{"id":188839,"date":"2020-06-25T20:52:25","date_gmt":"2020-06-25T20:52:25","guid":{"rendered":"https:\/\/premium.wpmudev.org\/blog\/?p=188839"},"modified":"2020-06-16T19:00:13","modified_gmt":"2020-06-16T19:00:13","slug":"stop-hackers-with-defender-wordpress-security-plugin","status":"publish","type":"post","link":"https:\/\/wpmudev.com\/blog\/stop-hackers-with-defender-wordpress-security-plugin\/","title":{"rendered":"How to Stop Hackers in Their Tracks with Defender"},"content":{"rendered":"<p>Defender deters hackers with IP banning, login lockout, updating security keys, two-factor authorization, and more. Learn about Defender&#8217;s robust security features that prevent hackers from waltzing right into your WordPress site.<\/p>\n<p style=\"text-align: center;\"><video loop muted autoplay playsinline class='dev-html5-video'><source src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/Defender-600.webm\" type=\"video\/webm\"><source src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/Defender-600.mp4\" type=\"video\/mp4\"><\/video><\/p>\n<p style=\"text-align: center;\"><small>No hacker gets past Defender!<\/small><\/p>\n<p style=\"text-align: left;\"><a href=\"https:\/\/wordpress.org\/plugins\/defender-security\/\" rel=\"noopener\" target=\"_blank\">Defender<\/a> is WPMU DEV&#8217;s answer to WordPress security.<\/p>\n<p>Our powerful 5-star plugin provides complete security for your WordPress sites and brings you peace of mind by deterring brute force attacks, SQL injections, cross-site scripting XSS, and preventing hackers from exploiting WordPress vulnerabilities.<\/p>\n<blockquote><p>&#8220;Defender recently blocked over 3000 attacks in one week without any noticeable impact on the website. 
WPMUDEV knocking it out of the park on this one.&#8221; \u2013 <a href=\"https:\/\/wpmudev.com\/profile\/davidoswald\/\" target=\"_blank\" rel=\"noopener\">David Oswald<\/a><\/p><\/blockquote>\n<p>Defender adds the best in WordPress security to your website with just a few clicks.<\/p>\n<p><strong>In order to stop the hackers from getting in, Defender configures powerful security measures, including allowing you to easily:<\/strong><\/p>\n<ul>\n<li><a href=\"#security-tweaks\">Perform one-click security tweaks<\/a><\/li>\n<li><a href=\"#trackbacks\">Disable trackbacks and pingbacks<\/a><\/li>\n<li><a href=\"#default\">Check default database prefix<\/a><\/li>\n<li><a href=\"#file\">Disable file editor so that if they get in, they won&#8217;t get far<\/a><\/li>\n<li><a href=\"#error\">Hide error reporting so you don&#8217;t reveal your issues<\/a><\/li>\n<li><a href=\"#keys\">Update security keys<\/a><\/li>\n<li><a href=\"#disclosure\">Prevent information disclosure<\/a><\/li>\n<li><a href=\"#php\">Prevent PHP execution<\/a><\/li>\n<li><a href=\"#masking\">Change the location of WordPress&#8217;s default login area with login masking<\/a><\/li>\n<li><a href=\"#firewall\">Enable round-the-clock firewall protection<\/a><\/li>\n<li><a href=\"#lockout\">Set up login lockout<\/a><\/li>\n<li><a href=\"#404\">Automate blocking of bot IPs with 404 detection<\/a><\/li>\n<li><a href=\"#geo\">Block users based on location with geolocation IP lockout<\/a><\/li>\n<li><a href=\"#ip-banning\">Block or allow IPs with IP Banning<\/a><\/li>\n<li><a href=\"#waf\">Prevent hackers from reaching your site with WAF<\/a><\/li>\n<li><a href=\"#twofactor\">Enable two-factor authentication<\/a><\/li>\n<\/ul>\n<h2 id=\"security-tweaks\">Security Tweaks<\/h2>\n<p>Right off the bat, Defender provides a number of <strong>Security Tweaks<\/strong> in the dashboard, allowing you to easily fix any issues that can be exploited by hackers and compromise your site&#8217;s security with just one 
