WPMU DEV Defender security plugin

Privacy Policy Information

Upon activation or when certain features are configured, this plugin may add cookies to the user’s browser, store personal information in your database, or integrate with 3rd-party applications. You may need to disclose this information to your site visitors. For details, see Our Plugins in our privacy policy documentation.

This guide explains how to use Defender’s security features to protect your WordPress sites from malicious attacks.

Once Defender is installed and activated, refer to this guide for assistance configuring and managing Defender. Use the index on the left to quickly access guidance on specific features.

If you haven’t installed Defender yet, then you should visit the Defender Pro page where you can explore the plugin’s many features and sign up for a free trial membership. Check out the video below for more information.

 

Checklist for Securing Your WordPress Site

We’ve put together a super-handy 16-Step Checklist for Securing Your WordPress Site to ensure you don’t overlook any essentials and help you to build up the most robust security for your site.

Quick & Easy Security Tips

If you’re looking for some simple and effective security tips for your WordPress site, we’ve got you covered. Check out 7 Quick & Easy Security Vulnerability Fixes for a concise guide to fixing any weak points in your site security.

DDoS Protection Guide

If you’ve ever had a site hit by a DDoS attack, you know how crippling it can be. If your site’s security isn’t as tight as it could be, check out our DDoS Protection Guide and learn How to Help Protect Your WordPress Site From Attacks.

Stop Hackers in Their Tracks

If you’re unfamiliar with security plugins it may be helpful to read our blog post, How to Stop Hackers in Their Tracks with Defender, before proceeding. The post discusses Defender’s features in a less technical manner than this guide and can help users formulate a plan to make the most of our premium website security plugin.

When you initially install and activate Defender, the Let’s get started popup modal will appear.

defender Get Started screen

You can select either the Activate & Configure option or you can opt to Start from scratch.

HOSTING WITH KINSTA?

If you are hosting with Kinsta, please note that opcache.save_comments must be enabled for Defender to function properly. If it is not enabled, you will see this notice on all Defender screens: Defender notice for Kinsta-hosted sites

Activate & Configure

The Activate & Configure option will enable all of Defender’s security modules by default. We recommend enabling all features and then configuring any security exceptions you require from within the individual modules. Disabling any feature creates a significant gap in your site’s security.

defender setup progress

Defender’s key modules include:

  • Firewall – Protect your site by identifying and blocking problem users by IP Address.
  • Recommendations – These are common security improvements that can be made to enhance your site’s security against hackers and bots.
  • Malware Scanning – Defender will run regular security scans and will notify admins if anything suspicious is discovered.
  • Audit Logging – Track and log all changes to a site, creating a database of critical information about events impacting your site.
  • Blocklist Monitor – Defender will monitor the Google blocklist and notify you if your site appears on the list.

Start from scratch

If you start from scratch, the setup will be skipped and you can start configuring Defender with a clean slate.

6.2 Defender Dashboard

Copy chapter anchor to clipboard

The Dashboard consists of the Overview and Quick Access panels for each Defender module. Admins, particularly those managing multiple sites, can use the Dashboard to determine if a website’s security configuration needs attention.

Expert Advice

Looking for some security tips from the experts? We recently interviewed some of our members to provide professional advice on WordPress security. For more information, read our blog, WordPress Security Expert Stories & Security Tips.

Recommended Reading

Looking for a concise guide to using Defender’s prime features to your advantage? Read our blog on how to Get the Most Out of Defender Security.

The tutorials banner in the dashboard provides quick links to various tutorials that may be of help to you. Click Read article to read the respective article or click View all to access all of our tutorial resources.

Prevent Hacking

Prevention is better than cure in many ways but it is crucial when talking about getting hacked – or rather, not getting hacked. For a full guide on how to protect your site from hackers, check out How Not To Get Hacked.

You can also remove the banner by clicking on the X icon. Even if you remove the banner of tutorials, you will still be able to access all of the quick-links to articles in the Tutorials tab.

Defender dashboard tutorials

Overview

The Overview panel provides a snapshot of Defender’s security configuration and activity. In the top right-hand corner, you can use the View Documentation button to access Defender documentation (this document). Use the Overview to quickly assess the site’s current security status:

  • Security Recommendations – The number of recommendations identified that have been actioned relative to the total number found.
  • Malware Scan Issues (Pro) – The number of instances of suspect PHP functions and suspicious code that have yet to be addressed. A green check mark indicates that no unaddressed issues exist.
  • Last Lockout (Pro) – The data and time a user was locked-out for exceeding the login attempt threshold.

defender-dashboard-overview

Quick Access

The Quick Access panels provide easy access to every Defender module, allowing admins to activate/deactivate modules, view logs, and generate reports.

  • Recommendations – Suggested actions that admins can take to address potential vulnerabilities identified during Malware Scanning. Click View All to access the Recommendations module.

defender-dashboard-recommendations

  • Malware Scanning – The process of checking a site for known vulnerabilities in code and configuration. Scanning is how Defender knows which Recommendations to suggest. Click View Report to access the Malware Scanning module.

defender-dashboard-malware

Malware Scanning for Pros

The free version of Defender scans a site’s WordPress core files for modifications and unexpected changes. Defender Pro– free to WPMU DEV members– also scans plugins and themes and searches the entire site for suspicious code. Visit the Defender Pro page where you can explore the plugin’s many features and sign up for a free trial membership.

  • Notifications – Configure this to automatically receive notifications and reports for various Defender modules. The status for each notification module will tell you whether or not it has been enabled. Click the plus icon to enable modules that are still disabled.

defender-dashboard-notifications

WAF & White-Labeling

Note that the Web Application Firewall module will not be visible or accessible if the White-Labeling option is enabled in the WPMU DEV Dashboard plugin. See White Label Plugins in WPMU DEV Dashboard documentation for more on that.

  • Blocklist Monitor – A recurring check to ensure a site has not been identified by Google as unsafe to visit. Click the toggle button to enable/disable the Blocklist Monitor.

defender-dashboard-blocklist

  • Advanced Tools – Use to enable Security Headers or to mask a site’s login area. Click the Activate buttons to enable and configure either security measure.

defender-dashboard-advanced

  • Preset configs – Allows you to bundle your Defender settings to download and apply them to your other sites.

defender-dashboard-configs

  • Firewall – Blocks IP addresses that repeatedly attempt to access a site with incorrect login credentials or pages that do not exist. Click View Logs to open the Firewall module.

defender-dashboard-firewall

  • Audit Logging – Track and generate reports regarding all security-related events on a given site. Click View Logs to access and configure a site’s audit logs.

defender-dashboard-audit

  • Two-Factor Authentication – Add an extra layer of security to your WordPress account to ensure that you’re the only person who can log in, even if someone else knows your password.

defender-dashboard-2fa

6.3 Recommendations

Copy chapter anchor to clipboard

Recommendations are, generally, common security vulnerabilities that can be addressed by applying security best practices to a site’s configuration wherever possible.

