Table of contents

Intro

I had the “pleasure” of dealing with malware attacks in the past and during those, I played a lot with Wordfence to create a strict setup.

In this article, I’ll try to focus on a more strict setup approach for Wordfence and not the default one-click install.

It will be a step-by-step set-up, but I’ll skip some of the obvious settings or the ones that Wordfence enables by default.

Good Practices

Just to get it out of the way I’ll list a few things that you should do on every WordPress install and they are not 100% related to Wordfence, more like the title says Good Practices.

  • Don’t use “admin”, “administrator”, “admin1”, “theSiteName”, or similar ones as username. These are the first that will be used when bots are spamming the login form.
  • Set a strong password. WordPress already provides you with the option to generate one. If you don’t want an ‘ugly’ password make your own, but make sure it’s a strong one (long, symbols, numbers, uppercase, lowercase).
  • Remove any unused administrator accounts from your WP, or change them to a lower user role.
  • Keep your plugins and WP updated, this is one of the most common ways to get backdoor access to your site.
  • Don’t install any shady plugins. Look in the WP Plugin directory and see the ratings and reviews for a plugin, it’s easy to spot if something is wrong (low rating, low number of installs, discussions with problems).
  • Delete deactivated plugins. Even if the plugin is deactivated, it still can be targeted for backdoor access. If you don’t use it, delete it.

General Settings

In Wordfence > All Options section we’re going to find most of the settings from today’s article. Let’s start with the General Settings.

I recommend setting Wordfence to automatically update, hide the WordPress version, and Disable Code Execution for Uploads.

Firewall

By default the Firewall Status will be in “Learning Mode” and it will stay like that for a week. It’s meant to do that in order to learn what you’re doing on the site and mark as white flags certain actions that are no a threat to the security of your WordPress install.

You can switch it to “Enabled and Protecting” if you want to have a more strict approach from the start.

The Advanced section of the Firewall will allow you to implement restrictions based on IPs. You can allow certain IPs to bypass all rules, block IPs or block an IP if it tries to access a certain URL.

The last one is very efficient when you’re dealing with malware that creates files on your server and uses those files to execute unwanted code.

If you’re able to track down via the logs what files are created and that they shouldn’t exist, you can add those paths to Wordfence and have those IPs blocked the moment they try to access the files.

The Brute Force Protection is a very important section, it’s the first one that I go to whenever I install Wordfence. I think this is one of the settings that have the most effect with little effort.

My approach is to limit the number of tries and increase the locked-out period to a maximum.

Other useful settings here are the “Immediately lock out invalid usernames” and “Immediately block the IP of users who try to sign in as these usernames”.

The first one is really strict since someone might mistype their user name, the second one is a good one to use in combination with the statics from the Firewall tab where you get a list of failed login attempts along with the user name tried. If the username from those failed attempts is not real, you can add them to the list so whoever is trying them gets blocked instantly.

Rate Limiting is turned on in most cases, but there are no restrictions on the number of requests or page views per minute. You can control this and Wordfence provides you with some documentation on how to do it.

In the screenshot below are some of the settings that I used when I wanted to set a very strict environment.

Allowlisted URLs is a section that I recommend monitoring from time to time. Usually, here you will see whitelisted URLs that you added whenever Wordfence popped with a notification asking you if the action you’re about to do is ok, or not. But there are cases where some URL with parameter gets whitelisted and it’s acting like a backdoor.

Blocking

The free version of Wordfence will allow you to block IPs or custom patterns (IP address range, hostnames, or a referrer). If you want to block a country you will need the Premium version.

During attacks on your website, you will be able to identify the IPs or the network from where the attacks come. Once you do that you can go to the Blocking section and add the settings that will help you deal with the attacker.

Scan

Let Wordfence decide when it’s the best time to scan your website files.

Set the Scan Type to be “High Sensitivity”.

Scan General Option just check everything from the list. You can read and see all the details around them, since we’re doing a strict Wordfence setup I’d go with enabling everything for scan.

Performance Options can be left as they are at the beginning, you can increase the memory if you have more to spare.

Live Traffic

Set Live Traffic for Security Only, if you want to be extra careful you can also uncheck the “Don’t log signed-in users with publishing access”.

The Live Traffic tab will be a good place to check what is happening on the site when you’re under attack. See who is logging in, who tries to access certain addresses, and more, all that in real time.

As you can see here on the Live Traffic tab, you get a lot of information on visitors and potential threats. You can easily block an IP from here when you see that they are trying to access all sorts of files.

Login security

We arrived at the Login Security Settings where I recommend 2 things:

  • Disable XML-RPC authentication
  • Enable 2FA login for all users that have publishing rights. Set a grace period of 2 days and inform all users to go and activate their 2FA. This way you’re adding an extra layer of protection to your site. This can be very useful when there is a password leak for one of your users. Even with the correct password, the 2FA will still be in place and no login is possible.

Conclusion

The steps described above might be overkill for some, but in the end, this was aimed to provide a more strict setup in Wordfence. Based on your traffic, the number of users, and understanding of how Wordfence works, you can adjust those settings to better fit your needs.

Even if you don’t use these exact settings, you can still use this article as a checklist for your own settings.

Also, you can’t ignore the good practice section at the beginning. Sometimes a little common sense will help you stay safe online.