How to Configure Wordfence plugin

Wordfence plugin

The Worfence plugin is a solid choice when it comes to protecting a website with WordPress and configuring Wordfence is less complicated than it seems.

Configure Wordfence plugin

Wordfence has several options and modules to configure the security of our website, but it should be noted that the main features are available for free.

If we want to have more control over the security of our website, we are given the option of opting for a premium account and enabling the extra modules.

It’s no wonder that since its appearance it has earned its reputation and space in the WordPress repository, surpassing even the veteran iTheme Security (formerly Better WP Security).

NOTE: If you already have another security plugin installed, I recommend you uninstall it and check your .htacces file to remove any remaining rules.

Wordfence Options

After installing and activating the plugin, we will be able to see the Wordfence icon and our first stop is in Wordfence >> Options


When the plugin is activated, a key will be generated that will identify our website on the Wordfence servers and will verify whether it is a free or premium account, in our case, a free account.

Basic Options

Enable firewall

Enabled by default, allows you to use Wordfence’s Firewall options.

Enable login security

Enabled by default, allows you to use the options for logon security.

Enable Live Traffic view

Allows you to see the live traffic that our website is receiving. Enabled by default, if you are hosting your website on a server with few resources, this function may cause some problems.

Advanced Comment Spam Filter

Available with premium subscription. It filters the comments we receive through known lists of spammers and infected machines, and blocks them.

Check if the website is being “Spamvertised”

Available with premium subscription. When scanning our website, Wordfence will check with anti-spam services that our domain name is not on their lists.

Check if this website IP is generating spam

Available with premium subscription. When scanning our website, Wordfence Wordfence will check with anti-spam services that our IP is not on their lists.

Enable automatic scheduled scans

Enabled by default. For free account users, these scans are performed at 24hr intervals.

Update Wordfence automatically when a new version is released?

We must check this option if we want Wordfence to update automatically within 24hrs as soon as a new version appears.

Where to email alerts

The email address to which Wordfence will send notifications.

Security Level

Wordfence comes with five (0 to 4) security levels. Level 0 simply disables Worfence security options. The recommended level for most websites is level 2, since level 3 is high security if we see that our website can be attacked. Level 4 directly blocks our website if we are under attack.

We can choose Custom settings and continue with the tutorial, the options that we will modify will start from Level 2.

How does Wordfence get IPs

Among the available options, “Let Wordfence use the most secure method to get visitor IP….” is the default option. If Wordfence cannot “see” the IPs of the traffic that enters our website, we will have to choose one of the other available options.

Advanced Options

This section allows you to configure the alerts that Wordfence sends when an incidence is generated.


Email me when Wordfence is automatically updated     

Activate this option if you want to receive notifications when Wordfecen is automatically updated.

Alert on critical problems   

Activated by default, we will receive notifications if Wordfence detects an urgent situation on our website.

Alert on warnings

Activated by default, we will receive notifications that require our attention.

Alert when an IP address is blocked

Activated by default, we will receive notifications when Wordfence has blocked a malicious IP.

Alert when someone is locked out from login   

Activated by default, we will receive notifications when someone has been blocked for trying to authenticate themselves on our website.

Alert when the “lost password” form is used for a valid user     

Activated by default, we will receive notifications when a user of our website has used the password recovery form.

Alert me when someone with administrator access signs in  

Activated by default, we will receive notifications when a user with administrator level logs in.

Alert me when a non-admin user signs in

We can leave this option unchecked. If activated, it will alert us when any user who is not an administrator logs in.

Live Traffic View

Don’t log signed-in users with publishing access

Do not register logged-in users if their user level allows them to publish (Editor and Author).

List of comma separated usernames to ignore

Enter a list of users separated by comma that will be excluded by Wordfence. For example, we may log in and avoid receiving notifications each time we log in.

List of comma separated IP addresses to ignore

Enter a list of IP addresses separated by comma, which will be excluded by Wordfence. We can enter our IP to avoid passing Wordfence filters and being blocked.

Browser user-agent to ignore

Here we can enter a list of Browser User Agents that will be excluded by Wordfence.

Scans to include

This section allows you to configure the file scanning module.

Scan public facing site for vulnerabilities?

Premium option. Enabling this option the HTLM code generated from WordPress is analyzed by the Wordfence servers. In this way, if the internal code scan fails something, with this addition we increase the possibilities of being able to detect any anomaly in our web.

