Knowledge base article
Optimising Wordfence firewall and security settings
Related articles
Basic WordPress security and site management
How did my WordPress website get hacked? What do I do?
Remove Wordfence firewall block via MySQL CLI
Other WordPress articles
Accessing your site before changing DNS
Basic WordPress security and site management
Check MySQL database table disk usage
Configure object cache with memcached and Litespeed Cache plugin
Create a clone of your website
Create a WordPress administrator via MySQL CLI
Create a WordPress administrator via phpMyAdmin
Create a WordPress cron task in cPanel
Disable automatic WordPress updates via wp-config.php
Domain options for shared hosting
Download or restore individual files, directories or database backups with JetBackup
Enabling PHP extensions, Changing PHP Version and Setting PHP Options
Export or Import a MySQL database via CLI
Force HTTPS via .htaccess (cPanel)
Go live with your WordPress staging website
Help! I need a backup of my cPanel-hosted website
How did my WordPress website get hacked? What do I do?
How to ensure website generated emails are delivered successfully
How to issue a Let’s Encrypt certificate
How to remove Site Software management
Introduction to LiteSpeed Cache
Manual WordPress migrations in a nutshell
Migrate remote staging website to local hosting server
Migrate remote transactional website to local server
My site and/or email service is down
Prevent website generated spam with CAPTCHA
Push updates from a staging to production website
Reconfigure production website to subdomain
Recover your hacked WordPress website
Remove Wordfence firewall block via MySQL CLI
Secure your WordPress installation
The SLA – Best effort versus 99.9% versus 100%
Understanding CloudLinux resource limits
Update a WordPress website to use a new domain name
Update your WordPress username via phpMyAdmin
WordPress install still shows Serversaurus “new customer” landing page
This guide recommends the best configurations to optimise Wordfence firewall and security settings for WordPress
Wordfence is a powerful firewall and security plugin offering a range of protection settings to strengthen WordPress application security and resilience against web attacks.
To enhance the protection Wordfence offers, we've compiled our recommended Wordfence configuration settings which are verified by our WordPress Management team as highly beneficial.
Note: This guide recommends configurations for the free version of WordPress so no premium Wordfence features will be referenced.
Let's begin!
- Login to WordPress and navigate to the Wordfence dashboard. If you've not yet installed Wordfence, you can download Wordfence free on WordPress.org.
- Select All Options on the left hand side tool bar, then navigate to the Brute Force Protection section and set the following parameters:
Enable brute force protection >> ON
Lock out after how many login failures >> 5
Lock out after how many forgot password attempts >> 5
Count failures over what time period >> 2 hours
Amount of time a user is locked out >> 5 days
Prevent the use of passwords leaked in data breaches >> Enabled For all users with "publish posts" capability.
Leave the remaining default settings in this section as is.
To assist implementing these recommendations, you can also reference the following visual representation of the settings:
- Scroll down to the next section labelled Rate Limiting and set the following parameters:
Enable Rate Limiting and Advanced Blocking >> ON
How should we treat Google's crawlers >> Treat Google like any other Crawler
If anyone's requests exceed >> 240 per minute then throttle it
If a crawler's page views exceed >> 240 per minute then throttle it
If a crawler's pages not found (404s) exceed >> 240 per minute then throttle it
If a human's page views exceed >> 240 per minute then throttle it
If a human's pages not found (404s) exceed >> 240 per minute then throttle it
How long is an IP address blocked when it breaks a rule >> 1 day
You can also reference the following visual representation of the settings:
- Select SAVE CHANGES.
These recommendations are curated after hands on experience with hundreds of WordPress applications however these settings are always best tailored to your needs so adjust the settings as necessary.
Published June 21, 2022. Last updated November 30, 2023.
"*" indicates required fields