This guide explains how to use Defender’s security features to protect your WordPress sites from malicious attacks. Use the Index on the left to quickly locate usage guidance on specific features.
If you haven’t installed Defender yet, visit the Defender Pro page where you can explore the plugin’s many features, download the free version, and, as a WPMU DEV member, install Defender Pro directly to any connected site.
6.1 Defender Dashboard
6.2 Security Tweaks
First up are Security Tweaks.
The first security check was run automatically when you activated the plugin. Clicking “View All” will take you to the full results screen.
Below this overview, you’ll see a detailed list of all the items that need your attention, and those that are already resolved.
Each of the items under the Issues tab can be expanded to see a detailed explanation of the issue, as well as a simple process for resolving the issues reported. Here’s a detailed look at the first item in the Issues list, “Disable trackbacks and pingbacks.”
To resolve this issue, simply click “Disable Pingbacks”. Every issue you encounter will be at least as simple to resolve as this one; most only require clicking a button.
Each of our recommendations and solutions will put an additional layer of protection between your site and those who might wish to harm it or your users.
6.3 Security Scans
Defender can also scan your site for malicious files and code, and report any suspicious files to you.
Back on the main Dashboard area you first saw, you will see this File Scanning section the first time you use the plugin. Click “Run Scan” to get started.
You’ll then be taken to the Scan section of Defender where you will be able to watch the progress of your scan. After your first scan is complete, you can then view the results here.
The free version of Defender only scans the WordPress core files for modifications and unexpected changes, but if you become a WPMU DEV member, Defender will also scan your plugins and themes and check for suspicious code throughout your site.
Let’s take a look at the specific items that Defender was able to identify:
To the left you will see 4 different sections:
We’ll cover the Issues tab first:
To the right of each reported issue, you’ll see a small wrench icon. If you click on this icon a popup will appear with a proposed solution.
The php_errorlog in this example is not a malicious file, so I’m able to ignore this one.
Under the Ignored tab you will then be able to find a complete list of all the Issues that you’ve chosen to Ignore. You can come back to this tab at any time and decide to take additional action to resolve these items and “Restore” them to the list of Issues.
To Restore an individual item, just click the blue “Restore” icon on the right hand side.
To Restore multiple items at once, click the check boxes to the left of each, and then click “Apply” next to “Restore”.
Under the Settings tab you’ll see several different options that allow you to control what’s scanned and how you’ll be notified.
Scan Types is where you can choose which type of files are to be scanned. As explained earlier, the free version of Defender only scans the WordPress Core files.
Further down the Settings section, you’ll find an option to adjust the maximum file size that Defender will include in its scans.
And at the bottom of this section, you’ll see the settings for the notification emails that Defender sends.
By default, Defender will only notify you when a problem is found, but you can enable “Optional emails” to be notified of the results every time a scan is completed.
You can also modify the email templates themselves to suit your needs. A different template is available for when an issue is found and when one is not found.
6.4 IP Lockouts
We can now configure the next feature – IP Lockouts.
Click on “Activate” to begin.
Here you’ll be able to view the quick stats on any IP Lockouts that occurred this week. Since we have only just activated this feature, there isn’t much to see.
Next, click on “View Logs” to see additional details regarding your lockouts, and make changes to the available settings.
There are a lot of different options here, so we’ll go through them one by one so you can get the most out of this feature.
The first option we want to configure is Login Protection.
Now you can configure the following settings:
Lockout threshold – define the number of failed attempts within a certain period of time that will trigger a lockout. The default setting is 5 failed attempts, within 300 seconds.
Lockout time – how long the lockout lasts once triggered. You can also opt to permanently ban anyone who has been locked out for failed logins.
Lockout message – choose the message that will be displayed after a user has been locked out. You can also preview how the message will appear on your site by clicking the blue “here” link.
Automatically ban usernames – here you can opt to automatically ban any IPs that attempt to log into your site using certain usernames. We recommend adding “admin” and “administrator” to this list, which are usually the first things that hackers will try when attempting to access your site. It’s also a good idea to make sure the username for your administrator account is something unique; details on that (plus other tips) can be found on our blog here.
If you make any changes to this section, be sure to hit “Update Settings” before proceeding to the next section.
Next up is 404 Detection. This feature allows you to ban IP addresses that repeatedly try to access pages that do not exist.
Lockout Threshold – just like with Login Protection, you can adjust how many events within a certain period of time will trigger a lockout. In this example, if a single IP address triggers 20 404 errors within 300 seconds, that IP will be temporarily locked out from your site.
Lockout Time – here you can indicate how long you would like the lockout to last. You can even permanently ban IP addresses that trigger your 404 lockout.
Lockout Message – in this section you can customize the message that will appear to your site visitors when they’ve been locked out after triggering a 404 Detection lockout.
Whitelist – in this section you can define any files or pages that you know are commonly searched for, but missing from your website. This will prevent your actual members from being locked out during their usual browsing.
Ignore File Types – similar to the above section, you can define specific file types that you would like to be excluded from triggering a 404 Lockout.
Exclusions – this section is where you can choose whether or not to monitor the 404s that come from logged in users. If you would like these interactions monitored (and for the 404 Lockout rules to apply), then leave the box checked. If you would like to disable the monitoring of these interactions, then simply uncheck the box.
And finally, if you’ve made any changes at all to anything under the 404 Detection tab, be sure to click “Update Settings” before navigating to a new page.
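The Login Protection and 404 Detection rules above are both sliding-window counters per IP address. The following is an added example, not Defender’s own code, that models both rules with the page’s defaults (5 failed logins or 20 404s within 300 seconds), the automatic username ban, the 404 whitelist, ignored file types and the logged-in exclusion; the class and method names are assumptions made for the illustration.

```python
# Added example (not Defender's code): sliding-window lockouts for failed
# logins and 404s, modelled on the settings described on this page.
from collections import defaultdict, deque
from dataclasses import dataclass, field
import posixpath

@dataclass
class LockoutRule:
    threshold: int   # events within the window that trigger a lockout
    window: int      # window length in seconds
    duration: int    # lockout length in seconds (0 = permanent ban)

@dataclass
class LockoutEngine:
    # Page defaults: 5 failed logins / 300 s, 20 404s / 300 s
    login: LockoutRule = field(default_factory=lambda: LockoutRule(5, 300, 300))
    notfound: LockoutRule = field(default_factory=lambda: LockoutRule(20, 300, 300))
    banned_usernames: set = field(default_factory=lambda: {"admin", "administrator"})
    whitelist_404: set = field(default_factory=set)   # paths allowed to 404 freely
    ignore_404_ext: set = field(default_factory=set)  # e.g. {".png", ".css"}
    monitor_logged_in_404: bool = True                # the "Exclusions" checkbox
    events: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)  # ip -> epoch seconds (inf = permanent)

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def _lock(self, ip, rule, now):
        self.locked_until[ip] = float("inf") if rule.duration == 0 else now + rule.duration

    def _record(self, kind, ip, rule, now):
        """Append an event, drop events older than the window, lock on threshold."""
        q = self.events[(kind, ip)]
        q.append(now)
        while q and q[0] <= now - rule.window:
            q.popleft()
        if len(q) >= rule.threshold:
            q.clear()
            self._lock(ip, rule, now)
            return True
        return False

    def failed_login(self, ip, username, now):
        """Record a failed login; returns 'banned', 'locked' or 'ok'."""
        if username.lower() in self.banned_usernames:
            self.locked_until[ip] = float("inf")   # "Automatically ban usernames"
            return "banned"
        return "locked" if self._record("login", ip, self.login, now) else "ok"

    def not_found(self, ip, path, now, logged_in=False):
        """Record a 404; returns True if this event locked the IP out."""
        if logged_in and not self.monitor_logged_in_404:
            return False
        ext = posixpath.splitext(path)[1].lower()
        if path in self.whitelist_404 or ext in self.ignore_404_ext:
            return False
        return self._record("404", ip, self.notfound, now)
```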
From here, Defender allows you to permanently ban persistent troublemakers via their IP address. The IP addresses will remain banned until you manually remove them from the list.
Blacklist – pretty self-explanatory. Just list any IP addresses that you would like to have banned, one IP address per line in IPv4 format. You can also ban IP ranges in the format xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
Lockout Message – another opportunity to craft a custom lockout message to let those ne’er-do-wells know you’re onto them. This one is, of course, for those that you’ve personally banned by adding them to the Blacklist above.
Whitelist – and what would a good security service be without a Whitelist to protect the innocent? :) Here you can add any IP addresses that you would like to make sure are never locked out of your site. The accepted format is the same as for the Blacklist: one IP address per line in IPv4 format. You can also whitelist IP ranges in the format xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
Import & Export – these features are really nifty! If you ever need to move your Blacklist & Whitelist to another website, instead of manually copying and pasting all those IP addresses, you can simply Export a CSV file with the complete record. Then all you need to do is Import the CSV file into Defender on your new site. How cool is that?
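As an added example (not Defender’s own code), here is a parser for the list format just described, one IPv4 address or an xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx range per line, together with the decision logic the page implies: a whitelisted address is never locked out, even if it also falls inside a blacklisted range. Function names and the precedence rule are assumptions for the illustration.

```python
# Added example (not Defender's code): parse Blacklist / Whitelist entries
# in the format used on this page and decide whether an IP is banned.
import ipaddress

def parse_entry(line):
    """Return (start, end) IPv4Address pair for one line, or None if blank."""
    line = line.strip()
    if not line:
        return None
    if "-" in line:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in line.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end before start: {line!r}")
        return lo, hi
    ip = ipaddress.IPv4Address(line)   # raises ValueError on anything but IPv4
    return ip, ip

def parse_list(text):
    """Parse a whole textarea (or an exported CSV column) into range pairs,
    reporting the offending line number so a bad entry is easy to find."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(raw)
        except ValueError as err:
            raise ValueError(f"line {n}: {err}") from None
        if entry:
            entries.append(entry)
    return entries

def in_list(ip, entries):
    addr = ipaddress.IPv4Address(ip)
    return any(lo <= addr <= hi for lo, hi in entries)

def lockout_decision(ip, blacklist, whitelist):
    """Whitelist wins (assumed precedence); otherwise a blacklisted IP is banned."""
    if in_list(ip, whitelist):
        return "allow"
    return "banned" if in_list(ip, blacklist) else "allow"

if __name__ == "__main__":
    # Constructed sample lists using documentation address ranges
    black = parse_list("203.0.113.7\n198.51.100.0-198.51.100.255\n")
    white = parse_list("198.51.100.10")
    print(lockout_decision("198.51.100.10", black, white))   # allow
    print(lockout_decision("198.51.100.11", black, white))   # banned
```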
Under Logs you can view all Lockouts that have occurred within the past 30 days. You’ll be able to view the reason for the Lockout, the IP address that was locked out, and the date.
In my example above no Lockouts have occurred since this is a brand new site. But let’s take a look at an example from a live website that has had some activity this past week.
In this example, you can see that 8083 events have been recorded in the past 30 days.
In the top right hand corner I can choose whether I’d like to view all of the results, or filter by a specific Lockout type or event. I can also go through the pages and review all of the events in the log.
For each event you will be able to see what type of event it was (indicated by the small colored box on the left), the reason the event occurred, the IP address that triggered the event, and the date the event occurred.
To the right of each event you will also see two blue links – Ban & Whitelist. By clicking either of these links, you can automatically add the IP address to the respective list (Blacklist or Whitelist).
This section is also pretty self-explanatory. Here you can enable the email notifications you’d receive when a Lockout occurs.
You can also add additional email recipients if you would like someone other than the site admin to be notified. This is great if you have a team of folks helping you to manage your site that you would like to keep in the loop.
And of course, click “Update Settings” if you make any changes.
Under the Settings tab you can control how long the Lockout logs are stored.
You can choose to increase or decrease the storage period, as well as delete the logs immediately if needed.
This is a Pro feature that allows you to schedule a complete lockout report for your site.
From here you can select the frequency of the reports & schedule the time frame for them to be sent.
You can also add additional recipients to the list so that other specified users on your site will receive these emails too.
6.5 Advanced Tools
Defender uses the power of Google Authenticator to provide 2-Factor Authentication for your site. This is an awesome feature that lets you really beef up your site’s security by requiring users to log in with a second passcode from the authenticator app on their phone. It is especially helpful for sites with very sensitive content, and can make a world of difference in protecting your site from brute force attacks.
To enable this feature, click on Advanced Tools in the WordPress admin menu, on the lefthand side.
You will then be taken to this tab where you can activate 2-Factor Authentication:
Just click on “Activate” to begin configuring your settings.
The first setting available for you to adjust is User Roles.
This setting allows you to make 2-Factor Authentication available only to specific types of users on your site. In other words, you can set it so Administrators & Editors can use 2-Factor Authentication, since they have considerable privileges throughout the site, while regular Subscribers are excluded.
By enabling this option you give your users a way to access their accounts even if their phone has been misplaced or is otherwise unavailable to them (i.e. they played Candy Crush for 7 hours straight and their phone died).
We have this setting enabled by default for your convenience.
If you need help finding the official Google Authenticator apps, we provide you with handy links to both the Apple App Store & to Google play.
Note: 2FA is designed to work with Google’s Authenticator app, but any other app that generates OTP codes the same way should work as well.
Here is the list of some alternatives:
- https://www.hde.co.jp/otp/ (iOS/iPhone only)
You can follow this handy link to your Users list on your site.
Users who have enabled 2 Factor Authentication will have a green dot by their name, under the “2 Factor” column.
If you have chosen to keep 2-Factor Authentication optional, users can enable it from their User Profile page (by following the same instructions as given under Force Authentication below).
By default, two-factor authentication is optional for users. These settings force your users to activate two-factor on their next login, and will even redirect active sessions to it.
On their next login, these settings will redirect them to the Two-Factor Authentication section of their Profile Page.
After pressing Enable, users will be prompted to download the Google Authenticator application (from its respective app store) and to scan the QR code with it so they can log in to this specific site (they can add as many sites as needed).
Once the QR code is scanned, the application will show a 6 digit passcode. Users then need to enter the passcode into the box on step 3, and click on “Verify”. If they’ve entered the code correctly, then that’s it! They’re all set.
For future logins
Google Authenticator generates a new code every 30 seconds and it looks something like this on the phone (one code for each site connected):
On their next login, users will be given a new login screen where they need to add the 6 digit code:
If you left the “Lost phone” feature enabled, users can also click on the “Lost your device?” link and the OTP code will be sent to their email (which they set for their account on your site):
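To show what happens behind the QR code, the 30-second code and the “Verify” step described above, here is an added example, not Defender’s or Google’s code, of the time-based one-time password algorithm (RFC 6238) that Google Authenticator and compatible apps use, including the server-side check with a one-step clock-skew allowance and a guard against re-using a code inside its window; the function names, the drift allowance and the replay rule are assumptions for the illustration.

```python
# Added example (not Defender's or Google's code): RFC 6238 TOTP as used by
# Google Authenticator-compatible apps, plus the site's verification step.
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP = 30    # seconds per code, as noted on this page
DIGITS = 6   # length of the passcode the user types in

def new_secret():
    """Fresh 160-bit shared secret, base32-encoded for the QR code."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def otpauth_uri(secret_b32, account, issuer):
    """Contents of the QR code scanned during enrolment (Key Uri Format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")

def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Code for the time-step containing `at` (epoch seconds; default now)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at=None, drift=1, last_counter=-1):
    """Return the accepted time-step counter, or None if the code is rejected.
    Steps at or before `last_counter` (the last one the site accepted) are
    refused, so a code captured in transit cannot be replayed within its window."""
    now = time.time() if at is None else at
    submitted = submitted.strip().replace(" ", "")          # apps show "123 456"
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    base = int(now // STEP)
    for k in range(-drift, drift + 1):                        # tolerate clock skew
        c = base + k
        if c > last_counter and hmac.compare_digest(totp(secret_b32, c * STEP), submitted):
            return c
    return None

if __name__ == "__main__":
    s = new_secret()
    print(otpauth_uri(s, "alice@example.com", "My Site"))     # constructed sample
    code = totp(s)
    print(code, verify(s, code))                               # accepted step counter
```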
If you have chosen not to force Two-Factor Authentication, all users can return to their profile page at any time and disable 2-Factor Authentication (this option is, of course, not available under Forced authentication).
And finally, at the very bottom of this tab, you’ll see the option to disable 2 Factor Authentication entirely if you would prefer not to use this feature any longer on your site.
Just make sure you click Save Settings if you make any changes to this page.
Mask Login Area
Defender allows you to change the location of WordPress’s default wp-admin and wp-login URLs to make it harder for automated bots to find, and more convenient for your users.
Go to Defender/Advanced Tools/Mask login area and activate the module by pressing the “Activate” button:
This feature lets you add a new URL slug where users of your website will now navigate to log in, register or administrate. The slug must be unique (so you can’t use current post/page slug) and you can’t put full domain URLs.
Click on the “New login URL” line and write your desired URL slug – something like “myloginpage”.
After you save the settings, mysite.com/wp-admin and mysite.com/wp-login will be disabled and all logins must be done via the entered URL slug, in this example mysite.com/myloginpage.
To put an extra touch on your login screen and to create an awesome, truly unique login page, check out our Ultimate Branding plugin https://premium.wpmudev.org/blog/ultimate-branding-custom-login-screens/.
Note: After you enable this feature, the “WP ADMIN” button located at https://premium.wpmudev.org/hub/my-websites/ will no longer take you to your site’s back end, because the Hub links to /wp-admin rather than to the login screen.
It does obey any admin_url() changes though, so as long as you log in through your masked login screen first, wp-admin links from the Hub will still work.
With this feature, you can send visitors and bots who try to visit the default WordPress login URLs to a separate URL to avoid 404s.
Activate the feature and add a URL slug to the “Redirection URL” line.
You can use any combination of a-z, 0-9 or add a slug of your Page.
Note: You can’t add full URLs here (so you don’t send out your 404 errors to another domain).
6.6 Blacklist Monitor - Pro
As a WPMU DEV member, you can choose to enable the “Blacklist Monitor” feature.
This feature allows Defender to automatically check Google’s blacklist to see whether your site has been listed.
All you need to do is click “Activate” to get things up and running.
Should you later wish to disable this feature, just click the blue switch.
6.7 Audit Logging - Pro
Beneath Blacklist Monitoring and Automatic Scans, you’ll find the Audit Logging section.
Select “Activate” to get started. When you do, you’ll be taken to the Audit Logging section of Defender.
The first tab that is opened is the Event Log. This is where you’re able to search for a specific user’s activity, filter by date range, and show/hide what events you are interested in seeing.
Immediately beneath that is where your Event Log results will appear. You can even click the “Export CSV” button on the top right to export your full Event Log for safekeeping.
Below is an example of what you may see when you go to check your Log.
From this screen you can see a brief summary of the event, the time the event occurred, and the IP Address where the change/request was made.
In the screenshot, you can see that I just successfully logged into my website 1 hour ago. You’re also able to see that someone tried to log into my site using “admin” as their username (this was malicious activity that Defender was able to protect me from).
You’re also able to see some activity from Hummingbird as old minify groups were deleted.
If you click the black arrow on the right of each row, you will then see some additional information regarding the event.
Here you’ll see the context (session, plugin, theme, post etc.), the type (user or visitor), the IP address, the User profile (if they are a member of your site), and the Date/Time the event occurred.
If you click on one of the blue links, then the page will reload and you’ll be shown the Event Log for all of the same type of trait. For example, if I click on my name under “User” then I will be provided with a list of all the activity in the Event Log that is attributed to myself.
You can also choose to ban an IP from this screen if you see some activity that you do not like and has not been banned already. (Don’t accidentally ban yourself!)
Pretty nifty, ya? I think so! :)
From here you can choose to disable Audit Logging if you no longer wish to track this information.
As with IP Lockouts, you can control when you receive a full report of the activity on your website that is recorded in your Event Log.
And you can even add additional email recipients if there are others whom you feel would benefit from receiving a copy of your Event Log. (Great if you have a team of folks working on your site!)
6.8 Reporting - Pro
And last but not least, you can find a Reporting section on the main Defender Dashboard which contains quick links to the File Scanning, Audit Logging, and IP Lockout reports.
This section also lets you see at a glance how often you receive these various reports, so you can quickly determine whether you’d like to make any adjustments.