Configure SiteFort for your WordPress site
This guide explains what to enable, what to test before enforcing, and which settings depend on how your site works. Use the docs when you need to understand how a feature works. Use this guide when you need to decide what to turn on.
Best starting point for every WordPress site
Enable high-confidence controls first, then add stricter settings one layer at a time.
Harden WordPress
Enable obscurity settings, server hardening, and security headers. Lock down file exposure and PHP execution before configuring traffic rules.
Protect accounts
Enable login attempt limits, obfuscated error messages, breached password detection, and 2FA for privileged users.
Enable firewall protection
Verify IP Detection first. Then enable Balanced bot policy, scanner blocking, community blocklist, and moderate rate limiting.
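Why IP detection comes before the other firewall controls: bot policy, blocklists and rate limiting are all keyed on the client IP, so a wrong answer either throttles every visitor behind the same proxy together or lets one host choose a fresh identity per request. The resolver below is an added example, not SiteFort code or its IP Detection setting; the trusted proxy ranges and sample requests are constructed.

```python
"""Client IP resolution behind a reverse proxy or CDN.

Added example, not SiteFort code. The trusted proxy ranges and the sample
requests are constructed.
"""
import ipaddress
from collections import Counter

# Constructed: the address ranges your load balancer / CDN connects from.
# Behind Cloudflare this would be Cloudflare's published IP ranges.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]


def is_trusted_proxy(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, headers, header="X-Forwarded-For"):
    """Return the client address the firewall should key on.

    Rule 1: if the TCP peer is not a trusted proxy, the forwarded header is
    untrusted input (anyone can send it) and is ignored.
    Rule 2: otherwise walk the header right to left, skipping our own proxies;
    the first address we did not add is the client. For single-value headers
    such as Cloudflare's CF-Connecting-IP the same walk has one hop.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not is_trusted_proxy(peer):
        return str(peer)
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed chain: stop trusting it, fall back to the peer
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)


# Two common misconfigurations, kept for comparison.
def naive_remote_addr(remote_addr, headers):
    """Detection 'off': sees only the proxy's address."""
    return remote_addr


def naive_first_xff(remote_addr, headers):
    """Detection set to 'trust X-Forwarded-For' without a proxy allowlist."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() if xff else remote_addr


# Constructed requests: (TCP peer, headers).
SAMPLE_REQUESTS = [
    ("198.51.100.20", {"X-Forwarded-For": "203.0.113.5"}),                 # user via proxy
    ("198.51.100.20", {"X-Forwarded-For": "203.0.113.6"}),                 # another user
    ("198.51.100.20", {"X-Forwarded-For": "203.0.113.7, 198.51.100.21"}),  # two proxy hops
    ("192.0.2.99", {"X-Forwarded-For": "203.0.113.8"}),                    # direct, header forged
    ("192.0.2.99", {"X-Forwarded-For": "203.0.113.9"}),                    # same host, new forgery
]


def rate_limit_keys(resolver, requests=SAMPLE_REQUESTS):
    """How many requests each resolved IP would be charged against its limit."""
    return Counter(resolver(peer, hdrs) for peer, hdrs in requests)


if __name__ == "__main__":
    for name, resolver in [("REMOTE_ADDR only", naive_remote_addr),
                           ("first X-Forwarded-For", naive_first_xff),
                           ("trusted-proxy walk", client_ip)]:
        print(f"{name:24s} {dict(rate_limit_keys(resolver))}")
```

Run it and compare the three key distributions: with detection off, the three proxied users are charged to one key (the proxy's address), so a moderate rate limit locks them out together; with the forwarded header trusted blindly, the directly connected host gets a new key on every request and is never limited; with the trusted-proxy walk, each real user is counted separately and the forged headers are ignored. Confirm your own site lands in the third case before turning on rate limiting or blocklists.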
Monitor continuously
Enable audit logging, configure scan alerts and vulnerability notifications, and set a scan schedule that matches your site's risk level.
Configure SiteFort in this sequence
Avoid enabling every strict control at once. Apply one layer, verify it works, then continue.
Recommended settings by site type
The baseline applies everywhere. These notes cover what to adjust based on how your site works.
Small business website
- Enable WordPress Obscurity and Server Hardening baseline.
- Login limits, obfuscated errors, and 2FA for admins.
- Balanced bot policy, scanner blocking, community blocklist, moderate rate limiting.
- Weekly Standard Scan.
- Email notifications for scan findings, vulnerabilities, and login lockouts.
WooCommerce store
- Enable safe hardening, but test REST API and security headers against cart, checkout, account pages, and payment callbacks before enforcing.
- Login limits and 2FA for Administrators and Shop Managers.
- Balanced bot policy with rate limits tuned around real checkout traffic.
- Enable Cloudflare Sync if the store uses Cloudflare.
- Daily or weekly scans depending on order volume.
Membership or LMS site
- Moderate login lockout settings. Members forget passwords. Tighten after reviewing lockout data, not before.
- CAPTCHA on registration if fake signups are a problem.
- 2FA required for staff, instructors, admins, and editors. Optional for regular members.
- Rate limits set higher than for a brochure site. Logged-in users generate more requests per session.
- Daily or weekly scans depending on user activity.
Agency-managed client sites
- Apply the same SiteFort hardening and firewall baseline across all client sites.
- Require 2FA for all administrators. Include recovery codes in handoff documentation.
- Route scan findings and account activity alerts to the agency support inbox or Slack webhook.
- Enable Audit Log on every site before handoff. Export before any major remediation.
- Schedule scans based on maintenance plan and client risk level.
Headless or API-heavy WordPress
- Do not restrict REST API until every frontend, app, and integration endpoint has been tested and allowed individually in Endpoint Status.
- Disable Application Passwords only if no API clients depend on them.
- Enable firewall and tune rate limits around real API traffic patterns.
- Test CSP and connection-level security headers carefully before enforcing.
- Require 2FA for human administrators regardless of API usage.
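The WooCommerce and headless notes above both say the same thing: test REST API restrictions against real cart, checkout, app and integration traffic before enforcing, and tune rate limits around real request patterns. The script below is one way to do that test offline, as an added example that is not SiteFort code and not its Endpoint Status feature: it replays the REST routes found in web-server access logs against the allowlist you intend to enforce and reports what would break, and it computes each client's busiest minute as the floor a rate limit has to stay above. The log lines (combined log format), the allowlist and its glob-style pattern syntax are constructed for the example.

```python
"""Dry-run a REST API restriction and a rate limit against real access logs.

Added example, not SiteFort code. The log lines, the allowlist and the
glob-style pattern syntax are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from fnmatch import fnmatchcase
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: a WooCommerce storefront, a public feed reader,
# an ERP integration posting orders, and one request to the users endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:13:55:01 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:04 +0000] "POST /wp-json/wc/store/v1/cart/add-item HTTP/1.1" 201 950 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:55:09 +0000] "GET /wp-json/wc/store/v1/cart HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:55:12 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4410 "-" "FeedReader/2.0"
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /?rest_route=/wp/v2/users HTTP/1.1" 200 2210 "-" "curl/8.4.0"
192.0.2.55 - - [10/Oct/2024:13:56:02 +0000] "POST /wp-json/wc/v3/orders HTTP/1.1" 201 1320 "-" "ERP-Sync/1.4"
203.0.113.10 - - [10/Oct/2024:13:56:05 +0000] "POST /wp-json/contact-form-7/v1/contact-forms/12/feedback HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2024:13:56:07 +0000] "GET /shop/ HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
"""

# Constructed allowlist for this store (glob syntax assumed for the example).
ALLOWLIST = ["/wc/store/v1/*", "/wp/v2/posts", "/contact-form-7/v1/*"]


def parse_requests(log_text):
    """Yield (ip, minute, method, path) for every parseable line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            minute = m.group("ts").rsplit(":", 1)[0]  # e.g. 10/Oct/2024:13:55
            yield m.group("ip"), minute, m.group("method"), m.group("path")


def rest_route(path):
    """Normalise both REST URL forms to a route, or None for non-REST paths."""
    base, _, query = path.partition("?")
    if base == "/wp-json" or base.startswith("/wp-json/"):
        return base[len("/wp-json"):] or "/"
    if base in ("/", "/index.php"):
        for param in query.split("&"):
            key, _, value = param.partition("=")
            if key == "rest_route":
                return unquote(value)
    return None


def dry_run(log_text, allowlist):
    """Split observed REST traffic into what the allowlist keeps and what it would block."""
    allowed, blocked = Counter(), Counter()
    for _ip, _minute, method, path in parse_requests(log_text):
        route = rest_route(path)
        if route is None:
            continue
        if any(fnmatchcase(route, pattern) for pattern in allowlist):
            allowed[route] += 1
        else:
            blocked[(method, route)] += 1
    return allowed, blocked


def peak_requests_per_minute(log_text):
    """Busiest minute per client IP: the floor a rate limit must stay above."""
    per_minute = Counter((ip, minute) for ip, minute, _m, _p in parse_requests(log_text))
    peak = defaultdict(int)
    for (ip, _minute), n in per_minute.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


if __name__ == "__main__":
    allowed, blocked = dry_run(SAMPLE_LOG, ALLOWLIST)
    print("would stay allowed:", dict(allowed))
    print("would be blocked:  ", dict(blocked))
    print("peak req/min per IP:", peak_requests_per_minute(SAMPLE_LOG))
```

On the sample log the dry run flags two routes: `/wp/v2/users`, which the allowlist is meant to block, and `POST /wc/v3/orders` from the ERP integration, which it is not. The second finding is the reason to run this before enforcing: an integration that depends on a route you forgot shows up here as a line in a report rather than as a broken order feed. Run it over at least a full billing or publishing cycle of logs, then allow the routes you recognise one by one. The per-IP peak is only a floor for the rate limit; set the limit above the busiest legitimate client you see, not at the average.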
Not sure where to start?
Start with the hardening guide. It covers the settings that apply to every WordPress site and separates what is safe to enable immediately from what needs testing first.
Use this guide for security decisions. Use the docs for exact steps.
The security guide explains what to enable and what to test. The documentation explains where each setting is, what it controls, and how to troubleshoot it. Start with hardening in the guide, then open the relevant docs page when you need to understand a specific setting in detail.