Wordfence is my favorite single WordPress Security Plugin. Wordfence acts as a Firewall, malware scanner, login security & more. It is a freemium Plugin meaning that you can use it absolutely free, but if you’d like to add some of the additional features, you can upgrade to the Premium Version.
Do keep in mind that if you are on a premium managed WordPress service like WPEngine, they don’t allow this particular Plugin, as it conflicts with some of the security software they already have running on their servers. Most hosting accounts don’t have that problem, however.
LET’S GET STARTED
After activating the Plugin, you’ll get a pop-up modal. Add your email and join the security list. Feel free to take a minute going through the tour.
Let’s Configure Our Options
In your WordPress Admin area, navigate to WORDFENCE > OPTIONS.
- Wordfence is one of the few plugins I actually prefer to have update on its own, so it’s a good idea to check that box.
- Next, ensure that your email where you would like to get notified is there. You can add additional emails separated by commas if needed.
I typically will only leave “Alert on critical problems” checked so as not to get too many emails. This notifies you when there are any updates that need to be managed or if it finds any files that don’t appear correct. If you need to know when certain users log in to the site, you can leave those on; however, I find that in most cases I’d rather let a separate program handle who’s logging in and doing what. I like Activity Log for this.
The only other alert I generally leave is to be notified in the event that there is a large increase in site attacks so that I can see who’s attempting it and what they are attempting.
Configuring What Wordfence Scans
I tend to have everything checked here. It doesn’t hurt to have it scan Themes & Plugins for version changes and even look for potential malicious files outside of the WordPress directories. The only thing I’ll generally disable is “Enable HIGH SENSITIVITY scanning.” As the label says, it may give false positives, and I feel it does a good enough job without it.
Rate Limiting Rules
These are my standard settings for most set-ups, though depending on a particular site and its server resources I might choose to lower the numbers. The one I really nail down is “If 404s for known vulnerable URLs exceed”. I feel that if something is requesting a known vulnerable URL, it is up to no good, and I’m happy to block it right then and there. Finally, I’ll set “How long is an IP address blocked when it breaks a rule” to 1 month, as it’s the longest setting available.
Login Security Options
There are a few user names that a lot of bots tend to try, so by default, I’ll add the following few.
In addition, many bots attempt the site name, so I’ll generally add that as well. So for this website, I’ll add “wpdoityourself” as a user name to immediately block if someone attempts it.
How active your site is, and whether users are allowed to have accounts on it, will determine the number of login failures to allow. If it’s a site that only I will be logging into, I’ll set the number all the way down to 1, since I use LastPass to manage my passwords and I also have my IP whitelisted, so even in the event I did get it wrong, Wordfence won’t count it against me at that IP. For sites that have other users, I’ll be more lenient on how many failed attempts they can have. Usually 8 failed attempts within 6 hours will get the person or bot blocked for 60 days.
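To make the login-failure rules above concrete, here is an added example (my own illustration, not Wordfence code) of the same policy in Python: whitelisted IPs never accrue failures, a login attempt with a banned username is blocked on the spot, and 8 failures within a 6-hour window block the IP for 60 days. The IP addresses, usernames and timestamps are constructed for the demo; the window and lockout values are the ones quoted in this post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Values from the post: 8 failures within 6 hours -> block for 60 days.
MAX_FAILURES = 8
FAILURE_WINDOW = timedelta(hours=6)
BLOCK_DURATION = timedelta(days=60)


class LoginGuard:
    """Sliding-window login lockout with an IP whitelist and banned usernames."""

    def __init__(self, whitelist, banned_usernames, max_failures=MAX_FAILURES,
                 window=FAILURE_WINDOW, block_for=BLOCK_DURATION):
        self.whitelist = [ipaddress.ip_network(n) for n in whitelist]
        self.banned = {u.lower() for u in banned_usernames}
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime when the block expires

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                     # block has expired; forget it
            del self.blocked_until[ip]
            return False
        return True

    def _block(self, ip, now):
        self.blocked_until[ip] = now + self.block_for
        self.failures.pop(ip, None)

    def record_attempt(self, ip, username, success, now):
        """Return 'allowed', 'failed' or 'blocked' for one login attempt."""
        if self.is_whitelisted(ip):         # whitelisted IPs are never counted
            return "allowed" if success else "failed"
        if self.is_blocked(ip, now):
            return "blocked"
        if username.lower() in self.banned:  # "immediately block" usernames
            self._block(ip, now)
            return "blocked"
        if success:
            self.failures.pop(ip, None)      # a good login clears the counter
            return "allowed"
        window = self.failures[ip]
        window.append(now)
        cutoff = now - self.window
        while window and window[0] < cutoff:  # drop failures outside the window
            window.popleft()
        if len(window) >= self.max_failures:
            self._block(ip, now)
            return "blocked"
        return "failed"


def simulate():
    """Constructed scenario (hypothetical IPs/users); returns each probe's outcome."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    guard = LoginGuard(whitelist=["203.0.113.10"],
                       banned_usernames=["admin", "wpdoityourself"])
    out = {}
    # Whitelisted editor mistypes the password 20 times: never blocked.
    for i in range(20):
        guard.record_attempt("203.0.113.10", "editor", False, t0 + timedelta(minutes=i))
    out["whitelisted_blocked"] = guard.is_blocked("203.0.113.10", t0 + timedelta(hours=1))
    # Bot tries a banned username once: blocked immediately.
    out["banned_user"] = guard.record_attempt("198.51.100.7", "admin", False, t0)
    # Bot inside the window: the 7th failure is tolerated, the 8th blocks.
    results = [guard.record_attempt("198.51.100.8", "editor", False,
                                    t0 + timedelta(minutes=i)) for i in range(8)]
    out["seventh_failure"], out["eighth_failure"] = results[-2], results[-1]
    # Still blocked on day 59, free again after day 60.
    out["blocked_day59"] = guard.is_blocked("198.51.100.8", t0 + timedelta(days=59))
    out["blocked_day61"] = guard.is_blocked("198.51.100.8", t0 + timedelta(days=61))
    # Slow attacker: 8 failures spread one hour apart never fill the 6-hour window.
    slow = [guard.record_attempt("198.51.100.9", "editor", False,
                                 t0 + timedelta(hours=i)) for i in range(8)]
    out["slow_attacker"] = slow[-1]
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

The last scenario is the trade-off the post hints at: a slow, patient bot that spaces attempts out past the window is not caught by this rule alone, which is why the post also leans on whitelisting and on blocking obviously bad usernames.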
Under Other Options, I always add my IP to the Whitelisted IP fields. Replace the 126.96.36.199 fields below with your actual IP. If you don’t know your IP, you can simply Google “IP” and it will tell you the IP of the computer you made the request from.
Here’s where I tend to get really aggressive. In the field labeled “Immediately block IPs that access these URLs”, I have a whole bunch of paths that I’ve been watching hackers attempt to test over the years. My personal one can be a little too aggressive for a standard list to share, since I specifically block some Plugin and Theme URLs that I know I never use. However, if you were to use any of those, you could inadvertently block out nearly everyone coming to your site. A lesser version of my standard file will be available below.
Other Options – Continued
Only a few things get changed here. Make sure the following get checked.
- Hide WordPress version
- Block IPs who send POST requests with blank User-Agent and Referer
- Disable Code Execution for Uploads directory
Immediately block IPs that access these URLs:
Here’s the condensed version of what I use. I removed all of the Theme and Plugin specific ones to make it more site-friendly. Do use at your own risk, however it should be safe for most sites.
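The three request-level rules discussed above (the “404s for known vulnerable URLs” rate limit, the “Immediately block IPs that access these URLs” list, and blocking POST requests with a blank User-Agent and Referer) all work the same way: evaluate each access-log record against a rule and record a timed block. This added Python example (mine, not Wordfence’s code) replays those rules over a constructed combined-format access log. The block list entries are hypothetical plugin and theme names, the 404-per-minute threshold is an assumption since the post doesn’t give its number, and plugin/theme paths stand in for Wordfence’s internal list of known vulnerable URLs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache/Nginx; "-" stands for an empty field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed stand-ins for the post's block list (hypothetical names, not real plugins).
IMMEDIATE_BLOCK_PREFIXES = ("/wp-content/plugins/hypothetical-unused-plugin/",
                            "/wp-content/themes/hypothetical-unused-theme/")
# Which 404s count toward the "known vulnerable URLs" limit. Wordfence keeps its own
# internal list; plugin and theme paths are used here as a constructed stand-in.
VULN_404_PREFIXES = ("/wp-content/plugins/", "/wp-content/themes/")
MAX_VULN_404_PER_MINUTE = 5            # assumed threshold; the post doesn't give its number
BLOCK_DURATION = timedelta(days=30)    # "1 month", the longest setting named in the post


def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


class RequestFirewall:
    def __init__(self):
        self.vuln_404s = defaultdict(deque)   # ip -> timestamps of counted 404s
        self.blocked = {}                     # ip -> (reason, blocked_until)

    def _block(self, ip, ts, reason):
        self.blocked[ip] = (reason, ts + BLOCK_DURATION)
        self.vuln_404s.pop(ip, None)
        return "blocked"

    def evaluate(self, rec):
        """Apply the rules in order; return 'allowed' or 'blocked'."""
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if ip in self.blocked and ts < self.blocked[ip][1]:
            return "blocked"
        # Rule: block IPs who send POST requests with blank User-Agent and Referer.
        if rec["method"] == "POST" and rec["ua"] in ("", "-") and rec["referer"] in ("", "-"):
            return self._block(ip, ts, "blank POST User-Agent and Referer")
        # Rule: immediately block IPs that access these URLs.
        if path.startswith(IMMEDIATE_BLOCK_PREFIXES):
            return self._block(ip, ts, "immediate-block URL")
        # Rule: if 404s for known vulnerable URLs exceed N per minute, block.
        if rec["status"] == 404 and path.startswith(VULN_404_PREFIXES):
            q = self.vuln_404s[ip]
            q.append(ts)
            while q and q[0] < ts - timedelta(minutes=1):   # keep a one-minute window
                q.popleft()
            if len(q) > MAX_VULN_404_PER_MINUTE:
                return self._block(ip, ts, "404 rate for known vulnerable URLs")
        return "allowed"


def make_line(ip, ts, method, path, status, referer="-", ua="Mozilla/5.0 (constructed)"):
    """Build a constructed combined-format log line for the demo."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "{referer}" "{ua}"'


def run_constructed_log():
    """Feed a constructed access log through the firewall; return per-IP outcomes."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [
        # Ordinary visitor: one stray 404 under /wp-content/plugins/ is well under the limit.
        make_line("203.0.113.5", t0, "GET", "/", 200),
        make_line("203.0.113.5", t0 + timedelta(seconds=3), "GET",
                  "/wp-content/plugins/hypothetical-probe-0/", 404),
        # Hits a path on the immediate-block list; the next request is refused too.
        make_line("198.51.100.20", t0, "GET",
                  "/wp-content/plugins/hypothetical-unused-plugin/readme.txt", 404),
        make_line("198.51.100.20", t0 + timedelta(seconds=1), "GET", "/", 200),
        # POST with blank User-Agent and Referer.
        make_line("198.51.100.22", t0, "POST", "/wp-login.php", 200, referer="-", ua="-"),
    ]
    # Seven 404s in 30 seconds: the sixth exceeds the per-minute threshold.
    lines += [make_line("198.51.100.21", t0 + timedelta(seconds=5 * i), "GET",
                        f"/wp-content/plugins/hypothetical-probe-{i}/", 404) for i in range(7)]
    fw = RequestFirewall()
    decisions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            decisions[rec["ip"]].append(fw.evaluate(rec))
    reasons = {ip: reason for ip, (reason, _) in fw.blocked.items()}
    return dict(decisions), reasons


if __name__ == "__main__":
    decisions, reasons = run_constructed_log()
    for ip, outcome in decisions.items():
        print(ip, outcome, reasons.get(ip, "not blocked"))
```

The ordering of the rules matters in practice: an address already under a block is refused before any counter is touched, and the immediate-block list fires on a single request regardless of status code, which is exactly why the post warns that listing a plugin or theme path you actually use would lock out legitimate visitors.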
The plugin will secure WordPress for sure, but will it block bots from attacking the Login System? I have heard of a Plugin which changes the login URL to the Blog’s backend, and only the owner of the blog knows about the URL and is able to access it. Also suggested is to install a plugin to control Blog Comment spam, as when a website becomes popular it gets spam bots also, which need to be managed from Day 1.
Hi wqpasekw. Unfortunately, that’s one thing it doesn’t do. There are different ways to handle this depending on your site’s specific needs, however. If only yourself or a small number of people should ever access the login page, you can block all IPs to the login page and only allow the specific ones you want to allow through. This method isn’t very scalable though, so if you do want to allow visitors access to your login page, but just want to keep it from being an easy attack page, you can change the URL to the login page. You can use a Plugin like Custom Login URL; however, it hasn’t been updated in a year. That doesn’t mean it won’t work, but there’s no telling if it’s going to continue being developed or not.
Another nice feature-rich security Plugin called iThemes Security allows for changing your Login URL. The thing to keep in mind is that if you allow your users the opportunity to log in, they will be able to see the changed login URL and can then attack it the same as they would the normal login page. It will help reduce a lot of the bots that are only looking for the standard login address, though.