Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
25 Million+
Websites using our plugins
Years of WordPress experience
WordPress tutorials
by experts

How to Install and Setup Wordfence Security in WordPress

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to install and set up the Wordfence security plugin on your website?

Wordfence is a popular WordPress plugin that helps you tighten the security of your WordPress site and protects it from hacking attempts.

In this article, we will show you how to easily install and set up Wordfence security plugin in WordPress.

How to install and setup Wordfence

What Is Wordfence? How Does It Protect Your WordPress Site?

WordPress security is one of the biggest concerns for website owners since one hack can lead to your entire site shutting down or even potentially stealing customer data.

That’s where Wordfence comes in.

Wordfence is a WordPress security plugin that helps you protect your website against security threats like hacking, malware, DDOS, and brute force attacks.

It comes with a website application firewall, which filters all traffic to your website and blocks suspicious requests.

It has a malware scanner that scans all your WordPress core files, themes, plugins, and upload folders for changes and suspicious code. This helps you clean a hacked WordPress site.

The basic Wordfence plugin is free, but it also comes with a premium version that gives you access to more advanced features such as country blocking, firewall rules updated in real-time, scheduled scanning, etc.

Having said that, let’s see how to install and easily set up Wordfence for maximum security.

How to Install and Set Up Wordfence in WordPress

The first thing you need to do is install and activate the Wordfence Security plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, the plugin will add a new menu item labeled Wordfence to your WordPress admin bar. Clicking on it will take you to the plugin’s settings dashboard.

Wordfence settings dashboard

This page shows an overview of the plugin’s security settings on your website. You will also see security notifications and stats like recent IP blocking, failed login attempts, total attacks blocked, etc.

Wordfence settings are divided into different sections. The default settings will work for most websites, but you still need to review and change them if needed.

Let’s start by running a scan first.

Scanning Your WordPress Site Using Wordfence

Head over to the Wordfence » Scan page and then click on the ‘Start New Scan’ button.

Wordfence scan

Wordfence will now start scanning your WordPress files.

The scan will look for changes in file sizes in the official WordPress core and plugin files.

It will also look inside the files to check for suspicious code, backdoors, malicious URLs, and known patterns of infections.

Typically, these scans need a lot of server resources to run. Wordfence does an excellent job of running the scans as efficiently as possible. The time it takes to complete a scan will depend on how much data you have and the server resources available.

You will be able to see the progress of the scan in the yellow boxes on the scan page. Most of this information will be technical. However, you don’t need to worry about the technical stuff.

scan loading

Once the scan is finished, Wordfence will show you the results.

It will notify you if it finds any suspicious code, infections, malware, or corrupted files on your website. It will also recommend actions you can take to fix those issues.

In this example, you can see that it found 32 critical errors on the site. The good news is that they offer a ‘Delete All Deletable Files’ or Repair All Repairable Files button. That lets you either delete all the files or repair all the files, causing the errors all in one fell swoop.

Next to each error, you can click ‘Details’ to learn more or ‘Ignore’ to disregard it.

critical errors

The free Wordfence plugin automatically runs full scans on your WordPress site once every 24 hours. The premium version of the plugin allows you to set up your own scan schedules.

Setting Up Wordfence Firewall

Wordfence comes with a website application firewall. This is a PHP-based application-level firewall.

The Wordfence firewall offers two levels of protection. The basic level which is enabled by default, allows the Wordfence firewall to run as a WordPress plugin.

This means that the firewall will load with the rest of your WordPress plugins. This can protect you from several threats, but it will miss out on threats that are designed to trigger before WordPress themes and plugins are loaded.

The second level of protection is called extended protection. It allows Wordfence to run before WordPress core, plugins, and themes. This offers much better protection against more advanced security threats.

Here is how you would set up the extended protection.

Visit the Wordfence » Firewall page and click on ‘Manage Firewall’.

wordfence firewall

Under Protection Level, select ‘Optimize The Wordfence Firewall.’

Wordfence will now run some tests in the background to detect your server configuration. If you know that your server configuration is different from what Wordfence has selected, then you can select a different one.

manage firewall protection level

Next, Wordfence will ask you to download your current .htaccess file as a backup.

Click on the ‘Download .htaccess’ button, and after downloading the backup file, click on the ‘Continue’ button.

download htaccess

Wordfence will now update your .htaccess file, allowing it to run before WordPress.

You will be redirected to the firewall page, where you will now see your protection level as ‘Extended protection.’

Protection level

You will also notice a ‘Learning Mode’ button. When you first install Wordfence, it attempts to learn how you and your users interact with the website to make sure that it doesn’t block legitimate visitors.

After a week, it will automatically switch to ‘Enabled and Protecting’ mode.

Monitoring and Blocking Suspicious Activity Using Wordfence

Wordfence shows a very useful log of all requests made to your website. You can view it by visiting the Wordfence » Tools page. Then, head over to the ‘Live Traffic’ tab.

Live traffic wordfence

Here, you can see the list of IPs requesting different pages on your website.

For example, you’ll spot any suspicious activity like Failed Login attempts from unknown users. Under each item, you can automatically:

  • Block IP to restrict them from your site.
  • Run WHOIS lookup on them.
  • Find out more information about the activity with the ‘See Recent Traffic option.
see failed attempts

If you want to filter the list, you can check the ‘Show Advanced Filter’ option so that you can filter activity by date and type of traffic.

The traffic you can filter includes humans, registered users, crawlers, google crawlers, logins, and logouts, locked out, blocked by firewall, and so on.

show advanced filters

You can block individual IPs and even full networks on this page.

You can also block suspicious IPs manually by visiting the Wordfence » Firewall page. Then head over to the ‘Blocking’ tab.

Here is where you can create blocking rules based on IP Address, Country, or Custom Pattern.

Then click ‘Block This IP Address’ so the rule takes effect.

block ip address rules

Below that, you’ll see an entire list of people you’ve blocked.

It’ll also show the rules, reasons, and other details about each ban.

blocking list

Advanced Settings and Tools in Wordfence

Wordfence is a powerful plugin with lots of useful options. You can visit the Wordfence » All Options page to review them.

wordfence options

Here, you can selectively turn features on and off. You can also enable or disable email notifications, scans, and other advanced settings.

Wordfence vs Sucuri – Which One Is Better?

Now, some of you will probably be thinking, how does Wordfence stack up against Sucuri?

Sucuri is another popular website security suite that comes with a website application firewall, malware scanner, and removal.

Both Wordfence and Sucuri are great choices to improve your WordPress security. However, we believe that Sucuri has some features that give it a slight edge over Wordfence.

One of them is the website application firewall. Wordfence WAF is an application-level firewall, which means it is initiated on your server.

On the other hand, the Sucuri website firewall is a DNS-level firewall. This means all traffic to your website goes to their cloud proxy before reaching your website. This helps Sucuri block DDOS attacks more efficiently and also reduces server load on your website.

We hope this article helped you learn how to install and properly set up Wordfence on your website. You may also want to check out our ultimate guide on how to speed up WordPress performance and the most common WordPress errors and how to fix them.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

10 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Shaxid Rahman says

    Thanks for your great explanation. It’s really easy to understand the process! I really appreciated.

  3. Anondi says

    I have used wordfence in my wordpress site (version 4.5.9),but it’s firewall maybe blocking google bot for crawling because after submitting sitemap it’s showing that error(Network unreachable:http error 503).what can be settings for this issue?

  4. Sue says

    I am confused as to why the you would even compare the paid Sucrui firewall to the free Wordfence firewall. Going one step farther why even compare them at all, when the main focus according to the title of the article is how to set up and install Wordfence in WordPress.

    It is sad as the only reason I can think of is that you make a referral few with Sucrui as your review article plainly states. I think you would need to add this here too to be in compliance with proof of affiliation.

    • Editorial Staff says

      Hey Sue,

      Sucuri and WordFence are both security solutions and rather popular ones. We have gotten several emails through our contact form asking how to use Wordfence and how does it compare to Sucuri (the product that we use and recommend). Like all articles on WPBeginner, this one was also user suggested.

      We only recommend products that we use ourselves (Sucuri is one of them). A lot of WordPress companies have an affiliate / referral program. As a WordPress publisher, we use those referral links instead of naked regular links, so we can avoid having to sell ads on the website with tons of tracking scripts. The revenue earned allows us to continue providing free WordPress resources for the community.

      Having that said, we only recommend products that we use ourselves or would use if needed for a specific use-case. At WPBeginner there are thousands of pages, and there is a FTC disclosure link at the bottom of every page.


      • Sue says

        Thanks for your explanation. Make sense now why the comparison even though the Sucuri firewall is a paid feature.

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.