---
title: "How to Install the Wordfence WordPress Security Plugin"
description: "There are many essential types of WordPress plugins for the best performance needed by small and mid-size businesses (SMBs). Below we'll focus on how to secure WordPress with the Wordfence security..."
url: https://www.inmotionhosting.com/support/edu/wordpress/plugins/wordfence/
date: 2020-10-28
modified: 2023-07-17
author: "InMotion Hosting Contributor"
categories: ["WordPress Plugins"]
type: post
lang: en
---

# How to Install the Wordfence WordPress Security Plugin

There are many [essential types of WordPress plugins](https://www.inmotionhosting.com/support/edu/wordpress/8-essential-types-of-wordpress-plugins/) for the best performance needed by small and mid-size businesses (SMBs). Below we’ll focus on how to [secure WordPress](https://www.inmotionhosting.com/support/edu/wordpress/10-ways-to-secure-wordpress/) with the Wordfence security plugin. Wordfence has been one of most popular WordPress security plugins for years because of its long list of features:

- Brute-force protection against bad bots and automated cyber attacks
- WordPress login security options including multi-factor authentication
- Consoles with verbose server related information for easier debugging
- Malware scanning for the website and child directories within the [website root directory](https://www.inmotionhosting.com/support/website/where-to-upload-files/)
- Some security information and event management (SIEM) features such as live traffic monitoring
- And much more

Below we’ll cover some free functions of the Wordfence security plugin:

- [Installing Wordfence](#install)
  - [Dashboard](#dashboard)
  - [WP-CLI](#wpcli)
  - [Manually](#manual)
- [Scan WordPress](#scan)
- [View Live Traffic](#traffic)
- [Whois Lookup](#whois)
- [WordPress Diagnostics](#diag)
- [Wordfence Security Options](#option)

Need better WordPress performance? Check out InMotion’s [WordPress Hosting](https://www.inmotionhosting.com/wordpress-hosting).

## Installing the Wordfence Plugin

You do not need to enter an API key for the free version.

### Install from the Dashboard

1. [Log into your WordPress dashboard](https://www.inmotionhosting.com/support/edu/wordpress/logging-into-wordpress-dashboard/).
2. [Install the Wordfence plugin](https://wordpress.org/plugins/wordfence/) and activate it.
3. On the left, select **Wordfence** to start hardening WordPress.

### Install via WP-CLI

1. [Log into SSH](https://www.inmotionhosting.com/support/server/ssh/do-you-provide-ssh-access/).
2. Install and activate Wordfence with [WP-CLI](https://www.inmotionhosting.com/support/edu/wordpress/wp-cli/install-a-plugin-using-wp-cli/) using the following command: wp plugin install wordfence --activate

### Install Manually

1. To install the plugin manually, download the plugin zip file from [WordPress.org/plugins](https://wordpress.org/plugins/wordfence/).
2. [Upload the zip file](https://www.inmotionhosting.com/support/edu/cpanel/how-to-upload-a-file-using-file-manager-in-cpanel/) and [extract the folder](https://www.inmotionhosting.com/support/edu/cpanel/compressing-uncompressing-files/#uncompress) to the website’s `wp-content/plugins` folder.
3. Log into your WordPress site or use the WP-CLI command to activate the plugin:wp plugin activate wordfence

After activating Wordfence, you will be prompted with a message stating “*You have successfully installed Wordfence.*” Enter your preferred email address for Wordfence emails notifications, agree to the Wordfence terms, and **Continue**. If you don’t have [Wordfence premium (paid) license](https://www.wordfence.com/wordfence-signup/), click **No Thanks** at the bottom.

![](https://www.inmotionhosting.com/support/wp-content/uploads/2020/10/wordfence-security-terms.png)

When you first visit some Wordfence pages, you’ll be prompted with pop-ups explaining notable features.

## Scan WordPress with Wordfence

We will now show you how to use Wordfence to **scan your WordPress site for malware**, weak passwords, and out-of-date plugins/themes, and more. Some scanning abilities require a premium Wordfence security license.

1. [Log into your WordPress dashboard](https://www.inmotionhosting.com/support/edu/wordpress/logging-into-wordpress-dashboard/).
2. On the left, click **Wordfence**, then **Scan**.
3. Select **Scan Options and Scheduling** on the right of the page to update your Wordfence scanner settings.
4. Make any desired changes to your Wordfence scanner settings.• *Scan Scheduling* – Toggle the option to let Wordfence choose when to scan or manually set the scan schedule (if you have a premium license)• *Basic Scan Type Options* – Select a scan preset for the *General Options* section• *General Options* – Specify what Wordfence scans and change the *Basic Scan Type Options* selection to Custom automatically• *Performance Options* – Configure lower resource scanning settings such as increasing scan duration and limiting memory usage• *Advanced Scan Options* – Exclude files from being scanned and add malware scan signatures in regex (one per line).
5. Select **Save Changes** in the top-right corner.
6. Select **Back to Scan** in the upper-left corner.
7. Select **Start New Scan** to start scanning your website. How long the scan takes depends on the size of your website. We recommend checking Wordfence every 30-60 minutes.

