- How do I install my Premium Wordfence API Key?
- My scans are not starting. What should I do?
- Some feature in Wordfence isn’t working. What should I do?
- I’ve locked myself out of my site. I’ve tried the email unlock feature and it didn’t work. What should I do?
- I get a “can’t connect to host” error while scanning. What should I do?
- I use an .htaccess file in my /wp-admin/ directory for an added layer of password protection. Can I use Wordfence?
- My scans don’t finish. What can I do?
- What known plugin conflicts are there with Wordfence?
- What does “Scan public facing site” do?
- Do any other plugins break Wordfence?
- I’m getting errors that Wordfence can’t detect visitor IP addresses. Or I use IPv6 on my site and I know Wordfence doesn’t support that. What can I do?
- I have sucuri installed and Wordfence isn’t working. What can I do?
- I can’t save Wordfence “options”, I can’t update my API key and a few other things aren’t working.
- I cleaned my site with Wordfence but Google still says I have malware. What must I do?
- I’m getting an error that my API key is being used by another site, but I’m sure it’s my own API key. What should I do?
- How many Wordfence API keys do I need? One per site?
- The “see how file changed” and some other features in Wordfence aren’t working. What should I do?
- When I do a theme and plugin scan to verify their integrity I see a lot of modified files. What should I do?
- I often get “Forbidden” messages when trying to use a Wordfence feature. What should I do?
- I get an error about my site not being able to connect to itself. What should I do?
- I get an error when trying to scan about Wordfence not being able to sign in as admin. What should I do?
- My WordPress site has been hacked. What should I do?
- What does Wordfence scan?
- The Wordfence team asked me to send them my Wordfence activity log. How do I do this?
- My Wordfence scan is not completing. What should I do?
- I’m seeing red errors in the activity log. Is this a problem?
- What do Wordfence’s cloud servers do?
- What data does Wordfence send to the scanning servers when a scan happens?
- Wordfence won’t let me block IP addresses in certain address ranges. Why?
How do I install my Wordfence Premium API Key?
Once you’ve signed up for a paid Wordfence membership, you need to sign into www.wordfence.com using the account information we emailed you. If you’re not already signed in, click the link at the top of this page to Sign-In. Then go to your Dashboard and click the option to get API keys. You can then create your Premium Wordfence API Key. Once created, copy the key to your clipboard. Then sign into your own WordPress website. Go to the Wordfence ‘options’ menu. At the top you’ll see a box where you can paste your new API key. You may need to replace the free key with your new Premium key. Then click “Save” and you should be upgraded to a Premium membership.
My scans are not starting. What should I do?
Make sure you haven’t blocked Wordfence’s scanning server’s IP address range from accessing your site. Our servers are from 126.96.36.199 to 188.8.131.52. If your site is unable to connect to itself to start a scan, we get our scanning servers to connect to you to kick the scan off. If you’ve blocked our servers, your scans won’t start. The newest version of Wordfence has code that prevents you from blocking individual addresses in our range but you can still block our entire network, so make sure you haven’t done that.
The most common problem is that your site’s WordPress AJAX handler is not working. You may have accidentally blocked access to it or a theme you’re using may have broken it.
Test that you can access the following URL:
Replace www.example.com with your site URL.
You should see a blank page with a “0” at the top left. If you don’t see this, then you need to fix your site’s AJAX handler or Wordfence and many other WordPress features won’t work. Here are a few tips:
- If you see a 500 Internal Server Error, then check your web server’s error log for the reason. If you don’t know how to do this ask your site administrator or hosting company.
- If you see a FORBIDDEN message, then you’ve probably set up an .htaccess file that blocks access to your wp-admin area and you need to add an exclusion for your AJAX handler. See below for more info on how to do that.
- If you see a page that looks like your site home page or some other page on your site, then your designer or theme creator has broken the way your site works and you need to tell them to fix access to the WordPress AJAX handler.
Some feature in Wordfence isn’t working. What should I do?
We’ve found that there are unfortunately many badly written plugins out there that break certain features in WordPress and therefore prevent Wordfence from working. The easiest way to isolate which plugin is causing the issue is to disable all plugins except Wordfence and then reenable them one by one until one of them breaks Wordfence. Some examples of problems we’ve seen are:
- Plugins that try to protect your /wp-admin/ area but in doing so block access to the WordPress AJAX handler which lives in that directory and needs to be publicly accessible.
- Plugins that put your site into maintenance mode and also disable the AJAX handler in wp-admin.
- Plugins that disable jQuery in WordPress. For some reason there seem to be several plugins that completely break jQuery. This disables Wordfence and almost all other plugins and themes that rely on this core library.
I’ve locked myself out of my site. I’ve tried the unlock email feature and it didn’t work. What can I do?
First please make sure that it’s actually Wordfence that is locking you out of your site. There are many plugins that offer a “lock out” feature and quite a few of them that don’t work well. If you are locked out by Wordfence you’ll see a message giving you a reason you’re locked out and explaining how to unlock access to your own site.
Whenever Wordfence locks a user out it provides a “Reason:” with a reason describing why you’re locked out. You can use this reason to determine which firewall rule you need to modify to prevent this from happening in future. If you post on the forums, make sure you include the “Reason: [explanation]” text or a screenshot of the locked-out page so that we can tell you what to change to prevent getting locked out in future.
Here’s how you regain access to your site:
The easiest way to solve this problem immediately is to simply delete the Wordfence files from your WordPress installation. You can do that as follows:
- Connect to your server using the method you normally use to upload files. Most people use either FTP or SFTP to do this.
- Remove the Wordfence directory (or folder if you prefer). If your site has the standard WordPress structure, you can do this by simply deleting the wp-content/plugins/wordfence/ directory and everything underneath it.
This procedure will immediately unlock your site. If you are still seeing a message that you’re locked out, make sure you disable any caching plugins like W3 Total Cache, or clear their cache. If you can’t access the site to disable the caching plugin, you may have to temporarily rename the caching plugin directory to disable it.
You may also have to clear any caches on a front-end caching proxy if you have an advanced configuration.
In the highly unusual case that you don’t have access to your own files on your server, you will need to log a support call with your web hosting company or whoever manages your server and ask them to delete the wordfence folder.
I get a “can’t connect to host” error when trying to scan. What can I do?
If you see an error that looks like the following:
Scan terminated with error: We received an error response when trying to contact the Wordfence scanning servers. The HTTP status code was  and the error from CURL was couldn’t connect to host.
Then it’s likely that your web server (the machine that runs your WordPress website) can’t connect to our scanning server.
When you run a scan your web server needs to be able to connect to our scanning server which is noc1.wordfence.com so that it can send hashes of files and signatures for comparison against known bad items.
Your web server must be able to connect to port 443 and port 80 of noc1.wordfence.com.
To test if it can do this you can SSH to your server and run the following commands. If you don’t know how to do this, ask your administrator.
telnet noc1.wordfence.com 80
telnet noc1.wordfence.com 443
I use an .htaccess file in my /wp-admin/ directory for an added layer of password protection. Can I use Wordfence?
Yes you can but you need to set up the .htaccess file correctly. You can’t simply block access to everything in /wp-admin/ because the directory contains your AJAX handler. The AJAX handler is what allows users on your website to perform application functions without a full page reload occurring. E.g. when you click a button and see a rotating “loading” icon, that is usually an AJAX call. If you simply block the whole of /wp-admin/ with a password, you will break any plugin or theme that uses AJAX for users who are not logged in.
To work around this, you can whitelist your ajax handler as follows. Your .htaccess file should look something like this:
    AuthUserFile /path/to/your/htpasswd
    AuthType basic
    AuthName "Restricted Resource"
    require valid-user

    # This is the whitelisting of the ajax handler
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
You can read more about how to whitelist your ajax handler on this page.
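The AJAX handler test described earlier and the .htaccess exclusion above can be checked together from a shell. The script below is an added example, not Wordfence code: it assumes `curl` is installed and that the handler lives at the standard `/wp-admin/admin-ajax.php` path, and its function names and verdict words are made up for illustration. It confirms that the handler answers without a password while `/wp-admin/` itself still demands one.

```shell
#!/bin/sh
# Added example. Usage (the file name is hypothetical):
#   sh check-ajax.sh https://www.example.com

# classify_ajax STATUS BODY: interpret an unauthenticated request to admin-ajax.php.
classify_ajax() {
    ajax_status=$1
    # Strip whitespace so a body of "0" plus a newline still compares equal to "0".
    ajax_body=$(printf '%s' "$2" | tr -d '[:space:]')
    case "$ajax_status" in
        000) echo "unreachable" ;;         # curl could not connect at all
        5??) echo "server-error" ;;        # look in the web server's error log
        401) echo "password-protected" ;;  # the <Files admin-ajax.php> exclusion is missing
        403) echo "forbidden" ;;           # an .htaccess rule or plugin blocks the handler
        *)
            # A healthy handler answers a request that names no action with the body "0".
            # Newer WordPress releases send that body with status 400, so the body
            # decides here, not the status code.
            if [ "$ajax_body" = "0" ]; then
                echo "ok"
            else
                echo "wrong-page"          # a theme or plugin served some other page
            fi ;;
    esac
}

# classify_admin STATUS: is the HTTP password layer on /wp-admin/ still in force?
classify_admin() {
    case "$1" in
        000) echo "unreachable" ;;
        401) echo "protected" ;;           # the server asks for the .htaccess password
        *)   echo "no-http-auth" ;;        # e.g. a redirect straight to the WordPress login
    esac
}

# fetch URL: print the response body, then the status code on a final line.
fetch() {
    curl -s --max-time 10 -w '\n%{http_code}' "$1"
}

# check_site BASE_URL: run both checks and print one verdict per line.
check_site() {
    base=${1%/}
    reply=$(fetch "$base/wp-admin/admin-ajax.php")
    status=$(printf '%s\n' "$reply" | tail -n 1)
    body=$(printf '%s\n' "$reply" | sed '$d')
    echo "admin-ajax.php: $(classify_ajax "$status" "$body")"

    reply=$(fetch "$base/wp-admin/")
    status=$(printf '%s\n' "$reply" | tail -n 1)
    echo "wp-admin/:      $(classify_admin "$status")"
}

if [ $# -gt 0 ]; then
    check_site "$1"
fi
```

With the .htaccess file above in place, the expected result is `ok` for the handler and `protected` for `/wp-admin/`; `password-protected` on the handler line means the exclusion is not being applied.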
My scans don’t finish. What can I do?
The following has worked for some users:
- Go to the Wordfence “options” page.
- Scroll to the bottom
- Set “Maximum execution time for each scan stage” to 15 seconds. Don’t forget to “Save”.
- Try another scan.
- If the scan does not complete, try this instead:
  - Go to the bottom of the Wordfence “options” page.
  - Click the option to view your configuration.
  - Look for max_execution_time.
  - Set the “Maximum execution time for each scan stage” to about 80% of that value. So if it’s 90, try setting the option to 75.
  - Try another scan and see if that works.
What known plugin conflicts are there with Wordfence?
Any plugin that uses the GeoIP library or provides geo blocking or geo detection features may have a problem with Wordfence. This includes the plugin “iq-block-country” which can’t run alongside Wordfence.
We are not currently aware of any other plugin conflicts with Wordfence.
What does “Scan public facing site” do?
The free version of Wordfence does a full scan of all files on your system. It also scans your database tables including your comments, users table, posts and pages. This is an extremely effective and high performance way to find security vulnerabilities. In general it is far superior compared to remote scans of your site, because remote scans don’t know the location of all your files and don’t have access to your database.
However in some cases it’s useful to scan the final rendered version of your website. For example, if a hacker has managed to craft PHP code that our server scan misses, then the code will usually generate something malicious that appears on the final rendered version of your website. The “public facing” scan will scan the final rendered version of your site and catch this.
At this time we’re not aware of any hacks where an intruder is able to inject code that our server based scan misses and our public facing scan catches. As soon as we become aware of hacks like this, we update the server code to catch the intruder. But we include this feature as a backup measure for extra security to make sure that you are given the most comprehensive security scan in the business.
Do any other plugins break Wordfence?
We are currently aware of an issue with the “W3 total cache” and “WP Super Cache” plugins which causes Wordfence to behave erratically. In general you’ll see old status messages appearing instead of what is actually happening and you’ll see “No issues” in the security issues list when you do actually have security issues, or a list of security issues appearing when you’ve resolved everything.
I’m getting errors that Wordfence can’t detect visitor IP addresses. Or I’m using IPv6 on my site and I know Wordfence doesn’t support that. What can I do?
One of our users (Tom K.) was kind enough to send us a fix for this. If you’re using Apache and can change your Apache configuration, you can simply change the Apache “Listen” directive to force your Apache server to listen on an IPv4 address.
Before:

    #
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, in addition to the default. See also the <VirtualHost>
    # directive.
    #
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
    #
    #Listen 184.108.40.206:80
    Listen 80

After:

    #
    # Listen: Allows you to bind Apache to specific IP addresses and/or
    # ports, in addition to the default. See also the <VirtualHost>
    # directive.
    #
    # Change this to Listen on specific IP addresses as shown below to
    # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
    #
    #Listen 220.127.116.11:80
    Listen 0.0.0.0:80
- Don’t forget to restart Apache once you make this configuration change.
- This works for me: IPv6 was activated on my VPS node, but not fully configured, i.e. it was returning ::1 as the IPv6 address. Not tested on any system which has an active IPv6 address, but should work hypothetically, as all you’re doing is specifying a mask for Apache to listen to, and in this case, an IPv4 address syntax.
- You’d have to do Listen 0.0.0.0:443 in the SSL httpd.conf for an HTTPS configuration.
I have sucuri installed and Wordfence isn’t working. What should I do?
One of our users was kind enough to inform us that one of the Sucuri “one click hardening options” may break Wordfence and other plugins that rely on their PHP code being executable. There is an option under Sucuri one-click hardening called “Restrict access to wp-content”. If you click this option, Sucuri will create a .htaccess file that prevents PHP code in your plugins and themes from being executed directly via the Web. This will cause any plugin or theme that has PHP code that is executed directly to stop functioning. That includes Wordfence.
So at this point we don’t recommend using this feature because it will stop Wordfence from working. I have contacted Sucuri to ask them to either fix this or add it to their documentation.
I can’t save Wordfence “options”, I can’t update my API key and a few other things aren’t working.
When Wordfence installs it needs to be able to create a few database tables. If your database doesn’t allow WordPress to create tables, then you need to add the “create” permission to the user that WordPress connects as. You can do this in phpMyAdmin. Javier Salinas was kind enough to send us a screenshot of the Spanish version of phpMyAdmin where you can see which box you need to check.
I cleaned my site with Wordfence but Google still says I have malware. What must I do?
Google takes some time to realize that your site has been cleaned. You can submit a “request for reconsideration”, which usually speeds up Google re-listing your site in search results once you’ve been flagged as having malware on your site.
I’m getting an error that my API key is being used by another site but I’m sure it’s my own API key. What should I do?
Go to the Wordfence “options” page. Scroll to the bottom. Select the option to remove Wordfence data on plugin deactivation and Save your options. Then deactivate and reactivate the Wordfence plugin. Create a fresh API key and go to the Wordfence options page to install it by pasting the key. Save your options. That should fix it.
How many Wordfence API keys do I need? One per site?
If you want to use the paid version of Wordfence, you need one API key per WordPress installation. However if you run WordPress multi-site, you only need one API key for the entire Multi-Site installation.
The “see how file changed” feature and some other features in Wordfence don’t work. What should I do?
One cause of this is the plugin “Secure WordPress”, created by WebsiteDefender, which changes the internal $wp_version variable for WordPress in an attempt to hide your WordPress version from the world. It changes the variable to a randomly generated number. The correct way to do this is not to change that variable’s value, but to hook into an action or filter within WordPress that displays the version and modify what is displayed.
By changing this internal variable, this plugin breaks many other plugins and themes that rely on this variable to know internally what version of WordPress you are running. For example, if a theme needs to know if you’re running an older version of WordPress, they will rely on being able to check this variable’s value.
Our recommendation at this time is to uninstall “Secure WordPress” until such time as the developer modifies their code so that it does not change an important internal variable that many other plugins and themes rely on. This will fix the above issue with Wordfence and may fix other problems you’re experiencing with your site or its plugins and themes.
When I do a theme and plugin scan to verify their integrity, I see a lot of modified files. What should I do?
If you have customized the TwentyTen or TwentyEleven themes in WordPress without creating a “child theme”, you will see the files listed as changed if you have enabled “Theme Scanning” in Wordfence. You can safely ignore these warnings if you are sure that it was you who changed those files.
If you have downloaded an open source theme or plugin from the WordPress repository and have modified it, you will also get warnings about the modified files. You can also choose to ignore these warnings in the scan results if you are sure that it was you who modified the files.
I often get “Forbidden” messages when trying to use a Wordfence feature. What should I do?
If you scan your site, get the scan results and then try to view a file’s contents or see file differences using Wordfence, you may see a “Forbidden” message. This is often caused by plugins that try to protect your site by creating complex .htaccess files. Often these plugins accidentally block legitimate WordPress applications or site visitors, which is why we don’t like to protect sites with very complex .htaccess files.
If you see this message, look for an .htaccess file in your WordPress root directory that was created by another plugin and contains many complex rules. Either modify the plugin to prevent it from blocking legitimate WordPress applications, or stick with a simple .htaccess file and use another method to protect your site.
I get an error about my site not being able to connect to itself. What should I do?
I get an error when trying to scan about Wordfence not being able to sign in as admin. What should I do?
We are aware of this problem with some sites and haven’t tracked down the root cause yet. However a workaround that works for many is to create another user with “admin” access. Make sure the username and password are extremely hard to guess because no one will ever log in using this account. Then try to do a scan and it should work.
My WordPress site has been hacked, what should I do?
What does Wordfence scan?
- Scans all files in the base of your WordPress directory (ABSPATH) including hidden files.
- Scans all files in any WordPress directories under this base directory.
- Compares all your core files against the originals, will show you the changes and let you repair them.
- Compares all your plugin files against the originals, will show you the changes and let you repair them.
- Compares all your theme files against the originals, will show you the changes and let you repair them.
- Scans all your files (including themes and plugins, even for free users) to see if they are on a list of known malware files. The current list is over 44,000 files.
- Scans the contents of all your files (including themes and plugins, even for free users) to see if they contain malware, a trojan, virus, backdoor, known dangerous URL or known vulnerability.
- Scans all your posts and comments for URLs on Google’s Safe Browsing list.
- Continually scans comments as they arrive.
- Scans for weak passwords.
- Alerts you to DNS changes.
- Checks for out of date plugins or themes.
- Checks your disk space.
The Wordfence support team asked me to send them my Wordfence activity log. How do I do this?
- Sign in to your WordPress site.
- Click the ‘Wordfence’ menu option on the left.
- Click the ‘activity log’ tab at the top of the page.
- Wait for it to load.
- Click the little email icon at the top right of the activity log.
- Enter the email address we asked you to send the log to. Usually firstname.lastname@example.org
- Click send. A longer version of your activity log is now emailed to us along with your system configuration which we can use to diagnose any problems you’re having.
My Wordfence scan is not completing. What should I do?
First make sure you are running the newest version of Wordfence. Then check the Wordfence activity log which you can get to by clicking the “Wordfence” menu, then clicking the “Activity Log” tab.
Look for any errors in red that may indicate the reason. Then report this issue ASAP in our support forum with as much detail including any errors in your error log. Please make sure any errors you include don’t contain sensitive information like usernames or passwords from your site.
If you see an error about running out of memory, you can try the following:
- Go to the Wordfence options page.
- Click the advanced options link to show the advanced options.
- Scroll all the way to the bottom where you’ll see an option to specify the maximum memory that Wordfence uses.
- Try increasing this to 300 Megabytes (the default is 256 megs)
- Do another scan.
- If you still get an out of memory error, try increasing by another 50 and re-scan.
- You can keep increasing by 50 megabytes, but be careful that your web server does not run out of memory because this may cause the operating system to behave unpredictably. You can refer to your web host’s documentation to find out what the maximum memory is that you’ve been allocated.
- Let us know if this worked for you by emailing support at wordfence.com. Thanks.
I’m seeing red errors in the activity log. Is this a problem?
You can view the activity log by clicking the Wordfence menu on the left of your WordPress admin console and then clicking the “Activity log” tab at the top. The red errors you see here are not just Wordfence errors, but errors from other plugins and even WordPress itself in rare cases.
If you see red errors here, they are often just warnings which may not affect the functioning of your site. But you should investigate them and report any errors to the owner of the plugin that is generating the error.
An example of a plugin error is:
Use of undefined constant user_level – assumed ‘user_level’ (8) File: /home/blah/foo/bar/home/wp-content/
If you look at the filename above, notice where the name of the plugin appears. Use that to determine which plugin is generating the errors you’re seeing and report the issue to the plugin maker. If Wordfence is generating the error, then report it to us ASAP! If the error is the last error (or close to last) that appears before a scan mysteriously stops running, then send that to us too!
What do Wordfence’s cloud servers do?
- Maintain a pristine copy of every version of WordPress ever released and information about each file that allows us to very quickly compare your files with the originals.
- Maintain a pristine copy of every version of every plugin and theme ever released into the WordPress theme and plugin repositories. We also maintain a massive database with information about every file to rapidly verify your files against the originals.
- Have a list of known malware files that your installation of Wordfence uses to check if any of your files are known malware variants.
- Keep a cached copy of Google’s Safe Browsing list that is updated in real-time and used for your scans.
- Contain data about known vulnerabilities that is sent to your Wordfence plugin during scans.
- Keep a list of known dangerous IPs that is shared among Wordfence sites.
- Perform various other functions that assist with scanning your site and keeping it secure.
What data does Wordfence send to the scanning servers when a scan happens?
All data is sent to our servers using a secure SSL connection. The following data is sent when a scan occurs:
- MD5 and SHA hashes of your files and the filenames.
- Integers representing URLs on your site to scan against a list of known dangerous URLs.
- If the option to participate in the Wordfence security network is selected in your options, we send IP addresses (as integers) that have violated your firewall or login rules. These are compared against rule-breakers on other sites and may be included in a list of dangerous IPs that we distribute to you and other sites to watch out for if we determine there is a pattern of an IP address behaving maliciously.
Wordfence won’t let me block IP addresses in certain address ranges. Why?
We don’t block IP addresses that are only used on internal networks, such as the 10.*.*.* range, the 192.168.*.* range and the 172.16.0.0 to 172.31.255.255 range. We also don’t block special addresses like the loopback address, which is 127.0.0.1. And we don’t block Wordfence’s scanning server address range, which is 22.214.171.124 to 126.96.36.199, because blocking it would stop Wordfence from working.