How to Configure Wordfence Security Plugin for WordPress

Wordfence security plugin is a complete Anti-Virus and Firewall package for your WordPress install. It not only protects your site from many possible attacks, but also keeps you off Google’s SEO blacklist and help repair a hacked files, even if you don’t have backups. It also include a  features like login brute force protection, hiding your WordPress version number, blocking fake google crawlers and many other security enhancements.

Powered by their cloud scanning servers based in Seattle, they maintain a pristine copy of every version of WordPress core, plugins and themes ever released  in the WordPress repositories  to quickly verify your files against the originals. They also keep a cached copy of Google’s Safe Browsing list that is updated in real-time and used for your scans.

Of the security plugins i’ve used, wordfence has become my favorite security plugin when it comes to securing a WordPress site. I install it on all of my sites and it’s quiet easy to configure. It has an average rating of 4.9/5 on the WordPress repository, with over 1.8 million downloads.

Click here to see how Wordfence protect WordPress sites in Real-Time.

Here are some of the important features of this plugin:

  • Compare core WordPress files against originals in repository.
  • Compare plugins and open source themes against originals.
  • Scan files outside your WordPress installation
  • Scan your site for the HeartBleed vulnerability
  • Scan for known malware files
  • Scan file contents to see if they contain a malware, trojan, virus, backdoor, known dangerous URL or known vulnerability.
  • Scan files, posts an comments for URLs in Google’s Safe Browsing List
  • Scan for weak passwords
  • Scan DNS for unauthorized changes
  • Checks your disk space to prevent DDos attack.
  • Checks for out of date themes, plugins and core files

Brute-force log-in protection:

  • Locking out users after a specified number of failures are detected.
  • Immediately lock out invalid usernames.


  • Immediately block fake Google crawlers.
  • Blocks anyone that accesses your site too quickly.
  • Block anyone who is generating page not found errors too quickly.

Other Options:

The free version of Wordfence will automatically scan all the files and database tables of your site once a day and alert you via email  if there has been an intrusion. Upgrading to paid version of wordfence gives you two factor authentication (sign-in via cellphone) and country blocking, which are both effective ways to stop brute force attackers in their tracks.

Configuring Wordfence settings

Basic Options

  • Once installed, go to your Wordfence options in the side menu and enter your email address to receive alerts.
  • Uncheck Enable Live Traffic View. Live Traffic View is a nice feature that lets you see the real time activity of your site, but it causes a slow down in page load time, particularly on a high traffic site.
  • How does Wordfence get IPs: From the drop-down menu, select “Use PHP’s built in REMOTE_ADDR…” which is the recommended option for most cases.

Advanced options


Live Traffic View

Scans to include

Under Scans to include, select all options.

Firewall Rules

In the “Firewall Rules” section, you can set different rules for humans and crawlers who are trying to misuse your site. If someone breaks one of your rules, you can either “block” them or “throttle” them, which temporarily limits their access with an SEO safe 503 (come back later) HTTP message. The firewall rules must be set carefully based on the type of traffic. If you don’t know much about it,  just leave the settings alone.

Please note that these are only suggestions. You can even tighten up security by lowering the values on firewall rules.

Here are some tips for setting up firewall rules:

  •  If you choose to limit the rate at which your site can be accessed, you need to customize the setting or your site.
  • If your users usually skip quickly between pages, you should set the values for human visitors to be high.
  • If you are aggressively crawled by non-Google crawlers like Baidu, you should set the page view limit for crawlers to a high value.
  • If you are currently under attack and want to aggressively protect your site or your content, you can set low values for most options.
  • In general wordfence recommend you don’t block fake Google crawlers unless you have a specific problem with someone stealing your content.

Login Security Options

Other options

  • Whitelisted IP addresses that bypass all rules: Don’t touch this option unless you have a static IP address that never changes. 
  • If you’re participating in the WordFence security network, wordfence will immediately block any attack originating from an IP address that has attacked other WordPress sites.
  • Click Save Changes.

Run the scan

  • Under the Wordfence menu, go to the “Scan” and start your first security scan.

Once the scan is complete,  address the issues it finds which will appear at the bottom of the page.

If you run into trouble or have questions, please visit Frequently Asked Questions (FAQs)  for more information.

Leave a Comment