Wordfence is a plugin we deploy on nearly all of our client websites.
What's It For?
In one word: Security!
Wordfence is one of many security-focused plugins in the WordPress space that help to protect against hacking. (Others include MalCare, Sucuri, iThemes Security, All-in-One WP Security and BulletProof.)
Broadly speaking, there are three main attack vectors for hacking WordPress sites: through insecurities with the host; through insecure PHP code (usually from a plugin); or through getting into the admin somehow. Wordfence offers tools and systems to help mitigate problems with each of those (though its ability to prevent issues with a host is pretty limited).
We use Wordfence because it makes our clients' sites safer.
One way to think about it is that while WordPress isn't insecure per se, any website is a potential target. Wordfence makes it much harder for a happenstance hacking to occur, and can even help protect against many targeted attacks (though we should note: it's not foolproof — no security software is!).
What's It Do?
A lot! But in general Wordfence's features fall into two broad categories:
Wordfence implements a firewall (also known as a WAF or "Web Application Firewall").
As their documentation describes it, the Wordfence Web Application Firewall is a PHP-based, application-level firewall that filters out malicious requests to your site.
Basically, Wordfence has a bunch of code that watches how the site is being accessed and prevents certain kinds of requests from being received or responded to if they look fishy. It can block badly behaving site visitors, such as bots attacking the site.
Wordfence also performs regular scans of the code and files within the site to check for anything fishy.
This includes checks for potential security risks (such as publicly-accessible files that could contain sensitive information) as well as the presence of suspicious code — i.e. evidence of a hack or compromise.
What About Cloudflare, Pantheon, Premium, Other Plugins, etc.?
As mentioned in the intro, we install and configure Wordfence on nearly all client websites. How important Wordfence is varies a bit depending on the hosting setup.
A big part of what Wordfence does is its firewall... but Cloudflare is also a firewall!
While having both in place is somewhat redundant, Wordfence does some things Cloudflare doesn't (and vice versa).
As "Wordfence is fully compatible with CloudFlare" we generally still activate Wordfence on Cloudflare-using sites, even though it has less work to do. That said, if for some reason Wordfence is causing issues on a site behind Cloudflare, disabling it is not nearly as risky as doing so when CF isn't in place.
Pantheon, like Wordfence and Cloudflare, implements a firewall.
But unlike Cloudflare, Pantheon's isn't fully compatible with Wordfence. Thankfully, production environments in Pantheon are so locked-down that it's pretty much impossible for a ne'er-do-well to get in via a code or hosting insecurity.
While getting in through the admin and messing up the database is still theoretically possible, the risk factor there is low enough (especially given Pantheon's regular backups) that we do not run Wordfence on Pantheon.
In general, the free version of Wordfence provides a ton of security and covers what almost all of our clients need.
What it doesn't do is allow for configuring blocking specific visitors by country of origin — so if a site is getting pummeled by bots from China, we can't just block all traffic originating from there.
Usually the firewall is smart enough to start blocking attacks that are all coming from the same place, but if we want to proactively do a blanket block, Premium is necessary (or Cloudflare).
Other Security Plugins
Wordfence is one of a handful of "top recommended" security plugins. We started using it years ago after our preferred-at-the-time plugin, Better WP Security, started causing bugs and performance issues for our clients. Since we switched to Wordfence, we haven't looked back — it seems to do the job and remains highly regarded.
If you need to use some other reputable security plugin, such as iThemes Security or Sucuri, we can totally help set that up, but please note: We're less familiar with some of these and may need additional time to provide services and configuration changes for these other plugins.
Commonly Reported Issues
Wordfence will email a report to whoever it's configured to send such information to. There are some common themes that come up in these reports that clients may ask about, including:
Blocked Hacking Attempts
Wordfence likes to show that it's busy actively doing things, so it sends out emails reporting back on how many suspicious-looking site visits it blocked and their country of origin.
Sometimes people get anxious about this — "Who is trying to hack my site? What's going on?" — but unless there are thousands of blocks happening regularly, there's no reason for concern: the report just means Wordfence is doing its job to keep out indiscriminate "drive by" bots and hack attempts that happen all the time to all websites.
If the blocked attempts get really high in volume (like in the thousands), there might be reason to be concerned, simply because it means Wordfence is having to work extra hard to block them and it might be slowing the site down a bit.
If that's the case, adding in Cloudflare or upgrading to Premium to try to pre-emptively block "bad guys" before Wordfence needs to analyze their behavior may be warranted.
Public File Alerts
One thing Wordfence looks for when it scans a site's files is files that may be security risks because they could contain sensitive information — not necessarily because they are evidence of hacking.
Even when a file doesn't contain super sensitive information (if user passwords are encrypted, for example), it can contain things that generally shouldn't be out in the open, such as lists of all users or all form submissions (which may contain things like people's postal addresses or donation histories).
When Wordfence spots a file like this, we usually delete it, even though the security risk of these files is generally very low as they're hard to find.
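As an added illustration of the kind of "public file" check described above (this is example code written for this page, not Wordfence's own scanner or rule set), the script below walks a WordPress web root and flags files that are commonly left behind and shouldn't be reachable from the web: database dumps, archived backups, stray copies of wp-config.php, debug logs and data exports sitting in uploads. The patterns and the sample path list are constructed assumptions.

```python
"""Flag files under a WordPress web root that a Wordfence-style scan would
report as publicly accessible and possibly sensitive.  The heuristics are
constructed for this example and are not Wordfence's actual rules."""
import os
import re
import sys

# (regex applied to the web-root-relative path, reason to report).  Constructed list.
RISKY_PATTERNS = [
    (r"(^|/)wp-config\.php[.~_-].*$", "backup copy of wp-config.php (contains DB credentials)"),
    (r"\.(sql|sql\.gz|sql\.zip)$", "database dump (users, form submissions, etc.)"),
    (r"\.(zip|tar|tar\.gz|tgz|rar|7z)$", "site or plugin archive"),
    (r"(^|/)(debug|error_log|php_errorlog)(\.log)?$", "PHP/WordPress log exposing internal paths"),
    (r"^wp-content/uploads/.*\.(csv|xlsx?|json)$", "exported data stored in uploads"),
    (r"(^|/)(\.env|\.git/config|\.htpasswd)$", "dotfile with secrets or repository details"),
]


def classify(rel_path):
    """Return the reason a path is risky, or None if it looks fine."""
    rel = rel_path.replace(os.sep, "/")
    for pattern, reason in RISKY_PATTERNS:
        if re.search(pattern, rel, re.IGNORECASE):
            return reason
    return None


def flag_paths(rel_paths):
    """Classify a list of web-root-relative paths; returns sorted (path, reason) hits."""
    hits = []
    for path in rel_paths:
        reason = classify(path)
        if reason:
            hits.append((path.replace(os.sep, "/"), reason))
    return sorted(hits)


def scan(web_root):
    """Walk a real web root (including dot-directories) and flag risky files."""
    rel_paths = [os.path.relpath(os.path.join(d, f), web_root)
                 for d, _, files in os.walk(web_root) for f in files]
    return flag_paths(rel_paths)


# Constructed sample listing; a normal install only ever has the first two and the last.
SAMPLE_PATHS = ["index.php", "wp-config.php", "wp-config.php.bak", "backup.sql.gz",
                "wp-content/uploads/2023/donations.csv", "wp-content/debug.log",
                "wp-includes/js/jquery.js"]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, reason in (scan(target) if target else flag_paths(SAMPLE_PATHS)):
        print(f"{path}: {reason}")
```

Run it with the web root as the first argument to scan a real site; with no argument it classifies the constructed sample list.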