You already know we think the Wordfence plugin is the most important one for protecting your website.
We often get asked whether you should use the free or the paid version of Wordfence. Our suggestion is to start with the free edition and get comfortable with it; then, if you need it, move up to paid. It's a remarkable service.
When you first install Wordfence, many of the settings are already configured. There are a few we think you should change to make security even tighter. They are:
Enable Live Traffic View - Uncheck
Update Wordfence automatically when a new version is released? - Check
Scan theme files against repository versions for changes - Check
Scan plugin files against repository versions for changes - Check
Use low resource scanning (reduces server load by lengthening the scan duration) - Check
Immediately block fake Google crawlers - Check (unless you're marketing to Brazil)
If anyone's requests exceed 60 per minute - throttle it
If a crawler's page views exceed 120 per minute - block it
If a crawler's pages not found (404s) exceed 120 per minute - block it
If a human's page views exceed 60 per minute - block it
If a human's pages not found (404s) exceed 30 per minute - block it
If 404s for known vulnerable URLs exceed 30 per minute - block it
How long is an IP address blocked when it breaks a rule - 2 hours
Lock out after how many login failures - 5
Lock out after how many forgot password attempts - 5
Immediately block the IP of users who try to sign in as these usernames:
admin
administrator
security
tech
webmaster
support
root
anon
login
(login)
your website name
your website domain
Whitelisted IP - Put your own IP address in. (Get it from whatismyip.com)
Hide WordPress version - Check
Disable Code Execution for Uploads directory - Check
SAVE Options
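The per-minute rate rules above come down to counting each IP's page views and 404s per minute and comparing them with the crawler or human limits. As an added example (our own stand-alone script, not Wordfence's code), this applies the thresholds recommended above to constructed access-log lines; it assumes a combined-format log and treats any User-Agent containing "bot", "crawl" or "spider" as a crawler.

```python
import re
from collections import defaultdict

# Per-minute limits from the settings listed above: (page views, 404s) per client class,
# plus the 60/min throttle that applies to anyone.
THROTTLE_ANY = 60
LIMITS = {"crawler": (120, 120), "human": (60, 30)}

# Apache/Nginx combined log format; the minute is the first 17 chars of the timestamp.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[A-Z]+ (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
BOT_UA = re.compile(r"bot|crawl|spider", re.IGNORECASE)

def evaluate(lines):
    """Return {ip: 'block' | 'throttle'} for clients that cross a limit in any one minute."""
    views = defaultdict(int)    # (ip, minute) -> page views
    missing = defaultdict(int)  # (ip, minute) -> 404 responses
    kind = {}                   # ip -> 'crawler' or 'human', decided from the User-Agent
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, _path, status, ua = m.groups()
        key = (ip, ts[:17])
        views[key] += 1
        if status == "404":
            missing[key] += 1
        kind[ip] = "crawler" if BOT_UA.search(ua) else "human"
    actions = {}
    for (ip, minute), n in views.items():
        view_limit, nf_limit = LIMITS[kind[ip]]
        if n > view_limit or missing[(ip, minute)] > nf_limit:
            actions[ip] = "block"            # a block always outranks a throttle
        elif n > THROTTLE_ANY and ip not in actions:
            actions[ip] = "throttle"
    return actions

def sample_log():
    """Constructed sample traffic (not real logs), all inside the same minute."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 512 "-" "{ua}"'
    human_404s = [fmt.format(ip="203.0.113.5", s=i % 60, path=f"/old/{i}", st=404, ua="Mozilla/5.0")
                  for i in range(40)]   # 40 missing pages from a browser: over the human 404 limit of 30
    busy_bot = [fmt.format(ip="198.51.100.9", s=i % 60, path=f"/p/{i}", st=200, ua="ExampleBot/1.0")
                for i in range(70)]     # 70 views from a crawler: throttled (>60), below the 120 block line
    quiet = [fmt.format(ip="192.0.2.7", s=i, path="/", st=200, ua="Mozilla/5.0")
             for i in range(10)]        # normal visitor: no action
    return human_404s + busy_bot + quiet

if __name__ == "__main__":
    print(evaluate(sample_log()))
```

Wordfence applies the 404 rules per visitor the same way, so running this over your own log is a quick way to see which of your legitimate visitors or crawlers would trip the limits before you tighten them further.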