The Wordfence plugin is a solid choice for protecting a WordPress website, and configuring it is less complicated than it seems.
Wordfence has several options and modules for configuring our website’s security, but note that the main features are available for free.
If we want more control over the security of our website, we can opt for a premium account and enable the extra modules.
It’s no wonder that since its appearance it has earned its reputation and its place in the WordPress repository, surpassing even the veteran iThemes Security (formerly Better WP Security).
NOTE: If you already have another security plugin installed, I recommend you uninstall it and check your .htaccess file to remove any leftover rules.
After installing and activating the plugin, we will see the Wordfence icon, and our first stop is Wordfence >> Options.
When the plugin is activated, a key is generated that identifies our website to the Wordfence servers and tells them whether the account is free or premium; in our case, a free account.
Enabled by default; allows you to use Wordfence’s Firewall options.
Enable login security
Enabled by default; allows you to use the login security options.
Enable Live Traffic view
Allows you to see the live traffic our website is receiving. Enabled by default; if your website is hosted on a server with few resources, this function may cause problems.
Advanced Comment Spam Filter
Available with a premium subscription. It filters the comments we receive against known lists of spammers and infected machines, and blocks them.
Check if the website is being “Spamvertised”
Available with a premium subscription. When scanning our website, Wordfence checks with anti-spam services that our domain name is not on their lists.
Check if this website IP is generating spam
Available with a premium subscription. When scanning our website, Wordfence checks with anti-spam services that our IP is not on their lists.
Enable automatic scheduled scans
Enabled by default. For free accounts, these scans run at 24-hour intervals.
Update Wordfence automatically when a new version is released?
Check this option if we want Wordfence to update itself automatically within 24 hours of a new version appearing.
Where to email alerts
The email address to which Wordfence will send notifications.
Wordfence comes with five security levels (0 to 4). Level 0 simply disables the Wordfence security options. The recommended level for most websites is Level 2; Level 3 is a high-security setting for when we see that our website may be attacked, and Level 4 locks our website down outright when we are under attack.
We can choose Custom settings and continue with the tutorial; the options we modify below start from Level 2.
How does Wordfence get IPs
Among the available options, “Let Wordfence use the most secure method to get visitor IP….” is the default. If Wordfence cannot “see” the IPs of the traffic reaching our website, we will have to choose one of the other available options.
This section allows you to configure the alerts that Wordfence sends when an incident occurs.
Email me when Wordfence is automatically updated
Activate this option if you want to be notified when Wordfence is automatically updated.
Alert on critical problems
Activated by default; we will be notified if Wordfence detects an urgent situation on our website.
Alert on warnings
Activated by default; we will be notified of issues that require our attention.
Alert when an IP address is blocked
Activated by default; we will be notified when Wordfence has blocked a malicious IP.
Alert when someone is locked out from login
Activated by default; we will be notified when someone has been locked out for trying to authenticate on our website.
Alert when the “lost password” form is used for a valid user
Activated by default; we will be notified when a user of our website has used the password recovery form.
Alert me when someone with administrator access signs in
Activated by default; we will be notified when a user with administrator level logs in.
Alert me when a non-admin user signs in
We can leave this option unchecked. If activated, it will alert us when any user who is not an administrator logs in.
Live Traffic View
Don’t log signed-in users with publishing access
Do not log signed-in users whose user level allows them to publish (Editor and Author).
List of comma separated usernames to ignore
Enter a comma-separated list of usernames that Wordfence will ignore. For example, we can add our own username so that Wordfence ignores our visits once we are logged in.
List of comma separated IP addresses to ignore
Enter a comma-separated list of IP addresses that Wordfence will ignore. We can enter our own IP so that our traffic bypasses the Wordfence filters and is never blocked.
Browser user-agent to ignore
Here we can enter a list of browser user agents that Wordfence will ignore.
Scans to include
This section allows you to configure the file scanning module.
Scan public facing site for vulnerabilities?
Premium option. With this option enabled, the HTML generated by WordPress is analyzed by the Wordfence servers. If the internal code scan misses something, this adds another chance of detecting an anomaly on our website.
Scan for the HeartBleed vulnerability?
If your domain has an SSL certificate, this option checks it for the Heartbleed vulnerability.
Scan core files against repository versions for changes
During a scan, the WordPress core files are compared with the official versions. If Wordfence detects a change, it shows you the difference between the original file and the modified version in your installation.
Scan theme files against repository versions for changes
Like the previous option, this compares our theme’s files with the official version. You can activate it, bearing in mind that it only applies to non-commercial themes.
Scan plugin files against repository versions for changes
Same as the two previous options, but for plugins. As before, it is only effective for non-commercial plugins, since those files are in the WordPress repository.
Scan for signatures of known malicious files
Wordfence compares the scanned files with its database of known malicious files and notifies us of any matches.
Scan file contents for backdoors, trojans and suspicious code
Wordfence compares our files against its list of patterns and code fragments that are commonly found in files infected with malicious code.
Scan posts for known dangerous URLs and suspicious content
It scans all published posts by reading the database directly and verifies that they do not contain links to dangerous destinations. It also looks for content that may be suspicious or generated by an infection or hack.
Scan comments for known dangerous URLs and suspicious content
Performs the same checks as for posts.
Scan for out of date plugins, themes and WordPress versions
Wordfence will notify us by email when a new version of a plugin or theme is available and suggest that we apply the update.
Check the strength of passwords
Checks that administrator and user passwords are not easy to guess or susceptible to cracking.
Scan options table
Verifies that the options table in our database does not contain patterns that indicate an infection.
Disk space monitor
Wordfence will notify us if we are close to running out of disk space. You can enable or disable this option, since it is your hosting company’s job to warn you when this happens, but in cases such as installations without a control panel, for example an unmanaged VPS, it can be very helpful.
Scan for unauthorized DNS changes
Checks that there has been no unauthorized change to our domain’s DNS, since that may indicate that the account where we manage our domain (GoDaddy, Namecheap, etc.) has been compromised.
Scan files outside your WordPress installation
Scans files in directories outside the WordPress installation. It is recommended not to activate this option, since depending on the number of files, scanning those directories can increase our server’s resource consumption.
Scan image files as if they were executable
Analyzes images to detect scripts disguised as images, i.e. files where only the extension has been changed but which actually contain code that may be malicious.
Enable HIGH SENSITIVITY scanning. May give false positives.
Activates additional filters in Wordfence that can produce “false positives”. It is recommended not to activate this option.
Exclude files from scan that match these wildcard patterns. Comma separated.
Use this field to exclude files with certain extensions (.xls, .pdf, etc.). If Wordfence takes a long time on large files that we know are not malicious, such as backup files, we can exclude them here as well.
This section allows you to configure the Firewall module included in Wordfence. Firewalls work through rules: we define rules for the traffic that reaches our website, and when traffic violates one of them an action is taken. Wordfence has two actions, “throttle it” and “block it”. Throttling is the less aggressive action: it is a rate-based limit, triggered when a certain rate is exceeded, at which point the connection is slowed down. Blocking directly blocks the visitor whose traffic broke the firewall rule.
Immediately block fake Google crawlers
By selecting this option we block traffic that tries to access our website pretending to be Google’s crawler.
How should we treat Google’s crawlers
Select: “Verified Google crawlers have unlimited access to this site”
If anyone’s requests exceed
Select: “4 per minute (1 every 15 seconds) then throttle it”
If a crawler’s page views exceed
Select: “240 per minute (4 per second) then throttle it”
If a crawler’s pages not found (404s) exceed
Select: “15 per minute (1 every 4 seconds) then block it”
If a human’s page views exceed
Select: “10 per minute (1 every 6 seconds) then throttle it”
If a human’s pages not found (404s) exceed
Select: “30 per minute (1 every 2 seconds) then block it”
If 404’s for known vulnerable URL’s exceed
Select: “15 per minute (1 every 4 seconds) then block it”
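To make the throttle/block distinction concrete, here is an added example (not Wordfence’s own code) that models the rate rules chosen above as sliding-window counters per IP. The crawler classification by user agent and the assumption that verified Google crawlers are exempted beforehand are simplifications of this model.

```python
from collections import defaultdict, deque

WINDOW = 60  # every rule above is expressed per minute

# (visitor kind, metric) -> (limit per minute, action), taken from the settings
# chosen above. Verified Google crawlers are assumed to be exempted beforehand.
RULES = {
    ("human", "views"): (10, "throttle"),
    ("human", "404s"): (30, "block"),
    ("crawler", "views"): (240, "throttle"),
    ("crawler", "404s"): (15, "block"),
}


class RateRules:
    """Sliding-window counters per IP; a breached 'block' rule is sticky."""

    def __init__(self):
        self.events = defaultdict(deque)  # (ip, metric) -> request timestamps
        self.blocked = set()

    @staticmethod
    def classify(user_agent):
        # Constructed shortcut; real crawler detection is far richer than this.
        return "crawler" if "bot" in user_agent.lower() else "human"

    def request(self, ts, ip, user_agent, status):
        """Return 'allow', 'throttle' or 'block' for one request at time ts (seconds)."""
        if ip in self.blocked:
            return "block"
        kind = self.classify(user_agent)
        verdict = "allow"
        # A 404 counts both as a page view and as a not-found hit.
        for metric in ["views"] + (["404s"] if status == 404 else []):
            window = self.events[(ip, metric)]
            window.append(ts)
            while ts - window[0] >= WINDOW:  # drop hits older than one minute
                window.popleft()
            limit, action = RULES[(kind, metric)]
            if len(window) > limit:
                if action == "block":
                    self.blocked.add(ip)
                    return "block"
                verdict = "throttle"
        return verdict
```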
How long is an IP address blocked when it breaks a rule
Login Security Options
This section contains settings for securing logins.
Enforce strong passwords?
Select: “Force admins and publishers to use strong passwords (recommended)”
Lock out after how many login failures
Lock out after how many forgot password attempts
Count failures over what time period
Select: 5 minutes
Amount of time a user is locked out
Select: 10 minutes
Immediately lock out invalid usernames
Select this option so that anyone who tries to log in with a non-existent username is locked out immediately.
Don’t let WordPress reveal valid users in login errors
Select this option to stop WordPress from hinting whether it was the username or the password that was wrong.
Prevent users registering ‘admin’ username if it doesn’t exist
Select this option to prevent anyone from registering with ‘admin’ as their username.
Prevent discovery of usernames through ‘?/author=N’ scans
Select this option to prevent username discovery through the query string ‘?/author=N’.
Immediately block the IP of users who try to sign in as these usernames
Immediately blocks anyone who attempts to log in with the specified usernames. For example, we can add admin.
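The login-security settings above, modelled as an added example (not Wordfence’s own code): failures are counted over a 5-minute window, a lockout lasts 10 minutes, invalid usernames are locked out at once, listed usernames block the IP, and the error message never reveals which part was wrong. The lockout count of 5 and the toy credential store are assumptions, since the tutorial does not state them.

```python
from collections import defaultdict, deque
import hmac

FAILURE_WINDOW = 5 * 60    # "Count failures over what time period": 5 minutes
LOCKOUT = 10 * 60          # "Amount of time a user is locked out": 10 minutes
MAX_FAILURES = 5           # assumed; the tutorial leaves this count unspecified
INSTANT_BLOCK = {"admin"}  # "Immediately block the IP of users who try to sign in as these usernames"
GENERIC_ERROR = "Invalid username or password."  # never says which one was wrong


class LoginGuard:
    def __init__(self, users):
        self.users = users                  # username -> password (toy store; real code keeps hashes)
        self.failures = defaultdict(deque)  # ip -> timestamps of failed attempts
        self.locked_until = {}              # ip -> time the lockout expires
        self.blocked_ips = set()            # permanent blocks from INSTANT_BLOCK

    def _lock(self, ip, ts):
        self.locked_until[ip] = ts + LOCKOUT
        self.failures[ip].clear()
        return ("locked", GENERIC_ERROR)

    def attempt(self, ts, ip, username, password):
        """Return (outcome, message); outcome is ok, fail, locked or blocked."""
        if ip in self.blocked_ips:
            return ("blocked", GENERIC_ERROR)
        if self.locked_until.get(ip, 0) > ts:
            return ("locked", GENERIC_ERROR)
        if username in INSTANT_BLOCK:       # sign-in as a listed name: block the IP for good
            self.blocked_ips.add(ip)
            return ("blocked", GENERIC_ERROR)
        if username not in self.users:      # "Immediately lock out invalid usernames"
            return self._lock(ip, ts)
        if hmac.compare_digest(self.users[username], password):
            self.failures[ip].clear()       # a success resets the failure counter
            return ("ok", None)
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] >= FAILURE_WINDOW:  # forget failures outside the 5-minute window
            window.popleft()
        if len(window) >= MAX_FAILURES:
            return self._lock(ip, ts)
        return ("fail", GENERIC_ERROR)
```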
Whitelisted IP addresses that bypass all rules
Here you can enter your own IP address so that Wordfence never blocks your computer. To find out your IP, you can visit a “What’s My IP” page.
Immediately block IP’s that access the URLs
We can block anyone who tries to access certain areas of our website directly, for example /no-access/here or /blocked.html. Otherwise, you can leave this box blank.
Hide WordPress version
Select this option so that the WordPress version is not displayed.
Block IP’s who send POST requests with blank User-Agent and Referer
Useful for blocking scripts that attempt to log in or post spam comments.
Hold anonymous comments using member emails for moderation
If Wordfence detects a comment submitted using the email address of a registered user of our website, it automatically holds that comment for moderation.
Filter comments for malware and phishing URL’s
Wordfence will filter comments against the Google Safe Browsing list, the list Google uses to warn users that a site is not safe to browse.
Check password strength on profile update
Checks the password strength when a user updates their profile. This works hand in hand with “Enforce strong passwords”: the user simply receives a notice that their password is ‘easy’ or ‘weak’.
Participate in the Real-Time WordPress Security Network
If we enable this option we share information anonymously with Wordfence, namely information about attempts to break into our website. Because the exchange happens in real time, the Wordfence network maintains a list of IPs and regions where these attacks are taking place and sends it to the participating websites. If you do not enable this option, your website will not receive this information.
How much memory should Wordfence request when scanning
This number depends on your server: 256
Maximum execution time for each scan stage
Update interval in seconds (2 is default)
Leave at the default setting (2).
Enable debugging mode
Enable this option if you have found a problem with Wordfence and want more information. Use it only for short periods, since it consumes a lot of server resources.
Delete Wordfence tables and data on deactivation?
Disable Wordfence Cookies
Leave unchecked. If you select this option, Wordfence is affected in three ways:
- Every page view in the Live Traffic section will look like a new visit.
- The Falcon engine (Wordfence’s cache module) can start serving cached pages to previously authenticated users.
- The country blocking function, when visiting a special URL on our website, may not work properly.
Start all scans remotely
Enable this option if Wordfence has problems running the scan on our server.
Disable config caching
Leave unchecked. Select it only if you are in one of the exceptional cases where Wordfence cannot save its configuration.
Add a debugging comment to HTML source of cached pages
Wordfence adds an HTML comment to every page served from its cache. Useful if you use the caching options included in Wordfence. It is recommended to leave it unchecked.
Disable Code Execution for Uploads directory
Select this option. Wordfence creates a .htaccess file in the /wp-content/uploads directory to prevent PHP code from being executed there.
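As an added example (not Wordfence’s own code) tying together “Scan image files as if they were executable” and “Disable Code Execution for Uploads directory”, this checks an uploads tree for script files, image files that hide PHP tags or carry the wrong magic bytes, and a .htaccess that disables PHP. The .htaccess directives it looks for and the sample files are assumptions, not necessarily what Wordfence writes.

```python
import os, re, tempfile

EXEC_EXT = {".php", ".phtml", ".php5", ".phar"}
PHP_TAG = re.compile(rb"<\?(php\b|=)")          # opening PHP tag anywhere in the bytes
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG", ".gif": b"GIF8"}
# Assumed forms of the rule; either makes Apache refuse to run PHP placed here.
HTACCESS_OK = re.compile(r"php_flag\s+engine\s+(off|0)|<FilesMatch[^>]*\\\.php", re.I)

def scan_uploads(root):
    """Return sorted (relative path, reason) pairs for anything that should not be in uploads."""
    findings = []
    ht = os.path.join(root, ".htaccess")
    if not (os.path.isfile(ht) and HTACCESS_OK.search(open(ht).read())):
        findings.append((".htaccess", "PHP execution not disabled"))
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == ".htaccess":
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(65536)           # first 64 KiB; a full read is safer but slower
            if ext in EXEC_EXT:
                findings.append((rel, "script file in uploads"))
            elif PHP_TAG.search(head):          # "scan image files as if they were executable"
                findings.append((rel, "PHP code inside non-script file"))
            elif ext in IMAGE_MAGIC and not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((rel, "extension does not match file content"))
    return sorted(findings)

def demo():
    """Build a constructed uploads tree in a temporary directory and scan it."""
    root = tempfile.mkdtemp()
    files = {
        ".htaccess": b"<IfModule mod_php5.c>\nphp_flag engine 0\n</IfModule>\n",
        "2019/01/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # genuine image header
        "2019/01/photo.jpg": b"<?php /* constructed marker */ ?>",  # script renamed to .jpg
        "2019/02/banner.gif": b"not really a gif",                  # wrong magic bytes
        "2019/02/stray.php": b"<?php /* constructed marker */ ?>",  # script with its real extension
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return scan_uploads(root)
```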
Click to test connectivity to the Wordfence API servers
Performs a connectivity test between our website and the Wordfence servers.
Click to view your system’s configuration in a new window
Shows the configuration of our PHP installation. Very useful for finding out which version we have, how much memory is available, etc.
Click to view your systems scheduled jobs in a new window
Shows the tasks scheduled in WordPress Cron.
Click to see a list of your system’s database tables in a new window
Shows the WordPress database tables and additional information about each table.
Test your WordPress host’s available memory
Runs a test of the available memory. If this test fails, you should contact your hosting company and ask for more memory or a plan with more resources, since the test uses the minimum required for Wordfence to operate as its parameter.
So far we have configured the entire Wordfence Options. But there’s more.