click.<\/p>\n<p>To help you stay on top of your security tweaks, Defender provides a checklist of all issues that need fixing and highlights these in yellow&#8230;<\/p>\n<figure id=\"attachment_189161\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189161\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/defender-security-tweaks-issues.png\" alt=\"Defender - Security Tweaks - Issues\" width=\"600\" height=\"377\" \/><figcaption class=\"wp-caption-text\">Defender highlights all issues in yellow.<\/figcaption><\/figure>\n<p>And marks all resolved issues in green&#8230;<\/p>\n<figure id=\"attachment_189160\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189160\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/defender-security-tweaks-resolved.png\" alt=\"Defender Security Tweaks - Resolved\" width=\"600\" height=\"395\" \/><figcaption class=\"wp-caption-text\">Security tweaks resolved and no longer an issue.<\/figcaption><\/figure>\n<p>Let&#8217;s go through some of these one-click security tweaks&#8230;<\/p>\n<h3 id=\"trackbacks\">Disable Trackbacks and Pingbacks<\/h3>\n<p>Defender can\u00a0prevent trackbacks and pingbacks from causing <a href=\"https:\/\/en.wikipedia.org\/wiki\/Denial-of-service_attack\" target=\"_blank\">DDoS attacks<\/a> and spam comments.<\/p>\n<p>Just click the <strong>Disable Pingbacks<\/strong>\u00a0button.<\/p>\n<figure id=\"attachment_189162\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189162\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/disable-trackbacks-and-pingbacks.png\" alt=\"Disable trackbacks and pingbacks.\" width=\"600\" height=\"512\" \/><figcaption class=\"wp-caption-text\">Disable trackbacks and pingbacks.<\/figcaption><\/figure>\n<h3 
id=\"default\">Check Default Database Prefix<\/h3>\n<p>While Defender doesn&#8217;t change your default database prefix, it will detect whether it is using the default <code>wp_<\/code> database prefix that WordPress normally assigns to new installations.<\/p>\n<p>You can then change it and set a unique database prefix that will make it harder for hackers to perform <a href=\"https:\/\/wpmudev.com\/blog\/mysql-databases\/\" target=\"_blank\">SQL injection attacks<\/a> if they run across any code vulnerability on your site.<\/p>\n<p>This adds another layer of difficulty for hackers to overcome, further protecting your WordPress site.<\/p>\n<p>You can quickly see if this function is enabled or disabled in the <strong>Issues<\/strong> or <strong>Resolved<\/strong> section.<\/p>\n<figure id=\"attachment_188871\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188871\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/change-default-database-prefix-1.png\" alt=\"Your default database prefix is resolved.\" width=\"600\" height=\"336\" \/><figcaption class=\"wp-caption-text\">Your default database prefix is resolved.<\/figcaption><\/figure>\n<h3 id=\"file\">Disable File Editor<\/h3>\n<p>As the file editor is built into WordPress, anyone with an admin account can edit your theme and plugin files and inject malicious code.<\/p>\n<p>Disabling the file editor helps prevent this and any security holes in your admin that could become a problem.<\/p>\n<figure id=\"attachment_188872\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188872\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/disable-file-editor.png\" alt=\"Disable file editor.\" width=\"600\" height=\"324\" \/><figcaption class=\"wp-caption-text\">Disable the file editor is seen as a security issue. 
