset so as to login.

To Read: Elementor Landing Page – A Step by Step Guide

4. Two-Factor Authentication (2FA)

With the two factor authentication, you basically outsmart the attackers and they permanently are unable to log into your website EVEN when they get your username and password.

The 2FA requires whoever wants to access the website to provide as secondary piece of information like confirming your login with the user’s phone number or through scanning a provided QR code.

With Wordfence, you’re in position to enable 2FA for any user role and you wish and you have the ability to use time based one time password standard applications like Google Authenticator and 1Password.

To Read: 50 Secrets To Speed Up WordPress Sites In 2019

WordFence Security (Frequently Asked Questions)

What is Wordfence Plugin?

Wordfence is a WordPress website security freemium plugin that enables you to protect your WordPress websites from malware and brute-force attacks. It includes a malware scanner, an inbuilt  endpoint firewall, leaked password protection and two factor authentication features.

How do I set up Wordfence?

To install Wordfence plugin, you simply log into your WordPress admin dashboard, and on the left-hand menu, choose plugins > Add New. Next you type and search for Wordfence in the search box. On return, you’ll see Wordfence Security – Firewall and Malware scan, then click install and activate button.

Is Wordfence a Firewall?

The Wordfence Web Application Firewall is a PHP based, application level firewall that filters out malicious requests to your site.

How much does Wordfence Premium Cost?

A single user access to the plugin premium features goes for $99 per year and as low and $74.25 for 15+ users per year per user.

How do I turn off Wordfence?

In your WordPress dashboard, head to the left hand menu, locate WordFence> ALL Options > General Wordfence Options. Enable option “Delete Wordfence tables and data on deactivation” and save. Scroll down to the section “Import/Export Options” and click “Export Wordfence Options”.

Does Wordfence slow website?

I use Wordfence on my website and works pretty fine. I have not experienced any performance issues in regards to having Wordfence activated and working on any of my websites. 

What To Do If am locked out of my site?

Make sure that it’s Wordfence that is locking you out of your site. If you have been locked out by Wordfence, the block page will mention “Wordfence” and state a reason for the block. If you contact Wordfence support, include that reason in your message for faster assistance.

If you have accidentally locked yourself out of your site, enter your admin email on the block page to receive an email that will allow you to unlock yourself. If that doesn’t work, please log in to your website using FTP/SSH or any file manager your web host may be providing via their administration panel and rename the wordfence plugin directory located in wp-content/plugins/.

You can name it wordfence_. When the Wordfence folder has been renamed you should be able to log in. If you are still seeing a block page at this point, clear any cache you have in WordPress or on the server.

Once logged in, reactivate Wordfence by naming the wordfence_ folder back to wordfence. If you then get locked out again, it likely means your IP-address has ended up on your list of blocked IPs. Disable Wordfence again by renaming the wordfence folder. Then install the Wordfence Assistant plugin and use it to either

  • Disable the Wordfence Firewall. You can now enable Wordfence and examine Wordfence blocks to determine which one locked you out.
  • Clear all currently active blocks in Wordfence. This is an easier method.

If you are able to access WordPress admin but have problems using normal methods of unblocking in Wordfence or can’t find the IP address of the user you are trying to unblock you can use the Wordfence Assistant to clear all currently active blocks in Wordfence.

Credit: Wordfence

What is in the /wflogs/ directory?

These files in wp-content/wflogs/ contain Firewall configuration data and information on blocked attacks. The Firewall needs these files because it can run before WordPress has loaded, and the database is not available at that time. Files normally included in the wflogs directory are config.php, attack-data.php, ips.php, rules.php, wafRules.rules, and .htaccess.

Newer Wordfence versions will also have config-livewaf.php, config-synced.php, config-transient.php, and GeoLite2-Country.mmdb. Some hosts may have additional temporary files in the same directory with similar names, or may also have temporary files with long names containing the letters “nfs”.

Some of these files begin with a line that says `<?php exit(‘Access denied’); __halt_compiler(); ?>`. This prevents anyone from viewing the file contents in a web browser even if the web server does not support .htaccess files, while allowing the rest of the contents to be read as data. Much of the data is encoded or in a binary format, for various reasons, including performance.

Credit: Wordfence

Does WordFence Block Background Requests?

The Wordfence Firewall can block background requests that use AJAX, showing a message that says “Background Request Blocked”. This can prevent certain types of attacks, but some plugins and themes may cause this message as well, even when their requests are safe. It is most likely to occur when adding custom HTML or javascript code in fields that are separate from the WordPress core.

As the admin of the site, you can choose to whitelist these blocked requests by clicking the Whitelist button, if you were simply working on the site when they occur. The message is only shown for logged-in admins of the site, so regular visitors, subscribers, authors, editors, or other types of users on your site will not see them.

If you see this message when clicking a link that was sent to you by another person, or a link from another site that leads to your site, it may not be safe to whitelist. You can contact us about blocked requests if you are not sure whether they are dangerous or not. Be sure to include a description of what you were working on at the time.

Credit: Wordfence


Hopefully this article helps your understand the best WordPress Security Plugin setup and configuration. If i left out something, please let me know in the comment box below and shoot me an email.

Talk soon

Also Read. . .

6 Best SCUM server hosting services

If you are an avid survival gamer and are thinking of venturing into the intense world of SCUM, then you know that having the right server may either make or break your gaming experience.  The

Read More »
Newsletter Subscription (EF)
Hamza comes from a design background with over 10years of experience in Web and Media design. He enjoys making web design videos on his YouTube channel GoTechUG. He also writes web design articles on this website. In his free time, Hamza loves riding a bicycle, swimming or going hiking.

Leave a Comment

Your email address will not be published. Required fields are marked *

Recommended Tools

Hostinger offers premium WordPress hosting for small and medium size websites at an affordable price rated 4.5/5 on Trustpilot


Elementor is the WordPress most popular page builder with over 10 million active users