Installing a Free WordPress security system

Free WordPress security system
Share with friends

Table of Contents

Web Hosting from £19.95
Hosting plans come with enhanced server security and 24h automatic backups. Lightening fast speeds with SSL certificates included free with all our plans.
Written by Simon

Last Updated 16/12/2023

Installing a Free WordPress security system

In this article, we will cover firewalls, malware, and how to set up a free security system for your WordPress website. There are many options out there, but we will be looking at a plugin called WordFence. PODTech will take you step-by-step through the setup process. It is important to note that this is a free plugin and for 100% protection, we recommend using companies such as Sucuri for a more secure security system.

How to install WordFence, a free WordPress security system for your website.

Free WordPress security system

What is a Firewall?

firewall is a network security device that monitors incoming and outgoing traffic to your website’s server. Its primary role is to restrict access to data packets based on a pre-determined set of security rules. By doing this, it can establish a barrier between your internal network and incoming traffic from external sources on the Internet. As a result, it can block malicious traffic like hackers and viruses.

Firewall illustration

WordFence Setup

In this section, we will be discussing how to set up your WordFence firewall. WordFence is a free firewall and malware scanner with paid-for upgrades.

Before you begin, download the WordFence plugin from your website’s back office.

Recommended Reading: How to install a plugin

Wordfence Plugin screenshot


Straight out of the box, WordFence gives you some basic security. Let’s do the final configurations to get it optimised for your site.

After installing your WordFence plugin, assign an email address to receive alerts. Scroll down and locate the WordFence icon on your back office sidebar; a pop-up window should appear.

Screenshot showing the WordFence signup panel

Fill in your email, and your marketing preference and also read and agree to their T&Cs. Click Continue and if you have purchased Pro you can add your Pro Key here. If you haven’t purchased Pro, click No Thanks.

Navigate to your WordFence Dashboard (sidebar) and at the top click Yes, enable auto-update>Click Here to Configure.

Screenshot of the WordFence Configuration popup

The configuration process is all automated, click to download the file (.htaccess). This is just as a precaution, and if the config fails, you will have a backup you can restore. Click Download .htaccess>Continue>Close and store the file somewhere safe on your computer. 

Brute Force Attacks

Congratulations – your website now has a basic firewall and can protect you from Brute Force Attacks. Brute force attacks are when bots try to identify your usernames and passwords by continuously guessing until they get it right. Let’s change our settings so that we can protect ourselves further from brute-force attacks. We can do this using three ways:

  1. Limiting the number of incorrect password tries before we blacklist (Block) an IP address 
  2. Blacklisting attempted sign-ins by accounts that don’t exist
    • Bots will guess user names like ‘Admin’ or your site name as usernames. Avoid using these as your usernames and we will auto-block anyone trying to sign in with these names
  3. Forcing strong passwords with our admin accounts
    • These are longer more complex passwords that are harder to guess

Scroll down to Brute Force Protection>Lock out after how many login failures change the value from 20 to 5 and do the same with Lock out after how many forgot password attempts. Next, tick Immediately lock out invalid usernames. You can add any usernames you would like to block in the box here.

For now, keep it blank as Prevent users registering ‘admin’ username if it doesn’t exist is activated. However, if you keep getting notifications from WordFence informing you a hacker keeps trying to use a specific name, you can add that username here.

Firewall & Learning Mode

Next, let’s look at the firewall itself. If we scroll back to the top, we can see Web Application Firewall Status. This has three modes:

  1. Enabled Protecting
  2. Learning Mode
  3. Disabled 

Select one which suits you best, We would recommend Learning Mode.

Activating Wordfence Learning Mode

Learning mode, as the name suggests, will learn how your visitors interact with your site and adjust its settings accordingly. The downside is that it takes a couple of weeks for it to ‘learn’ your site’s needs. If you need your firewall enabled straight away, go for Enabled and Protecting.

In the firewall settings, you can add the IP address that you would like to ‘whitelist‘. This is when you give a specific computer access to your site and can bypass all the rules. This can be handy if your home computer keeps getting locked out for some reason.

Finally Rate Limiting. Here we want to allow ‘Verified Google Crawlers’  and change How long is an IP address blocked when it breaks a rule value to 1h. 

Important: If you become blacklisted due to multiple incorrect password attempts, you can undo it here.

Now we need to change the notification alert level. As default it is set to low, this means you will receive an email notification when minor security issues occur such as a plugin that needs updating. As plugin updates are pushed regularly, this can get quite annoying. To adjust the sensitivity of email alerts navigate to All Options>Email Alert Preferences>Alert me with scan results of this severity level or greater and change the value to High before Save Changes.

What is Malware?

Malware is short for malicious software and is a blanket term for viruses, trojan, worms and other programmes that can infect your website.

“[Malware] is a catch-all term to refer to any software designed to cause damage to a single computer, server, or computer network.” – Microsoft

Source Link:

This means that malware is defined by its purpose rather than how it is built. As a result, anything that is installed on your network that is malicious is considered malware. Because of this, there are numerous types of malware and here are the most common ones:

  • Worm – a standalone piece of malicious software that reproduces itself and spreads from computer to computer
  • Virus – a piece of code that inserts itself into another standalone program and forces it to take malicious action before replicating
  • Trojan – a programme that cannot replicate itself, but enters your system discussed as another programme 

Scanning for Malware?

Scanning for malware is simple and automatically scheduled by WordFence. You can also easily run a manual scan. You might feel malware circumvented your firewall between scheduled scans and want to run a manual one. 

Head to your WordFence Dashboard>Scan>Start New Scan and this will begin a new scan of your website. It can take some time, so just let the programme run. After the scan, you will have sections that have been ticked and possible areas to improve. Here, WordFence will give you instructions on how to resolve these issues.

In the screenshot below, we can see there is a ‘Vulnerability Scan’ issue. These are very common and tend to be plugins or themes that need updating, as is the case here. It is important to keep your themes and plugins updated as new updates may resolve weaknesses in the developer’s code that may be a backdoor for hackers. You should fully update your site at least once a month.

Malware-Scan using wordfence

Web Hosting

From £19.95 /mo