That can be done with a click of a button.<\/figcaption><\/figure>\n<p>If it\u2019s an issue, just click <strong>Disable the File Editor<\/strong>\u00a0in the <strong>Issues<\/strong> section.<\/p>\n<figure id=\"attachment_188873\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188873\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/disable-file-editor-button.png\" alt=\"Disable file editor button.\" width=\"600\" height=\"337\" \/><figcaption class=\"wp-caption-text\">Disable file editor button.<\/figcaption><\/figure>\n<p>The problem will be fixed and marked as <strong>Resolved<\/strong>.<\/p>\n<figure id=\"attachment_188874\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188874\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/disable-file-editor-accomplished.png\" alt=\"Disabled file editor.\" width=\"600\" height=\"256\" \/><figcaption class=\"wp-caption-text\">And now it&#8217;s disabled.<\/figcaption><\/figure>\n<h3 id=\"error\">Hide Error Reporting<\/h3>\n<p>With Defender&#8217;s one-click security tweaks, you can make your site less prone to malicious attacks by disabling the built-in PHP and scripts error debugging feature of WordPress.<\/p>\n<p>This feature displays code errors on the frontend of your website, allowing hackers to find loopholes in your site\u2019s security.<\/p>\n<figure id=\"attachment_188875\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188875\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/hide-error-reporting.png\" alt=\"Hide error reporting is now resolved.\" width=\"600\" height=\"333\" \/><figcaption class=\"wp-caption-text\">Hide error reporting is now resolved.<\/figcaption><\/figure>\n<h3 id=\"keys\">Update Security Keys<\/h3>\n<p>As WordPress 
uses security keys to enhance the encryption of information, having a random, unpredictable encrypted password (e.g. 89080a8908908b098903c) can make it near impossible for hackers to come up with the right combination.<\/p>\n<p>Defender&#8217;s <strong>Update old security keys<\/strong> feature lets you update these keys regularly and set a reminder for how often it should notify the admin to regenerate these.<\/p>\n<figure id=\"attachment_188876\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188876\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/update-old-security-keys.png\" alt=\"Where you'll regenerate the keys.\" width=\"600\" height=\"325\" \/><figcaption class=\"wp-caption-text\">Where you&#8217;ll regenerate the keys.<\/figcaption><\/figure>\n<p>Once your security keys have been regenerated, the update is then automatically marked as <strong>Resolved<\/strong>.<\/p>\n<figure id=\"attachment_188877\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188877\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/updated-security-keys.png\" alt=\"Post image\" aria-hidden=\"true\" width=\"600\" height=\"225\" \/><figcaption class=\"wp-caption-text\">Where it shows security keys are updated. 
Also, you can set a reminder here to reset again in the future.<\/figcaption><\/figure>\n<h3 id=\"disclosure\">Prevent Information Disclosure<\/h3>\n<p>Another of Defender&#8217;s automated one-click <strong>Security Tweaks <\/strong>is to prevent the <a href=\"https:\/\/www.netsparker.com\/blog\/web-security\/information-disclosure-issues-attacks\/\" rel=\"noopener\" target=\"_blank\">disclosure of sensitive files<\/a> in servers that have been misconfigured, allowing malicious users to access your WordPress site or database.<\/p>\n<figure id=\"attachment_188878\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188878\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/Prevent-information-disclosure.png\" alt=\"Prevent information disclosure.\" width=\"600\" height=\"216\" \/><figcaption class=\"wp-caption-text\">The status of the Prevent Information Disclosure security feature.<\/figcaption><\/figure>\n<h3 id=\"php\">Prevent PHP Execution<\/h3>\n<p>Defender lets you disable direct PHP execution in directories that don\u2019t require it, preventing plugin or theme vulnerabilities from allowing a harmful PHP file to be uploaded to your WordPress site\u2019s directories.<\/p>\n<figure id=\"attachment_188879\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188879\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/prevent-PHP-execution.png\" alt=\"Resolved Prevent PHP Execution.\" width=\"600\" height=\"136\" \/><figcaption class=\"wp-caption-text\">Resolved Prevent PHP Execution.<\/figcaption><\/figure>\n<p>You can also add exceptions to PHP files that you want to run and bypass Defender&#8217;s protection measures.<\/p>\n<figure id=\"attachment_188880\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188880\" 
