Install the Wordfence plugin and activate it. Complete the initial setup wizard. Use email address “security@webmagic.studio”, and do not sign up for the newsletter.
Now, if you reload the page in your browser once or twice, you’ll get a message at the top of the screen stating “To make your site as secure as possible, take a moment to optimize the Wordfence Web Application Firewall:”
- Click “Click here to configure”, and you’ll get a popup titled “Optimize Wordfence Firewall”.
- Click the button to download .user.ini (we don’t really need the file, so you can click Cancel when it asks you to save). When you click that button, the system will enable the Continue button.
- Go ahead and click “Continue”, which should result in an “Installation Successful” popup.
Those actions should leave you at the Wordfence Firewall Options page. If not, use menu selection Wordfence > Firewall to go there.
- Change the Web Application Firewall Status dropdown from “Learning Mode” to “Enabled and Protecting”.
- Verify that the Protection Level is set to “Extended Protection”. If not, hit reload and follow the steps in the previous bullet list again.
- If you are going to load a Premium license, you can click the “Upgrade to Premium” button now.
Now you need to click the big “Save Changes” button in the upper-right corner of the page.
Using the menu, go to Wordfence > Tools. Click the Import/Export Options tab. Copy and paste the following code into the “Import Wordfence Options…” field, and click “Import Wordfence Options”. This should result in an “Import Successful” popup. Click “Reload”.
c086 ... (key omitted)
Go down to the Firewall Options section, and open the “Brute Force Protection” widget. In the area with the “Immediately block the IP of users who try to sign in as these usernames” field, you’ll see a list of user IDs already created, like “adm”, “administrator”, etc. Attackers often try to brute-force the login using user IDs built from the site’s hostname, so add those user IDs to this list. Say the site has a two-part name like “wonderful.com”. Using the large text box, type “wonderful.com” and hit Enter. The user ID will be added to the end of the list. Repeat for “wonderful”. If you have a three-part name, for example “race.cars.com”, you will need to create user IDs “race”, “cars”, “race.cars”, and “race.cars.com”. Create the necessary user IDs, and don’t forget to click Save in the upper-right corner.
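The hostname rule above can be scripted when you set up many sites. This is an added example, not part of the original procedure or of Wordfence; the function names, the `suffix_labels` parameter (for suffixes such as “co.uk”) and the case-insensitive comparison are assumptions of the example, and it goes beyond the two cases in the text by handling any number of name labels.

```python
from urllib.parse import urlsplit


def hostname_usernames(site, suffix_labels=1):
    """User IDs derived from a site hostname, per the rule described above.

    suffix_labels is this example's assumption: the number of trailing labels
    that form the domain suffix (1 for "com", 2 for "co.uk").
    """
    # Accept a bare hostname or a full URL; .hostname lowercases and drops the port.
    host = urlsplit(site if "//" in site else "//" + site).hostname or ""
    labels = [label for label in host.split(".") if label]
    if len(labels) <= suffix_labels:
        raise ValueError(f"no name labels left in {site!r}")
    name_labels = labels[:-suffix_labels]
    candidates = name_labels + [".".join(name_labels), ".".join(labels)]
    # A two-part name yields its single label twice; keep the first occurrence.
    return list(dict.fromkeys(candidates))


def missing_from_blocklist(site, current, suffix_labels=1):
    """Derived user IDs not yet in the current list (compared case-insensitively)."""
    have = {entry.strip().lower() for entry in current}
    return [u for u in hostname_usernames(site, suffix_labels) if u not in have]


if __name__ == "__main__":
    # Constructed sample of an existing block list.
    existing = ["adm", "administrator", "wonderful"]
    for site in ("wonderful.com", "https://race.cars.com/wp-admin/"):
        print(site, "->", missing_from_blocklist(site, existing))
```

Paste the printed user IDs into the text box one at a time, as described above.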
Using the menu, go to Wordfence > Scan. Click the “Start New Scan” button and get a cup of coffee while you wait for it to finish. Make sure it finishes successfully, and address any issues that the scan turns up. NOTE: If you are using /etc/hosts to point to a test/setup server that is not configured in DNS, the scan will not work. In that case, you will have to perform the scan after the site goes live, or under a different hostname that does resolve through DNS.