Overview

This article guides you through installing and configuring Wordfence with the settings Conetix recommends. Wordfence adds an additional layer of security to your WordPress-based website through features such as brute-force login detection and malware scanning.

Instructions

  1. Log in to WordPress as an Administrator user.
  2. Go to Plugins -> Add New.
  3. Using the search bar on the right, search for ‘Wordfence’.
  4. Click “Install Now”, then “Activate” once the installation finishes.
  5. Once Wordfence is activated, a new Wordfence menu item appears in the WordPress admin sidebar; its settings pages are where the remaining steps are carried out.
  6. Conetix recommends the settings below. They are tuned to keep the site protected while working efficiently on our hosting systems.

Configure Email Alert Preferences

  1. Expand Email Alert Preferences
  2. Disable the below options:
    • Email me when Wordfence is automatically updated
    • Alert me with scan results of this severity level or greater
    • Alert when an IP address is blocked
    • Alert when someone is locked out from login
    • Alert when someone is blocked from logging in for using a password found in a breach
    • Alert when the “lost password” form is used for a valid user
    • Alert me when someone with administrator access signs in
    • Alert me when a non-admin user signs in
    • Alert me when there’s a large increase in attacks detected on my site
  3. Enable the below options:
    • Email me if Wordfence is deactivated
    • Email me if the Wordfence Web Application Firewall is turned off
  4. Click “Save Changes”

Configure Activity Report

  1. Expand Activity Report
  2. Turn off “Enable email summary”
  3. Click “Save Changes”

Configure Advanced Firewall Options

  1. Expand Advanced Firewall Options
  2. Under “Whitelisted services”, enable “ManageWP”
  3. Click “Save Changes”

Configure Brute Force Protection

  1. Expand Brute Force Protection
  2. Enable Brute Force Protection
  3. Set “Lock out after how many login failures” to 5
  4. Set “Lock out after how many forgot password attempts” to 5
  5. Set “Count failures over what time period” to 5 Minutes
  6. Set “Amount of time a user is locked out” to 1 Hour
  7. Set “Immediately lock out invalid usernames” to Off (when this is On, a single attempt with a mistyped or non-existent username locks the source IP for the full lockout period; with it Off, such attempts still count towards the failure threshold above)
  8. Enable “Prevent the use of passwords leaked in data breaches” and set to “For admins only”
  9. Enable “Enforce strong passwords” and set to “Force admins and publishers to use strong passwords”
  10. Enable “Don’t let WordPress reveal valid users in login errors”
  11. Enable “Prevent users registering ‘admin’ username if it doesn’t exist”
  12. Enable “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”
  13. Disable “Block IPs who send POST requests with blank User-Agent and Referer”
  14. Enable “Check password strength on profile update”
  15. Enable “Participate in the Real-Time Wordfence Security Network”
  16. Click “Save Changes”
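To make the numbers in the Brute Force Protection steps concrete, the following is an added Python model of the policy they describe (five login failures or five forgot-password attempts from one IP within a five-minute window lock that IP for one hour, with invalid usernames counted as ordinary failures because “Immediately lock out invalid usernames” is Off). It is an illustration written for this article, not Wordfence's own code; the class and function names and the sample events are constructed for the example, and the IP addresses are from documentation ranges.

```python
"""Model of the Brute Force Protection settings recommended above.

Added illustration, not Wordfence's implementation: failures are tracked per
source IP, counted over a sliding window, and the IP is locked once the
threshold is reached.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values taken from the Brute Force Protection steps above.
MAX_LOGIN_FAILURES = 5                 # "Lock out after how many login failures"
MAX_FORGOT_ATTEMPTS = 5                # "Lock out after how many forgot password attempts"
COUNT_WINDOW = timedelta(minutes=5)    # "Count failures over what time period"
LOCKOUT_DURATION = timedelta(hours=1)  # "Amount of time a user is locked out"


class LockoutPolicy:
    def __init__(self, lock_invalid_usernames_immediately=False):
        # False matches "Immediately lock out invalid usernames: Off".
        self.lock_invalid = lock_invalid_usernames_immediately
        self.login_failures = defaultdict(deque)   # ip -> failure timestamps
        self.forgot_attempts = defaultdict(deque)  # ip -> forgot-password timestamps
        self.locked_until = {}                     # ip -> datetime lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def _count_and_maybe_lock(self, bucket, ip, now, limit):
        # Sliding window: record this event, drop anything older than COUNT_WINDOW,
        # then lock the IP if the remaining count reaches the limit.
        q = bucket[ip]
        q.append(now)
        while q and now - q[0] > COUNT_WINDOW:
            q.popleft()
        if len(q) >= limit:
            self.locked_until[ip] = now + LOCKOUT_DURATION
            q.clear()
            return True
        return False

    def login_failure(self, ip, now, username_exists=True):
        """Return True if the IP is locked out after this failed login."""
        if self.is_locked(ip, now):
            return True
        if not username_exists and self.lock_invalid:
            self.locked_until[ip] = now + LOCKOUT_DURATION
            return True
        # With the option Off, a bad username is just another failed attempt.
        return self._count_and_maybe_lock(self.login_failures, ip, now, MAX_LOGIN_FAILURES)

    def forgot_password(self, ip, now):
        """Forgot-password attempts have their own counter and threshold."""
        if self.is_locked(ip, now):
            return True
        return self._count_and_maybe_lock(self.forgot_attempts, ip, now, MAX_FORGOT_ATTEMPTS)


def replay(events, lock_invalid_usernames_immediately=False):
    """Run (timestamp, ip, kind, username_exists) events through the policy.

    Returns one (ip, kind, locked) tuple per event, in input order.
    """
    policy = LockoutPolicy(lock_invalid_usernames_immediately)
    results = []
    for ts, ip, kind, username_exists in events:
        if kind == "login_fail":
            locked = policy.login_failure(ip, ts, username_exists)
        elif kind == "forgot_password":
            locked = policy.forgot_password(ip, ts)
        else:
            raise ValueError(f"unknown event kind: {kind}")
        results.append((ip, kind, locked))
    return results


def locked_ips(events, **kwargs):
    """Sorted list of IPs that were locked at least once during the replay."""
    return sorted({ip for ip, _, locked in replay(events, **kwargs) if locked})


T0 = datetime(2024, 1, 1, 12, 0, 0)

# Constructed sample traffic for the example (not real logs).
SAMPLE_EVENTS = [
    # 203.0.113.10: five failures in two minutes -> locked on the fifth attempt.
    (T0 + timedelta(seconds=0),   "203.0.113.10", "login_fail", True),
    (T0 + timedelta(seconds=30),  "203.0.113.10", "login_fail", True),
    (T0 + timedelta(seconds=60),  "203.0.113.10", "login_fail", True),
    (T0 + timedelta(seconds=90),  "203.0.113.10", "login_fail", True),
    (T0 + timedelta(seconds=120), "203.0.113.10", "login_fail", True),
    (T0 + timedelta(minutes=3),   "203.0.113.10", "login_fail", True),  # still inside the 1-hour lockout
    (T0 + timedelta(minutes=90),  "203.0.113.10", "login_fail", True),  # lockout expired, counter starts again
    # 198.51.100.7: three mistakes spread over nine minutes -> never five within any 5-minute window.
    (T0 + timedelta(minutes=0), "198.51.100.7", "login_fail", True),
    (T0 + timedelta(minutes=4), "198.51.100.7", "login_fail", True),
    (T0 + timedelta(minutes=9), "198.51.100.7", "login_fail", True),
    # 192.0.2.5: one attempt with a username that does not exist.
    (T0 + timedelta(minutes=1), "192.0.2.5", "login_fail", False),
] + [
    # 192.0.2.99: hammering the lost-password form -> locked on the fifth attempt.
    (T0 + timedelta(seconds=10 * i), "192.0.2.99", "forgot_password", True) for i in range(5)
]

if __name__ == "__main__":
    for ip, kind, locked in replay(SAMPLE_EVENTS):
        print(f"{ip:14} {kind:16} {'LOCKED' if locked else 'allowed'}")
    print("locked with the recommended settings:", locked_ips(SAMPLE_EVENTS))
    print("locked if invalid usernames lock immediately:",
          locked_ips(SAMPLE_EVENTS, lock_invalid_usernames_immediately=True))
```

Running the script shows the trade-off behind step 7: with the recommended settings the IP that guessed a non-existent username is not locked, while the two IPs that hit the thresholds are; flipping the flag to True locks that IP on its first mistyped username.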

Configure Rate Limiting

  1. Expand Rate Limiting
  2. Enable Rate Limiting
  3. Set “Immediately block fake Google crawlers” to Off
  4. Set “How should we treat Google’s crawlers” to “Verified Google crawlers have unlimited access to this site”
  5. Set all throttle options to “Unlimited then throttle it”
  6. Set “How long is an IP address blocked when it breaks a rule” to 5 Minutes
  7. Click “Save Changes”

Configure Scanning

  1. Expand Scan Scheduling
  2. Enable Scan Scheduling
  3. Expand “Basic Scan Type Options”
  4. Set to “Standard Scan”
  5. Expand General Options
  6. Ensure all options are enabled except the following, which should be turned off:
    • Scan theme files against repository versions for changes
    • Scan plugin files against repository versions for changes
    • Scan files outside your WordPress installation
    • Enable HIGH SENSITIVITY scanning (may give false positives)
  7. Expand “Performance Options”
  8. Ensure “Use low resource scanning” is off
  9. Leave all other options as the default value
  10. Click “Save Changes”

  Default values for the remaining Performance Options:
    • Limit the number of issues sent in the scan results email – 1000
    • Time limit that a scan can run in seconds – <blank>
    • How much memory should Wordfence request when scanning – 256 (MB)
    • Maximum execution time for each scan stage – 0

Configure Live Traffic Options

  1. Expand Live Traffic Options
  2. Set Traffic Logging Mode to “Security Only”
  3. Enable “Don’t log signed-in users with publishing access”
  4. Leave all other options as default
  5. Click “Save Changes”

  Default values for the remaining Live Traffic Options:
    • List of comma separated usernames to ignore – <blank>
    • List of comma separated IP addresses to ignore – <blank>
    • Browser user-agent to ignore – <blank>
    • Amount of Live Traffic data to store (number of rows) – 1000
    • Maximum days to keep Live Traffic data (minimum: 1) – 30
