How to Configure Wordfence Security Plugin for WordPress

WordPress websites are being attacked every day. Statistics show that more than 70% of WordPress sites are vulnerable to attack. There are several security measures and tweaks one can implement to protect his site. Installing a security plugin can help protect your blog in a great way.  In this article we will discuss one such security plugin Wordfence: Wordfence security plugin is the most downloaded(8,918,933 times at the time of writing this article)  security plugin for WordPress websites.  Let’s see some of its salient features-

• offers Brute-force login protection
• Scans files inside and outside WordPress installation for the known viruses, malware, trojan, and backdoor.
• Compare plugins and open source themes and WordPress core files against WordPress.org originals.
• Prevent Double Dos attacks and scan your site for HeartBleed vulnerability
• Offers firewall and checks for weak passwords

Read How to install a plugin in WordPress (A pictorial guide for beginners)

Setting Up Wordfence Security Options

After installing the Wordfence plugin Go to Dashboard>>Wordfence>>Options. You will get 2 types of options there – Basic Options and Advanced Options

Basic Options

• The first option is Enable firewall: Make sure the box is checked otherwise you will not get crucial functions of this plugin like brute force protection and two-factor authentication.
• Enable Login Security: Make sure the box is checked. It enables all security options such as locking users out after a defined number of login failures.
• Enable Live Traffic View: If you have a low-cost hosting plan and don’t have sufficient resources, Uncheck the box as it might affect the loading speed of the page. I have enabled it on my site as my server has sufficient resources.
• Enable automatic scheduled scans: Disable it as it’s better to perform such actions manually. You can scan manually whenever you want. 
• Update Wordfence automatically when a new version is released.: Keeping Wordfence updated is important as it makes sure that your site is protected from the latest web threats. It’s better to update manually if you often log into the dashboard.
• Where to email alerts: Very important basic option. Enter the email address that you most often use. You can enter multiple email addresses separated using commas. You will get a notification when someone logs into your Dashboard.
• Security Level: The drop-down list has different 5 security levels. Recommended is LEVEL 2 security i.e. Medium protection. This setting will be automatically labeled as Custom Settings when you make changes in advanced login security options.
• How Wordfence gets IPs: Let Wordfence decide it. Select option 1 because it makes a good combination of security and compatibility.

Advanced Options

Advance options are to provide more control over basic options.

• Alerts: Check all the options as shown in the picture below.

• Email Summary and Live Traffic View: No change
• Scans to include: Uncheck the 3rd option i.e. Scan theme files against repository versions for changes because it makes no sense when you are using a commercial theme and have edited it. The same goes for plugins. Also, uncheck the box where it says –Scan files outside your WordPress installation Because it may take a long time to scan files outside the WordPress installation. It may affect your website and user experience very badly.  See recommended scan setting in the picture below.

• Firewall rules:  No change
• Login Security options: These settings are crucial for WordPress site security. See the settings below in the picture and understand these options.

1. Enforce strong password – It’s pretty self-explanatory.
2. Lock out after how many failures – It is the number of login retries you want to offer to the user. Suppose you set it to 5, then a user can attempt up to 5 login failures and after 5 failed login attempts the Wordfence will lock out his IP address. It’s common to forget passwords so set it at least 4-5 so that you don’t get locked out yourself. This option prevents Brute force attacks.
3. Lock out after how many forgot password attempts-  It is the number of times a user can use forgot password form. 5 is sufficient for most sites.
4. Amount of time a user is locked out This indicates how long an IP address will stay locked out when Wordfence locks them out. This option can drastically reduce the number of brute-force attacks.
5. Immediately lock out invalid usernames – This can be a great security option. It will immediately lock out the IP address of someone trying to log in with an invalid username. Remember that It can cause inconvenience because even a real user may miss-type the username. So don’t get locked out yourself by checking this checkbox.

• Other options: No change

So these were some important Wordfence security settings. As Wordfence is a complete security package, there are some other advanced Wordfence features you might like –

Advance blocking

Using this feature, you can block a range of IP addresses by entering the IP address range and the reason you are blocking as shown in the picture below.

Country Blocking

This option can be used when you know from which specific region the attackers are compromising the security of your WordPress website. You can block out any country.

Cell Phone Sign-in (Two-factor authentication)

It’s the same as we use in banking. The Wordfence will send a unique code on your cell phone and only you will be able to get in as you have the code to verify. To avail of this feature go to Dasboard>>Wordfence>>Cellphone Sign-in and activate cellphone sign-in.

This was all for this article. Thanks for visiting my blog. Share it if you find it useful.