Website security is a headache at the best of times. I don’t claim to be an expert in internet security but I do try to make sense of the things that I read so that I can at least make an attempt to choose well.
Wordfence is a security plugin for WordPress that is relatively straightforward to understand and set up if you take the time to understand what it’s doing. I can’t say if it’s the best because I really don’t have the tools or the knowledge to judge if there is a best. I can say that it’s prevented some attacks on some of the websites that I’ve used it on, although I’ve had similar success with other plugins on other WordPress websites.
WordPress does pool information like what IPs are performing attacks at a particular time so that other sites can protect themselves. And indeed yours benefits from the results of other sites’ reports.
Anyway… to business.
With the plugin installed, here are the WordPress security settings that I have set; this may change as I learn more. The options are all in the Wordfence > Options section of the dashboard.
In the Basic Options:
- Enable the Firewall
- Enable Login Security
- Uncheck the Enable Live Traffic view. Unless there’s something you really want to see, it will just slow things down.
- Enable regular scans
- Automatically update Wordfence
- Set the contact email address so the plugin can inform you about what’s happening on your site.
- Set How does Wordfence get IPs. Firstly, what does this mean?
- Well, the IP address is a unique address that’s assigned to all computers on the internet. So when you go online you will have an IP assigned to your PC; it’s all done for you so you don’t have to mess with it. When you go to a website, your IP address is used by the web server to send you all the files you need for the site. The default setting (Let Wordfence use the most secure method) is probably safest; however, Use PHP’s built in REMOTE_ADDR is best and it works on most sites.
- Remember to save the changes you made.
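To show why the IP source setting matters, here is an added example (not Wordfence's code and not from the original post) of how a PHP site can decide which address a lockout rule should act on. It goes a little beyond the post by covering a site that sits behind its own reverse proxy, where REMOTE_ADDR is the proxy's address; the function name, the `TRUSTED_PROXIES` list and all sample addresses are assumptions made up for the illustration.

```php
<?php
// Added example, not Wordfence code. Proxy addresses are constructed samples.
const TRUSTED_PROXIES = ['203.0.113.10', '203.0.113.11'];

/**
 * Return the visitor IP that blocking and lockout rules should use.
 * $server has the same shape as PHP's $_SERVER array.
 */
function resolve_client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection: REMOTE_ADDR comes from the network connection itself,
    // not from a request header, so it is used as is and headers are ignored.
    if (!in_array($remote, TRUSTED_PROXIES, true)) {
        return $remote;
    }

    // The connection came from our own proxy, so REMOTE_ADDR is the proxy.
    // Read X-Forwarded-For from right to left and take the first hop that is
    // not one of our proxies; anything further left was supplied by the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // missing or malformed chain: fall back to the proxy address
        }
        if (!in_array($hop, TRUSTED_PROXIES, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests (documentation address ranges).
$samples = [
    'direct visitor'                  => ['REMOTE_ADDR' => '198.51.100.7'],
    'direct visitor, header supplied' => ['REMOTE_ADDR' => '198.51.100.7',
                                          'HTTP_X_FORWARDED_FOR' => '192.0.2.99'],
    'visitor behind our proxy'        => ['REMOTE_ADDR' => '203.0.113.10',
                                          'HTTP_X_FORWARDED_FOR' => '192.0.2.99, 198.51.100.7'],
];
foreach ($samples as $label => $server) {
    printf("%-32s => %s\n", $label, resolve_client_ip($server));
}
```

All three sample requests resolve to 198.51.100.7: a header sent by a direct visitor is ignored, and behind the proxy only the hop the proxy itself recorded is used.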
In the Advanced Options:
You can control when it sends you an email.
We have turned off live traffic view so leave the defaults.
What scans should the plugin make? Basically all of them.
The login security options allow Wordfence to lock out an IP address. The rules say how many attempts the attacker/person gets before they are locked out, and then for how long. You can set much longer timescales if you want, so that attackers will have to wait in between attacks.
Whitelisted IPs: That means you add the IP address of your main PC here so that if all else fails you will be able to log in. To get your IP address you can go to Google and type what’s my ip. The numbers it gives you can be entered as your whitelisted IP.
That should provide a reasonable level of protection. However, please remember to take regular backups and things; don’t rely on security alone. If it all goes wrong you should be able to rebuild your site quickly. I explain how to do that in The Therapist Website Book.