Wordfence is a powerful tool for protecting your WordPress site, particularly if it is self-managed. There are a lot of configuration options, however. Below I pull together some resources form the Wordfence website for optimizing your settings for best security.
Wordpress General Options
- Hide WordPress version: enable
- Disable Code Execution for Uploads directory: enable
Brute Force Protection
- Enable Brute Force Protest: On
- Lock out after how many login failures: 20
- Lock out after how many forgot password attempts: 5
- Count failures over what time period: 5 minutes
- Amount of time a user is locked out: 60 minutes
- Immediately lock out invalid user name: Only turn on w/ sites with few users
- Immediately block the IP of users who try to sign in as these usernames: admin, [your domain name]
- Prevent the use of passwords leaked in data breaches: For admins only
- Enforce strong passwords: yes
- Don’t let WordPress reveal valid users in login errors: yes
- Prevent users registering ‘admin’ username if it doesn’t exist: yes
- Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API: yes
- Block IPs who send POST requests with blank User-Agent and Referer: yes
- Custom text shown on block pages: you can add some text locked out users will see, such as information about how long they will be locked out or an email address they can contact the admin at. This section does not accept HTML.
- Check password strength on profile update: yes
- Participate in the Real-Time Wordfence Security Network: no
- Enable Rate Limiting and Blocking: yes
- Immediately block fake Google crawlers: yes (however, enabling this may result in ocassionally blocking actual visitors)
- How Should we Treat Google's Crawlers: Verified Google crawlers have unlimited access to this site
- If anyone's requests exceed: 240 per minute then tbhrottle
- If a crawler's page views exceed: 240 per minute then throttle
- If a crawler's pages not found (404s) exceed: 15 or 30 per minute then block
- If a humans page views exceed: 240 per minute
- If a human's pages not found (404s) exceed: 15 or 30 per minute then then block.
- How long is an IP addres blocked when it breaks a rule: Between 5 minutes and 1 hour.
It is OK to leave the default options under 'general options'.