This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Web Application Firewall FAQ

From Wordfence Documentation
Revision as of 22:52, 14 April 2016 by WFMattr (Talk | contribs)

Jump to: navigation, search

General Information

What is the Wordfence Web Application Firewall?

Setup and Maintenance

How do I set up the Web Application Firewall?

Can I dismiss the notice with the "Click to configure" button, if I don't want to set up the firewall right now?

  • The notice can be dismissed by clicking the Dismiss button. If you want to enable Extended Protection in the future, you can enable it on the Firewall page.

What can I do if an action is blocked when it should not be?

  • When you are logged in as an admin, you are given a choice to whitelist any action where you are blocked. If you are not logged in at the time, you can either whitelist items from the Live Traffic page, or by enabling Learning Mode temporarily, completing the actions, and re-enabling the firewall. More information on whitelisting and Learning Mode are available on the Web Application Firewall page.

What is Learning Mode, and how do I use it?

Why do I get a message that says "The changes have not yet taken effect" after following the setup steps?

  • In most cases, this means that your host caches certain PHP settings files. If you see this message for more than 5 minutes or continue to see the setup button at the top of your admin pages more than 5 minutes after completing the setup process, see the Web Application Firewall Setup page.

How can I hide .user.ini if my server runs NGINX?

The .user.ini file that Wordfence creates can contain sensitive information and public access to it should be restricted. To do this, you'll need to append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
    deny all;

If you have your WordPress installation in a subdirectory, you can should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
    deny all;