This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Falcon Cache

From Wordfence Documentation
Jump to: navigation, search
Support for the Falcon and Basic cache has been removed in version 6.2.8. If you previously used Falcon or Basic caching, we recommend choosing another caching plugin that works for your site, alongside Wordfence for security -- most caching plugins work well with Wordfence. If enabled, caching will be disabled automatically in version 6.2.8.

Since Falcon cache was open source, another developer has "forked" the code, essentially making a separate plugin with nearly the same functionality. While this plugin is not affiliated with Wordfence, Vendi cache is based on Falcon's original code and may work well if your site previously used Falcon:

More details on discontinuing the caching feature in Wordfence are available on our blog:

Falcon cache is a very fast server-side caching system by Wordfence. We offer two modes of operation: Basic Caching and "Falcon Engine". In both modes of operation the cached pages are generated in the same way. The difference is in the way pages are served up.

In basic caching mode, pages are served by WordPress and PHP which is compatible with more environments but offers only a 2 or three times performance improvement.

Using "Falcon engine" mode, pages are served directly from your web server without executing any PHP at all, which is incredibly fast. We've seen performance improvements of 40 to 50 times. Web servers using this configuration have gone from being able to handle 20 requests per second to over 800 requests per second.

Why we created Falcon

Many attacks on the web are denial of service attacks (DoS) or distributed denial of service attacks (DDoS) designed to overwhelm your web server. By giving you a way to boost your server performance by over 40 times we give you a way to weather the most serious DDoS attack and continue serving content to your customers.

If your web server can only handle 20 requests per second and you get 40 requests per second, you have effectively been DoS'd. But if you can handle 800 requests per second, your server keeps on doing its job without breaking stride.

Do I have to use Falcon Engine or Wordfence caching? Can I use another cache? Do I even need a cache?

Please note, Falcon is provided as a very fast server cache to give you a way to boost site performance if you need it. You are not required to enable it if you are using Wordfence.

Most web servers that are not under attack do not need a caching system at all. Your site will still be fast, you will still rank high in Google's search results and your visitors will still find a responsive website. You don't need to squeeze every ounce of speed out of your site to impress visitors or Google unless your web server is under severe load or your hosting provider has sold you a slow or overloaded server, which is unusual. WordPress on a well configured web server with PHP and MySQL performs quite well.

If you choose to use another caching engine, plugin or cloud service, Wordfence will work just fine. However please note that some of our blocking features that block access to static content like country blocking, IP blocking and IP throttling may not work correctly because instead of blocking a malicious IP, they will be able to view your content as it is served from the cache. With Falcon Engine we have endeavored to provide a balance between security and performance, so when you enable Falcon we disable features that don't work reliably in a cached environment, make it clear what has been disabled and ensure that other essential security features are still operational.

Caching Modes

No performance improvement

In this mode all Wordfence caching is completely disabled. If you are using any other caching system, whether it is a plugin or a cloud service, enable this mode in Wordfence to ensure there is no conflict or items aren't cached twice. This is the default mode and is selected when you first install Wordfence.

Basic Caching

In this mode, when a page is generated, Wordfence stores a copy on disk. Then if another request comes in for the same URL - and if that request fulfills our requirements for being able to receive a cached page, then we serve up the page that is stored on disk. The file stored on disk is served by WordPress and PHP. This means that the second request that gets a cached page does execute PHP code, but because it doesn't have to generate the content, it is much faster, typically 2 to 3 times faster, effectively doubling or tripling your server speed.

We recommend users who have trouble enabling Falcon Engine should use basic caching instead because it does not require any modifications to your .htaccess configuration file and is compatible with a wide range of environments.

Falcon Engine

As with basic caching, Falcon will store a copy of a page on disk the first time that page is requested. When the next request arrives, if it fulfills the requirements for a request that can receive a cached page, then Falcon tells your web server to serve that page directly to the visitor. No PHP is executed and no database requests are generated.

Falcon also uses a directory structure to store its cached pages that is more efficient than other caching plugins for WordPress. This generates less disk accesses which makes Falcon faster than other plugins we've tested.

Internally Falcon actually stores two copies of each web page on disk when a page is accessed for the first time. The first copy is uncompressed and the second copy is compressed using the "deflate" algorithm. When Falcon receives a request for a page, it checks if the web browser making the request can accept compressed content and if it can, it sends the compressed version of the page it stored to the browser. This further speeds up your website by saving your web server from having to recompress pages that are cached.

