All websites can be hacked. Simple as that. Get used to it. Although WordPress is pretty secure by default, it makes sense to add a few extra layers of security if possible. Wordfence is probably the most popular security plugin available.

How do I find the Wordfence plugin?

As usual, Wordfence can be found in the WordPress Plugins Directory. It’s free, but you can pay extra for additional features if required. The free version is normally absolutely fine for smaller websites. Before you configure this plugin, please make sure you’ve read the important accompanying information on this page. Here’s what Wordfence looks like:

Wordfence security plugin configuration

Why do I need a security plugin for WordPress?

If you don’t have one, your website will get hacked. Simple as that. I’ve already made a video all about securing a WordPress website, so you might want to take a look at that first.

WordPress Security Basics

How to configure the Wordfence security plugin?

This is quite a big plugin with a LOT of built-in functionality. Most of the default settings are fine, but I’ll show you a few things I like to change. First of all, it’s a good idea to get Wordfence to send you an e-mail alert if something suspicious happens. Add an appropriate e-mail address to the General Wordfence Options section:

Wordfence security plugin configuration

What are brute force login attempts?

A brute force attack is where a hacker repeatedly tries lots of different usernames and passwords until they get lucky. There’s more to it than that, but it’s something you need to protect yourself against. Remember, ALL WordPress websites can be modified by logging in via the wp-admin URL of your site. You’ll see failed login attempts on the Wordfence dashboard widget:

Wordfence security plugin configuration

It’s a good idea to limit how many times someone can attempt to log in before their account is locked. I like to give people 5 chances before their account is locked out. It will unlock automatically after 4 hours. Also, over time you’ll notice people trying to log in with various ‘default’ admin account names, such as ‘admin’. It’s a good idea to immediately lock these people out, as they’re obviously trying to hack your site:

Wordfence security plugin configuration
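
The lockout policy described above (5 failed attempts, a 4-hour lockout, and an instant lockout for names like ‘admin’), replayed over a constructed list of login events. This is an added example, not Wordfence’s code or the author’s; tracking attempts by source IP, the 4-hour counting window and the event format are assumptions.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # from the article: 5 chances
LOCKOUT = timedelta(hours=4)        # from the article: unlocks after 4 hours
COUNT_WINDOW = timedelta(hours=4)   # assumption: period over which failures are counted
BLOCKED_USERNAMES = {"admin"}       # 'default' names that trigger an immediate lockout

# Constructed sample events: (ISO time, source IP, username tried, login succeeded)
EVENTS = [
    ("2020-11-24T09:00:00", "203.0.113.10", "editor", False),
    ("2020-11-24T09:01:00", "203.0.113.10", "editor", False),
    ("2020-11-24T09:02:00", "203.0.113.10", "editor", False),
    ("2020-11-24T09:03:00", "203.0.113.10", "editor", False),
    ("2020-11-24T09:04:00", "203.0.113.10", "editor", False),  # 5th failure
    ("2020-11-24T09:10:00", "203.0.113.10", "editor", False),  # rejected: locked out
    ("2020-11-24T13:05:00", "203.0.113.10", "editor", False),  # lockout has expired
    ("2020-11-24T10:00:00", "198.51.100.7", "admin", False),   # blocked username
    ("2020-11-24T11:00:00", "192.0.2.5", "author", False),
    ("2020-11-24T11:01:00", "192.0.2.5", "author", True),      # typo, then success
]

def evaluate(events):
    """Replay login events and return the lockouts as (time, ip, reason)."""
    failures, locked_until, lockouts = {}, {}, []
    for ts, ip, user, ok in sorted(events):
        now = datetime.fromisoformat(ts)
        if locked_until.get(ip, now) > now:
            continue                      # still locked out, attempt never reaches login
        if user.lower() in BLOCKED_USERNAMES:
            reason = "blocked username"   # no second chance for default admin names
        elif ok:
            failures.pop(ip, None)        # a successful login resets the counter
            continue
        else:
            recent = [t for t in failures.get(ip, []) if now - t <= COUNT_WINDOW]
            recent.append(now)
            failures[ip] = recent
            if len(recent) < MAX_FAILURES:
                continue
            reason = "too many failures"
        locked_until[ip] = now + LOCKOUT
        failures.pop(ip, None)
        lockouts.append((ts, ip, reason))
    return lockouts

if __name__ == "__main__":
    for ts, ip, reason in evaluate(EVENTS):
        print(ts, ip, reason)
```

Changing the constants at the top shows how a stricter or looser policy would treat the same events before you change the real settings.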

Other Wordfence options

The weekly e-mail summary can become a bit annoying, so you may want to disable this:

Wordfence security plugin configuration

You’ll find there are a LOT of other options in Wordfence, and it’s easy to get carried away with endless security tweaks. At the end of the day, if you’ve bothered to install this plugin, you’re probably already 99% more secure than most websites out there.


Last Updated on 24 November 2020 by Andy Mac