When the Wordfence scan finishes you will see a “Scan Complete” message with your results below. You can click the **Show Log** link to see details about the scan.

![Wordfence scan in progress](https://www.inmotionhosting.com/support/wp-content/uploads/2018/05/edu_wordpress_205_wordfence-plugin_how-to-scan_wordfence-scan-in-progress-1024x225.png)

Get more information in your WordPress security scans for free with [WPScan](https://www.inmotionhosting.com/support/edu/wordpress/wordpress-vulnerabilities-wpscan/).

## View Live Traffic in Wordfence

Viewing your live traffic can provide valuable insight into how, when, and why people visit your website. This is helpful when [targeting ad campaigns](https://www.inmotionhosting.com/blog/email-marketing-basics-tips-to-launching-a-successful-campaign/), improving [search engine optimization (SEO)](https://www.inmotionhosting.com/support/edu/wordpress/measuring-for-keyword-relevance-wordpress-seo/), or trying to troubleshoot some anomalies in your website performance without a separate [web analytics application](https://www.inmotionhosting.com/support/website/analytics/choose-the-best-analytics-tool/).

1. [Log into your WordPress dashboard](https://www.inmotionhosting.com/support/edu/wordpress/logging-into-wordpress-dashboard/).
2. On the left, select **Wordfence** and **Tools**.
3. You’ll be redirected to the **Live Traffic** logging visits to your site. It will include the traffic type (human, bot, warning, or blocked), location, page visited, time, IP, hostname, response, and view setting. Click one of the listings to see additional details.
4. Toggle the **Expand All Results** switch to open all of the listings for viewing along with options to *Block IP*, *Run WHOIS*, or See *Recent* Traffic of the visitor.
5. By default, Wordfence only logs security-related events (e.g. login attempts and blocked requests). This requires much less server resources. To log all traffic (not recommended for an extended period of time on Shared Hosting), select **Live Traffic Options** at the top of the screen and **ALL TRAFFIC**. Then **Save Changes** above.
6. Here you can also specify WordPress usernames, IP addresses, and [user-agents](https://www.inmotionhosting.com/support/edu/wordpress/customize-wordpress-content-useragent-content-switcher/) to ignore when logging and how much live traffic data to store for how long.
7. If you make any updates, **Save Changes**.
8. In the traffic results, you can click the filter drop-down menu to view traffic from a specific source. Available options are: All Hits, Humans, Registered Users, Crawlers, Google Crawlers, Pages Not Found, Logins and Logouts, Locked Out, Blocked, and Blocked By Firewall.
9. Check the **Show Advanced Filters** option to filter traffic by date, group similar traffic, and use additional filters.

![Example live traffic in Wordfence](https://www.inmotionhosting.com/support/wp-content/uploads/2018/06/edu_wordpress_205_wordfence-plugin_view-live-traffic_view-live-traffic-1024x777.png)

## Whois Lookup in Wordfence

The Wordfence security plugin allows you to do a [WHOIS lookup](https://www.inmotionhosting.com/support/domain-names/how-to-look-up-domain-whois/) in WordPress without a network node being in your traffic log. The WHOIS record lets you view publicly displayed information about domains or IP addresses. This is helpful when trying to view details about the registrar, owner, authoritative [nameservers](https://www.inmotionhosting.com/support/domain-names/dns-nameserver-changes/complete-guide-to-dns-records/), abuse contact address, etc.

1. [Log into your WordPress dashboard](https://www.inmotionhosting.com/support/edu/wordpress/logging-into-wordpress-dashboard/).
2. On the left, select **Wordfence**, then **Tools**.
3. Select the **Whois Lookup** tab.
4. Enter the domain you want to look up and click **LOOK UP IP OR DOMAIN**.

![Example Wordfence Whois Lookup](https://www.inmotionhosting.com/support/wp-content/uploads/2018/06/edu_wordpress_205_wordfence-plugin_whois-lookup_whois-lookup.png)

## View WordPress Diagnostics in Wordfence

Here you can see information about your server environment and installation of WordPress. This can be a helpful tool when troubleshooting issues with WordPress or the web server.