src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/allowed-PHP-files.png\" alt=\"Where exempt PHP files can be placed.\" width=\"600\" height=\"312\" \/><figcaption class=\"wp-caption-text\">Where exempt PHP files can be placed.<\/figcaption><\/figure>\n<h2 id=\"firewall\">Firewall<\/h2>\n<p>Defender&#8217;s Firewall adds a hardened layer of protection against a hacker&#8217;s attempts to gain entry to your site through brute force attacks.<\/p>\n<p>It comprises a number of security measures, including:<\/p>\n<h3 id=\"lockout\">Login Lockout<\/h3>\n<p>Defender locks out any user who tries to log in and fails repeatedly to get the credentials right.<\/p>\n<figure id=\"attachment_189083\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189083\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/login-lockouts.png\" alt=\"Login Lockouts dashboard.\" width=\"694\" height=\"244\" \/><figcaption class=\"wp-caption-text\">Defender&#8217;s Login lockouts dashboard.<\/figcaption><\/figure>\n<p>You can configure login lockout options such as the lockout time, lockout message, and ban usernames.<\/p>\n<p>Adjusting the <strong>threshold<\/strong> lets you specify how many failed login attempts Defender will allow in a given time period before triggering a lockout.<\/p>\n<figure id=\"attachment_189087\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189087 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/login-lockout-threshold.png\" alt=\"Login lockout threshold\" width=\"600\" height=\"280\" \/><figcaption class=\"wp-caption-text\">In this example, Defender will ban users with 5 failed login attempts within a 5-minute period.<\/figcaption><\/figure>\n<p>You can set the <strong>duration<\/strong> of the lockout or permanently lock out offending users.<\/p>\n<figure 
id=\"attachment_189088\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189088\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/lockout-duration.png\" alt=\"Login lockout duration.\" width=\"600\" height=\"190\" \/><figcaption class=\"wp-caption-text\">Ban users temporarily or permanently.<\/figcaption><\/figure>\n<p>Like most of Defender&#8217;s features, you can customize the message that will be displayed to locked out users.<\/p>\n<figure id=\"attachment_189089\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189089 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/login-lockout-message.png\" alt=\"Customizable login lockout message.\" width=\"600\" height=\"275\" \/><figcaption class=\"wp-caption-text\">Customize your message to locked out users.<\/figcaption><\/figure>\n<p>You can also automatically lockout and ban users if they attempt to log in using common usernames (e.g. admin).<\/p>\n<figure id=\"attachment_189091\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189091 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/banner-username.png\" alt=\"Banned username message.\" width=\"600\" height=\"623\" \/><figcaption class=\"wp-caption-text\">Defender locks out and bans users attempting to log in using a banned username.<\/figcaption><\/figure>\n<h3 id=\"404\">404 Detection<\/h3>\n<p>Defender keeps an eye out for repeat offenders. 
These are usually <a href=\"https:\/\/en.wikipedia.org\/wiki\/Web_crawler\" rel=\"noopener\" target=\"_blank\">bots that crawl every link on your site<\/a> trying to find a back-end admin area so they can wreak havoc or requests from the same IP addresses for pages on your WordPress site that don\u2019t exist.<\/p>\n<p>If this happens too frequently, Defender will block users from accessing your site.<\/p>\n<p>You can specify how many 404 errors within a specific period will trigger a lockout and choose the ban duration for offending users, either for a specific timeframe (in seconds, minutes, or hours) or permanently.<\/p>\n<figure id=\"attachment_189117\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189117\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/404-detection.png\" alt=\"Defender Firewall - 404 Detection.\" width=\"600\" height=\"609\" \/><figcaption class=\"wp-caption-text\">Defender Firewall &#8211; 404 Detection.<\/figcaption><\/figure>\n<p>You can also customize the message displayed to locked out users.<\/p>\n<figure id=\"attachment_188854\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-188854 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/defender-blocked-message.png\" alt=\"Blocked message.\" width=\"600\" height=\"210\" \/><figcaption class=\"wp-caption-text\">Don&#8217;t leave hackers guessing why they&#8217;ve been locked out.<\/figcaption><\/figure>\n<p>Defender&#8217;s <strong>Blocklist<\/strong> automatically bans users and bots from accessing any files and folders you specify.<\/p>\n<p>If a common file or folder in your website is missing, you can record it in the <strong>Allowlist <\/strong>area. 