Overview

The Overview panel displays the number of potential vulnerabilities that have not been addressed. The current PHP version and WordPress version are also shown.

security recommendations overview

The three tabs within the Recommendations module include:

  • Recommendations – Potential security vulnerabilities, along with suggested fixes.
  • Actioned – Issues for which a fix has been applied, along with the option to undo (Revert) that fix.
  • Ignored – Issues Defender will no longer identify as a potential vulnerability because the Ignore option has been selected in the Recommendations tab.

6.3.1 Security Recommendations

Link to chapter 3

Recommendations are, generally, opportunities to improve site security with relatively simple configuration changes. Each recommendation is accompanied by a suggested solution, many of which require nothing more than a single click to implement.

We recommend applying every possible tweak. However, some fixes may not be practical for every site. Keep in mind that most tweaks can easily be undone using the Revert option, available in the Actioned tab. The Revert option allows admins to temporarily disable a tweak to accomplish a task, then enable it again when the task is complete to maintain site security.

Ultimately, admins must determine for themselves which tweaks work for their sites and which do not.

You can also use the Bulk Actions feature to either Action or Ignore several recommendations at a time.

list of security recommendations

Applying Fixes

Each item under the Recommendations tab can be expanded to see a detailed explanation of the issue, as well as our suggested fix. Click the arrow to the right of any issue to access the detailed explanation.

Each detailed explanation includes:

  • Overview – An explanation of the potential vulnerability.
  • Status – The current state of a specific issue.
  • How to fix – Our recommendation for addressing a specific issue.
  • Ignore – Click Ignore to remove any issues from the Recommendations tab. Ignored issues will no longer appear in the Recommendations tab, but will appear in the Ignored tab, instead.
  • Action – An action button unique to the suggested fix appears in the bottom right corner.

recommendations details and actions

6.3.2 Opportunities Overview

Link to chapter 3

Below is a list of all the available Recommendations included with Defender:

  • Hide error reporting – Developers often use the built-in PHP and scripts error debugging feature, which displays code errors on the frontend of your website. It’s useful for active development, but on live sites provides hackers yet another way to find loopholes in your site’s security.
  • Update PHP to latest version – PHP is the software that powers WordPress. It interprets the WordPress code and generates web pages people view. Naturally, PHP comes in different versions and is regularly updated. As newer versions are released, WordPress drops support for older PHP versions in favour of newer, faster versions with fewer bugs.
  • Prevent PHP execution – By default, a plugin/theme vulnerability could allow a PHP file to get uploaded into your site’s directories and in turn execute harmful scripts that can wreak havoc on your website. Prevent this altogether by disabling direct PHP execution in directories that don’t require it.
  • Prevent information disclosure – Often servers are incorrectly configured, and can allow an attacker to get access to sensitive files like your config, .htaccess and backup files. Hackers can grab these files and use them to gain access to your website or database.
  • Change default admin user account – One of the most common methods of gaining access to websites is through brute force attacks on login areas using default/common usernames and passwords. If you’re using the default ‘admin’ username, you’re giving away an important piece of the puzzle hackers need to hijack your website.
  • Update WordPress to latest version – WordPress is an extremely popular platform, and with that popularity comes hackers that increasingly want to exploit WordPress based websites. Leaving your WordPress installation out of date is an almost guaranteed way to get hacked as you’re missing out on the latest security patches.
  • Disable the file editor – WordPress comes with a file editor built into the system. This means that anyone with access to your login information can further edit your plugin and theme files and inject malicious code.
  • Disable trackbacks and pingbacks – Pingbacks notify a website when it has been mentioned by another website, like a form of courtesy communication. However, these notifications can be sent to any website willing to receive them, opening you up to DDoS attacks, which can take your website down in seconds and fill your posts with spam comments.
  • Disable XML RPC – XML-RPC is a system that allows you to post on your WordPress blog using popular weblog clients like Windows Live Writer. Technically, it’s a remote procedure call which uses XML to encode its calls and HTTP as a transport mechanism. If you are using the WordPress mobile app, want to make connections to services like IFTTT, or want to access and publish to your blog remotely, then you need XML-RPC enabled, otherwise it’s just another portal for hackers to target and exploit.
  • Manage login duration – By default, users who select the ‘remember me’ option will stay logged in for 14 days. If you and your users don’t need to login to your website backend regularly, it’s good practice to reduce this default time to reduce the risk of someone gaining access to your automatically logged in account.
  • Prevent user enumeration – One of the more common methods for bots and hackers to gain access to your website is to find out login usernames and brute force the login area with tons of dummy passwords. The hope is that one the username and password combos will match, and voila – they have access (you’d be surprised how common weak passwords are!). This security tweak locks down your website by preventing the redirect, making it much harder for bots to get your usernames. We highly recommend actioning this tweak.
  • Update old security keys – WordPress uses security keys to improve the encryption of information stores in user cookies making it harder to crack passwords. A non-encrypted password like “username” or “wordpress” can be easily broken, but a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.

6.3.3 Actioned

Link to chapter 3

The Actioned tab displays all potential security vulnerabilities that have been resolved.

actioned security recommendations

Issues can be resolved by applying the fix suggested in the Recommendations tab, but that is not the only way an issue is resolved. Hosting providers and other plugins may also action recommendations. In other words, user interaction within Defender is not always required for a recommendation to be actioned.

For example, the following issues will appear as actioned for all WPMU DEV hosted sites because our hosting applies the recommended fix by default:

  • Hide error reporting
  • Prevent PHP execution
  • Prevent Information Disclosure

Additionally, issues related to keeping files up-to-date will appear as resolved until an update is released, and then only become an issue if the file is not automatically updated.

Reverting/Modifying Issues

Each item under the Actioned tab can be expanded to see a detailed explanation of the issue (Overview), as well as its current state (Status).

Click the arrow to the right of any resolved issue to access the detailed explanation.

Some resolutions cannot be modified in any way, such as those mentioned above that are required for all WPMU DEV hosted sites. Other resolutions, on the other hand, can be modified or completely undone.

For example, if the file editor was disabled in the Recommendations tab, it will appear as an Actioned issue and will include a Revert button. Clicking Revert will re-enable the editor. This option is available for all user-enabled tweaks.

Revert a resolved security tweak in Defender

Other issues may allow modifications within the Actioned tab, as is the case with the Prevent PHP execution example below, which allows users to add exceptions to the PHP rule.

Modifying a security tweak in Defender

6.3.4 Ignored - Recommendations

Link to chapter 3

Ignored issues are those which Defender identified as possible security vulnerabilities and displayed in the Recommendations tab, after which a user admin selected the Ignore option.

Once an issue has been ignored, Defender will no longer identify it as a possible vulnerability, so it is wise to be sure an issue is harmless before clicking the ignore option.

Restoring Ignored Issues

Each ignored issue will be accompanied by a Restore button. Click Restore to return any ignored issue to the Recommendations tab where you can address it by following the How to fix guidance there.

Restore an ignored issue in Defender security tweaks

6.3.5 Manually Applying Recommendations

Link to chapter 3

In some site configurations, it may not be possible for Defender to automatically apply the code needed to resolve some security recommendations. So you may need to manually apply the code to the appropriate file to resolve the issue.

