Introducing the Wordfence Login Security Plugin
Today we are excited to announce the release of a brand new plugin: Wordfence Login Security. This plugin is a completely standalone plugin and you don’t need to install the full version of Wordfence to take advantage of the specific security features included in it.
Wordfence Login Security is designed by our team to secure your login and authentication system. It’s worth noting that this plugin does not include the firewall, malware scanner and other features that the full Wordfence plugin comes with.
If you already have an alternative firewall solution in place and are covered for malware scanning, then this plugin is perfect for you because it secures your login system against several dangerous and targeted attacks.
Wordfence Login Security includes the following features:
- It provides robust two-factor authentication that is not vulnerable to cellphone SIM porting attacks.
- It includes a login page CAPTCHA that protects you from sophisticated credential stuffing attacks that use a wide range of IP addresses.
- It also includes XML-RPC protection.
These features are also included in the full Wordfence plugin. So if you are using Wordfence already, you don’t need to install this new plugin. You can learn more about how these features are available in Wordfence by checking out last week’s announcement post.
Why did we do this?
Over the last year we have spent a lot of time talking to WordPress users. One thing we learned, from larger companies especially, is that everyone’s situation is different. And that even means (gasp!) that some people can’t or don’t run Wordfence on some of their sites. The reasons vary, but in most cases there are many features they could benefit from using.
With that in mind, when we decided to completely rewrite our two-factor authentication feature we decided to also release it as a separate plugin. Our hope is that by making sets of related features available in “modular” plugins like this, more websites will benefit from Wordfence protection. Our goal, after all, is to make the web safer. The more sites we can keep safe the better.
Do I need both plugins?
In a word, no. Wordfence Login Security and the full Wordfence plugin share the same code for these features. If you already have the full Wordfence plugin installed you already have all of the features available in Wordfence Login Security. If you try to install Wordfence Login Security, nothing will change.
Can I install the full Wordfence plugin if I have Wordfence Login Security installed?
Wordfence Login Security and Wordfence are built to play nicely together. They integrate seamlessly. If you are using Wordfence Login Security and then install the full version of Wordfence, all of your settings are preserved.
Once you install the full version of Wordfence, a new ‘Wordfence’ section will be added to your menu. The settings for Wordfence Login Security will appear in this area as one of the security features available to you.
Again, all your settings are preserved and you can continue knowing your site has the additional features that Wordfence includes like our firewall and malware scanner.
Do I need to upgrade to Premium to use Wordfence Login Security?
This plugin is free and you do not need to pay to use it. In addition, the features that are included in Wordfence Login Security are also available in the free version of the full Wordfence plugin.
The Wordfence team is committed to making the Web a safer place. We wanted to make these essential security features available to absolutely every WordPress site owner and user at no cost. We also built the plugin to be as widely compatible as possible so that there is no barrier to entry when it comes to securing your website against credential stuffing attacks and other attacks targeting your login system.
What’s next for Wordfence Login Security?
Our team spent the past year developing and testing Wordfence Login Security. Our team has taken the plugin through a rigorous QA process that ensures it is widely compatible, rock solid and ready for production. We have also performed a comprehensive security audit on it to ensure that there are no loopholes or issues that an attacker can exploit.
At this point, Wordfence Login Security is an extremely stable and robust security solution for your WordPress authentication system. Our intention is to set the standard for WordPress two-factor authentication with this product.
Our next steps are to listen to the community feedback while providing excellent support for our customers. This will help guide the product direction and our development team.
If you are not currently using the full version of Wordfence, we hope you will at the very least install Wordfence Login Security to protect your WordPress authentication system. Our team is installing this plugin on their own sites – in fact many have been running the beta version for months.
Wordfence Login Security is a huge step forward in helping secure WordPress and we hope you will help spread the word in the community that this plugin is available, completely free, and does an excellent job of improving the security posture of a WordPress website.
Wordfence/Defiant Founder and CEO
It looks very nice. Do you have any plans on adding a front-end activation feature so that the users can activate two-factor authentication without accessing the back-end? I’m using Simba 2FA at the moment for this particular reason. Theme My Login 2FA has the same feature as well but is otherwise very limited.
Hi Karl, we're glad you like the looks of it so far. Adding a front-end activation feature is not currently on our roadmap, but something we will definitely consider in the future.
Thanks for your quick reply and the information. I'll continue my customization development of Simba 2FA then. By the way: I love Wordfence. Such an amazing product! I recommend it highly to everyone in my community.
Thanks Karl, we really appreciate the kind words and recommendations!
Can we use this to manage logins for registered visitors and allow new users to register with our web site as well, or is this designed exclusively for managing administrators and contributors?
Hi Mark, you can enable two-factor authentication for any user role you like.
This is great! I've enjoyed the extra security and reliability of your 2FA features for some time. You didn't have to break 2FA into a separate plugin like this, but you did it anyway. Thank you for helping everyone protect us from ourselves!
Thanks for creating this plugin. I'm looking forward to better login security on my site and my client sites as well!
I'm now testing reCaptcha v3 module and I think it works really well, before I was using miniOrange 2FA. Thanks so much Mark and WF Team for helping us keep our sites more secure.
Security is extremely important, appreciate WordFence. I remember what it was like to get hacked, arghhhh
I already use the free version of WordFence on every site I build while staging and I usually aim to upgrade to premium when the site goes live for clients who are prepared to pay for the added features
Thanks for making the effort to release this FREE plugin and for spreading the peace-of-mind of a defended WP site!
All too rare nowadays...
Keep up the fantastic work
Peace & love
Nice plugin, well done. Any plan for HOTP/YubiKey support?
Thanks Diego! We're evaluating whether we want to support physical security keys, and if so which one(s). Keep an eye on our blog for updates. HOTP support isn't currently on our roadmap.
Good morning, I use Wordfence Security on all of my clients' sites and I just wanted to thank you for the valuable information you provide and for the excellent work you do, which allows us webmasters to ensure the security of our clients' sites. Keep up the good work. Tiziana
Question - I'm currently using a plugin where I append a word to my website name, which then takes me to the WP-login screen. That has worked for much of my screening because if someone types in /wp-login or /wp-admin (whatever it is) they are immediately sent to the 404 page. That being said, for some reason today four bots got through to the sign in page by typing in /xmlrpc.php
This has never happened before, which tells me my plugin no longer works?
Sorry, I know just enough to be dangerous running the back end of my site. So do I remove that old plugin and activate this WF plugin? Or is it automatically activated? I have Premium on two sites.
Hi Beth, XML-RPC is an interface that allows WordPress to communicate with other applications. The majority of malicious login attempts hit this, not your login page. That is one of the reasons we don't recommend moving your login page. If you're not using Jetpack or the WordPress mobile app it is likely safe to disable XML-RPC, which both Wordfence and the new Wordfence Login Security plugins allow you to do. Help documentation for the feature: https://www.wordfence.com/help/login-security/#two-factor-authentication-options.