Any attempts to access these won\u2019t count toward a lockout.<\/p>\n<figure id=\"attachment_189149\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189149\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/defender-firewall-files-folders-1.png\" alt=\"Defender Firewall - 404 Detection - Files &amp; Folders section\" width=\"600\" height=\"758\" \/><figcaption class=\"wp-caption-text\">Ban or allow users to access files and folders.<\/figcaption><\/figure>\n<p>Specifying file types and extensions to auto-ban or allow is as simple as entering these into the plugin&#8217;s fields.<\/p>\n<figure id=\"attachment_189151\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189151 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/defender-filetypes-extensions.png\" alt=\"Defender Firewall - 404 Detection - Filetypes &amp; Extensions section.\" width=\"600\" height=\"792\" \/><figcaption class=\"wp-caption-text\">Auto-ban or allow access to filetypes and extensions.<\/figcaption><\/figure>\n<p>Defender monitors all interactions on your website. 
However, with the click of a button, you can also choose to include or exclude monitoring 404s from logged-in users.<\/p>\n<figure id=\"attachment_188857\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188857\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/monitor-404s.png\" alt=\"Click to monitor 404s from logged in users.\" width=\"600\" height=\"187\" \/><figcaption class=\"wp-caption-text\">Click to monitor 404s from logged-in users.<\/figcaption><\/figure>\n<h3 id=\"geo\">Geolocation IP Lockout<\/h3>\n<p>Defender lets you ban traffic from any location&#8211;even an entire nation&#8211;if you don&#8217;t want traffic coming to your site from certain places. Geolocation IP lockout is <a href=\"https:\/\/blog.maxmind.com\/2015\/06\/26\/how-to-use-geolocation-to-identify-higher-risk-transactions\/\" rel=\"noopener\" target=\"_blank\">a great added security bonus<\/a> that prevents users in undesirable locations from getting anywhere near your site.<\/p>\n<p><strong>IP Banning<\/strong> inside Defender&#8217;s <strong>Firewall<\/strong> stops unwelcome visitors with just a few clicks.<\/p>\n<figure id=\"attachment_189126\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189126 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/locations-1.png\" alt=\"Defender - Firewall - IP Banning - Locations section.\" width=\"600\" height=\"510\" \/><figcaption class=\"wp-caption-text\">Ban countries you don&#8217;t want traffic coming from to protect your site from hackers in that location.<\/figcaption><\/figure>\n<p>You will need to <a href=\"https:\/\/www.maxmind.com\/en\/geolite2\/signup\" rel=\"noopener\" target=\"_blank\">sign up for a free account with MaxMind<\/a> to get access to the free GeoLite2 Database.<\/p>\n<p>After confirming your account and creating a password, you can 
generate a license key.<\/p>\n<figure id=\"attachment_189153\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189153 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/maxmind-license-key-1.png\" alt=\"Maxmind - Generate license key\" width=\"600\" height=\"619\" \/><figcaption class=\"wp-caption-text\">Generate a license key to access the GeoIP database.<\/figcaption><\/figure>\n<p>Adding this license key to Defender lets you download, add, and access the GeoLite 2 database.<\/p>\n<figure id=\"attachment_189154\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189154 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/locations-license-key.png\" alt=\"Defender - Locations section - GeoIP database license\" width=\"673\" height=\"395\" \/><figcaption class=\"wp-caption-text\">Add your GeoIP database license key to download the list of countries.<\/figcaption><\/figure>\n<p>After successful license activation, the Location section will let you specify countries to block or let traffic through from a drop-down menu.<\/p>\n<figure id=\"attachment_189155\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189155 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/locations-dropdown-menu.png\" alt=\"Defender Locations - GeoIP database dropdown menu\" width=\"600\" height=\"469\" \/><figcaption class=\"wp-caption-text\">Block or allow traffic from selected countries.<\/figcaption><\/figure>\n<h3 id=\"ip-banning\">IP Banning<\/h3>\n<p>You can block IP addresses by adding these to Defender&#8217;s Blocklist. 