To do that, access your site’s files & folders via FTP or a File Manager. Locate the file mentioned in the following recommendations and select to edit it.

Disable the file editor

If you get an error message when trying to action this recommendation, look for this line in the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', false );

Change that line to this instead:
define( 'DISALLOW_FILE_EDIT', true );

If that line does not yet exist in your wp-config.php file, add it just above the line that says “That’s all, stop editing”

If you get an error message when trying to revert this recommendation, change the value of that line from true to false instead.

Hide error reporting

If you get an error message when trying to action this recommendation, look for these lines in the wp-config.php file:
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
define( 'WP_DEBUG_LOG', true );

Change the value in each of those lines from true to false

If you get an error message when trying to revert this recommendation, change the value of those lines from false to true instead.

Prevent PHP Execution / Prevent Information Disclosure

If your server type is Apache or Litespeed, both of these security recommendations can be configured manually in case the Automatic option fails for any reason.

Click the Manual tab on either recommendation as needed to open the instructions. Create an .htaccess file in the wp-content directory if it doesn’t already exist. Then copy the code shown, paste it into that file and save it. Then click the Re-Check Status button in the recommendation.

The image below shows the instructions for the Prevent PHP Execution recommendation.

defender-security-apache-manual

6.4 Malware Scanning

Copy chapter anchor to clipboard

Defender scans WordPress core files for modifications and unexpected changes. The Pro version also scans plugins, themes, and the entire site for suspicious code. See Settings – Malware Scanning for more info.

Hacked or not hacked?

Defender’s malware scanning features can help you determine if you’ve been hacked, and our blog post Find Out if You’re Hacked: How to Find and Delete Suspicious Code with Defender can help you understand how to get the most from these features.

Clean Up a Hacked Site

So, you’ve been hacked! As terrible as this is, there is something you can do about it. Check out our blog for a full guide on how to Clean Up a Hacked WordPress Site.

Test Your Site Security

Defender is a fantastic tool that can be used to scan your WordPress site security, and we stand by that. However, there is no harm in being extra secure by working additional tests into your security routine. If you are interested in using other free scanners, check out our blog on 6 Free WordPress Security Scanners.

The results of all scans can be viewed from the Dashboard, in both the Overview panel and Quick Access panels.

Click View Report in the Malware Scanning Quick Access Panel to access details and suggested fixes for each potential issue.

defender-dashboard-malware

The overview panel in the Malware Scanning tab gives you a breakdown of essential statistics. From here you can see:

  • Malware scanning issues – The total number of issues detected by Defender.
  • Last scan – Date and time of the last scan performed.
  • File change detection – Number of issues detected in WordPress core, plugin, and theme files.
  • Known vulnerabilities – Number of published vulnerabilities found in plugins & themes files.
  • Suspicious code – Number of files with suspicious code found by Defender.
  • Scheduled Scanning – Status and the current schedule for regular malware scans. Click the pencil icon to edit your existing schedule.

defender-malware-scan-dashboard

If any of the Malware Scanning options are net yet enabled, a Disabled button will be displayed. Click that button to be redirected to the corresponding settings screen to configure the feature.

defender-malware-scan-dashboard-disabled

6.4.1 Issues - Malware Scanning

Link to chapter 4

Malware Scan Issues are, generally, suspicious PHP functions or known issues that Defender has discovered within a site’s code.

The free version of Defender scans WordPress core, plugin & theme files for modifications and unexpected changes, while Defender Pro also scans for published vulnerabilities in your plugins and themes, and scans the entire site for suspicious code.

Issues are displayed in a list in the Issues tab. Drop-down menus allow you to filter results by area. The available filters are:

  • All
  • Core files
  • Theme files
  • Plugin files
  • Known vulnerabilities
  • Suspicious code

You can also bulk Ignore or bulk Delete selected issues.

bulk ignore and bulk delete feature

Issue Details

Each item under the Issues tab can be expanded to see a detailed explanation of the issue, as well as our suggested fix. Click the arrow to the right of any issue to access the detailed explanation. In cases where suspicious code has been detected, it will be highlighted in red in the code segment.

malware scanning issues details

For issues of a core file change, you will see a side-by-side view of the current code in red and the original code in green. The green content is what the code will be changed to if the suggested fix is applied.

malware scanning issues edited code compare

Each detailed explanation includes:

  • Issue Details — A brief explanation of the issue
  • Error— A snippet of the suspicious code. The questionable code in its current state appears in red, and the same code cleaned up to replace or remove the questionable function(s) appears in green.
  • Location — The issue’s file path
  • Size — The suspicious file’s size
  • Date added — The date and time the code was added to the site.
  • Ignore — Click Ignore to remove a specific issue from the Issues tab. Ignored issues will no longer appear in the Issues tab, but will appear in the Ignored tab, instead.
CAUTION

Once an Issue has been ignored, Defender will no longer identify the issue as a potential risk in future scans, so we strongly recommend being sure something is harmless before choosing to ignore it.

  • Delete — Click Delete to delete the suspicious code.

Resolving Issues

Defender flags PHP functions and code as suspicious when they vary from what is expected or when they match known issues.

YOU ARE NOT ALONE

We know that seeing a flagged function or suspicious code notification can be alarming, but do not worry, our Support Team can help you quickly determine the appropriate action for each Issue.

False Positives

Given WordPress’s virtually unlimited potential for customization, occasionally, legitimate code will be flagged as suspicious because it resembles malicious code. This can happen, for example, when a function is modified by a plugin or multiple plugins, by a theme, or when a user (admin or developer) edits site code directly in the file or theme editor.

Defender is designed to minimize the occurrence of false positives, but since malicious code is almost always written to resemble legitimate code, it is impossible to completely avoid them.

Consider the following code, which was flagged as potentially harmful because it employs the eval() function in a way similar to how it is used in malware.

Function flagged as suspicious in Defender malware scanning

The eval() function executes a value from string, which became problematic when malware developers began using it to insert malicious code. The eval() function still has valid uses, however, so Defender flags the function wherever it appears so admins can verify it’s use as harmless.

Verifying suspicious code

As always, advanced users familiar with code have an advantage when it comes to verifying code as safe. However, there are things any user can do to determine the best response to suspect functions and code.

  1. Verify custom edits — Verify that the code in question wasn’t edited by an admin user or developer. Often, if the code was manually edited, the person who performed the edit is in the best position to verify the code in question. This is one reason why it’s important to keep track of the custom edits we make to our sites.
  2. Contact WPMU DEV Support — Our support team is better acquainted with Defender than anyone and should be your first call if you are confronted with a Malware Scanning issue you do not understand.
  3. Contact Developer — If Defender flags code within a plugin or theme and you didn’t add the code yourself, it’s a good idea to share the issue details, including the code snippet, with the original developer and request guidance.

Once flagged functions or suspicious code has been verified as safe or malicious, click Ignore or Delete, as appropriate.

