This documentation is only valid for older versions of Wordfence. If you are using Wordfence 7 or later, please visit our new documentation.

Wordfence constants for advanced configuration

From Wordfence Documentation
Revision as of 14:39, 12 December 2016 by WFMattr (Talk | contribs)

Jump to: navigation, search

Wordfence has many options that can be set within the WordPress admin pages, but there are some additional options that are not often needed. These can be set in wp-config.php before the line that says /* That's all, stop editing! Happy blogging. */, or in some cases, in the wordfence-waf.php file, where noted below.

The Wordfence scan results page shows up to 100 results by default, and loads more results when you reach the bottom of the page. You can adjust this higher or lower by using this line, and changing the number:


The Blocked IPs page will show up to 100 blocked IPs by default. If you have a long list of blocked IPs, you can change this value to a lower amount if you prefer faster loading, or increase the amount to load more entries, which may be helpful if you use your browser's search to find blocked IPs:


Falcon and Basic caching are being discontinued in version 6.2.8 and "Performance Setup" no longer appears on the admin menu if caching was not enabled during a recent update. If you temporarily need access to this menu again, use this line -- this constant is only available up through version 6.2.7:

define('WF_ENABLE_FALCON', true);

If running Wordfence on a site where the wp-content directory is not writable, you can change the default path to a path that is writable. When the firewall is set up with "Extended Protection" (using .htaccess or .user.ini), add this line after the opening "<?php" tag in wordfence-waf.php instead of in wp-config.php, and change the path to a safe and writable location:

define("WFWAF_LOG_PATH", '/var/www/html/wp-content/wflogs/');

If you need to disable the Web Application Firewall, this line can be added to wordfence-waf.php on the line after the opening "<?php" tag if the firewall is set up with "Extended Protection", or to wp-config.php if the firewall is using "Basic WordPress Protection":

define('WFWAF_ENABLED', false);

Wordfence can detect how your server sees visitors' IP addresses and alert you if your site may not be set up to get the visitor IP addresses correctly. If you need to disable notices about this, you can add this to wp-config.php:


In addition to the option above, if you don't want to disable the check, you can set a shorter timeout for the scan. This may be helpful if you have a development copy of your site that is not accessible publicly, so the scan will wait for a shorter time instead of the default of 30 seconds on that site. Many sites should work correctly with a timeout of only 10 seconds instead of 30: