How to Install and Setup Wordfence Security in WordPress

WordPress Security

Using a security plugin together with sound server and configuration hygiene is simply smart. WordPress's popularity makes it a standing target: attackers scan it at scale because one working technique applies to millions of sites. That is why the Wordfence Security and Firewall plugin is a good choice for raising the security of your installation.

Wordfence Import Settings

386694919d5afa41ee9d165768b2389f5ac65376a16e3aed7454940e5bcca2e87370bc881867249490b1e9cd71d3d7b9cc1b7fbe8453bde253b9af3e11de266b96fb982dc9f831b6ac5d389474fb61df

How to Use Import Settings

In your WordPress dashboard open the Wordfence menu > Tools > Import/Export Options.

Paste the token above into the import field and save. Importing applies the exported options to your site, so go through the Firewall and Blocking pages afterwards and confirm the imported settings (firewall mode, rate limiting, blocking rules) are what you actually want on your own site.

htaccess rules for WordPress Security

These conditions are tested against the raw (still percent-encoded) query string. Every condition is joined to the next with [OR], and the final RewriteRule answers 403 Forbidden as soon as any one of them matches. Without that rule, and without [OR] on the _REQUEST line, the conditions do nothing.

RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC]
RewriteRule .* - [F,L]

How to Use htaccess rules for WordPress Security

First, download a backup copy of the .htaccess file from your web server, usually found at File Manager > public_html > .htaccess.

You should see something like this:

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The comment block says it plainly: anything between the BEGIN WordPress and END WordPress markers is regenerated and overwritten (every time permalinks are saved), so do not put the rules inside it. Add them as their own block above # BEGIN WordPress so the file reads like this:

# BEGIN query string filter
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode[^(]*\([^)]*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|mosconfig) [NC,OR]
RewriteCond %{QUERY_STRING} (boot.ini|echo.*kae|etc/passwd) [NC,OR]
RewriteCond %{QUERY_STRING} (javascript:).*(;) [NC]
RewriteRule .* - [F,L]
</IfModule>
# END query string filter

# BEGIN WordPress
# The directives (lines) between "BEGIN WordPress" and "END WordPress" are
# dynamically generated, and should only be modified via WordPress filters.
# Any changes to the directives between these markers will be overwritten.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Save changes for .htaccess file to be updated

At this stage, visit your website and double check that everything still works, including a few ordinary site searches: the SQL condition matches an apostrophe followed by any text containing or, and or if, so a search for don't forget is answered with 403. If something breaks, delete the block you added (or simply upload your backup and overwrite .htaccess).
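To see exactly what the query string conditions above catch, and what they miss, here they are translated to Python and run over a handful of constructed query strings. This is an added example, not code from the article or from Wordfence: the patterns are the article's, the probe strings and the expected verdicts are constructed for illustration, and the model assumes every condition is joined with [OR] and followed by RewriteRule .* - [F,L]. mod_rewrite tests %{QUERY_STRING} in raw, still percent-encoded form, so the probes are raw query strings too.

```python
import re

# Added example, not the article's code: the article's RewriteCond patterns as
# Python regexes. [NC] becomes re.IGNORECASE; the two conditions the article
# writes without [NC] stay case-sensitive on purpose, because that is how
# Apache evaluates them.
QUERY_STRING_RULES = [
    ("base64",  re.compile(r"base64_encode[^(]*\([^)]*\)")),
    ("script",  re.compile(r"(<|%3C)([^s]*s)+cript.*(>|%3E)", re.I)),
    ("globals", re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),
    ("request", re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),
    ("sql",     re.compile(r"""(;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if)""", re.I)),
    ("host",    re.compile(r"(localhost|mosconfig)", re.I)),
    ("files",   re.compile(r"(boot.ini|echo.*kae|etc/passwd)", re.I)),
    ("jsuri",   re.compile(r"(javascript:).*(;)", re.I)),
]


def matching_rules(query_string):
    """Names of the conditions that fire on a raw (percent-encoded) query string."""
    return [name for name, rx in QUERY_STRING_RULES if rx.search(query_string)]


def is_blocked(query_string):
    """True when the rule set (all conditions [OR]-joined, then
    RewriteRule .* - [F,L]) would answer 403 for this query string."""
    return bool(matching_rules(query_string))


# Constructed probes (not captured traffic) with the verdict a practitioner
# should expect from the rules as written.
PROBES = [
    # ordinary traffic that must pass
    ("p=123", False),
    ("s=wordfence+firewall", False),
    # attack-shaped strings the rules are written for
    ("cmd=base64_encode(payload)", True),
    ("q=<script>alert(1)</script>", True),
    ("q=%3Cscript%3Ealert(1)%3C/script%3E", True),
    ("GLOBALS[x]=1", True),
    ("file=../../etc/passwd", True),
    ("id=1';union+select+1--", True),
    # gaps: GLOBALS is case-sensitive, and %27 (encoded apostrophe) is not in the SQL condition
    ("globals[x]=1", False),
    ("id=1%27+union+select+1--", False),
    # false positive: apostrophe followed by any text containing "or" ("forget")
    ("s=don't+forget", True),
]


def audit(probes=PROBES):
    """Probes whose actual verdict differs from the expected one (empty when the
    rules behave exactly as the table above predicts)."""
    return [(qs, expected, matching_rules(qs))
            for qs, expected in probes if is_blocked(qs) != expected]


if __name__ == "__main__":
    for qs, expected in PROBES:
        verdict = "BLOCK" if is_blocked(qs) else "pass"
        print(f"{verdict:5}  {qs:40}  {matching_rules(qs)}")
    assert audit() == [], audit()
```

The last three probes are the point: a lowercase globals[x] and a percent-encoded apostrophe walk straight past the conditions, while a perfectly normal search term is blocked. Treat these rules as a coarse supplement to the Wordfence firewall, not as a replacement for it, and watch the 403 rate after enabling them.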

Force SSL Logins

WordPress lets you force every login and every admin session through the https version of your website from wp-config.php, and you should use it. Two prerequisites: the site needs a working TLS certificate, and if TLS terminates at a reverse proxy or load balancer, WordPress must be told the request arrived over HTTPS (the usual fix is to set $_SERVER['HTTPS'] = 'on' from the X-Forwarded-Proto header in wp-config.php before these lines), otherwise you get a redirect loop. Edit File Manager > public_html > wp-config.php and add the code below above the line that reads "That's all, stop editing!".

Force SSL Logins

// Forces wp-login.php and the whole /wp-admin/ area onto HTTPS. This is the setting that matters.
define('FORCE_SSL_ADMIN', true);
// Deprecated since WordPress 4.0: FORCE_SSL_ADMIN already covers logins. Harmless on old installs, redundant on current ones.
define('FORCE_SSL_LOGIN', true);

WordPress Security

Because WordPress is so widely used, attackers write scripts that scan for known vulnerabilities in WordPress-built sites. Taking security seriously now is what keeps you from waking up to a hacked site later.

Apart from running the Wordfence security plugin, you can and should regularly change the passwords for:

  • WordPress Dashboard
  • Web Hosting Account
  • Database user (phpMyAdmin)

Then, depending on the website setup (a WooCommerce store or a small business site), look into paid automatic backup options such as:

  • VaultPress
  • UpdraftPlus

Protect WordPress uploads folder

Create a new file called .htaccess and upload it to wp-content/uploads/.htaccess with the rules below. Adjust the <IfModule> test to the PHP module your server actually loads: mod_php.c for PHP 8 (the module file was renamed from mod_php7.c in PHP 8.0), mod_php7.c for PHP 7. If PHP runs under PHP-FPM rather than mod_php, which is the common setup on shared hosting today, the php_flag line is silently ignored and the <Files> block is the line doing the work. Require all denied needs Apache 2.4; on 2.2 use Order deny,allow followed by Deny from all. If the uploads directory starts returning 500 after this, the host does not permit Options in .htaccess (AllowOverride Options), so remove the two Options -ExecCGI lines. nginx and other servers ignore .htaccess entirely.

# BEGIN RankYa WordPress Specialist Codes
# BEGIN PHP code execution protection
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
# END PHP code execution protection
# Second layer: deny every request for a file whose extension starts with .ph
# (php, php3 to php8, pht, phtml, phps, phar), whatever PHP SAPI is in use.
<Files ~ "\.ph(?:p[0-9]?|t|tml|ps|ar)$">
Require all denied
</Files>
# -ExecCGI: execution of CGI scripts via mod_cgi or mod_cgid is not permitted.
<IfModule mod_cgi.c>
Options -ExecCGI
</IfModule>
<IfModule mod_cgid.c>
Options -ExecCGI
</IfModule>
# Detach script handlers from these extensions so mod_mime never maps an upload to an interpreter.
RemoveHandler .ini .sh .bsh .bash .awk .nawk .gawk .csh .var .c .in .h .asc .md5 .sha .sha1 .cgi .pl .php .inc .asp .exe .bin .py .phtml
RemoveHandler .out .output .overlay .p12 .p5c .pam .pas .patch .phps .php5 .php4 .php3 .pbxproj .pdb .pdf .pem .perl .phar .php_cs .phpize .phpt .pingpong .pipelining .pk
# Serve anything that still matches as plain text: it is harder to run code from a text file.
<FilesMatch "\.(ini|sh|bsh|bash|awk|nawk|gawk|csh|var|c|in|h|asc|md5|sha|sha1|cgi|pl|php|php[0-9]|py|inc|asp|exe|bin|list|rb|phtml|tag|info|txt)$">
ForceType text/plain
</FilesMatch>
# END RankYa WordPress Specialist Codes
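The <Files ~ "..."> regex is the layer that holds on every Apache setup, so it is worth checking which names it actually denies. Below is an added example, not code from the article: the deny pattern as it is commonly circulated (\.ph(?:p[345]?|t|tml)$, which stops at php5) next to the widened form used above, both as Python regexes, run over a constructed list of upload names. Apache matches a <Files> regex against the base name only, so the probes are base names; the file names are made up for illustration.

```python
import re

# Added example, not the article's code: two <Files ~ "..."> patterns as Python
# regexes so they can be compared offline.
PUBLISHED_DENY = re.compile(r"\.ph(?:p[345]?|t|tml)$")       # php, php3-php5, pht, phtml
WIDENED_DENY = re.compile(r"\.ph(?:p[0-9]?|t|tml|ps|ar)$")   # adds php7/php8, phps, phar


def is_denied(filename, pattern=WIDENED_DENY):
    """True when Apache would answer 403 for this base name under the given regex."""
    return bool(pattern.search(filename))


def compare(filenames):
    """Map each name to (denied by published pattern, denied by widened pattern)."""
    return {f: (is_denied(f, PUBLISHED_DENY), is_denied(f, WIDENED_DENY)) for f in filenames}


# Constructed names: what wp-content/uploads might hold after a plugin's upload
# check has been bypassed.
SAMPLE_UPLOADS = [
    "photo.jpg", "invoice.pdf",                          # legitimate, must stay reachable
    "shell.php", "shell.php5", "shell.phtml",            # denied by both patterns
    "shell.php7", "shell.php8", "cmd.phar", "src.phps",  # denied only by the widened pattern
    "image.php.jpg",                                     # double extension: neither (ends in .jpg)
]


def slipped_past_published(filenames=SAMPLE_UPLOADS):
    """Names the widened pattern denies but the published one let through."""
    return [f for f, (old, new) in compare(filenames).items() if new and not old]


if __name__ == "__main__":
    for name, (old, new) in compare(SAMPLE_UPLOADS).items():
        print(f"{name:16} published={'deny' if old else 'allow':5} widened={'deny' if new else 'allow'}")
    print("slipped past the published pattern:", slipped_past_published())
```

Note the last probe: an anchored regex never matches image.php.jpg, because the name ends in .jpg. mod_mime, however, looks at every extension in a name, so with a server-wide AddHandler for .php such a file can still reach the PHP handler. That is exactly why the RemoveHandler lines and php_flag engine 0 stay in the uploads .htaccess as further layers rather than relying on the <Files> block alone.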

Website security is an ongoing process, because attackers never stop probing WordPress-built sites. These are only some of the methods for better securing a WordPress site.

By RankYa

RankYa is a digital services provider dedicated to growing your sales and business website's results. Highly experienced technical problem solver, Google products expert with proven 'Social Media Marketing' skills, RankYa (100% Australian Owned and Operated) is dedicated to helping small businesses to grow.

We're looking forward to contributing towards your online success. Contact Us.

1 comment

  1. Thanks for sharing this important piece of information with us, I am going to try and follow this WordPress blog.
