How we Configure our Wordfence Firewalls
A guide for Maximum Security and Performance
Wordfence is one of the most powerful and flexible WordPress security plugins available. This guide walks you through an optimal configuration based on a high-security setup, with a focus on blocking bad bots, protecting wp-login.php, and balancing performance with protection.
Step 1: Enable and Optimise the Firewall
Go to Wordfence > Firewall and ensure the firewall is ON. If prompted, complete the firewall optimisation to enable extended protection before WordPress loads.
Step 2: Brute Force Protection Settings
Navigate to Wordfence > All Options > Brute Force Protection and configure:
- Enable brute force protection: ON
- Lock out after how many login failures: 5
- Lock out after how many forgot password attempts: 3
- Count failures over what time period: 30 minutes
- Amount of time a user is locked out: 4 hours
- Immediately lock out invalid usernames: ON
- Immediately block the IP of users who try to sign in as specific usernames: Add known targets (e.g., “admin”)
- Prevent the use of passwords leaked in data breaches: ON (for admins only)
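To see how the failure counter, the 30-minute window and the 4-hour lockout interact, here is a small Python model of the brute-force rules above. It is an added example written for this guide, not code from the Wordfence plugin; the account names are made up, and treating "immediately block the IP" as a plain lockout is a simplification.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Values from the brute-force settings above
MAX_LOGIN_FAILURES = 5
MAX_FORGOT_PASSWORD_ATTEMPTS = 3
COUNT_WINDOW = timedelta(minutes=30)
LOCKOUT_DURATION = timedelta(hours=4)
LOCK_OUT_INVALID_USERNAMES = True
IMMEDIATE_BLOCK_USERNAMES = {"admin"}   # the "specific usernames" list; "admin" is the guide's example

# Constructed: the accounts that actually exist on the site (hypothetical names)
VALID_USERNAMES = {"siteowner", "editor"}


class BruteForcePolicy:
    """Sliding-window lockout model of the settings above (not Wordfence's own code)."""

    def __init__(self):
        self._login_failures = defaultdict(deque)    # ip -> timestamps of failed logins
        self._forgot_attempts = defaultdict(deque)   # ip -> timestamps of forgot-password attempts
        self._locked_until = {}                      # ip -> when the lockout expires

    def is_locked(self, ip, now):
        expiry = self._locked_until.get(ip)
        return expiry is not None and now < expiry

    def _lock(self, ip, now):
        self._locked_until[ip] = now + LOCKOUT_DURATION

    @staticmethod
    def _count_in_window(events, now):
        # Forget events older than the counting window, then return how many remain
        while events and now - events[0] > COUNT_WINDOW:
            events.popleft()
        return len(events)

    def login_failure(self, ip, username, now):
        """Record a failed login; returns 'locked' if the IP is (or becomes) locked out."""
        if self.is_locked(ip, now):
            return "locked"
        # "Immediately block the IP of users who try to sign in as specific usernames"
        # (modelled here as a lockout; the real setting blocks the IP outright)
        if username in IMMEDIATE_BLOCK_USERNAMES:
            self._lock(ip, now)
            return "locked"
        # "Immediately lock out invalid usernames"
        if LOCK_OUT_INVALID_USERNAMES and username not in VALID_USERNAMES:
            self._lock(ip, now)
            return "locked"
        events = self._login_failures[ip]
        events.append(now)
        if self._count_in_window(events, now) >= MAX_LOGIN_FAILURES:
            self._lock(ip, now)
            return "locked"
        return "counted"

    def forgot_password(self, ip, now):
        """Record a forgot-password attempt; these have their own, lower threshold."""
        if self.is_locked(ip, now):
            return "locked"
        events = self._forgot_attempts[ip]
        events.append(now)
        if self._count_in_window(events, now) >= MAX_FORGOT_PASSWORD_ATTEMPTS:
            self._lock(ip, now)
            return "locked"
        return "counted"


if __name__ == "__main__":
    policy = BruteForcePolicy()
    start = datetime(2024, 6, 10, 8, 0, 0)
    # Five failures against a real account inside one minute: the fifth locks the IP
    for minute in range(5):
        print(minute, policy.login_failure("192.0.2.1", "siteowner", start + timedelta(minutes=minute)))
    # One attempt against a non-existent account locks immediately
    print("root:", policy.login_failure("192.0.2.2", "root", start))
```

The window is sliding, not fixed: four failures spread ten minutes apart and a fifth at minute 31 still only count as four, because the oldest has aged out. That is why the 30-minute value matters as much as the count of 5.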
Step 3: Advanced Firewall Options
- Delay IP and Country blocking until after WordPress and plugins have loaded: Enabled (unless you’re experiencing early bot attacks)
- Allowlisted services: Keep selected for Uptime Robot, ManageWP, etc.
- Immediately block IPs that access these URLs: Use this powerful option to block bad actors instantly if they request suspicious or sensitive paths.
Recommended Paths to Block
Paste these paths one per line:
/wp-config.php
/xmlrpc.php
/.env
/.git
/.htaccess
/server-status
/ftpconfig
/hidden/
/phpinfo.php
/wp-content/debug.log
/wp-content/plugins/hello.php
/wp-content/plugins/revslider/temp/update_extract
/wp-content/themes/twenty*/404.php
/wp-login.php?user=admin
/wp-login.php?*admin*
/author=admin
/admin
/login
/wp-admin/install.php
/wso.php
These paths are commonly targeted by bots and scanners attempting to find vulnerabilities. Blocking them protects against a wide range of exploits and brute-force attempts.
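Before switching the list on, it is worth replaying it against a slice of your own access log to see which visitors it would have blocked. The Python dry run below is an added example for this guide, not Wordfence code; the matching rule it assumes (a `*` wildcard, pattern anchored at the start of the request URI) is a guess and should be checked against how your installation actually behaves, and the log lines are constructed.

```python
import re
from collections import Counter

# The block list from the guide, exactly as pasted into Wordfence
BLOCK_PATTERNS = [
    "/wp-config.php", "/xmlrpc.php", "/.env", "/.git", "/.htaccess", "/server-status",
    "/ftpconfig", "/hidden/", "/phpinfo.php", "/wp-content/debug.log",
    "/wp-content/plugins/hello.php", "/wp-content/plugins/revslider/temp/update_extract",
    "/wp-content/themes/twenty*/404.php", "/wp-login.php?user=admin", "/wp-login.php?*admin*",
    "/author=admin", "/admin", "/login", "/wp-admin/install.php", "/wso.php",
]

# Combined log format; only the fields the dry run needs are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def compile_pattern(pattern):
    """Assumed matching semantics (not verified against the plugin source): '*' matches any
    run of characters, everything else is literal, and the pattern is anchored at the start
    of the request URI, so it also matches longer URIs that begin with it."""
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts))


COMPILED = [(pattern, compile_pattern(pattern)) for pattern in BLOCK_PATTERNS]


def matching_pattern(uri):
    """Return the first block-list entry that matches the request URI, or None."""
    for pattern, regex in COMPILED:
        if regex.match(uri):
            return pattern
    return None


def dry_run(log_lines):
    """Replay access-log lines against the list.

    Returns (blocked, hits): blocked maps each IP to the first (pattern, uri, status) that
    would have triggered an immediate block; hits counts matches per pattern, so a pattern
    that matches a lot of 200-status traffic stands out as a likely false positive."""
    blocked = {}
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pattern = matching_pattern(m["uri"])
        if pattern is None:
            continue
        hits[pattern] += 1
        blocked.setdefault(m["ip"], (pattern, m["uri"], int(m["status"])))
    return blocked, hits


# Constructed sample lines (RFC 5737 documentation addresses), not real traffic
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:08:01:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '198.51.100.3 - - [10/Jun/2024:08:01:05 +0000] "GET /wp-content/themes/twentytwenty/404.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jun/2024:08:02:11 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Jun/2024:08:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Jun/2024:08:03:40 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F&reauth=1 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    blocked, hits = dry_run(SAMPLE_LOG)
    for ip, (pattern, uri, status) in blocked.items():
        print(f"{ip:<14} would be blocked by {pattern!r} on {uri} (HTTP {status})")
    print("hits per pattern:", dict(hits))
```

Two things the sample surfaces under the assumed semantics: `/admin` also matches anything starting with that prefix (such as `/administrator/`), and `/wp-login.php?*admin*` matches the ordinary logged-out redirect URL, because `redirect_to=%2Fwp-admin%2F` contains the string `admin`. Whether Wordfence matches the same way is exactly what the dry run against your own log is meant to tell you; a pattern whose hits are mostly 200 responses from real users needs tightening before it goes live.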
Step 4: Rate Limiting Configuration
Go to Wordfence > Firewall > Rate Limiting:
- Enable Rate Limiting and Advanced Blocking: ON
- How should we treat Google’s crawlers: Verified Google crawlers will not be rate-limited
- If anyone’s requests exceed: 240 per minute → Throttle it
- If a crawler’s page views exceed: 60 per minute → Throttle it
- If a crawler’s 404s exceed: 15 per minute → Throttle it
- If a human’s page views exceed: 120 per minute → Throttle it
- If a human’s 404s exceed: 10 per minute → Throttle it
- How long is an IP address blocked when it breaks a rule: 30 minutes
- Allowlisted 404 URLs (comma-separated): /favicon.ico,/apple-touch-icon*.png,/*@2x.png,/browserconfig.xml
These settings strike a balance between security and false positive prevention.
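Here is an added Python model of the rate-limiting rules above, replayed over constructed log lines, so you can see which rule a given burst trips and why the 404 allowlist matters. It is not Wordfence code: it recognises crawlers by user-agent substrings only, skips the DNS check Wordfence performs to verify Google's crawlers, and treats "Throttle it" as the 30-minute block configured above. All of those are assumptions.

```python
import fnmatch
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds copied from the rate-limiting settings above (all "per minute")
ANYONE_REQUESTS, CRAWLER_VIEWS, CRAWLER_404S, HUMAN_VIEWS, HUMAN_404S = 240, 60, 15, 120, 10
WINDOW = timedelta(minutes=1)
BLOCK_DURATION = timedelta(minutes=30)   # "How long is an IP address blocked when it breaks a rule"
ALLOWLISTED_404 = ["/favicon.ico", "/apple-touch-icon*.png", "/*@2x.png", "/browserconfig.xml"]

# Assumption: crawlers are recognised by user-agent substrings only. Wordfence also looks at
# behaviour and verifies Google's crawlers by DNS; this offline example does neither.
CRAWLER_UA_MARKERS = ("bot", "crawler", "spider", "python-requests", "curl/", "wget/")

# Combined log format, including the user-agent field this example needs
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def make_line(ip, uri, status, ua, when):
    """Build a constructed combined-format log line (used for the demo and tests only)."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {uri} HTTP/1.1" {status} 512 "-" "{ua}"'


def is_crawler(ua):
    ua = ua.lower()
    return any(marker in ua for marker in CRAWLER_UA_MARKERS)


def is_allowlisted_404(uri):
    # Match the path only; the allowlist entries carry no query strings
    path = uri.split("?", 1)[0]
    return any(fnmatch.fnmatch(path, pattern) for pattern in ALLOWLISTED_404)


class RateLimiter:
    def __init__(self):
        self.requests = defaultdict(deque)   # ip -> timestamps of every request
        self.not_found = defaultdict(deque)  # ip -> timestamps of 404s that count
        self.blocked_until = {}              # ip -> expiry of the current block

    @staticmethod
    def _count(events, now):
        # Drop anything older than one minute, then return the number still inside the window
        while events and now - events[0] >= WINDOW:
            events.popleft()
        return len(events)

    def decide(self, ip, uri, status, ua, now):
        expiry = self.blocked_until.get(ip)
        if expiry is not None and now < expiry:
            return "blocked"
        self.requests[ip].append(now)
        if status == 404 and not is_allowlisted_404(uri):
            self.not_found[ip].append(now)
        views = self._count(self.requests[ip], now)
        misses = self._count(self.not_found[ip], now)
        rule = None
        if views > ANYONE_REQUESTS:
            rule = "anyone-requests"
        elif is_crawler(ua):
            if views > CRAWLER_VIEWS:
                rule = "crawler-views"
            elif misses > CRAWLER_404S:
                rule = "crawler-404s"
        else:
            if views > HUMAN_VIEWS:
                rule = "human-views"
            elif misses > HUMAN_404S:
                rule = "human-404s"
        if rule:
            # "Throttle it" is modelled as the 30-minute block the last setting configures
            self.blocked_until[ip] = now + BLOCK_DURATION
            return "throttled:" + rule
        return "allowed"

    def process(self, log_lines):
        """Return one decision string per log line, in order."""
        decisions = []
        for line in log_lines:
            m = LOG_RE.match(line)
            if not m:
                decisions.append("unparsed")
                continue
            now = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
            decisions.append(self.decide(m["ip"], m["uri"], int(m["status"]), m["ua"], now))
        return decisions


if __name__ == "__main__":
    start = datetime(2024, 6, 10, 8, 0, 0)
    # A browser requesting twelve missing pages inside one minute trips the human 404 rule on the 11th
    burst = [make_line("192.0.2.5", f"/old-page-{i}", 404, "Mozilla/5.0", start + timedelta(seconds=i)) for i in range(12)]
    print(RateLimiter().process(burst))
```

Without the allowlist, every browser that fetches a missing favicon or retina icon on each page load would accumulate 404s and hit the "human's 404s exceed 10" rule; with it, those requests still count as page views but never as 404s.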
Step 5: Monitor Live Traffic
Use Wordfence > Tools > Live Traffic to:
- Identify suspicious requests (like bots hitting wp-login.php)
- Block IPs or User-Agents on the spot
Recommended Filters
Use the Advanced Filters to spot unwanted activity quickly:
- Bots attempting to log in:
  - Filter: Security Event → contains → login
  - Filter: Type → = → Bot
  - Action: Block all manually; bots should never attempt login
- Bots generating excessive traffic:
  - Use rate limiting stats or Live Traffic grouping by IP
  - Action: Block IPs with unusually high hits manually
This manual review step adds an extra layer of proactive defense beyond automation.
Summary: Your Wordfence Setup is Now Hardened
With this setup:
- Brute-force login attacks are locked down
- Bad bots are throttled or blocked
- AI scrapers and command-line bots are denied
- Security rules are enforced with minimal impact on performance
You can now let Wordfence run in the background while staying informed via email alerts and periodic traffic review.
Want to go deeper with bot blocking (e.g. path-specific rules via Cloudflare)? Let me know!