1. In the navigation menu, click **Wordfence**, then **Tools**.
2. Select the **Diagnostics** tab on the right.
3. You will then see the Diagnostics report for your website, click the **Expand All Stats** button to open all the sections. Below is a description of the information included in each section of the report provided by Wordfence.• *Wordfence Status* – General information about the Wordfence installation• *Filesystem* – Ability to read/write various files• *Wordfence Config* – Ability to save Wordfence settings to the database• *Wordfence Firewall* – Current WAF configuration• *MySQL* – Database version and privileges• *PHP Environment* – PHP version, important PHP extensions, and process owner (e.g. [cPanel username](https://www.inmotionhosting.com/support/amp/viewing-account-technicial-information-in-amp/))• *Connectivity* – Ability to connect to Wordfence, servers, your own site, and your [server IP address](https://www.inmotionhosting.com/support/edu/cpanel/how-to-find-your-shared-ip-address-of-your-server-in-cpanel/)• *Time* – Server time accuracy and applied offsets• *IP Detection* – Methods of detecting a visitor’s IP address• *WordPress Settings* – WordPress version and internal settings/constants• *WordPress Plugins* – Status of installed plugins• *Must-Use WordPress Plugins* – [WordPress “mu-plugins”](https://www.inmotionhosting.com/support/amp/viewing-account-technicial-information-in-amp/) that are always active, including those provided by hosts• *Drop-In WordPress Plugins* – WordPress “drop-in” plugins (which replace WordPress functionality) that are active• *Themes* – Status of installed themes• *Cron Jobs* – List of WordPress cron jobs scheduled by WordPress, plugins, or themes• *Database Tables* – Database table names, sizes, timestamps, and other metadata• *Log Files* – PHP error logs generated by your site, if enabled by your host• *Other Tests* – System configuration, memory test, send test email from this server (e.g. phpinfo page)• *Debugging Options* – Toggle WordPress debugging options for your site
4. At the bottom, **Save Changes**.
5. At the top, click **Send Report by Email** to email the report to Wordfence support or others.

## Wordfence Security Options

The Wordfence *All Options* page includes all available configurations within the plugin. This can be easier for experienced users to configure everything without bouncing around menu options.

1. [Log into your WordPress dashboard](https://www.inmotionhosting.com/support/edu/wordpress/logging-into-wordpress-dashboard/).
2. On the left, select **Wordfence**, then **All Options**. Below is an outline of the available Wordfence security options.

| Wordfence Global Options |
| --- |
| Wordfence License | View your free license or enter a premium license to upgrade. |
| View Customization | Choose if you want to display menu items for *All Options*, *Blocking*, or *Live Traffic*. These will show up in the main dashboard menu under “Wordfence”. |
| General Wordfence Options | Set if you want Wordfence to update automatically, view/change your email address for alerts, choose how Wordfence gets IP addresses, hide your WordPress version, disable Wordfence cookies, pause live updates when window loses focus, set update interval, bypass the LiteSpeed “noabort” check, and delete Wordfence tables and data on deactivation. |
| Dashboard Notification Options | Choose if you want to receive dashboard notifications for updates and scan status. |
| Email Alert Preferences | Specify preferred email alerts from the options list. |
| Activity Report | Set if you want to receive a regular email summary or enable an activity report widget in the dashboard. |
| Firewall Options |
| Basic Firewall Options | Set your firewall status and protection level. |
| Advanced Firewall Options | Delay IP/Country blocking, whitelist IP’s, block IP’s that access specific URL’s, or ignore IP’s. |
| Brute Force Protection | Set your brute force protection rules here such as lock out options. |
| Rate Limiting | Choose your rate-limiting settings here, for example you can set rules for bots or throttle specific visitors by behavior. |
| Whitelisted URLs | Whitelist known safe URL’s that are sending requests to your site. |
| Blocking Options |
| Advanced Country Blocking Options | Block specific countries here, this is a [premium Wordfence feature](https://www.wordfence.com/wordfence-signup/). |
| Scan Options |
| Scan Scheduling | Choose if you want to let Wordfence choose when to scan, or manually set the scan schedule if you have a premium license. |
| Basic Scan Type Options | Set if you want to perform a Limited, Standard, High, or Custom scan. |
| General Options | Choose what you want Wordfence to specifically scan for here. |
| Performance Options | Set if you want to use *low resource scanning*, or manually limit the scan options. |
| Advanced Scan Options | Exclude files from being scanned here, or add specific scan signatures. |
| Tool Options |
| Live Traffic Options | Enable live traffic logging, set how much live traffic data to store, and ignore specific users, IP addresses, or user agents. |
| Import/Export Options | Import or Export your Wordfence settings. |
| Login Security Options | Go to the Login security options page |

The *Filter Comment Spam* feature has been removed from the Wordfence security plugin.

Wordfence is a great WordPress security suite. However, there are other aspects to hardening WordPress. To compliment your security posture, install the [BBQ: Block Bad Queries](https://www.inmotionhosting.com/support/edu/wordpress/how-to-setup-bbq-block-bad-queries-on-wordpress/) and [HTTP Headers](https://www.inmotionhosting.com/support/edu/wordpress/plugins/http-headers-security/) security plugins.

Become a master of [WordPress plugins](https://www.inmotionhosting.com/support/edu/wordpress/plugins/)! Protect, optimize, secure, and expand the functionality of your website easily with the help of WordPress plugins!
