Hi @niksap, thanks for your question.
If there are any Premium-specific questions you wish to ask, please contact our excellent team at presales @ wordfence . com. As these forums are kindly provided for our free product by www.ads-software.com, we can’t discuss any perceived benefits or go into its features in more detail here.
I can mention that the WAF on Wordfence Free protects against XSS vulnerabilities amongst other things like malicious file uploads and directory traversal: https://www.wordfence.com/help/firewall/
wp-config.php can be moved outside of your site’s public folder, although Wordfence looks at the intent of a human/bot interaction with your site, so may block suspicious or excessive requests to a page like this. A normal request to this page should show a blank page for this file when requested in a browser anyway.
Although it is something that many people swear by, and can help a little in certain situations, we don’t find hiding the login URL to be particularly beneficial. Over half of all login attempts that are made on WordPress sites are made via xmlrpc.php.
Those requests will not be stopped by changing your admin URL. Our Wordfence Login Security and Wordfence plugins offer the option to block XML-RPC or at least require 2FA with authentication requests using XML-RPC on the Login Security > Settings page.
What we recommend as a basic means of reducing login attempts is to use the Wordfence > All Options > Brute Force Protection settings and to block XML-RPC (as above). Also, using the 2FA functionality that’s available in Wordfence and other plugins will greatly reduce the risk of a compromise.
We don’t encourage DISALLOW_FILE_MODS, as we recommend plugins, themes and WordPress itself are always up-to-date with their latest security updates. Enabling this would remove the plugin update/installation links.
Thanks,
Peter.
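
The reply's point about xmlrpc.php can be checked against a site's own access log. The script below is an added example, not part of the original reply and not Wordfence code: it counts POST requests to xmlrpc.php and wp-login.php in a combined-format log, and the sample lines, the `summarize` function and its return shape are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1820 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1820 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:10:00:05 +0000] "POST /blog/xmlrpc.php?x=1 HTTP/1.1" 403 150 "-" "-"
192.0.2.9 - - [10/Mar/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ENDPOINTS = ("xmlrpc.php", "wp-login.php")


def summarize(log_text):
    """Count POSTs per login-capable endpoint and per (client IP, endpoint).

    Access logs do not record the POST body, so the xmlrpc.php count is an
    upper bound on authentication attempts (it also includes pingbacks etc.).
    """
    per_endpoint = Counter()
    per_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST requests
        # Drop the query string and any subdirectory prefix; keep the script name.
        script = m["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if script in ENDPOINTS:
            per_endpoint[script] += 1
            per_ip[(m["ip"], script)] += 1
    total = sum(per_endpoint.values())
    share = per_endpoint["xmlrpc.php"] / total if total else 0.0
    return per_endpoint, per_ip, share


if __name__ == "__main__":
    endpoints, ips, share = summarize(SAMPLE_LOG)
    print(dict(endpoints), f"xmlrpc share of POSTs: {share:.0%}")
    for (ip, script), n in ips.most_common(5):
        print(f"{n:5d}  {ip}  {script}")
```

A high xmlrpc.php share on a real log means renaming the login URL leaves most of that traffic untouched, which is the case for blocking XML-RPC or requiring 2FA on it.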