Wordfence is a powerful tool for protecting your WordPress site, particularly if it is self-managed. There are a lot of configuration options, however. Below I pull together some resources form the Wordfence website for optimizing your settings for best security. You can find the official help documents here.
WordPress General Options
- Hide WordPress version: enable
- Disable Code Execution for Uploads directory: enable
Brute Force Protection
- Enable Brute Force Protest: On
- Lock out after how many login failures: 20
- Lock out after how many forgot password attempts: 5
- Count failures over what time period: 5 minutes
- Amount of time a user is locked out: 60 minutes
- Immediately lock out invalid user name: Only turn on w/ sites with few users
- Immediately block the IP of users who try to sign in as these usernames: admin, [your domain name]
- Prevent the use of passwords leaked in data breaches: For admins only
- Enforce strong passwords: yes
- Don’t let WordPress reveal valid users in login errors: yes
- Prevent users registering ‘admin’ username if it doesn’t exist: yes
- Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, and the WordPress REST API: yes
- Block IPs who send POST requests with blank User-Agent and Referrer: yes
- Custom text shown on block pages: you can add some text locked out users will see, such as information about how long they will be locked out or an email address they can contact the admin at. This section does not accept HTML.
- Check password strength on profile update: yes
- Participate in the Real-Time Wordfence Security Network: no
- Enable Rate Limiting and Blocking: yes
- Immediately block fake Google crawlers: yes (however, enabling this may result in occasionally blocking actual visitors)
- How Should we Treat Google's Crawlers: Verified Google crawlers have unlimited access to this site
- If anyone's requests exceed: 240 per minute then throttle
- If a crawler's page views exceed: 240 per minute then throttle
- If a crawler's pages not found (404s) exceed: 15 or 30 per minute then block
- If a humans page views exceed: 240 per minute
- If a human's pages not found (404s) exceed: 15 or 30 per minute then then block.
- How long is an IP address blocked when it breaks a rule: Between 5 minutes and 1 hour.
It is OK to leave the default options under 'general options'.
Import and Export
If you run multiple WordPress sites, you can export or import your settings after configuration. Using the import and export function, Wordfence will provide a code which can be conveniently copy and pasted into other instances of Wordfence.
If you are interested in a more thorough guide, you can check out this Wordfence tutorial by wpbeginner. Also, please check back soon for our upcoming blog post on top WordPress privacy and security plugins.