Optimizing Wordfence Settings for Enhanced WordPress Security: A Configuration Guide

Introduction to Wordfence

As a WordPress website owner, one of your top priorities is ensuring the security of your site. This is where Wordfence comes in.

Wordfence is a comprehensive security plugin for WordPress that provides a range of features designed to protect your website from hacks and malware. It offers a Web Application Firewall (WAF) that identifies and blocks malicious traffic, a malware scanner that checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects, and code injections, and a suite of additional features like live traffic monitoring and login security.

Wordfence is designed to be user-friendly, even for those who aren’t tech-savvy. It’s easy to install and set up, and once it’s running, it works in the background to keep your site secure, giving you peace of mind and letting you focus on what you do best – creating great content and engaging with your audience.

Now, let’s dive into how to access and navigate through the Wordfence settings to ensure optimal security for your WordPress site.

Accessing Wordfence Settings

To access the Wordfence settings page, follow these steps:

  1. In your WordPress dashboard, locate the main menu on the left-hand side.
  2. Click on “Wordfence”. This will open a sub-menu.
  3. In the sub-menu that appears, click on “All Options”.

And there you have it! You’re now on the Wordfence settings page, where you can configure Wordfence to best protect your site.

Wordfence License

No configuration needed.

View Customization

  • Check the box for the “All Options” menu item for easy access.
  • Disable the “Blocking” and “Live Traffic” menu items, as they are not frequently used.

General Wordfence Options

  • Update Wordfence automatically: Enable this for automatic updates.
    Note: If you’re using a LiteSpeed server, you will get a message asking you to ensure the “noabort” environment variable is set. Ask your website hosting company how you should (or better still, how they should) configure this.
  • Where to email alerts: Enter the email address of your webmaster or whoever should receive technical emails about security issues and plugin updates. You can add multiple email addresses separated by commas.
  • How does Wordfence get IPs: Use the recommended setting. If there’s a discrepancy between the “Detected IP(s)” and “Your IP with this setting”, contact your hosting company or technical person.
  • Look up visitor IP locations via Wordfence servers: Keep this enabled.
  • Hide WordPress version: Keep this enabled to make it harder for hackers to know your WordPress version.
  • Disable Code Execution for Uploads directory: This is crucial for security. It prevents anything in your uploads directory from being executed, protecting against potential malware uploads.
  • Pause live updates when window loses focus: Enable this to conserve server resources.
  • Update interval in seconds: A setting of 2 is fine; a longer interval is also acceptable and lighter on the server.
  • Bypass the LiteSpeed “noabort” check: This is only needed if your server uses the LiteSpeed cache. Check with your hosting company about the LiteSpeed settings.
  • Delete Wordfence tables and data on deactivation: Leave this unchecked unless you’re deleting the Wordfence plugin and want to delete the data. (No, you don’t want to delete the Wordfence plugin!)

Dashboard Notification Options

  • Updates Needed (Plugin, Theme, or Core): Enable this to stay informed.
  • Scan Status: Enable this to stay informed.

Email Alert Preferences

  • Email me when Wordfence is automatically updated: Uncheck this unless you want to be notified.
  • Email me if Wordfence is deactivated: Check this. Wordfence should never be deactivated without your knowledge.
  • Email me if the Wordfence Web Application Firewall is turned off: Check this. The firewall should always be active.
  • Alert me with scan results of this severity level or greater: Set this to Medium to avoid an overload of low-level alerts.
  • Alert when an IP address is blocked: Don’t enable this; your website likely blocks several IP addresses every hour.
  • Alert when someone is locked out from login: Enable this. It could be a customer who forgot their password or a hacker.
  • Alert when someone is blocked from logging in for using a password found in a breach: Enable this. It could be a customer who needs to be informed about the importance of using unique passwords.
  • Alert when the “lost password” form is used for a valid user: Enable this. It’s a common hacker trick to request a password reset.
  • Alert me when someone with administrator access signs in: Disable this if you regularly check for unauthorized administrator access.
  • Only alert me when that administrator signs in from a new device: Enable this. A new device in a different part of the world could indicate a stolen password.
  • Alert me when a non-admin user signs in: Disable this. You want people to be able to sign in.
  • Only alert me when that user signs in from a new device: Disable this unless you know your users well enough to tell if this is from a different part of the world.
  • Maximum email alerts to send per hour: Set this to 2. You don’t want to be overwhelmed with emails.

Activity Report

  • Enable email summary: Set this to “Once a week” and review it every time. Get to know what a “normal” one looks like so you can spot anything unusual.
  • List of directories to exclude from recently modified file list: Exclude directories that you know are okay, such as those used by a plugin for its CSS files.
  • Enable activity report widget on the WordPress dashboard: Enable this on most sites, but disable it on sites where you want to minimize plugin resources.

Basic Firewall Options

These sometimes require account-level changes. Work with your technical support person and hosting company.

  • Web Application Firewall Status: When first installing Wordfence, set this to “Learning Mode”. After a learning period, Wordfence switches to “Enabled and Protecting”. Accept the switch-over date Wordfence suggests, most likely 7 days from now.
  • Protection Level: Enable Extended Protection.
  • Real-Time IP Blocklist: This is a premium feature. Free accounts have an IP Blocklist from the Wordfence network that is not updated as frequently.

Advanced Firewall Options

  • Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early): Leave this unset.
  • Allowlisted IP addresses that bypass all rules: You shouldn’t need to bypass all rules for any IP addresses. If necessary, you can bypass a specific rule.
  • Allowlisted services: Enable for Sucuri and Facebook. Also enable for Uptime Robot, StatusCake, and ManageWP if you use these services. Enable for Seznam Search Engine if desired.
  • Immediately block IPs that access these URLs: You likely won’t need to specify any URLs here. Let Wordfence block via its normal methods. Keep these IP lists short, if not empty.
  • Ignored IP addresses for Wordfence Web Application Firewall alerting: This could be your IP address, but only while you are testing something on your site.
  • Rules: Leave all rules turned on unless advised otherwise by a Wordfence support person.
  • MANUALLY REFRESH RULES: This lets you get the latest rule set, even if you have the free version of Wordfence. Do this before running a manual scan.

Brute Force Protection

  • Enable brute force protection: Always enable this.
  • Lock out after how many login failures: Lower this to 10. If you can’t get your password right in 10 tries, you’re doing it wrong.
  • Lock out after how many forgot password attempts: Set this at 5. This is how many times your “Forgot password?” form can be used.
  • Count failures over what time period: Set this to 4 hours. Some hackers try to fool website security by spreading out their attempts, so increasing this to 1 day is fine too.
  • Amount of time a user is locked out: Set this to 12 hours. Some hackers will try passwords rapidly, so this really thwarts them.
  • Immediately lock out invalid usernames: Enable this. The list of “invalid usernames” should include “admin”, “administrator”, “webmaster”.
  • Prevent the use of passwords leaked in data breaches: Set this to ‘For all users with “publish posts” capability’.
  • Enforce strong passwords: Set to ‘Force admins and publishers to use strong passwords’.
  • Don’t let WordPress reveal valid users in login errors: Enable this to make guessing your login much harder.
  • Prevent users registering ‘admin’ username if it doesn’t exist: Enable this to avoid confusion and potential security issues.
  • Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps: Enable this so that password crackers must also guess your login name.
  • Disable WordPress application passwords: Enable this. Application passwords allow a third-party site or application to access your site as your own login, but with a separate password.
  • Block IPs who send POST requests with blank User-Agent and Referer: Enable this. All web browsers and services are supposed to say “who they are” and what URL they are referred by.
  • Custom text shown on block pages: Leave this blank unless you want to give some message when a visitor gets blocked.
  • Check password strength on profile update: Enable this. This notifies you if someone is using a weak password. You can then train them to use strong passwords.
  • Participate in the Real-Time Wordfence Security Network: Enable this. This lets Wordfence on your site take advantage of knowledge from the entire network, especially bad IP addresses and malware detection.
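The three brute-force settings above (failure limit, counting window, lockout length) interact, and the window choice decides whether a slow, spread-out attempt is caught at all. The following is an added model of that logic written for this guide, not Wordfence’s own implementation; the timestamps and the IP address are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed model of the brute-force settings above; an illustration, not Wordfence's code.
LOGIN_FAILURE_LIMIT = 10   # "Lock out after how many login failures"
FAILURE_WINDOW_HOURS = 4   # "Count failures over what time period"
LOCKOUT_HOURS = 12         # "Amount of time a user is locked out"
BASE_TIME = datetime(2024, 1, 1, 0, 0, 0)  # constructed start of the sample timeline


class LockoutTracker:
    """Sliding-window failure counter with a fixed lockout period, keyed by source IP."""
    def __init__(self, limit=LOGIN_FAILURE_LIMIT,
                 window_hours=FAILURE_WINDOW_HOURS, lockout_hours=LOCKOUT_HOURS):
        self.limit = limit
        self.window = timedelta(hours=window_hours)
        self.lockout = timedelta(hours=lockout_hours)
        self.failures = {}      # ip -> timestamps of failures inside the window
        self.locked_until = {}  # ip -> datetime at which the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Register one failed login; return True if the IP is locked out afterwards."""
        if self.is_locked(ip, now):
            return True
        # Forget failures older than the counting window, then count this one.
        recent = [t for t in self.failures.get(ip, []) if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.limit:
            self.locked_until[ip] = now + self.lockout
            self.failures[ip] = []  # counter starts fresh once the lockout expires
            return True
        return False


def spaced_attempts(count, minutes_apart):
    """Constructed timestamps of `count` failures from one client, evenly spaced."""
    return [BASE_TIME + timedelta(minutes=minutes_apart * i) for i in range(count)]


def first_lockout(attempts, window_hours=FAILURE_WINDOW_HOURS, limit=LOGIN_FAILURE_LIMIT):
    """Index of the attempt that triggered a lockout for one IP, or None if never locked."""
    tracker = LockoutTracker(limit=limit, window_hours=window_hours)
    ip = "203.0.113.7"  # RFC 5737 documentation address, constructed
    for i, when in enumerate(attempts):
        if tracker.record_failure(ip, when):
            return i
    return None
```

With the 4-hour window, twenty failures spaced 30 minutes apart never trigger a lockout (only 8 fall inside any window), while the 1-day window the guide also accepts catches them on the tenth attempt.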
