Free WordPress Defense — Wordfence’s Free Tier and the Premium Trap

Self-Hosting Build Guide, Part 11. The bots already arrived back in Part 8. Now we post a guard at the door.

← Previous: Part 10 — What Not to Publish (Privacy Review)
→ Next: Part 12 — Backing Up to a NAS (tar+ssh)

TL;DR

  • WordPress runs over 40% of the web — which makes it the No.1 target for automated attack bots
  • Wordfence’s free tier gives you a firewall (WAF), two-factor auth (2FA), and a malware scanner — cost $0
  • The trap: after install, the screen hides the free option and pushes the paid plan ($149/yr) — the free key hides in a small underlined link
  • The only real free-vs-paid difference is “firewall rules arrive 30 days later” — irrelevant for a personal blog
  • The extended firewall must sit in front of PHP to truly block — one line in .htaccess, and back it up first

1. Why WordPress is a Target

WordPress powers more than 40% of all websites. High market share means that, from an attacker’s view, a single vulnerability can hit tens of millions of sites.

As we saw in Part 8, the moment you publish a domain, brute-force attempts hit the login page within 24 hours — not humans, but automated bots. They also constantly probe known holes in plugins and themes. So WordPress is a system where “if it’s up, a guard goes up immediately.”

2. What the Free Tier Gives You

Feature                 Free tier      Notes
Firewall (WAF)          Yes            Blocks known attack patterns at the gate
Two-factor auth (2FA)   Yes            One more layer if a password leaks — first defense against brute force
Malware scanner         Yes            Detects tampered files and planted backdoors
Real-time bad-IP list   30-day delay   Paid is instant; free arrives 30 days later

What a personal blog actually needs is the first three (firewall, 2FA, scan) — all free. The real-time IP list only matters for large, high-value targets.

3. Finding the Free Key — the Store’s Paid Trap

After installing, a “get your license” screen sends you to the Wordfence store. This is where it gets confusing.

  • The big blue button = “real-time protection” = paid ($149/yr). Sometimes two items are pre-added to the cart so it looks even pricier.
  • The free key hides below in a small underlined link: I'm OK waiting 30 days for protection updates.
  • Click that and a free license key arrives by email. Paste it into the plugin. Done. Cost $0.

It looks like a checkout page, but you never have to pay. The whole task is finding that one sentence about waiting 30 days.

4. Real Defense Sits in Front of PHP — the Extended Firewall

In its default state the firewall runs inside WordPress (PHP). That means an attack request has already reached PHP before it gets inspected. One step too late.

Turning on “Optimize the Firewall” adds one line to the web server config (.htaccess) so requests are checked before PHP runs:

php_value auto_prepend_file '/var/www/html/wordfence-waf.php'

flowchart LR
    V[Visitor/Bot] --> W[Extended firewall before PHP]
    W -->|clean| P[PHP / WordPress]
    W -->|attack| X[Blocked]

⚠️ Back up .htaccess before enabling this. Depending on your server, that one line can throw a 500 error — and the fix is to restore the backed-up .htaccess. Also, start in “learning mode” for a day or two so it learns your normal traffic, then it switches to protection automatically.
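Wordfence can write that line for you, but if you prefer to do it by hand (or need to undo it after a 500), the steps above can be scripted. This is an added example, not code from the post or from Wordfence; it assumes Apache honours .htaccess, PHP runs as mod_php (which is what makes php_value a valid directive there), and wordfence-waf.php sits at the path in WAF_PHP.

```shell
#!/bin/sh
# Added example: back up .htaccess, append the auto_prepend_file line once,
# and keep a one-command rollback for the "500 after enabling" case.
# Assumed paths; adjust WAF_PHP to your document root.
WAF_PHP="${WAF_PHP:-/var/www/html/wordfence-waf.php}"
PREPEND_LINE="php_value auto_prepend_file '$WAF_PHP'"

# Copy .htaccess to .htaccess.bak-<timestamp> and print the backup path.
backup_htaccess() {
    bak="$1.bak-$(date +%Y%m%d%H%M%S)"
    cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Append the prepend line exactly once.
# Returns 0 when added, 2 when .htaccess already has an auto_prepend_file line.
enable_waf_prepend() {
    if grep -qF "auto_prepend_file" "$1"; then
        return 2
    fi
    printf '%s\n' "$PREPEND_LINE" >> "$1"
}

# Restore .htaccess from a backup: the fix the post describes for a 500 error.
rollback_htaccess() {
    cp -p "$2" "$1"
}

# After the change, confirm the site still answers with a 2xx/3xx status;
# on anything else (500, timeout) restore the backup. Needs curl and network,
# so it is not invoked automatically here.
verify_or_rollback() {
    url="$1"; ht="$2"; bak="$3"
    code=$(curl -s -o /dev/null -w '%{http_code}' "$url") || code=000
    case "$code" in
        2*|3*) return 0 ;;
        *) rollback_htaccess "$ht" "$bak"; return 1 ;;
    esac
}

# Typical run on the server (uncomment and adjust):
# bak=$(backup_htaccess /var/www/html/.htaccess)
# enable_waf_prepend /var/www/html/.htaccess
# verify_or_rollback https://example.com/ /var/www/html/.htaccess "$bak"
```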

5. Hide the Login Itself (Bonus)

/wp-login.php is an address the whole world knows. A separate plugin lets you move the login to a different path, so the door bots keep knocking on simply disappears. Where you moved it stays secret, of course — that’s the whole point.

Add 2FA on top, with a “remember this device for 7 days” option, and you keep the security without typing a code every time.

In One Line

The free Wordfence tier is enough to defend a personal blog. On the paid-nudge screen, just find the small “OK waiting 30 days” link and it’s $0. Back up .htaccess before the extended firewall, hide the login path, turn on 2FA. It’s not about money — it’s a few clicks.
