Wordfence Security is one of the most popular security plugins for WordPress. It comes with a diverse range of options to help you enhance the overall security of your WordPress site.
However, the plugin comes with so many options that beginners often get confused about how to get started. If you feel the same way, you have come to the right place. In today’s post, I will show you how to configure the Wordfence Security plugin for your website.
First of all, install and activate the plugin. You will be prompted to participate in a getting started tour to check out the basic features. You can join the tour or skip it by clicking the “Close” button.
Now you are ready to explore the settings options of the plugin.
Setting up Wordfence
You will find the settings on the Wordfence > Options page. Let’s check out the various sections and find out how to configure them.
This section allows you to enable the limiting and blocking features, login security, live traffic view, scheduled scans, provide the email address to receive alerts, and so on.
As you can guess, this section includes the advanced options for the plugin. It is divided into several sub-sections.
Here, you can choose to receive alerts for various events, such as Wordfence being activated or deactivated, a critical problem or warning, an IP address being blocked, someone being locked out from login, the lost password feature being used, an admin signing in, a large increase in login attempts, and so on. There is also an option to define the maximum number of email alerts per hour.
This section allows you to enable an email summary, choose the frequency of the summary email, exclude specific directories from the recently modified file list, etc.
Live Traffic View
Here, you can define specific usernames, IP addresses, and browser user-agents that should be ignored in the live traffic view. You can also define the amount of live traffic data that should be stored for later inspection.
Scans to Include
This section allows you to enable scanning for publicly available configuration, backup, log, and quarantined files; compare the core WordPress, theme, and plugin files against their repository versions for changes; check the wp-admin and wp-includes folders for unknown files; check for the signatures of known malicious files, backdoors, and Trojans; scan comments for suspicious URLs or content; and track abandoned, out-of-date, or vulnerable themes, plugins, and WordPress versions.
You will also find options to scan for admin users created outside of the site, password strength, disk space, unauthorized DNS changes, etc. If scanning uses too many resources on your server, you can enable the low resource scanning mode or limit the number of scans.
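The file comparison described above comes down to hashing what is on disk and checking it against a known-good list. The following is an added illustration of that idea, not Wordfence's own code; the sample tree, the file contents, and the names `compare_to_manifest` and `demo` are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare_to_manifest(root, manifest):
    """Compare files under root against {relative_path: sha256} of a clean copy."""
    root = Path(root)
    on_disk = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in root.rglob("*") if p.is_file()}
    return {
        # Present in both, but the content differs from the clean copy.
        "modified": sorted(f for f in on_disk if f in manifest and on_disk[f] != manifest[f]),
        # On disk but not part of the clean copy at all.
        "unknown": sorted(f for f in on_disk if f not in manifest),
        # Part of the clean copy but no longer on disk.
        "missing": sorted(f for f in manifest if f not in on_disk),
    }

def demo():
    """Build a constructed sample tree, tamper with it, and report the differences."""
    clean = {  # constructed stand-ins for files of a clean release
        "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n",
        "wp-includes/load.php": b"<?php // loader\n",
        "wp-admin/index.php": b"<?php // dashboard\n",
    }
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in clean.items()}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in clean.items():
            path = Path(tmp, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        Path(tmp, "wp-includes/load.php").write_bytes(b"<?php // loader, edited\n")
        Path(tmp, "wp-admin/cache.php").write_bytes(b"<?php // not in the release\n")
        Path(tmp, "wp-admin/index.php").unlink()
        return compare_to_manifest(tmp, manifest)

if __name__ == "__main__":
    print(demo())
```

The "unknown" bucket is the one that matters for wp-admin and wp-includes: a file that was never part of the release has no clean version to compare against, so it can only be found by listing what is on disk.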
Rate Limiting Rules
This is the section where you can define the limiting rules for your site. First of all, you can choose to block the fake Google crawlers right away.
There are more options to choose the action for various events like the number of requests, page views of a crawler, 404’s created by a crawler, page views of a human, 404’s coming from a human visitor, and so on. For each of these events, you can choose a trigger and either throttle or block it.
Login Security Options
As you can guess, this section helps you to manage the login options for your site. The options let you choose the maximum number of failed login attempts and forgot password attempts allowed before a lockout is applied. You can define the time period over which these attempts are counted and select the lockout period.
It is also possible to block the IP addresses of visitors who try to log in with specific usernames.
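To see how the three login settings and the username rule interact, here is an added model that replays constructed login events. It is an illustration, not Wordfence's implementation; the class `LoginGuard`, the event list, and the choice to lock out on the attempt that reaches the limit are assumptions of the example.

```python
from collections import defaultdict, deque

class LoginGuard:
    """Illustrative model of the lockout settings (hypothetical, not plugin code)."""
    def __init__(self, max_failures, count_window, lockout_period, banned_usernames=()):
        self.max_failures = max_failures      # failures allowed before lockout
        self.count_window = count_window      # seconds over which failures are counted
        self.lockout_period = lockout_period  # seconds an IP stays locked out
        self.banned_usernames = {u.lower() for u in banned_usernames}
        self.failures = defaultdict(deque)    # ip -> timestamps of recent failures
        self.locked_until = {}                # ip -> time at which the lockout ends

    def attempt(self, now, ip, username, password_ok):
        """Return 'locked', 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"                   # rejected before the password is checked
        if username.lower() in self.banned_usernames:
            self.locked_until[ip] = now + self.lockout_period
            return "blocked"                  # listed username: no retries allowed
        if password_ok:
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and recent[0] <= now - self.count_window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:  # assumption: lock when the limit is reached
            self.locked_until[ip] = now + self.lockout_period
            recent.clear()
            return "locked"
        return "failed"

# Constructed events: (seconds, ip, username, password_ok). IPs are documentation ranges.
EVENTS = [
    (0, "203.0.113.5", "editor", False),
    (60, "203.0.113.5", "editor", False),
    (120, "203.0.113.5", "editor", False),   # third failure inside the window
    (130, "203.0.113.5", "editor", True),    # correct password, but still locked out
    (200, "198.51.100.7", "admin", False),   # listed username
    (2000, "203.0.113.5", "editor", True),   # lockout has expired
    (3000, "192.0.2.9", "editor", False),    # slow guessing: one try per 400 s
    (3400, "192.0.2.9", "editor", False),
    (3800, "192.0.2.9", "editor", False),
]

def replay(events, guard):
    """Feed events through the guard in order and collect the outcomes."""
    return [guard.attempt(*event) for event in events]

if __name__ == "__main__":
    print(replay(EVENTS, LoginGuard(3, 300, 1800, ["admin"])))
```

The last three events never trigger a lockout because each failure has aged out of the 300-second window before the next one arrives, which is the trade-off to keep in mind when choosing a short counting period.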
Here, you will find options to whitelist IP addresses that will bypass all the security rules, block IP addresses that access specific URLs, whitelist some special 404 URLs, hide the WordPress version details, hold or filter anonymous comments for moderation, check password strength when a profile is updated, set the maximum amount of memory for scanning, disable code execution for the uploads directory, and so on.
You can check out the Wordfence dashboard from the Wordfence > Dashboard page. It will inform you about the last scan, notifications, currently active features, firewall summary, top blocked IP addresses, successful and failed login attempts, and various other security information for your website.
Go to Wordfence > Scan to initiate a security scan. Once you start a scan, the “Scan Summary” section will keep you updated with the key steps, while “Scan Detailed Activity” will display more information.
Check out the “Option” tab to set up the scan options. Don’t forget to click “Save Options” to save your changes.
Other Wordfence Features
There are some additional features to help you check out the live traffic, block status, firewall, and so on. Let’s take a minute to check out these features too.
Go to Wordfence > Live Traffic to view the live visitor activity on your site. As the traffic is color-coded, you will find it a lot easier to tell apart the human, bot, suspicious, and blocked visitors.
Wordfence will continue monitoring your website traffic and block the suspicious visitors according to your chosen options. You will find a list of the blocked IP addresses in the Wordfence > Blocking page.
It is also possible to block visitors manually from the “Advanced Blocking” tab. You can provide an IP address range, host name, browser name, referrer website, etc.
Wordfence comes with a built-in firewall that you can access from the Wordfence > Firewall page. The default settings will put the firewall in learning mode, and schedule a date when the firewall will be activated. Below, you can set the rules or whitelist URLs that will not be tested by the firewall.
Ensuring proper security is a crucial task for any WordPress site. You can make it a lot easier by using the Wordfence Security plugin. Now that you have read this in-depth tutorial, you know how to configure the plugin for your website. However, if you still need any help, let me know by leaving a comment below. I will try my best to help you out.