Falcon operates by modifying your .htaccess configuration file and using mod_rewrite rules to perform its caching function. When a request arrives, the rules in .htaccess will check if a cached version of a page exists, check if the visitor web browser can handle compressed content and if a cached page exists and all other conditions are fulfilled, the web server will serve the cached page directly to the browser.

When Falcon is enabled, any IP blocking that Wordfence does is implemented by adding IP blocking rules in .htaccess. Normally Wordfence will block IP addresses when WordPress and its PHP code is executed by doing a database lookup and checking if the IP making the request is on a blocked list. With Falcon enabled we block IP's in your .htaccess file which also saves any PHP from executing and database queries from occurring.

When you enable Falcon, we give you a link to click that lets you download the current version of your .htaccess file. We do this because we are about to make changes to that file. You can NOT ENABLE FALCON until you click the link to download this file.

Cache Options

Allow SSL pages to be cached

This option is disabled by default. When a page is cached by Wordfence basic caching or Falcon, a copy of the page we served one of your visitors is stored on disk. Then if another visitor hits the same web page, we serve up the copy that we stored. If the page the first visitor saw contains any sensitive information, then the second visitor will see that information.

So when it comes to page caching, it's important that the pages you are caching do not contain information that other visitors must not see.

On SSL websites, the website is using a secure connection between the site visitor and the website itself. This is done to ensure that no one can see any of the sensitive information that the visitor is sending the website or that the website is showing the visitor. So Wordfence is very careful when it comes to caching SSL pages and you need to think carefully about whether this is something you should enable.

To decide whether you should enable caching of SSL pages, ask yourself this question: Is it OK to take all the information in the SSL pages you are caching and publish that information on the front page of the New York Times? If the answer is yes, then it's OK to enable this option.

Add hidden debugging data to the bottom of HTML source of cached pages

When you enable this option we insert an HTML comment in the page footer of your HTML source for each page that Wordfence caches. The comment looks like the following:

<!-- Cached by Wordfence Falcon Engine. Time created on server: 2014-11-10 20:53:24 UTC. 
Is HTTPS page: no. Page size: 12810 bytes. Host: 
Request URI: /2014/10/17/testing-one/  Encoding: GZEncode -->

We have split the comment above into multiple lines for readability but the comment above will appear as a single line at the bottom of your site HTML source.

As you can see it contains some useful information including the time the page was generated, if it's an SSL page (HTTPS), the page size, the requested URI path and if the page is compressed using GZEncode.

Most of the time you won't actually care about any of this information when you're using this feature to insert a comment into page footers. What you are really looking for is whether this comment appears at all. Because if you see this comment in the bottom of your HTML source you know you're looking at a page that was cached and served by Wordfence. So you know that Wordfence caching is working. That is the most useful aspect of this feature: You can use it to verify if Wordfence caching is working.

Clear cache when a scheduled post is published

Some of our customers publish posts using the WordPress scheduling system. They requested a feature that clears the Wordfence cache when a scheduled post is published. This ensures that if links to the post need to appear in the sidebar of the site or on the home page, by clearing the cache when the post is published your site pages are regenerated and the links to your new post will appear.

If you are using scheduled posting we encourage you to enable this feature.

Cache Management

Clearing the cache

By clicking the "clear the cache" button you clear the entire Wordfence cache. This will delete all files on disk belonging to the Wordfence cache. You will see a message that looks like this which contains some useful statistics:

A total of 42 files were deleted and 12 directories were removed. We cleared a total of 3202KB of data in the cache.

When you clear the cache, if you have the feature to add an HTML comment into your page footers enabled (described above) when you visit your site as a non-logged in visitor, if you view your HTML source immediately after cache clearing you'll see that comment in your HTML footer is not there. Then if you refresh the page, you should see that footer appear because you are now seeing the cached version of your web page.

Events that cause the Falcon Cache to auto-clear

The following events will cause Falcon to automatically clear the cache:

If you are logged into WordPress or have been previously logged into WordPress and

  • You publish a post, then the cache for that post will be cleared.
  • You publish a new page, then the cache for that page will be cleared.

If you are logged into WordPress or were previously logged in and one of the following events/actions occurs, then the entire cache is cleaned:

  • If the clean_object_term_cache action executes. This fires after the object term cache has been cleaned.
  • If the clean_post_cache action is called.
  • If the clean_term_cache action is called.
  • If the clean_page_cache action is called.
  • If the after_switch_theme action is called after you change themes.
  • If the customize_save_after action is called.
  • If the activated_plugin action is called after you activate a new plugin.
  • If the deactivated_plugin action is called after you deactivate a plugin.
  • If the update_option_sidebars_widgets after you update your sidebar widgets.
  • If you send a POST request to the /wp-admin/options.php URL.
  • If you send a POST request to the /wp-admin/options-permalink.php URL

Whether or not you were logged in the cache will clear:

  • If a comment is posted the whole page cache is cleared.

