Plugins that might have issues and solutions to them
NOTE : This is by no means a complete list. On occasion some plugins may have an unforeseen issue because of the way they were written. This page is to document issues with plugins and what the fixes were.
Acunetix WP Security If you use our two factor authentication (also referred to as cell phone authentication), this plugin will likely cause problems. Acunetix WP Security, also know as WP Security Scan, prevents the status messages we send to the login page from being displayed. The authentication still works as normal, but the status messages might make it really confusing to anyone who wasn't aware of this. (Thanks to RandomQ for reporting this!)
Acunetix Secure WordPress This plugin changes the $wp_version variable, that is part of WordPress. This can cause strange results from the "see how file changed" option in Wordfence scans, and may cause issues with other plugins that rely on the WordPress version as well. (Last updated Oct 2014.)
Adminimize This plugin hides the wordfence menu, along with others like the plugins menu on the left side navigation of your admin area. The only way we found to view these two pages was to click on the adminimize menu and then wordfence or plugins. There is no reason we could find for this behavior.
AGP Font Awesome Collection Version 2.8.1 This plugin has been known to render buttons unclickable
AskApache Password Protect has been reported to interfere with Wordfence.
BackupBuddy Backups may fail to include files located in wp-content/wflogs (and wp-content/wordfence/tmp if you are using a very old version of Wordfence) if files in those folders are being written to while the backup is running. This issue is rare but if you do encounter it, please exclude those folders from your BackupBuddy backup.
BP Profile as Homepage It has been reported by user Stefan D that this prevents the links to show file differences or the current file in scan results from displaying and instead sends the user back to their profile page.
Comet Cache A user reported that when automatically building it's cache Comet Cache can be seen as an attacker by Wordfence. This causes the requests to be blocked which slows down the creation of cached files. This can be fixed by whitelisting the servers own IP.
Contact Form Advanced Database Using this plugin will throw pop up warnings in the admin area that say this (or similar):
DataTables warning: table id=wfIssuesTable_new - Requested unknown parameter '0' for row 0, column 0. For more information about this error, please see http://datatables.net/tn/4
DataTables warning: table id=wfIssuesTable_ignored - Requested unknown parameter '0' for row 0, column 0. For more information about this error, please see http://datatables.net/tn/4
This is not an indication of a problem in wordfence.
Cool Cast Player This plugin can cause the Wordpress admin screen to keep telling you that the browser has sent an invalid security token.
Divi Builder may cause Wordfence to run slowly. Thanks to Chusman for the report.
Duplicator Duplicator throws a warning for table names that use camel case. This warning can normally be ignored. However, if migrating from Windows to Linux and then back to Windows again, you may have issues with duplicate tables. Wordfence is not officially supported on Windows so we recommend to develop on Linux type systems if you want to develop with Wordfence.
FormCraft Premium - ONLY VERSIONS EARLIER THAN 3.2.29 Earlier versions of this plugin display errors in some server configurations that can't be turned off, even though error reporting is. The errors that it displays interrupt the scan process and cause the scans to fail. We did some research over here now and this error appears to be occurring in a few plugins that use the same library (Parsedown). The reason is that this particular version of the Parsedown library, that Formcraft used to use, is not compatible with PHP 7. If you check this link you'll see another plugin, plugin-update-checker, that was suffering from the same issue. It was fixed by changing some parts of Parsedown which were not compatible with PHP 7. Formcraft has fixed this problem by updating the Parsedown library to a more recent version. We are recommending that you switch update formcraft to the latest version if you are using premium. Formcraft free does not have this library included so it shouldn't be affected.
Google Captcha (reCAPTCHA) by BestWebSoft changes WordPress's error codes for failed login attempts, which prevents the Wordfence option "Immediately block the IP of users who try to sign in as these usernames" from identifying invalid users. Additional login security options may be affected as well. Thanks to DareDevil73 for the report!
- A customer, André Marhaun reported in that there is a setting in this plugin that must be checked. The setting is called "Check this box if you use a plugin that uses admin-ajax.php". Make sure this is checked. You shouldn't ever block the ajax handler for WordPress for any reason.
- (Not sure this is a problem anymore but we haven't heard further problems relating to it.) Any plugin that uses the GeoIP library or provides geo blocking or geo detection features may have a problem with Wordfence. This includes the plugin “iq-block-country” which can’t run alongside Wordfence.
KutethemeToolkit This plugin breaks Live Traffic
Limit Login Attempts If you are running the Limit Login Attempts plugin and are using our Two Factor Authentication, the first login (username and password only) that sends our code is counted against the total that the Limit Login Attempts plugin uses to determine if you will be locked out. This should be addressed in the next Wordfence release. Please also be aware that the Limit Login Attempts plugin is unsupported, hasn't been updated since 2012, and isn't even listed as compatible with any Wordpress version past 3.3.2. As always, Wordfence would like to remind you that using outdated, unsupported plugins is not recommended and puts your site at risk.
