This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Web Application Firewall FAQ

From Wordfence Documentation
Revision as of 14:44, 15 April 2016 by WFMattr (Talk | contribs)

General Information

What is the Wordfence Web Application Firewall?

Setup and Maintenance

How do I set up the Web Application Firewall?

Can I dismiss the notice with the "Click to configure" button, if I don't want to set up the firewall right now?

  • The notice can be dismissed by clicking the Dismiss button. If you want to enable Extended Protection in the future, you can enable it on the Firewall page.

What can I do if an action is blocked when it should not be?

  • When you are logged in as an admin, you are given a choice to whitelist any action where you are blocked. If you are not logged in at the time, you can either whitelist items from the Live Traffic page, or enable Learning Mode temporarily, complete the actions, and re-enable the firewall. More information on whitelisting and Learning Mode is available on the Web Application Firewall page.

What is Learning Mode, and how do I use it?

Why do I get a message that says "The changes have not yet taken effect" after following the setup steps?

  • In most cases, this means that your host caches certain PHP settings files. If you see this message for more than 5 minutes or continue to see the setup button at the top of your admin pages more than 5 minutes after completing the setup process, see the Web Application Firewall Setup page.

How can I hide .user.ini if my server runs NGINX?

The .user.ini file that Wordfence creates can contain sensitive information and public access to it should be restricted. To do this, you'll need to append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
    deny all;
}

If you have your WordPress installation in a subdirectory, you should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
    deny all;
}

Disabling the firewall

How can I disable the firewall?

  • On the Firewall page on the Wordfence menu, set the Firewall Status to "Disabled" and click the Save button.

How can I disable the firewall if I have technical problems and cannot update settings?

  • To disable the firewall, this constant can be set:
define('WFWAF_ENABLED', false);
  • If you have Basic WordPress Protection enabled, you can add this code to your wp-config.php file, just below the line about "WP_DEBUG".
  • If you have Extended Protection enabled, the code should be added in wordfence-waf.php, before the line that begins with "if".

Uninstalling the firewall files

How can I remove the firewall files and other code installed during the setup process?

  • You can remove the firewall setup files and related code by enabling "Delete Wordfence tables and data on deactivation" near the bottom of the Wordfence options page, and then deactivating Wordfence.
  • This will reset Wordfence's options entirely. If you want to save your other settings, you can use the Export option at the bottom of the Wordfence options page, and import the settings again afterward.

How can I remove the firewall setup manually?

  • Depending on your server's setup, you may have changes in the files .htaccess, .user.ini, and php.ini, all in the site's main directory.
  • Wordfence surrounds its code with comments "Wordfence WAF" and "END Wordfence WAF" in the files it modifies. You can remove the code between these comments in these files:
    • .htaccess code varies by server configuration, but is surrounded by the comments mentioned above
    • .user.ini is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
    • php.ini is only used on some server configurations, and would have a single line beginning with "auto_prepend_file"
  • The file wordfence-waf.php in the site's root folder can be removed after the files above are updated.
  • Important: If your host uses .user.ini or a PHP cache, the changes can take 5 minutes or so to go into effect. You may see white screens or error messages during this period.
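
The manual cleanup described above, as an added example that is not Wordfence's own code: it removes the block between the "Wordfence WAF" and "END Wordfence WAF" comments, refuses to touch a file whose markers are unbalanced, and reports which files still reference the firewall so that wordfence-waf.php is deleted only once they are clean. The "#" and ";" comment prefixes, the function names, and the sample file contents are assumptions constructed for illustration.

```python
import re

# Assumption: each marker sits on its own comment line, prefixed with "#"
# (.htaccess) or ";" (.user.ini); the page gives only the marker text.
BEGIN = re.compile(r"^\s*[#;]\s*Wordfence WAF\s*$")
END = re.compile(r"^\s*[#;]\s*END Wordfence WAF\s*$")
PREPEND = re.compile(r"^\s*auto_prepend_file\b")


def strip_waf_block(text):
    """Return (cleaned_text, removed_lines). Raise ValueError on unbalanced
    markers so a half-edited file is never written back."""
    kept, removed, inside = [], [], False
    for line in text.splitlines(keepends=True):
        if BEGIN.match(line):
            if inside:
                raise ValueError("second opening marker before END")
            inside = True
        elif END.match(line):
            if not inside:
                raise ValueError("END marker without an opening marker")
            inside = False
            removed.append(line)
            continue
        (removed if inside else kept).append(line)
    if inside:
        raise ValueError("opening marker without END")
    return "".join(kept), removed


def leftover_references(files):
    """Names of files (hypothetical dict: name -> text) that still hold a WAF
    marker or an auto_prepend_file line; wordfence-waf.php should stay in
    place until this list is empty."""
    return sorted(
        name for name, text in files.items()
        if any(BEGIN.match(l) or END.match(l) or PREPEND.match(l)
               for l in text.splitlines())
    )


# Constructed sample .htaccess (path is a placeholder, not from the page).
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n"
    "# Wordfence WAF\n"
    "php_value auto_prepend_file '/path/to/site/wordfence-waf.php'\n"
    "# END Wordfence WAF\n"
)
# Constructed sample php.ini with the single line the page describes.
SAMPLE_PHP_INI = "auto_prepend_file = '/path/to/site/wordfence-waf.php'\n"
```

Keep a backup copy of each file before writing the cleaned text back, and allow for the caching delay noted above before removing wordfence-waf.php.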