Install the Wordfence plugin and activate it. Complete the initial setup wizard. Use email address “security@webmagic.studio”, and do not sign up for the newsletter.

Now, if you reload the browser once or twice, you’ll get a message at the top of the screen stating “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:”


Those actions should leave you at the Wordfence Firewall Options page. If not, use the menu selection Wordfence > Firewall to go there.

Now you need to click the big “Save Changes” button in the upper-right corner of the page.


Using the menu, go to Wordfence > Tools. Click the Import/Export Options tab. Copy and paste the following code into the “Import Wordfence Options…” field, and click “Import Wordfence Options”. This should result in an “Import Successful” popup. Click “Reload”.

c086 ... (key omitted)

Go down to the Firewall Options section, and open the “Brute Force Protection” widget. In the area with the “Immediately block the IP of users who try to sign in as these usernames” field, you’ll see a list of user IDs already created, like “adm”, “administrator”, etc. Attackers often try to brute-force the login using user IDs built from the site’s hostname. So let’s say the site has a two-part name like “wonderful.com”. In the large text box, type “wonderful.com” and hit Enter. The user ID will be added to the end of the list. Repeat for “wonderful”. If you have a three-part name, for example “race.cars.com”, you will need to create user IDs “race”, “cars”, “race.cars”, and “race.cars.com”. Create the necessary user IDs, and don’t forget to click Save in the upper-right corner.
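The hostname rule above, as an added example that is not part of the original procedure or of Wordfence: it builds the user IDs to enter for a given hostname, generalised to longer names by taking every contiguous run of the labels before the suffix. The function names, the `suffix_labels` parameter and the sample account list are assumptions of this example; names that match a real account on the site are set aside for a manual look rather than listed.

```python
def hostname_usernames(hostname, suffix_labels=1):
    """Return candidate user IDs built from a site hostname.

    suffix_labels is how many trailing labels form the suffix ("com" -> 1);
    pass 2 for suffixes such as "co.uk" (assumption: the caller knows this).
    """
    labels = [p for p in hostname.strip().lower().rstrip(".").split(".") if p]
    if len(labels) <= suffix_labels:
        raise ValueError(f"no site labels in hostname: {hostname!r}")
    site = labels[:-suffix_labels]
    names = []
    # Every contiguous run of the site labels: "race", "race.cars", "cars".
    for start in range(len(site)):
        for end in range(start + 1, len(site) + 1):
            names.append(".".join(site[start:end]))
    names.append(".".join(labels))  # the full hostname, e.g. "race.cars.com"
    return list(dict.fromkeys(names))  # drop duplicates, keep order


def plan_additions(hostname, already_listed, real_accounts, suffix_labels=1):
    """Split the candidates into (names to add, names to review by hand)."""
    listed = {n.lower() for n in already_listed}
    real = {n.lower() for n in real_accounts}
    add, review = [], []
    for name in hostname_usernames(hostname, suffix_labels):
        if name in listed:
            continue  # already in the Wordfence list, nothing to do
        # Assumption of this example: look at real account names before listing.
        (review if name in real else add).append(name)
    return add, review


if __name__ == "__main__":
    already_listed = ["adm", "administrator"]  # entries the page mentions
    real_accounts = ["editor", "cars"]         # constructed sample accounts
    add, review = plan_additions("race.cars.com", already_listed, real_accounts)
    print("add to the list:", ", ".join(add))
    print("review first:   ", ", ".join(review))
```
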


Using the menu, go to Wordfence > Scan. Click the “Start New Scan” button and get a cup of coffee while you wait for it to finish. Make sure it finishes successfully, and address any issues that the scan turns up. NOTE: If you are using /etc/hosts to point to a test/setup server that is not configured in DNS, the scan will not work. In that case, you will have to perform the scan after the site goes live, or under a different hostname that does resolve through DNS.