Memcached Redux / object-cache.php This plugin is over 2 years unsupported and breaks functionality in live traffic.
Paid Membership Pro The symptom:
You try to move your login pages behind ssl. You change wp-config.php by adding
Wordfence works more or less but any pages it creates, like the pages that show the differences between changed and original files, or system specifications by clicking the link at the bottom of the options page, show as blank pages or with a 404 not found http error. PaidMembershipsPro is the cause because it applies its own logic to force pages to be SSL or not, and in the case of Wordfence reports and some other things PMPro gets it wrong.
Postmatic can work well with Wordfence, but Wordfence's option "Hold anonymous comments using member emails for moderation" will prevent comments from being processed when they come in by email, since the user sending the comment cannot be verified. We recommend disabling this option if using Postmatic.
Query Monitor It was reported by our friend, John M, that this plugin can cause out of memory errors in Wordfence scans. It is recommended to deactivate this plugin during these scans if you have issues.
qTranslate X Scans can fail when the plugin "qTranslate X" is installed. The qTranslate X plugin appends a query string to the root of the WordPress URL. When Wordfence tries to construct a scan URL based on what the sites URL is, the result is an invalid URL consisting of two query strings (/?lang=en?action=wordfence_testAjax). Because this URL is not valid, scans will not be able to start. On the Wordfence Diagnostics page you will see a "fail" for the "wp_remote_post() test back to this server" check. The response code on this check will be "200 OK" but the check will fail because the invalid URL will fail to serve a WFSCANTESTOK value in the response body.
RetsPro (WPRealty) This plugin has been reported to make certain aspects of our plugin 'unclickable'.
shoutout to HMSRE for finding this one!
Restricted Site Access Is reported to cause issues with initial configuration
SI CAPTCHA Anti-Spam This plugin forces itself to run before anything else loads on the login page meaning that logins are not blocked and emails alerts for them are not sent. Thanks to Premium customer Richard D. for reporting this
Simple Cache As of April 2017 we have reports that Simple Cache can cache the Wordfence block pages. A review of the source code indicates that Simple Cache caches everything that is not a WordPress search, 404 or a password protected post. This means that error, maintenance, block pages etc. can end up getting cached and be served to all visitors on a website.
Stop Spammers Spam Prevention This plugin's option "Check credentials on all login attempts" may cause Wordfence's Cellphone Sign-In option to be counted as failed logins, when the user's password is very long. If Wordfence's "Lock out after how many login failures" options is set below 5, it may cause lockouts even with a valid password. Disabling the option, or adjusting Wordfence's lockout setting will prevent the problem. Thanks to Premium user Russel for reporting the issue
Swift Security Bundle This plugin breaks scanning and many other features. It might have adverse effects on other plugin that make ajax calls as well.
Tribulant Newsletters This plugin may make Wordfence's caching page 'unclickable'. Temporarily disabling the plugin to make changes to the Wordfence settings is reported to work.
Thanks to IsItCoffeeYet for the report!
uPricing - Pricing Table for Wordpress
This plugin, which hasn't been updated since 2012, breaks Wordfence scanning.
1. Older versions of W3TC are not compatible with the first release of WordPress 4.7. If you are using an older version of either WordPress, W3TC or Wordfence, you may have issues where the Wordfence block page will get cached and served to all visitors to the site.
2. We found that using the database cache function caused scans to fail. The error looked like this:
opendir(/directory/directory/wp-content/cache/db/000000/comments/): failed to open dir: No such file or directory (2) File: /directory/directory/wp-content/plugins/w3-total-cache/inc/functions/file.php Line: 82
Note : obviously the /directory/directory/ is the path to your web folders on the server and will be different
We recommend turning off database caching at the very least when scanning.
WPML Multilingual CMS - This is a multi language paid plugin. When using it if you set the option in settings > Language URL format to use different languages in directories, check the box for 'use directory for default language', and specify the directory (eg /en/) it will add /en/ to any path called including www.domain.com/wp-admin/admin-ajax.php
WP-Rocket - We have not had any recent reports of issues with WP-Rocket. We did at some time in the past have a few reports that WP-Rocket runs better with Wordfence Live Traffic turned off. If you are having performance issues with WP-Rocket, we suggest turning Wordfence Live Traffic off and see if there is an improvement.
WP Backup Bank Pro - This plugin will cause scan results not to display. We recommend turning it off when performing scans or viewing results.
XYZ WP Contact Form uses the same Geo IP as Wordfence, so country blocking in Wordfence cannot work correctly if this plugin is also installed.