How to Stop Hackers in Their Tracks with Defender
Defender deters hackers with IP banning, login lockout, security key updates, two-factor authentication, and more. Learn about Defender’s robust security features that stop hackers from waltzing right into your WordPress site.
No hacker gets past Defender!
Defender is WPMU DEV’s answer to WordPress security.
Our powerful 5-star plugin provides complete security for your WordPress sites and brings you peace of mind by deterring brute force attacks, SQL injections, and cross-site scripting (XSS), and by preventing hackers from exploiting WordPress vulnerabilities.
“Defender recently blocked over 3000 attacks in one week without any noticeable impact on the website. WPMUDEV knocking it out of the park on this one.” – David Oswald
Defender adds the best in WordPress security to your website with just a few clicks.
To stop hackers from getting in, Defender configures powerful security measures and lets you easily:
- Perform one-click security tweaks
- Disable trackbacks and pingbacks
- Check default database prefix
- Disable file editor so that if they get in, they won’t get far
- Hide error reporting so you don’t reveal your issues
- Update security keys
- Prevent information disclosure
- Prevent PHP execution
- Change the location of WordPress’s default login area with login masking
- Enable round-the-clock firewall protection
- Set up login lockout
- Automate blocking of bot IPs with 404 detection
- Block users based on location with geolocation IP lockout
- Block or allow IPs with IP Banning
- Prevent hackers from reaching your site with WAF
- Enable two-factor authentication
Right off the bat, Defender provides a number of Security Tweaks in the dashboard, letting you fix, with just one click, issues that hackers could exploit to compromise your site’s security.
To help you stay on top of your security tweaks, Defender provides a checklist of all issues that need fixing, highlights these in yellow, and marks all resolved issues in green.
Let’s go through some of these one-click security tweaks.
Disable Trackbacks and Pingbacks
Defender can prevent trackbacks and pingbacks from causing DDoS attacks and spam comments.
Just click the Disable Pingbacks button.
Check Default Database Prefix
While Defender doesn’t change your default database prefix, it will detect whether your site is using the default wp_ database prefix that WordPress normally assigns to new installations.
You can then change it and set a unique database prefix that will make it harder for hackers to perform SQL injection attacks if they run across any code vulnerability on your site.
This adds another layer of difficulty for hackers to overcome, further protecting your WordPress site.
You can quickly see if this function is enabled or disabled in the Issues or Resolved section.
Disable File Editor
As the file editor is built into WordPress, anyone with an admin account can edit your theme and plugin files and inject malicious code.
Disabling the file editor helps prevent this and removes a security hole in your admin area that could otherwise become a problem.
If it’s an issue, just click Disable the File Editor in the Issues section.
The problem will be fixed and marked as Resolved.
Hide Error Reporting
With Defender’s one-click security tweaks, you can make your site less prone to malicious attacks by disabling WordPress’s built-in display of PHP and script errors.
This feature displays code errors on the frontend of your website, allowing hackers to find loopholes in your site’s security.
Update Security Keys
As WordPress uses security keys to strengthen the encryption of stored information, a random, unpredictable key (e.g. 89080a8908908b098903c) makes it near impossible for hackers to come up with the right combination.
Defender’s Update old security keys feature lets you update these keys regularly and set a reminder for how often it should notify the admin to regenerate them.
Once your security keys have been regenerated, the update is then automatically marked as Resolved.
Prevent Information Disclosure
Another of Defender’s automated one-click Security Tweaks prevents the disclosure of sensitive files on misconfigured servers, which could otherwise let malicious users access your WordPress site or database.
Prevent PHP Execution
Defender lets you disable direct PHP execution in directories that don’t require it, so that a harmful PHP file uploaded through a plugin or theme vulnerability cannot be run from your WordPress site’s directories.
You can also add exceptions to PHP files that you want to run and bypass Defender’s protection measures.
Firewall
Defender’s Firewall adds a hardened layer of protection against a hacker’s attempts to gain entry to your site through brute force attacks.
It comprises a number of security measures, including login lockout, 404 detection, geolocation IP lockout, IP banning, and, for sites hosted with WPMU DEV, a web application firewall.
Login Lockout
Defender locks out any user who repeatedly fails to log in with the right credentials.
You can configure login lockout options such as the lockout time, lockout message, and ban usernames.
Adjusting the threshold lets you specify how many failed login attempts Defender will allow in a given time period before triggering a lockout.
You can set the duration of the lockout or permanently lock out offending users.
Like most of Defender’s features, you can customize the message that will be displayed to locked out users.
You can also automatically lock out and ban users if they attempt to log in using common usernames (e.g. admin).
404 Detection
Defender keeps an eye out for repeat offenders: usually bots that crawl every link on your site looking for a back-end admin area where they can wreak havoc, or repeated requests from the same IP address for pages on your WordPress site that don’t exist.
If this happens too frequently, Defender will block users from accessing your site.
You can specify how many 404 errors within a specific period will trigger a lockout and choose the ban duration for offending users, either for a specific timeframe (in seconds, minutes, or hours) or permanently.
You can also customize the message displayed to locked out users.
Defender’s Blocklist automatically bans users and bots from accessing any files and folders you specify.
If a common file or folder in your website is missing, you can record it in the Allowlist area. Any attempts to access these won’t count toward a lockout.
Specifying file types and extensions to auto-ban or allow is as simple as entering these into the plugin’s fields.
Defender monitors all interactions on your website. However, with the click of a button, you can also choose to include or exclude monitoring 404s from logged-in users.
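Login lockout and 404 detection are the same mechanism with different inputs: count offending events per IP inside a time window, lock the IP once the threshold is reached, and exempt anything on an allowlist. As an added example that is not part of this post or of Defender’s code, the following Python models that policy for both features, including the banned-username shortcut, the 404 allowlist of known-missing paths, the logged-in-user toggle, an auto-ban on blocklisted file extensions, and manual release of a mistaken ban. All IP addresses, paths, and timings are constructed for the walk-through; the class and method names are this example’s own.

```python
from collections import defaultdict, deque

PERMANENT = float("inf")


class LockoutTracker:
    """Sliding-window counter per IP: once `threshold` events land inside
    `window` seconds the IP is locked for `duration` seconds (None = forever).
    IPs on the allowlist are never counted or locked."""

    def __init__(self, threshold, window, duration, allowlist=()):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self.allowlist = set(allowlist)
        self.events = defaultdict(deque)   # ip -> timestamps of recent events
        self.locked_until = {}             # ip -> unix time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[ip]          # lock has expired; forget it
        return False

    def lock(self, ip, now):
        if ip in self.allowlist:
            return False
        self.locked_until[ip] = PERMANENT if self.duration is None else now + self.duration
        self.events.pop(ip, None)
        return True

    def release(self, ip):
        """Manually release an IP that was banned by mistake."""
        self.locked_until.pop(ip, None)
        self.events.pop(ip, None)

    def record(self, ip, now):
        """Count one offending event; return True if the IP is (now) locked."""
        if ip in self.allowlist:
            return False
        if self.is_locked(ip, now):
            return True
        recent = self.events[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()               # drop attempts older than the window
        if len(recent) >= self.threshold:
            return self.lock(ip, now)
        return False


class LoginGuard:
    """Login lockout: repeated failures trip the tracker; a failure with a
    banned username (e.g. admin) locks the IP straight away."""

    def __init__(self, tracker, banned_usernames=("admin",)):
        self.tracker = tracker
        self.banned = {u.lower() for u in banned_usernames}

    def failed_login(self, ip, username, now):
        if username.lower() in self.banned:
            return self.tracker.lock(ip, now)
        return self.tracker.record(ip, now)


class NotFoundGuard:
    """404 detection: bursts of missing pages trip the tracker, allowlisted
    paths never count, logged-in users are skipped unless opted in, and a
    request for a blocklisted extension locks the IP immediately."""

    def __init__(self, tracker, allowed_paths=(), blocked_suffixes=(), count_logged_in=False):
        self.tracker = tracker
        self.allowed_paths = set(allowed_paths)
        self.blocked_suffixes = tuple(blocked_suffixes)
        self.count_logged_in = count_logged_in

    def not_found(self, ip, path, now, logged_in=False):
        if path in self.allowed_paths or (logged_in and not self.count_logged_in):
            return False
        if path.endswith(self.blocked_suffixes):
            return self.tracker.lock(ip, now)
        return self.tracker.record(ip, now)


if __name__ == "__main__":
    # Constructed walk-through: 3 failures within 5 minutes lock for 10 minutes.
    login = LoginGuard(LockoutTracker(threshold=3, window=300, duration=600,
                                      allowlist={"203.0.113.9"}))
    for t in (0, 60, 120):
        print("failure at", t, "-> locked:", login.failed_login("198.51.100.7", "editor", t))
    print("still locked at 700:", login.tracker.is_locked("198.51.100.7", 700))
    print("released at 800:", not login.tracker.is_locked("198.51.100.7", 800))
```

The window check matters: three failures spread over an hour should not trip a "3 in 5 minutes" rule, which is why old timestamps are dropped before the count is compared with the threshold.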
Geolocation IP Lockout
Defender lets you ban traffic from any location, even an entire country, if you don’t want traffic coming to your site from certain places. Geolocation IP lockout is a great added security bonus that prevents users in undesirable locations from getting anywhere near your site.
Like IP Banning, it lives inside Defender’s Firewall and stops unwelcome visitors with just a few clicks.
You will need to sign up for a free account with MaxMind to get access to the free GeoLite2 Database.
After confirming your account and creating a password, you can generate a license key.
Adding this license key to Defender lets you download, add, and access the GeoLite2 database.
After successful license activation, the Location section will let you specify countries to block or let traffic through from a drop-down menu.
IP Banning
You can block IP addresses by adding them to Defender’s Blocklist. Users with those IP addresses won’t be able to visit your WordPress site and will be greeted instead with a customizable message.
Defender lets you add any addresses you want to ban into its Blocklisted IPs section and supports both IPv4 and IPv6 formats.
Alternatively, you can allow IP addresses and exempt users from the ban rules for login protection, 404 detection, or IP ban lists.
Once you have added an active list, Defender monitors these IPs. It also lets you release any blocked IPs that were inadvertently banned.
Additionally, you can easily import and export any list data you have already compiled to and from Defender with just one click.
Web Application Firewall (WAF)
If you’re hosting your website with WPMU DEV, a Web Application Firewall is enabled via Defender, adding an initial layer of protection against hackers and bots before they can even reach your site.
If a request matches our WAF ruleset covering common attacks, it is stopped before it reaches any vulnerable file in your WordPress core, plugins, or themes (virtual patching), while any rules set in Defender’s firewall are still respected.
Two-Factor Authentication (2FA)
Defender enhances your WordPress site’s security by adding an extra step to the login process with two-factor authentication. This makes it extremely difficult for a hacker to log in to your account.
With a click of the Activate button, you can configure authentication settings. All the recommended settings are on by default and you’ll have plenty of options.
You can assign User Roles that will require 2FA by clicking on each one.
The Lost Phone setting, when enabled, sends the authentication code to the user’s email instead. You can also enable Force Authentication, which requires users to activate 2FA, and add Custom Graphics in place of the default Defender icon.
Defender uses the Google Authenticator app. Download and setup instructions are in the User Profile dashboard, allowing you to easily install the app on your device from the App Store or Google Play.
To log in with 2FA, scan the barcode with the app and enter the 6-digit passcode shown on your device.
Defender’s 2FA feature adds an impenetrable extra layer of security and protection against hackers.
Defender provides two Advanced Tools to enhance site security and thwart hackers from accessing your site:
- Masked Login Area: Change the URL path to your login screen to something other than the default
- Security Headers: Enable security headers to add an extra layer of security to your website
Let’s take a quick look at how easy it is to make it hard for hackers to find your login screen:
With Defender, you can easily change your default URL to mask (hide) your login area, preventing hackers and bots from locating and accessing your login URL.
You can choose your own masked login URL by entering any slug you like (e.g. ‘my-awesome-login’). We recommend choosing a login URL that bots will find almost impossible to guess.
Setting up your new beefed-up secure login URL is as easy as entering a new slug and clicking Save Changes.
Defender Makes It Harder To Hack WordPress And Easier For Hackers To Go Elsewhere
With Defender monitoring your WordPress site 24/7, hackers have no reason to stick around.
Defender amps up your security and stops hackers in their tracks. In fact, Defender automatically resolves many common security issues as soon as you activate the plugin.
Defender protects your site against hackers and malicious bots before they even visit your site with WAF, lets you perform one-click security tweaks, and then continuously guards and monitors the perimeter with advanced security hardening features like login masking, two-factor authentication, malware scanning, audit logging, and firewall protection.
To learn more about WordPress security, check out our Ultimate Guide to WordPress Security.
For more information on how Defender works, be sure to view the plugin’s documentation.
Also, keep an eye on our roadmap for all the exciting new features coming soon to Defender, the ultimate WordPress security plugin.