Choose to ignore or delete issues flagged in Defender malware scanning

Note that if a plugin is currently active on the site, the Delete button will be disabled for issues of the Suspicious function found type, and a notice will appear in the issue details to remind you to deactivate the plugin before deleting the file.

defender-malware-scan-active-notice

6.4.2 Ignored - Malware Scanning

Link to chapter 4

Ignored issues are those which Defender identified as suspicious and displayed in the Issues tab, after which a user admin selected the Ignore option.

Once an issue has been ignored, Defender will no longer identify it as a possible vulnerability, so it is wise to be sure an issue is harmless before clicking the Ignore option.

Restoring Ignored Issues

Each ignored issue will be accompanied by a Restore button. Click Restore to return any ignored issue to the Issues tab, where it can be addressed as necessary.

Restore an ignored issue in Defender malware scanning

Use the Bulk Action option to restore multiple selected items at once.

6.4.3 Settings - Malware Scanning Pro

Link to chapter 4

Use the Malware Scan Settings to control what files are scanned.

defender-malware-scan-settings

  • File change detection – According to the options you select here, Defender will check your WordPress core, plugin, and theme files against the official WP repository, and alert you to any modifications or additions to those files it may find.
  • Known vulnerabilities – With this option enabled, Defender will look for any published vulnerabilities in your installed plugins and themes.
  • Suspicious code – If you think your site may be compromised, enable this option to scan for any suspicious or potentially malicious code. Note that some themes & plugins may use risky code, so we recommend consulting with the plugin or theme developers before deleting any suspicious files found.

Note that the Known Vulnerabilities and Suspicious Code options are only available in the Pro version. In the free version, those options are disabled and look like this:

defender-malware-scan-settings-free

NEW SITES

Please note that the Suspicious Files scan type is disabled by default on brand-new installs of WordPress. If you wish to scan core WordPress files on a new install, please be sure to enable this option first.

Maximum File Size

If you wish to exclude files from scanning, you can set the maximum file size (in Mb) in the field provided. Defender will not scan files larger than the indicated size.

defender-malware-scan-settings-max

6.5 Audit Logging Pro

Copy chapter anchor to clipboard

With Audit Logging activated, Defender displays a log of events recorded by the system that can be extremely helpful when trying to determine what event(s) triggered unwanted behavior on a site.

Audit logging dashboard in Defender

6.5.1 Event Logs

Link to chapter 5

The Event Log tab displays a site’s Event Log with the following filtering options:

  • Export CSV — Exports a CSV file of the current event log to your local computer’s Downloads folder.
  • Date Range — A calendar tool that determines the time period displayed in the current event log
  • Event Chooser — The numbers in the Event Chooser correspond with the events as listed in the log. Click a number or use the arrows to display a specific event at the top of the list.
  • Name/IP Filter — Click the filter icon to access a filter that allows admins to search for events by Username or IP Address, and within those categories, to target or remove specific types of events.

event-logs

Event Details

Each event can be expanded by clicking the arrow to its right to reveal a summary of the event that includes the following information:

  • Context — Where the event originated, such as during a user/visitor session, in a plugin or theme, in a post, etc.
  • Type — Refines the Context by identifying the type of session as a user or visitor session
  • IP Address — The IP address of the user/visitor referred to in the Context column
  • User — If the user/visitor involved in the event is a registered with your site, that person’s username will appear here
  • Date/Time — The date and time of the event

Event log details in Defender audit logging

6.5.2 Settings - Audit Logging

Link to chapter 5

Audit Logging Settings is where you set how long Defender should store your event logs before it begins replacing the oldest log with the newest. Use the drop-down menu to choose the storage period.

Audit logging settings in Defender

Click Save Changes to save your configuration. Click Deactivate to stop Defender from creating new event logs.

The Firewall feature protects against brute force attacks wherein a hacker attempts to gain entry to a site by bombarding it with ad hoc login credentials.

defender-firewall

Recommended Reading

Our blog post, How to Create a Powerful and Secure Customized Firewall with Defender, discusses how to get the most out of the plugin’s firewall feature.

6.6.1 Login Protection

Link to chapter 6

You can configure the following settings:

Threshold

This setting defines the number of failed attempts within a certain period of time that will trigger a lockout. The default setting is 5 failed attempts, within 300 seconds.

Login protection threshold in Defender firewall

Duration

This setting defines how long the lockout will last, once triggered. You can also opt to permanently ban anyone that’s been locked for failed logins.

Lockout duration in Defender firewall

Message

If you wish, create a custom message that will be displayed after a user has been locked out. You can also preview how the message will appear on your site by clicking the blue “here” link.

Lockout message in Defender firewall

Banned Usernames

Automatically ban any IPs that attempt to log into your site using certain usernames. We recommend adding “admin” and “administrator” to this list,  which are usually the first things that hackers will try when attempting to access your site. It’s also a good idea to make sure the username for your administrator account is something unique; details on that (plus other tips) can be found on our blog here.

Banned usernames in Defender firewall

Click Save Changes to save your configuration. Click Deactivate to disable the Login Protection module and all its features.

Note that the Banned Usernames box accepts regex patterns. So you can ban usernames that match patterns like ^admin or master$.

To use pattern matching, first add any usernames you want to ban, like Admin or user. Then add the regex patterns you want to match to those usernames.

For example, the following would ban the base usernames Admin and user, as well as any username that matches the regex patterns: Adminadmin, useradmin, masterAdmin and masteruser.

Admin
user
^admin
master$

6.6.2 404 Detection

Link to chapter 6

404 Detection allows admins to ban IP addresses that repeatedly try to access pages that do not exist.

404 detection in Defender firewall

Threshold

You can adjust how many events within a certain period of time will trigger a lockout. In this example, if a single IP address receives 20 404 errors within 300 seconds, then their IP will be temporarily locked out from your site.

Threshold for 404 detection in Defender firewall

Duration

Here you can indicate how long you would like the lockout to last for. And you can even permanently ban IP address that trigger your 404 lockout.

Lockout duration in Defender 404 detection

Message

In this section you can customize the message that will appear to your site visitors when they’ve been locked out after triggering a 404 Detection lockout. Enter the message you wish to appear into the field provided.

404 lockout message in Defender firewall

Files and Folders

Create custom allow and block lists using the fields provided.

  • Blocklist — Protect specific files or folders by adding their paths here. Users who attempt to access these files or folders will be served a 404 screen once. Users who attempt to access Blocklisted files or folders twice will be locked out of the site.
  • Allowlist — In this section you can define any files or pages that you know are commonly searched for, but missing from your website. This will prevent your actual members from being locked out during their usual browsing.

Blocklist files and folders in Defender firewall

Filetypes & Extensions

Similar to the above section, you can define specific file types that will either trigger an immediate 404 lockout or, conversely, be excluded from triggering a lockout.

  • Blocklist — Add filetype extensions that will trigger a 404 error and then a lockout for users who attempt to access these filetypes. Add as many filetypes as you wish, using commas to separate the extensions.
  • Allowlist — Add filetype extensions that you do not wish to trigger a 404 lockout when accessed. Add as many filetypes as you wish, using commas to separate the extensions.

