Configuring WordFence for WordPress Security

June 2024

WordFence is a long-standing and widely used WordPress security plugin. Protecting over 5 million sites, its web application firewall ships with 467 firewall rules and its scanner with 4,929 malware signatures (counts at the time of writing). WordFence also offers 2FA for your WordPress users, numerous hardening settings, request logging, and brute-force protection. The free version is essential for WordPress security.

Installing WordFence

Via the WordPress plugin directory: in your WordPress admin dashboard go to Plugins > Add New, search for “WordFence”, click Install Now, then Activate.

Via manual upload: download the plugin zip from wordfence.com, then in your WordPress admin dashboard go to Plugins > Add New > Upload Plugin, upload the zip file you just downloaded, install it, and activate it.

After activation, WordFence will ask you to install a license. The free license works fine; a paid license adds real-time firewall rule and malware signature updates (the free license receives new rules and signatures 30 days later) and support if your site gets hacked.

Configuring the WordFence Firewall

Basic Firewall Configuration

Once WordFence is installed, configure the firewall. Go to the WordFence dashboard and select Manage Firewall.

In the Firewall dashboard, set the Web Application Firewall Status to Enabled and Protecting. By default it is in Learning Mode: the firewall observes traffic instead of blocking it and automatically allowlists the URLs and parameters that would otherwise have been blocked, which is meant to prevent conflicts with themes and plugins. In my experience conflicts do happen, but on a basic WordPress setup they are very rare, and because anything that arrives while the firewall is learning, including an attacker’s requests, can end up allowlisted, I switch the firewall to Enabled and Protecting immediately. After changing the status, be sure to click Save Changes in the top right corner of the screen.

Enhanced Firewall Configuration

With the firewall Enabled and Protecting, enable extended protection by clicking the “Optimize the Wordfence Firewall” button. This makes PHP load the firewall before WordPress itself (via an auto_prepend_file directive that WordFence writes to your .htaccess or .user.ini, depending on how PHP is run), so requests are filtered before any vulnerable plugin code can execute. You will see a warning about backing up your .htaccess (and .user.ini) file; download the backup and proceed. It is rare for optimizing the firewall to break a site, but if it does, restoring that backup reverts the change.

Advanced Firewall Options

Once the firewall is optimized, open the Advanced Firewall Options drop-down to configure the remaining settings.

Here you can adjust several firewall-related settings, such as:

  • Delay IP and country blocking until after WordPress and plugins have loaded: by default these blocks are enforced before WordPress loads, which is cheaper and safer; this option defers them until your entire WordPress install has loaded. I would generally leave it off.
  • Allowlisted IP addresses that bypass all rules: you are more likely to need this in advanced setups where other applications or services communicate with your WordPress site. Be conservative, because an allowlisted IP skips the firewall entirely.
  • Allowlisted services: I generally leave these alone, but feel free to adjust them. When checked, WordFence lets these services reach your site without being blocked by firewall or rate-limit settings (for instance, it keeps Facebook’s crawler from being blocked if you have stricter rate limits in place).
  • Immediately block IPs that access these URLs: set this if you have strictly off-limits pages or endpoints to protect (make sure your own IP is in the allowlisted IPs section first, or you will block yourself).
  • Ignored IP addresses for Wordfence Web Application Firewall alerting: handy if you access the site from a static IP, or another service with a static IP accesses it, and you are tired of seeing that IP in alerts and logs. This only silences alerts; it does not exempt the IP from the firewall.
  • Rules: turn individual firewall rules on or off according to your needs. Leave them all enabled unless a specific rule is breaking legitimate functionality.

Brute Force Protection

In the Brute Force Protection drop-down you can configure how login attacks are handled: how many failed logins (and how many forgotten-password attempts) from one IP are tolerated, the period over which they are counted, and how long the IP is then locked out. The same section lets you immediately lock out attempts with invalid usernames, enforce strong passwords and reject passwords that have appeared in known breaches, and stop WordPress from revealing valid usernames through login error messages, /?author=N scans, and the REST API.

Rate Limiting

In the Rate Limiting drop-down you can set the maximum number of requests (page views, 404s, and so on) that crawlers and humans may make to your site per minute before WordFence throttles or blocks them, and how long a visitor who breaks a rule stays blocked.
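To make the two settings above concrete, here is an added example, written for this article and not taken from WordFence, that replays a constructed access log through a sliding-window lockout (the Brute Force Protection thresholds) and a per-minute request counter (the Rate Limiting thresholds). The log format, the IP addresses, the threshold values and the “throttle or block” action are all assumptions chosen for illustration.

```python
"""Sliding-window lockout and rate limiting of the kind the Wordfence Brute
Force Protection and Rate Limiting settings describe.  Added example written
for this article, not Wordfence's code; the log lines, thresholds and field
layout are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Policy:
    max_login_failures: int = 5         # "Lock out after how many login failures"
    failure_window: int = 300           # "Count failures over what time period" (s)
    lockout_seconds: int = 900          # "Amount of time a user is locked out" (s)
    max_requests_per_minute: int = 120  # requests per minute before rate limiting
    rate_action: str = "throttle"       # Wordfence offers "throttle" or "block"


class Guard:
    """Tracks per-IP failed logins and request counts over sliding windows."""

    def __init__(self, policy: Policy):
        self.p = policy
        self.failures = defaultdict(deque)   # ip -> timestamps of failed logins
        self.requests = defaultdict(deque)   # ip -> timestamps of all requests
        self.locked_until = {}               # ip -> epoch second the lockout ends

    @staticmethod
    def _prune(dq: deque, now: int, window: int) -> None:
        while dq and dq[0] <= now - window:
            dq.popleft()

    def handle(self, ts: int, ip: str, path: str, status: int) -> str:
        if self.locked_until.get(ip, -1) > ts:
            return "blocked"

        # Rate limiting counts every request, not just logins.
        reqs = self.requests[ip]
        self._prune(reqs, ts, 60)
        reqs.append(ts)
        if len(reqs) > self.p.max_requests_per_minute:
            if self.p.rate_action == "block":
                self.locked_until[ip] = ts + self.p.lockout_seconds
                return "blocked"
            return "throttled"

        # A 401 on wp-login.php is treated as one failed login attempt.
        if path == "/wp-login.php" and status == 401:
            fails = self.failures[ip]
            self._prune(fails, ts, self.p.failure_window)
            fails.append(ts)
            if len(fails) >= self.p.max_login_failures:
                self.locked_until[ip] = ts + self.p.lockout_seconds
                fails.clear()
                return "blocked"
        return "allowed"


# Constructed access log: (epoch second, client IP, path, HTTP status).
SAMPLE_LOG = [
    (0,  "203.0.113.5", "/wp-login.php", 401),
    (5,  "203.0.113.5", "/wp-login.php", 401),
    (9,  "203.0.113.5", "/wp-login.php", 401),
    (12, "203.0.113.5", "/wp-login.php", 401),
    (15, "203.0.113.5", "/wp-login.php", 401),   # 5th failure -> locked out
    (16, "203.0.113.5", "/wp-login.php", 401),   # still locked
    (20, "203.0.113.5", "/wp-admin/", 200),      # lockout applies to all requests
    (30, "198.51.100.7", "/wp-login.php", 401),  # one typo from a real user...
    (40, "198.51.100.7", "/wp-login.php", 200),  # ...then a successful login
] + [(50 + i // 4, "192.0.2.9", f"/?p={i}", 200) for i in range(200)]  # 4 req/s scraper


def replay(log, policy=None):
    guard = Guard(policy or Policy())
    return [(ts, ip, guard.handle(ts, ip, path, status)) for ts, ip, path, status in log]


def summarize(log, policy=None):
    """Verdict counts per IP, e.g. {'203.0.113.5': {'allowed': 4, 'blocked': 3}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for _, ip, verdict in replay(log, policy):
        counts[ip][verdict] += 1
    return {ip: dict(v) for ip, v in counts.items()}


if __name__ == "__main__":
    for ip, verdicts in summarize(SAMPLE_LOG).items():
        print(ip, verdicts)
```

Two things worth noticing when you tune the real settings: the lockout applies to every request from the IP, not only further login attempts, and a single failed login from a legitimate user never trips the counter, which is why a small failure count with a modest window is usually safe.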

Allowlisted URLs

In this section you can allowlist URLs together with the request parameters the firewall should ignore on them. This is helpful in multi-user setups where certain URLs or endpoints trigger the firewall to block legitimate requests from non-admin users. I have seen this especially where a plugin lets users upload .csv files or other content that looks like an attack payload to the firewall. Allowlisting URLs is fairly involved and I intend to make a separate tutorial on it. The quickest way to debug such a block is to temporarily put the firewall in Learning Mode, perform the action that was being blocked, then set the firewall back to Enabled and Protecting; you will see that the firewall has automatically added the URL and parameter to the allowlisted URLs section here. Review what it added and keep only the specific URL and parameter pairs that caused the false positive.

Configuring the WordFence Scanner and Scanning Your WordPress Site

Next we will configure the scanner settings and schedule and run a first scan. Go to WordFence > Scan; once on the scan dashboard click “Manage Scan” or “Scan Options & Scheduling”.

Now that you are at the Manage Scan dashboard, we can go through the basic scanner settings.

Scan Dashboard

From the scan dashboard you can see the Scan Type, the Malware Signatures type, and the status of your site’s Reputation Checks. With the free license you get the community malware signatures and no reputation checks. For our purposes that is good enough.

Basic Scan Type Options

In the Basic Scan Type Options drop-down you can change the scan type that runs on your schedule: Limited, Standard, High Sensitivity, or Custom. The dashboard explains fairly well what each scan does. I recommend leaving it at Standard unless you think you may have been hacked, in which case run a High Sensitivity scan.

Scan Scheduling

In the Scan Scheduling drop-down you can choose whether to run scheduled scans at all. With the free license WordFence decides when the scans run; with a paid license you can set the schedule yourself.

General Scan Options

In the General Options drop-down you can adjust various scan settings, such as scanning file contents for malicious URLs, checking password strength, and so on. Go through these one by one and adjust them to your needs, but the defaults are good for most use cases.

Performance Options

In the Performance Options tab you can limit the scan’s impact on server resources (execution time per scan stage, memory, and the maximum file size scanned). I usually leave these alone and most sites can do the same, but you may need to lower these limits if you are running on a very small server.

Advanced Scan Options

If you have specific files to exclude from the scan, add them in the Advanced Scan Options tab. Here you can also add custom malware signatures (regular expressions matched against file contents), set how many times to retry each stage of the scan, and choose whether to only use IPv4 to start scans.

Run the Scan

Now that you have been through all of the scan settings, run your first scan. It takes a while depending on the size of your site; on average allow 15 to 30 minutes for it to finish. After the scan completes, review the results. Expect to see a notice about paths skipped due to scan settings: by default WordFence skips certain paths and file types, partly to avoid scans that loop endlessly through certain directory structures (I have seen this happen, and I recommend keeping the default scan settings unless you think you may have been hacked). Review the scan results and correct anything that needs to be corrected.

“Correct anything that needs correcting” is, of course, far too broad. If any file shows up as containing malware or as suspicious, review it manually; see my article on manually reviewing WordPress files 101 (link coming soon).

WordFence Live Traffic

WordFence Live Traffic is a useful tool for viewing attacks and requests to your site, and if you need to allowlist URLs, IPs, and so on, it is going to be your best friend. Live Traffic has two logging modes: Security Only and All Traffic. Security Only records security-related traffic (logins, blocked requests, and the like); All Traffic records every request. I have never tried using All Traffic as a complete replacement for WP Activity Log, and it records far more traffic than you will want to filter through when analyzing security-related events, so I leave it on Security Only unless I really want to analyze traffic.

For each request you can see its type (bot or human; allowed, blocked, or warning), the visitor’s location, the page visited, the time of the request, the visitor’s IP, hostname, and the server response. Click anywhere on a request to view its details, including the browser type, along with options to block or allow the IP that made the request, run a Whois lookup on it, view recent traffic from that IP, and, where applicable, allowlist the action or URL that was blocked.

When you select “See Recent Traffic” or “Whois”, a slide-out panel displays recent traffic from that IP or additional information about the IP, respectively.

WordFence Whois

WordFence Whois looks up a visitor’s IP and displays additional information about it, such as the hostname, the network that owns it, and contact information.

WordFence Import/Export

The WordFence Import/Export page lets you import WordFence settings from another site, saving the time it would take to configure them again by hand. The Export feature generates a token for your site’s WordFence settings that you can then use to import them into another site.

WordFence Diagnostics

In the WordFence Diagnostics tab you can view a wealth of information about your site, from the WordFence version installed to the MySQL version of your WordPress database. It is the first place to look when the firewall or scanner misbehaves.

WordFence 2FA

WordFence also lets you require 2FA for your site’s users. Go to WordFence > Login Security > Two-Factor Authentication to enable it. Here you can set 2FA policies, such as requiring 2FA by user role (for instance administrators or editors) and for individual users. You can also set how long a user has to activate 2FA (the grace period) and other options such as whether to enable a front-end page for users to configure 2FA. Setting up 2FA for a user is straightforward: the user opens their profile in the wp-admin area, clicks to activate 2FA, and is walked through scanning the QR code with an authenticator app, entering a code to confirm it, and saving their recovery codes.
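For readers who want to understand what happens when a user scans that QR code, here is an added example, written for this article with only the Python standard library, of the TOTP mechanism that authenticator-app 2FA (WordFence’s included) is built on: the QR code encodes an otpauth:// URI carrying a shared secret, and the app and the site independently derive six-digit codes from it. This is not WordFence’s implementation; the issuer, account name, clock-drift window and recovery-code handling are assumptions made for the example.

```python
"""TOTP (RFC 6238) enrolment and verification as used by authenticator-app
2FA.  Added example written for this article; not Wordfence's code.  The
issuer, account name and secrets are constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP = 30    # seconds per TOTP time step
DIGITS = 6   # code length


def new_secret(nbytes: int = 20) -> str:
    """Random base32 secret (160 bits, the length RFC 4226 recommends for SHA-1)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The string an enrolment QR code encodes."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={urllib.parse.quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // STEP)


def verify(secret_b32: str, submitted: str, at: Optional[float] = None,
           window: int = 1, used: Optional[set] = None) -> bool:
    """Accept the current code or its +-window neighbours (clock drift), compare
    in constant time, and refuse a counter that was already consumed (replay)."""
    at = time.time() if at is None else at
    counter = int(at) // STEP
    for c in range(counter - window, counter + window + 1):
        if used is not None and c in used:
            continue
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            if used is not None:
                used.add(c)
            return True
    return False


def recovery_codes(n: int = 5):
    """One-time backup codes; only the hashes should be stored server-side."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, hashes


if __name__ == "__main__":
    secret = new_secret()
    print(provisioning_uri(secret, "alice", "example.com"))
    print("current code:", totp(secret), "valid:", verify(secret, totp(secret)))
```

Two details matter for operating 2FA on a real site. Codes are a pure function of the secret and the current time, which is why the NTP setting discussed below exists: if the server clock drifts by more than the accepted window, every code the user types is rejected. And a code must never be accepted twice within its validity window, or an attacker who captures one (for example by phishing) can replay it.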

General WordFence Login Security Settings

On the Settings tab under WordFence > Login Security > Settings you can manage numerous settings related to user and application authentication, including:

  • Enforcing 2FA by role
  • 2FA grace period
  • Allow remembering a device for 30 days on user login
  • Disable XML-RPC for application authentication (XML-RPC is a common brute-force path; disable it unless a client or plugin you rely on needs it)
  • Require 2FA for XML-RPC authentication
  • WooCommerce integration
  • 2FA management shortcode
  • Allowlisted IPs that bypass 2FA
  • reCAPTCHA v3 integration for the login and registration forms
  • NTP integration (I highly recommend leaving this alone; 2FA codes depend on accurate time, and turning it off on a server with a drifting clock could lock you out of your site)
  • and more

All Options

You can also view every WordFence setting at once on the “All Options” tab.

That's a Wrap!

This has been a lengthy tutorial, but I hope it proved easy to follow and helped you optimize WordFence for your WordPress site’s security!

Walter Miely is a tech entrepreneur and CEO of Phoenix Ignited Tech. You can find him on LinkedIn. This material is licensed under the CC BY 4.0 License. LEGAL DISCLAIMER: The content provided here is provided AS IS, and part of, or the entirety of, this content may be incorrect. Please read the entire Legal Disclaimer here.