Scan for the HeartBleed vulnerability?

If you have an SSL certificate on your domain, this option checks its integrity to detect the HeartBleed vulnerability.

Scan core files against repository versions for changes     

When scanning the WordPress installation makes a comparison with the official files. If Wordfence detects a change, it will show you the difference between the original and the version with the change of your installation.

Scan theme files against repository versions for changes

Like the previous point, this option is used to compare the files of our theme with the official version. You can choose to activate it, as it only applies to non-commercial themes.

Scan plugin files against repository versions for changes   

Same as the two previous options, but for plugins. Like the previous case, it will only be effective if the plugin is not commercial, since the files are in the WordPress repository.

Scan for signatures of known malicious files     

Wordfence will match the scanned files to your database of malicious files. We will be notified of any anomalies.

Scan file contents for backdoors, trojans and suspicious code   

Wordfence compares our files with their list of patterns and code found, often in files infected with malicious code,

Scan posts for known dangerous URLs and suspicious content  

It scans all published entries directly accessing the database and verifies that they do not contain a link to a dangerous destination. It also looks for content that may be suspicious or generated by an infection or hack.

Scan comments for known dangerous URLs and suspicious content

Performs the same checks as for entries.

Scan for out of date plugins, themes and WordPress versions   

Wordfence will notify us by email that there is a new version of a plugin or theme and suggest that we do the corresponding update.

Check the strength of passwords   

Check that passwords for administrators and users are not easy or susceptible to cracking.

Scan options table   

Verify that the options table in our database does not contain patterns that indicate an infection.

Disk space monitor

He’ll notify us if we’re close to running out of space. You can enable or disable this option, as it is up to your hosting company to notify you when this happens, but in cases such as installations without a control panel, such as in an unmanaged VPS, it can be very helpful.

Scan for unauthorized DNS changes     

Check that there is no unauthorized change in the DNS of our domain, as this may be an indication that our account where we have our domain (GoDaddy, Namecheap, etc) has been hacked.

Scan files outside your WordPress installation  

It will scan files for other directories outside the WordPress installation, although it is recommended not to activate this option, as depending on the amount of files, scanning these directories may increase the consumption of our server resources.

Scan image files as if they were executable   

It analyzes images to detect if there is any script camouflaged as an image, i.e., that only the extension has been changed, but actually contains code that can be malicious.

Enable HIGH SENSITIVITY scanning. May give false positives.     

Activate various filters in Wordfence, filters that can give “false positives”. It is recommended not to activate this option.

Exclude files from scan that match these wildcard patterns. Comma separated.

You can use this section to exclude files with certain extensions (.xls, .pdf, etc). In case we detect that Wordfence takes a long time with large files that we know are not malicious, such as backup files, we can exclude them here as well.

Firewall Rules

This section allows you to configure the Firewall module included in Wordfence. Firewalls work through rules, we enter rules for the type of traffic that comes to our website and if they do not comply with these rules, an action is taken. Wordfence has two actions “throttle it” and “block it”. The throttle it action is less aggressive, as it is a block per range, i.e. it is activated if a certain range is exceeded and the connection is limited. The actionblock it directly blocks the user whose traffic has broken the firewall rule.

Immediately block fake Google crawlers

Selecting this option we block traffic that tries to access our web pretending to be the bot of Google crawling our web.

How should we treat Google’s crawlers

Seleccionar: “Verified Google crawlers have unlimited access to this site”

If anyone’s requests exceed

Seleccionar: “4 per minute (1 every 15 seconds) then throttle it”

If a crawler’s page views exceed

Seleccionar: “240 per minute (4 per second) the throttle it”

If a crawler’s pages not found (404s) exceed

Seleccionar: “15 per minute (1 every 4 seconds) then block it

If a human’s page views exceed

Seleccionar: “10 per minute (1every 6 seconds) then throttle it”

If a human’s pages not found (404s) exceed

Seleccionar: “30 per minute (1 every 2 seconds) then block it”

If 404’s for known vulnerable URL’s exceed

Seleccionar: “15 per minute (1 every 4 seconds) then block it”

How long is an IP address blocked when it breaks a rule

30 minutes

Login Security Options

This section contains settings for securing logins.

Enforce strong passwords?   

