In this post I’ll explain how to configure the WordFence security plugin so that your WordPress website becomes as secure as possible (in as much as WordFence can help with that), while at the same time making WordFence use as few resources as possible – not slowing your website down and not putting much load on your server.
All the info given in this post (as well as on my websites) is to be taken as: “to the best of my knowledge”. Based on my current knowledge and experience so far. As always: any additions and/or corrections are more than welcome – help make this even more useful for everyone. Constructive criticism helps more than a pat on the back.
- 2. How much does WordFence slow down a website?
- 3. How much does WordFence help website security?
- 4. Configuring WordFence plugin (WordFence configuration options are grouped in the following way):
  - 4.1. WordFence Global Options
  - 4.2. Firewall Options
  - 4.3. Blocking Options
  - 4.4. Scan Options
  - 4.5. Tool Options
Many times I have heard that “WordFence is not good”, or “not needed for a WordPress website protection”, as well as that it “puts too much load on the server” and “slows the websites down”. Many hosting providers and website developers are saying this. My experience is different: WordFence helps website protection and doesn’t slow it down – but it does need to be configured properly. Still, don’t take my word for it. Read this post, see the provided test results, do your own testing and decide for yourself.
Of course, WordFence alone is not enough to keep a WordPress website secure, so in those terms, I recommend reading my post: how to secure a WordPress website.
2. How much does WordFence slow down a website?
I like to say that one good measurement is better than a thousand expert opinions. So I did some load tests. The website used for testing has two pages with caching completely disabled – so that raw server performance can be better tested. Other pages are cached – as most properly optimized WordPress websites should be. The website is hosted using the resources of a decent shared hosting account. The test simulated 50 visitors browsing the website simultaneously. Here you can see the test results (in PDF):
In short: slowdown (and errors because of overload) appears only on pages that aren’t cached (booking-sr and booking-en). Note: 50 concurrent visitors is the equivalent of over 50,000 daily visitors (about 1.5 million monthly) on an ordinary shared hosting account.
What about the server load? Here are the statistics:
My conclusion (you can draw your own after looking at the test reports above) is: yes, WordFence does slow down a website (and cause extra server load) to a degree. But nothing critical. Is the level of protection it provides enough to justify that? You be the judge, after reading the next chapter.
I wrote a series of posts explaining how to optimize a WordPress website. The link leads to the first post, though I suggest you read the others as well. It will get you on the right track if you are relatively new, while, for the experts, reading the posts and offering any additions, or corrections, would make the posts even better and more useful for anyone working with WordPress. In other words: I would have liked to have had a website like this for help when I was starting – in 2015.
3. How much does WordFence help website security?
Security experts usually have families, hobbies, friends. On a weekend you are more likely to see them on a mountain, or cycling, at a kids’ birthday etc., than at a computer. Those trying to hack your website spend days in a room, with a beard down to half their chest and haven’t seen a woman in real life for years. With the main happiness in their lives being to virtually stick it to someone – so to say. The ratio of knowledge, dedication and sacrifice of the latter, compared to the former, is immeasurable. In addition to that is the fact that it takes a lot less knowledge and energy to mess something up than to build, secure and improve it.
In other words: I would not expect any expert (much less myself, or any plugin) to keep my website secure. Every website will get hacked – sooner, or later. The best one can hope for is to at least be able to tell when they have been hacked, then, hopefully, figure out how – in order to prevent it from recurring, as soon as the freshest clean backup has been restored.
Of course, this doesn’t mean you should make any hacker’s job easier – quite the contrary. Do whatever is up to you to make your website as secure as possible. Though I’ll immediately contradict myself on this “as secure as possible” part. Every level of protection introduces a certain level of user inconvenience and makes things more complicated (and expensive). So a less popular blog will not require (nor justify) the same level of protection as a popular e-commerce website… unless someone with enough knowledge and time really puts their mind to it – in which case we go back to the beginning of this chapter.
Explanation why a 100% secure system is unusable – by definition.
Now, after a lengthy digression (hope you don’t mind), let’s get back to the topic. How much does WordFence help with website security?
For a start – it will notify you in case of any file change and/or admin user login. That goes under the important part of “figuring out when you’ve been hacked”. Educational discussion on the LowEndTalk forum on: how to figure out you’ve been hacked.
This can be achieved in other ways, but the available options on a shared/reseller hosting account are very limited.
The next thing WordFence offers is blocking many brute-force attacks. You can set it to automatically block the IP address of a visitor trying to log in using any username you pre-defined (like blocking anyone trying to log in using the “admin”, “administrator” etc. username), as well as blocking an IP after a pre-defined number of failed log-in attempts.
In addition – WordFence can prevent user listing, making it more difficult to figure out existing user names. So in addition to having problems with guessing a password, hackers will need to figure out which username to try.
Finally, of course, WordFence will scan the website for any viruses and block access patterns that resemble a hacking attempt.
These are some of the most important things that the plugin offers and yes, all this can be set on the hosting server level, without needing a plugin. However, that requires time, knowledge and a VPS, or a Real managed WordPress hosting™ (so that the hosting provider does it all for you).
In other words: just like you can make a website using static HTML, but you choose WordPress for making it a lot easier, simpler and faster – you can also have security set “manually”, or using a plugin, for convenience. In both cases, the “hard-core” approach performs a lot faster, takes fewer server resources and is more secure. It just boils down to how much time you wish to spend, how much you have to learn (which also takes time), or whether to pay someone to do it for you (with another reference to the start of this chapter).
There is no “best solution”, only an “optimal solution”, weighing all the pros and cons based on your priorities, knowledge, budget etc.
So in this post I won’t say: “use WordFence”, or “don’t use it”, everyone must decide that for and by themselves. What I can say is that WordFence works for me and I’ve failed to measure websites slowing down, or some great additional server load from it. While at it, I think it’s fair to say: the reasons I don’t use managed WordPress hosting are the following:
- I like learning how to do things myself, not have others do them for me. At least not until I’ve got it figured out – I’m all for task distribution, outsourcing etc. cPanel / DirectAdmin shared (and reseller) hosting offers a nice middle ground between too much management hassle (as a VPS requires) and too limited access level (as managed WP hosting limits).
- Reseller/shared hosting is cheaper than managed WordPress hosting. I don’t like paying for things that aren’t necessary.
Now, I don’t think this is the most reasonable, nor profitable way to do things, but it is how I am. For similar reasons I don’t use a VPS – I wrote in another post about the pros and cons of a VPS.
4. Configuring WordFence plugin
If you decide to use WordFence thanks to, or in spite of, the above provided information, here’s a list of settings that have proven to be optimal for me. I’ll try to write briefly, with minimum explanations – for any questions use the comment section below this post. I won’t go over every particular option – for brevity’s sake. But I will not skip any I consider important in terms of security and/or speed. I repeat: this is the setup that has worked fine for me, nothing more, nor less than that.
Click on WordFence in the backend, then on “All Options” (picture 1) and let’s start, from the top.
4.1. WordFence Global Options
Check only Display “All Options” menu item.
General WordFence Options
Update Wordfence automatically when a new version is released? – de-check, it’s best to test an update before deployment.
Where to email alerts – enter your email.
How does Wordfence get IPs – choose the first option “Let Wordfence use the most secure method to get visitor IP addresses”. Even if using Cloudflare.
Disable Code Execution for Uploads directory – check.
Pause live updates when window loses focus – check.
Update interval in seconds – set the value to “100” (without the quotation marks).
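Why the first option (“most secure method”) is the safe choice even behind Cloudflare, as an added illustration that is not WordFence’s own code: behind a reverse proxy the visitor address arrives in a header such as CF-Connecting-IP, but any client that reaches the origin server directly can send that header too, so a block keyed on it alone can be evaded. The model below honours the header only when the TCP peer is a trusted proxy; the trusted ranges are constructed stand-ins, not Cloudflare’s real ones.

```python
import ipaddress

# Constructed stand-in for the reverse proxy's published address ranges.
# Assumption: a real deployment loads the proxy vendor's current list instead.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cafe::/48"),
]

def is_trusted_proxy(addr):
    """True when the TCP peer address belongs to a trusted reverse proxy."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXY_RANGES)

def visitor_ip(remote_addr, headers):
    """Return the address that blocking and rate limiting should key on.

    Only the direct peer (REMOTE_ADDR) cannot be forged by the client. The
    proxy-supplied header is trusted only when that peer is a known proxy,
    and only if its value is a single well-formed IP address.
    """
    if is_trusted_proxy(remote_addr):
        lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
        claimed = lowered.get("cf-connecting-ip", "").strip()
        try:
            return str(ipaddress.ip_address(claimed))
        except ValueError:
            pass  # malformed or missing header: fall back to the peer address
    return remote_addr
```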
Dashboard Notification Options
De-check everything in this options group. You can always see the notifications when clicking on the “Dashboard”.
Email Alert Preferences
The fewer the notifications, the better. However, the following options should be enabled (checked):
Email me if Wordfence is deactivated
Email me if the Wordfence Web Application Firewall is turned off
Alert me with scan results of this severity level or greater: Medium
Alert me when someone with administrator access signs in
Only alert me when that administrator signs in from a new device or location
Alert me when there’s a large increase in attacks detected on my site
Maximum email alerts to send per hour – 10
Enable email summary – if you wish to get the stats emailed.
4.2. Firewall Options
Basic Firewall Options
Web Application Firewall Status – will first say “Learning Mode”; after a few weeks, it should be set to “Enabled and Protecting”.
Advanced Firewall Options
Check (enable) everything, except:
Delay IP and Country blocking until after WordPress and plugins have loaded (only process firewall rules early)
UptimeRobot – unless you are using it, I like HetrixTools (affiliate link).
StatusCake – unless you are using it
ManageWP – unless you are using it
Brute Force Protection
Here you should basically check (enable) all the options. Just a couple of explanations:
Enable brute force protection – ON – set the number of attempts and blocking time as you think is best – default options are a good start.
Immediately lock out invalid usernames – check and list usernames you see often (ab)used in WordFence login stats (“admin” and “administrator” are a good start).
Immediately block fake Google crawlers – un-check.
The other options can be left as default, then fine-tune later.
Check (enable) the options under “Monitor background requests from an administrator’s web browser for false positives”.
This will allow WordFence to ask you whether an action can be allowed, when you are working in the frontend, or backend, while logged in as an administrator. After you have created the website and configured everything, you can de-check these options, while the whitelisted actions can also be deleted, or left – depending on whether they are used again, or not.
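The two brute-force rules described above (immediate lockout on a listed username, and a block after too many failed attempts within a window), as an added model that is not WordFence’s code. The threshold, window and lockout values are assumptions chosen for the example, and the login log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed policy values, constructed for this example (WordFence's defaults differ).
MAX_FAILURES = 3                        # failed logins tolerated per IP ...
FAILURE_WINDOW = timedelta(minutes=5)   # ... within this window
LOCKOUT = timedelta(minutes=15)         # how long a blocked IP stays blocked
BANNED_USERNAMES = {"admin", "administrator"}   # usernames locked out on sight
class LoginGuard:
    def __init__(self):
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._blocked_until = {}              # ip -> datetime the block expires
    def record_attempt(self, ip, username, success, now):
        """Apply both rules to one login attempt and return the action taken."""
        until = self._blocked_until.get(ip)
        if until is not None and now < until:
            return "already-blocked"
        if username.lower() in BANNED_USERNAMES:        # rule 1: immediate lockout
            self._blocked_until[ip] = now + LOCKOUT
            return "blocked-invalid-username"
        if success:
            self._failures.pop(ip, None)                # a real login resets the count
            return "allowed"
        window = self._failures[ip]
        window.append(now)
        while now - window[0] > FAILURE_WINDOW:         # forget failures outside the window
            window.popleft()
        if len(window) >= MAX_FAILURES:                 # rule 2: too many failures
            self._blocked_until[ip] = now + LOCKOUT
            window.clear()
            return "blocked-too-many-failures"
        return "failed"
# Constructed sample login log, one attempt per line: "timestamp ip username result"
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.10 editor fail
2024-03-01T10:00:05 198.51.100.10 editor fail
2024-03-01T10:00:10 198.51.100.10 editor fail
2024-03-01T10:00:15 198.51.100.10 editor ok
2024-03-01T10:01:00 203.0.113.5 admin fail
2024-03-01T10:02:00 192.0.2.44 editor ok
"""
def replay(log_text=SAMPLE_LOG):
    """Feed a log through one guard and return [(ip, action), ...] in order."""
    guard = LoginGuard()
    actions = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts)
        actions.append((ip, guard.record_attempt(ip, user, result == "ok", when)))
    return actions
```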
4.3. Blocking Options
The free version doesn’t offer any settings here. If you wish to censor the Internet, i.e. prevent visitors from a certain country from reaching your website, you can use these options. Hackers can use a VPN, or an infected foreign computer to reach your site, of course.
4.4. Scan Options
Schedule Wordfence Scans – ENABLED* – the free version only lets you choose the option “Let Wordfence choose when to scan my site (recommended)”.
* If your hosting server has Imunify360 running (or similar high-quality anti-malware software), you can disable the WordFence scans.
Check (enable) all, except:
Check the strength of passwords – but do choose strong passwords for your account(s).
Scan images, binary, and other files as if they were executable
Use low resource scanning (reduces server load by lengthening the scan duration) – check
Limit the number of issues sent in the scan results email – 100
Time limit that a scan can run in seconds – 0
How much memory should Wordfence request when scanning – 256
Maximum execution time for each scan stage – 0
4.5. Tool Options
Live Traffic Options
Traffic logging mode – SECURITY ONLY
Don’t log signed-in users with publishing access – check.
Amount of Live Traffic data to store (number of rows) – 10
Maximum days to keep Live Traffic data (minimum: 1) – 1
This is a rough guide to a good starting WordFence setup for websites.
What wisdom can be gained from all this drivel? For one, as with many other things, there is no “best option” when it comes to security, only an optimal one – based on needs, priorities, risks, budget etc.
WordFence is not the only security plugin; the other most popular one is Sucuri, followed by a dozen other security plugins. They all serve the same purpose: to make website protection easier and simpler for you. Also, like all other plugins, they bring slower website speed (to a higher, or lower degree, depending on the plugin), a potential security backdoor (yes, even with security plugins) and extra cost if going with premium plugin versions.
It’s worth noting that Sucuri, in the paid version, offers a firewall (WAF) placed between the hosting server and the visitors; the price (in dollars) can be seen on the Sucuri website.
Apart from this paid solution, Cloudflare, even in its free package, offers some basic firewall and DoS protection. I like using it.
Personally I use WordFence and think that, of all the free security plugins, it offers the best protection, without hampering website performance, or functioning. Different people have different experiences and hence, different opinions, but this is mine, with all the disclaimers from the start of this post: I don’t claim to be a security expert.