Defender deters hackers with IP banning, login lockout, updating security keys, two-factor authorization, and more. Learn about Defender’s robust security features that prevent hackers from waltzing right into your WordPress site.
No hacker gets past Defender!
Defender is WPMU DEV’s answer to WordPress security.
Our powerful 5-star plugin provides complete security for your WordPress sites and brings you peace of mind by deterring brute force attacks, SQL injections, cross-site scripting XSS, and preventing hackers from exploiting WordPress vulnerabilities.
“Defender recently blocked over 3000 attacks in one week without any noticeable impact on the website. WPMUDEV knocking it out of the park on this one.” – David Oswald
Defender adds the best in WordPress security to your website with just a few clicks.
In order to stop the hackers from getting in, Defender configures powerful security measures, including allowing you to easily:
Right off the bat, Defender provides a number of Security Tweaks in the dashboard, allowing you to easily fix any issues that can be exploited by hackers and compromise your site’s security with just one click.
To help you stay on top of your security tweaks, Defender provides a checklist of all issues that need fixing and highlights these in yellow…
Defender highlights all issues in yellow.
And marks all resolved issues in green…
Security tweaks resolved and no longer an issue.
Let’s go through some of these one-click security tweaks…
Disable Trackbacks and Pingbacks
Defender can prevent trackbacks and pingbacks from causing DDoS attacks and spam comments.
Just click the Disable Pingbacks button.
Disable trackbacks and pingbacks.
Change Default Database Prefix
With one click, you can change the default
wp_ database prefix that WordPress normally assigns to many new installations.
This lets you set a unique database prefix that will make it harder for hackers to perform SQL injection attacks if they run across any code vulnerability on your site.
It also adds another layer of difficulty for hackers to overcome, further protecting your WordPress site.
You can quickly see if this function is enabled or disabled in the Issues or Resolved section.
Your default database prefix is resolved.
Disable File Editor
As the file editor is built into WordPress, anyone with an admin account can edit your theme and plugin files and inject malicious code.
Disabling the file editor helps prevent this and any security holes in your admin that could become a problem.
Disable the file editor is seen as a security issue. That can be done with a click of a button.
If it’s an issue, just click Disable the File Editor in the Issues section.
Disable file editor button.
The problem will be fixed and marked as Resolved.
And now it’s disabled.
Hide Error Reporting
With Defender’s one-click security tweaks, you can make your site less prone to malicious attacks by disabling the built-in PHP and scripts error debugging feature of WordPress.
This feature displays code errors on the frontend of your website, allowing hackers to find loopholes in your site’s security.
Hide error reporting is now resolved.
Update Security Keys
As WordPress uses security keys to enhance the encryption of information, having a random, unpredictable encrypted password (e.g. 89080a8908908b098903c) can make it near impossible for hackers to come up with the right combination.
Defender’s Update old security keys feature lets you update these keys regularly and set a reminder for how often ut should notify the admin to regenerate these.
Where you’ll regenerate the keys.
Once your security keys have been regenerated, the update is then automatically marked as Resolved.
Where it shows security keys are updated. Also, you can set a reminder here to reset again in the future.
Prevent Information Disclosure
Another of Defender’s automated one-click Security Tweaks is to prevent the disclosure of sensitive files in servers that have been misconfigured, allowing malicious users to access your WordPress site or database.
The status of the Prevent Information Disclosure security feature.
Prevent PHP Execution
Defender lets you disable direct PHP execution in directories that don’t require it, preventing plugin or theme vulnerabilities from allowing a harmful PHP file to be uploaded to your WordPress site’s directories.
Resolved Prevent PHP Execution.
You can also add exceptions to PHP files that you want to run and bypass Defender’s protection measures.
Where exempt PHP files can be placed.
Defender’s Firewall adds a hardened layer of protection against a hacker’s attempts to gain entry to your site through brute force attacks.
It comprises a number of security measures, including:
Defender locks out any user who tries to log in and fails repeatedly to get the credentials right.
Defender’s Login lockouts dashboard.
You can configure login lockout options such as the lockout time, lockout message, and ban usernames.
Adjusting the threshold lets you specify how many failed login attempts defender will allow in a given time period before triggering a lockout.
In this example, Defender will ban users with 5 failed login attempts within a 5-minute period.
You can set the duration of the lockout or permanently lock out offending users.
Ban users temporarily or permanently.
Like most of Defender’s features, you can customize the message that will be displayed to locked out users.
Customize your message to locked out users.
You can also automatically lockout and ban users if they attempt to log in using common usernames (e.g. admin).
Defender locks out and bans users attempting to log in using a banned username.
Defender keeps an eye out for repeat offenders. These are usually bots that crawl every link on your site trying to find a back-end admin area so they can wreak havoc or requests from the same IP addresses for pages on your WordPress site that don’t exist.
If this happens too frequently, Defender will block users from accessing your site.
You can specify how many 404 errors within a specific period will trigger a lockout and choose the ban duration for offending users, either for a specific timeframe (in seconds, minutes, or hours) or permanently.
Defender Firewall – 404 Detection.
You can also customize the message displayed to locked out users.
Don’t leave hackers guessing why they’ve been locked out.
Defender’s Blocklist automatically bans users and bots from accessing any files and folders you specify.
If a common file or folder in your website is missing, you can record it in the Allowlist area. Any attempts to access these won’t count toward a lockout.
