Wordfence is my favorite single WordPress Security Plugin. Wordfence acts as a Firewall, malware scanner, login security & more. It is a freemium Plugin, meaning that you can use it absolutely free, but if you’d like to add some of the additional features, you can upgrade to the Premium Version.
Do keep in mind that if you are on a premium managed WordPress host like WPEngine, they don’t allow this particular Plugin, as it conflicts with some of the security software they already have running on their servers. Most hosting accounts don’t have that problem, however.
LET’S GET STARTED
After activating the Plugin, you’ll get a pop-up modal. Add your email and join the security list. Feel free to take a minute going through the tour.
Let’s Configure Our Options
In your WordPress Admin area, navigate to WORDFENCE > OPTIONS.
- Wordfence is one of the few plugins I actually prefer to have update on its own, so it’s a good idea to check that box.
- Next, ensure that your email where you would like to get notified is there. You can add additional emails separated by commas if needed.
I typically will only leave “Alert on critical problems” checked so as not to get too many emails. This notifies you when there are any updates that need to be managed or if the scan finds any files that don’t appear correct. If you need to know when certain users log in to the site, you can leave those alerts on; however, I find that in most cases I’d rather let a separate program handle who’s logging in and doing what. I like Activity Log for this.
The only other alert I generally leave is to be notified in the event that there is a large increase in site attacks so that I can see who’s attempting it and what they are attempting.
Configuring What Wordfence Scans
I tend to have everything checked here. It doesn’t hurt to have it scan Themes & Plugins for version changes and even look for potentially malicious files outside of the WordPress directories. The only thing I’ll generally disable is “Enable HIGH SENSITIVITY scanning.” Like it says, it may give false positives, and I feel it does a good enough job without it.
Rate Limiting Rules
These are the standard settings for a lot of my set-ups; depending on a particular site and its server resources, I might choose to lower the numbers. The one I really tighten down is “If 404s for known vulnerable URLs exceed”. I feel that if something is requesting a known vulnerable URL, then it is up to no good and I’m happy to block it right then and there. Finally, I’ll set 1 month for “How long is an IP address blocked when it breaks a rule”, as it’s the longest setting available.
Login Security Options
There are a few user names that a lot of bots tend to try, so by default, I’ll add the following few.
In addition, many bots try the site name as a user name, so I’ll generally add that as well. So for this website, I’ll add “wpdoityourself” as a user name to immediately block if someone attempts it.
How active your site is, and whether users are allowed to have accounts on it, determines the number of login failures to allow. If it’s a site that only I will be logging into, I’ll set the number all the way down to 1, since I use LastPass to manage my passwords and I also have my IP whitelisted, so even in the event I did get it wrong, Wordfence won’t count it against me at that IP. For sites that have other users, I’ll be more lenient on how many failed attempts they can have. Usually 8 failed attempts within 6 hours will get the person or bot blocked for 60 days.
Under Other Options, I always add my IP to the Whitelisted IP fields. Replace the 184.108.40.206 placeholder in the fields below with your actual IP. If you don’t know your IP, you can simply Google “IP” and it will tell you the IP of the computer you made the request from.
Here’s where I tend to get really aggressive. In the field labeled “Immediately block IPs that access these URLs”, I have a whole bunch of paths that I’ve watched hackers attempt to test over the years. My personal list can be a little too aggressive to share as a standard list, since I specifically block some Plugin and Theme URLs that I know I never use. However, if you were to use any of those, you could inadvertently block out nearly everyone coming to your site. A lesser version of my standard file will be available below.
Other Options – Continued
Only a few things get changed here. Make sure the following get checked.
- Hide WordPress version
- Block IPs who send POST requests with blank User-Agent and Referer
- Disable Code Execution for Uploads directory
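To make the rules above concrete, here is an added example (my own code, not Wordfence’s) that runs three of them over constructed access-log lines: the immediate-block URL list, the “POST with blank User-Agent and Referer” rule, and the 8-failures-in-6-hours login limit with a whitelisted IP exempted. The blocked path, the whitelisted IP, and all log lines are placeholders I made up; the “non-redirect login POST = failed login” test is a heuristic of mine, not something the page states.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder lists: fill in the paths/IPs you actually use (none of these come from the page).
IMMEDIATE_BLOCK_URLS = {"/placeholder-never-used-plugin/"}
WHITELISTED_IPS = {"198.51.100.7"}          # your own IP, as in the "Whitelisted IP" field
MAX_LOGIN_FAILURES, LOGIN_WINDOW = 8, timedelta(hours=6)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse(line):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def evaluate(lines):
    """Return {ip: reason} for every IP the three rules would block."""
    blocked, failures = {}, defaultdict(list)
    for line in lines:
        r = parse(line)
        if not r or r["ip"] in WHITELISTED_IPS or r["ip"] in blocked:
            continue
        if r["method"] == "POST" and r["ua"] in ("", "-") and r["referer"] in ("", "-"):
            blocked[r["ip"]] = "POST with blank User-Agent and Referer"
        elif r["path"].split("?")[0] in IMMEDIATE_BLOCK_URLS:
            blocked[r["ip"]] = "accessed immediately-blocked URL"
        elif r["method"] == "POST" and r["path"].startswith("/wp-login.php") and not r["status"].startswith("3"):
            # Heuristic (assumption): WordPress answers a successful login with a 302 redirect,
            # so a non-3xx response to a login POST is counted as a failed attempt.
            hist = [t for t in failures[r["ip"]] if r["ts"] - t <= LOGIN_WINDOW] + [r["ts"]]
            failures[r["ip"]] = hist
            if len(hist) >= MAX_LOGIN_FAILURES:
                blocked[r["ip"]] = f"{len(hist)} failed logins within {LOGIN_WINDOW.seconds // 3600} hours"
    return blocked

def _line(ip, ts, method, path, status, ref, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "{ref}" "{ua}"'

SAMPLE_LOG = [  # constructed sample traffic, not a real log
    _line("203.0.113.5", "10/Oct/2023:13:55:36 +0000", "POST", "/xmlrpc.php", 200, "-", "-"),
    _line("203.0.113.9", "10/Oct/2023:13:56:01 +0000", "GET", "/placeholder-never-used-plugin/", 404, "-", "Mozilla/5.0"),
    *[_line("203.0.113.20", f"10/Oct/2023:14:{i:02d}:00 +0000", "POST", "/wp-login.php", 200, "https://example.com/wp-login.php", "Mozilla/5.0") for i in range(8)],
    *[_line("198.51.100.7", f"10/Oct/2023:15:{i:02d}:00 +0000", "POST", "/wp-login.php", 200, "https://example.com/wp-login.php", "Mozilla/5.0") for i in range(9)],
]
```

Running `evaluate(SAMPLE_LOG)` blocks the first three addresses and leaves the whitelisted one alone, even though it failed nine logins.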
Immediately block IPs that access these URLs:
Here’s the condensed version of what I use. I removed all of the Theme and Plugin specific ones to make it more site-friendly. Do use at your own risk, however it should be safe for most sites.