This guide explains how to use Defender’s security features to protect your WordPress sites from malicious attacks.

Once Defender is installed and activated, refer to this guide for assistance configuring and managing Defender. Use the index on the left to quickly access guidance on specific features.

If you haven’t installed Defender yet, then you should visit the Defender Pro page where you can explore the plugin’s many features and sign up for a free trial membership.

6.1 Quick Setup

The Quick Setup popup appears the first time the Defender Dashboard is accessed.

All of Defender’s security modules are enabled by default. We recommend enabling all features and then configuring any security exceptions you require within the individual modules. Disabling any feature creates a significant gap in your site’s security.

Click Get Started to proceed or click Skip to advance to the Dashboard with all modules disabled.

Defender’s key modules include:

  • Automatic File Scans and Reporting — Configure Defender to conduct regular security scans and to notify admins if anything suspicious is discovered
  • Audit Logging — Track and log all changes to a site, creating a database of critical information about events impacting your site
  • IP Lockouts — Protect your site by identifying and blocking problem users by IP Address
  • Blacklist Monitor — Defender will monitor the Google blacklist and notify you if your site appears on the list.

6.2 Defender Dashboard

The Dashboard consists of the Overview and Quick Access panels for each Defender module. Admins, particularly those managing multiple sites, can use the Dashboard to determine if a website’s security configuration needs attention.

Use the View Documentation button to access Defender documentation (this document).

Overview

The Overview panel provides a snapshot of Defender’s security configuration and activity. Use the Overview to quickly assess the site’s current security status:

  • Security Tweaks Actioned — The number of tweaks identified that have been actioned relative to the total number found.
  • File Scan Issues (Pro) — The number of instances of suspect PHP functions and suspicious code that have yet to be addressed. A green check mark indicates that no unaddressed issues exist.
  • Last Lockout (Pro) — The date and time a user was locked out for exceeding the login attempt threshold.

Quick Access

The Quick Access panels provide easy access to every Defender module, allowing admins to activate/deactivate modules, view logs, and generate reports.

  • Security Tweaks — Suggested actions admins can take to address potential vulnerabilities identified during File Scanning. Click View All to access the Security Tweaks module.
  • File Scanning — The process of checking a site for known vulnerabilities in code and configuration. Scanning is how Defender knows what Security Tweaks to suggest. Click View Report to access the File Scanning module.

File Scanning for Pros

The free version of Defender scans a site’s WordPress core files for modifications and unexpected changes. Defender Pro, free to WPMU DEV members, also scans plugins and themes and searches the entire site for suspicious code. Visit the Defender Pro page where you can explore the plugin’s many features and sign up for a free trial membership.

  • Blacklist Monitor — A recurring check to ensure a site has not been identified by Google as unsafe to visit. Click the toggle button to enable/disable the Blacklist Monitor.
  • IP Lockouts — Blocks IP addresses that repeatedly attempt to access a site with incorrect login credentials or pages that do not exist. Click View Logs to open the IP Lockout module.
  • Advanced Tools — Use to enable Two-Factor Authentication (2FA) or to mask a site’s login area. Click the Activate buttons to enable and configure either security measure.
  • Audit Logging — Track and generate reports regarding all security-related events on a given site. Click View Logs to access and configure a site’s audit logs.
  • Reporting — Configure and automatically export reports on the results of File Scanning, IP Lockouts, and Audit Logging. Reports are configured within the File Scanning, IP Lockouts, and Audit Logging modules.

6.3 Security Tweaks

Security Tweaks Issues are, generally, common security vulnerabilities that can be addressed by applying security best practices to a site’s configuration wherever possible.

Overview

The Overview panel displays the number of tweaks in place and the number of potential vulnerabilities that have not been addressed. The current PHP version, server information, and WordPress version are also displayed.

The four tabs within the Security Tweaks module include:

  • Issues — Potential security vulnerabilities, along with suggested fixes.
  • Resolved — Issues for which a fix has been applied, along with the option to undo (Revert) that fix.
  • Ignored — Issues Defender will no longer identify as a potential vulnerability because the Ignore option has been selected in the Issues tab.
  • Notifications — Email alerts intended to warn admins of Issues that have remained unresolved for seven days or more.

6.3.1 Issues - Security Tweaks

Security Tweak Issues are, generally, opportunities to improve site security with relatively simple configuration changes. Each Issue is accompanied by a suggested solution, many of which require nothing more than a single click to implement.

We recommend applying every possible tweak; however, some fixes may not be practical for every site. Keep in mind that most tweaks can be easily undone using the Revert option available in the Resolved tab. The Revert option allows admins to temporarily disable a tweak to accomplish a task, then enable it again when the task is complete to maintain site security.

Ultimately, admins must determine for themselves which tweaks work for their sites and which do not.

Applying Fixes

Each item under the Issues tab can be expanded to see a detailed explanation of the issue, as well as our suggested fix. Click the arrow to the right of any issue to access the detailed explanation.

Each detailed explanation includes:

  • Overview — Explanation of the potential vulnerability
  • Status — The current state of a specific issue
  • How to fix — Our recommendation for addressing a specific issue
  • Ignore — Click Ignore to remove an issue from the Issues tab. Ignored issues will no longer appear in the Issues tab, but will appear in the Ignored tab, instead.
  • Action button — An action button unique to the suggested fix appears in the bottom right corner.

6.3.2 Opportunities Overview

Below is a list of all the available Security Tweaks included with Defender:

  • Change default database prefix – When you first install WordPress on a new database, the default settings start with wp_ as the prefix to anything that gets stored in the tables. This makes it easier for hackers to perform SQL injection attacks if they find a code vulnerability.
  • Hide error reporting – Developers often use the built-in PHP and scripts error debugging feature, which displays code errors on the frontend of your website. It’s useful for active development, but on live sites provides hackers yet another way to find loopholes in your site’s security.
  • Update PHP to latest version – PHP is the software that powers WordPress. It interprets the WordPress code and generates web pages people view. Naturally, PHP comes in different versions and is regularly updated. As newer versions are released, WordPress drops support for older PHP versions in favour of newer, faster versions with fewer bugs.
  • Prevent PHP execution – By default, a plugin/theme vulnerability could allow a PHP file to get uploaded into your site’s directories and in turn execute harmful scripts that can wreak havoc on your website. Prevent this altogether by disabling direct PHP execution in directories that don’t require it.
  • Prevent information disclosure – Often servers are incorrectly configured, and can allow an attacker to get access to sensitive files like your config, .htaccess and backup files. Hackers can grab these files and use them to gain access to your website or database.
  • Change default admin user account – One of the most common methods of gaining access to websites is through brute force attacks on login areas using default/common usernames and passwords. If you’re using the default ‘admin’ username, you’re giving away an important piece of the puzzle hackers need to hijack your website.
  • Update WordPress to latest version – WordPress is an extremely popular platform, and with that popularity comes hackers that increasingly want to exploit WordPress based websites. Leaving your WordPress installation out of date is an almost guaranteed way to get hacked as you’re missing out on the latest security patches.
  • Disable the file editor – WordPress comes with a file editor built into the system. This means that anyone with access to your login information can further edit your plugin and theme files and inject malicious code.
  • Disable trackbacks and pingbacks – Pingbacks notify a website when it has been mentioned by another website, like a form of courtesy communication. However, these notifications can be sent to any website willing to receive them, opening you up to DDoS attacks, which can take your website down in seconds and fill your posts with spam comments.
  • Disable XML RPC – XML-RPC is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. Technically, it’s a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled, otherwise it’s just another portal for hackers to target and exploit.
  • Manage login duration – By default, users who select the ‘remember me’ option will stay logged in for 14 days. If you and your users don’t need to login to your website backend regularly, it’s good practice to reduce this default time to reduce the risk of someone gaining access to your automatically logged in account.
  • Prevent user enumeration – One of the more common methods for bots and hackers to gain access to your website is to find out login usernames and brute force the login area with tons of dummy passwords. The hope is that one of the username and password combos will match, and voilà – they have access (you’d be surprised how common weak passwords are!). This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames. We highly recommend actioning this tweak.
  • Update old security keys – WordPress uses security keys to improve the encryption of information stored in user cookies, making it harder to crack passwords. A non-encrypted password like “username” or “wordpress” can be easily broken, but a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” would take years to crack.
  • X-Content-Type-Options Security Header – The X-Content-Type-Options header is used to protect against MIME sniffing attacks. The most common example of this is when a website allows users to upload content to a website, however the user disguises a particular file type as something else. This can give them the opportunity to perform cross-site scripting and compromise the website.
  • Feature-Policy Security Header – The Feature-Policy response header provides control over what browser features can be used when web pages are embedded in iframes.
  • Referrer Policy Security Header – The Referrer-Policy HTTP header tells web browsers how to handle referrer information that is sent to websites when a user clicks a link that leads to another page or website. Referrer headers tell website owners where inbound visitors came from (like Google Analytics Acquisition Reports), but there are cases where you may want to control or restrict the amount of information present in this header.
  • Strict Transport Security Header – The HTTP Strict-Transport-Security response header (HSTS) lets a web site tell browsers that it should only be accessed using HTTPS, instead of using HTTP. This is extremely important for websites that store and process sensitive information like ECommerce stores and helps prevent Protocol Downgrade and Clickjacking attacks.
  • X-Frame-Options Security Header – The X-Frame-Options HTTP response header controls whether or not a browser can render a webpage inside a <frame>, <iframe>, or <object> tag. Websites can avoid clickjacking attacks by ensuring that their content isn’t embedded into other websites.
  • X-XSS-Protection Security Header – The HTTP X-XSS-Protection response header stops pages from loading when the browser detects reflected cross-site scripting (XSS) attacks on Chrome, IE and Safari. This header is largely unnecessary in modern browsers when websites have a strong Content-Security-Policy that disables the use of inline JavaScript. However, it still provides protection for users of older web browsers that don’t support CSP.
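
To confirm that the header tweaks listed above are actually reaching visitors, the response headers can be audited independently of the plugin. The following is an added example, not Defender's own code: the header names come from the list above, while the pass criteria, function names and sample headers are assumptions made for illustration.

```python
"""Audit response headers against the Security Tweaks header list (added example)."""
import re

REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def hsts_ok(value):
    # HSTS only takes effect when max-age is a positive number of seconds.
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(match) and int(match.group(1)) > 0


def referrer_ok(value):
    # The header may carry a comma-separated fallback list. Every token must be
    # a known policy; "unsafe-url" as the final token is treated as weak
    # (assumed criterion) because it sends the full URL to every destination.
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return (bool(tokens)
            and all(t in REFERRER_POLICIES for t in tokens)
            and tokens[-1] != "unsafe-url")


# Header name -> predicate deciding whether the configured value is effective.
CHECKS = {
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Feature-Policy": lambda v: bool(v.strip()),
    "Referrer-Policy": referrer_ok,
    "Strict-Transport-Security": hsts_ok,
    "X-Frame-Options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
}


def audit_headers(headers):
    """Return {header: 'ok' | 'weak' | 'missing'} for each header in CHECKS."""
    seen = {name.lower(): value for name, value in headers.items()}
    report = {}
    for name, check in CHECKS.items():
        value = seen.get(name.lower())  # header names are case-insensitive
        if value is None:
            report[name] = "missing"
        else:
            report[name] = "ok" if check(value) else "weak"
    return report


# Constructed sample: headers as they might be captured from a site's home page.
SAMPLE_HEADERS = {
    "x-content-type-options": "nosniff",
    "Strict-Transport-Security": "max-age=0",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "no-referrer, strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for header, status in audit_headers(SAMPLE_HEADERS).items():
        print(f"{header:28} {status}")
```

Feed it the headers captured from a real response (for example, the dictionary returned by an HTTP client) after applying or reverting a tweak.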

6.3.3 Resolved

The Resolved tab displays all potential security vulnerabilities that have been resolved.

Issues can be resolved by applying the fix suggested in the Issues tab, but that is not the only way an issue becomes resolved. Hosting providers and other plugins may also resolve issues. In other words, user action within Defender is not always required for an issue to be resolved.

For example, the following issues will appear as resolved for all WPMU DEV hosted sites because our hosting applies the recommended fix by default:

  • Change default database prefix
  • Hide error reporting
  • Prevent PHP execution
  • Prevent Information Disclosure

Additionally, issues related to keeping files up-to-date will appear as resolved until an update is released, and then only become an issue if the file is not automatically updated.

Reverting/Modifying Issues

Each item under the Resolved tab can be expanded to see a detailed explanation of the issue (Overview), as well as its current state (Status).

Click the arrow to the right of any resolved issue to access the detailed explanation.

Some resolutions cannot be modified in any way, such as those mentioned above that are required for all WPMU DEV hosted sites. Other resolutions, on the other hand, can be modified or completely undone.

For example, if the file editor was disabled in the Issues tab, it will appear as a Resolved issue and will include a Revert button. Clicking Revert will re-enable the editor. The Revert option is available for all user-enabled tweaks.

Other issues may allow modifications within the Resolved tab, as is the case with the Prevent PHP execution example below, which allows users to add exceptions to the PHP rule.

See the Issue Details section below for detailed guidance regarding applying, modifying, and reverting issue fixes.

6.3.4 Ignored - Security Tweaks

Ignored issues are those which Defender identified as possible security vulnerabilities and displayed in the Issues tab, after which an admin user selected the Ignore option.

Once an issue has been ignored, Defender will no longer identify it as a possible vulnerability, so it is wise to be sure an issue is harmless before clicking the ignore option.

Restoring Ignored Issues

Each ignored issue will be accompanied by a Restore button. Click Restore to return any ignored issue to the Issues tab where you can address it by following the How to fix guidance there.

6.3.5 Notifications - Security Tweaks

Notifications can be configured to alert admins when a potential security issue has not been addressed for seven days.

Notifications are enabled for the site admin, by default, but can be disabled by clicking the Off toggle button.

To add a recipient to the notifications list, click Add Recipient. Then enter a name, email address, and click Add to complete the process.

6.4 File Scanning Pro

Defender scans WordPress core files for modifications and unexpected changes. The Pro version also scans plugins, themes, and the entire site for suspicious code.

Go Pro!

You can upgrade to Defender Pro for free with a free trial membership or visit the Defender Pro page to explore the plugin’s features and learn more about that free trial membership.

The results of all scans can be viewed from the Dashboard, in both the Overview panel and Quick Access panels. Click View Report in the File Scanning Quick Access Panel to access details and suggested fixes for each potential issue.

6.4.1 Issues - File Scanning

File Scan Issues are, generally, suspicious PHP functions or known issues that Defender has discovered within a site’s code.

Defender scans WordPress core files for modifications and unexpected changes, while Defender Pro also scans plugins and themes, and scans the entire site for suspicious code.

Issues are displayed in a list in the Issues tab. Drop-down menus allow you to filter results by area (Core, Plugins/Themes, or Suspicious code) and to bulk ignore selected issues.

Issue Details

Each item under the Issues tab can be expanded to see a detailed explanation of the issue, as well as our suggested fix. Click the arrow to the right of any issue to access the detailed explanation.

Each detailed explanation includes:

  • Issue Details — A brief explanation of the issue
  • Error — A snippet of the suspicious code. The questionable code in its current state appears in red, and the same code cleaned up to replace or remove the questionable function(s) appears in green.
  • Location — The issue’s file path
  • Size — The suspicious file’s size
  • Date added — The date and time the code was added to the site.
  • Ignore — Click Ignore to remove a specific issue from the Issues tab. Ignored issues will no longer appear in the Issues tab, but will appear in the Ignored tab, instead.
  • CAUTION

    Once an Issue has been ignored, Defender will no longer identify the issue as a potential risk in future scans, so we strongly recommend being sure something is harmless before choosing to ignore it.

  • Delete — Click Delete to delete the suspicious code.

Resolving Issues

Defender flags PHP functions and code as suspicious when they vary from what is expected or when they match known issues.

YOU ARE NOT ALONE

We know that seeing a flagged function or suspicious code notification can be alarming, but do not worry, our Support Team can help you quickly determine the appropriate action for each Issue.

False Positives

Given WordPress’s virtually unlimited potential for customization, occasionally, legitimate code will be flagged as suspicious because it resembles malicious code. This can happen, for example, when a function is modified by a plugin or multiple plugins, by a theme, or when a user (admin or developer) edits site code directly in the file or theme editor.

Defender is designed to minimize the occurrence of false positives, but since malicious code is almost always written to resemble legitimate code, it is impossible to completely avoid them.

Consider the following code, which was flagged as potentially harmful because it employs the eval() function in a way similar to how it is used in malware.

The eval() function executes a string as PHP code, which became problematic when malware developers began using it to insert malicious code. The eval() function still has valid uses, however, so Defender flags the function wherever it appears so admins can verify its use as harmless.

Verifying suspicious code

As always, advanced users familiar with code have an advantage when it comes to verifying code as safe. However, there are things any user can do to determine the best response to suspect functions and code.

  1. Verify custom edits — Verify that the code in question wasn’t edited by an admin user or developer. Often, if the code was manually edited, the person who performed the edit is in the best position to verify the code in question. This is one reason why it’s important to keep track of the custom edits we make to our sites.
  2. Contact WPMU DEV Support — Our support team is better acquainted with Defender than anyone, and should be your first call if you are confronted with a File Scanning issue you do not understand.
  3. Contact Developer — If Defender flags code within a plugin or theme and you didn’t add the code yourself, it’s a good idea to share the issue details, including the code snippet, with the original developer and request guidance.

Once flagged functions or suspicious code has been verified as safe or malicious, click Ignore or Delete, as appropriate.

6.4.2 Ignored - File Scanning

Ignored issues are those which Defender identified as suspicious and displayed in the Issues tab, after which an admin user selected the Ignore option.

Once an issue has been ignored, Defender will no longer identify it as a possible vulnerability, so it is wise to be sure an issue is harmless before clicking the Ignore option.

Restoring Ignored Issues

Each ignored issue will be accompanied by a Restore button. Click Restore to return any ignored issue to the Issues tab, where it can be addressed as necessary.

Use the Bulk Action option to restore multiple selected items at once.

6.4.3 Settings - File Scanning

Use the File Scan Settings to control what files are scanned.

  • WordPress Core — Defender will scan for modifications or additions to WordPress core files.
  • Plugins & Themes — Defender scans plugins and themes for known, publicly-reported vulnerabilities.
  • Suspicious Code — Defender Pro scans all site files for suspicious PHP functions and code.

Maximum File Size

If you wish to exclude files from scanning, you can set the maximum file size (in Mb) in the field provided. Defender will not scan files larger than the indicated size.

6.4.4 Notifications - File Scanning

Notifications can be configured to alert admins when a potential security issue has not been addressed for seven days.

Notifications are enabled for the site admin, by default, but can be disabled by clicking the Off toggle button.

To add a recipient to the notifications list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

By default, Defender will only send notifications when a problem is found, but enable the toggle and Defender will also send notifications when no issues are detected.

Email Templates

You can modify the contents of the email notifications sent following scans.

Naturally, emails sent when an issue(s) is found and when no issue is found are slightly different. Both default email templates can be edited.

Click the pencil icon next to either template to view and edit its contents.

Use the available variables, listed near the bottom of the template, to insert scan data into the email. Click Save Changes to save and begin using your custom email notification.

6.4.5 Reporting & Scheduling

The Reporting tab is where automatic File Scans and the reports that follow them are configured.

Reporting is off, by default. Click the toggle to turn On reporting.

By default, Defender will only send reports when a problem is found, but enable the toggle and Defender will also send notifications when no issues are detected.

Add Recipient

To add a recipient to the list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Scheduling Scans

To schedule a scan that will occur automatically at regular intervals, use the drop-down menus to select the frequency (Daily, Weekly, or Monthly) and the time of day at which it should occur, then click Save Changes.

6.5 Audit Logging Pro

With Audit Logging activated, Defender displays a log of events recorded by the system that can be extremely helpful when trying to determine what event(s) triggered unwanted behavior on a site.

6.5.1 Event Logs

The Event Log tab displays a site’s Event Log with the following filtering options:

  • Export CSV — Exports a CSV file of the current event log to your local computer’s Downloads folder.
  • Date Range — A calendar tool that determines the time period displayed in the current event log
  • Event Chooser — The numbers in the Event Chooser correspond with the events as listed in the log. Click a number or use the arrows to display a specific event at the top of the list.
  • Name/IP Filter — Click the filter icon to access a filter that allows admins to search for events by Username or IP Address, and within those categories, to target or remove specific types of events.

Event Details

Each event can be expanded by clicking the arrow to its right to reveal a summary of the event that includes the following information:

  • Context — Where the event originated, such as during a user/visitor session, in a plugin or theme, in a post, etc.
  • Type — Refines the Context by identifying the type of session as a user or visitor session
  • IP Address — The IP address of the user/visitor referred to in the Context column
  • User — If the user/visitor involved in the event is registered with your site, that person’s username will appear here
  • Date/Time — The date and time of the event

6.5.2 Settings - Audit Logging

Audit Logging Settings is where you set how long Defender should store your event logs before it begins replacing the oldest log with the newest. Use the drop-down menu to choose the storage period.

Click Save Changes to save your configuration. Click Deactivate to stop Defender from creating new event logs.

6.5.3 Reports

Audit Log Reports are disabled, by default. When enabled, recipients will receive email notifications containing a summary of website events similar to those in the Events Log. Click the toggle to enable regular email reports.

Add Recipient

To add a recipient to the list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Scheduling Reports

To schedule a report, select the Frequency (Daily, Weekly, or Monthly), Day of the Week and the Time of day when the report should be generated and emailed, then click Save Changes.

6.6 IP Lockouts

IP Lockouts protect against brute force attacks wherein a hacker attempts to gain entry to a site by bombarding it with ad hoc login credentials.

6.6.1 Login Protection

Login protection is automatically enabled when the IP Banning module is activated.

IP Lockout settings

You can configure the following settings:

Threshold

This setting defines the number of failed attempts within a certain period of time that will trigger a lockout. The default setting is 5 failed attempts, within 300 seconds.

Duration

This setting defines how long the lockout will last, once triggered. You can also opt to permanently ban anyone that’s been locked for failed logins.

Message

If you wish, create a custom message that will be displayed after a user has been locked out. You can also preview how the message will appear on your site by clicking the blue “here” link.

Banned Usernames

Automatically ban any IPs that attempt to log into your site using certain usernames. We recommend adding “admin” and “administrator” to this list, which are usually the first things that hackers will try when attempting to access your site. It’s also a good idea to make sure the username for your administrator account is something unique; details on that (plus other tips) can be found on our blog here.

Click Save Changes to save your configuration. Click Deactivate to completely disable the IP Lockout module and all its features.

6.6.2 404 Detection

404 Detection allows admins to ban IP addresses that repeatedly try to access pages that do not exist.

Threshold

You can adjust how many events within a certain period of time will trigger a lockout. In this example, if a single IP address receives 20 404 errors within 300 seconds, then their IP will be temporarily locked out from your site.

Duration

Here you can indicate how long you would like the lockout to last. You can even permanently ban IP addresses that trigger your 404 lockout.

Message

In this section you can customize the message that will appear to your site visitors when they’ve been locked out after triggering a 404 Detection lockout. Enter the message you wish to appear into the field provided.

Files and Folders

Create custom white and black lists using the fields provided.

  • Blacklist — Protect specific files or folders by adding their paths here. Users who attempt to access these files or folders will be served a 404 screen once. Users who attempt to access Blacklisted files or folders twice will be locked out of the site.
  • Whitelist — In this section you can define any files or pages that you know are commonly searched for, but missing from your website. This will prevent your actual members from being locked out during their usual browsing.

Filetypes & Extensions

Similar to the above section, you can define specific file types that will either trigger an immediate 404 lockout or, conversely, be excluded from triggering a lockout.

  • Blacklist — Add filetype extensions that will trigger a 404 error and then a lockout for users who attempt to access these filetypes. Add as many filetypes as you wish, using commas to separate the extensions.
  • Whitelist — Add filetype extensions that you do not wish to trigger a 404 lockout when accessed. Add as many filetypes as you wish, using commas to separate the extensions.

Exclusions

This section is where you can choose whether or not to monitor the 404s that come from logged in users. If you would like these interactions monitored (and for the 404 Lockout rules to apply), then leave the box checked. If you would like to disable the monitoring of these interactions, then simply uncheck the box.

Remember to click Update Settings if you make any changes.

6.6.3 IP Banning

Defender allows you to permanently ban persistent troublemakers by blocking their IP addresses. The IP addresses will remain banned until you manually choose to remove them from the banned list.

IP Addresses

Create a custom list of banned IP addresses by adding them here.

  • Blacklist — Enter IP addresses or address ranges that should be blocked from accessing a site. List one IP address per line in IPv4 format. You can also ban IP ranges by entering the IP addresses that begin and end the range separated by a hyphen, as in xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
  • Whitelist — Add IP addresses that should be exempt from all ban rules. List one IP address per line in IPv4 format. You can also enter IP ranges by entering the IP addresses that begin and end the range separated by a hyphen, as in xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx.

NOTE

We recommend Whitelisting your own IP address to avoid becoming locked out, accidentally. Your IP address is displayed beneath the Whitelist field, for convenient access.
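
Before pasting or importing a long list, it helps to validate it against the format described above and to confirm that your own address is not caught by a banned range. This is an added example, not Defender's parser: it accepts only the two forms named on this page (a single IPv4 address, or two addresses joined by a hyphen), treats the Whitelist as overriding the Blacklist because whitelisted addresses are exempt from all ban rules, and uses constructed sample lists and hypothetical function names.

```python
"""Validate Defender-style IP lists and test an address against them (added example)."""
import ipaddress


def parse_ip_list(text):
    """Parse one entry per line. Returns (ranges, errors).

    ranges: list of (start_int, end_int), inclusive
    errors: list of (line_number, text, reason) for entries that do not parse
    """
    ranges, errors = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("-")]
        try:
            if len(parts) > 2:
                raise ValueError("more than one hyphen")
            start = ipaddress.IPv4Address(parts[0])
            end = ipaddress.IPv4Address(parts[-1])
            if end < start:
                raise ValueError("range end precedes range start")
        except ValueError as exc:      # AddressValueError is a ValueError
            errors.append((number, line, str(exc)))
            continue
        ranges.append((int(start), int(end)))
    return ranges, errors


def matches(ip, ranges):
    value = int(ipaddress.IPv4Address(ip))
    return any(low <= value <= high for low, high in ranges)


def decide(ip, blacklist, whitelist):
    """Return 'allow', 'block' or 'default' for ip; the whitelist is checked first."""
    if matches(ip, whitelist):
        return "allow"
    if matches(ip, blacklist):
        return "block"
    return "default"


# Constructed sample lists (documentation address ranges).
BLACKLIST_TEXT = """\
198.51.100.7
203.0.113.0-203.0.113.255
192.0.2.300
192.0.2.50-192.0.2.10
"""
WHITELIST_TEXT = "203.0.113.25\n"

if __name__ == "__main__":
    blacklist, bad = parse_ip_list(BLACKLIST_TEXT)
    whitelist, _ = parse_ip_list(WHITELIST_TEXT)
    for number, entry, reason in bad:
        print(f"line {number}: {entry!r} rejected ({reason})")
    for ip in ("203.0.113.25", "203.0.113.26", "192.0.2.1"):
        print(ip, "->", decide(ip, blacklist, whitelist))
```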

Active Lockouts

IP Addresses that have been temporarily banned, per the feature’s configuration, will be displayed here.

Click Unlock IPS to display the lockout list.

Click the padlock on the right to unblock any IP address. Use the arrows to navigate through the pages of your banned IP addresses.

Locations

Location banning, using the latest GEO IP Database, allows admins to ban all traffic from an entire nation. You may consider banning any nation from which you do not expect or desire traffic. Doing so can be a highly effective security measure, if you are certain you don’t need the traffic.

Geo IP Banning requires users to sign up for GeoLite2 Downloadable Databases, which is free, although paid services are available.

To sign up, click the Sign up link in the Defender IP Banning Location module.

Complete the MaxMind GeoLite Sign Up form, then click Continue.

MaxMind will send an email containing verification information. Follow the directions in the email to verify and activate the account.

The next series of steps will generate the License Key needed to connect the service to your site. In the menu on the left, click My License Key.

Then click Generate new license key.

Give the License Key a name and select the No option regarding GeoIP Update, then click Confirm.

The License Key required to download the GeoLite2 database to your site will be generated and displayed.

Copy and paste the License Key into the field provided in the Locations module, then click Download.

The GeoLite2 database will download and activate, automatically. When the database is properly connected, use the drop-down menus to ban entire nations from accessing your site, or exclude entire nations from any geo-bans.

Nations whitelisted here will still be subject to the 404 lockout rules configured in the 404 Detection module.

Message

Craft a custom lockout message for users you have personally added to the Blacklist.

Import & Export

If you ever need to move your Blacklist & Whitelist to another website, instead of copying and pasting all those IP addresses, simply Export a CSV file and then import it into Defender on your new site.

6.6.4 Logs

Under Logs you can view all Lockouts that have occurred within the past 30 days. You’ll be able to view the reason for the Lockout, the IP address that was locked out, and the date.

[Image: list of lockout logs]

The image above shows a new site that hasn’t recorded any lockouts yet. The image below shows a site with moderately heavy traffic that blocked more than 8,000 IPs in a single month.

Use the Filter in the top right hand corner to view lockouts by type or event. The numbers in the carousel correspond with log events. Click a number or use the arrows to indicate a specific event and that event will appear at the top of the list.

For each event you will be able to see what type of event it was (indicated by the small colored box on the left), the reason the event occurred, the IP address that triggered the event, and the date the event occurred.

[Image: Defender lockout activity log]

To the right of each event you will also see two blue links – Ban & Whitelist. By clicking either of these links, you can automatically add the IP address to the respective list (Blacklist or Whitelist).

6.6.5 Notifications

Enabling lockout notifications will allow Defender to notify admin users by email whenever a lockout occurs. Click the toggle to enable email notifications.

Add Recipient

To add a recipient to the list, click Add Recipient. Then enter a name, email address and click Add to complete the process.

Remember to click Update Settings if you make any changes.

6.6.6 Settings

Under the Settings tab you can control for how long to store the Lockout logs.

You can choose to increase or decrease the storage period, or delete the logs altogether.

6.6.7 Reporting Pro

This is a Pro feature that allows you to schedule a complete lockout report for your site.

From here you can select the frequency of the reports & schedule the time frame for them to be sent.

You can also add additional recipients to the list so that other specified users on your site will receive these emails too.

6.7 Advanced tools

Defender offers two Advanced Tools to enhance site security:

  • Two-factor authentication — Requires users to verify their login attempts using the Google Authenticator app
  • Masked Login Area — Changes the URL path to your login screen to something other than the default wp-admin.

6.7.1 Two-Factor Authentication

Defender uses the power of Google Authentication to provide two-factor authentication to your site. This feature enhances your site’s security by requiring users to log in with a passcode sent via text to their cell phones. Two-factor authentication is an extremely effective tool against brute force attacks.

User Roles

User Roles allows you to require two-factor authentication for some users on your site, but not others. For example, you can require Administrators & Editors to use two factor authentication because they have considerable privileges throughout the site, but not require subscribers to use it because, typically, their access is very limited.

Lost Phone

This feature provides a backup plan for those times users need to access a site but cannot access the required phone. When enabled, Defender will send the passcode via email, instead.

Force Authentication

By default, two-factor authentication is optional for users, meaning even if it’s enabled, users can disable it within their Profile. Force Authentication, on the other hand, makes two-factor authentication mandatory by removing the option to disable it.

The first time users log in after 2FA has been enabled they will be redirected to their Profile pages where they must configure 2FA before they can log in.

After pressing Enable, users will be prompted to download the Google Authenticator app and scan the QR code with it so they can log in to this specific site, although multiple sites can be added to the app.

Once the QR code is scanned, the application will show a 6 digit passcode. Users then must enter the passcode into the field (Step 3), and click Verify.

For future logins

Google Authenticator generates a new code every 30 seconds and it looks something like this on the phone. Note that a different code is generated for each connected site, meaning the code for Site A will not work to authenticate any other site except Site A.

[Image: Phone]
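
How the 30-second, per-site codes come about, as an added Python example that is not Defender's or Google's code: it implements the standard TOTP algorithm (RFC 6238 with HMAC-SHA1, 6 digits and a 30-second step) that Google Authenticator uses. The two secrets are constructed, and the one-window clock-drift allowance in verify() is an assumption, not a documented Defender setting.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the index of the current time window."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                  # same value for 30 seconds
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, step=30, drift_windows=1):
    """Check a submitted code against the current window and its neighbours.

    drift_windows is an assumption made for this example; it tolerates a
    phone clock that is slightly ahead of or behind the server.
    """
    for delta in range(-drift_windows, drift_windows + 1):
        expected = totp(secret_b32, unix_time + delta * step, step)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return True
    return False

# Constructed secrets. SITE_A is the RFC 6238 test key, so its codes can be
# checked against the published test vectors; SITE_B stands in for a second
# site enrolled in the same app.
SITE_A = base64.b32encode(b"12345678901234567890").decode()
SITE_B = base64.b32encode(b"another-site-secret!").decode()

if __name__ == "__main__":
    now = 59
    code_a = totp(SITE_A, now)
    print("Site A, t=59:", code_a)                      # same code from t=30 to t=59
    print("Site A, t=60:", totp(SITE_A, 60))            # next window, new code
    print("Site B, t=59:", totp(SITE_B, now))           # different secret, different code
    print("Site A code accepted by A:", verify(SITE_A, code_a, now))
    print("Site A code accepted by B:", verify(SITE_B, code_a, now))
    print("Site A code two minutes later:", verify(SITE_A, code_a, now + 120))
```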

On their next login, users will be given a new login screen where they need to add the 6 digit code:

[Image: Code]

If you left the “Lost phone” feature enabled, users can also click on the “Lost your device?” link and the OTP code will be sent to their email (which they set for their account on your site):

[Image: OTP code]

If forced authentication is not enabled, users can disable it in their profiles.

Custom Graphic

Add a custom graphic to replace the Defender icon that appears on your login page above the login fields by default. Use the media uploader to add your custom graphic.

Emails

You can customize the default content of the Lost Phone emails sent to users when an authentication code is sent via email, instead of by SMS.

Click the pencil icon on the right to edit the default email. Customize the content as you choose, using the Available variables near the bottom of the template to insert the authentication data where you want.

App Downloads

Use the link that corresponds with your operating system to download the official Google Authenticator app for that system.

Active Users

Click View users to see a list of all users who have enabled two-factor authentication.

Users who have enabled two-factor authentication will have a green dot by their name, under the “2 Factor” column.

If you have chosen to keep two-factor authentication optional, users can Enable that from their User Profile page.

Save/Deactivate

Click Save Changes to save your configuration. Click Deactivate to disable the module and all of its features.

6.7.2 Mask Login Area

Defender allows you to change the location of WordPress’s default wp-admin and wp-login slugs to make it harder for hackers and bad bots to find them.

Navigate to Defender > Advanced Tools > Mask login section and activate the module by clicking Activate.

Masking URL

This feature lets you create a custom slug for your login page, replacing the default wp-admin or wp-login. In this way, hackers and bad bots looking for your login page won’t be able to find it, because they’ll be looking for the wp-admin or wp-login slug. The slug must be unique (unlike any others on your site) and you can only create a custom slug, not an entirely new URL.

Click the New login URL line and enter the slug for your new login page.

After you save the settings, the mysite.com/wp-admin and mysite.com/wp-login pages will be disabled and the login functionality moved to the new page.

It does obey any admin_url() changes, though, so as long as you use your masked login screen to log in first, wp-admin links from Hub will still work.

Redirect traffic

With the default login screens disabled, bots attempting to locate them will generate 404 responses, possibly a lot of them, and that is not good. Therefore, this feature allows you to redirect these misguided users to another page, either an existing page or one created especially for them.

Activate the feature and add a URL slug to the Redirection URL field.

Be aware that you can add a new slug to the URL, but not an entirely new URL. This is so that, no matter how much we may want to, we cannot redirect these users to a completely different domain.

6.8 Blacklist Monitor Pro

WPMU DEV members and users of Defender Pro have access to the Blacklist Monitor feature, which allows Defender to check Google’s blacklist multiple times each day to see if your site has been flagged for some reason.

Click the toggle to enable the Blacklist monitor.

6.9 Settings

The Settings module is where preferences are set for translations, usage tracking and data retention.

6.9.1 General

Translations

Defender will use the language set in your WordPress Admin Settings if a matching translation exists. You can view the current available translations on the Defender translation page.

Usage Tracking

Enable Usage Tracking to help our developers improve Defender. We only track what features are or are not being used. No identifying data is collected.

Data & Settings

Uninstallation – These settings determine how your Defender settings and other data are handled when you export or uninstall the plugin. Settings refer to the module configurations, while Data includes transient bits created over time, such as logs, frequently used modules, last import/export time, and other pieces of information.

In the event you want to uninstall Defender it’s a good idea to save your settings in case you want to reinstall it at a later time. To do so, click the Preserve button to save your configurations, so they may be quickly reapplied when you reinstall the plugin. If you wish to reset all configurations to their default state, click the Reset Settings button.

Accessibility

From the accessibility tab you can enable High Contrast mode. After enabling this option, the plugin will increase the visibility and accessibility of elements and components to meet WCAG AAA requirements.

6.10 Get Support

After reading this guide, if you still have questions regarding how to secure a site or network, don’t hesitate to start a live chat with our support Superheroes or submit a support ticket using the Support tab of your WPMU Dev Dashboard.

Navigate to WPMU DEV DASHBOARD > SUPPORT > NEW TICKET to submit a support ticket.