I’ve been impressed by the Wordfence Security plugin after running it on several sites for a few months. Here are some of my favorite features of this plugin:

  • Scans core files, themes and plugins against WordPress.org repository versions to check their integrity.
  • Lets you see how files have changed, and optionally repair changed files.
  • Scans for out-of-date plugins, themes and WordPress versions.
  • Scans for malware.
  • Includes login security to lock out brute-force attacks and to stop WordPress from revealing information that could compromise security.
  • Allows you to block IP addresses from logging in or even accessing the site.
Wordfence Security Blocked IPs

Wordfence Security Scan Summary and Scan Detailed Activity

Because Wordfence locks out IP addresses that attempt brute force attacks, I no longer need the Limit Login Attempts plugin. Because Wordfence can email me about available updates to core, themes, and plugins, I no longer need to use the WP Updates Notifier plugin. However, I’ve recently started using WP Remote to update sites en masse, so I don’t need Wordfence to notify me anyway.

Note: Wordfence is recommended by Bluehost.

Wordfence configuration

Here’s how I configure Wordfence. You should adjust these steps for your situation and preferences.

  1. Install Wordfence Security from the plugin repository and activate it.
  2. In the admin menu, click Wordfence > Options.
  3. Uncheck Enable Live Traffic View. Live Traffic View can slow down your site, so only enable it when necessary.
  4. Set Where to email alerts.
  5. Set How does Wordfence get IPs. Unless you’re doing something special, select Use PHP’s built in REMOTE_ADDR. If you’re doing something special, choose another option.
  6. Under Alerts, select all options except Alert me when someone with administrator access signs in.
  7. Under Scans to include, select all options except Scan public facing site for vulnerabilities?, which is only available for paid members.
  8. Under Login Security Options, set Amount of time a user is locked out to 30 minutes.
  9. Click Save Changes.
  10. In the admin menu, click Wordfence > Scan. Click Start a Wordfence Scan. Address issues it finds.

See the Wordfence documentation for more details.
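
Step 5 matters because lockouts and IP blocks act on whichever address the plugin is told to treat as the visitor's. The following is an added example, not Wordfence's code or part of the original post: it shows why REMOTE_ADDR is the safe default and when a forwarding header is appropriate. The function name, the trusted-proxy list, the X-Forwarded-For handling and the sample addresses are all assumptions made for illustration.

```php
<?php
// Added illustration; not Wordfence code. Names and addresses are constructed.

/**
 * Pick the address that lockouts and IP blocks should key on.
 *
 * @param array $server         Copy of $_SERVER.
 * @param array $trustedProxies Addresses of reverse proxies you operate (assumption).
 */
function resolve_client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // Direct connection: REMOTE_ADDR comes from the TCP socket and cannot be
    // set by a request header, so any forwarding header is ignored.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    // Behind our own proxy: walk X-Forwarded-For from right to left and take
    // the first hop that is a valid address and not one of our proxies.
    // Entries further left are client-supplied and cannot be trusted.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) && !in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer; // Header missing or malformed: fall back to the peer address.
}

// Constructed sample requests (documentation address ranges).
$proxies = ['192.0.2.10'];
$samples = [
    'direct visitor'           => ['REMOTE_ADDR' => '203.0.113.7'],
    'direct, header ignored'   => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.99'],
    'via proxy'                => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.23'],
    'via proxy, padded header' => ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '10.9.9.9, 198.51.100.23'],
];
foreach ($samples as $label => $server) {
    printf("%-26s %s\n", $label, resolve_client_ip($server, $proxies));
}
```

If the site sits behind a proxy and the setting stays on REMOTE_ADDR, every visitor appears to come from the proxy's address, so a single lockout applies to all of them.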

Other WordPress security plugins

Wordfence is great, but it doesn’t do everything. I still use these security plugins:

What WordPress security plugins do you use?


  1. says

    Thanks for this useful article. I am using the Wordfence Security plugin on all of my WP blogs. It works really great as it helps keep my sites clean and working. Fantastic plugin!

    • says

      I’m using WP Remote and Wordfence together on over 20 sites on various hosts, and am not having issues. WP Remote used to recommend adding their IP address as a whitelisted IP address in Wordfence > Options > Other Options, but I’m pretty sure it worked even when I didn’t add that. It looks like WP Remote removed that recommendation from their site. I currently have that address whitelisted on all my sites.

  2. says

    Thanks for a detailed post on setting WF up correctly. I found a lot of the security plugins I was using hadn’t been updated in over 2 years so wanted to switch, and reduce the number of plugins being used.

    I’ve followed your guide and set it up accordingly. I found there wasn’t a check box for turning off live Traffic reports, so that’s still running.

    Great post all the same and has really helped me set it up for the best results.

    Nice one,

    • says

      Barry, they moved the checkbox for Enable Live Traffic View after I wrote this post. It’s now at the top of the Wordfence Options page, under Basic Options. I just updated the post accordingly.

  3. says

    Thanks a lot for your article. I’ve seen that if I use Tor web, Wordfence can’t help me to discover who uses Tor. Do you have an idea how to block Tor web users?

    Thanks in advance
