WordPress Security Tips Every Developer Should Know
Manasseh Adina | Web Developer at Digital For Africa
As WordPress developers, we all want our clients’ websites to not only look amazing but also stay safe, fast, and reliable. And let’s face it — the last thing you want is a client calling you because their e-commerce site got hammered by bots, broken checkout flows, or worse, lost revenue.
Today, I’m sharing practical insights I recently learned about securing WordPress e-commerce sites using Wordfence, specifically rate limiting and firewall configurations. These WordPress security tips are actionable and will help you deliver stellar results that get clients talking—and referring you.
1. Enable Rate Limiting Without Killing Your Customers’ Experience
Rate limiting is your first line of defense against bad bots, scrapers, and brute-force attacks. But here’s the key: it must be balanced. You want protection without frustrating genuine users.
Recommended settings for an e-commerce site:
- Enable Rate Limiting and Advanced Blocking: ON ✅
- Google crawlers: Don’t limit verified bots → keeps your SEO safe.
- Humans & crawlers: Set throttle rules rather than full blocks to avoid cutting off legitimate traffic.
Throttle vs. Block:
- Throttle = slows requests down, allowing humans and bots to continue, just at a controlled pace.
- Block = completely stops access. Use sparingly for suspicious traffic.
Example:
- Humans exceeding 120 page views per minute → throttle.
- Crawlers exceeding 60 page views per minute → throttle.
- Humans hitting too many 404s → throttle at 15 per minute.
Tip: Monitor traffic for a few days and adjust thresholds if legitimate users get throttled.
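To make the thresholds above concrete, here is an added Python simulation (not Wordfence’s code) that applies the post’s limits, 120 page views per minute for humans, 60 for crawlers, 15 404s per minute for humans and no limit for verified search bots, to a constructed burst of traffic. The User-Agent classification and the verified_bot flag are assumptions; Wordfence does crawler verification itself.

```python
from collections import Counter, defaultdict, deque
WINDOW_SECONDS = 60
PAGE_LIMITS = {"human": 120, "crawler": 60}  # page views per minute, from the post
HUMAN_404_LIMIT = 15                          # 404s per minute for humans, from the post

def classify(user_agent):
    """Crude human/crawler split on the User-Agent string (assumption; Wordfence does more)."""
    ua = user_agent.lower()
    return "crawler" if any(k in ua for k in ("bot", "crawler", "spider")) else "human"

class Throttler:
    """Per-IP sliding-window counters; decide() returns 'allow' or 'throttle'."""
    def __init__(self):
        self.pages = defaultdict(deque)   # ip -> timestamps of page views
        self.errors = defaultdict(deque)  # ip -> timestamps of 404 responses

    @staticmethod
    def _record(window, now):
        # Drop timestamps older than the window, add this one, return events still in window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        window.append(now)
        return len(window)

    def decide(self, ip, user_agent, status, now, verified_bot=False):
        if verified_bot:  # verified search crawlers are never limited (keeps SEO safe)
            return "allow"
        kind = classify(user_agent)
        if self._record(self.pages[ip], now) > PAGE_LIMITS[kind]:
            return "throttle"
        if kind == "human" and status == 404:
            if self._record(self.errors[ip], now) > HUMAN_404_LIMIT:
                return "throttle"
        return "allow"

def throttled_per_ip(events):
    """events: (ip, user_agent, status, seconds, verified_bot) tuples, in time order per IP."""
    th = Throttler()
    return Counter(ev[0] for ev in events if th.decide(*ev) == "throttle")

def sample_events():
    """Constructed traffic (not a real log): each client's burst fits inside one 60 s window."""
    ev = []
    ev += [("10.0.0.1", "Mozilla/5.0", 200, i * 0.4, False) for i in range(130)]    # human, 130 views
    ev += [("10.0.0.2", "ExampleBot/1.0", 200, i * 0.5, False) for i in range(70)]  # crawler, 70 views
    ev += [("10.0.0.3", "Mozilla/5.0", 404, i * 2.0, False) for i in range(20)]     # human, 20 x 404
    ev += [("10.0.0.4", "Googlebot/2.1", 200, i * 0.1, True) for i in range(200)]   # verified Googlebot
    ev += [("10.0.0.5", "Googlebot/2.1", 200, i * 0.1, False) for i in range(70)]   # same UA, unverified
    return ev
```

Running throttled_per_ip(sample_events()) throttles the last 10 hits of the human burst, 10 of the crawler burst, the last 5 404s, and 10 hits of the unverified client claiming to be Googlebot, while the verified bot is never touched; that last pair is why the "verified" distinction matters.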
2. Don’t Forget the AI Crawlers
AI bots like ChatGPT, Claude, and Perplexity are becoming increasingly important. They crawl the web to provide insights, summaries, and even product info for users.
Wordfence allows you to whitelist these AI crawlers so they aren’t mistakenly throttled:
- GPTBot, ChatGPT-User
- ClaudeBot
- PerplexityBot
Also, make sure these crawlers are allowed in robots.txt to maximize visibility.
Pro Tip: Regularly check your firewall logs. New AI crawlers may appear, and adding them to the whitelist ensures they don’t get blocked.
3. Allowlist Smartly
Your allowlist ensures that critical URLs (like payment gateways or WooCommerce AJAX calls) aren’t blocked by the firewall.
Common URLs to allowlist:
Why: Payment gateways and AJAX calls are often flagged as suspicious because they make frequent, rapid requests. Allowlisting ensures checkout works flawlessly.
Tip: Avoid allowlisting entire site paths — only safe, essential URLs.
4. Learning Mode: Your Secret Weapon
Wordfence has a Learning Mode designed to observe normal site behavior without blocking anything.
- Pros:
  - Learns which URLs and requests are safe.
  - Automatically suggests allowlist entries.
  - Protects users without breaking checkout flows.
- Recommended approach:
  - Enable rate limiting.
  - Switch firewall to Learning Mode for 2–3 days.
  - Simulate browsing, cart, and checkout actions.
  - Switch to full protection once safe allowlist entries are identified.
Tip: This step is optional but highly recommended for WooCommerce stores to avoid frustrating real customers.
5. Monitor, Adjust, Repeat
Even after setting up your firewall and rate limiting, monitor logs regularly:
- Look for false positives.
- Adjust throttling thresholds.
- Keep AI crawlers and payment gateways functioning.
This not only protects your client’s site but also helps you fine-tune your configurations, turning security management into a value-added service that clients notice.
Final Thought
Securing an e-commerce site isn’t just about slapping on a plugin — it’s about understanding how traffic flows, who’s visiting your site, and how to protect without breaking user experience.
Implement these configurations, test them, and watch your clients’ sites become faster, safer, and more reliable — all while boosting your reputation as a WordPress developer who delivers results that matter.