Best Wordfence Settings for speed and security

Last edited: November 1, 2023

💡 We may earn a commission if you subscribe to a service from a link on this page.

In the dynamic world of the internet, ensuring the security and performance of your WordPress website is of paramount importance. Wordfence, a leading security plugin for WordPress, is one of the best ways to safeguard your website from a multitude of malicious threats. In this comprehensive guide, we will explore the best Wordfence settings that enhance the security of your website, making sure we do not sacrifice performance.

💡 Disclaimer: We are not connected, affiliated, sponsored or partnering with Wordfence® in any way. This is just a tutorial for informational purposes, aiming to present a suggested setup for your WordPress website.

Wordfence Installation

Historically, enabling Wordfence was a straightforward process, simply a matter of clicking a few buttons. However, there has been a recent shift in the installation process. Now, to harness the power of Wordfence, you are required to obtain a free license. Fortunately, this is an efficient and hassle-free process. You don’t need to engage in the laborious task of creating an account; all that’s needed is your email subscription. Subscribing with your email also gives you access to valuable articles and insights, making it a win-win situation.

Wordfence Admin Menu Options

Upon installing Wordfence, you’ll notice a dedicated Wordfence menu within your WordPress admin panel. This menu provides an array of options for managing your website’s security. Among these options are the Dashboard, Firewall, Scan, Tools, and Login Security. What’s more, Wordfence offers the flexibility to further customize your security settings within the “All Options” section. The Dashboard serves as a central hub, allowing you to keep an eye on your website’s overall security status and activity.

Best Wordfence options for security and speed

Wordfence Global Options

General Options: The configuration of general settings serves as the foundation of your Wordfence setup. This section covers crucial settings related to the firewall, scan, and login security. Tailoring these settings to your specific needs is essential for an optimal balance between security and performance.

Two important options here that we suggest you change are:

  • Hide WordPress version: Enabled
  • Disable Code Execution for Uploads Directory: Enabled

Email Alert Preferences: Staying informed about your website’s security status is vital. Wordfence provides email alerts that you can customize to your preferences, ensuring you receive timely notifications of any security-related events. Defaults are fine as the options purely depend on your personal preference.

Activity Report: The activity report keeps you informed about various security-related events on your website, providing an overview of your site’s security status.

Again, defaults are fine for the email summary. Just make sure you do not increase the interval further, since 1 month is too long to wait to be notified if something goes wrong. If you only run your website, we suggest you decrease it to daily.

Firewall Settings

The Wordfence firewall is a critical component of your website’s defense against various online threats. Within the firewall settings, you have the option to configure both basic and advanced settings. By personalizing these settings, you can significantly enhance the security of your website.

Basic Firewall Options: These settings provide fundamental protection for your website. Customizing these settings based on your site’s unique needs is essential for bolstering your security.

Make sure you leave the firewall on Learning Mode for at least a week. 10 days is even better. After a few days, remember to check back and verify the firewall has been enabled.

Advanced Firewall Options: For advanced users and those who require a higher level of security, Wordfence offers a range of fine-tuned options. These settings allow you to tailor your security strategy down to the IP level, giving you the option to whitelist IPs. This section of options purely depends on your scenario. To start, you can leave the defaults (which are empty).

Brute Force Protection: Protecting your website against brute force attacks is paramount. The settings within this section help you defend your site against these malicious login attempts.

The default brute force options can certainly be improved. We advise you to change the default settings to the following:

  • Lock out after login failures: 8
  • Lock out after forgot password: 5
  • Count failures time period: 4 hours
  • Amount of time a user is locked out: 4 hours
  • Immediately lock out invalid usernames: enabled
  • Immediately block usernames: wwwadmin, admin, yourwebsitename, administrator, admin@yourwebsite.com, info@yourwebsite.com (those are common names bots are using most often)

Make sure you disable username discovery and application passwords if you don’t need them.
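
To see what these lockout values would do before relying on them, the following added example (not Wordfence's code, and not from the original guide) replays failed logins through a simplified model of the policy. The model itself, the `replay` and `sample_events` names, the `editor` account and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Values from the list above; the blocked names are a subset of that list.
MAX_FAILURES = 8
WINDOW = timedelta(hours=4)    # "Count failures time period"
LOCKOUT = timedelta(hours=4)   # "Amount of time a user is locked out"
BLOCKED = {"wwwadmin", "admin", "administrator"}

def replay(events, known_users):
    """Replay time-ordered failed logins given as (timestamp, ip, username).

    Returns the lockouts this model would issue as (timestamp, ip, reason).
    """
    failures, locked_until, lockouts = {}, {}, []
    for ts, ip, user in events:
        if locked_until.get(ip, ts) > ts:
            continue                      # still locked out, attempt is dropped
        if user.lower() in BLOCKED:
            reason = "blocked username"   # "Immediately block usernames"
        elif user.lower() not in known_users:
            reason = "invalid username"   # "Immediately lock out invalid usernames"
        else:
            # Keep only failures inside the counting window, then add this one.
            recent = [t for t in failures.get(ip, []) if ts - t < WINDOW] + [ts]
            failures[ip] = recent
            if len(recent) < MAX_FAILURES:
                continue
            reason = "too many failures"
        locked_until[ip] = ts + LOCKOUT
        failures.pop(ip, None)
        lockouts.append((ts, ip, reason))
    return lockouts

def sample_events():
    """Constructed failures; IPs are documentation ranges, 'editor' is made up."""
    t0 = datetime(2023, 11, 1, 9, 0)
    def at(minutes):
        return t0 + timedelta(minutes=minutes)
    ev = [(at(m), "192.0.2.10", "editor") for m in range(10)]        # rapid failures
    ev += [(at(40 * i), "203.0.113.5", "editor") for i in range(8)]  # spread-out typos
    ev += [(at(5), "198.51.100.7", "admin"), (at(6), "198.51.100.8", "nosuchuser")]
    return sorted(ev)

if __name__ == "__main__":
    for ts, ip, reason in replay(sample_events(), {"editor"}):
        print(ts.isoformat(), ip, reason)
```

Feeding it your own login-failure history shows how many legitimate users the thresholds would have locked out.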

Rate Limiting: Rate limiting is a crucial technique for preventing abuse of your site’s resources. Properly configuring rate limiting can significantly enhance your website’s security while keeping it performant by identifying “greedy” visitors who consume a lot of resources. Most of the time, those are bots that eat up bandwidth from legitimate visitors. When you rate limit those bots, you lighten up the effort your server needs to handle your visitors.

  • Crawlers page not found (404) exceed: 60 per minute
  • Human’s page views exceed: 120 per minute
  • Human’s pages not found (404) exceed: 60 per minute
  • How long is an IP address blocked: 2 hours
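
Before switching these limits on, you can dry-run them against an existing access log to see which clients would have been throttled. This is an added example, not Wordfence's implementation or code from the original guide; the calendar-minute bucketing, the user-agent crawler test, the function names and the sample log lines are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Thresholds from the list above (requests per minute, per IP).
LIMITS = {("crawler", "404"): 60, ("human", "views"): 120, ("human", "404"): 60}

# Combined Log Format: ip - - [time] "METHOD path proto" status size "referer" "agent"
LINE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ \S+ [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
BOT_HINT = re.compile(r"bot|crawl|spider", re.I)  # assumption: crude crawler test

def over_limit(lines):
    """Return {(ip, minute, kind, metric): count} for buckets above the limits."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        ip, when, status, agent = m.groups()
        stamp = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z")
        minute = stamp.strftime("%Y-%m-%d %H:%M")
        kind = "crawler" if BOT_HINT.search(agent) else "human"
        counts[ip, minute, kind, "views"] += 1
        if status == "404":
            counts[ip, minute, kind, "404"] += 1
    # "exceed" is read as strictly greater than the limit; unlisted pairs have none.
    return {k: n for k, n in counts.items()
            if n > LIMITS.get((k[2], k[3]), float("inf"))}

def sample_log():
    """Constructed log lines; IPs are documentation ranges, ExampleBot is made up."""
    def row(ip, i, status, agent):
        return (f'{ip} - - [01/Nov/2023:10:15:{i % 60:02d} +0000] '
                f'"GET /p{i} HTTP/1.1" {status} 512 "-" "{agent}"')
    rows = [row("203.0.113.9", i, 404, "Mozilla/5.0") for i in range(61)]
    rows += [row("198.51.100.20", i, 404, "ExampleBot/1.0") for i in range(60)]
    rows += [row("192.0.2.44", i, 200, "Mozilla/5.0") for i in range(121)]
    return rows

if __name__ == "__main__":
    for key, n in sorted(over_limit(sample_log()).items()):
        print(*key, n)
```

If a real visitor or a search engine crawler you care about shows up in the output, raise the matching limit before enabling blocking.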

Scan Settings

Wordfence scans are an important component of your website’s security. Within this section, you can configure your scan settings to ensure the best possible performance and protection.

Scan Schedule: Setting up a scan schedule ensures that your website undergoes regular checks for vulnerabilities. It is essential to choose a schedule that aligns with your site’s activity, striking the right balance between security and performance. If you don’t have a dedicated server and/or you do not own the premium version, we suggest completely disabling the automatic scans. They have a great impact on your site’s performance when they are running. After all, you can always start a scan manually whenever you like, so there is no need for excessive automatic scheduling if it’s not necessary.

Basic Scan Type: Wordfence offers different types of scans. Choose the one that best suits your server capabilities and your website’s needs, and make sure it aligns with your security priorities.

If you don’t think you have been hacked, the standard scan is just fine.

General Options: These settings encompass general scan options that affect both your site’s security and performance. Configuring these settings correctly is vital for ensuring optimal results of the scan. Of course, the more features you enable, the longer it will take for the scan to complete. The defaults are good for a start. However, if your server is underpowered you can uncheck some of the options. If you feel like your hosting can handle it, enable all available options and have patience!

Performance Options: By delving into the performance-related scan options, you can fine-tune your scans regarding duration and resources used. Our only comment here is that if your website is huge (e.g. an e-shop with 500/1000+ items) you might want to increase the Maximum Scan Duration and Memory Used options, depending on your case. Begin with 5 hours and 512MB respectively, and increase further if you run into any issues after your scan.

Advanced Scan Options: You can leave these options at their default values. It’s better not to exclude any files or increase the number of tries for resuming each stage of the scan.

Login Security

Login security is the first line of defense against unauthorized access to your website. Neglecting login security could expose your site to vulnerabilities and data breaches. Hence, it’s crucial to ensure this aspect is well-protected.

Login Security Overview: In order to edit your Login Security settings you’ll have to jump to another options page. It is not included in All Tools like the rest of the settings.

In terms of Login related options, you should pay attention to the following:

  • Disable XML-RPC: enabled (enabled means disabled 😂)
  • WooCommerce integration: Enable if you are running a WooCommerce store
  • Enable reCaptcha v3 on Login and Registration pages: Enabled

The rest of the options can remain at their default values. Try lowering your reCaptcha threshold to 0.4 or 0.3 if your visitors run into any issues submitting forms (on low-traffic websites, we tend to lower it).

Keep your WordPress safe and fast!

Securing your WordPress website is not just a good practice; it’s a necessity. Wordfence offers a comprehensive security solution, and by optimizing its settings for both performance and security, you’ll ensure that your site remains well-protected. The best practices outlined in this guide will help you take charge of your website’s safety. Implementing these recommendations will safeguard your digital presence effectively, while keeping your website’s speed mostly intact. Enjoy your peace of mind and keep your website secure and performing at its best.