Note that Wordfence does not clear your page cache as part of the current HTTP request when one of these events fires. Instead it 'schedules' a cache clear to run immediately, sends another HTTP request to your site and then returns data to your site visitor or logged in user. That way your user's don't have to wait for the cache clear to run before they get their response back from the server. Users are immediately sent a response and then the cache clear runs in the background as a separate request keeping your site responsive.

Auto scheduling a cache clear

What if you want to be able to clear the cache every day at some certain time? Or by hitting a URL? If this is what you would like to do a simple script, called by cron should do the trick.

include 'wp-load.php';

Get Cache Stats

When you click this button you will see data that looks similar to the following:

Cache Stats

Total files in cache: 22
Total directories in cache: 8
Total data: 1729KB
Largest file: 13KB
Oldest file in cache created 10 minutes ago
Newest file in cache created 5 seconds ago

This option is very helpful in debugging the Wordfence cache. You can use it to determine if pages are being stored at all on your site, how large your cache is growing, how old the oldest file in the cache is and so on.

Cache Exclusions

This option gives you a way to prevent certain pages from being cached. You can also tell Wordfence to not serve cached pages if a visitor browser (also called a user-agent) matches a certain pattern or if that visitor has a cookie that matches a pattern.

Note that all cache exclusions, whether they are URLs, cookies or user-agent patterns are case insensitive. That means we will match the pattern whether it's upper-case or lower-case or a mix.

To use this option, select which kind of exclusion you want from the drop down list on the left. Then enter a value in the text box and hit the "Add exclusion" button. Once you hit "add exclusion" it will appear in the list of exclusions below. To remove the exclusion, click the "remove exclusion" link next to the item in the list and it will immediately be removed.

When changing exclusions, we recommend you click the "clear cache" button immediately after adding all your exclusions to ensure that existing cached pages are cleared.

URL starts with

If you have an entire section of your website you want to exclude from caching, use this option. For example, if you have an area on your website where every URL starts with "/shopping-cart/" and you don't want anything in that area to be cached by Wordfence, select "URL starts with" and enter "/shopping-cart/" without quotes in the text box. Then click the add-exclusion button and anything in that area won't be cached.

URL ends with

If you have several URLs that all have a similar ending and you don't want them to be cached, you can use this option. For example, lets say you have the following list of URLs:


If you want to exclude all these pages from the cache, you can select the "URL ends with" option and enter "dynamic/" without quotes in the text box and hit add-exclusion. Now none of the pages above will be cached.

URL contains

To prevent URLs that contain certain text from being cached you can use this option. For example if you have URLs that look like this:


If you want to exclude these pages and any other pages that contain the word "product" then simply select "URL contains" and enter "product" without quotes into the text box. Hit add-exclusion and the pages above will never be cached.

URL exactly matches

To exclude a specific page, use this option. For example you can enter "/never-cache-this-page/" in the text box with this option selected if you have a page with that URL that you don't want cached.

User-agent contains

This is a very useful option if you want certain web browsers to not receive cached pages. For example if you want to exclude all Android browsers and all iPhone and iPad browsers, just create three separate rules containing the text 'iphone', 'ipad' and 'android' without quotes and you will exclude those browsers. You can find a list of mobile browsers on this external link and more info on Apple mobile browsers at this external link.

User-agent exactly matches

If you want to exclude a specific web browser that exactly matches a pattern you can use this option. Most customers won't want to use this option unless they are excluding a known user-agent, for example a website monitoring system that sends a user-agent that you don't want to serve cached data to.

Cookie name contains

This option is useful if you want to exclude users that have taken certain actions on your site. By default Wordfence already excludes logged-in visitors, visitors who were logged in but are now logged out and visitors who have posted a comment from any caching.

However if you have a shopping cart system, for example, and you want to exclude visitors who have just purchased something and your shopping cart sets a cookie with the name 'buyer', then you can use this option. Just enter the text 'buyer' without quotes into the text box, select the "cookie name contains" option and add the exclusion. Now any visitor that has the cookie called 'buyer' set will be not be served cached pages, no matter what the value of the cookie is.


That concludes this introduction to Falcon Cache.


If you turn our caching on and see results like the image below, turn off whatever other caching you have on.
Falcon caching error.jpg
It might be that your theme has caching bundled with it, or that your hosting provider is doing it for you. We never recommend using more than one caching program at a time because of the weird things, like this, that can happen.