One of my must-have WordPress plugins is a security plugin called Wordfence. I install Wordfence on all my own sites as well as those of my clients. It is a key component of my Website Management Program.
Available both in free and paid versions, Wordfence provides, among other things, the ability to monitor who logs in to your WordPress site and who tries to and fails. The latter is often more important than the former! You can monitor admin logins or user logins or both. I recommend monitoring at least admin logins as anyone with admin permissions can do a lot of damage on your site in a very short time. Monitoring admin logins on a client’s site helped spot and deal with an intruder very quickly as detailed in my earlier post on that subject.
If You Already Use Wordfence…
NOTE: If you’re already using Wordfence and have updated to the latest version, you may have seen a message appear in your administrator dashboard that reads as follows:
Please go to the Wordfence Options Page and set the option that tells Wordfence how your site gets visitor IP addresses. This is important to avoid IP spoofing attacks.
There is a new option in the latest version that determines how Wordfence knows the IP addresses from which visitors originate. If you see the above message, click on the linked text “Wordfence Options Page” or find the Wordfence section in the left sidebar and click Options.
The last option under the Basic Options section at the top of the page is labeled “How does Wordfence get IPs:”. This is a dropdown with four entries. The first entry is the warning message telling you that the option isn’t set. The second entry is the recommended choice for most cases. Unless you know exactly what the third and fourth entries mean, select the second one, which begins “Use PHP’s built in REMOTE_ADDR.” You’ll note that at the end of the option text it says “Try this first”. REMOTE_ADDR is the address of the connection that actually reached your server, which a visitor cannot forge; the other choices read addresses from request headers that a reverse proxy or CDN fills in, and those headers can be faked by anyone if no such proxy sits in front of your site.
Be sure to click the Save Changes button. You will be prompted to reload the page.
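To show why the default REMOTE_ADDR choice is the safe one, here is an added illustration written for this post (it is not Wordfence’s or WordPress’s code, and it uses Python rather than PHP because the point is language-independent). The trusted-proxy range, the mode names and the blocked address are constructed assumptions.

```python
"""
Why the source of the visitor IP matters for login monitoring and IP blocking.

REMOTE_ADDR is the address of the TCP peer and cannot be chosen by the client.
X-Forwarded-For is ordinary request text: anyone can send it, so it must only be
honoured when the connecting peer is a proxy you control.
"""
from ipaddress import ip_address, ip_network

# Assumption: your reverse proxy / CDN connects from this range.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Constructed: an address you blocked after it flooded wp-login.php.
BLOCKED = {"203.0.113.7"}


def is_trusted(addr):
    """True if addr is a proxy we allow to supply forwarding headers."""
    try:
        ip = ip_address(addr)
    except ValueError:  # malformed hop in a header: never trusted
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers, mode):
    """Resolve the visitor IP under three policies.

    'remote_addr'  - use the connection address only (the recommended default)
    'xff_naive'    - believe X-Forwarded-For unconditionally (spoofable)
    'xff_trusted'  - believe it only when the peer is a trusted proxy
    """
    xff = headers.get("X-Forwarded-For", "")
    if mode == "remote_addr":
        return remote_addr
    if mode == "xff_naive":
        # Whoever sends the request controls this value.
        return xff.split(",")[0].strip() if xff else remote_addr
    if mode == "xff_trusted":
        if xff and is_trusted(remote_addr):
            # Walk from the proxy-appended end back to the first untrusted hop,
            # so a client-supplied leading entry is ignored.
            for hop in reversed([h.strip() for h in xff.split(",")]):
                if not is_trusted(hop):
                    return hop
        return remote_addr
    raise ValueError("unknown mode: %s" % mode)


def is_blocked(remote_addr, headers, mode):
    """Would this request be denied by the IP block list under the given mode?"""
    return client_ip(remote_addr, headers, mode) in BLOCKED
```

With a direct connection from the blocked address carrying a forged X-Forwarded-For header, only the naive mode lets the request through; with a real proxy in front, the trusted mode still recovers the original visitor.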
Who’s That Knocking At My Door?
Knowing who’s trying to log in is valuable, if a bit disconcerting at first. When you turn on this option, you’ll soon see that there are bogus login attempts happening on your site regularly. Most of these attacks are scripts trying to figure out your login ID and password. Wordfence can be configured to stop attempted logins after a certain number of failures, which is very effective in stopping brute-force password attacks. Unprotected, your WordPress site will allow an unlimited number of login attempts, which means a malicious bot (automated script) can try endless combinations of user ID and password until it either gets in or gives up. This is why strong passwords are a must! It is also a compelling case for getting rid of the default Admin user ID. Why give the bad guys half the combination?
Wordfence provides the ability to block certain IP addresses, if desired. Once blocked, anyone attempting to access your site from a blocked IP address is denied access altogether. This ability came in very handy this past weekend when one of my sites was subjected to a bogus search robot hitting my login page over 8000 times in a few minutes. This caused an alert at my web hosting provider, HostGator, which prompted them to contact me because my site was using excessive server resources. I was able to log in to my site, get the offending IP from Wordfence and subsequently block it from accessing my site.
Check For Real and Unexpected Updates
Wordfence can also scan WordPress files, plugin files and theme files comparing them against the latest versions in the WordPress repository. If your version is out of date, you’ll get a warning from Wordfence urging you to update to the latest version.
In addition, Wordfence can detect files that don’t belong in the WordPress core directories and alert you to those. These two functions let Wordfence detect unauthorized changes to files on your site and provide an early warning if your site has been hacked. Again, I’ve found this capability helpful on several sites where we were able to detect intrusions early and get rid of them before they did any serious damage.
Where To Get Wordfence
One More Thing…
One final note: I would be remiss in not mentioning the outstanding support I’ve received from Mark Maunder, the author of Wordfence. Questions posted in the Wordfence forum have been promptly and expertly answered, and Mark has now started a mailing list to which he posts security alerts. Wordfence gets my highest recommendation.