How to Configure the WordFence Plugin
WordFence is a fantastic plugin for WordPress that will dramatically increase the security of your WordPress blog. It is our recommended plugin for any WordPress site - with WordFence properly installed and configured, the likelihood of your blog being hacked is dramatically reduced.
However, WordFence has a lot of configuration options. The following article outlines how we would recommend that you configure WordFence.
Once you have installed WordFence as a plugin in WordPress, click on WordFence > All Options in the side menu. On this page, configure the settings as follows:
- Under Tool Options > Live Traffic Options make sure that Traffic logging mode is set to "Security Only". Live traffic view is a nice feature that lets you see real-time activity on your site, but it slows the site down, particularly on high-traffic sites. It is not essential and we strongly recommend that you turn this feature off.
- Under General Wordfence Options > How does WordFence Get IPs select "Use PHP's Built In REMOTE_ADDR".
- Under Wordfence Global Options > Email Alert Preferences, select all options except "Alert me when someone with administrator access signs in". This is probably over the top for most web sites, and will result in unnecessary email flow if you are regularly logging in anyway.
- Under Scan Options > General Options select all scans.
- Under Firewall Options > Basic Firewall Options click on "Optimize the Wordfence firewall" and follow its instructions to add the needed rules to the site's .htaccess file.
- Under Firewall Options > Advanced Firewall Options enter your public IP at "Allowlisted IP addresses that bypass all rules". This will ensure that your own connection is excluded from any firewall processes. If you are unsure of your IP, click this link to discover what it is.
Finally, click on Save Changes. Once saved, it's usually a good idea to run a WordFence scan on your site now. To do this, under the WordFence menu on the left, click 'Scan' and then on the page that loads, click 'Start a new scan'.
If problems are found, you will be alerted at the bottom. For instance, the scan may show that a plugin needs updating. You should follow the advice of the scan report.