With attacks on WordPress sites increasing at an alarming rate in both frequency and intensity, good security measures are no longer optional for site owners. The Wordfence plugin attempts to offer an all-in-one solution with real-time monitoring. I tested it on a heavily hit site, and it does work exactly as advertised, but it comes at a cost to both your management time and your site's performance. Read on for my full review and whether this plugin will make it onto my recommended list or not.
Wordfence provides a “complete anti-virus and firewall package…including two-factor authentication.” It also features network and geo-blocking, brute-force blocking, source code verification, file and core scans, and real-time attack reporting.
On the admin end, it features cellphone sign-in, strong password enforcement, disk space monitoring, detailed IP info, and content leech view.
There is a free and premium version available. The free version is what I tested.
The free version is missing the following: cellphone sign-in, remote and scheduled scans, country blocking, and premium support.
The Easy Part
You’ll find the plugin in the WordPress repository. Installation and setup are very easy. You can enter your email address to get notifications, but you may not want to and here’s why.
The Crazy Part
If your site is being hit heavily with both attack bots and legitimate crawl bots, you could get emailed to death. The developers claim that “situational awareness” is key to security. I beg to differ. If you have proper security in place, it, not you, should be handling the situation.
Are you really going to take the time away from your busy schedule just to read an email that hits are high? There’s nothing you can do to stop it. All you can do is be informed. To me, that’s a waste of my time.
The Insane Part
Here’s why I say there is nothing you can do to stop it. More precisely, there is nothing you would want to do about it on a regular basis over the long term.
The plugin has an amazing array of tabs where you can view the live traffic on your site.
That’s very informative and interesting – for a while. After just a few days, you’ll start to see patterns of the countries and IP ranges that are bombarding your site. And then you’ll start playing a never-ending game of whack-a-mole to begin blocking those IP ranges. (You can block whole countries on the paid version.)
There are two serious issues with going down this path.
First, these bots rotate their IP ranges all day, every day. Once they report a range being blocked, they swap to another. The whack-a-mole game never stops.
And, once you block a range, if that set of IPs is ever reassigned to a legitimate traffic source, those visitors will never be able to reach your site.
Blocking at the IP level needs to be a dynamic process so that IPs can be black and white listed in real-time as they change owners.
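The kind of dynamic blocking described above, as an added example that is not part of the original review and not code from the Wordfence plugin: every block entry carries an expiry, so a range that later changes hands does not stay blocked forever, and an explicit allow list always wins over a block. The IP ranges are constructed documentation prefixes, not real attacker or client ranges, and the injectable clock is there so the expiry logic can be exercised without waiting.

```python
"""Time-bounded IP block list with an allow-list override (added example)."""
import ipaddress
import time


class DynamicBlockList:
    def __init__(self, default_ttl=3600, clock=time.time):
        self.default_ttl = default_ttl
        self.clock = clock        # injectable so tests can advance time
        self._blocks = {}         # network -> expiry timestamp
        self._allow = set()       # networks that are never blocked

    def allow(self, cidr):
        """Networks here are served even if a block covers them."""
        self._allow.add(ipaddress.ip_network(cidr, strict=False))

    def block(self, cidr, ttl=None):
        """Block a network for ttl seconds; re-blocking extends the expiry."""
        net = ipaddress.ip_network(cidr, strict=False)
        ttl = self.default_ttl if ttl is None else ttl
        self._blocks[net] = self.clock() + ttl

    def _expire(self):
        """Drop entries whose expiry has passed so stale blocks fall away."""
        now = self.clock()
        for net in [n for n, exp in self._blocks.items() if exp <= now]:
            del self._blocks[net]

    def is_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        self._expire()
        if any(addr in net for net in self._allow):
            return False          # allow list wins over any block
        return any(addr in net for net in self._blocks)

    def active_blocks(self):
        self._expire()
        return sorted(str(n) for n in self._blocks)


def demo():
    """Walk through block, allow-override and expiry with a fake clock."""
    now = [1_000_000.0]           # constructed start time
    bl = DynamicBlockList(default_ttl=600, clock=lambda: now[0])
    bl.allow("203.0.113.0/24")             # constructed: our own monitoring range
    bl.block("203.0.113.0/25")             # overlaps the allow list; allow wins
    bl.block("198.51.100.0/24")            # constructed: noisy range, default TTL
    bl.block("192.0.2.0/24", ttl=60)       # constructed: short block
    before = (bl.is_blocked("198.51.100.7"),
              bl.is_blocked("192.0.2.9"),
              bl.is_blocked("203.0.113.5"))
    now[0] += 61                           # short block has expired
    after_61s = bl.active_blocks()
    now[0] += 600                          # everything has expired
    after_661s = bl.active_blocks()
    return {"before": before, "after_61s": after_61s, "after_661s": after_661s}


if __name__ == "__main__":
    print(demo())
```

The point of the expiry is the second issue above: a block is a statement about who holds a range today, so it should have to be renewed rather than remembered forever.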
The Caveat of Country Blocking Part
As mentioned, the paid version has a country blocking feature. That sort of gets you around the insanity of blocking IP ranges. And, if all of your bad traffic is coming from countries where you have no hope of getting clients, well, there you go.
The problem is, you may find that a substantial chunk of the bad bots are coming from countries where you want to do business. That is especially true in the U.S. In-country server farms are being used by attackers more regularly now so they can run an end around the country-blocking features of plugins like this.
What are you going to do then? Kill off all of your U.S. business?
The Messy, Undesirable Part
All of those real-time logs are fun to watch for a while, but they are actually chewing up your hosting resources. Real-time logs of any kind put an extra load on your account CPU and memory. Plus, they take up space in your database.
I ran this Wordfence test for only 4 days.
The performance hit could be measured within just a few hours.
After 2 days, there were 9 new tables in the database. After 4 days, there was a sustained performance hit.
And I had to remove 19 tables from the database after deleting the plugin.
(Your numbers will vary on these factors, depending on your site traffic. My tests were on a heavily trafficked site.)
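A check worth running after removing any plugin that created its own tables, as an added example that is not part of the original review: compare the site's tables against the WordPress core set for its prefix and report the extras. The table list is constructed sample output of `SHOW TABLES` with a hypothetical plugin prefix, not taken from a real site or from Wordfence.

```python
"""Find tables left behind after a plugin is removed (added example)."""

# The twelve tables a stock WordPress install creates, without the site prefix.
WP_CORE_TABLES = {
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms",
    "usermeta", "users",
}


def leftover_tables(table_names, prefix="wp_"):
    """Return tables carrying the site prefix that are not WordPress core tables."""
    extra = []
    for name in table_names:
        if not name.startswith(prefix):
            continue                      # another site's prefix: not ours to judge
        if name[len(prefix):] not in WP_CORE_TABLES:
            extra.append(name)
    return sorted(extra)


def drop_statements(extra):
    """Render DROP statements for review; nothing here executes them."""
    return ["DROP TABLE `%s`;" % name for name in extra]


# Constructed sample: output of SHOW TABLES on a site whose prefix is wp_,
# sharing the database with a second site (wp2_) and a removed plugin (pluginx).
SAMPLE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options",
    "wp_pluginx_blocks", "wp_pluginx_config", "wp_pluginx_hits",
    "wp_postmeta", "wp_posts", "wp_term_relationships", "wp_term_taxonomy",
    "wp_termmeta", "wp_terms", "wp_usermeta", "wp_users",
    "wp2_posts", "wp2_options",
]


def demo():
    extra = leftover_tables(SAMPLE_TABLES, prefix="wp_")
    return {"leftover": extra, "sql": drop_statements(extra)}


if __name__ == "__main__":
    for line in demo()["sql"]:
        print(line)
```

Review the generated statements before running them, because other plugins you still use keep their own tables under the same prefix and will show up in the same list.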
The Security Part
Since its release, Wordfence has required multiple updates. Those have intensified in frequency of late. Most of them are not feature additions; they’re security patches. Wait a second, what? A security plugin that needs frequent security patches? Yep. The fact is, security is very much a cloak-and-dagger, cat-and-mouse type of game between security providers and hackers.
The necessity of plugin updates has become so pervasive that Wordfence recently incorporated an auto-update feature. When a vulnerability in the plugin is reported, and a patch is rendered, they will roll out an update that will take no more than 24 hours to complete globally. So, your site could still be vulnerable for a few hours, but that’s probably still less than waiting for you to open and react to an email notice from them.
The Good Part
Because so many folks use Wordfence and actively feed that data back to a central location, the developers can globally track heavy traffic including bot attacks, such as DDoS and brute-force attacks. (You can see it in real time on their home page.) But that’s a lot like the way Garmin reports traffic delays. You practically have to already be in the slowdown before you’re told.
However, the folks at Wordfence are very proactive with that info and they routinely contact host providers that are being walloped to help them stop the attack.
So, all those logs are benefiting the whole, as far as information gathering.
The Wordfence plugin works as advertised.
But, due mainly to the performance hit it causes, I won’t be using it.
There are other ways to do almost all of what it provides, including:
- hard-coding security features into the root of the hosting and database
- hard-coding security features into the root where WordPress is installed
- light-weight plugins for Brute Force attacks
- CloudFlare CDN for all bot attacks
The main reason I like using CloudFlare to fend off bot attacks is because it is a cloud service. Bots must go through it before they ever reach your site. Hence, your hosting account does not take the resource and performance hit of dealing with so much bad bot traffic. Prevention is worth its weight in performance here.
Even the free version of CloudFlare has some DDoS protection. (There are no settings for it, but the protection is there.) The paid versions have more settings, including an “I’m Under Attack” switch that can be flipped on during a bot attack storm. The upper paid versions switch it on automatically.
And, you still can get reports of your site activity with CloudFlare too. You just don’t get bugged silly with useless email reporting.
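The claim that bots must go through the cloud service before reaching your site only holds if the origin server refuses connections that did not come from the service. As an added example that is not part of the original review and not Cloudflare's or Wordfence's code, this is the check an origin can make: accept a request only when the TCP peer is one of the proxy's published ranges, and only then trust the proxy's `CF-Connecting-IP` header (a real Cloudflare header) for the visitor's address. The ranges below are constructed documentation prefixes; a real deployment loads the provider's published list and refreshes it on a schedule.

```python
"""Origin-side gate for a site fronted by a reverse-proxy CDN (added example)."""
import ipaddress

# Constructed placeholder ranges. These are NOT the CDN's real ranges; load
# the provider's published list at deploy time and keep it current.
PROXY_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8::/32")]


def resolve_client(peer_ip, headers, proxy_ranges=PROXY_RANGES):
    """Return (accepted, client_ip).

    Direct hits that bypass the edge are refused, which is also what makes the
    visitor header trustworthy: only the proxy can set it on an accepted
    connection, so a bot talking to the origin directly cannot forge it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in proxy_ranges):
        return (False, peer_ip)                 # did not come through the CDN
    lowered = {k.lower(): v for k, v in headers.items()}
    client = lowered.get("cf-connecting-ip")
    if client is None:
        return (False, peer_ip)                 # proxy range but no header: misconfig
    try:
        ipaddress.ip_address(client)
    except ValueError:
        return (False, peer_ip)                 # malformed header value
    return (True, client)


def demo():
    """Constructed requests: one direct hit with a forged header, one via the edge."""
    direct = resolve_client("203.0.113.9", {"CF-Connecting-IP": "10.0.0.1"})
    via_edge = resolve_client("198.51.100.4", {"CF-Connecting-IP": "203.0.113.77"})
    return {"direct": direct, "via_edge": via_edge}


if __name__ == "__main__":
    print(demo())
```

The same rule is usually enforced one layer lower as well, as a host firewall that only opens the web ports to the proxy ranges, so that bad traffic is dropped before it ever costs the web server a request.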
I work with a variety of clients and monitoring and testing tools to identify performance and security concerns. There is no such thing as one-size-fits-all when it comes to keeping your site safe and running smoothly.
Contact me for a free chat and let’s find solutions that work best for you.