Users with those IP addresses won&#8217;t be able to visit your WordPress site and will be greeted instead with a customizable message.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-188911 aligncenter\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/IP-block-message.png\" alt=\"IP block message.\" width=\"600\" height=\"292\" \/><\/p>\n<p>Defender lets you add any addresses you want to ban into its <strong>Blocklisted IPs<\/strong> section and supports both IPv4 and <a href=\"https:\/\/wpmudev.com\/blog\/ipv4-vs-ipv6\/\" target=\"_blank\" rel=\"noopener\">IPv6<\/a> formats.<\/p>\n<figure id=\"attachment_189157\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189157 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/blocklisted-ip-addresses.png\" alt=\"Blocklisted IP addresses\" width=\"600\" height=\"410\" \/><figcaption class=\"wp-caption-text\">Enter banned IPs you want to block.<\/figcaption><\/figure>\n<p>Alternatively, you can allow IP addresses and exempt users from the ban rules for login protection, 404 detection, or IP ban lists.<\/p>\n<figure id=\"attachment_189158\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189158 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/allowlisted-ip-addresses.png\" alt=\"Allowlisted IP addresses.\" width=\"600\" height=\"430\" \/><figcaption class=\"wp-caption-text\">Add allowed IPs.<\/figcaption><\/figure>\n<p>Once you have added an active list, Defender monitors these IPs. 
It also lets you release any blocked IPs that were inadvertently banned.<\/p>\n<figure id=\"attachment_189133\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189133\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/active-lockouts.png\" alt=\"Defender - Firewall - IP Banning - Active lockouts.\" width=\"600\" height=\"158\" \/><figcaption class=\"wp-caption-text\">Unblock banned IP addresses.<\/figcaption><\/figure>\n<p>Additionally, you can easily import and export any list data you have already compiled to and from Defender with just one click.<\/p>\n<figure id=\"attachment_189130\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189130 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/import-export-lists.png\" alt=\"Defender - Firewall - IP Banning - Import and export IP address lists.\" width=\"600\" height=\"280\" \/><figcaption class=\"wp-caption-text\">Import and export IP address lists easily.<\/figcaption><\/figure>\n<h2 id=\"waf\">Web Application Firewall (WAF)<\/h2>\n<p>If you&#8217;re <a href=\"https:\/\/wpmudev.com\/hosting\/\" target=\"_blank\" rel=\"noopener\">hosting your website with WPMU DEV<\/a>, a Web Application Firewall is enabled via Defender adding an initial layer of protection against hackers and bots before they can even reach your site.<\/p>\n<p>If any vulnerabilities match our <a href=\"https:\/\/owasp.org\/www-project-top-ten\/\" rel=\"noopener\" target=\"_blank\">WAF filters ruleset covering common attacks<\/a>, any vulnerable files in your WordPress core, plugins, or themes will be virtually patched, while also respecting any rules set in Defender&#8217;s firewall.<\/p>\n<figure id=\"attachment_189173\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189173\" 
src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/defender-waf.png\" alt=\"Defender Web Application Firewall\" width=\"600\" height=\"484\" \/><figcaption class=\"wp-caption-text\">WAF blocks hackers and bot attacks before they ever reach your site!<\/figcaption><\/figure>\n<h2 id=\"2fa\">Two Factor Authentication (2FA)<\/h2>\n<p>Defender enhances your WordPress site\u2019s security by adding an extra step in the login process with two-factor authentication. This makes it extremely difficult for a hacker to login to your account.