Wordfence is a relatively new combination plugin / service for WordPress users worried about site security. This article aims to compare two aspects of the Wordfence WordPress plugin to competitors: site security options and anti-bot protection.
Wordfence as a Security Plugin
Here’s how Wordfence compares as a security plugin to three alternative ways of securing a WordPress site:
- Better WP Security – http://wordpress.org/extend/plugins/better-wp-security/
This is the gold standard as far as free WordPress security plugins go. You have many intuitive security options available to you, including away mode (turning off the ability to log in for a set time period), removing login error messages and changing the WordPress database table prefix to something other than “wp_”. It’s simple to implement and is much better than doing nothing, but it’s not quite as sophisticated and in-depth as the Wordfence service.
- Website Defender – http://www.websitedefender.com
I used to be high on Website Defender, but the free version is now essentially a gutted version of their $99/year plan:
- One scan every 30 days on the Free plan versus daily scans on the Pro plan.
- There are no malware / Trojan scans via the Acunetix Web Vulnerability Scanner, nor are there any WordPress database injection checks in the free version.
- No automated backups.
Although Wordfence also has a paid option, its free option gives you so much more than what Website Defender provides, including antivirus scans.
- Sucuri – Sucuri seems to be where people turn to after their sites have been infected. They do offer more proactive website monitoring, but the costs have prevented me from investigating further: $90/year for one site, $390/year for 15 sites.
- Wordfence – http://wordpress.org/extend/plugins/wordfence/
Wordfence is a recently introduced WordPress security service. One of the best features of Wordfence is that it scans your core WordPress files and checks them for viruses (a paid API is needed to scan your plugins and themes against the versions at the WordPress.org repository). What Norton Anti-Virus is to your computer is basically what Wordfence is for your WordPress site. Not only is Wordfence great for preventing an infected WordPress site, it can actually heal files (doing a diff on them to see how they’ve been hacked and then reconstructing them). This protection includes backdoor trojans and other kinds of malware that target WordPress sites.
Also, its login security options essentially replace the Login Lockdown plugin.
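The core-file check and repair described above can be pictured with the following added example, which is not Wordfence's code and not from the original article. It assumes a local known-good copy of the files stands in for the repository versions and uses SHA-256 for comparison; the file names and contents in `demo()` are constructed.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def manifest_of(root):
    """Relative path -> SHA-256 for every file under a directory tree."""
    return {p.relative_to(root).as_posix(): digest(p)
            for p in root.rglob("*") if p.is_file()}

def scan(site, manifest):
    """Classify the live tree: changed core files, missing ones, and extras."""
    live = manifest_of(site)
    known = set(manifest)
    return {
        "modified": sorted(f for f in known & set(live) if live[f] != manifest[f]),
        "missing": sorted(known - set(live)),
        "unknown": sorted(set(live) - known),
    }

def diff(good, site, rel):
    """Unified diff, known-good vs. live; '+' lines exist only on the live site."""
    a = (good / rel).read_text(errors="replace").splitlines()
    b = (site / rel).read_text(errors="replace").splitlines()
    return list(difflib.unified_diff(a, b, "good/" + rel, "live/" + rel, lineterm=""))

def repair(good, site, rel):
    """Restore one file from the known-good copy."""
    (site / rel).write_bytes((good / rel).read_bytes())

def demo():
    """Constructed two-file 'core' tree; the live copy gets one edit and one extra file."""
    tmp = Path(tempfile.mkdtemp())
    good, site = tmp / "good", tmp / "site"
    for root in (good, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
        (root / "wp-includes/version.php").write_text("<?php\n$wp_version = 'X.Y';\n")
    (site / "index.php").write_text("<?php\ninclude 'cache.php'; // constructed injected line\n"
                                    "require 'wp-blog-header.php';\n")
    (site / "cache.php").write_text("<?php // constructed unexpected file\n")
    manifest = manifest_of(good)
    before = scan(site, manifest)
    added = [l for l in diff(good, site, "index.php")
             if l.startswith("+") and not l.startswith("+++")]
    repair(good, site, "index.php")
    return before, added, scan(site, manifest)
```

Restoring a modified file does not remove files that were never part of the known-good set, so the "unknown" list still needs review after a repair.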
Wordfence as an Anti-Bot Plugin
Wordfence has multiple features that make it a great solution if you need to track down bandwidth-slurping bots and give them the boot:
- It includes a firewall to block common security threats like fake Googlebots and malicious hacker scans.
- You can rate limit or block security threats like aggressive crawlers, scrapers and bots that use security scans to probe for your site’s vulnerabilities.
- You can choose whether you want to throttle or completely block users and robots who break your security rules.
- See all your traffic in real-time, including automated robots as well as humans.
- Wordfence will also show you 404 errors, login attempts and who or what is consuming most of your bandwidth. It will also reveal city-level geolocation, so you can know what country your security threats are coming from.
- Monitors disk space during a DDoS attack on your WordPress site, since filling up your disk is one way that a bot could cripple your site.
Wordfence is able to pick out fake Google crawlers without any user intervention. Many bots don’t play nice, and fake Googlebots are only one example.
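One common way to tell a real Googlebot from a fake one is forward-confirmed reverse DNS, shown here as an added example over access-log lines; it is not Wordfence's code and the article does not say how Wordfence does it. The host suffixes are an assumption based on Google's published crawler-verification guidance, and the log lines, IP addresses and DNS answers are constructed.

```python
import re
import socket

# Assumption: host suffixes Google publishes for verifying its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
LOG_RE = re.compile(r'^(\S+) .*"([^"]*)"$')  # first field = client IP, last quoted = UA

def dns_reverse(ip):
    return socket.gethostbyaddr(ip)[0]

def dns_forward(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_real_googlebot(ip, reverse=dns_reverse, forward=dns_forward):
    """PTR must name a Google host, and that host must resolve back to the same IP."""
    try:
        host = reverse(ip).rstrip(".").lower()
        return host.endswith(GOOGLE_SUFFIXES) and ip in forward(host)
    except (OSError, KeyError):  # no PTR record or lookup failure: treat as unverified
        return False

def find_fake_googlebots(lines, reverse=dns_reverse, forward=dns_forward):
    """Client IPs whose user agent claims Googlebot but which fail DNS verification."""
    fakes = set()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m and "googlebot" in m.group(2).lower():
            if not is_real_googlebot(m.group(1), reverse, forward):
                fakes.add(m.group(1))
    return sorted(fakes)

# Constructed sample data: documentation IP ranges and made-up DNS answers.
PTR = {"192.0.2.10": "crawl-192-0-2-10.googlebot.com",
       "203.0.113.5": "crawl-203-0-113-5.googlebot.com",  # PTR chosen by the IP's owner
       "198.51.100.7": "host7.example.net"}
A = {"crawl-192-0-2-10.googlebot.com": {"192.0.2.10"}}  # only this name confirms forward
BOT_UA = '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'
LOG = [ip + ' - - [01/Jan/2013:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" ' + ua
       for ip, ua in [("192.0.2.10", BOT_UA), ("203.0.113.5", BOT_UA),
                      ("198.51.100.7", BOT_UA), ("198.51.100.99", '"Mozilla/5.0 Firefox"')]]

def demo():
    return find_fake_googlebots(LOG, PTR.__getitem__, lambda h: A.get(h, set()))

if __name__ == "__main__":
    print(demo())  # IPs to throttle or block
```

The second sample address shows why the forward lookup matters: its reverse record looks like a Google host, but that name does not resolve back to the address, so it is still flagged.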
Wordfence Alternatives for Blocking Bad Bots
So let’s look at some alternatives to Wordfence for keeping the bad spiders away from your site:
- Spyder Spanker was originally offered as a free plugin on the (now defunct) CashTactics affiliate marketing website. WordPress users have needed an alternative to Chennai Central, an anti-bot plugin that has been orphaned. Spyder Spanker re-emerged in 2012 in both standard and pro versions (there is no free option, a fact that isn’t surprising seeing how it’s being sold primarily in affiliate marketing forums). The plugin is incompatible with W3 Total Cache, which unfortunately means it’s not an option for me.
- CloudFlare – https://www.cloudflare.com
CloudFlare is a service that blocks bots even before they reach your site. There’s a catch, and it’s a big one: you have to point the DNS of your site to Cloudflare. Many webmasters are not willing to give another company this kind of control over their site. I’ll return to Cloudflare in a later post, but they seem to be getting better and better and many of the “server not found” types of errors that plagued early adopters are becoming much rarer now.
The only issue with Wordfence I see so far is that it can be resource hungry. The plugin itself can consume up to 8 MB of memory. Also, keeping the admin screen open to watch live traffic will likely tax your server’s CPU to some degree.