How to Migrate From Wordfence to Asteris

Should you migrate from Wordfence to Asteris? Honest answer: probably not entirely. Security is one of the few WordPress categories where redundancy is a feature, not a problem. Most security-conscious sites run two layers: a WAF (Cloudflare, Sucuri at DNS, host WAF) + a WordPress-layer plugin. Wordfence is one of the best WordPress-layer plugins; you can absolutely keep it and add Asteris alongside for passkey 2FA + the other 10 modules.

This guide is structured around three paths, depending on what you actually need:

1. Add Asteris alongside Wordfence (most common) — get passkey 2FA + the other 10 modules; keep Wordfence’s WAF + malware scanner
2. Replace Wordfence with Asteris + Cloudflare/host WAF — if Wordfence’s footprint is hurting performance and you already have a WAF
3. Replace Wordfence entirely (uncommon but valid) — for sites where Wordfence is overkill

See the full Asteris vs Wordfence comparison →

Path 1: Add Asteris alongside Wordfence (recommended for most)

This is what we recommend for most paid Wordfence users. You keep Wordfence’s WAF and malware scanner; you get Asteris’s passkey 2FA + the other 10 modules.

Step-by-step

1. Install Asteris for WordPress (free or paid). Both plugins can be active simultaneously without conflict.
2. Activate the Security + Login + 2FA module in Asteris.
3. Disable Asteris’s brute-force protection — Wordfence is already doing this. Running both creates duplicate lockout logic. WP Admin → Asteris → Security → Brute Force → set to “Disabled (handled by other plugin)”.
4. Disable Wordfence’s 2FA — you’re going to use Asteris’s instead (because passkeys). WP Admin → Wordfence → Login Security → Disable 2FA enforcement.
5. Set up Asteris 2FA — TOTP + WebAuthn passkey. Per-role enforcement if you have multiple users.
6. Leave Wordfence’s file-change monitoring on — Asteris also has it; one or the other is fine. They don’t conflict, just generate duplicate alerts. Pick one.
7. Verify the stack — try a login, get a 2FA challenge from Asteris (the passkey prompt). Confirm Wordfence’s malware scanner is still scheduled. Confirm Wordfence’s WAF is still blocking blocked-IP traffic.

That’s it. ~20 minutes. You now have a layered security stack.

Path 2: Replace Wordfence with Asteris + WAF you already have

Pick this if Wordfence’s WordPress-layer footprint is causing performance issues (Wordfence is heavy) and you already have a WAF in front of WordPress — Cloudflare WAF (even free tier covers most of Wordfence’s WAF use cases), your host’s WAF, or Sucuri at DNS.

Step-by-step

1. Verify your existing WAF is doing its job — check Cloudflare Security Events, host WAF dashboard, or Sucuri reports. If you see attack traffic being blocked, your perimeter is real.
2. Install Asteris and activate Security + Login + 2FA.
3. Configure Asteris to match Wordfence’s settings — brute-force lockout thresholds, IP allow/block lists, country geofence, login hardening.
4. Set up Asteris 2FA — passkey + TOTP, per-role enforcement.
5. Run Asteris’s file-change scan — confirm baseline (no malware in the wild before switching).
6. Disable Wordfence’s blocking features (don’t deactivate yet) — WP Admin → Wordfence → All Options → set Live Traffic to off, Firewall to “Learning Mode”, brute-force off.
7. Wait 24 hours with Asteris’s protections active and Wordfence’s disabled. Watch logs.
8. Deactivate Wordfence in WP Admin → Plugins.
9. Keep Wordfence installed-but-inactive for 30 days as insurance. After 30 days of clean operation, delete.

Path 3: Replace Wordfence entirely (no separate WAF)

Don’t do this without a WAF in front of WordPress. Wordfence’s WAF is the value you’re losing; you need to replace it with another WAF (Cloudflare WAF free tier is the easiest swap).

Step-by-step

1. Set up Cloudflare (or another WAF) in front of your WordPress site. If your DNS is on Cloudflare, enabling the WAF takes ~10 minutes. (Documenting Cloudflare setup is out of scope here; their docs cover it.)
2. Verify Cloudflare WAF is blocking malicious traffic — Security Events panel in the Cloudflare dashboard should show blocked requests.
3. Then follow Path 2 above — replace Wordfence with Asteris + your new WAF.

If you don’t want to set up Cloudflare WAF: don’t deactivate Wordfence. Path 1 (run both) is the safer answer for you.

What you can’t replicate (and how Asteris handles each)

Frequently asked questions

Should I migrate from Wordfence to Asteris? Probably not entirely — security benefits from redundancy. The more common (and recommended) pattern is to add Asteris alongside Wordfence: keep Wordfence’s WAF + malware scanner, gain Asteris’s passkey 2FA + the other 10 modules. Disable Asteris’s brute-force protection (Wordfence is doing it) and Wordfence’s 2FA (use Asteris’s because passkeys).

Can I run Asteris and Wordfence together long-term? Yes. They don’t conflict at the plugin level. Most paid Wordfence users add Asteris alongside for passkey 2FA + the bundled modules. The one rule: don’t enable both plugins’ brute-force protection (pick one). Full hybrid setup guide →

Will I lose Wordfence’s malware scanner if I switch entirely? Yes — Asteris doesn’t ship a malware signature scanner at v1.0 (we have file-change monitoring, which catches malware after it lands but doesn’t proactively scan for known signatures). If proactive malware scanning matters to you, keep Wordfence (run both) or use Patchstack or a host-level scanner.

Will switching break my site? The login hardening migration won’t, if done in the order above (set up Asteris 2FA first, verify, then disable Wordfence’s). The WAF migration could — if you replace Wordfence’s WAF without adding another, attackers can hit your origin. Make sure you have Cloudflare or another WAF live before disabling Wordfence’s WAF.

See the Security module → · Asteris vs Wordfence → · Pricing →