How to Configure the WordFence Plugin

Knowledgebase Article

How to Configure the WordFence Plugin

WordFence is a fantastic plugin for WordPress that will dramatically increase the security of your WordPress blog. It is our recommended plugin for any WordPress site - with WordFence properly installed and configured, the likelihood of your blog being hacked is dramatically reduced.

However, WordFence has a lot of configuration options. The following article outlines how we would recommend that you configure WordFence.

Once you have installed WordFence as a plugin in WordPress, click on WordFence > Options in the side menu. On this page, configure the settings as follows:

Basic Options

Uncheck "Live Traffic View". Live traffic view is a nice feature that lets you see realtime activity on your site, but it causes a slow down in speed, particularly on high traffic sites. It is not essential and we strongly recommend that you turn this feature off.
How does WordFence Get IPs: From the drop-down menu, select "Use PHP's Built In REMOTE_ADDR".

Advanced Options: Alerts

Under Alerts, select all options except "Alert me when someone with administrator access logs in". This is probably over the top for most web sites, and will result in unnecessary email flow if you are regularly logging in ayway.

Advanced Options: Live Traffic View

No changes

Advanced Options: Scans to Include

Select All Options

Advanced Options: Firewall Rules

The Firewall Rules are an important part of protecting your site. This controls how quickly various activity can take place on your blog and will ensure that a) your site is protected from malicious traffic that might be trying to 'brute force' attack your site. It also controls how quickly bots and other traffic can access your site - generally this traffic is best throttled if too aggressive to ensure that your site operates without interruption.

The following screenshot shows how we would recommend that you set this up. These are guidelines only, if your site is being adversely affected by bot traffic (i.e. we have notified you of such traffic or your site has been 'temporarily limited' by our resource managemnet systems, then you may wish to lower these limits.

Advanced Options: Login Security Options

These settings will ensure that any brute force login attempts on your WordPress installation are restricted. When setting these options, it's important that you ensure that you use the correct admin username, and that you remember your password so you don't lock yourself out. We'd therefore also recommend that you follow the next step to whitelist your own IP address as well, to help ensure you don't get locked out yourself.

Advanced Options: Other Options

Enter your IP address in the first box. If you have multiple admins, enter each of their IP addresses in this box. This will ensure that your own connection is excluded from any firewall processes. If you are unsure of your IP, click this link to discover what it is.
Ensure all the other boxes outlined in red below are checked.
In "Maximum execution time for each scan stage" - enter 30

Click on Save Changes

Once saved, it's usually a good idea to run a WordFence scan on your site now. To do this, under the WordFence menu on the left, click 'Scan' and then on the page that loads, click 'Start a WordFence Scan'.

If problems are found, you will be alerted in the bottom. For instance, the scan may show that a plugin needs updating, as shown in the example below. You should follow the advice of the scan report.