Blocklist filetypes and extensions in Defender firewall

Note: On WPMU DEV hosting, requests for specific files bypass PHP, which means that the Allowlist/Blocklist for files will not apply. A file request is first made on a server level, where our hosting provides protection against injecting code and a shield against the execution of masked code. In addition, the WAF feature offers further protection by banning IP ranges.

Exclusions

This section is where you can choose whether or not to monitor the 404s that come from logged in users. If you would like these interactions monitored (and for the 404 Lockout rules to apply), then leave the box checked. If you would like to disable the monitoring of these interactions, then simply uncheck the box.

Exclude logged-in users from 404 detection in Defender firewall

Remember to click Update Settings if you make any changes or Deactivate to disable the 404 Detection module.

6.6.3 IP Banning

Link to chapter 6

Defender allows you to permanently ban persistent troublemakers by blocking their IP addresses. The IP addresses will remain banned until you manually choose to remove them from the banned list.

IP Addresses

Create a custom list of banned IP addresses by adding them here.

  • Blocklist — Enter IP addresses or address ranges that should be blocked from accessing a site. List one IP address per line in IPv4 format. You can also ban IP ranges by entering the IP addresses that begin and end the range separated by a hyphen, as in xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx
  • Allowlist — Add IP addresses that should be exempt from all ban rules. List one IP address per line in IPv4 format. You can also ban IP ranges by entering the IP addresses that begin and end the range separated by a hyphen, as in xxx.xxx.xxx.xxx-xxx.xxx.xxx.xxx.
NOTE

We recommend Allowlisting your own IP address to avoid becoming locked out, accidentally. Your IP address is displayed beneath the Allowlist field, for convenient access.

Active Lockouts

IP Addresses that have been temporarily banned, per the feature’s configuration, will be displayed here.

Click Unlock IPS to display the lockout list.

defender-lockouts-active

Click the padlock on the right of any IP address to unblock it, or click the Unblock All button at the bottom to unblock them all with a single click. Use the search filter at the top to find any specific IPs.

defender-lockouts-active-unblock

Locations

Location banning, using the lastest GEO IP Database, allows admins to ban all traffic from an entire nation. You may consider banning any nation from which you do not expect or desire traffic. Doing so can be a highly effective security measure, if you are certain you don’t need the traffic.

Geo IP Banning requires users sign up for GeoLite2 Downloadable Databases, which is free, although paid services are available.

To sign up, click the Sign up link in the Defender IP Banning Location module.

Enable location banning in Defender firewall

Complete the MaxMind GeoLite Sign Up form, then click Continue.

Get MaxMind database for location banning in Defender firewall

MaxMind will send an email containing verification information. Follow the directions in the email to verify and activate the account.

MacMind account info for location banning in Defender firewall

The next series of steps will generate the License Key needed to connect the service to your site. In the menu on the left, click My License Key.

Then click Generate new license key.

MaxMind license key for location banning in Defender firewall

Give the License Key a name and select the No option regarding GeoIP Update, then click Confirm.

Confirm MaxMind license key for location banning in Defender firewall

The License Key required to download the GeoLite2 database to your site will be generated and displayed.

Copy MaxMind license key for location banning in Defender firewall

Copy and paste your License Key into the field provided in the Locations module.

A notice will pop up to remind you that it takes up to 5 minutes for Maxmind to activate your new key. So if you get a message saying that “The license key you entered is not valid”, please wait a few minutes and try again.

defender-firewall-maxmind

Once you have clicked the Download button and the GeolLte2 database has activated, use the drop-down menus to ban entire nations from accessing your site, or exclude entire nations from any geo-bans.

Nations allowlisted here will still be subject to the 404 lockout rules configured in the 404 Detection module.

Location banning blocklist in Defender firewall

Message

Craft a custom lockout message for users you have personally added to the Blocklist.

Location banning message in Defender firewall

Import & Export

If you ever need to move your Blocklist & Allowlist to another website, instead of copying and pasting all those IP addresses, simply Export a CSV file and then import it into Defender on your new site.

Import or export IP blocklist in Defender firewall

6.6.4 Logs

Link to chapter 6

Under Logs, you can view all Lockouts that have occurred on your site since activating Defender. You’ll be able to view the reason for the Lockout, the IP address that was locked out, and the date.

Firewall logs overview in Defender

The image above shows a new site that hasn’t recorded any lockouts yet. The image below shows a site where a login lockout has been triggered after 5 failed login attempts from the same IP address.

Lockout logged in Defender firewall logs

Use the Sort filter in the top right hand corner to view lockouts sorted by latest, oldest or IP address. Click the Export CSV button to export the logs as a .csv file if you need to use the info any in any spreadsheet app.

Sort or download firewall logs in Defender

Use the Date Range filter to view logs only for the selected date range.

Sort firewall logs by date range in Defender

Use the Pagination option to display 20, 50 or 100 results per page.

Pagination in Defender lockout logs

Click the funnel icon to open additional filtering options where you can select to view only a certain type of log, or logs from a specific IP address.

Filter Defender firewall logs by type or IP address

Click any event in the log to view details for that event. Click either the Add Allowlist or Ban IP buttons if you wish to add the IP address to the allowlist or blocklist in Firewall > IP Banning.

Allow or ban IP in Defender firewall logs

6.6.5 Firewall Settings

Link to chapter 6

Under the Settings tab you can control for how long to store the Lockout logs. You can choose to increase or decrease the storage period, or delete the logs altogether.

  • Storage – Choose how many days of event logs you wish to keep in local storage.
  • Delete Logs – Click this button to delete all logs permanently.

Firewall settings in Defender

6.7 Web Application Firewall (WAF)

Copy chapter anchor to clipboard
WPMU DEV hosted sites only

This feature is only available for sites hosted with WPMU DEV. Don’t have your sites hosted here yet? Get started today with a free hosting trial and explore all the awesome features on us!

The Web Application Firewall (WAF) from WPMU DEV is a first layer of protection to block hackers and bot attacks before they ever reach your site. The WAF filters requests against our highly optimized managed ruleset covering common attacks (OWASP top ten) and performs virtual patching of WordPress core, plugin, and theme vulnerabilities.

Activate WPMU DEV WAF in Defender

Clicking the Activate WAF button will direct you to the Tools menu for your site in your Hub, and the WAF activation modal will open automatically for you. For more info on configuring the WAF for your site, see the Web Application Firewall (WAF) section in the WPMU DEV Hosting docs.

Activate-hosting-waf

Once activated, the WAF module in Defender will display a Settings screen with confirmation that it is enabled. At this time, the configuration of the WAF must be done in your Hosting Hub for your site. To quickly access the configuration modal there, click the Manage Rules button.

WPMU DEV WAF settings screen in Defender

6.8 Two-Factor Authentication

Copy chapter anchor to clipboard

Defender uses the power of Google Authentication to provide two-factor authentication to your site. This feature enhances site’s security by requiring users to log in with a passcode sent via text to their cell phones. Two-factor authentication is an extremely effective tool against brute force attacks.

2-Factor-Authentication in Defender

User Roles

User Roles allows you to require two-factor authentication for some users on your site, but not others. For example, you can require Administrators & Editors to use two factor authentication because they have considerable privileges throughout the site, but not require subscribers to use it because, typically, their access is very limited.

