Comments on: WordFence Security Plugin – Why It’s The Best

By: tbwhs

tbwhs — Tue, 07 Nov 2017 19:30:14 +0000

In reply to Kat Chang. Sometimes there are backdoors on your site or the server you are hosting your website on that security plugins would not be able to detect. There is a vulnerability somewhere that needs to be fixed. Have you asked your web host for help? Best of luck to you!

By: Kat Chang

Kat Chang — Thu, 19 Oct 2017 10:34:47 +0000

Hi Garen, thanks for the article! I have been using Wordfence for a month now, however, my sites have been hacked everyday this week despite having Wordfence on. I know its not 100%, and we can revert to the backup. It took the entire day to work out where the malware was (WF did not find it).

Will the premium version work better? What would your advice be?

By: Garen

Garen — Sat, 15 Apr 2017 19:12:30 +0000

In reply to Howard. I haven't noticed that WordFence slows down your website. Sometimes the live traffic feature can use too many resources for your setup and cause problems. Maybe try disabling that option if you haven't already.

By: Howard

Howard — Thu, 09 Mar 2017 17:11:03 +0000

I read that that wordfence slows down your website; what do you make of this?
Thanks

By: Garen

Garen — Tue, 21 Feb 2017 10:14:17 +0000

In reply to Farzana. Yeah, I know what you mean about Wordfence telling you .txt files have been changed. There is a button that you can click that will just ignore them in the future. I have used this for years. Never do I see those messages again!

By: Farzana

Farzana — Mon, 20 Feb 2017 10:36:13 +0000

I have used WordFence for several years now. This plugin has saved me time and time again. When files get infected, I really like how you can revert back to a previous version. It’s very easy to do and is a lifesaver. However, WordFence does let you know when text files are changed. These are mostly just read me files with plugins or themes. It’s kind of annoying, but I always just disregard those.

By: Mats Schmid

Mats Schmid — Sat, 10 Dec 2016 13:01:24 +0000

Outstanding article! Wordfence is definitely a must have plugin. I am using it for all my WordPress websites upon recommendation from my hosting provider. It has very useful features to protect my site from hackers.

Going to certainly make a couple adjustments that you have suggested. I am even using the Premium version, too. Love it!

By: Garen

Garen — Mon, 29 Feb 2016 17:42:00 +0000

In reply to Kim D.. I would have to say that I am really not a fan of Wordfences caching system. I do not use them It doesn’t seem to be quite as effective as WP Super Cache. I would recommend disabling the caching for Wordfence. But, Wordfence is great for security!

By: Kim D.

Kim D. — Mon, 29 Feb 2016 02:55:00 +0000

I was wondering what do you think of the caching settings for Wordfence. I have used them in the past but they really don’t seem to be all that great? It seems to have conflicts with some other WordPress plugins.

By: Garen

Garen — Sun, 12 Apr 2015 22:08:00 +0000

In reply to Teresa.

Under “alerts” make sure the following are checked:

“Alert on critical problems”

“Alert on warnings”

“Alert when IP address is blocked”

“Alert when some is locked out from login”

“Alert when the “lost password” form is used for valid user”

“Alert me when a non-admin user signs in”

With “scans” make sure everything is checked

Under “firewall rules” configure these settings:

Check “Immediately block fake Google crawlers”

Make sure “Verified Google crawlers have unlimited access to the site”

If anyone’s requests exceed: 240 per minute (4 per second) then throttle it

If a crawler’s page views exceed: 960 per minute (16 per second) then throttle it

If a crawler’s pages not found (404s) exceed: 960 per minute (16 per second) then throttle it

If a human’s page views exceed: 240 per minute (4 per second) then throttle it

If a human’s pages not found (404s) exceed: 240 per minute (4 per second) then throttle it

If 404’s for known vulnerable URL’s exceed: 120 per minute (2 per second) then throttle it

How long is an IP address blocked when it breaks a rule: 12 hours

For “login security options” options configure these settings:

Force admins and publishers to use strong passwords

Limited login failures and forgot password attempts to 5

Count failures and amount of time a user is locked out to 6 hours.

Make sure these are checked:

Immediately lock out invalid usernames

Don’t let WordPress reveal valid users in login errors

Prevent users registering ‘admin’ username if it doesn’t exist

Prevent discovery of usernames through ‘?/author=N’ scans

Hope this helps 🙂