<\/p>\n<h3><a name=\"twofactor\" target=\"_blank\"><\/a>Enable Two-factor Authentication<\/h3>\n<p>With a click of the <strong>Activate<\/strong> button, you can configure authentication settings. All the recommended settings are on by default and you\u2019ll have plenty of options.<\/p>\n<p>You can assign <strong>User Roles<\/strong> that will require 2FA by clicking on each one.<\/p>\n<figure id=\"attachment_189075\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189075\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/user-roles.png\" alt=\"2FA-User roles section\" width=\"600\" height=\"513\" \/><figcaption class=\"wp-caption-text\">Defender lets you specify which user roles require 2FA.<\/figcaption><\/figure>\n<p>If you have a <strong>Lost Phone<\/strong>, you can enable this setting to send the authentication code to the user&#8217;s email instead.\u00a0 You can also <strong>Force Authentication<\/strong> that will force users to activate 2FA and create <strong>Custom Graphics<\/strong> instead of using the default Defender icon.<\/p>\n<figure id=\"attachment_189077\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189077\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/2FA-phone.png\" alt=\"Lost Phone, Force Authentication, and 
Custom Graphic options.\" width=\"600\" height=\"457\" \/><figcaption class=\"wp-caption-text\">Set up Lost Phone, Force Authentication, and Custom Graphic options.<\/figcaption><\/figure>\n<p>Defender uses the <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.google.android.apps.authenticator2&amp;hl=en_US\" target=\"_blank\">Google Authenticator<\/a> app. Download and set up instructions are in the User Profile dashboard, allowing you to easily install the app on your device from the App Store or Google Play.<\/p>\n<figure id=\"attachment_189062\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189062\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/2fa-google-authenticator.png\" alt=\"2FA Setup instructions.\" width=\"600\" height=\"746\" \/><figcaption class=\"wp-caption-text\">Enable 2FA on your User Profile to access setup instructions.<\/figcaption><\/figure>\n<p>2FA functions by scanning the barcode and entering the 6-digit passcode shown on your device.<\/p>\n<figure id=\"attachment_188844\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-188844 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/Google-Authenticator.png\" alt=\"Google authenticator. 
\" width=\"600\" height=\"473\" \/><figcaption class=\"wp-caption-text\">Google authenticator screen.<\/figcaption><\/figure>\n<p>Defender&#8217;s 2FA feature adds the first impenetrable layer of security and protection against hackers.<\/p>\n<figure id=\"attachment_188845\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-188845 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/Defender-2fa-login.png\" alt=\"Two way authentication area for Defender.\" width=\"600\" height=\"320\" \/><figcaption class=\"wp-caption-text\">No passcode, no access.<\/figcaption><\/figure>\n<h2 id=\"advanced-tools\">Advanced Tools<\/h2>\n<p>Defender provides two Advanced Tools to enhance site security and thwart hackers from accessing your site:<\/p>\n<ul>\n<li><strong>Masked Login Area<\/strong>: Change the URL path to your login screen to something other than the default <code>wp-admin<\/code>.<\/li>\n<li><strong>Security Headers<\/strong>: Enable security headers to add an extra layer of security to your website.<\/li>\n<\/ul>\n<p>Let&#8217;s take a quick look at how easy it is to make it hard for hackers to find your login screen:<\/p>\n<h3 id=\"masking\">Login Masking<\/h3>\n<p>With Defender, you can easily change your default URL to mask (hide) your login area, preventing hackers and bots from locating and accessing your login URL.<\/p>\n<p>You can choose your own mask login URL and enter any slug you like (e.g. \u2018my-awesome-login&#8217;). 
