As I continue to use Wordfence and have started to use it on other sites, I grow to appreciate it more and more. I already mentioned the ability to block specific IP addresses, and some of the reports the plugin can generate, in an earlier post, “Wordfence Live Monitoring Plugin for WordPress”. Today I would like to focus on some of the Firewall options in the free version.
When you fire up Wordfence and look at the options, you will notice that the plugin defaults to Security Level 2. As you can see in image #1, Wordfence recommends this setting for most websites.
Scrolling down to the Firewall Rules, you will find additional security options (see image #2); their values change as you change the security level. I should also stress that these rules only affect Wordfence's own firewall, which runs as a WordPress plugin and inspects requests to your site; they do not change the firewall settings on your computer or on the server itself.
I have been personally debating both the level 2 and level 3 defaults. At level 2 they don’t really do anything, and at level 3 they only throttle back a crawler or human being who is searching your website. So rather than staying at the default level 2, I have set some of the options myself to actually block rather than throttle once a client exceeds what I feel is a reasonable number of requests per minute. The danger here is that you can actually block legitimate crawls by search engines, negatively affecting all the hard work you or someone else has done for search engine optimization (SEO). So you might want to leave these alone unless you are sure you need to tweak a setting.
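To make the throttle-versus-block trade-off concrete, here is an added example (my own code, not part of the original post and not Wordfence's implementation) that runs a per-IP sliding-window counter over a constructed access log. It uses two thresholds, a lower one that throttles and a higher one that blocks, and exempts IPs on a verified-crawler list so that tightening the limits does not cut off a search engine. The thresholds, the IP addresses, the log lines and the `VERIFIED_CRAWLER_IPS` set are all assumptions made up for the example; in production that set would be built by reverse DNS plus a forward lookup of the returned hostname, never from the User-Agent string, which anyone can spoof.

```python
"""Added example: throttle vs. block decisions over a constructed access log.

Not Wordfence's code; thresholds, IPs and the crawler list are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THROTTLE_PER_MINUTE = 30    # assumed: above this, slow the client down
BLOCK_PER_MINUTE = 120      # assumed: above this, refuse the client
WINDOW_SECONDS = 60

# Constructed: addresses confirmed (out of band) to belong to search engines.
# Do NOT derive this from the User-Agent header; a scraper can claim to be Googlebot.
VERIFIED_CRAWLER_IPS = frozenset({"192.0.2.10"})

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, epoch_seconds, user_agent) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts, m.group("ua")


def classify(lines, verified=VERIFIED_CRAWLER_IPS):
    """Replay the log in time order; return {ip: worst action it earned}."""
    severity = {"allow": 0, "throttle": 1, "block": 2}
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    verdict = {}
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r[1])
    for ip, ts, _ua in records:
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] >= WINDOW_SECONDS:   # drop requests older than the window
            q.popleft()
        if ip in verified:
            action = "allow"                     # verified crawler: never rate-limited
        elif len(q) > BLOCK_PER_MINUTE:
            action = "block"
        elif len(q) > THROTTLE_PER_MINUTE:
            action = "throttle"
        else:
            action = "allow"
        verdict[ip] = max(verdict.get(ip, "allow"), action, key=severity.__getitem__)
    return verdict


def make_sample_log():
    """Constructed log: a real crawler at 60 req/min, a human, and a scraper
    that fakes the Googlebot User-Agent while making 150 requests in 50 s."""
    base = datetime.strptime("10/Oct/2013:13:55:00 -0700", TS_FMT)
    googlebot_ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    lines = []

    def add(ip, offset, path, ua):
        t = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{t}] "GET {path} HTTP/1.1" 200 1234 "-" "{ua}"')

    for i in range(60):
        add("192.0.2.10", i, f"/post-{i}/", googlebot_ua)        # verified crawler
    for i in range(5):
        add("198.51.100.7", i * 10, f"/page-{i}/", "Mozilla/5.0") # human reader
    for i in range(150):
        add("203.0.113.99", i // 3, f"/?p={i}", googlebot_ua)      # scraper, spoofed UA
    return lines


if __name__ == "__main__":
    print(classify(make_sample_log()))
    print(classify(make_sample_log(), verified=frozenset()))  # what happens without verification
```

The second call shows the SEO hazard the paragraph warns about: with the verified list empty, the genuine crawler at 60 requests per minute is throttled like any other client, while the scraper is blocked either way because the decision never looks at the User-Agent.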
The other area that is affected by changing the basic security level setting is the Security Login section (image #3). This area controls the complexity of your users’ passwords and how soon they will be locked out of the site after failing to enter the correct password.
Again, I find the settings a little lax for my taste, so I have beefed them up over the default level 2 settings you see here. Be careful how far you tweak these settings, or you could be flooded with complaints from users who have been locked out.
Under Options you will also find a spot to enter an email address. The plugin will then email you when someone successfully logs in to your WordPress dashboard or when someone has been blocked. So even if you aren’t able to watch your site, you will at least know when someone has logged in and may have damaged it.
The most common report I get from Wordfence is that someone tried to log in with ‘admin’ as the user name and was locked out. (A good reason to give an existing user administrator rights, or to create a new user with administrator rights, and then delete the default admin account.)
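The lockout behaviour described in the Security Login section and the ‘admin’ reports just mentioned come together in this added example (my own code, not part of the original post and not Wordfence's implementation). It models a failed-login counter keyed on the source IP, a lockout once the threshold is reached, a minimal password-complexity rule, and a separate alert for attempts against user names that do not exist on the site, which is exactly what an ‘admin’ attempt looks like once the default account has been deleted. Keying the counter on the IP rather than on the user name is the design point worth noticing: if failures were counted per user name alone, anyone could lock a legitimate user out just by typing that name with wrong passwords, which is one way to get the flood of complaints the post warns about. `MAX_FAILURES`, `FAILURE_WINDOW`, `LOCKOUT_SECONDS`, the `KNOWN_USERS` set, the password rule and the event sequence are all assumptions constructed for the example, not the plugin's defaults.

```python
"""Added example: IP-keyed login lockout with probing of nonexistent users.

Not Wordfence's code; all thresholds, users and events are constructed.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5         # assumed: failures tolerated per IP inside the window
FAILURE_WINDOW = 300     # assumed: seconds over which failures are counted
LOCKOUT_SECONDS = 900    # assumed: how long a locked IP stays locked

# Constructed: the site's real accounts. 'admin' is deliberately absent,
# matching the advice to create a named administrator and delete the default.
KNOWN_USERS = frozenset({"alice", "bob"})


def password_meets_policy(pw, min_len=12):
    """Assumed complexity rule: minimum length plus three of four character classes."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


class LoginGuard:
    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW,
                 lockout=LOCKOUT_SECONDS, known_users=KNOWN_USERS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.known_users = known_users
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> epoch seconds the lock expires
        self.events = []                     # lines the owner would be emailed

    def attempt(self, ts, ip, username, password_ok):
        """Evaluate one login attempt; returns 'locked', 'success' or 'failed'."""
        if self.locked_until.get(ip, 0) > ts:
            return "locked"                  # still inside an earlier lockout
        if username not in self.known_users:
            # A nonexistent user name can never succeed; report it as a probe.
            self.events.append(f"{ip} probed nonexistent user '{username}'")
            password_ok = False
        if password_ok:
            self.events.append(f"{ip} logged in as {username}")
            self.failures[ip].clear()
            return "success"
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.events.append(
                f"{ip} locked out for {self.lockout}s after {len(q)} failures "
                f"(last user name tried: '{username}')"
            )
            return "locked"
        return "failed"


def run_sample():
    """Constructed sequence: one IP guesses 'admin' repeatedly, a second IP
    tries 'bob' a few times, then Alice and Bob log in from their own IPs."""
    guard = LoginGuard()
    results = []
    for i in range(7):
        results.append(guard.attempt(1000 + i * 10, "203.0.113.5", "admin", False))
    for i in range(3):
        results.append(guard.attempt(1050 + i * 10, "203.0.113.6", "bob", False))
    results.append(guard.attempt(1100, "198.51.100.7", "alice", True))
    results.append(guard.attempt(1110, "198.51.100.8", "bob", True))
    return guard, results


if __name__ == "__main__":
    guard, results = run_sample()
    print(results)
    print("\n".join(guard.events))
```

Because the counter is per IP, the attacker guessing ‘admin’ is locked out on the fifth failure and stays locked for the rest of the run, while Bob still logs in normally even though someone else has been failing against his user name from a different address.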
I highly recommend this plugin if you have a WordPress site! It is fairly intuitive and does a good job blocking attacks.