How to Configure Wordfence Security for WordPress

Wordfence Security is one of the most popular security plugins for WordPress. It comes with a diverse range of options to help you enhance the overall security of your WordPress site.

However, the plugin comes with so many options that the beginners often get confused about how to get started. If you are feeling the same, you have come to the right place. In today’s post, I will show you how to configure the Wordfence Security plugin for your website.

First of all, install and activate the plugin. You will be prompted to participate in a getting started tour to check out the basic features. You can join the tour or skip it by clicking the “Close” button.

Now you are ready to explore the settings options of the plugin.

Setting up Wordfence

You will find the setting options in the Wordfence > Options page. Let’s check out the various sections and find out how to configure these.

Basic Options

This section allows you to enable the limiting and blocking features, login security, live traffic view, scheduled scans, provide the email address to receive alerts, and so on.

Advanced Options

As you can guess, this section includes the advanced options for the plugin. It is divided into several sub-sections.


Here, you can choose to receive alerts for various events like Wordfence activated, deactivated, critical problem occurred, warnings, an IP address is blocked, someone is locked out from login, when the lost password feature is used, when an admin signs in, when there is a large increase in login attempts, and so on. There is also an option to define the maximum number of email alerts per hour.

Email Summary

This section allows you to enable an email summary, choose the frequency of the summary email, exclude specific directories from the recently modified file list, etc.

Live Traffic View

Here, you can define specific usernames, IP addresses, and browser user-agents that should be ignored in the live traffic view. You can also define the amount of live traffic data that should be stored for later inspection.

Scans to Include

This section allows you to enable scanning for the publicly available configuration, backup, log, and quarantined files, compare the core WordPress, theme, and plugin files against their repository version for changes, check the wp-admin and wp-includes folders for unknown files, track the signatures for known malicious files, backdoors, Trojans, scan the comments for suspicious URL or content, track abandoned, out of date, or vulnerable themes, plugins, WordPress version.

You will also find options to scan for admin users created outside of the site, the password strength, disk space, unauthorized DNS changes, etc. If the scanning takes too much resource on your server, you can enable the low resource scanning mode or limit how many scans you want.

Rate Limiting Rules

This is the section where you can define the limiting rules for your site. First of all, you can choose to block the fake Google crawlers right away.

There are more options to choose the action for various events like the number of requests, page views of a crawler, 404’s created by a crawler, page views of a human, 404’s coming from a human visitor, and so on. For each of these events, you can choose a trigger and either throttle or block it.

Login Security Options

As you can guess, this section helps you to manage the login options for your site. The various options will let you choose the maximum number of failed login attempts, forgot password attempts before applying the lockout. You can define the time period to count these attempts and select the lockout period.

It is also possible to block the IP addresses of the visitors who want to log in with specific usernames.

Other Options

Here, you will find options to whitelist IP address that will bypass all the security rules, block IP addresses that access specific URLs, whitelist some special 404 URLs, hide the WordPress version details, hold, filter anonymous comments for moderation, check password strength when updating profile, the maximum amount of memory for scanning, disable code execution for the uploads directory, and so on.

Wordfence Dashboard

You can check out the Wordfence dashboard from the Wordfence > Dashboard page. It will inform you about the last scan, notifications, currently active features, firewall summary, top blocked IP addresses, successful and failed login attempts, and various other security information for your website.

Wordfence Scan

Go to Wordfence > Scan to initiate a security scan. Once you start a scan, the “Scan Summary” section will keep you updated with the key steps, while “Scan Detailed Activity” will display more information.

Check out the “Option” tab to set up the scan options. Don’t forget to click the “Save Options” to save your changes.

Other Wordfence Features

There are some additional features to help you check out the live traffic, block status, firewall, and so on. Let’s take a minute to check out these features too.

Live Traffic

Go to Wordfence > Live Traffic to view the live visitor activity on your site. As the traffic is color-coded, you will find it a lot easier to detect the human, bot, suspicious, and blocked visitors.

Block Status

Wordfence will continue monitoring your website traffic and block the suspicious visitors according to your chosen options. You will find a list of the blocked IP addresses in the Wordfence > Blocking page.

It is also possible to block visitors manually from the “Advanced Blocking” tab. You can provide a range of IP address, host name, browser name, referrer website, etc.


Wordfence comes with a built-in firewall that you can access from the Wordfence > Firewall page. The default settings will put the firewall in learning mode, and schedule a date when the firewall will be activated. Below, you can set the rules or whitelist URLs that will not be tested by the firewall.

Final Words

Ensuring the proper security is a crucial task for any WordPress site. You can make it a lot easier by using the Wordfence Security plugin. Now that you have read this in-depth tutorial, you know how to configure the plugin for your website. However, if you still need any help, let me know by leaving a comment below. I will try my best to help you out.


I started this tech blog back in 2011 as a place to write down processes I took to fix my client systems and network. Now I write some tips and tricks to help others with the tech issues that one might encounter.

You may also like...