Overview

This article guides you through installing and configuring Wordfence with Conetix recommended settings. Wordfence adds a layer of security to your WordPress-based website through features such as brute force detection and malware scanning.

Instructions

Installing Wordfence

  1. Login to WordPress as an Administrator user.
  2. Go to Plugins -> Add New:
  3. Using the search bar on the right, search for ‘Wordfence’:
  4. Click Install Now:
    Once installed click Activate:
  5. Wordfence will ask you to get a license. If you already have a paid license, use Install an existing license to install it; otherwise click Get Your Wordfence License:
  6. You will be taken to the Wordfence website to get a license. If you do want a paid license you can purchase one here; however, a Free license will do. Click Get a Free License:
    You will be asked to confirm you want the free license; click I’m OK waiting 30 days for protection from new threats to proceed.
  7. Enter your email address, choose whether you would like WordPress security and vulnerability alerts emailed to you, agree to the Wordfence Terms, then click Register:
  8. Once completed, an email containing your license key will be sent to the email address provided:
  9. The email that is sent gives you the option to have the license installed automatically; click this option:
  10. A new tab will open showing your email and your license key. Click Install License:
  11. Once the license has been installed, a popup will confirm it.

Configure Wordfence Settings

Configure Email Alert Preferences

  1. Expand Email Alert Preferences
  2. Disable the below options:
    • Email me when Wordfence is automatically updated
    • Alert me with scan results of this severity level or greater
    • Alert when an IP address is blocked
    • Alert when someone is locked out from login
    • Alert when someone is blocked from logging in for using a password found in a breach
    • Alert when the “lost password” form is used for a valid user
    • Alert me when someone with administrator access signs in
    • Alert me when a non-admin user signs in
    • Alert me when there’s a large increase in attacks detected on my site
  3. Enable the below options:
    • Email me if Wordfence is deactivated
    • Email me if the Wordfence Web Application Firewall is turned off
  4. Click “Save Changes”

Configure Activity Report

  1. Expand Activity Report
  2. Disable “Enable email summary”

Configure Advanced Firewall Options

  1. Expand Advanced Firewall Options
  2. Under “Whitelisted services” Enable “ManageWP”
  3. Click “Save Changes”

Configure Brute Force Protection

  1. Expand Brute Force Protection
  2. Enable Brute Force Protection
  3. Set “Lock out after how many login failures” to 5
  4. Set “Lock out after how many forgot password attempts” to 5
  5. Set “Count failures over what time period” to 5 Minutes
  6. Set “Amount of time a user is locked out” to 1 Hour
  7. Set “Immediately lock out invalid usernames” to Off
  8. Enable “Prevent the use of passwords leaked in data breaches” and set to “For admins only”
  9. Enable “Enforce strong passwords” and set to “Force admins and publishers to use strong passwords”
  10. Enable “Don’t let WordPress reveal valid users in login errors”
  11. Enable “Prevent users registering ‘admin’ username if it doesn’t exist”
  12. Enable “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API”
  13. Disable “Block IPs who send POST requests with blank User-Agent and Referer”
  14. Enable “Check password strength on profile update”
  15. Enable “Participate in the Real-Time Wordfence Security Network”
  16. Click “Save Changes”
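
To see what the lockout values set above mean in practice, the following added example (not Conetix or Wordfence code) replays constructed failed-login events through a simplified model of the policy. It assumes the lockout triggers on the fifth failure inside the five-minute window; the function name and sample addresses are made up for illustration.

```python
from collections import defaultdict, deque

# Values from the Brute Force Protection steps above.
MAX_FAILURES = 5          # "Lock out after how many login failures"
WINDOW_SECS = 5 * 60      # "Count failures over what time period"
LOCKOUT_SECS = 60 * 60    # "Amount of time a user is locked out"

def apply_policy(events):
    """events: iterable of (unix_seconds, ip) failed logins, in time order.
    Returns (lockouts, rejected): lockouts is a list of (ip, start, end);
    rejected counts attempts that arrived while the IP was locked out.
    Simplified model (assumption): lock on the 5th failure in the window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    locked_until = {}
    lockouts, rejected = [], defaultdict(int)
    for ts, ip in events:
        if ts < locked_until.get(ip, 0):
            rejected[ip] += 1     # still locked out, attempt never evaluated
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECS:
            q.popleft()           # forget failures older than the window
        if len(q) >= MAX_FAILURES:
            locked_until[ip] = ts + LOCKOUT_SECS
            lockouts.append((ip, ts, ts + LOCKOUT_SECS))
            q.clear()
    return lockouts, dict(rejected)

# Constructed sample data (documentation address ranges, not real traffic).
burst = [(1000 + 10 * i, "203.0.113.7") for i in range(8)]     # 8 failures, 10 s apart
typos = [(1000 + 200 * i, "198.51.100.20") for i in range(4)]  # 4 failures, then stops
EVENTS = sorted(burst + typos)

if __name__ == "__main__":
    locks, rejected = apply_policy(EVENTS)
    for ip, start, end in locks:
        print(f"{ip} locked out from t={start} to t={end}")
    print("rejected while locked:", rejected)
```

The burst is locked out on its fifth failure and its remaining attempts are rejected, while the user who mistypes four times is never locked out.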

Configure Rate Limiting

  1. Expand Rate Limiting
  2. Enable Rate Limiting
  3. Set “Immediately block fake Google crawlers” to Off
  4. Set “How should we treat Google’s crawlers” to “Verified Google crawlers have unlimited access to this site”
  5. Set all throttle options to “Unlimited then throttle it”
  6. Set “How long is an IP address blocked when it breaks a rule” to 5 Minutes
  7. Click “Save Changes”

Configure Scanning

  1. Expand Scan Scheduling
  2. Enable Scan Scheduling
  3. Expand “Basic Scan Type Options”
  4. Set to “Standard Scan”
  5. Expand General Options
  6. Ensure all options are enabled except those listed below
    • Scan theme files against repository versions for changes
    • Scan plugin files against repository versions for changes
    • Scan files outside your WordPress installation
    • Enable HIGH SENSITIVITY scanning (may give false positives)
  7. Expand “Performance Options”
  8. Ensure “Use low resource scanning” is off
  9. Leave all other options as the default value
  10. Click “Save Changes”
    Default Values
    • Limit the number of issues sent in the scan results email – 1000
    • Time limit that a scan can run in seconds – <blank>
    • How much memory should Wordfence request when scanning – 256
    • Maximum execution time for each scan stage – 0

Configure Live Traffic Options

  1. Expand Live Traffic Options
  2. Set Traffic Logging Mode to “Security Only”
  3. Enable “Don’t log signed-in users with publishing access”
  4. Leave all other options as default
  5. Click “Save Changes”
    Default Values
    • List of comma separated usernames to ignore – <blank>
    • List of comma separated IP addresses to ignore – <blank>
    • Browser user-agent to ignore – <blank>
    • Amount of Live Traffic data to store (number of rows) – 1000
    • Maximum days to keep Live Traffic data (minimum: 1) – 30