User roles requiring 2 factor authentication in Defender

Lost Phone

This features provides a backup plan for those times users need to access a site but cannot access the required phone. When enabled, Defender will send the passcode via email instead.

Lost phone password reset option in Defender 2 factor authentication

Force Authentication

By default, two-factor authentication is optional for users, meaning even if it’s enabled, users can disable it within their Profile. Force Authentication, on the other hand, makes two-factor authentication mandatory by removing the option to disable it.

Select the user roles for whom 2FA should be forced, and optionally enter a custom message that will be shown to them if they have not yet enabled it.

Force 2 factor authentication in Defender

The first time a user logs in after 2FA has been enabled they will re-directed to their Profile page where they must configure 2FA before they can proceed to do anything else on the site. In this example, we have used Google Authenticator to give you an idea of how the process goes.

2 factor authentication forced in Defender

After pressing Enable, users will be prompted to download the Google Authenticator app and scan the QR code with it so they can login to this specific site, although multiple sites can be added to the app.

Download and install the Google Authenticator app

Once the QR code is scanned, the application will show a 6 digit passcode. Users then must enter the passcode into the field (Step 3), and click Verify.

For future logins

Google Authenticator generates a new code every 30 seconds and it looks something like this on the phone. Note that different code is generated for each connected site, meaning the code for Site A will not work to authenticate any other site except Site A.

2 factor authentication code on phone

On their next login, users will be given a new login screen where they need to add the 6 digit code:

Enter 2 factor authentication code in login screen on site

If you left the “Lost phone” feature enabled, users can also click on the “Lost your device?” link and the One-Time-Pass (OTP) code will be sent to their email (which they set for their account on your site):

OTP code sent via email for 2 factor authentication

Users can always disable 2-Factor-Authentication in their admin profile, but if the force option above is enabled, they’ll have to re-enable it again the next time they login.

Disable 2 factor authentication in user profile

Custom Graphic

Add a custom graphic to replace the Defender icon that appears on your login page above the login fields by default. Use the media uploader to add your custom graphic.

Add custom graphic to Defender 2FA

Emails

You can customize the default content of the Lost Phone emails sent to users when an authentication code is sent via email, instead of by SMS.

Customize 2FA email in Defender

Click the pencil icon on the right to edit the default email. Customize the content as you choose, using the Available variables near the bottom of the template to insert the authentication data where you want.

Customize 2FA email content in Defender

App Downloads

Use the link that corresponds with your operating system to download one of the three authenticator options available. Use the dropdown menu to choose between:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy

app download for 2fa

Note: 2FA is designed to work with Google’s Auth App, Microsoft Authenticator, and Authy but if any other app uses the same way to generate OTP, it should work as well. Here is a list of some alternatives:

Active Users

Click View users to see a list of all users who have enabled two-factor authentication.

View users who have activated 2FA

Users who have enabled two-factor authentication will have a green dot by their name, under the “2 Factor” column.

Users with 2 factor authentication enabled

If you have chosen to keep two-factor authentication optional, users can still enable it from their User Profile page.

Save/Deactivate

Click Save Changes to save your configuration. Click Deactivate to disable the module and all of its features.

Defender offers two Advanced Tools to enhance site security:

  • Masked Login Area – Changes the URL path to your login screen to something other than the default wp-admin.
  • Security Headers – Enable security headers to add an extra layer of security to your website.

6.9.1 Mask Login Area

Link to chapter 9

Defender allows you to change the location of WordPress’s default wp-admin and wp-login slugs to make it harder for hackers and bad bots to find.

Navigate to Defender > Advanced Tools > Mask login section and activate the module by clicking Activate.

Activate Mask Login feature in Defender

Masking URL slug

This feature lets you create a custom slug for your login page, replacing the default wp-admin or wp-login. In this way, hackers and bad bots looking for your login page won’t be able to find it, because they’ll be looking for the wp-admin or wp-login slug. The slug must be unique (unlike any others on your site) and you can only create a custom slug, not an entirely new URL.

Click the new-login-slug line and enter the slug for you new login page.

After you save the settings, the mysite.com/wp-admin and mysite.com/wp-login pages will be disabled and the login functionality moved to the new page.

Note that the wp-admin links in your Hub will also respect your new login slug as long as you have logged in at that new URL at least once.

Logging in from Hub with Mask Login enabled in Defender

You can use any custom slug you like, and it can include uppercase letters, but please note that the following slugs are reserved by WordPress and cannot be used for this feature:

  • wp-admin
  • wp-login.php
  • login
  • dashboard
  • admin
  • wp-signup.php

Redirect traffic

With the default login screens disabled, bots attempting to locate it will generate 404 responses – possibly at lot of them – and that is not good. Therefore, this feature allows you to redirect these misguided users to another page, either an existing page or one created especially for them.

Choose Off to leave this feature inactive or you can click Choose redirect page to select an existing page. You can also select Custom URL and then enter your unique URL in the space below.

redirect traffic feature

Note can add a new slug to the URL, but not an entirely new URL. In other words, you cannot redirect these users to a completely different domain.

Click Deactivate to disable this module and its features.

6.9.2 Security Headers

Link to chapter 9

Security headers protect your site against the most likely types of attacks like XSS, code injection, clickjacking, etc. Defender enables you to follow best practices by enabling the following headers. For more info on security headers, see OWASP Secure Headers Project.

X-Frame-Options

This header tells browsers whether or not your pages can be embedded on other sites in frame, iframe or object tags.

  • Sameorigin – This option allows content embedding only on the same site as the source of the content: your site.
  • Allow-from – This option allows you to specify exactly which domains are allowed to embed your content.
  • Deny – Select this option to disallow embedding your content anywhere.

Enable X-Frame security header in Defender

For more info on this security header, see X-Frame-Options.

X-XSS-Protection

This header tells browsers how to handle the loading of pages if a cross-site-scripting attack is detected.

  • Sanitize – This option will remove any unsafe parts from the page before rendering it in the browser if a cross-site-scripting attack is detected.
  • Block – Select this option to prevent the page from rendering at all if an attack is detected.

Enable X-XSS security header in Defender

For more info on this security header, see Cross Site Scripting (XSS).

X-Content-Type-Options

Enabling this security header reduces the opportunities to perform cross-site scripting attacks and compromise the website by preventing any asset from loading on your pages unless its MIME type matches the file type. This can be especially important if you allow users to upload files through a contact form for example as it prevents disguising malicious executable files as images.

Enable X-Content-Type security header in Defender

For more info on this security header, see Reducing MIME type security risks.

Strict Transport

This header tells browsers your pages can only be loaded over secure HTTPS instead of plain HTTP. If you run an e-commerce site, for example, this is especially important to help prevent sensitive user information from being intercepted.

  • HSTS Preload – With this option enabled, you can submit your site to Google to ensure browsers load your site over HTTPS only.
  • Browser Caching – This option sets the time for which the HSTS policy should be cached in browsers. The recommended minimum here is 30 days, but note that if you also enable the HSTS Preload option above, Google requires this to be set to at least 1 year.

