Introducing Wordfence Agency Solutions

Throughout 2018, we have had many conversations with agencies and other organizations protecting a large number of WordPress sites with Wordfence. You’ve told us what you need to be more successful, and we’ve responded with many changes to both our licensing and our capabilities.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/10/introducing-wordfence-agency-solutions/

To start, we added the ability to secure your staging and development environments with a single Wordfence premium license, something you should take advantage of if you have not done so already.

Then we changed the way we handle volume discounts to make managing a large number of sites easier. We have a few additional changes coming, one of which we’re happy to announce today: Wordfence Agency Solutions.

With the new Wordfence Agency Solutions program, our client partners are empowered to create custom solutions to meet your specific needs. Our goal is to provide you with what you need to keep your clients safe and grow your business. Some of the services they might offer in your custom security solution include:

  • Auditing WordPress site security to identify and mitigate risk factors on sites.
  • Optimizing the Firewall and Malware Scanner for the needs of your sites.
  • Onboarding and Training to help your agency make optimal use of Wordfence.
  • Proactively Mitigating emergent security threats to keep sites safe.
  • Incident Response and Forensic Investigation in the event of an attack to minimize downtime and prevent recurrence.
  • Premium Support from our team of experts.
  • and a Dedicated Agency Partner who understands the particulars of your business needs.

Depending on your situation, you may also qualify for additional discounts.

The initial agencies who have enrolled in Wordfence Agency Solutions each faced unique challenges, and together we identified and implemented a resolution for each case. For example, we started one customer’s engagement with a thorough security audit for 50 of his customers’ sites. In addition to a number of smaller issues, we learned that his hosting environment was in need of security improvements.

Our security analysts worked with him as he implemented their recommendations, including changes to his hosting configuration and an optimized implementation of Wordfence Premium. His customers’ sites are now much more secure, and he has the Wordfence security team available to help with any future security incidents.

Partner with Your Security Team

Because no other agency is just like yours, you need a solution reflecting your unique needs. No matter your size, capabilities and requirements, you’ll get to work with a dedicated Client Partner to determine your perfect solution. Our Client Partners are technically adept, have worked in agency roles managing large numbers of sites, and they live up to their title as a Client Partner. Whether you’re facing immediate security challenges or just looking for a streamlined way to offer excellent security to your clients, we’re here to help.

Working together with Wordfence Agency Solutions will help you leverage all that Wordfence has to offer, allowing you to focus on growing your business with the knowledge that your clients’ security is in good hands. This means fewer headaches for you, while giving your current and future clients the assurance that the security of their sites is a priority for your agency.

Qualifying is easy: you just need 20 or more sites in your care.

Learn more about Wordfence Agency Solutions! A client partner is ready to discuss your goals.


Optimizing Wordfence Security Settings: Brute Force Protection

As a part of the Wordfence Client Partner initiative, we’ve recently had some in-depth conversations with organizations using Wordfence at scale. These conversations have been enlightening, and we wanted to share some of the stories we’ve heard about how different organizations use Wordfence.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/optimizing-wordfence-security-settings-brute-force-protection/

Wordfence is the most robust security solution available for WordPress site owners, and the number of security features available is unparalleled. This ensures that Wordfence can be customized to be an optimal security solution for your specific environment and security needs.

Getting Started with Wordfence

When you install Wordfence for the first time, the plugin defaults to recommended settings that are a perfect starting place for customization. You won’t need to do much else. However, Wordfence is highly configurable, allowing you to tailor how it works to meet your needs.

How our Customers Use Brute Force Protection:

Wordfence includes a number of powerful brute force protection features that can be used to prevent malicious bots from gaining access to your site, including the integration with Troy Hunt’s version 2 of the Pwned Passwords API that prevents access using passwords previously seen in a breach. In this post we will focus on Brute Force Protection and how our customers can customize this feature, based on their security needs.

Factors to consider when modifying your site’s Brute Force Protection settings include:

  1. How adept are your users? Do you have users that forget their passwords often? Are they logging in sporadically and have a high probability of losing their passwords? You’ll want to take them into consideration and allow room for user error.
  2. Is this a high traffic, high profile site that often experiences hacking attempts?
  3. Is your site under repeated attack from brute force attempts?

The following customer scenarios serve as great real-world examples of how Wordfence can be customized to meet specific needs.

Kyle’s Agency Customer Site

One of our agency partners, Kyle, manages a number of WordPress installations for his customers. His customers rarely perform any administrative tasks, but they have editor access in order to add and modify new content. The agency has administrator access, and they have set up Wordfence Premium to protect the site. In addition to the premium features of country blocking and two-factor authentication for administrators only, he has tightened Brute Force Protection. Some of his customers often forget their passwords, and he wants to ensure they can still access the site to post content without causing too much administrative work for his team.

Kyle sets up his sites so that failed logins lock out after 5 attempts, forgot password attempts are set to 10, and a user is locked out for 24 hours. He does not set the site to immediately lock out invalid usernames, but he immediately blocks anyone who uses ‘admin’, ‘administrator’, or any other username he sees in failed logins. He routinely audits his site’s failed logins and adjusts this setting accordingly.

Maria’s Membership Site

Maria uses Wordfence on a WordPress membership site. She has a team of publishers and administrators and a large number of members who need to log in to access content. Some of them use good password hygiene, but others do not. Maria’s site is also protected by Wordfence Premium, and she has made some adjustments to her brute force protection settings.

Maria has set her failed logins lockout to 5 attempts, forgot password attempts are set to 10, and a user is locked out for 24 hours. She does not set the site to immediately lock out invalid usernames because she has a large user base. She immediately blocks anyone who uses ‘admin’ or ‘administrator’, but does not go further than that. She uses Wordfence Premium’s two-factor authentication and some minor country blocking to augment her site’s security.

Dave’s Personal Site

Dave has a personal blog. He has one login for himself and no other users. He knows his password, and also has access to FTP in order to easily deactivate Wordfence if he ever locks himself out. He has tightened his Brute Force Protection settings because he’s quite confident in his ability to store his password safely.

Dave sets up his sites so that failed logins lock out after 2 attempts, forgot password attempts are set to 3, and IP addresses that reach these limits are locked out for one month. He immediately locks out any invalid users and also immediately blocks anyone who uses ‘admin’, ‘administrator’, or any other username he sees in failed logins.

He also uses two-factor authentication to ensure that logging in is difficult for anyone other than himself should his credentials ever be discovered.

Sam’s Small e-commerce Site

Sam has a small e-commerce site that is growing rapidly. He has a number of contractors on the site updating product information. He has users who need to log in for various business functions and needs to ensure that everyone can log in, but he doesn’t want to risk his site’s security given how sensitive e-commerce data is. He’s invested in Wordfence Premium and requires his administrators to use two-factor authentication for logging in.

Sam sets up his sites so that failed logins lock out after 5 attempts, forgotten password attempts are set to 5, and a user is locked out for 4 hours. He does not set the site to immediately lock out invalid usernames. Because of the turnover in the contractors he uses to update product information, he has set his Wordfence installation to block passwords found in data breaches for anyone who can publish as well as administrators.
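One way to compare the four profiles above before changing a live site, as an added example that is not Wordfence code: it replays constructed failed-login events against each profile's thresholds and reports which IPs end up locked out and why. The event format, the 4-hour counting window, treating "one month" as 30 days, and the order in which the rules are checked are assumptions of this model, not documented plugin behaviour.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Policy:
    max_login_failures: int        # lock out after this many failed logins
    max_forgot_password: int       # lock out after this many forgot-password attempts
    lockout: timedelta             # how long the lockout lasts
    lock_invalid_usernames: bool   # immediately lock out unknown usernames
    blocked_usernames: frozenset   # usernames that trigger an immediate block


COMMON = frozenset({"admin", "administrator"})

# Thresholds taken from the four scenarios in the post. Kyle and Dave also add
# usernames they see in their own failed logins; those are site-specific and omitted.
POLICIES = {
    "kyle": Policy(5, 10, timedelta(hours=24), False, COMMON),
    "maria": Policy(5, 10, timedelta(hours=24), False, COMMON),
    "dave": Policy(2, 3, timedelta(days=30), True, COMMON),   # "one month" assumed 30 days
    "sam": Policy(5, 5, timedelta(hours=4), False, frozenset()),
}

COUNT_WINDOW = timedelta(hours=4)  # assumption: failures are counted over this period

# Constructed sample data: (timestamp, ip, kind, username).
BASE = datetime(2018, 7, 1, 9, 0)
KNOWN_USERS = {"carol", "dave"}
EVENTS = [
    # Bot cycling through common usernames.
    *[(BASE + timedelta(minutes=i), "203.0.113.10", "login_fail", name)
      for i, name in enumerate(["admin", "root", "test", "wpadmin", "webmaster", "guest"])],
    # Forgetful editor: three bad passwords, then a password reset request.
    *[(BASE + timedelta(minutes=10 + i), "198.51.100.7", "login_fail", "carol")
      for i in range(3)],
    (BASE + timedelta(minutes=13), "198.51.100.7", "forgot_password", "carol"),
    # Legitimate user who mistyped their username once.
    (BASE + timedelta(minutes=20), "192.0.2.44", "login_fail", "carlo"),
]


def evaluate(policy, events, known_users, window=COUNT_WINDOW):
    """Return {ip: (reason, locked_at, locked_until)} for one policy."""
    lockouts = {}
    recent = defaultdict(lambda: defaultdict(list))  # ip -> kind -> timestamps
    for ts, ip, kind, user in sorted(events):
        active = lockouts.get(ip)
        if active and ts < active[2]:
            continue  # request arrives during an active lockout and is dropped
        reason = None
        if kind == "login_fail" and user.lower() in policy.blocked_usernames:
            reason = "blocked-username"
        elif (kind == "login_fail" and policy.lock_invalid_usernames
              and user not in known_users):
            reason = "invalid-username"
        else:
            # Keep only attempts inside the counting window, then add this one.
            hits = [t for t in recent[ip][kind] if ts - t <= window] + [ts]
            recent[ip][kind] = hits
            limit = (policy.max_login_failures if kind == "login_fail"
                     else policy.max_forgot_password)
            if len(hits) >= limit:
                reason = kind + "-limit"
        if reason:
            lockouts[ip] = (reason, ts, ts + policy.lockout)
            recent.pop(ip, None)  # counters reset once the IP is locked out
    return lockouts


def summarize(events=EVENTS, known_users=KNOWN_USERS):
    """Return {profile: {ip: reason}} so the profiles can be compared side by side."""
    return {
        name: {ip: info[0] for ip, info in evaluate(p, events, known_users).items()}
        for name, p in POLICIES.items()
    }


if __name__ == "__main__":
    for profile, locked in summarize().items():
        print(profile, locked or "no lockouts")
```

On this sample, only Dave's profile locks out the forgetful editor and the mistyped username, which is the trade-off the post describes between a single-user site and sites with many users.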

How are you using Brute Force Protection?

We hope this deeper look at our Brute Force Protection settings has been helpful. If you’ve been using Wordfence for a while, how are you using Brute Force Protection? Are there rules you’ve set that work well for your unique site requirements?

Are you seeing any new brute force attack patterns that concern you? Let us know in the comments.

We’ll be covering more ways that our customers use Wordfence in upcoming posts.


New Feature: Custom Premium Development Subdomains

Two weeks ago we announced the release of a new Wordfence feature that automatically allows Wordfence Premium customers to use their premium license key to secure a specific list of staging, development or test subdomains. This week we’ve taken that a step further, releasing a feature to allow your Wordfence Premium license to secure custom staging and development domains.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/06/new-feature-custom-premium-development-subdomains/

We designed our premium licensing to secure one site for each license key. Of course, each site may have several copies for testing and development. In response to your feedback, we’ve made it possible for Wordfence premium license keys to be reused across custom staging and development environments.

To enable these custom staging environments, you’ll need to contact premium support with a link to your staging and/or development environment. We’ll review the site to ensure it matches the production environment currently protected by Wordfence Premium. If it matches, we will enable those environments to use the production premium license key.

Examples of Staging Environments

The standard staging and development environments listed in the previous blog post will work automatically. However, there are a number of custom staging environments that don’t match predictable patterns. Some of our beta testers had environments such as:

  • sandbox.domainname.com
  • staging12.domainname.com
  • www.domainname.com/staging/
  • a05.xx.domainname.com

Our premium support team can assist in ensuring Wordfence Premium is enabled, no matter how unique your secondary environment is, as long as it matches your production site.

More features coming

This is the first of many new features we’re working on to make it easier for our more advanced customers to manage Wordfence. Stay tuned for more exciting announcements in the months to come.

Are there other features we could add to Wordfence that would make managing your site’s security easier? Need help managing Wordfence at scale? Let us know!



New Feature: Premium Development Subdomains

For our premium customers using staging, development, or test subdomains for managing their site’s updates and development, we are happy to announce the ability to utilize premium licenses across subdomains for a premium installation of Wordfence.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/06/new-feature-premium-development-subdomains/

How it Works

When developing and testing a new WordPress website, many people will create a test or staging installation of WordPress. The goal is to ensure that the testing or staging environment has the same code base that the production or live site will be using. If new plugin or theme changes need to be deployed, testing to ensure there are no conflicts in a test environment ensures that the production site is never negatively affected.

Thanks to your feedback, we’ve made it possible for Wordfence premium license keys to be reused across these environments. You will be able to apply your premium license key to a number of common testing subdomains in addition to your production domain.

We are initially opening up this capability to the following common subdomains:

  • staging.yoursite.com
  • stage.yoursite.com
  • stg.yoursite.com
  • new.yoursite.com
  • dev.yoursite.com
  • test.yoursite.com

Allowing for premium license keys to be utilized on these subdomains will help you implement:

Better Testing Environments

The goal of any test environment is to ensure that it closely matches the production environment, allowing you to test changes without impacting your production website. When testing new features and capabilities for a site in development, it will make it easier to ensure that the premium features unlocked on your production sites are also applied in development. If you’re using country blocking for your production site, for example, replicating that exact configuration in your testing environments ensures you can isolate issues and fix them more rapidly.

Better Security

While your primary site may be the ultimate prize, staging, demonstration, or development environments are often targeted, too. Intruders may be looking for similar credentials or data in staging or development environments that might allow them to attack your primary site. Ensuring that all of your environments are well protected and maintained is an important part of any security strategy. For example, using two-factor authentication in a staging environment is often just as important as using it in production. Wordfence Premium can now help you meet that need.

Easier Launches

If you’ve purchased a license for yoursite.com, it will work on any of the above subdomains associated with the primary root domain. When launching a new site from a development or staging environment, you won’t have to downgrade or upgrade Wordfence Premium. Wordfence will recognize the relationship between your different environments for your root domains, making deploying and testing changes much easier.

Managing Your WordPress Sites

Managing a large installation base of WordPress sites has its own set of challenges. Depending on the number of sites you have, it can be a full time job just to maintain your sites and keep them secure. We’re looking to make that job easier for you, your customers and other stakeholders.

Do you manage a large number of sites and would like a consultation on your organization’s specific needs? We’d love to hear from you. Please complete the form below and we’ll be in touch.

This is the first of many new features we’re working on to make it easier for our more advanced customers to manage Wordfence. Stay tuned for more exciting announcements in the months to come. As always, we’d love to hear your feedback in the comments.


Getting the Most From Wordfence Premium

If your WordPress site matters, upgrading to Wordfence Premium gives you the best protection available. And at $99 per year, it is incredibly affordable. Once you’ve made this great investment, there are a few things you can do to optimize your site’s security.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/04/wordfence-premium/

Install Your Premium License Key

Do you have the free version of Wordfence installed? You probably see that your site security status circles are not at 100%. You can quickly change that after you purchase your premium license.

Your Premium license key is available on the API Keys page at Wordfence.com. To install it, simply go to either the Global Options or All Options page within the plugin on your site, and paste the license key into the ‘License Key’ box in the Wordfence License section. Hit the ‘Install License’ button and you’re all set!

That one step enables these important Premium features:

  • The Real-time IP Blacklist blocks all requests from the most malicious IPs, protecting your site while reducing load.
  • Real-time firewall rule updates protect you from the latest threats.
  • Real-time malware signature updates provide the malware blocking within the firewall and the malware scanning features with the latest threat intelligence.
  • Site reputation checks tell you if your IP has been blacklisted for malicious activity, generating spam or other security issues.
  • Premium support from our amazing team of Senior Support Engineers.

There are just a few more steps to make sure your site is locked down.

Optimize the Firewall

Your Wordfence firewall should be in extended protection mode, which means the Wordfence firewall will execute before any other PHP code on your server. There’s no better protection available than the Wordfence firewall when it’s optimized and armed with the Premium firewall rules, malware signatures and malicious IPs.

You can learn more about optimizing the Wordfence firewall in our help section.

Enable Two-Factor Authentication

Two-factor authentication is one of the most secure forms of remote system authentication available. We support both text messages to your cell phone and Google Authenticator as second authentication methods. If a password is ever stolen somehow, this extra layer of protection ensures your WordPress site remains secure.

Configure Country Blocking

If you’re experiencing malicious activity from a country that you’re not doing business in, you can block it with Wordfence Premium. Be judicious in your blocking, however. Make sure you don’t block countries that may affect your site’s functionality (e.g., don’t block the United States and inadvertently block Google and PayPal).

You can also use country blocking to secure your login page only. If you know you’ll only be logging in from one location, secure your login page from being accessed from other locations.

Customize Your Scan Schedule

With Wordfence Premium, a full scan runs every 24 hours by default, which should be fine for most sites. You can specify which hour or hours of the day you’d like scans to run. We recommend looking at your site traffic patterns and selecting times when traffic is generally the lowest for the day. If you’d like to increase the frequency, you can schedule them to run as often as every hour.

Managing a Large Number of Sites?

We’re doing something new for those of you tasked with securing a large number of WordPress web sites. The Wordfence Client Partner initiative gives agencies, educational institutions, and other large scale users of WordPress a dedicated technical partner to assist with Wordfence at scale. Does this sound like you? Let us know. We’re here to help.


Get Support From Our Senior Support Engineers

The comprehensive capabilities of Wordfence give you tools and features that provide a level of security for WordPress you won’t see elsewhere. But when you’re just getting started, it all may seem overwhelming at first. With Wordfence Premium, you have access to the best WordPress security support team in the world. Our awesome team of Sr. Support Engineers can assist you with any Wordfence- or site security-related question you may have. Just enter a ticket here and they will respond within a few hours on average.

Conclusion

We hope this article helped get you started with Wordfence Premium. To learn more about Wordfence, please check out our great help content, or our learning center to learn more about WordPress security in general.
