My use and administration of WordPress is relatively recent. In part, I took it on to build my skills and broaden my experience. Coming from an ‘old school’ developer background where I have focused on databases, server management tools and processes, and more recently cyber security, I find an easily employed and feature-rich product tremendously helpful for navigating a new environment. Wordfence is one of those products. Out of the box it is comprehensive and easy to use.
Thus far I find help quickly for every question and function. After installing the plugin suite, configuration is not difficult. Since I am not in a hurry or facing a deadline, I take my time to explore the dashboard, firewall, and scan views.
Built-in operations I particularly like are Scan, Firewall, and Login-security. In one place, three basic security features, once configured, provide strong protection managed simply: scan what you have, block bad actor access, and require strong authentication for authorized users.
The scan feature looks for malware, expired or vulnerable plugins, file changes, and other undesirable elements which may be present on a WordPress site. I like the periodic email alerts. With the three sites I am currently handling, the alerts are informative and timely without being so persistent as to become spam at risk of being ignored. An email alert I received this morning spurred me to fix a possible remote code execution (RCE) vulnerability and to write this review.
If the email alerts were spam, I would not be writing a good product review.
Enabling two-factor authentication (2FA) on multiple sites is a smooth process. Because online security is increasingly important, I think everyone should use some form of multi-factor authentication (MFA), especially for administrative accounts. Wordfence integrates this feature, leveraging the free Google reCAPTCHA v3 Service, which requires a Google account. Enter your keys, apply 2FA to specific user roles, and establish a grace period.
Users will need the Google Authenticator application on their mobile device. If you have inexperienced users, training may be the hardest part of implementation. This knowledge and skill are worth it to users, as MFA/2FA becomes a common requirement for online access to banks, remote work, and anywhere personal or financial information is accessible.
The firewall feature is self-enabling once the plugin is installed and a week or so of analysis has run on a site. The default is a web application firewall; premium features connect with Wordfence live aggregated data. The application-level blocking is a minimal requirement and recommended for any site. Making it harder for bad actors to act is a good thing.
The live traffic information lets you see who is probing your site, where they are coming from, and block them explicitly. Blocking can be fun. Highly recommended.
Jerry Pournelle, in his old Byte magazine column, would sometimes have Orchid and Onion awards. I always enjoyed his reviews. It is a catchy phrase, long in use for the good and not-so-good. One could assume it comes from community farm fairs. The sentiment still holds. Wordfence deserves an orchid. Keep up the good work.