Avoid hackers with Wordfence Firewall

Wordfence is the first plugin I install on new WordPress websites. It includes a firewall, a malware scanner and two-factor authentication.

Wordfence has great default settings, so if you’re new to securing your WordPress website, simply install and activate Wordfence and your site is instantly better protected against hackers. But if you’re up for more, you can tweak some of the settings for even better protection. Here are 5 solid recommendations for tuning Wordfence.

Optimize The Firewall

Under Wordfence ‣ Firewall ‣ Protection Level, select Optimize The Firewall. This scans PHP calls for malicious code before it is executed. You will be prompted to download the .htaccess file before activation. In the unlikely event that your site fails after activation, you can re-upload the .htaccess file manually. In the many years I have been using Wordfence, I have not seen this happen once, but now you know.

Enhanced Protection enabled under Wordfence Basic Firewall Options

Brute Force Protection

Check if your email address appears in a known data leak


Your website is exposed to brute force attacks every day. Bots on the web try to guess your username and password, usually using passwords from widespread data leaks. If a bot tries a new login once a second, that amounts to 86,400 login attempts a day. One day it might succeed.

You can protect your site from such attacks by enabling Brute Force Protection. After a certain number of failed attempts, the hacker is excluded from trying again. I allow 5 attempts within a 4-hour period. That gives a maximum of 30 attempts per day, a significant tightening.

Brute Force Protection enabled and common invalid usernames excluded

Immediately lock out invalid usernames

When your site has been up for a while, you can check the dashboard to see which usernames have been attempted unsuccessfully. These are often generic usernames like admin, user, test and so on. You should not have users with these names, and you may want to block login attempts with these names after the first attempt.
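The lockout arithmetic and the immediate lockout for generic usernames can be checked with a small model. This is an added example, not Wordfence's code or the author's: the `LoginGuard` class, the sample IP address and the assumption that a lockout lasts as long as the 4-hour counting window are illustrative.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # article: 5 attempts ...
WINDOW = timedelta(hours=4)       # ... within a 4-hour period
LOCKOUT = timedelta(hours=4)      # assumption: lockout lasts as long as the window
BLOCKED_USERNAMES = {"admin", "user", "test"}  # generic names from the article


class LoginGuard:
    """Illustrative model of a failed-login lockout policy, keyed by client IP."""

    def __init__(self):
        self.failures = defaultdict(deque)  # ip -> times of recent failures
        self.locked_until = {}              # ip -> time the lockout ends

    def attempt(self, ip, username, password_ok, now):
        """Return 'blocked', 'locked-out', 'failed' or 'ok' for one attempt."""
        if self.locked_until.get(ip, now) > now:
            return "blocked"                # locked out: credentials are not checked
        if username.lower() in BLOCKED_USERNAMES:
            self.locked_until[ip] = now + LOCKOUT
            return "locked-out"             # invalid username: lock out on first try
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while now - recent[0] >= WINDOW:    # forget failures older than the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT
            recent.clear()
            return "locked-out"
        return "failed"


def guesses_checked_in_a_day(interval_seconds=1):
    """Count password checks a bot gets in 24 h when trying every interval."""
    guard, start = LoginGuard(), datetime(2024, 1, 1)
    outcomes = [
        guard.attempt("203.0.113.7", "editor", False, start + timedelta(seconds=s))
        for s in range(0, 86400, interval_seconds)
    ]
    return sum(o in ("failed", "locked-out") for o in outcomes)


if __name__ == "__main__":
    print(guesses_checked_in_a_day())  # 86,400 requests sent, few actually checked
```

The model counts per IP address, so the daily ceiling applies to each source address separately.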

Rate Limiting

With Rate Limiting, you can limit how many pages people and crawlers (e.g. Google) can visit on your website per minute. This is of interest from a security point of view, as an unnatural number of 404 (page not found) requests may come from bots scanning your website for vulnerabilities. You can make life difficult for these bots by closing the door to them for a period of time.

Wordfence Rate Limiting tuned to recommended levels.
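As an added example (not part of Wordfence or the original article), the 404 signal described above can be spotted in a web server access log by counting misses per client per clock minute. The threshold of 30 per minute, the function names and the log lines are constructed for illustration; the article does not state its own limits.

```python
import re
from collections import Counter
from datetime import datetime

# Start of a common/combined log line: ip ident user [time] "request" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')


def noisy_404_clients(lines, max_404_per_minute=30):
    """Return {ip: worst 404 count in one clock minute} for IPs over the limit."""
    per_minute = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "404":
            continue                      # unparseable line or not a 404
        when = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        per_minute[(m.group(1), when.replace(second=0))] += 1
    worst = {}
    for (ip, _minute), hits in per_minute.items():
        if hits > max_404_per_minute:
            worst[ip] = max(hits, worst.get(ip, 0))
    return worst


def sample_log():
    """Constructed log lines: one scanner-like client, one ordinary visitor."""
    fmt = '{ip} - - [01/Jan/2024:10:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 512 "-" "-"'
    lines = [fmt.format(ip="203.0.113.7", m=15, s=s, path=f"/no-such-page-{s}", st=404)
             for s in range(40)]          # 40 misses inside one minute
    lines += [fmt.format(ip="198.51.100.9", m=m, s=0, path="/old-link", st=404)
              for m in range(15, 20)]     # 5 misses spread over 5 minutes
    lines += [fmt.format(ip="198.51.100.9", m=16, s=30, path="/", st=200)]
    return lines


if __name__ == "__main__":
    print(noisy_404_clients(sample_log()))
```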

Email Alert Preferences

Wordfence sends you emails about all potentially suspicious events, including when an administrator logs on or when someone uses the forgotten password feature. This can quickly add up to a lot of emails in your inbox, which you eventually just delete without looking at them.

To avoid being swamped by unimportant notifications, and thus not realizing when there is a real danger, I recommend that you use the Email Alert Preferences to have Wordfence send you alerts only at medium or high severity, or if there is an unusually large increase in the number of attacks on your site.

Number of emails greatly reduced under Email Alert Preferences

Wordfence prevents attacks every day, and does it well without your involvement. Limit notifications to when you should be acting.

Two-Factor Authentication

You know two-factor authentication (2FA) from, for example, borger.dk, where in addition to using something you know, namely your username and password, you also use an extra code or credit from something you have, such as a key from a card or a swipe on your phone.

Security is dramatically improved with 2FA. If it’s gotten to the point where someone has guessed your password, 2FA is just the extra layer of protection you need. You should have 2FA on all online services where a hacker can do damage, which most certainly includes your website.

2FA is a built-in feature of Wordfence, even in the free version. You need a key app on your phone. It can be Google Authenticator, Microsoft Authenticator or my favorite: Authy.

See the full list at Wordfence Two-Factor Authentication.

“Another app?!” – I can hear you saying. Yes, but you can use the same app for all your 2FA needs, including your mail, social media, PayPal etc. It’s definitely worth the effort.

Under Login Security ‣ Two-Factor Authentication, scan the QR code with your key app and confirm by entering the 6-digit code displayed in the app.

Enabling Two-Factor Authentication in Wordfence

Recovery Codes

You have the option to download and print five Recovery Codes which you can use if you lose your phone. Of course, this kind of stuff shouldn’t be on your computer or in the cloud, but you probably figured that out ;)

Two-Factor Authentication Options

Under Settings, you can set Wordfence to remember your device for 30 days. This saves you from finding your phone every time you log in. If you’re fortunate enough to have a fixed IP address, you can even allow access from that address to bypass 2FA. So the extra layer of security doesn’t have to mean your everyday life is made any harder.


The mere installation of Wordfence on your WordPress website increases security significantly. But if you follow the five tips above, it’ll get an extra notch. And if you only have time for one thing – enable two-factor authentication. 2FA is the most effective way to prevent unauthorized access to your WordPress website.

If you could use any of the tips above, or there’s anything you’d like expanded on, feel free to leave a comment below. It’s really appreciated.


Bjarne Oldrup

Web developer with a passion for WordPress, sustainable web design, GDPR and web accessibility.
