This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Web Application Firewall FAQ

From Wordfence Documentation
Revision as of 20:59, 21 June 2016 by WFMattr (Talk | contribs)


General Information

What is the Wordfence Web Application Firewall?

Setup and Maintenance

How do I set up the Web Application Firewall?

Can I dismiss the notice with the "Click to configure" button, if I don't want to set up the firewall right now?

  • The notice can be dismissed by clicking the Dismiss button. If you want to enable Extended Protection in the future, you can enable it on the Firewall page.

What can I do if an action is blocked when it should not be?

  • Visits blocked by the firewall will display "403 Forbidden" and "A potentially unsafe operation has been detected in your request to this site". When you are logged in as an admin, you are given a choice to whitelist any action where you are blocked. If you are not logged in at the time, you can whitelist items either from the Live Traffic page or by enabling Learning Mode temporarily, completing the actions, and re-enabling the firewall. More information on whitelisting and Learning Mode is available on the Web Application Firewall page.
  • Background requests sent from your browser may show a message that says "Background Request Blocked" if they are blocked by the firewall. These messages are only displayed for the site's admin, and they can be whitelisted by clicking the Whitelist button in the message, if you know that they are safe. More information about blocked background requests is available here.

What is Learning Mode, and how do I use it?

How do I fix the error about being unable to write to ~wp-content/wflogs/ ?

Why do I get a message that says "The changes have not yet taken effect" after following the setup steps?

  • First, check your PHP version on the Diagnostics page, on the Wordfence menu. PHP 5.2 cannot load the .user.ini required for automated setup on CGI/FastCGI configurations. Some hosts let you choose a newer PHP version in your control panel. For other hosts, you may have to submit a support request to the host.
  • In most cases, this means that your host caches certain PHP settings files. If you see this message for more than 5 minutes or continue to see the setup button at the top of your admin pages more than 5 minutes after completing the setup process, see the Web Application Firewall Setup page.

How can I hide .user.ini if my server runs NGINX?

The .user.ini file that Wordfence creates can contain sensitive information and public access to it should be restricted. To do this, you'll need to append the following directives to the server context of your nginx.conf file:

location ~ ^/\.user\.ini {
    deny all;
}

If your WordPress installation is in a subdirectory, you should add the path portion of the URL to the pattern:

location ~ ^/wordpress/\.user\.ini {
    deny all;
}

Disabling the firewall

How can I disable the firewall?

  • On the Firewall page on the Wordfence menu, set the Firewall Status to "Disabled" and click the Save button.

How can I disable the firewall if I have technical problems and cannot update settings?

  • To disable the firewall, this constant can be set:
define('WFWAF_ENABLED', false);
  • If you have Basic WordPress Protection enabled, you can add this code to your wp-config.php file, just below the line about "WP_DEBUG".
  • If you have Extended Protection enabled, the code should be added in wordfence-waf.php, before the line that begins with "if".

Uninstalling the firewall files

How can I remove the firewall files and other code installed during the setup process?

  • Near the bottom of the Firewall page, click the button that says Remove Extended Protection. This will prompt you to save backups of relevant files and then will remove the Wordfence firewall portions of those files automatically. Depending on your server's configuration, it may ask you to wait 5 minutes for a specific type of cache to expire on your server.
  • Alternatively, you can remove the firewall setup files and related code by enabling "Delete Wordfence tables and data on deactivation" near the bottom of the Wordfence options page, and then deactivating Wordfence. This method will reset Wordfence's options entirely, since it removes all Wordfence tables and data.

How can I remove the firewall setup manually?

  • Depending on your server's setup, you may have changes in the files .htaccess, .user.ini, and php.ini, all in the site's main directory.
  • Wordfence surrounds its code with comments "Wordfence WAF" and "END Wordfence WAF" in the files it modifies. You can remove the code between these comments in these files:
    • .htaccess code varies by server configuration, but is surrounded by the comments mentioned above
    • .user.ini is only used on some server configurations, but if it exists, Wordfence code is surrounded by the comments mentioned above
    • php.ini is only used on some server configurations, and would have a single line beginning with "auto_prepend_file"
  • The file wordfence-waf.php in the site's root folder can be removed after the files above are updated.
  • Important: If your host uses .user.ini or a PHP cache, the changes can take 5 minutes or so to go into effect. You may see white screens or error messages during this period.
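
The marker-delimited removal described above, as an added shell example (not Wordfence's own code). It assumes the markers are whole-line comments starting with # or ; and uses a constructed sample .htaccess; the php.ini line and wordfence-waf.php are left to be removed by hand.

```shell
#!/bin/sh
# Added example. Assumption: the markers are whole-line comments ("#" in
# .htaccess, ";" in .user.ini) reading "Wordfence WAF" / "END Wordfence WAF".

strip_wordfence_block() {
    file=$1
    [ -f "$file" ] || { echo "skip: $file not found" >&2; return 2; }
    tmp=$(mktemp) || return 1
    rc=0
    # awk exits 3 unless every opening marker is closed by its END marker,
    # so a damaged file never loses everything below a stray marker.
    awk '
        /^[ \t]*[#;][ \t]*END Wordfence WAF[ \t\r]*$/ {
            if (!inblock) bad = 1
            inblock = 0; seen = 1; next
        }
        /^[ \t]*[#;][ \t]*Wordfence WAF[ \t\r]*$/ {
            if (inblock) bad = 1
            inblock = 1; next
        }
        !inblock { print }
        END { if (bad || inblock || !seen) exit 3 }
    ' "$file" > "$tmp" || rc=$?
    if [ "$rc" -ne 0 ]; then
        rm -f "$tmp"
        echo "unchanged: $file (markers missing or unbalanced)" >&2
        return 3
    fi
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    if cp -p "$file" "$file.bak" && cat "$tmp" > "$file"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

make_sample() {   # constructed sample .htaccess, not taken from a real site
    cat > "$1" <<'EOF'
# BEGIN WordPress
RewriteEngine On
# END WordPress
# Wordfence WAF
php_value auto_prepend_file '/var/www/html/wordfence-waf.php'
# END Wordfence WAF
EOF
}

# Usage: sh strip-wf.sh .htaccess .user.ini
for f in "$@"; do
    strip_wordfence_block "$f" || echo "edit $f by hand" >&2
done
```

A file is rewritten only when a complete marker pair is found, and the original is kept beside it with a .bak suffix.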