Enable HSTS security header in Defender

For more info on this security header, see Strict-Transport-Security.

Referrer Policy

Enable this security header and select the desired option to control what information is included in the referrer header when a user clicks a link that leads to another page or website.

  • no-referrer – The Referer header will be omitted entirely. No referrer information is sent along with requests.
  • no-referrer-when-downgrade – This is the default behavior if no policy is specified, or if the provided value is invalid. The origin, path, and querystring of the URL are sent as a referrer when the protocol security level stays the same (HTTP→HTTP, HTTPS→HTTPS) or improves (HTTP→HTTPS), but isn’t sent to less secure destinations (HTTPS→HTTP).
  • origin – Only send the origin of the document as the referrer. For example, a document at https://example.com/page.html will send the referrer https://example.com/.
  • origin-when-cross-origin – Send the origin, path, and query string when performing a same-origin request, but only send the origin of the document for other cases.
  • same-origin – A referrer will be sent for same-site origins, but cross-origin requests will send no referrer information.
  • strict-origin – Only send the origin of the document as the referrer when the protocol security level stays the same (HTTPS→HTTPS), but don’t send it to a less secure destination (HTTPS→HTTP).
  • strict-origin-when-cross-origin – Send the origin, path, and querystring when performing a same-origin request, only send the origin when the protocol security level stays the same while performing a cross-origin request (HTTPS→HTTPS), and send no header to any less-secure destinations (HTTPS→HTTP).
  • unsafe-url – Send the origin, path, and query string when performing any request, regardless of security. (This policy will leak potentially-private information from HTTPS resource URLs to insecure origins. Carefully consider the impact of this setting.)

Enable referrer policy security header in Defender

For more info on this security header, see Referrer Policy.

Feature-Policy

This header tells browsers which domains are allowed to use features that the browser supports. For example, Chrome supports the following features: accelerometer, ambient-light-sensor, autoplay, camera, encrypted-media, fullscreen, geolocation, gyroscope, magnetometer, microphone, midi, payment, picture-in-picture, speaker, usb, vr

  • On site & iframe – This option will only allow browsers features to be used on the same domain as the page itself: your site.
  • All – This option will allow browser features to be used on any domain.
  • Specific Origins – This option allows you to specify on which domains browsers are allowed to use their supported features.
  • None – This option disables all browser features on all domains.

Enable feature policy security header in Defender

For more info on this security header, see Permissions Policy.

The Notifications tab is where you can manage all of your reports and notifications for each security module.

6.10.1 Overview

Link to chapter 10

At the top of the Notifications module, you will have access to a short Overview of your scheduled reports for each Defender feature.

defender notifications overview

The two metrics shown are:

  • Active notifications – The number of security modules that have notifications active.
  • Next scheduled notifications – The date and time of the next notification that has been scheduled.

6.10.2 Configure

Link to chapter 10

You can configure your notifications so that you receive regular updates, without needing to constantly check-in, and you can do it all from one place.

Manage several modules at the same time by using the Bulk Actions feature. Simply check the boxes of the modules you want to manage, or check the All box to manage every module, and select the relevant bulk action.

bulk actions filter

You can perform the following actions:

  • Enable
  • Disable
  • Update

When you’re ready, click Apply to complete the bulk action.

While viewing the Configure area, you will notice that each security module provides a few distinct details in its row. Every module is accompanied by the following information:

  • Status – This shows you whether this module is enabled or disabled.
  • Recipients – A gravatar is displayed for each recipient with an icon depending on whether the subscription has been accepted by the invited recipient.
  • Frequency – The current schedule that is set for the report or notification.
  • Configure/Enable – Click the plus icon to enable the feature or click the gear icon to configure it.

notification module configurations

Defender’s notifications feature enables you to manage both your notifications as well as your reports. The following security modules can be configured:

Security Recommendations – Notification

Click the plus icon to enable this module and a configuration modal will pop up. This popup will walk you through setting up your recipients and adjusting your settings for the notification.

Recipients

The Recipients tab is where you can manage the users that appear in the recipient’s list and who will receive the notifications. You have the option of including recipients, as per usual, or you can choose to not include recipients. In that case, it means that checks will run as normal but no one will be notified.

Include recipients

When choosing to include recipients, you can add existing users or invite new users by email.

include recipients tab

Add Users

Search for the username of the member you want to add in the search bar and click on the correct name. This will add them as a recipient of the notifications. But wait, there’s still one more step before they will start receiving notifications. Any added user must confirm their subscription by clicking the confirmation link in a subscription email that will be sent to them after being added as a recipient. Once the subscription has been confirmed, they’re good to go.

By default, the administrator is already added as a subscribed user but they can be removed by clicking on the trashcan icon next to the email address, as can any other user.

remove recipient button

Underneath the search area for users is a list of site users and their roles. This gives you quick access to members that you may want to add without going through the trouble of searching for their username. Add anyone from that list by simply clicking the plus icon next to the username.

Invite By Email

invite new recipients by email

To add a recipient by email, fill in the First Name and Email Address fields. You can go ahead and invite more users by clicking the Add Another button or continue configuring the Settings.

Don’t include recipients

don't include recipients tab

When you opt to not include recipients, your reports will still run as scheduled but notifications won’t be sent. Jump to The Hub if you want to view the schedules you have set up.

Settings

In the Settings tab of Security Recommendations Notifications, you can set a reminder for unactioned recommendations. Select either a Daily, Weekly, or Monthly reminder to receive a notification when there are any security recommendations that still need to be addressed. Note that you will only receive a notification if the security recommendation hasn’t been actioned for more than seven days.

security recommendations notifications settings

Click Activate to enable this module.

The Recipients and Settings can be adjusted at any time by clicking the gear icon to configure the features.

Malware Scanning – Notification

Click the plus icon to enable this module and a configuration screen will pop up. This popup will walk you through setting up your recipients and adjusting your settings for the notification.

Recipients

This Recipients section functions exactly as explained above in Security Recommendations – Notifications.

Settings

Configure your general settings for Malware Scanning by adjusting the following aspects of the module:

  • Send notifications when no issues are detected – By default, we only send an email when an issue is detected but if this is enabled, you will receive a notification even when there aren’t any issues.
  • Send notifications when Defender couldn’t scan files – When this is enabled, you will receive a notification if Defender fails to trigger a scheduled scan.

malware scanning notification settings

Email report templates

Here you can adjust your email templates for these reports:

  • When an issue is found
  • When no issues are found
  • When failed to scan

malware scanning notification email templates

Personalize your subject and body with the available variables to create a custom report for yourself and your recipients.

When you are finished with your adjustments, click the Activate button to complete the setup of the notification module. You can go back and make changes by clicking the gear icon.

Firewall – Notification

Click the plus icon to enable this module and a configuration screen will pop up. This popup will walk you through setting up your recipients and adjusting your settings for the notification.

Recipients

This Recipients section functions exactly as explained above in Security Recommendations – Notifications.

