If you’re reading this, the chances are you’ve heard of WordFence and maybe even have it installed – but how do you know that the settings are right for your site? I’m going to show you how to set up WordFence with tight but manageable security so you can have peace of mind that your site is secure against hackers but accessible to your users.
Why you need a security plugin
WordPress is the most popular CMS on the planet with almost half of all websites built on its platform (source: http://trends.builtwith.com/cms). Being that big attracts a lot of attention, especially from hackers.
The most common route hackers use to access a WordPress site is via the admin login. A security plugin helps to prevent unauthorised access by increasing the security of the login process – #5 in our recent post, 5 Ways to Stop Your WordPress Site Being Hacked.
Of the security plugins listed in the WordPress repository, WordFence seems to be the most popular and it’s the one we’ve been using on our own site for a while now.
In fact, we now routinely install it on our customer’s sites because it helps to prevent:
- Unauthorised access to your site via the admin login.
- Access to your site through security flaws in out-of-date core, theme and plugin files.
- Hacked files going undetected on your site.
WordFence has quite a lot of technical settings but comes with five pre-determined security levels to make the set up much easier. We tried all five levels and found them to be too restrictive in some areas and not tight enough in others so we came up with our own settings, which have proven to work well for us and our customers.
There are two versions of WordFence: free and premium. So far we’ve been using the free version and have been impressed with the features and overall performance. For $39 USD (October 2014), you can upgrade to the pro version, which has additional features such as advanced spam filtering and country blocking, but we haven’t found this to be necessary so far.
As we’ve been using the free version, I’m going to show you how to set that one up. Also, most of the pro features are self explanatory or don’t have many options so this will pretty much cover everything you need to know.
How to set up WordFence
Before we get into it, there’s just one thing I want to mention: we can’t guarantee these settings will be the optimum ones for your site or that your site won’t be hacked by using them. Every site has its own requirements so we recommend using our settings as a starting point and fine tuning from there.
If you haven’t done so already, first install the plugin from the WordPress repository (Plugins > Add New) and activate it.
WordFence will ask you to enter your email for alerts – we strongly suggest you do this, as well as subscribing to their mailing list so you can stay up-to-date with the latest news about WordPress security.
Then, go to the WordFence options page in the WordPress admin, select Security Level 2 from the drop-down menu and adjust the settings as detailed in the image below.
The settings we suggest you fine tune to your requirements are:
- Alerts – these are useful but can be annoying so rather than delete the plugin, we disable all alerts except critical problems and warnings.
- Scan theme/plugin files against repository versions for changes – we like to scan these but there can be false positives if vendors don’t release their updates properly so we only turn this on for manual scans.
- Scan files outside your WordPress installation – we only use this if we suspect a site has been hacked and we’re looking for infected files. It can cause scans to get stuck in a loop or be killed by the server so you should only use it when you can monitor the process.
- Exclude files from scan that match these wildcard patterns – scanning large archive files or documents such as PDF’s, can use a lot of memory and prevent the scan from finishing. Enable debugging mode to identify the problem file types and add them to this list.
- If a crawler’s/human’s pages not found (404’s) exceed – we set a tight limit on this because we have very few broken links on, or to, our site so 404’s should be rare.
- If 404’s for known vulnerable URL’s exceed – we set an even tighter limit on this for the same reason as #4 plus the URL’s are known to be vulnerable.
- How long is an IP address blocked when it breaks a rule – we set this to an hour so it’s long enough to significantly reduce the risk of being hacked without a high risk of blocking a legitimate IP.
- Lock out after how many login failures/forgot password attempts – we set this to 3 as it seems unlikely that a legitimate login attempt will need more than 3 attempts in either case.
- Count failures over what time period – we set this to 1 day because it’s long enough to greatly reduce a hackers progress but short enough not to be a huge problem for users that have forgotten their password or don’t know it’s been changed.
- Amount of time a user is locked out – we set this to 1 day because it’s long enough to significantly slow a hackers progress but short enough not to be a major problem for users that make a mistake.
- Immediately lock out invalid usernames – we don’t use this because it can be a pain if you or your users make a typo and you’re locked out for a day.
If you want to learn more about the settings, WordFence have published an in depth guide on their website here: http://docs.wordfence.com/en/Wordfence_options
What if you just use the default settings?
There’s nothing wrong with using the default settings, but they’re unlikely be the optimum balance of security and accessibility for your site. The settings we’ve recommended have proven to work well for our site and our customers’ sites, but every case is different.
To find the optimum settings for your site you’ll need to test, get feedback from your users, adjust the settings and repeat.
If you’re not comfortable setting up WordFence yourself or not sure what settings you need, our WordPress support team will take care of it for you, as well as monitoring your site for alerts and reacting quickly to any issues.