Seleccionar: “Force admins and publishers to use strong passwords (recommended)”

Lock out after how many login failures     

Select: 3

Lock out after how many forgot password attempts  

Select: 2

Count failures over what time period     

Select: 5 minutes

Amount of time a user is locked out

Select: 10 minutes

Immediately lock out invalid usernames     

Select this option, so if someone tries to log in with a non-existent user, they will be blocked immediately.

Don’t let WordPress reveal valid users in login errors  

Select this option to prevent WordPress from hinting that the username or password have been wrong.

Prevent users registering ‘admin’ username if it doesn’t exist  

Select subtract option to prevent any user from registering using ‘admin’ as user name.

Prevent discovery of usernames through ‘?/author=N’ scans  

Select this option to avoid user searches through the search string ‘?/author=N‘.

Immediately block the IP of users who try to sign in as these usernames

Immediately block anyone who attempts to log in with the specified usernames. For example, we can add admin.

Other Options

Whitelisted IP addresses that bypass all rules

Here you can enter your IP address to prevent Wordfence from blocking your computer. To find out what your IP is, you can visit this What’s My IP page

Immediately block IP’s that access the URLs

We can block those who try to directly access certain areas of our website. For example: /no-access/here, /blocked.html. Otherwise, you can leave this box blank.

Hide WordPress version

Select this option not to display the WordPress version.

Block IP’s who send POST requests with blank User-Agent and Referer   

Useful for blocking scripts that attempt to log in or send spam comments.

Hold anonymous comments using member emails for moderation   

If Wordfence detects that someone sends a comment using the email address of a registered user on our website, it will put this comment in moderation automatically.

Filter comments for malware and phishing URL’s     

Wordfence will filter comments through the Google Safe Browsing list, which is a list that Google uses to let users sleep on a web that is not safe to browse.

Check password strength on profile update   

Checks the security/password strength when a user updates their profile. This functionality goes hand-in-hand with “forcing the use of strong passwords”. The user will simply receive a notification that their password is ‘easy’ or ‘weak’.

Participate in the Real-Time WordPress Security Network     

If we enable this option we will be sharing information anonymously with Wordfence. What information? Information about attempts to infringe our website. Being a real-time communication, the Wordfence network will maintain a list of IPs and regions where these attacks are taking place and will send this list to the websites that are participating. If you do not enable this option, your website will not receive this information.

How much memory should Wordfence request when scanning

This number depends on your server: 256

Maximum execution time for each scan stage

Leave blank.

Update interval in seconds (2 is default)

Leave with default setting (2).

Enable debugging mode

Enable this option if you have detected a problem with Wordfence and want more information. Remember to use it for short periods of time as it consumes a lot of server resources.

Delete Wordfence tables and data on deactivation?     

Leave unmarked.

Disable Wordfence Cookies  

Leave unmarked. If you select this option, Worfence will be affected in three ways:

  • All page views in the Live Traffic section will look like new visits.
  • Falcon engine (Wordfence cache module) can start showing cache pages to previously authenticated users.
  • The country blocking function when visiting a special URL on our website may not work properly.

Start all scans remotely     

Enable this option if we detect that Wordfence has problems running the scan on our server.

Disable config caching  

Leave unmarked. Select if you are within the exceptions where Wordfence cannot save the configuration.

Add a debugging comment to HTML source of cached pages

Wordfence will add an HTML comment to all pages that have been generated by the cacée. Useful if you use the cache options included in Wordfence. It is recommended to leave it unmarked.

Disable Code Execution for Uploads directory

Select this option. Wordfence create a .htaccess file in the /wp-content/uploads directory to prevent PHP code from being executed.

Click to test connectivity to the Wordfence API servers

Perform a connectivity test between our website and the Wordfence server.

Click to view your system’s configuration in a new window

Shows the configuration of our PHP version. Very useful to know which version we have, how much memory we have available, etc.

Click to view your systems scheduled jobs in a new window

It shows us the tasks scheduled in the WordPress Cron.

Click to see a list of your system’s database tables in a new window

It shows the WordPress database tables and additional information about each table.

Test your WordPress host’s available memory

Runs a test to check available memory. If this test fails, you should contact your hosting company and ask for more memory or a plan that has more resources, since the test is executed using as parameter the minimum required for the operation of Wordfence.

So far we have configured the entire Wordfence Options. But there’s more.

You may be interested:

How to use Google Analytics, step by step 

Configure router security : configure it correctly 

How to record a call with your mobile phone step by step in an easy way 

Format fat32 on Windows and Mac step by step 

Facebook Comments