WPMU DEV Defender security plugin
This guide explains how to use Defender’s security features to protect your WordPress sites from malicious attacks.

Stop Hackers in Their Tracks

If you’re unfamiliar with security plugins it may be helpful to read our blog post, How to Stop Hackers in Their Tracks with Defender, before proceeding. The post discusses Defender’s features in a less technical manner than this guide and can help users formulate a plan to make the most of our premium website security plugin.

Once Defender is installed and activated, refer to this guide for assistance configuring and managing Defender. Use the index on the left to quickly access guidance on specific features.

If you haven’t installed Defender yet, then you should visit the Defender Pro page where you can explore the plugin’s many features and sign up for a free trial membership.

6.1 Quick Setup

The Quick Setup popup appears the first time the Defender Dashboard is accessed.

All of Defender’s security modules are enabled by default. We recommend enabling all features and then configuring any security exceptions you require within the individual modules. Disabling any feature creates a significant gap in your site’s security.

Click Get Started to proceed or click Skip to advance to the Dashboard with all modules disabled.

Quick setup wizard in Defender

Defender’s key modules include:

  • Automatic Malware Scans and Reporting — Configure Defender to conduct regular security scans and to notify admins if anything suspicious is discovered
  • Audit Logging — Track and log all changes to a site, creating a database of critical information about events impacting your site
  • Firewall — Protect your site by identifying and blocking problem users by IP Address
  • Blocklist Monitor — Defender will monitor the Google blocklist and notify you if your site appears on the list.

6.2 Defender Dashboard

The Dashboard consists of the Overview and Quick Access panels for each Defender module. Admins, particularly those managing multiple sites, can use the Dashboard to determine if a website’s security configuration needs attention.

Recommended Reading

Looking for a concise guide to using Defender’s prime features to your advantage? Read our blog on how to Get the Most Out of Defender Security.

The tutorials banner in the dashboard provides quick links to various tutorials that may be of help to you. Click Read article to read the respective article or click View all to access all of our tutorial resources.

You can also remove the banner by clicking on the X icon. Even if you remove the banner of tutorials, you will still be able to access all of the quick-links to articles in the Tutorials tab.

Defender dashboard tutorials

Overview

The Overview panel provides a snapshot of Defender’s security configuration and activity. In the top right-hand corner, you can use the View Documentation button to access Defender documentation (this document). Use the Overview to quickly assess the site’s current security status:

  • Security Tweaks Actioned – The number of tweaks identified that have been actioned relative to the total number found.
  • Malware Scan Issues (Pro) – The number of instances of suspect PHP functions and suspicious code that have yet to be addressed. A green check mark indicates that no unaddressed issues exist.
  • Last Lockout (Pro) – The date and time a user was locked out for exceeding the login attempt threshold.

Dashboard overview in Defender

Quick Access

The Quick Access panels provide easy access to every Defender module, allowing admins to activate/deactivate modules, view logs, and generate reports.

  • Security Tweaks – Suggested actions admins can take to address potential vulnerabilities identified during Malware Scanning. Click View All to access the Security Tweaks module.
  • Web Application Firewall – WPMU DEV’s new hosted WAF filters requests against a highly optimized managed ruleset covering common attacks and performs virtual patching of WordPress core, plugin, and theme vulnerabilities.

WAF & White-Labeling

Note that the Web Application Firewall module will not be visible or accessible if the White-Labeling option is enabled in the WPMU DEV Dashboard plugin. See White Label Plugins in WPMU DEV Dashboard documentation for more on that.

  • Blocklist Monitor – A recurring check to ensure a site has not been identified by Google as unsafe to visit. Click the toggle button to enable/disable the Blocklist Monitor.
  • Advanced Tools – Use to enable Security Headers or to mask a site’s login area. Click the Activate buttons to enable and configure either security measure.
  • Preset configs – Allows you to bundle your Defender settings to download and apply them to your other sites.
  • Malware Scanning – The process of checking a site for known vulnerabilities in code and configuration. Scanning is how Defender knows what Security Tweaks to suggest. Click View Report to access the Malware Scanning module.

Malware Scanning for Pros

The free version of Defender scans a site’s WordPress core files for modifications and unexpected changes. Defender Pro – free to WPMU DEV members – also scans plugins and themes and searches the entire site for suspicious code. Visit the Defender Pro page where you can explore the plugin’s many features and sign up for a free trial membership.

  • Firewall – Blocks IP addresses that repeatedly attempt to access a site with incorrect login credentials or pages that do not exist. Click View Logs to open the Firewall module.
  • Audit Logging – Track and generate reports regarding all security-related events on a given site. Click View Logs to access and configure a site’s audit logs.
  • Two-Factor Authentication – Add an extra layer of security to your WordPress account to ensure that you’re the only person who can log in, even if someone else knows your password.
  • Reporting – Configure and automatically export reports on the results of Malware Scanning, the Firewall, and Audit Logging. Reports are configured within the Malware Scanning, Firewall, and Audit Logging modules.

6.3 Security Tweaks

Security Tweaks Issues are, generally, common security vulnerabilities that can be addressed by applying security best practices to a site’s configuration wherever possible.

Overview

The Overview panel displays the number of tweaks in place and the number of potential vulnerabilities that have not been addressed. The current PHP version, server information, and WordPress version are also displayed.

Security tweaks overview in Defender plugin

The four tabs within the Security Tweaks module include:

  • Issues — Potential security vulnerabilities, along with suggested fixes.
  • Resolved — Issues for which a fix has been applied, along with the option to undo (Revert) that fix.
  • Ignored — Issues Defender will no longer identify as a potential vulnerability because the Ignore option has been selected in the Issues tab.
  • Notifications — Email alerts intended to warn admins of Issues that have remained unresolved for seven days or more.

6.3.1 Issues - Security Tweaks

Security Tweak Issues are, generally, opportunities to improve site security with relatively simple configuration changes. Each Issue is accompanied by a suggested solution, many of which require nothing more than a single click to implement.

We recommend applying every possible tweak; however, some fixes may not be practical for every site. Keep in mind that most tweaks can be easily undone using the Revert option available in the Resolved tab. The Revert option allows admins to temporarily disable a tweak to accomplish a task, then enable it again when the task is complete to maintain site security.

Ultimately, admins must determine for themselves which tweaks work for their sites and which do not.

Issues flagged in Defender security tweaks

Applying Fixes

Each item under the Issues tab can be expanded to see a detailed explanation of the issue, as well as our suggested fix. Click the arrow to the right of any issue to access the detailed explanation.

Each detailed explanation includes:

  • Overview — Explanation of the potential vulnerability
  • Status — The current state of a specific issue
  • How to fix — Our recommendation for addressing a specific issue
  • Ignore — Click Ignore to remove an issue from the Issues tab. Ignored issues will no longer appear in the Issues tab, but will appear in the Ignored tab, instead.
  • Action button — An action button unique to the suggested fix appears in the bottom right corner.

Issue details in Defender security tweaks

6.3.2 Opportunities Overview

Below is a list of all the available Security Tweaks included with Defender:

  • Change default database prefix – When you first install WordPress on a new database, the default settings start with wp_ as the prefix to anything that gets stored in the tables. This makes it easier for hackers to perform SQL injection attacks if they find a code vulnerability.
  • Hide error reporting – Developers often use the built-in PHP and scripts error debugging feature, which displays code errors on the frontend of your website. It’s useful for active development, but on live sites provides hackers yet another way to find loopholes in your site’s security.
  • Update PHP to latest version – PHP is the software that powers WordPress. It interprets the WordPress code and generates web pages people view. Naturally, PHP comes in different versions and is regularly updated. As newer versions are released, WordPress drops support for older PHP versions in favour of newer, faster versions with fewer bugs.
  • Prevent PHP execution – By default, a plugin/theme vulnerability could allow a PHP file to get uploaded into your site’s directories and in turn execute harmful scripts that can wreak havoc on your website. Prevent this altogether by disabling direct PHP execution in directories that don’t require it.
  • Prevent information disclosure – Often servers are incorrectly configured, and can allow an attacker to get access to sensitive files like your config, .htaccess and backup files. Hackers can grab these files and use them to gain access to your website or database.
  • Change default admin user account – One of the most common methods of gaining access to websites is through brute force attacks on login areas using default/common usernames and passwords. If you’re using the default ‘admin’ username, you’re giving away an important piece of the puzzle hackers need to hijack your website.
  • Update WordPress to latest version – WordPress is an extremely popular platform, and with that popularity comes hackers that increasingly want to exploit WordPress based websites. Leaving your WordPress installation out of date is an almost guaranteed way to get hacked as you’re missing out on the latest security patches.
  • Disable the file editor – WordPress comes with a file editor built into the system. This means that anyone with access to your login information can further edit your plugin and theme files and inject malicious code.
  • Disable trackbacks and pingbacks – Pingbacks notify a website when it has been mentioned by another website, like a form of courtesy communication. However, these notifications can be sent to any website willing to receive them, opening you up to DDoS attacks, which can take your website down in seconds and fill your posts with spam comments.
  • Disable XML RPC – XML-RPC is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. Technically, it’s a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled, otherwise it’s just another portal for hackers to target and exploit.
  • Manage login duration – By default, users who select the ‘remember me’ option will stay logged in for 14 days. If you and your users don’t need to login to your website backend regularly, it’s good practice to reduce this default time to reduce the risk of someone gaining access to your automatically logged in account.
  • Prevent user enumeration – One of the more common methods for bots and hackers to gain access to your website is to find out login usernames and brute force the login area with tons of dummy passwords. The hope is that one of the username and password combos will match, and voilà – they have access (you’d be surprised how common weak passwords are!). This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames. We highly recommend actioning this tweak.
  • Update old security keys – WordPress uses security keys to improve the encryption of information stored in user cookies, making it harder to crack passwords. A non-encrypted password like “username” or “wordpress” can be easily broken, but a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to crack.
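
Several of these tweaks correspond to settings in wp-config.php, so they can be checked outside the plugin. The script below is an added example (not Defender's code) that audits a config file for the default table prefix, an enabled file editor, on-screen error display, and missing or placeholder security keys; the sample config, the 32-character floor and the finding names are assumptions made for illustration.

```python
import re
import secrets

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
MIN_KEY_LENGTH = 32  # assumed floor; WordPress's own generator emits 64 characters

# Constructed wp-config.php fragment, not taken from a real site.
WEAK_CONFIG = r"""<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
define( 'AUTH_KEY',        'put your unique phrase here' );
define( 'SECURE_AUTH_KEY', 'k9#Vq2!xLr7@pZ0mW4^tYb8&cHd3*Ne6(Gs1)Jf5-Ua+Ri=Oo_Ex~Tn|Mw{Qy}Bv' );
"""

DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|[^)]+?)\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def strip_php_comments(src):
    """Remove //, # and /* */ comments while leaving quoted strings intact."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":                          # copy a quoted string verbatim
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif src.startswith("//", i) or ch == "#":
            end = src.find("\n", i)
            i = n if end == -1 else end          # keep the newline itself
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def parse_defines(clean_src):
    """Map each define() name to its value (quotes removed, bare words lowercased)."""
    defines = {}
    for name, raw in DEFINE_RE.findall(clean_src):
        raw = raw.strip()
        defines[name] = raw[1:-1] if raw[:1] in ("'", '"') else raw.lower()
    return defines


def audit_wp_config(source):
    """Return {finding: detail} for the settings this example checks."""
    clean = strip_php_comments(source)   # a commented-out define() must not count
    defines = parse_defines(clean)
    findings = {}

    prefix = PREFIX_RE.search(clean)
    if prefix and prefix.group(1) == "wp_":
        findings["default-db-prefix"] = "$table_prefix is still 'wp_'"

    if defines.get("DISALLOW_FILE_EDIT") not in ("true", "1"):
        findings["file-editor-enabled"] = "DISALLOW_FILE_EDIT is not set to true"

    # With WP_DEBUG on, errors print to the page unless WP_DEBUG_DISPLAY is false.
    if (defines.get("WP_DEBUG") in ("true", "1")
            and defines.get("WP_DEBUG_DISPLAY") not in ("false", "0")):
        findings["errors-displayed"] = "WP_DEBUG is on and WP_DEBUG_DISPLAY is not false"

    # Missing, placeholder and short keys all fall below the length floor.
    weak = [k for k in KEY_NAMES if len(defines.get(k, "")) < MIN_KEY_LENGTH]
    if weak:
        findings["weak-security-keys"] = weak
    return findings


def hardened_config():
    """Build a constructed config with every checked setting corrected."""
    keys = "\n".join(f"define( '{k}', '{secrets.token_urlsafe(48)}' );" for k in KEY_NAMES)
    return ("<?php\n$table_prefix = 'x7k_';\n"
            "define( 'WP_DEBUG', false );\n"
            "define( 'DISALLOW_FILE_EDIT', true );\n" + keys + "\n")


if __name__ == "__main__":
    for name, detail in audit_wp_config(WEAK_CONFIG).items():
        print(f"[weak] {name}: {detail}")
    print("[hardened] findings:", audit_wp_config(hardened_config()))
```

This check looks only at whether keys are present and long enough; it does not measure their age, which is what the Update old security keys tweak is about.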

6.3.3 Resolved

The Resolved tab displays all potential security vulnerabilities that have been resolved.

Resolved issues in Defender security tweaks

Issues can be resolved by applying the fix suggested in the Issues tab, but that is not the only way an issue becomes resolved. Hosting providers and other plugins may also resolve issues. In other words, user action within Defender is not always required for an issue to be resolved.

For example, the following issues will appear as resolved for all WPMU DEV hosted sites because our hosting applies the recommended fix by default:

  • Change default database prefix
  • Hide error reporting
  • Prevent PHP execution
  • Prevent Information Disclosure

Additionally, issues related to keeping files up-to-date will appear as resolved until an update is released, and then only become an issue if the file is not automatically updated.

Reverting/Modifying Issues

Each item under the Resolved tab can be expanded to see a detailed explanation of the issue (Overview), as well as its current state (Status).

Click the arrow to the right of any resolved issue to access the detailed explanation.

Some resolutions cannot be modified in any way, such as those mentioned above that are required for all WPMU DEV hosted sites. Other resolutions, on the other hand, can be modified or completely undone.

For example, if the file editor was disabled in the Issues tab, it will appear as a Resolved issue and will include a Revert button. Clicking Revert will re-enable the editor. The Revert option is available for all user-enabled tweaks.

Revert a resolved security tweak in Defender

Other issues may allow modifications within the Resolved tab, as is the case with the Prevent PHP execution example below, which allows users to add exceptions to the PHP rule.

Modifying a security tweak in Defender

See the Issue Details section below for detailed guidance regarding applying, modifying, and reverting issue fixes.

6.3.4 Ignored - Security Tweaks

Ignored issues are those which Defender identified as possible security vulnerabilities and displayed in the Issues tab, after which a user admin selected the Ignore option.

Once an issue has been ignored, Defender will no longer identify it as a possible vulnerability, so it is wise to be sure an issue is harmless before clicking the ignore option.

Restoring Ignored Issues

Each ignored issue will be accompanied by a Restore button. Click Restore to return any ignored issue to the Issues tab where you can address it by following the How to fix guidance there.

Restore an ignored issue in Defender security tweaks

6.3.5 Notifications - Security Tweaks

Notifications can be configured to alert admins when a potential security issue has not been addressed for seven days.

Notifications are enabled for the site admin, by default, but can be disabled by clicking the Off toggle button.

Enable notifications in Defender security tweaks

To add a recipient to the notifications list, click Add Recipient. Then enter a name, email address, and click Add to complete the process.

Add recipient to notifications in Defender security tweaks

6.4 Malware Scanning

Defender scans WordPress core files for modifications and unexpected changes. The Pro version also scans plugins, themes, and the entire site for suspicious code. See Settings – Malware Scanning for more info.

Hacked or not hacked?

Defender’s malware scanning features can help you determine if you’ve been hacked, and our blog post Find Out if You’re Hacked: How to Find and Delete Suspicious Code with Defender can help you understand how to get the most from these features.

The results of all scans can be viewed from the Dashboard, in both the Overview panel and Quick Access panels. Click View Report in the Malware Scanning Quick Access Panel to access details and suggested fixes for each potential issue.

6.4.1 Issues - Malware Scanning

Malware Scan Issues are, generally, suspicious PHP functions or known issues that Defender has discovered within a site’s code.

Defender scans WordPress core files for modifications and unexpected changes, while Defender Pro also scans plugins and themes, and scans the entire site for suspicious code.

Issues are displayed in a list in the Issues tab. Drop-down menus allow you to filter results by area. The available filters are:

  • All
  • Core
  • Plugins/Themes/Vulnerability
  • Suspicious code

filter types for issues list

You can also bulk Ignore or bulk Delete selected issues.

bulk ignore and bulk delete feature

Issue Details

Each item under the Issues tab can be expanded to see a detailed explanation of the issue, as well as our suggested fix. Click the arrow to the right of any issue to access the detailed explanation.

Issue details in Defender malware scanning

Each detailed explanation includes:

  • Issue Details — A brief explanation of the issue
  • Error — A snippet of the suspicious code. The questionable code in its current state appears in red, and the same code cleaned up to replace or remove the questionable function(s) appears in green.
  • Location — The issue’s file path
  • Size — The suspicious file’s size
  • Date added — The date and time the code was added to the site.
  • Ignore — Click Ignore to remove a specific issue from the Issues tab. Ignored issues will no longer appear in the Issues tab, but will appear in the Ignored tab, instead.

CAUTION

Once an Issue has been ignored, Defender will no longer identify the issue as a potential risk in future scans, so we strongly recommend being sure something is harmless before choosing to ignore it.

  • Delete — Click Delete to delete the suspicious code.

Resolving Issues

Defender flags PHP functions and code as suspicious when they vary from what is expected or when they match known issues.

YOU ARE NOT ALONE

We know that seeing a flagged function or suspicious code notification can be alarming, but do not worry, our Support Team can help you quickly determine the appropriate action for each Issue.

False Positives

Given WordPress’s virtually unlimited potential for customization, occasionally, legitimate code will be flagged as suspicious because it resembles malicious code. This can happen, for example, when a function is modified by a plugin or multiple plugins, by a theme, or when a user (admin or developer) edits site code directly in the file or theme editor.

Defender is designed to minimize the occurrence of false positives, but since malicious code is almost always written to resemble legitimate code, it is impossible to completely avoid them.

Consider the following code, which was flagged as potentially harmful because it employs the eval() function in a way similar to how it is used in malware.

Function flagged as suspicious in Defender malware scanning

The eval() function executes a string as PHP code, which became problematic when malware developers began using it to insert malicious code. The eval() function still has valid uses, however, so Defender flags the function wherever it appears so admins can verify its use as harmless.
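
To show why a blanket eval() match produces false positives and what a reviewer looks at next, here is an added example (not Defender's scanner or its rules) that finds real eval() calls in PHP source while skipping comments, string literals and look-alikes such as doubleval(), then sorts each hit by what is being evaluated. The sample PHP and the verdict heuristics are constructed for illustration.

```python
import re

# Comments and string literals, so text inside them is never treated as code.
MASK_RE = re.compile(r"""
      //[^\n]* | \#[^\n]* | /\*.*?\*/
    | '(?:[^'\\]|\\.)*' | "(?:[^"\\]|\\.)*"
""", re.S | re.X)

# eval( not preceded by a word character (doubleval), "->" (a method) or "$".
EVAL_RE = re.compile(r"(?<![\w>$])eval\s*\(", re.I)

# Heuristics chosen for this example; a real scanner's rule set is far larger.
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

# Constructed sample file. The base64 text decodes to the harmless: echo 'hi';
SAMPLE_PHP = r"""<?php
// eval() is mentioned here only in a comment
$n = doubleval($_GET['n']);
$msg = 'never call eval($x) on user input';
$tpl->eval($page);
eval(base64_decode('ZWNobyAnaGknOw=='));
eval($compiled_template);
eval('return 1 + 1;');
"""


def find_eval_calls(php_source):
    """Return [(line_number, verdict)] for each eval() call in executable code."""
    # Blank out comments and strings but keep newlines so line numbers stay right.
    masked = MASK_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), php_source)
    findings = []
    for call in EVAL_RE.finditer(masked):
        depth, end = 1, call.end()
        while end < len(masked) and depth:        # walk to the matching ")"
            depth += {"(": 1, ")": -1}.get(masked[end], 0)
            end += 1
        argument = masked[call.end():end - 1]
        if REQUEST_INPUT.search(argument):
            verdict = "high: evaluates request input"
        elif DECODERS.search(argument):
            verdict = "high: evaluates decoded data"
        elif "$" in argument:
            verdict = "review: evaluates a variable"
        else:
            # Only a literal remains (variables inside "..." are not inspected).
            verdict = "low: evaluates a fixed string"
        line = masked.count("\n", 0, call.start()) + 1
        findings.append((line, verdict))
    return findings


if __name__ == "__main__":
    for line, verdict in find_eval_calls(SAMPLE_PHP):
        print(f"line {line}: {verdict}")
```

Lines 2 to 5 of the sample are the kind of match that becomes a false positive when a scanner searches for the text eval( alone.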

Verifying suspicious code

As always, advanced users familiar with code have an advantage when it comes to verifying code as safe. However, there are things any user can do to determine the best response to suspect functions and code.

  1. Verify custom edits — Verify that the code in question wasn’t edited by an admin user or developer. Often, if the code was manually edited, the person who performed the edit is in the best position to verify the code in question. This is one reason why it’s important to keep track of the custom edits we make to our sites.
  2. Contact WPMU DEV Support — Our support team is better acquainted with Defender than anyone, and should be your first call if you are confronted with a Malware Scanning issue you do not understand.
  3. Contact Developer — If Defender flags code within a plugin or theme and you didn’t add the code yourself, it’s a good idea to share the issue details, including the code snippet, with the original developer and request guidance.

Once a flagged function or suspicious code has been verified as safe or malicious, click Ignore or Delete, as appropriate.

Choose to ignore or delete issues flagged in Defender malware scanning

6.4.2 Ignored - Malware Scanning

Ignored issues are those which Defender identified as suspicious and displayed in the Issues tab, after which a user admin selected the Ignore option.

Once an issue has been ignored, Defender will no longer identify it as a possible vulnerability, so it is wise to be sure an issue is harmless before clicking the Ignore option.

Restoring Ignored Issues

Each ignored issue will be accompanied by a Restore button. Click Restore to return any ignored issue to the Issues tab, where it can be addressed as necessary.

Restore an ignored issue in Defender malware scanning

Use the Bulk Action option to restore multiple selected items at once.

6.4.3 Settings - Malware Scanning Pro

Use the Malware Scan Settings to control what files are scanned.

  • WordPress Core — Both Defender free and Pro will scan for modifications or additions to WordPress core files.
  • Plugins & Themes — Defender Pro can also scan plugins and themes for known, publicly-reported vulnerabilities.
  • Suspicious Code — Defender Pro can also scan all site files for suspicious PHP functions and code.

Malware scan settings in Defender Pro

The Plugins & Themes and Suspicious Code options are only available in the Pro version. In the free version, those options are disabled and look like this:

Malware scan settings in Defender

Maximum File Size

If you wish to exclude files from scanning, you can set the maximum file size (in Mb) in the field provided. Defender will not scan files larger than the indicated size.

Set max file size in Defender malware scanning

6.4.4 Notifications - Malware Scanning

Notifications can be configured to alert admins when a potential security issue has not been addressed for seven days.

Notifications are enabled for the site admin, by default, but can be disabled by clicking the Off toggle button.

Enable notifications in Defender malware scanning

To add a recipient to the notifications list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Add recipient to notifications in Defender malware scanning

By default, Defender will only send notifications when a problem is found, but enable the toggle and Defender will Also send notifications when no issues are detected.

Email Templates

You can modify the contents of the email notifications sent following scans.

Naturally, emails sent when an issue(s) is found and when no issue is found are slightly different. Both default email templates can be edited.

DID YOU KNOW?

WPMU DEV members are authorized up to 10 free email accounts that can be configured in minutes to display the member’s domain in the email address. See our Email Hosting product page for details.

Click the pencil icon next to either template to view and edit its contents.

Edit email template for Defender malware scanning notifications

Use the available variables, listed near the bottom of the template, to insert scan data into the email. Click Save Changes to save and begin using your custom email notification.

6.4.5 Reporting & Scheduling

The Reporting tab is where automatic Malware Scans and the reports that follow them are configured.

Reporting is off, by default. Click the toggle to turn On reporting.

Enable reporting in Defender malware scanning

By default, Defender will only send reports when a problem is found, but enable the toggle and Defender will Also send notifications when no issues are detected.

Add Recipient

To add a recipient to the list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Add recipient to reports in Defender malware scanning

Scheduling Scans

To schedule a scan that will occur automatically at regular intervals, use the drop-down menus to select the frequency (Daily, Weekly, or Monthly) and the time of day at which it should occur, then click Save Changes.

Schedule malware scans in Defender

6.5 Audit Logging Pro

With Audit Logging activated, Defender displays a log of events recorded by the system that can be extremely helpful when trying to determine what event(s) triggered unwanted behavior on a site.

Audit logging dashboard in Defender

6.5.1 Event Logs

The Event Log tab displays a site’s Event Log with the following filtering options:

  • Export CSV — Exports a CSV file of the current event log to your local computer’s Downloads folder.
  • Date Range — A calendar tool that determines the time period displayed in the current event log
  • Event Chooser — The numbers in the Event Chooser correspond with the events as listed in the log. Click a number or use the arrows to display a specific event at the top of the list.
  • Name/IP Filter — Click the filter icon to access a filter that allows admins to search for events by Username or IP Address, and within those categories, to target or remove specific types of events.

Event log options in Defender audit logging

Event Details

Each event can be expanded by clicking the arrow to its right to reveal a summary of the event that includes the following information:

  • Context — Where the event originated, such as during a user/visitor session, in a plugin or theme, in a post, etc.
  • Type — Refines the Context by identifying the type of session as a user or visitor session
  • IP Address — The IP address of the user/visitor referred to in the Context column
  • User — If the user/visitor involved in the event is registered with your site, that person’s username will appear here
  • Date/Time — The date and time of the event

Event log details in Defender audit logging

6.5.2 Settings - Audit Logging

Audit Logging Settings is where you set how long Defender should store your event logs before it begins replacing the oldest log with the newest. Use the drop-down menu to choose the storage period.

Audit logging settings in Defender

Click Save Changes to save your configuration. Click Deactivate to stop Defender from creating new event logs.

6.5.3 Reports

Audit Log Reports are disabled, by default. When enabled, recipients will receive email notifications containing a summary of website events similar to those in the Events Log. Click the toggle to enable regular email reports.

Schedule audit logging reports in Defender

Add Recipient

To add a recipient to the list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Add recipient to reports in Defender audit logging

Scheduling Reports

To schedule a report, select the Frequency (Daily, Weekly, or Monthly), Day of the Week and the Time of day when the report should be generated and emailed, then click Save Changes.

6.6 Firewall

The Firewall feature protects against brute force attacks wherein a hacker attempts to gain entry to a site by bombarding it with ad hoc login credentials.

Firewall module in Defender

Recommended Reading

Our blog post, How to Create a Powerful and Secure Customized Firewall with Defender, discusses how to get the most out of the plugin’s firewall feature.

6.6.1 Login Protection

You can configure the following settings:

Threshold

This setting defines the number of failed attempts within a certain period of time that will trigger a lockout. The default setting is 5 failed attempts, within 300 seconds.

Login protection threshold in Defender firewall

Duration

This setting defines how long the lockout will last, once triggered. You can also opt to permanently ban anyone that’s been locked out for failed logins.

Lockout duration in Defender firewall

Message

If you wish, create a custom message that will be displayed after a user has been locked out. You can also preview how the message will appear on your site by clicking the blue “here” link.

Lockout message in Defender firewall

Banned Usernames

Automatically ban any IPs that attempt to log into your site using certain usernames. We recommend adding “admin” and “administrator” to this list, which are usually the first things that hackers will try when attempting to access your site. It’s also a good idea to make sure the username for your administrator account is something unique; details on that (plus other tips) can be found on our blog here.

Banned usernames in Defender firewall

Click Save Changes to save your configuration. Click Deactivate to disable the Login Protection module and all its features.

6.6.2 404 Detection

404 Detection allows admins to ban IP addresses that repeatedly try to access pages that do not exist.

404 detection in Defender firewall

Threshold

You can adjust how many events within a certain period of time will trigger a lockout. In this example, if a single IP address receives 20 404 errors within 300 seconds, then their IP will be temporarily locked out from your site.

Threshold for 404 detection in Defender firewall

Duration

Here you can indicate how long you would like the lockout to last. You can even permanently ban IP addresses that trigger your 404 lockout.

Lockout duration in Defender 404 detection

Message

In this section you can customize the message that will appear to your site visitors when they’ve been locked out after triggering a 404 Detection lockout. Enter the message you wish to appear into the field provided.

404 lockout message in Defender firewall

Files and Folders

Create custom blocklists and allowlists using the fields provided.

  • Blocklist — Protect specific files or folders by adding their paths here. Users who attempt to access these files or folders will be served a 404 screen once. Users who attempt to access Blocklisted files or folders twice will be locked out of the site.
  • Allowlist — In this section you can define any files or pages that you know are commonly searched for, but missing from your website. This will prevent your actual members from being locked out during their usual browsing.

Blocklist files and folders in Defender firewall

Filetypes & Extensions

Similar to the above section, you can define specific file types that will either trigger an immediate 404 lockout or, conversely, be excluded from triggering a lockout.

  • Blocklist — Add filetype extensions that will trigger a 404 error and then a lockout for users who attempt to access these filetypes. Add as many filetypes as you wish, using commas to separate the extensions.
  • Allowlist — Add filetype extensions that you do not wish to trigger a 404 lockout when accessed. Add as many filetypes as you wish, using commas to separate the extensions.

Blocklist filetypes and extensions in Defender firewall

Exclusions

This section is where you can choose whether or not to monitor the 404s that come from logged in users. If you would like these interactions monitored (and for the 404 Lockout rules to apply), then leave the box checked. If you would like to disable the monitoring of these interactions, then simply uncheck the box.

Exclude logged-in users from 404 detection in Defender firewall

Remember to click Update Settings if you make any changes or Deactivate to disable the 404 Detection module.
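The threshold, allowlist, blocklist and logged-in-user rules above can be rehearsed offline before changing live settings. The following is an added example, not Defender's own code: a sliding-window counter using the 20-in-300-seconds threshold from the example above, run over constructed events. The function names, list entries, paths and IP addresses are assumptions.

```python
from collections import defaultdict, deque
from pathlib import PurePosixPath

THRESHOLD = 20          # 404 responses that trigger a lockout (value from the text)
WINDOW_SECONDS = 300    # period in which they must occur (value from the text)

# Hypothetical list entries, standing in for the fields described above.
ALLOWLIST_PATHS = {"/favicon.ico"}
ALLOWLIST_EXTENSIONS = {".map"}
BLOCKLIST_PATHS = {"/backup.zip"}


def find_lockouts(events, monitor_logged_in=True):
    """Return {ip: (timestamp, reason)} for the first lockout of each IP.

    events: tuples of (timestamp, ip, path, status, logged_in).
    """
    recent_404s = defaultdict(deque)   # ip -> timestamps of counted 404s
    blocklist_hits = defaultdict(int)  # ip -> requests for blocklisted paths
    lockouts = {}
    for ts, ip, path, status, logged_in in sorted(events):
        if ip in lockouts:
            continue                   # already locked out
        if logged_in and not monitor_logged_in:
            continue                   # "Exclusions" box unchecked
        if path in BLOCKLIST_PATHS:
            # First request is served a 404, the second one locks the IP out.
            blocklist_hits[ip] += 1
            if blocklist_hits[ip] >= 2:
                lockouts[ip] = (ts, "blocklisted path")
            continue
        if status != 404:
            continue
        if (path in ALLOWLIST_PATHS
                or PurePosixPath(path).suffix in ALLOWLIST_EXTENSIONS):
            continue                   # known-missing file, never counted
        window = recent_404s[ip]
        window.append(ts)
        # Assumption: a 404 older than WINDOW_SECONDS no longer counts.
        while ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:
            lockouts[ip] = (ts, "404 threshold")
    return lockouts


def build_sample_events():
    """Constructed traffic: (timestamp, ip, path, status, logged_in)."""
    events = []
    # Fast scanner: 20 misses, 5 seconds apart.
    events += [(5 * i, "203.0.113.10", f"/old-plugin-{i}.php", 404, False)
               for i in range(20)]
    # Slow crawler: 25 misses, 20 seconds apart (never 20 inside one window).
    events += [(20 * i, "198.51.100.7", f"/archive/{i}", 404, False)
               for i in range(25)]
    # Two requests for a blocklisted file.
    events += [(10, "192.0.2.44", "/backup.zip", 404, False),
               (40, "192.0.2.44", "/backup.zip", 404, False)]
    # Browser repeatedly asking for an allowlisted, missing file.
    events += [(3 * i, "203.0.113.99", "/favicon.ico", 404, False)
               for i in range(30)]
    # Logged-in editor following 20 broken links in quick succession.
    events += [(2 * i, "198.51.100.50", f"/draft-{i}", 404, True)
               for i in range(20)]
    return events


if __name__ == "__main__":
    for label, monitored in (("monitoring logged-in users", True),
                             ("excluding logged-in users", False)):
        print(label)
        for ip, (ts, reason) in find_lockouts(build_sample_events(),
                                              monitored).items():
            print(f"  {ip} locked out at t={ts}s ({reason})")
```

Replaying an exported access log through the same function with different threshold values shows which legitimate visitors a stricter setting would have locked out.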

6.6.3 IP Banning

Defender allows you to permanently ban persistent troublemakers by blocking their IP addresses. The IP addresses will remain banned until you manually choose to remove them from the banned list.

IP Addresses

Create a custom list of banned IP addresses by adding them here.

  • Blocklist — Enter IP addresses or address ranges that should be blocked from accessing a site. List one IP address per line in IPv4 format. You can also ban IP ranges by entering the IP addresses that begin and end the range separated by a hyphen, as in xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
  • Allowlist — Add IP addresses that should be exempt from all ban rules. List one IP address per line in IPv4 format. You can also exempt IP ranges by entering the IP addresses that begin and end the range separated by a hyphen, as in xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx.
NOTE

We recommend allowlisting your own IP address to avoid accidentally locking yourself out. Your IP address is displayed beneath the Allowlist field, for convenient access.
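Before pasting a long list into these fields, it helps to check that every line matches the documented format and that your own address is not caught by a blocklisted range. The following is an added example, not Defender's own code: it accepts only the two formats described above (a single IPv4 address or a hyphenated start-end range) and treats the allowlist as exempt from ban rules. The function names and all addresses are assumptions, and rejecting other notations is this example's strictness, not a statement about what Defender accepts.

```python
import ipaddress


def parse_ip_list(text):
    """Parse one entry per line. Returns (ranges, errors).

    ranges: list of (start, end) IPv4Address pairs, inclusive.
    errors: list of (line_number, entry, reason) for rejected lines.
    """
    ranges, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        start_text, hyphen, end_text = entry.partition("-")
        try:
            start = ipaddress.IPv4Address(start_text.strip())
            end = ipaddress.IPv4Address(end_text.strip()) if hyphen else start
        except ipaddress.AddressValueError as exc:
            errors.append((lineno, entry, str(exc)))
            continue
        if end < start:
            errors.append((lineno, entry, "range end is below range start"))
            continue
        ranges.append((start, end))
    return ranges, errors


def is_listed(ip, ranges):
    """True if ip falls inside any parsed range."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)


def decision(ip, blocklist, allowlist):
    """Allowlist entries are exempt from ban rules, so they are checked first."""
    if is_listed(ip, allowlist):
        return "allow"
    if is_listed(ip, blocklist):
        return "ban"
    return "default"


# Constructed sample lists (documentation address ranges).
BLOCKLIST_TEXT = """\
203.0.113.10
198.51.100.0-198.51.100.255
192.0.2.200-192.0.2.100
203.0.113.0/24
"""
ALLOWLIST_TEXT = """\
198.51.100.25
"""

BLOCKLIST, BLOCKLIST_ERRORS = parse_ip_list(BLOCKLIST_TEXT)
ALLOWLIST, ALLOWLIST_ERRORS = parse_ip_list(ALLOWLIST_TEXT)

if __name__ == "__main__":
    for lineno, entry, reason in BLOCKLIST_ERRORS:
        print(f"blocklist line {lineno}: {entry!r} rejected ({reason})")
    # 198.51.100.25 plays the role of the administrator's own address.
    for ip in ("198.51.100.25", "198.51.100.26", "203.0.113.10", "192.0.2.150"):
        print(ip, "->", decision(ip, BLOCKLIST, ALLOWLIST))
```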

Active Lockouts

IP Addresses that have been temporarily banned, per the feature’s configuration, will be displayed here.

Click Unlock IPS to display the lockout list.

Active IP lockouts in Defender firewall

Click the padlock on the right to unblock any IP address. Use the arrows to navigate through the pages of your banned IP addresses.

Unblock blocked IP addresses in Defender firewall

Locations

Location banning, using the latest GeoIP database, allows admins to ban all traffic from an entire nation. You may consider banning any nation from which you do not expect or desire traffic. Doing so can be a highly effective security measure, if you are certain you don’t need the traffic.

Geo IP Banning requires users to sign up for GeoLite2 Downloadable Databases, which is free, although paid services are available.

To sign up, click the Sign up link in the Defender IP Banning Location module.

Enable location banning in Defender firewall

Complete the MaxMind GeoLite Sign Up form, then click Continue.

Get MaxMind database for location banning in Defender firewall

MaxMind will send an email containing verification information. Follow the directions in the email to verify and activate the account.

MaxMind account info for location banning in Defender firewall

The next series of steps will generate the License Key needed to connect the service to your site. In the menu on the left, click My License Key.

Then click Generate new license key.

MaxMind license key for location banning in Defender firewall

Give the License Key a name and select the No option regarding GeoIP Update, then click Confirm.

Confirm MaxMind license key for location banning in Defender firewall

The License Key required to download the GeoLite2 database to your site will be generated and displayed.

Copy MaxMind license key for location banning in Defender firewall

Copy and paste the License Key into the field provided in the Locations module, then click Download.

Paste MaxMind license key for location banning in Defender firewall

The GeoLite2 database will download and activate, automatically. When the database is properly connected, use the drop-down menus to ban entire nations from accessing your site, or exclude entire nations from any geo-bans.

Nations allowlisted here will still be subject to the 404 lockout rules configured in the 404 Detection module.

Location banning blocklist in Defender firewall

Message

Craft a custom lockout message for users you have personally added to the Blocklist.

Location banning message in Defender firewall

Import & Export

If you ever need to move your Blocklist & Allowlist to another website, instead of copying and pasting all those IP addresses, simply Export a CSV file and then import it into Defender on your new site.

Import or export IP blocklist in Defender firewall

6.6.4 Logs

Under Logs, you can view all Lockouts that have occurred on your site since activating Defender. You’ll be able to view the reason for the Lockout, the IP address that was locked out, and the date.

Firewall logs overview in Defender

The image above shows a new site that hasn’t recorded any lockouts yet. The image below shows a site where a login lockout has been triggered after 5 failed login attempts from the same IP address.

Lockout logged in Defender firewall logs

Use the Sort filter in the top right hand corner to view lockouts sorted by latest, oldest or IP address. Click the Export CSV button to export the logs as a .csv file if you need to use the info in any spreadsheet app.

Sort or download firewall logs in Defender

Use the Date Range filter to view logs only for the selected date range.

Sort firewall logs by date range in Defender

Click the funnel icon to open additional filtering options where you can select to view only a certain type of log, or logs from a specific IP address.

Filter Defender firewall logs by type or IP address

Click any event in the log to view details for that event. Click either the Add Allowlist or Ban IP buttons if you wish to add the IP address to the allowlist or blocklist in Firewall > IP Banning.

Allow or ban IP in Defender firewall logs

6.6.5 Notifications

Enabling lockout notifications will allow Defender to notify admin users by email whenever a lockout occurs. Click the toggle to enable email notifications.

Email Notifications

  • Login Protection Lockout – Enable this to be notified whenever a user or IP is locked out for failed login attempts.
  • 404 Detection Lockout – Enable this to be notified when a user or IP is locked out due to trying to repeatedly access non-existent files.

Email notification options in Defender firewall

Email Recipients

This is the list of users who will receive notifications per your settings above. Note that you are not limited here to only users of your site; you can use any valid email address for a recipient.

To add a recipient to the list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Notification email recipients in Defender firewall

Repeat Lockouts

If you’re getting too many emails about repeated lockouts for the same IP addresses, you can disable those emails for a defined period of time.

  • Threshold – Choose how many lockouts should occur before emails are disabled.
  • Cool Off Period – Choose for how long emails should be disabled.

Manage repeat lockout notification emails in Defender firewall

Remember to click Save Changes if you make any changes.

6.6.6 Firewall Settings

Under the Settings tab you can control for how long to store the Lockout logs. You can choose to increase or decrease the storage period, or delete the logs altogether.

  • Storage – Choose how many days of event logs you wish to keep in local storage.
  • Delete Logs – Click this button to delete all logs permanently.

Firewall settings in Defender

6.6.7 Reporting Pro

This is a Pro feature that allows you to schedule a complete lockout report for your site.

From here you can select the frequency of the reports & schedule the time frame for them to be sent.

You can also add additional recipients to the list so that other specified users will receive these emails too.

Lockout reporting in Defender firewall

6.7 Web Application Firewall (WAF)

WPMU DEV hosted sites only

This feature is only available for sites hosted with WPMU DEV. Don’t have your sites hosted here yet? Get started today with a free hosting trial and explore all the awesome features on us!

The Web Application Firewall (WAF) from WPMU DEV is a first layer of protection to block hackers and bot attacks before they ever reach your site. The WAF filters requests against our highly optimized managed ruleset covering common attacks (OWASP top ten) and performs virtual patching of WordPress core, plugin, and theme vulnerabilities.

Activate WPMU DEV WAF in Defender

Clicking the Activate WAF button will direct you to the Tools menu for your site in your Hub, and the WAF activation modal will open automatically for you. For more info on configuring the WAF for your site, see the Web Application Firewall (WAF) section in the WPMU DEV Hosting docs.

Once activated, the WAF module in Defender will display a Settings screen with confirmation that it is enabled. At this time, the configuration of the WAF must be done in your Hosting Hub for your site. To quickly access the configuration modal there, click the Manage Rules button.

WPMU DEV WAF settings screen in Defender

6.8 Two-Factor Authentication

Defender uses the power of Google Authentication to provide two-factor authentication to your site. This feature enhances your site’s security by requiring users to log in with a passcode sent via text to their cell phones. Two-factor authentication is an extremely effective tool against brute force attacks.

2-Factor-Authentication in Defender

User Roles

User Roles allows you to require two-factor authentication for some users on your site, but not others. For example, you can require Administrators & Editors to use two factor authentication because they have considerable privileges throughout the site, but not require subscribers to use it because, typically, their access is very limited.

User roles requiring 2 factor authentication in Defender

Lost Phone

This feature provides a backup plan for those times users need to access a site but cannot access the required phone. When enabled, Defender will send the passcode via email instead.

Lost phone password reset option in Defender 2 factor authentication

Force Authentication

By default, two-factor authentication is optional for users, meaning even if it’s enabled, users can disable it within their Profile. Force Authentication, on the other hand, makes two-factor authentication mandatory by removing the option to disable it.

Select the user roles for whom 2FA should be forced, and optionally enter a custom message that will be shown to them if they have not yet enabled it.

Force 2 factor authentication in Defender

The first time a user logs in after 2FA has been enabled they will be redirected to their Profile page where they must configure 2FA before they can proceed to do anything else on the site.

2 factor authentication forced in Defender

After pressing Enable, users will be prompted to download the Google Authenticator app and scan the QR code with it so they can login to this specific site, although multiple sites can be added to the app.

Download and install the Google Authenticator app

Once the QR code is scanned, the application will show a 6 digit passcode. Users then must enter the passcode into the field (Step 3), and click Verify.

For future logins

Google Authenticator generates a new code every 30 seconds and it looks something like this on the phone. Note that a different code is generated for each connected site, meaning the code for Site A will not work to authenticate any other site except Site A.

2 factor authentication code on phone

On their next login, users will be given a new login screen where they need to add the 6 digit code:

Enter 2 factor authentication code in login screen on site

If you left the “Lost phone” feature enabled, users can also click on the “Lost your device?” link and the One-Time-Pass (OTP) code will be sent to their email (which they set for their account on your site):

OTP code sent via email for 2 factor authentication

Users can always disable 2-Factor-Authentication in their admin profile, but if the force option above is enabled, they’ll have to re-enable it the next time they log in.

Disable 2 factor authentication in user profile

Custom Graphic

Add a custom graphic to replace the Defender icon that appears on your login page above the login fields by default. Use the media uploader to add your custom graphic.

Add custom graphic to Defender 2FA

Emails

You can customize the default content of the Lost Phone emails sent to users when an authentication code is sent via email, instead of by SMS.

Customize 2FA email in Defender

Click the pencil icon on the right to edit the default email. Customize the content as you choose, using the Available variables near the bottom of the template to insert the authentication data where you want.

Customize 2FA email content in Defender

App Downloads

Use the link that corresponds with your operating system to download the official Google Authenticator app for that system.

Download app for 2FA in Defender

Note: 2FA is designed to work with Google’s Auth App, but if any other app uses the same way to generate OTP, it should work as well. Here is a list of some alternatives:

Active Users

Click View users to see a list of all users who have enabled two-factor authentication.

View users who have activated 2FA

Users who have enabled two-factor authentication will have a green dot by their name, under the “2 Factor” column.

Users with 2 factor authentication enabled

If you have chosen to keep two-factor authentication optional, users can still enable it from their User Profile page.

Save/Deactivate

Click Save Changes to save your configuration. Click Deactivate to disable the module and all of its features.

6.9 Advanced tools

Defender offers two Advanced Tools to enhance site security:

  • Masked Login Area – Changes the URL path to your login screen to something other than the default wp-admin.
  • Security Headers – Enable security headers to add an extra layer of security to your website.

6.9.1 Mask Login Area

Defender allows you to change the location of WordPress’s default wp-admin and wp-login slugs to make it harder for hackers and bad bots to find.

Navigate to Defender > Advanced Tools > Mask login section and activate the module by clicking Activate.

Activate Mask Login feature in Defender

Masking URL

This feature lets you create a custom slug for your login page, replacing the default wp-admin or wp-login. In this way, hackers and bad bots looking for your login page won’t be able to find it, because they’ll be looking for the wp-admin or wp-login slug. The slug must be unique (unlike any others on your site) and you can only create a custom slug, not an entirely new URL.

Click the New login URL field and enter the slug for your new login page.

Enter custom login slug in Defender

After you save the settings, the mysite.com/wp-admin and mysite.com/wp-login pages will be disabled and the login functionality moved to the new page.

Note that the wp-admin links in your Hub will also respect your new login slug as long as you have logged in at that new URL at least once.

Logging in from Hub with Mask Login enabled in Defender

Redirect traffic

With the default login screens disabled, bots attempting to locate them will generate 404 responses – possibly a lot of them – and that is not good. Therefore, this feature allows you to redirect these misguided users to another page, either an existing page or one created especially for them.

Activate the feature and add a URL slug to the Redirection URL field.

404 redirect in Defender Mask Login

Note that you can add a new slug to the URL, but not an entirely new URL. In other words, you cannot redirect these users to a completely different domain.

Click Deactivate to disable this module and its features.

6.9.2 Security Headers

Security headers protect your site against the most likely types of attacks like XSS, code injection, clickjacking, etc. Defender enables you to follow best practices by enabling the following headers. For more info on security headers, see https://owasp.org/www-project-secure-headers/

X-Frame-Options

This header tells browsers whether or not your pages can be embedded on other sites in frame, iframe or object tags.

  • Sameorigin – This option allows content embedding only on the same site as the source of the content: your site.
  • Allow-from – This option allows you to specify exactly which domains are allowed to embed your content.
  • Deny – Select this option to disallow embedding your content anywhere.

Enable X-Frame security header in Defender

For more info on this security header, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

X-XSS-Protection

This header tells browsers how to handle the loading of pages if a cross-site-scripting attack is detected.

  • Sanitize – This option will remove any unsafe parts from the page before rendering it in the browser if a cross-site-scripting attack is detected.
  • Block – Select this option to prevent the page from rendering at all if an attack is detected.

Enable X-XSS security header in Defender

For more info on this security header, see https://owasp.org/www-community/attacks/xss/

X-Content-Type-Options

Enabling this security header reduces the opportunities to perform cross-site scripting attacks and compromise the website by preventing any asset from loading on your pages unless its MIME type matches the file type. This can be especially important if you allow users to upload files through a contact form for example as it prevents disguising malicious executable files as images.

Enable X-Content-Type security header in Defender

For more info on this security header, see https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx

Strict Transport

This header tells browsers your pages can only be loaded over secure HTTPS instead of plain HTTP. If you run an e-commerce site for example, this is especially important to help prevent sensitive user information from being intercepted.

  • HSTS Preload – With this option enabled, you can submit your site to Google to ensure browsers load your site over HTTPS only.
  • Browser Caching – This option sets the time for which the HSTS policy should be cached in browsers. The recommended minimum here is 30 days, but note that if you also enable the HSTS Preload option above, Google requires this to be set to at least 1 year.

Enable HSTS security header in Defender

For more info on this security header, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Referrer Policy

Enable this security header and select the desired option to control what information is included in the referrer header when a user clicks a link that leads to another page or website.

  • no-referrer – The Referer header will be omitted entirely. No referrer information is sent along with requests.
  • no-referrer-when-downgrade – This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn’t sent to less secure destinations (HTTPS→HTTP).
  • origin – Only send the origin of the document as the referrer. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
  • origin-when-cross-origin – Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
  • same-origin – A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
  • strict-origin – Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don’t send it to a less secure destination (HTTPS→HTTP).
  • strict-origin-when-cross-origin – Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
  • unsafe-url – Send the origin, path, and query string when performing any request, regardless of security. (This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.)

Enable referrer policy security header in Defender

For more info on this security header, see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Feature-Policy

This header tells browsers which domains are allowed to use features that the browser supports. For example, Chrome supports the following features: accelerometer, ambient-light-sensor, autoplay, camera, encrypted-media, fullscreen, geolocation, gyroscope, magnetometer, microphone, midi, payment, picture-in-picture, speaker, usb, vr

  • On site & iframe – This option will only allow browsers features to be used on the same domain as the page itself: your site.
  • All – This option will allow browser features to be used on any domain.
  • Specific Origins – This option allows you to specify on which domains browsers are allowed to use their supported features.
  • None – This option disables all browser features on all domains.

Enable feature policy security header in Defender

For more info on this security header, see https://w3c.github.io/webappsec-feature-policy/
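After enabling these headers, check what the site actually returns, since a cache or proxy in front of WordPress can drop or override them. The following is an added example, not Defender's own code: it audits a response's headers against the options described above, including the 30-day minimum and the 1-year preload requirement for Strict Transport. The function names and the sample responses are constructed assumptions; in practice the header dictionary would come from a real response.

```python
DAY = 86400
MIN_HSTS_AGE = 30 * DAY        # recommended minimum from the text
PRELOAD_HSTS_AGE = 365 * DAY   # required when HSTS Preload is enabled

REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, flags)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name:
            flags.add(name)
    return max_age, flags


def audit_headers(headers):
    """Return a list of findings for one response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif xfo not in ("SAMEORIGIN", "DENY") and not xfo.startswith("ALLOW-FROM "):
        findings.append("X-Frame-Options value not recognised")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        max_age, flags = parse_hsts(hsts)
        if max_age is None:
            findings.append("HSTS max-age missing or not a number")
        elif max_age < MIN_HSTS_AGE:
            findings.append("HSTS max-age below 30 days")
        if "preload" in flags and (max_age or 0) < PRELOAD_HSTS_AGE:
            findings.append("HSTS preload set but max-age below 1 year")

    policy = h.get("referrer-policy", "").lower()
    if policy not in REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or invalid")
    elif policy == "unsafe-url":
        findings.append("Referrer-Policy unsafe-url sends full URLs everywhere")
    return findings


# Constructed sample responses.
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=604800; preload",
    "Referrer-Policy": "unsafe-url",
}
PRELOAD_TOO_SHORT = dict(HARDENED,
                         **{"Strict-Transport-Security": "max-age=2592000; preload"})

if __name__ == "__main__":
    for name, sample in (("hardened", HARDENED), ("weak", WEAK),
                         ("preload too short", PRELOAD_TOO_SHORT), ("empty", {})):
        print(name, "->", audit_headers(sample) or "no findings")
```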

6.10 Settings

The Settings module is where preferences are set for translations, usage tracking and data retention.

6.10.1 General

Translations

Defender will use the language set in your WordPress Admin Settings if a matching translation exists. You can view the current available translations on the Defender translation page.

Usage Tracking

Enable Usage Tracking to help our developers improve Defender. We only track what features are or are not being used. No identifying data is collected.

6.10.2 Configs

The configs module allows you to save your Defender configurations to reapply them to your other sites in just a few clicks.

Note that there are a few settings that cannot be exported or imported. The settings that cannot be migrated are the High Contrast Mode under Settings and the following Security Tweaks:

  • Change default admin user account
  • Prevent information disclosure
  • Prevent PHP execution
  • Update WordPress to latest version
  • Update PHP to latest version

Save a Configuration

To save your current configuration, click Save New.

save new configuration

Then type in the name you want to use to identify your configuration and click Save New or click Cancel to exit without saving.

name your current config

You can save an unlimited number of configurations so there is no need to be frugal with how many configurations you save for your sites. Any configurations that you save will be listed under the Basic config.

NOTE: The Basic config is the default configuration and cannot be deleted or renamed.

list of saved configs

If you want to view more information about your saved configuration, click the arrow to reveal a list showing you which modules are active for that configuration.

dropdown menu arrow

You can also click on the three-dot icon to reveal a list of actions. These actions are:

  • Apply – Apply the settings of the selected configuration to Defender on your current site.
  • Download – Download the Defender configuration as a .json file.
  • Rename – Choose a different name for your saved settings.
  • Delete – Permanently delete this configuration.

configuration actions list

Apply a Configuration

If you have downloaded a configuration from another site and you want to apply it to your current one, click the Upload button. Select the relevant .json file and Defender will import your settings. These settings can now be applied to your site by clicking on the Apply button next to the three-dot icon or by clicking on the three-dot icon and then selecting Apply.

You will be asked to confirm the configuration application to the site. Click Apply once again to follow through with applying the chosen configuration or click Cancel to exit without changing any of your current Defender settings.

apply config confirmation

The final step is to log into your site again and just like that, your site will now run seamlessly with the new imported Defender settings.

6.10.3 Data & Settings

Uninstallation

These settings determine how your Defender settings and other data are handled when you export or uninstall the plugin. Settings refer to the module configurations, while Data includes transient bits created over time, such as logs, frequently used modules, last import/export time, and other pieces of information.

In the event you want to uninstall Defender it’s a good idea to save your settings in case you want to reinstall it at a later time. To do so, click the Preserve button to save your configurations, so they may be quickly reapplied when you reinstall the plugin.

Reset Settings

If you wish to reset all configurations to their default state, click the Reset Settings button.

6.10.4 Accessibility

From the accessibility tab you can enable High Contrast mode. After enabling this option, the plugin will increase the visibility and accessibility of elements and components to meet WCAG AAA requirements.

Accessibility settings in Defender

6.11 Blocklist Monitor Pro

WPMU DEV members and users of Defender Pro have access to the Blocklist Monitor feature, which allows Defender to check Google’s blocklist multiple times each day to see if your site has been flagged for some reason.

Click the toggle on the Defender > Dashboard screen to enable the Blocklist monitor. This feature has no options or settings, just enable and it will alert you via email if your site ever winds up on Google’s blocklist.

Enable Google blocklist monitor in Defender

6.12 Tutorials

This section holds a collection of tutorials that you can access at any time. Click on the Read article link to jump to the blog or click on the View All button to check out all of our tutorial articles.

Access tutorials from Defender

6.13 Get Support

After reading this guide, if you still have questions regarding how to secure a site or network, don’t hesitate to start a live chat with our support Superheroes or submit a support ticket using the Support tab of your WPMU Dev Dashboard.

Navigate to WPMU DEV DASHBOARD > SUPPORT > NEW TICKET to submit a support ticket.