We recommend choosing a login URL that bots will find almost impossible to guess.<\/p>\n<figure id=\"attachment_189079\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-189079 size-full\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/mask-login-area.png\" alt=\"Mask Login Area - Masking Inactive.\" width=\"600\" height=\"387\" \/><figcaption class=\"wp-caption-text\">Create a new login URL that bots won&#8217;t be able to guess.<\/figcaption><\/figure>\n<p>Setting up your new beefed-up secure login URL is as easy as entering a new slug and clicking <strong>Save Changes<\/strong>.<\/p>\n<figure id=\"attachment_189080\" class=\"wp-caption aligncenter\" data-caption=\"true\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-189080\" src=\"https:\/\/wpmudev.com\/blog\/wp-content\/uploads\/2020\/06\/mask-login-on.png\" alt=\"Mask Login Area - Masking Active.\" width=\"600\" height=\"387\" \/><figcaption class=\"wp-caption-text\">Your WordPress site now has a new login URL.<\/figcaption><\/figure>\n<h3>Defender Makes It Harder To Hack WordPress And Easier For Hackers To Go Elsewhere<\/h3>\n<p>With Defender monitoring your WordPress site 24\/7, hackers have no reason to stick around.<\/p>\n<p>Defender amps up your security and stops hackers in their tracks. 
In fact, Defender automatically resolves many common security issues as soon as you activate the plugin.<\/p>\n<p>Defender protects your site against hackers and malicious bots before they even visit your site with WAF, lets you perform one-click security tweaks, and then continuously guards and monitors the perimeter with advanced security hardening features like login masking, two-factor authentication, malware scanning, audit logging, and firewall protection.<\/p>\n<p>To learn more about WordPress security, check out our <a href=\"https:\/\/wpmudev.com\/blog\/ultimate-guide-wordpress-security\/\" target=\"_blank\" rel=\"noopener\">Ultimate Guide to WordPress Security<\/a>.<\/p>\n<p>For more information on how Defender works, be sure to <a href=\"https:\/\/wpmudev.com\/docs\/wpmu-dev-plugins\/defender\/\" target=\"_blank\" rel=\"noopener\">view the plugin&#8217;s documentation<\/a>.<\/p>\n<p>Also, keep an eye on our <a href=\"https:\/\/wpmudev.com\/roadmap\/\" target=\"_blank\" rel=\"noopener\">roadmap<\/a> for all the exciting new features coming soon to Defender, the ultimate WordPress security plugin.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Defender deters hackers with IP banning, login lockout, updating security keys, two-factor authorization, and more. Learn about Defender&#8217;s robust security features that prevent hackers from waltzing right into your WordPress site. No hacker gets past Defender! Defender is WPMU DEV&#8217;s answer to WordPress security. 
Our powerful 5-star plugin provides complete security for your WordPress sites [&hellip;]<\/p>\n","protected":false},"author":811449,"featured_media":188882,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"blog_reading_time":"11","wds_primary_category":0,"wds_primary_tutorials_categories":0,"footnotes":""},"categories":[4,263,11260,11259],"tags":[],"tutorials_categories":[11231],"class_list":["post-188839","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-plugins","category-tutorials","category-wpmu-dev-products","category-wpmudev-tutorials","tutorials_categories-defender-pro"],"_links":{"self":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/188839","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/users\/811449"}],"replies":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/comments?post=188839"}],"version-history":[{"count":84,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/188839\/revisions"}],"predecessor-version":[{"id":189132,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/posts\/188839\/revisions\/189132"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media\/188882"}],"wp:attachment":[{"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/media?parent=188839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/categories?post=188839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tags?post=188839"},{"taxonomy":"tutorials_categories","embeddable":true,"href":"https:\/\/wpmudev.com\/blog\/wp-json\/wp\/v2\/tutorials_categories?post=188839
"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}