Wordfence: Enhancing WordPress Security
Wordfence is a highly regarded security plugin for WordPress. It includes a scanner that monitors for hacked files and a firewall with updated rules to block malicious bots proactively.
A valuable but not immediately visible feature within Wordfence allows users to configure firewall rules, enhancing the ability to block hackers, scrapers, and spammers.
Although you need to navigate through several menus to find this feature, it offers an easy and effective method to protect your site from unwanted activities. Scrapers, in particular, are problematic as they steal your content and republish it elsewhere. With Wordfence, you can take action against these scrapers.
Using tools like Wordfence helps reduce the amount of your content that scrapers can plagiarize.
Several WordPress security plugins and SaaS solutions, including Sucuri Security and Cloudflare, are highly recommended. Wordfence is one among many, and it’s up to you to choose which fits best within your workflow.
Wordfence and other solutions can function well as set-it-and-forget-it options. However, the user-configurable firewall in Wordfence provides an opportunity to enhance protection against bots.
Before increasing the firewall’s strictness, it’s crucial to understand the extent to which these rules can be applied.
Wordfence WordPress Security
Wordfence protects over 4 million WordPress sites with a reliable firewall that blocks bots grabbing too many pages too quickly or showing signs of hacking activities. The firewall blocks the rogue bot’s IP address temporarily, after which the block is lifted. The default settings work well, but sometimes bots manage to scrape a site by acting slowly or changing IP addresses.
These bots can often be blocked more efficiently using customized Wordfence settings.
Wordfence Firewall Rules
Efficient bot blocking can be achieved using server-level tools, multiple plugins, or an .htaccess file. However, editing an .htaccess file is complex and mistakes can crash your site. Firewall rules offer an easier alternative.
Wordfence allows you to create blocking rules based on:
- IP Address Range
- Hostname
- Browser User Agent
- Referrer
IP Address Range
This refers to the IP address from which the bot or human is accessing your server.
Hostname
The hostname is the name of the host the visitor is connecting from, though some visitors may only show an IP address.
Browser User Agent
This is the browser the visitor claims to be using. Bots often falsify this value to evade detection.
Referrer
This is the page from which a bot or human reportedly clicked a link to arrive at your site.
Wordfence Custom Pattern Blocking
To block malicious bots using any of the above variables, you can create custom rules in the Custom Pattern Blocking tool.
Step 1
Click the firewall link from the left-side admin menu in WordPress.
Step 2
Select the tab labeled "Blocking".
Step 3
Choose the “Custom Pattern” tab and create a firewall rule in the appropriate field. Use the “Block Reason” field to add a descriptive phrase like Hostname, User Agent, etc.
Step 4
Create the rule by clicking the “Block Visitors Matching This Pattern” button.
Should You Block IP Addresses with Wordfence?
Wordfence simplifies the creation of firewall rules to block bots efficiently. However, permanently blocking thousands of IP addresses is not efficient and can slow down your WordPress installation. Temporary blocking is fine, but for permanent blocks, an .htaccess file is more suitable.
Hostname Blocking with Wordfence
Blocking hostnames can effectively counteract hackers, spammers, and scrapers. Using Wordfence’s Live Traffic log, you can identify and block problematic hosts. Be cautious with some hosts, as blocking them might block legitimate bots too.
Block Hackers and Scrapers by User Agent
Old and outdated browser user agents are commonly used by rogue bots. After noticing an increase in hacking bots using Chrome 90, I decided to block these bots by their Browser User Agent. Tools like GTMetrix use specific Chrome UAs; you can allow these tools while blocking bad bots by selectively choosing which UAs to block.
Be Careful When Creating Firewall Rules
Always research and verify that no legitimate bots or site visitors are using the browser user agents or hostnames you plan to block. Use your traffic log files or the Wordfence traffic logs for this research.
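One way to do that research before saving a rule is to dry-run the candidate pattern against an access log and review everything it would have matched. The script below is an added example, not part of Wordfence or of the original article. It assumes combined-format log lines and a `*` wildcard matched case-insensitively, and it covers the user agent and referrer fields only; the log lines, the tool user agent and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip ident user [time] "request" status bytes "referrer" "user agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/{} Safari/537.36")
CHROME_90, CHROME_120 = UA.format("90.0.4430.212"), UA.format("120.0.0.0")
TOOL_UA = CHROME_90 + " GTmetrix-Example"  # constructed stand-in for a monitoring tool's UA
T = "[10/Jan/2024:10:00:00 +0000]"
# Constructed sample log: documentation IP ranges and made-up requests.
SAMPLE_LOG = "\n".join([
    f'203.0.113.7 - - {T} "GET /post-1/ HTTP/1.1" 200 5120 "-" "{CHROME_90}"',
    f'203.0.113.7 - - {T} "GET /post-2/ HTTP/1.1" 200 4980 "-" "{CHROME_90}"',
    f'198.51.100.20 - - {T} "GET / HTTP/1.1" 200 9100 "-" "{TOOL_UA}"',
    f'192.0.2.33 - - {T} "GET /post-1/ HTTP/1.1" 200 5120 "https://example.com/" "{CHROME_120}"',
    f'203.0.113.9 - - {T} "GET /post-3/ HTTP/1.1" 200 5300 "-" "{CHROME_90}"',
])

def wildcard_to_regex(pattern):
    """Turn a '*' wildcard pattern into a case-insensitive regex (assumed rule syntax)."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE)

def dry_run(log_text, field, pattern):
    """Report which logged requests a candidate rule on `field` would have matched."""
    rule = wildcard_to_regex(pattern)
    total, by_value, by_ip = 0, Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not combined format; skip rather than guess
        total += 1
        if rule.fullmatch(m.group(field)):
            by_value[m.group(field)] += 1
            by_ip[m.group("ip")] += 1
    return {"total": total, "matched": sum(by_value.values()),
            "values": by_value, "ips": by_ip}

if __name__ == "__main__":
    for pattern in ("*Chrome/90.*", "*Chrome/90.* Safari/537.36"):
        result = dry_run(SAMPLE_LOG, "user_agent", pattern)
        print(f"{pattern!r}: {result['matched']} of {result['total']} requests")
        for value, hits in result["values"].most_common():
            print(f"  {hits:>3}  {value}")
```

On the sample data the broad pattern also matches the monitoring tool's user agent, while the pattern anchored on the end of the string leaves it alone. Review the distinct matched values, not just the counts, before creating the rule.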
By following these guidelines, you can significantly enhance your WordPress site’s security using Wordfence’s advanced features.