In your WordPress dashboard go to Plugins > Add new. Search for Wordfence then install and activate it. Go to Wordfence > All Options. Scroll to Import/Export Options at the bottom and click the button.
Next, copy and paste the following saved Wordfence configuration token (a set of options recommended by security specialists) into the import box and click Import Wordfence Options:
Next, in the top yellow bar click Resume Installation, enter the email address where you want to receive security alerts from Wordfence, and click Continue. If you don’t have a Wordfence premium license, just click No Thanks on the next screen.
Next up, let’s enable the firewall in Wordfence. In your WordPress dashboard, go to Wordfence > Firewall and click Enable Firewall. Now click Manage WAF:
Under Basic Firewall Options, set Web Application Firewall Status to Learning Mode and set Automatically enable on to a date 7 days out, so Wordfence can observe your site’s normal traffic before it starts blocking requests.
Extended Wordfence Protection
Finally, we’ll enable extended protection and have Wordfence load before WordPress does, so that no vulnerable or malicious code can run before the Wordfence firewall is loaded. If Wordfence presents you with a message to download a backup of your .htaccess file, simply do so and click Continue.
On the next screen, Wordfence will detect your server configuration and ask you to download backups of your .htaccess and .user.ini files in case anything goes wrong during the setup. Download the two files in a backup folder on your computer and click Continue.
Congratulations! You’re done installing and setting up Wordfence.
A few things about Wordfence
Wordfence’s greatest strengths, among many, are its firewall and its automatic scanner, which alerts you when it finds anything out of the norm, including file changes, so you can investigate. You’ll get false positives such as changes to style.css and readme.txt files, but once you’re sure there is nothing suspicious about a change you can set it to Always ignore so the same false positive doesn’t keep coming back. Never ignore PHP files, though.
The files to watch are your PHP files, which is where hackers insert malicious code that will do their bidding. You don’t have to do this every time, but if you suspect there has been a breach, check the modified files: go to Wordfence > Scan, look at the list of warnings, click Details and then View Differences.
This shows you a “before” (left pane) and “after” (right pane) view of the file; scroll through and look at the highlighted changes. What you’re looking for is code added on the right where none existed on the left, which often contains “eval”, “base64” or “46esab” (base64 spelled backwards), usually followed by a long string of letters and digits: that string is the encoded malicious code. That’s the culprit.
If you do find such a suspicious string inserted, you may use a base64 decoder online to read what it was programmed to do (read the decoded output, never run it). If you’re no longer using the infected plugin or theme, just delete it. If you are, go back to your Wordfence Scan screen and click Restore the original version of this file.
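The inspection the last two paragraphs describe, as an added example that is not part of the original article and is not Wordfence’s own code: a small Python script that walks PHP source the way you would read the “after” pane, flags lines carrying the eval / base64 / 46esab markers, and decodes any long base64 blob on a flagged line for reading only (the decoded text is never executed). It goes slightly beyond the page by also matching a few common obfuscation helpers (gzinflate, str_rot13, assert). The token list, the 40-character blob threshold, the file paths and the sample file contents are all constructed for this example.

```python
import base64
import re
from dataclasses import dataclass

# Markers the article tells you to look for in the "after" pane of a Wordfence
# diff, plus a few common obfuscation helpers. Matching is case-insensitive.
SUSPICIOUS_TOKENS = ("eval(", "base64_decode", "46esab", "gzinflate", "str_rot13", "assert(")

# A run of base64 characters long enough to be an encoded payload rather than an
# ordinary identifier. The threshold of 40 is a constructed choice for this example.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    path: str
    line_no: int
    line: str
    tokens: list
    decoded_preview: str = ""


def decode_preview(blob: str, limit: int = 80) -> str:
    """Decode a base64 blob so a human can read it. The result is never executed."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    text = raw.decode("utf-8", errors="replace")
    # Replace non-printable characters so the preview is safe to print in a terminal.
    return "".join(ch if ch.isprintable() else "." for ch in text)[:limit]


def scan_php_source(path: str, source: str) -> list:
    """Return one Finding per line of `source` that carries a suspicious token."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        lowered = line.lower()
        tokens = [t for t in SUSPICIOUS_TOKENS if t in lowered]
        if not tokens:
            continue
        finding = Finding(path, line_no, line.strip(), tokens)
        blob = BASE64_BLOB.search(line)
        if blob:
            finding.decoded_preview = decode_preview(blob.group(0))
        findings.append(finding)
    return findings


def scan_files(files: dict) -> dict:
    """Scan a {path: source} mapping; paths with no findings are omitted."""
    report = {}
    for path, source in files.items():
        hits = scan_php_source(path, source)
        if hits:
            report[path] = hits
    return report


# Constructed sample files standing in for the "after" side of a Wordfence diff.
# The payload is a harmless echo so the example stays safe to run anywhere.
PAYLOAD_B64 = base64.b64encode(b"echo 'constructed sample payload';").decode()

SAMPLE_FILES = {
    "wp-content/themes/example/functions.php": (
        "<?php\n"
        "// Last updated: 2024-01-01 (trivial date change, nothing to act on)\n"
        "add_action('init', 'example_setup');\n"
    ),
    "wp-content/plugins/example/example.php": (
        "<?php\n"
        "function example_hook() { return true; }\n"
        "eval(base64_decode('" + PAYLOAD_B64 + "'));\n"
    ),
    "wp-content/plugins/example/helper.php": (
        "<?php\n"
        "$f = strrev('edoced_46esab');  // reversed function name\n"
        "$f('...');\n"
    ),
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path)
        for h in hits:
            print(f"  line {h.line_no}: {', '.join(h.tokens)}")
            if h.decoded_preview:
                print(f"    decoded: {h.decoded_preview}")
```

Point `scan_files` at the contents of files you copied out of the “after” pane (or at a copy of the theme or plugin directory) and read the decoded preview the same way you would read the output of an online decoder. The trivial date change in the theme file produces no finding, which matches the article’s advice that such changes are safe to ignore; the two plugin files are reported, including the reversed-name trick that hides the literal `base64_decode` string.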
At this point, check whether the hacker was able to create a new admin user under WordPress > Users, and regenerate the salts/keys in your wp-config.php file. You’ll find an official link for generating new ones in the comments of the Authentication Unique Keys and Salts section inside wp-config.php. Update plugins and themes if you haven’t already done so.
If you see that the change is just a trivial Date update or something similar, then you can safely click Ignore until the file changes.