Ban or allow users to access files and folders.
Specifying file types and extensions to auto-ban or allow is as simple as entering these into the plugin’s fields.
Auto-ban or allow access to filetypes and extensions.
Defender monitors all interactions on your website. However, with the click of a button, you can also choose to include or exclude monitoring 404s from logged-in users.
Click to monitor 404s from logged-in users.
Geolocation IP Lockout
Defender lets you ban traffic from any location–even an entire nation– if you don’t want traffic coming to your site from certain places. Geolocation IP lockout is a great added security bonus that prevents users in undesirable locations from getting anywhere near your site.
IP Banning inside Defender’ Firewall stops unwelcome visitors with just a few clicks.
Ban countries you don’t want traffic coming from to protect your site from hackers in that location.
You will need to sign up for a free account with MaxMind to get access to the free GeoLite2 Database.
After confirming your account and creating a password, you can generate a license key.
Generate a license key to access the GeoIP database.
Adding this license key to Defender lets you download, add, and access the GeoLite 2 database.
Add your GeoIP database license key to download the list of countries.
After successful license activation, the Location section will let you specify countries to block or let traffic through from a drop-down menu.
Block or allow traffic from selected countries.
You can block IP addresses by adding these to Defender’s Blacklist. Users with those IP addresses won’t be able to visit your WordPress site and will be greeted instead with a customizable message.
Defender lets you add any addresses you want to ban into its Blocklisted IPs section and supports both IPv4 and IPv6 formats.
Enter banned IPs you want to block.
Alternatively, you can allow IP addresses and exempt users from the ban rules for login protection, 404 detection, or IP ban lists.
Add allowed IPs.
Once you have added an active list, Defender monitors these IPs. It also lets you release any blocked IPs that were inadvertently banned.
Unblock banned IP addresses.
Additionally, you can easily import and export any list data you have already compiled to and from Defender with just one click.
Import and export IP address lists easily.
Web Application Firewall (WAF)
If you’re hosting your website with WPMU DEV, a Web Application Firewall is enabled via Defender adding an initial layer of protection against hackers and bots before they can even reach your site.
If any vulnerabilities match our WAF filters ruleset covering common attacks, any vulnerable files in your WordPress core, plugins, or themes will be virtually patched, while also respecting any rules set in Defender’s firewall.
WAF blocks hackers and bot attacks before they ever reach your site!
Two Factor Authentication (2FA)
Defender enhances your WordPress site’s security by adding an extra step in the login process with two-factor authentication. This makes it extremely difficult for a hacker to login to your account.
Enable Two-factor Authentication
With a click of the Activate button, you can configure authentication settings. All the recommended settings are on by default and you’ll have plenty of options.
You can assign User Roles that will require 2FA by clicking on each one.
Defender lets you specify which user roles require 2FA.
If you have a Lost Phone, you can enable this setting to send the authentication code to the user’s email instead. You can also Force Authentication that will force users to activate 2FA and create Custom Graphics instead of using the default Defender icon.
Set up Lost Phone, Force Authentication, and Custom Graphic options.
Defender uses the Google Authenticator app. Download and set up instructions are in the User Profile dashboard, allowing you to easily install the app on your device from the App Store or Google Play.
Enable 2FA on your User Profile to access setup instructions.
2FA functions by scanning the barcode and entering the 6-digit passcode shown on your device.
Google authenticator screen.
Defender’s 2FA feature adds the first impenetrable layer of security and protection against hackers.
No passcode, no access.
Defender provides two Advanced Tools to enhance site security and thwart hackers from accessing your site:
- Masked Login Area: Change the URL path to your login screen to something other than the default
- Security Headers: Enable security headers to add an extra layer of security to your website.
Let’s take a quick look at how easy it is to make it hard for hackers to find your login screen:
With Defender, you can easily change your default URL to mask (hide) your login area, preventing hackers and bots from locating and accessing your login URL.
You can choose your own mask login URL and enter any slug you like (e.g. ‘my-awesome-login’). We recommend choosing a login URL that bots will find almost impossible to guess.
Create a new login URL that bots won’t be able to guess.
Setting up your new beefed-up secure login URL is as easy as entering a new slug and clicking Save Changes.
Your WordPress site now has a new login URL.
Defender Makes It Harder To Hack WordPress And Easier For Hackers To Go Elsewhere
With Defender monitoring your WordPress site 24/7, hackers have no reason to stick around.
Defender amps your security and stops Hackers in their tracks. In fact, Defender automatically resolves many common security issues as soon as you activate the plugin.
Defender protects your site against hackers and malicious bots before they even visit your site with WAF, lets you perform one-click security tweaks, and then continuously guards and monitors the perimeter with advanced security hardening features like login masking, two-factor authentication, malware scanning, audit logging, and firewall protection.
To learn more about WordPress security, check out our Ultimate Guide to WordPress Security.
For more information on how Defender works, be sure to view the plugin’s documentation.
Also, keep an eye on our roadmap for all the exciting new features coming soon to Defender, the ultimate WordPress security plugin.
Free Video Why 100 is NOT a Perfect Google PageSpeed Score (*5 Min Watch) Learn how to use Google PageSpeed Insights to set realistic goals, improve site speed, and why aiming for a perfect 100 is the WRONG goal.