Settings

Configure your general settings for the Firewall by adjusting the following aspects of the module:

  • Login Protection Lockout – Enable this to be notified whenever a user or IP is locked out for failed login attempts.
  • 404 Detection lockout – Enable this to be notified when a user or IP is locked out due to trying to repeatedly access non-existent files.

firewall notifications settings email notifs

Repeat Lockouts

If you’re getting too many emails about repeated lockouts for the same IP addresses, you can disable those emails for a defined period of time.

  • Threshold – Choose how many lockouts should occur before emails are disabled.
  • Cool Off Period – Choose a cool off period for how long emails should be disabled.

firewall notifications settings repeat lockouts

When you are finished with your adjustments, click the Activate button to complete the setup of the notification module. You can go back and make changes by clicking the gear icon.

Malware Scanning – Reporting

Click the plus icon to enable this module and a configuration screen will pop up. This popup will walk you through setting up your frequency, recipients, and general settings.

Frequency

Use the Frequency settings to decide how often you want the notifications to run.

malware scanning reports frequency

You can choose a schedule based on the following options:

  • Daily – Select the time of day that the report notification will run.
  • Weekly – Decide on the day of the week as well as the time of day for your notifications.
  • Monthly – Choose the day of the month and the time of the day for your notifications to be sent.

Recipients

This Recipients section functions exactly as explained above in Security Recommendations – Notifications.

Settings

malware scanning report settings

By default, we only send notifications when an issue is detected from a file scan. However, you can change this by ticking the Send notifications when no issues are detected box which will ensure that a notification is sent according to your schedule regardless of whether any issues are found.

Firewall – Reporting

To enable this reporting module, click the plus icon and a configuration modal will popup. This popup will walk you through setting up your frequency and recipients.

Frequency

The Frequency settings here function in the same way as detailed above in Malware Scanning – Reporting.

Recipients

This Recipients section functions exactly as explained above in Security Recommendations – Notifications.

Audit Logging – Reporting

To activate your Audit Logging reports, click the plus icon and a configuration modal will popup. This popup will walk you through setting up your frequency and recipients.

Frequency

The Frequency settings here function in the same way as detailed above in Malware Scanning – Reporting.

Recipients

This Recipients section functions exactly as explained above in Security Recommendations – Notifications.

The Settings module is where preferences are set for translations, usage tracking and data retention

6.11.1 General

Link to chapter 11

Translations

Defender will use the language set in your WordPress Admin Settings if a matching translation exists. You can view the currently available translations on the Defender translation page.

Usage Tracking

Enable Usage Tracking to help our developers improve Defender. We only track what features are or are not being used. No identifying data is collected.

defender general settings

6.11.2 Configs

Link to chapter 11

The configs module allows you to save your Defender configurations to reapply them to your other sites in just a few clicks.

Save a Configuration

To save your current configuration, click Save New.

save new configuration

Then type in the name and optional description you want to use to identify your configuration and click Save or click Cancel to exit without saving.

You can save an unlimited number of configurations so there is no need to be frugal with how many configurations you save for your sites. All configurations will be listed alphabetically according to the names you set.

If you want to view more information about your saved configuration, click the arrow to reveal a list showing you which modules are active for that configuration.

defender-configs-contents

You can also click on the gear icon to reveal a list of actions. These actions are:

  • Apply – Apply the settings of the selected configuration to Defender on your current site.
  • Download – Download the Defender configuration as a .json file.
  • Name & Description – Choose a different name and/or description for your saved settings.
  • Delete – Permanently delete this configuration.

defender-configs-options

Apply a Configuration

If you have downloaded a configuration from another site and you want to apply it to your current one, click the Upload button at the top of the Configs screen, and select the relevant .json file from your computer. Defender will import your settings and add the imported config to your list of Preset Configs.

defender-configs-upload

You will be asked to confirm the configuration application to the site. Click Apply once again to follow through with applying the chosen configuration or click Cancel to exit without changing any of your current Defender settings.

apply config confirmation

You can apply any config to your site by clicking on the Apply button next to the gear icon or by clicking on the gear icon and then selecting Apply from the options menu.

Once you have applied a config, it will appear as Active in your list of Preset Configs.

defender-configs-active

Syncing configs with your Hub

Any config you create in Defender will be automatically synced with your Hub, and vice-versa. They can be accessed & applied to any site from the Configs or Security sections in your Hub, or applied directly on a site in Defender.

If you have just created a new config in your Hub, and you don’t see it showing yet in Defender on a site, click the Check Again link at the bottom of your Configs list in Defender to refresh the data there.

defender-configs-check

Exceptions

It’s important to note that the following settings & options cannot be exported or imported from one site to another with a custom config as they must be configured individually on each site.

Two-Factor Authentication

This must be enabled and configured manually on each site.

Security tweaks

  • Update WordPress to the latest version – A WordPress update needs to be a manual action made by a user. Defender can’t update WP when applying the config.
  • Change default admin user account – Requires a manual action from a user to assign a new username.
  • Update PHP to the latest version – This is an action  that a plugin cannot do. PHP version needs to be configured on the server itself.
  • Prevent Information Disclosure – Defender does not know in advance on which server a site is running, or where this config setting needs to be applied. So this would need to be enabled manually per site even if included in an exported config.
  • Prevent PHP Execution – Same as above.
  • Hide error reporting – This depends on the server type and settings. Some hosts do not allow plugins to make changes to the wp-config.php file. Applying these recommendations would trigger errors.
  • Disable file editor – Same as above.

6.11.3 Data & Settings

Link to chapter 11

Uninstallation

These settings determine how your Defender settings and other data are handled when you export or uninstall the plugin. Settings refer to the module configurations, while Data includes transient bits created over time, such as logs, frequently used modules, last import/export time, and other pieces of information.

In the event you want to uninstall Defender it’s a good idea to save your settings in case you want to reinstall it at a later time. To do so, click the Preserve button to save your configurations, so they may be quickly reapplied when you reinstall the plugin.

Reset Settings

If you wish to reset all configurations to their default state, click the Reset Settings button.

defender-data-and-settings

6.11.4 Accessibility

Link to chapter 11

From the accessibility tab you can enable High Contrast mode. After enabling this option, the plugin will increase the visibility and accessibility of elements and components to meet WCAG AAA requirements.

Accessibility settings in Defender

6.12 Blocklist Monitor Pro

Copy chapter anchor to clipboard

WPMU DEV members and users of Defender Pro have access to the Blocklist Monitor feature, which allows Defender to check Google’s blocklist multiple times each day to see if there is your site has been flagged for some reason.

Click the toggle on the Defender > Dashboard screen to enable the Blocklist monitor. This feature has no options or settings, just enable and it will alert you via email if your site ever winds up on Google’s blocklist.

Enable Google blocklist monitor in Defender

This section holds a collection of tutorials that you can access at any time. Click on the Read article link to jump to the blog or click on the View All button to check out all of our tutorial articles.

Access tutorials from Defender

After reading this guide, if you still have questions regarding how to secure a site or network, don’t hesitate to start a live chat with our support Superheroes or submit a support ticket using the Support tab of your WPMU Dev Dashboard.

Navigate to WPMU DEV DASHBOARD > SUPPORT > NEW TICKET to submit a support ticket.