Enhance the Security & Performance of WordPress Blog using Wordfence

Wordfence is a powerful WordPress plugin that protects your website from Distributed Denial of Service (DDoS) attacks, malicious web crawlers and other attack techniques commonly used by hackers, script kiddies and the like. The plugin can also scan your entire installation in real time for existing as well as newly disclosed vulnerabilities, such as Heartbleed.

Install the plugin on your self-hosted installation and activate it. Once activated, the plugin asks you to enter your email address so that you can receive security alerts about your installation from the service.

Once you have entered your email address, the plugin instantly starts a thorough scan of your installation covering the following:

  • Remote scan of the public-facing site.
  • Whether your site is currently being used for spamvertising.
  • Whether your own (the administrator’s) IP address is responsible for generating spam.
  • The latest critical vulnerabilities, such as Heartbleed.
  • Core files of your installation, themes and other plugins: Wordfence keeps an up-to-date mirror copy of every version of WordPress ever released on its cloud servers, along with every version of the free themes and plugins currently present in the official WordPress repository. The plugin does an integrity check of all your files, and any changes it detects are displayed at the end of the scan. If a file is corrupt or contains some sort of malicious code, you can restore a clean version of that file from the service’s cloud server. Keep in mind that if you are using a plugin or theme that is not part of the official repository, the plugin cannot perform integrity checks on it.

Note: Some of the above-mentioned features are only available to premium members of the service.
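As an added example (not code from the original post or from the Wordfence plugin), the following Python script shows the kind of integrity check described above: it hashes every file under an installation, compares the result against a known-good manifest, and reports modified, missing and unknown files. The `demo()` function builds a throwaway directory with constructed sample files in place of a real WordPress tree, and the baseline manifest it computes stands in for the clean copy Wordfence fetches from its cloud mirror.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX style) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Classify files as modified (hash differs), missing (in baseline only)
    or added (on disk but unknown to the baseline, i.e. not shipped by the release)."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def demo() -> dict:
    """Build a constructed mini-installation, snapshot it, tamper with it, and diff it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php // constructed version file\n")
        (root / "wp-includes" / "functions.php").write_text("<?php function wf_demo() {}\n")
        baseline = build_manifest(root)  # plays the role of the clean repository copy

        # Constructed tampering: append a line to a core file, drop an unknown file
        # into wp-includes, and delete a file the release ships.
        with (root / "wp-includes" / "functions.php").open("a") as fh:
            fh.write("// injected line\n")
        (root / "wp-includes" / "unknown.php").write_text("<?php // not part of the release\n")
        (root / "index.php").unlink()
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Files in the "added" bucket are exactly the ones a repository comparison cannot vouch for, which is why the post notes that themes and plugins outside the official repository get no integrity check.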

You can check the plugin’s activity log at the bottom of the page, along with a list of all the issues the plugin found for your site during the scan:

In this list you can also perform the following bulk operations:

  • Select all repairable files.
  • Bulk repair selected files.
  • Select all deletable files.
  • Bulk delete selected files.
  • Mark all issues as fixed.
  • Ignore all issues.
  • Clear all ignored issues.

Note: You should perform the above-mentioned bulk operations with utmost caution. If you don’t understand something, contact your host and tell them about the list of issues the plugin has found for your installation.

Live Traffic Tab

The Live Traffic tab of the plugin shows you a list of all legitimate human visits, visits from registered users, crawlers and Google bots visiting your website in real time. This page also shows a list of all 404 Not Found pages, login and logout attempts by various IP addresses and a list of the top content consumers on your site:

JavaScript-based analytics programs like Google Analytics, WordPress Stats (Jetpack) etc. may not be able to show you details such as the other web crawlers visiting your site, RSS feed readers, hack attempts and other attack techniques used by bots, because such clients typically never execute the tracking script. Wordfence categorizes all these details into tabs, and using them you can distinguish between your website’s legitimate and rogue visitors very easily.

The live activity feed in the various tabs shows you the following details about a particular visitor of your site:

  • Location (City, State and Country).
  • Exact landing page on your site.
  • Exact time of the visit.
  • IP address.
  • Type of web browser/user agent used.

Below these details you will see the following options:

  • Block IP: Clicking this hyperlink makes the plugin block the IP address of a particular visitor/bot from visiting your website again. Once an IP address has been blocked, you can unblock it manually by clicking the Unblock IP hyperlink, which replaces the Block hyperlink.
  • Block Network: If lots of different IP addresses from the same network/range are constantly hitting your site, you can block the entire network/range using this hyperlink. Once blocked, you can always unblock the range manually. Keep in mind that this option may block legitimate human visitors as well.
  • Run WHOIS on a particular IP address: Clicking this hyperlink takes you to the plugin’s WHOIS Lookup page.
  • See recent traffic: Clicking this hyperlink reveals all the recent traffic from a particular IP address.

If you ever see a suspicious IP address or IP range in the live traffic feed, you can instantly block that address or range from visiting your site again.

You can also run a WHOIS lookup on these suspicious IP addresses and report your findings to your web host, who may then add all the attacking/suspicious IP addresses to your server’s firewall.

When an attacker is looking for vulnerabilities in your installation, they may generate lots of 404 Not Found errors. If you see an IP address or range that is constantly generating too many Not Found errors on your blog, you may want to block all such addresses and notify your host of your findings.

Likewise, if someone is constantly trying to log in to your installation and every attempt fails, take a look at the Logins and Logouts tab. If you see lots of failed login attempts from a particular IP address, someone is definitely trying to get into your installation and you should block that IP address.
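The two patterns just described (one address hammering non-existent pages, and repeated failed logins from one address) can also be spotted in an ordinary web server access log. The script below is an added example, not code from the original post or from Wordfence: it parses constructed Apache-style log lines, keeps a sliding time window of events per IP address, and flags an address once its 404 count or failed-login count crosses a threshold. It relies on the WordPress behaviour that a successful POST to /wp-login.php answers with a 302 redirect while a failed one re-renders the form with status 200; the thresholds and window are illustrative defaults. The same per-IP counting is what the firewall’s "page views exceed" and "404s exceed" rules later in this post express.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def classify(event: dict):
    """Name the kind of event we count, or None for ordinary traffic."""
    if event["status"] == 404:
        return "404"
    # Assumption: WordPress answers a failed login with 200 (form re-rendered) and a
    # successful one with a 302 redirect, so POST + 200 on wp-login.php is a failure.
    if event["method"] == "POST" and event["path"].startswith("/wp-login.php") and event["status"] == 200:
        return "login_failure"
    return None


def find_offenders(lines, window=timedelta(minutes=5), max_404=10, max_login_failures=5) -> dict:
    """Return {ip: {kind: time the threshold was first crossed}} for addresses that
    exceed a limit within the sliding time window."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (ip, kind) -> timestamps still inside the window
    flagged = {}
    for ev in events:
        kind = classify(ev)
        if kind is None:
            continue
        q = recent[(ev["ip"], kind)]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        limit = max_404 if kind == "404" else max_login_failures
        if len(q) >= limit:
            flagged.setdefault(ev["ip"], {}).setdefault(kind, ev["ts"])
    return flagged


def sample_log() -> list:
    """Constructed log lines: a 404 flood, a login brute force, and one normal visitor."""
    base = datetime(2014, 8, 10, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, ts, method, path, status):
        stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = [line("203.0.113.5", base + timedelta(seconds=i), "GET", f"/page-{i}/", 404) for i in range(12)]
    lines += [line("198.51.100.7", base + timedelta(seconds=10 * i), "POST", "/wp-login.php", 200) for i in range(6)]
    lines += [
        line("192.0.2.10", base, "GET", "/", 200),
        line("192.0.2.10", base + timedelta(seconds=30), "GET", "/old-post/", 404),
        line("192.0.2.10", base + timedelta(seconds=60), "POST", "/wp-login.php", 302),  # successful login
    ]
    return lines


if __name__ == "__main__":
    for ip, hits in find_offenders(sample_log()).items():
        print(ip, {k: v.isoformat() for k, v in hits.items()})
```

The normal visitor produces one 404 and one successful login and is never flagged; the two offenders are reported with the moment they crossed the limit, which is the information you would pass to your host along with the WHOIS result.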

The Top Consumers page shows a list of your blog’s most frequent visitors (humans as well as bots). Visitor details may include the country name, IP address, hostname and time of last visit.

Performance Setup

The Performance Setup page of the plugin allows you to enable either Basic Caching or the Wordfence Falcon Engine for your installation:

Note: If you are already using plugins like WP Super Cache, Hyper Cache, W3 Total Cache etc. with your blog, disable them before testing/enabling the caching features of Wordfence. If you don’t, chances are high that they will conflict with each other.

Basic Caching uses PHP to serve cached pages to your visitors and does not modify your installation’s .htaccess file. The Falcon Engine, on the other hand, requires modifications to the .htaccess file so that your web server can serve pre-rendered pages directly to your visitors.

If you are going to enable the Falcon Engine for your installation, Wordfence will ask you to take a backup of your current .htaccess file. Once you have taken the backup and enabled the Falcon Engine, the plugin disables the following features of itself:

  • Country blocking, to avoid extensive database lookups. You can still use the plugin’s Advanced Blocking page to block IP addresses, but certain features under Advanced Blocking won’t work; for example, you won’t be able to block a combination of an IP range and a web browser pattern together.
  • Live Traffic feed.
  • Certain firewall rules.

Under Cache Options, select the following as per your site’s requirements (applicable to both the Falcon Engine and Basic Caching):

  • Whether to enable SSL support (all pages served via https://) for your cached pages.
  • Whether to show hidden debugging data at the bottom of the source code of cached pages.
  • Whether to fully purge the cache whenever a scheduled post is automatically published on your blog.

Under Cache Management, you can either clear the cache manually or get statistics about your current cache. The stats show the following details:

  • Total number of files in cache.
  • Total number of directories in cache.
  • Size of all cached data.
  • Size of largest cached file.
  • When the oldest file in the cache was created.
  • When the newest file in the cache was created.

Under Cache Exclusions, you can enter a list of all the URLs, user agents and cookies that you want to exclude from being cached by the plugin. You can build your list using the following rules:

  • If a URL starts/ends with a particular value.
  • If a URL/User agent contains a particular term.
  • If a URL/User agent exactly matches a particular term.
  • If a cookie name contains a particular term.

The cache exclusion feature is very useful when you’d like to exclude dynamic pages of your blog (whose content is generated by some other plugin each time they are accessed) from being cached.

Blocked IPs

This page shows you a list of all the IP addresses that have been:

  • Temporarily blocked from accessing your site. You can always unblock these IP addresses or make the block permanent.
  • Locked out from logging in to your site’s dashboard. Such IP addresses won’t be able to use the Forgot Password feature of WordPress either.
  • Throttled for accessing your site very frequently.

You will see the following details for each blocked IP address:

  • Location (City, State and Country).
  • IP address.
  • Hyperlinks for unblocking the IP address and making the block permanent.
  • Reason for blocking the IP address and who blocked it.
  • Whether any further access attempts have been made by the same IP address after the block was placed.
  • Time of last access.
  • Total number of hits to your site before the block was placed.
  • Number of blocked hits.
  • After how many minutes/hours the block will be lifted. This depends on what you have set under Login Security Options on Wordfence’s Options page.

To manually and permanently block an IP address from your site, enter the IP address in the text field and click the Manually Block IP button:

If you click Clear all blocked IP addresses or Clear all locked out IP addresses, the plugin removes all blocked/locked-out IP addresses from the block list and all of them will be able to access your site once again. Do this very carefully and only after proper research, as otherwise attackers and bad bots will be able to get into your site once again.

Cellphone Sign-in

Two-factor authentication is a remote authentication technique used to verify the identity of a person before they can access services on a computer system or network. Wordfence’s Cellphone Sign-in feature lets you sign in to your blog using two-factor authentication, which strengthens your blog’s sign-in security.

If you enable this feature, you will need the following two things every time you want to log in to your blog’s dashboard:

  • Your original WordPress dashboard password.
  • A unique code sent to you by the service via SMS to your registered mobile number.

To enable this feature, enter a username along with the phone number on which you want to receive the code from the service:

Once you have enabled Cellphone Sign-in, you log in to your dashboard by entering your original username and password. If the credentials are correct, the service sends a unique code via SMS to your mobile number. You then re-enter your username and password, this time appending the unique code to the end of your password, separated by a space.

This feature eliminates the possibility of brute-force as well as dictionary attacks, because even if an attacker is able to guess your password, they still won’t have your mobile device to receive the unique sign-in code, and so won’t be able to sign in to your dashboard.

Country Blocking

Using a commercial geolocation database, the plugin can block all visitors from an entire country. Use this feature with extreme caution and in special cases only (for example, when your blog is under attack from hundreds or thousands of IP addresses from a particular country). To enable country blocking, select/set the following options:

Under country blocking options:

What to do when we block someone: If you want the plugin to show a standard block message in the browser of a visitor blocked because of their country, select Show the standard Wordfence blocked message from the drop-down menu.

If instead you want to redirect all blocked visitors to some other URL, select Redirect to the URL below from the drop-down menu and enter the URL in the URL to redirect blocked users to text field.

Block countries even if they are logged in: If you enable this option, registered users of your site whose IP address belongs to a blocked country won’t be able to do anything on your site either.

Block access to the login form too: If you enable this option, visitors from a blocked country won’t be able to access the /wp-login.php page of your installation either.

Under Advanced Country Blocking Options:

Special users of your blog (fellow administrators, authors, editors etc.) can bypass country blocking by visiting a particular URL on your site. You set this special URL for such users under Advanced Country Blocking Options.

Whenever these users visit your special URL, they are redirected to a particular page on your site (say the login page or the homepage) and a cookie is set in their browser, which bypasses the existing country block.

Note: If these special users clear their browser’s cookies, they will be blocked again. To bypass country blocking they will have to revisit the special URL so that the cookie is set in their browser once again.

Under Select which countries to block:

From the list, select all the countries you want to block permanently from accessing your site:

The list contains every country in the world, and the IP-to-country database used by the plugin is 99.5% accurate in identifying the country a visitor is coming from.

Scan Schedule

Wordfence not only monitors your installation in real time but can also scan it periodically. On the Scan Schedule page you can select one of the following options under Scan Mode:

  • Let Wordfence automatically schedule scans: The service automatically schedules a full scan of your installation according to the time zone selected in your blog’s General Settings.
  • Manually schedule scans using the calendar below: Select your preferred scanning day and time, or choose from Once a day, Twice a day, Weekends, Odd days and weekends, and Every 6 hours.

Click the Save Scan Schedule button at the bottom of the page once done.

WHOIS Lookup

The plugin’s WHOIS Lookup page lets you query a database that stores information about people (name, company name, contact number, address with zip code etc.) and their domain names/servers (IP address, type of server, list of name servers etc.).

The WHOIS page also lets you look up information about an IP address or a domain name. Enter an IP address or a domain in the field provided and click the Lookup IP or Domain button. The plugin then fetches the following details for you:

  • WHOIS server address of the registrar (the company that registered the domain name).
  • Registrar’s name and official website.
  • Creation date of the domain: the date on which the domain was registered/re-registered.
  • Last update date: the date on which the domain was last updated, e.g. a nameserver change.
  • Expiry date: the date on which the domain expires and may become available for registration again.
  • Registrar contact details, including the abuse email address.
  • Contact details of the domain owner, such as name, full address with postal code, state and country, telephone number, email address etc. Keep in mind that this information may not be available because of WHOIS Guard privacy protection.
  • Nameserver details.
  • NetRange, CIDR, OriginAS, NetName, NetType, registration and update dates, organization name, abuse email address etc. of an IP address.

When you perform a WHOIS lookup for an IP address, you can block the entire range of IP addresses belonging to that network. The block hyperlink appears next to the NetRange field in the lookup results. Use this option very carefully, as it may keep legitimate visitors from visiting your site.

Advanced Blocking

Googlebot is a trusted web crawler, and many bad bots try to visit your site by spoofing Googlebot’s identity. These bots then start looking for vulnerabilities in your installation, and you may not even notice their activity because you assume Googlebot is crawling your blog to index content. The Advanced Blocking page of the plugin lets you block these types of crawlers, as well as suspicious visitors matching a particular browsing pattern, from your website.

On this page you enter an IP range and/or the name of a user agent/browser as follows:

  • If you only want to block a range of IP addresses, enter the range in the form 192.168.200.200-192.168.200.999 (note that each octet of an IPv4 address can only go up to 255, so a real range would end at 192.168.200.255 at most).
  • If you want to block a crawler or a web browser from accessing your website at all, enter its user agent. For example, the user agent of the latest version of the Firefox browser at the time of writing is Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0. To block it you can enter its user agent as *Mozilla*, *FireFox* or *Gecko* in the field provided. Keep in mind that almost every modern browser’s user agent begins with Mozilla/5.0, so a pattern like *Mozilla* will block nearly all of your visitors.

And if you think a bot is pretending to be someone else, enter its IP range along with its user agent, and the plugin may block the spoofing bot from visiting your website again.

Once you have created your own block rule, you can always delete it at the bottom of the page:

Options Page

The Options page of the plugin lets you customize how Wordfence works for your site. You can set/select the following things on this page as per your site’s requirements:

Under License:

  • API Key and its type: The API Key field shows your unique alphanumeric license key for Wordfence. If you have bought the premium version of the plugin, you get a separate premium API key for your blog and your status under Key type currently active changes from FREE to PREMIUM or PAID.

Under Basic Options:

  • Enable Firewall: Checking this box enables all firewall functions as per your preferred firewall settings (discussed below).
  • Enable login security: Checking this box enables all login security functions as per your selected login rules (discussed below).
  • Enable live traffic view: Enabling this option lets you see all your blog’s traffic in real time on the plugin’s Live Traffic page. Live traffic logging is enabled by default; to disable it, uncheck the box in front of this option and click the Save Changes button.
  • Advanced comment spam filter: Enabling this premium feature lets the plugin filter spam comments from your blog’s comments section. Keep in mind that if you are already using Akismet with your blog, there is no need to enable this option.
  • Check if this website is being Spamvertised: Spamvertising is a spammy promotion technique in which a spammer includes your domain name in spam emails and sends them to huge numbers of people around the world. Enabling this premium feature tells the service to regularly monitor the spam databases of various services to check whether your domain name appears as a link in spam emails.
  • Check if this website IP is generating SPAM: A typical shared hosting server hosts thousands of websites, many of which may share a single IP address. If some other person’s account on your server gets compromised and an attacker starts using it for spamming and other malicious activities, then after some time almost all spam monitoring services may blacklist your server’s IP address. Enabling this premium feature instructs the service to regularly check various spam services for the blacklist status of your server’s IP address.
  • Enable automatic scheduled scans: Enabling this option instructs the plugin to automatically scan your installation for vulnerabilities and malware from time to time.
  • Update Wordfence automatically when a new version is released: Enabling this option gives the plugin full authority to update itself without user intervention, so you always remain up to date in terms of your installation’s security.
  • Where to email alerts: Enter the email address at which you’d like to receive security alerts about your website from the service. To receive these alerts at more than one address, enter multiple email addresses separated by commas.
  • Security level: From the drop-down menu select your preferred security level for your site. The choices are Level 0: Disable all Wordfence security measures; Level 1: Light (Basic) protection; Level 2: Medium protection, suitable for most sites; Level 3: High security. Use this when an attack is imminent; Level 4: Lockdown. Protect the site against an attack in progress at the cost of inconveniencing some users; and Custom Settings.
  • How does Wordfence get IPs: If you see suspicious visitors from fake IP addresses, or they appear to come from your internal network, select Use PHP’s built in REMOTE_ADDR from the drop-down menu (provided that you are not using Nginx or some other front-end proxy/firewall). If these suspicious visitors still continue to appear, select either Use the X-Real-IP or X-Forwarded-For HTTP header which my Nginx, firewall or front-end proxy is setting. And if you are using CloudFlare with your site, you can instruct the plugin to use the CF-Connecting-IP HTTP header to get the visitor’s IP. Only choose a header-based option when such a proxy really sits in front of your site, since any client can send these headers itself.
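Why the "How does Wordfence get IPs" choice matters is easiest to see in code. The function below is an added example, not Wordfence’s implementation: it resolves the visitor address the way the option names suggest (REMOTE_ADDR, X-Real-IP, X-Forwarded-For or CF-Connecting-IP), but only honours a header when the TCP peer (REMOTE_ADDR) is one of a configured set of trusted proxy addresses. Without that check a client connecting directly could choose the address that blocks and whitelists are applied to. The proxy and client addresses in `demo()` are constructed.

```python
import ipaddress


def _as_ip(value):
    """Return a normalised IP string, or None if value is not a valid address."""
    try:
        return str(ipaddress.ip_address((value or "").strip()))
    except ValueError:
        return None


def client_ip(remote_addr: str, headers: dict, mode: str, trusted_proxies=()) -> str:
    """Pick the visitor address according to mode.

    mode is one of "remote_addr", "x_real_ip", "x_forwarded_for" or "cf_connecting_ip".
    Headers are trusted only when the direct peer (remote_addr) is a trusted proxy;
    otherwise the header is ignored and remote_addr is used, because a client that
    connects directly can put anything it likes into X-Forwarded-For and friends.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    trusted = {_as_ip(p) for p in trusted_proxies}
    if mode == "remote_addr" or remote_addr not in trusted:
        return remote_addr

    if mode == "x_real_ip":
        candidate = _as_ip(hdrs.get("x-real-ip"))
    elif mode == "cf_connecting_ip":
        candidate = _as_ip(hdrs.get("cf-connecting-ip"))
    elif mode == "x_forwarded_for":
        # X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends the peer it
        # saw. Walk from the right and skip our own proxies; the first address that is not
        # ours is the one our trusted proxy actually talked to. Entries further left were
        # supplied by the client and cannot be trusted.
        candidate = None
        for hop in reversed(hdrs.get("x-forwarded-for", "").split(",")):
            ip = _as_ip(hop)
            if ip and ip not in trusted:
                candidate = ip
                break
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return candidate or remote_addr


def demo() -> dict:
    """Constructed scenarios: 10.0.0.2 is our reverse proxy, 198.51.100.7 the real visitor,
    and 203.0.113.9 an address the visitor tries to impersonate via a forged header."""
    proxies = ("10.0.0.2",)
    forged = {"X-Forwarded-For": "203.0.113.9"}
    return {
        # Visitor connects directly and forges the header: ignored, the peer address wins.
        "direct_forged": client_ip("198.51.100.7", forged, "x_forwarded_for", proxies),
        # Same forged header, but now the proxy appended the real peer on the right.
        "via_proxy_forged": client_ip("10.0.0.2", {"X-Forwarded-For": "203.0.113.9, 198.51.100.7"},
                                      "x_forwarded_for", proxies),
        # Honest chain through the proxy.
        "via_proxy": client_ip("10.0.0.2", {"X-Forwarded-For": "198.51.100.7"}, "x_forwarded_for", proxies),
        # REMOTE_ADDR mode never looks at headers: behind a proxy every visitor looks like the proxy.
        "remote_addr_behind_proxy": client_ip("10.0.0.2", {"X-Forwarded-For": "198.51.100.7"},
                                              "remote_addr", proxies),
        # CloudFlare-style header arriving from a trusted edge.
        "cloudflare": client_ip("10.0.0.2", {"CF-Connecting-IP": "198.51.100.7"}, "cf_connecting_ip", proxies),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name:26} -> {ip}")
```

The "remote_addr_behind_proxy" case is the situation the post describes as visitors "appearing from your internal network": every request is attributed to the proxy, so a block on that address would lock out everyone.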

Under Alerts:

  • To receive an instant alert whenever the plugin updates itself automatically, check the box in front of Email me when Wordfence is automatically updated.
  • Check the boxes in front of Alert on critical problems, Alert on warnings, Alert when an IP address is blocked, Alert when someone is locked out from login, Alert when the lost password form is used for a valid username present in your installation, Alert me when someone with administrator access signs in and Alert me when a non-admin user signs in, as per your requirements.
  • Set a value for Maximum email alerts to be sent per hour. Before setting a value in this field, contact your web host and ask about the hourly/daily email limit they may have placed on each account on the server. If you exceed this limit, they may start sending you warning emails or may terminate your outgoing mail service!

Under Live Traffic View:

  • If you check the box in front of Don’t Log signed in users with publishing access, the plugin won’t log and show your blog’s authors and fellow administrators in the live traffic feed.
  • If you don’t want certain registered users to appear in your live traffic feed, enter their usernames, separated by commas, in front of Usernames to ignore.
  • If you want the plugin to ignore certain IP addresses completely in the live traffic feed (such as your home/office network or the IP addresses of fellow administrators and authors), enter all of them, separated by commas, in front of IP addresses to ignore.
  • If you don’t want certain web browsers to appear in the live traffic feed, enter their user agents in the field in front of User agent to ignore.

Under Scans to include:

  • Scan public facing site for vulnerabilities: This premium feature of the service constantly scans every page of your publicly accessible website to find malicious code the file scanner may have missed. Attackers can craft malicious PHP code in such a way that a malware scanner finds nothing suspicious in the file, but when the final page is rendered in a browser, the code generates something malicious.
  • Heartbleed vulnerability: If you are using a version of the OpenSSL library (used for the Transport Layer Security (TLS) protocol) that is vulnerable to Heartbleed, the plugin notifies you via alerts.
  • Scan core files against repository versions for changes: The content of certain important core files of WordPress, like wp-config.php and wp-login.php, must not be altered under any circumstances. The plugin constantly scans these files against their repository versions and notifies you if it detects any abnormal change.
  • Scan plugin as well as theme files against repository versions for changes: If you are using a plugin or theme that is available in the official WordPress repository, the plugin scans all its files against the repository versions and notifies you about possible alterations.
  • Scan for signatures of known malicious files: The plugin scans every file of your installation for malicious code by comparing the file’s hash signature against those of known malicious files.
  • Scan file contents for backdoors, Trojans and suspicious code: The plugin scans the content of every file for malicious code that may compromise your account as well as the computers of your website’s visitors.
  • Scan comments for known dangerous URLs and suspicious content: If someone (human or bot) has left a URL in your blog’s comments section that leads to a malicious website, or a comment contains suspicious code, the plugin notifies you instantly.
  • Scan for out of date plugins, themes and WordPress versions: For maximum security it is recommended that you always use up-to-date versions of all your plugins, themes and the CMS itself.
  • Check the strength of passwords: If you or another user of your blog is using a weak password, an attacker may easily get into your installation.
  • Scan options table: The wp_options table in your blog’s database contains important information about your installation, such as your site URL and admin email address. The plugin can monitor this table for possible alterations.
  • Monitor disk space: Every file of your installation, as well as your site’s database, consumes a certain amount of disk space on your server. If you are about to hit your allotted disk space limit, the plugin notifies you.
  • Scan for unauthorized DNS changes: If an attacker manages to hijack your DNS and starts redirecting all your traffic to some other malicious web page, the plugin instantly notifies you via email alerts.
  • Scan files outside your WordPress installation: Suppose your blog is located at yourdomain.com and you host a PDF file, say abc.pdf, completely outside of your WordPress installation in a folder named test, so that its URL becomes yourdomain.com/test/abc.pdf. If you enable this option, the plugin also scans such files hosted outside your installation for malicious code.
  • Scan image files as if they were executable: Steganography is a technique by which a person can hide malicious executable code inside an image file. Enabling this option instructs the plugin to treat all image files as executable and scan them for possible malicious code.
  • Enable high sensitivity scanning: Enabling this option instructs the plugin to scan every file of your installation with utmost thoroughness. Keep in mind that this option may generate lots of false positives.
  • Exclude files from scan that match a particular wildcard pattern: If you are hosting files like .tar.gz, .zip, .rar in your installation and want to scan them, enter all their extensions separated by commas, like *.sql,*.tar,*.zip, in the field provided, so that the service can scan them for malicious code.

Under Firewall Rules:

  • Immediately block fake Google crawlers: Checking this box instantly blocks all web crawlers that try to act like Googlebot to enter your site. Keep in mind that this option may also block legitimate users who use Googlebot’s user agent in their browser or who browse through a data compression proxy.
  • How the plugin should treat verified Google crawlers: Select from Verified Google crawlers (like AdSense bot, Google Image bot etc.) have unlimited access to this site; Anyone claiming to be Google (this may include users who use Googlebot’s user agent in their browser or who browse through a data compression proxy) has unlimited access; and Treat Google like any other crawler. It is recommended that you select either the first or the second option.
  • If anyone’s requests exceed: Select from the drop-down menu what the plugin should do when the total number of requests from a particular visitor exceeds a given threshold during a given time interval.
  • If a crawler’s page views exceed: Select from the drop-down menu what the plugin should do if the total number of requests from a particular bot exceeds a given threshold during a given time interval.
  • If a crawler’s pages not found (404s) exceed: If a web crawler is generating too many 404 Not Found errors on your blog, select from the drop-down menu what the plugin should do with that crawler.
  • If a human’s page views exceed: Getting lots of page views from a legitimate human being is good, as it may reduce your blog’s bounce rate and allow you to earn revenue from advertising networks like AdSense. But if a visitor is generating too many page views during a particular period of time, select from the drop-down menu what the plugin should do.
  • If a human’s pages not found (404s) exceed: If a human visitor is generating too many 404 Not Found errors during a particular period of time, the plugin can either throttle or block that visitor.
  • How long is an IP address blocked when it breaks a rule: Select the time in minutes for which an IP address is blocked if it breaks a firewall rule.
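The "fake Google crawlers" rule above depends on telling a real Googlebot from a client that merely sends Googlebot’s user agent. Google’s published way to verify its crawlers is a two-step DNS check: the reverse (PTR) lookup of the visiting IP must give a hostname under googlebot.com or google.com, and a forward lookup of that hostname must resolve back to the same IP. The code below is an added example of that check, not Wordfence’s implementation; it takes the two lookups as functions so it can run offline against constructed DNS fixtures, in which 192.0.2.1 plays a genuine crawler, 203.0.113.7 an impostor whose owner set a misleading PTR record, and 198.51.100.3 a scanner with an honest but unrelated PTR name.

```python
import socket

GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def claims_to_be_googlebot(user_agent: str) -> bool:
    """Cheap first filter: does the client merely say it is Googlebot?"""
    return "googlebot" in user_agent.lower()


def verify_googlebot(ip: str, reverse_lookup, forward_lookup) -> bool:
    """Google's documented check: PTR name under a Google domain AND that name resolving
    back to the same IP. Either step alone is spoofable: whoever controls reverse DNS for
    their own range can point a PTR at 'something.googlebot.com', but they cannot make
    Google's forward DNS for that name answer with their address."""
    host = reverse_lookup(ip)
    if not host:
        return False
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    return ip in forward_lookup(host)


def classify_crawler(ip: str, user_agent: str, reverse_lookup, forward_lookup) -> str:
    """'other' for clients not claiming to be Googlebot, else 'verified-google' or 'fake-google'."""
    if not claims_to_be_googlebot(user_agent):
        return "other"
    return "verified-google" if verify_googlebot(ip, reverse_lookup, forward_lookup) else "fake-google"


# Lookups against real DNS, for use on a live server (not used by the offline demo).
def dns_reverse(ip: str):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are subclasses of OSError
        return None


def dns_forward(host: str) -> list:
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []


# Constructed fixtures standing in for DNS answers so the example runs offline.
FIXTURE_PTR = {
    "192.0.2.1": "crawl-192-0-2-1.googlebot.com",    # genuine: forward record matches
    "203.0.113.7": "crawl-192-0-2-1.googlebot.com",  # impostor: PTR borrowed from the genuine name
    "198.51.100.3": "scanner.example.net",           # honest PTR, but not a Google domain
}
FIXTURE_A = {
    "crawl-192-0-2-1.googlebot.com": ["192.0.2.1"],
    "scanner.example.net": ["198.51.100.3"],
}


def fixture_reverse(ip):
    return FIXTURE_PTR.get(ip)


def fixture_forward(host):
    return FIXTURE_A.get(host, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo() -> dict:
    """Verdict for each constructed address, all presenting the Googlebot user agent."""
    return {
        ip: classify_crawler(ip, GOOGLEBOT_UA, fixture_reverse, fixture_forward)
        for ip in ("192.0.2.1", "203.0.113.7", "198.51.100.3", "192.0.2.99")
    }


if __name__ == "__main__":
    for ip, verdict in demo().items():
        print(f"{ip:14} {verdict}")
```

On a live server you would pass `dns_reverse` and `dns_forward` instead of the fixtures and cache the verdict per address, since two DNS round trips per request is too slow to do inline; the address with no PTR record at all (192.0.2.99) is treated as unverified, which is the safe default.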

Under Login Security Options:

  • Enforce strong passwords: If you want all your blog’s fellow administrators, authors and editors to use strong passwords, select Force admins and publishers to use strong passwords OR Force all members to use strong passwords from the drop-down menu.
  • Lock out after how many login failures: Select from the drop-down menu the number of login failures after which the plugin automatically bans an IP address from further access to your site.
  • Lock out after how many forgot password attempts: Select from the drop-down menu the number of Forgot password attempts, made through your blog’s yourdomain.com/wp-login.php?action=lostpassword page, after which the plugin automatically locks out a particular IP address or range.
  • Amount of time a user is locked out: The number of minutes/hours/days for which a locked-out user remains banned from accessing your site.
  • Immediately lock out invalid usernames: If you enable this option, then whenever someone types a username that does not exist on your blog, the plugin instantly locks out that IP address. Keep in mind that if a legitimate user of your blog mistypes their username, the plugin will lock them out as well.
  • Prevent users from registering ‘admin’ username (if it doesn’t exist): If you have enabled public registration on your blog, enabling this option prevents users from registering admin as their username.
  • Prevent discovery of usernames through /?author=ABC scans: If you visit the profile page of any particular author of your blog, the URL may reveal the exact username used by that author. Enabling this option prevents that discovery.
  • Immediately block the IP of users who try to sign in as these usernames: Enter a comma-separated list of usernames; anyone who tries to sign in with one of them is blocked instantly by the plugin.
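To make the rate-limiting and login-lockout options above concrete, here is an added example (not Wordfence’s own code) of a sliding-window rule engine that counts events per IP, locks an address out for a configured duration, and locks out invalid usernames immediately. The thresholds, window length, usernames and addresses are constructed for illustration.

```python
"""Added example (not Wordfence's own code): a sliding-window decision engine
that mirrors the rate-limiting and login-lockout options above.  The policy
values, usernames and addresses are constructed for illustration."""
from collections import defaultdict, deque

POLICY = {                       # constructed thresholds, one per option above
    "window_seconds": 60,        # period over which events are counted
    "max_per_window": {          # "... exceed" limits for each event kind
        "view": 100, "404": 3, "login_failure": 3, "lostpassword": 2},
    "lockout_seconds": 300,      # "amount of time a user is locked out"
    "lockout_invalid_usernames": True,
}
KNOWN_USERS = {"editor", "author1"}   # constructed list of real accounts


class RuleEngine:
    def __init__(self, policy, known_users):
        self.policy, self.known_users = policy, known_users
        self.events = defaultdict(lambda: defaultdict(deque))  # ip -> kind -> times
        self.blocked_until = {}                                # ip -> expiry time

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, -1) > now

    def _count_in_window(self, ip, kind, now):
        q = self.events[ip][kind]
        q.append(now)
        while q[0] <= now - self.policy["window_seconds"]:   # drop stale events
            q.popleft()
        return len(q)

    def _block(self, ip, now, reason):
        self.blocked_until[ip] = now + self.policy["lockout_seconds"]
        return ("block", reason)

    def observe(self, ip, now, kind, username=None):
        """Record one event and return ('allow' | 'block', reason)."""
        if self.is_blocked(ip, now):
            return ("block", "already blocked")
        if (kind == "login_failure" and self.policy["lockout_invalid_usernames"]
                and username not in self.known_users):
            return self._block(ip, now, "invalid username")
        if self._count_in_window(ip, kind, now) > self.policy["max_per_window"][kind]:
            return self._block(ip, now, f"too many {kind} events")
        return ("allow", "")
```

Feed `observe()` one event per request (timestamp in seconds, the kind of event, and the username for login failures); once a limit is crossed the address stays blocked until `lockout_seconds` has elapsed.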

Under Other Options:

  • Whitelisted IP addresses that will bypass all rules: Enter a list of IP addresses, separated by commas, to which NO Wordfence rule will apply. You can also enter an IP range in this field using this format: 168.1.[1-50].
  • Immediately block IP addresses that access these URLs: If you do not want any IP address to access a particular resource page on your site, enter the page’s URL in the field provided. You can enter multiple URLs in the field, each separated by a comma. This option can be very useful when an attacker is trying to bring down your site/server by hitting a particular page constantly.
  • Filter comments for malware and phishing URLs: If someone leaves a comment on your site which contains a malicious URL, the plugin will filter it out completely.
  • Check password strength on profile update: Whenever you or another registered user of your site updates any profile information or changes their password, the plugin checks whether the password is strong.
  • Participate in the Real-Time WordPress Security Network: This helps ensure that your site is protected from any ongoing attack. The plugin also sends information about any attacks on your installation to the network so that other sites on the network can be protected as well.
  • Maximum memory Wordfence can use: Enter the maximum value in megabytes that the plugin may use on your server/account. Before entering a value here, you may want to contact your host.
  • Maximum execution time for each scan stage: Set the maximum execution time allowed for each scan stage.
  • Enable debugging mode: Check the box in front of this option if you want to enable debugging mode for your site. This option can be very useful if you are a developer. However, keep in mind that it may increase the load on your database.
  • Delete Wordfence tables and data on deactivation: If you ever deactivate the plugin in the future, Wordfence can delete all its associated data from your blog’s database. Keep in mind that after this all your previous settings will be lost permanently and you will have to set everything up again from scratch.
  • Disable Wordfence Cookies: If you enable this option, all visits in the live traffic feed will appear to be new visits.
  • Start all scans remotely: This option can be highly useful if your scans aren’t starting. Enabling it launches a remote scan of your publicly accessible site.
  • Add a debugging comment to HTML source of cached pages: If you are a developer, enabling this option adds a debugging comment to the source of cached pages while debugging mode is on.
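The whitelist field accepts bracketed octet ranges and takes precedence over every other rule, including the blocked-URL list. The following added example (not Wordfence’s own code) parses entries in that format and applies the whitelist-before-block precedence; it assumes a full four-octet address, and the whitelist entries, blocked path and request samples are constructed.

```python
"""Added example (not Wordfence's own code): parse whitelist entries in the
bracket-range format described above and apply the whitelist-before-block
precedence for the "block IP addresses that access these URLs" option.
The whitelist entries, blocked paths and request samples are constructed."""
import re

OCTET = re.compile(r"^(?:(\d{1,3})|\[(\d{1,3})-(\d{1,3})\])$")

def parse_entry(entry):
    """'192.168.1.[1-50]' -> list of (low, high) per octet; raises on bad input."""
    parts = entry.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {entry!r}")
    ranges = []
    for part in parts:
        m = OCTET.match(part)
        if not m:
            raise ValueError(f"bad octet {part!r} in {entry!r}")
        lo, hi = (m.group(1), m.group(1)) if m.group(1) else (m.group(2), m.group(3))
        lo, hi = int(lo), int(hi)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"octet range out of order or out of bounds: {part!r}")
        ranges.append((lo, hi))
    return ranges

def parse_whitelist(field):
    """Comma-separated field, as typed into the option, -> list of parsed entries."""
    return [parse_entry(e) for e in field.split(",") if e.strip()]

def ip_matches(ip, ranges):
    octets = [int(o) for o in ip.split(".")]
    return len(octets) == 4 and all(lo <= o <= hi for o, (lo, hi) in zip(octets, ranges))

def is_whitelisted(ip, whitelist):
    return any(ip_matches(ip, r) for r in whitelist)

def decide(ip, path, whitelist, blocked_paths):
    """Whitelisted addresses bypass every rule; others are blocked on listed paths."""
    if is_whitelisted(ip, whitelist):
        return "allow (whitelisted)"
    if path in blocked_paths:
        return "block"
    return "allow"

# Constructed sample settings: one single address, one bracketed range, one blocked path.
WHITELIST = parse_whitelist("203.0.113.10, 192.168.1.[1-50]")
BLOCKED_PATHS = {"/xmlrpc.php"}
```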

At the very bottom of the options page you will find the following links:

1. Click to test connectivity to the Wordfence API servers: This hyperlink tests the connectivity of your server to the Wordfence servers using cURL and wp_remote_post(). If the connection test is successful, you will see a message like the following in your browser:

test results

If the test fails, show the failed test result to your host; they may be able to troubleshoot the problem for you.

2. Click to view your system’s configuration in a new window: This option shows you the complete system specification of your account/server. You may see the following important information on this page:

  • Current PHP Version.
  • Linux System Information and Build Date.
  • Configuration Commands.
  • Server API.
  • Support for Virtual Directory.
  • Configuration file path (the location of php.ini).
  • PHP API and Extension.
  • Zend Extension.
  • Support for IPv6.
  • Registered PHP, Socket Transport and Filter Streams.
  • PHP Variables etc.

The contents of this window are exactly the same as the output of phpinfo().

3. Test your WordPress host’s available memory: Clicking this hyperlink tests the memory available to your account on your server. You may get a result like the following in your browser:

starting test

The result includes details about the following:

  • Maximum amount of memory configured in php.ini: This value is generally configured by your web host for each account on a server. You can increase it by editing the memory_limit directive in the php.ini file of your installation, although it is recommended that you contact your host before editing the value.
  • Current memory usage: The memory currently in use by the plugin.
  • Maximum memory: The plugin sets a maximum amount of memory available for itself. This value is always lower than the maximum amount of memory configured for your account.
  • Memory Benchmark Result: The benchmark result shows you the amount of memory that your web host allows for each PHP process hosting your WordPress site.