I copy/pasted this from a buried thread… Here are my thoughts and how I tend to set it up on a site that’s fairly large (4,000 posts, 71,000 comments). Just my opinion, I am not associated with Wordfence and suggestions below are only intended to provoke thought and customization.
Also, I’m not a huge fan of fiddling around with scanning — it can be a real time waster and resource hog. It’s reactive and can never catch every possible exploit. Being proactive with defense and good redundant backups are much more important things to spend time on. For example, perhaps instead of devoting time to setting up Wordfence scanning, figure out if you could actually restore your entire stack from backups?
Scan public facing site for vulnerabilities? (Do this once a month, keep unchecked.)
Scan for the Heartbleed vulnerability? (Do once in your life, and run don’t walk from your ripoff ISP if you get a positive.)
Scan for publicly accessible configuration, backup, or log files. (Do twice a year.)
Scan for publicly accessible quarantined files. (Once in your life, if you get a positive fix the bad setup that’s letting this happen.)
Scan core files against repository versions for changes. (Keep checked.)
Scan theme files against repository versions for changes. (Once in a while, or never if you customize your own theme.)
Scan plugin files against repository versions for changes. (Uncheck, perhaps run once in a while if you don’t customize your plugins and every one is an exact match to repository.)
Scan wp-admin and wp-includes for files not bundled with WordPress (Takes minimal bandwidth, keep checked.)
Scan for signatures of known malicious files (Sure, why not? BUT, perhaps this references a huge list of sigs and uses significant bandwidth? Perhaps this is another one to run once a year.)
Scan file contents for backdoors, trojans and suspicious code (Run once a month, Sunday night.)
Scan posts for known dangerous URLs and suspicious content (If you’ve got very many posts, scan once a year, at night, then keep unchecked.)
Scan comments for known dangerous URLs and suspicious content (Probably never, unless you have a crazy bunch of comment threads. In that case, scan once a year, at night. And use an external scan service such as McAfee.)
Scan for out of date plugins, themes and WordPress versions (Keep unchecked, evaluate with human hands-on management.)
Scan for admin users created outside of WordPress (Unchecked, evaluate with human hands-on management.)
Check the strength of passwords (Useless if you know anything about passwords, keep unchecked.)
Monitor disk space (Use ISP for this, keep unchecked.)
Scan for unauthorized DNS changes (Uncheck.)
Scan files outside your WordPress installation (If your site has any mass at all, keep unchecked.)
Scan images, binary, and other files as if they were executable (Again, regarding mass, I’ve got something like 50,000 image files, yeah sure, we’re going to binary scan each one of those? I could pay another $50/month for the bandwidth to do so, but nope, I don’t think so.)
Enable HIGH SENSITIVITY scanning. May give false positives. (Keep unchecked.)
Use low resource scanning. Reduces server load by lengthening the scan duration. (CHECK)
MTN
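As an added example (not code from the post above, and not Wordfence's own), this is the kind of check behind the "Scan core files against repository versions" and "files not bundled with WordPress" options: hash every file the manifest lists, flag mismatches and gaps, and flag anything under wp-admin or wp-includes the manifest never mentions. It assumes the manifest shape published by api.wordpress.org/core/checksums/1.0/ ({"checksums": {path: md5}}); the manifest and install files it runs against are constructed in a temporary directory.

```python
# Added example (not Wordfence code): check a WordPress install against a
# checksum manifest. Assumes the {"checksums": {path: md5}} shape served by
# api.wordpress.org/core/checksums/1.0/; sample files below are constructed.
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content is user territory, not walked


def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_core(root, checksums):
    """Return modified, missing and unexpected core files, relative to root."""
    modified = [p for p in sorted(checksums)
                if os.path.isfile(os.path.join(root, p))
                and md5_of(os.path.join(root, p)) != checksums[p]]
    missing = [p for p in sorted(checksums) if not os.path.isfile(os.path.join(root, p))]
    unexpected = []  # files under wp-admin/wp-includes the manifest never lists
    for top in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, top)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in checksums:
                    unexpected.append(rel)
    return {"modified": modified, "missing": missing, "unexpected": sorted(unexpected)}


def demo():
    """Constructed install: one clean file, one altered, one missing, one dropped in."""
    clean, altered = b"<?php // clean\n", b"<?php // altered\n"
    manifest = {p: hashlib.md5(clean).hexdigest() for p in
                ("wp-includes/version.php", "wp-admin/admin.php", "wp-includes/pluggable.php")}
    files = {"wp-includes/version.php": clean,   # matches manifest
             "wp-admin/admin.php": altered,      # checksum mismatch
             "wp-includes/extra.php": altered}   # not in manifest; pluggable.php left missing
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return verify_core(root, manifest)
```

Pointed at a real install with the real manifest for its version, `verify_core` does the same three-way comparison; anything in "unexpected" is what the bundled-files option is meant to surface.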