Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Wordfence 5 with Falcon Engine Released!

This entry was posted in Wordfence on April 6, 2014 by Mark Maunder   83 Replies

This is a big day for us. We’ve been quietly working on a release that will fundamentally improve the amount of protection that Wordfence provides for your site and your online presence.

This evening at 8pm eastern time we released Wordfence 5.0.1 to the world. This version of Wordfence includes many fixes and improvements. You can find Wordfence 5.0.1 here, and the full ChangeLog for Wordfence 5.0.1 is available on this page.

The biggest focus for this release was performance. We realized that the best way to combat distributed denial of service attacks and many other attacks that overwhelm your site with traffic was to increase your site performance by such a large margin that your site would continue to perform even under severe load conditions.

When we started work on this release, we started from the basics and analyzed web server performance and Wordfence’s performance from the ground up. We used low level performance analysis tools that watched operating system and database performance to carefully monitor our test servers and see exactly where the bottlenecks were. We also looked at the way a web server works and found out a few surprising insights.

I’m going to share one of the most interesting things we discovered which led to a very efficient design in our new high performance caching system: Falcon Engine….

Did you know that if you have a page stored on your web server and it is stored in a deeply nested directory structure, this has a huge impact on how fast the page is served? For example the page


is going to be served much faster than


The reason for this is because most hosting environments for WordPress use .htaccess configuration files. This causes the web server (Apache being the most common one) to check if there is a .htaccess file in the directory you are accessing. But it goes further than that. The web server will also check for the existence of an .htaccess file in EVERY parent directory of the directory being accessed.

The trouble with this is that Apache generates a stat() request every time it checks for .htaccess which accesses the physical disk and that is the slowest thing you can do on a web server. You NEVER want to access physical disk if you can help it.  

So in the second example above, if you hit the above document with a web request, it will cause Apache to stat() for .htaccess files in the following locations:

  1. /this/is/the/deep/directory/where/my/page/is/.htaccess
  2. /this/is/the/deep/directory/where/my/page/.htaccess
  3. /this/is/the/deep/directory/where/my/.htaccess
  4. /this/is/the/deep/directory/where/.htaccess
  5. /this/is/the/deep/directory/.htaccess
  6. /this/is/the/deep/.htaccess
  7. /this/is/the/.htaccess
  8. /this/is/.htaccess
  9. /this/.htaccess
  10. /.htaccess

That is 10 disk accesses which is incredibly slow. Depending on which web server you’re using you may see more stat() activity in parent directories of your web server root.

Many caching plugins for WordPress, including the most popular ones, actually store cached versions of your web page on disk using the same directory structure as your URL structure. So in the above example if the URL looks like /this/is/the….. then that is the directory structure that will be used on disk. That means that, while they speed up your site by storing pre-rendered versions of your web page on disk, they slow it down again by forcing the web server to do a large number of stat() operations which accesses physical disk.

This is a big performance problem for WordPress because we like to use permalinks in the WordPress world which have a structure like /2014/04/20/my-new-web-page/ – and most of our pages have these deep structures.

What we did when designing Falcon Engine is we designed a new caching storage scheme that uses far fewer subdirectories, which therefore generates far less disk accesses per request and makes Falcon Engine faster than other caching plugins.

To give you an idea of how much faster Falcon Engine will make your WordPress website, I’ve created a short 5 minute video to give you a brief introduction to Falcon and show off a few benchmarks.

Falcon Engine is one of the many performance improvements we have added to Wordfence 5. Another improvement is that we cache our own configuration data in a serialized disk file to dramatically reduce the number of database queries for requests that are not cached. This provides a nice performance improvement for every request and reduces load on your database.

We have also included a PHP based caching system for site owners who aren’t able to modify their .htaccess files to enable Falcon Engine. This provides a 2 to 3 times performance improvement over plain vanilla WordPress performance.

Wordfence 5 removes the choice that site owners have historically had to make between performance and security and we provide both, combined into a single, enterprise ready, high performance security plugin for WordPress.


Mark Maunder – Wordfence Founder.

Did you enjoy this post? Share it!

Your rating:

83 Comments on "Wordfence 5 with Falcon Engine Released!"

Shanw April 6, 2014 at 9:50 pm • Reply

So, if I already have a cache plugin installed, should I remove it? Might it conflict if the Falcon Engine is activated?

mark April 6, 2014 at 9:54 pm • Reply

Yes that's correct. However we anticipated this and if you try to enable Wordfence caching (either the basic caching or Falcon Engine) you will get a warning that you have another caching plugin enabled if that's the case. We detect the 5 major caching plugins if they're active on your site. I should add that Kerry [my co founder who handles quality assurance] gets credit for making sure we added this detection to avoid conflicts.

Dawid April 6, 2014 at 9:53 pm • Reply

Wow guys! I'm really enthusiastic. Didn't see such a performance power before. This is awesome. It's looks like as an opening of the new era in WP ecosystem, without a joke! I've tested new version of Wordfence on one on my VPS (debian 7.4 with apache 2.2.22 and PHP 5.4.27) and see huge difference. I will do benchmarks later and provide results. How this gem works? Do it has any downsides? :) Anyway, keep up good work!

Btw. I disabled W3 Total Cache (which I have many issues with earlier), I'm not sure if I can simply delete it - have heard it leaves a lot of stuff stuff in DB ;( Is it possible to add some tool for measuring speed/performance fo site (requests, queries etc.) in future? By now I've used W3 Total Cache with New Relic and Query Monitor + P3. It would be great to have everything in one plugin - Wordfence :)

mark April 6, 2014 at 9:56 pm • Reply

Thanks Dawid for the great feedback. I'd love to see your benchmarks! We're looking at adding benchmarking ourselves, but more on that soon.

David April 6, 2014 at 10:36 pm • Reply

Hi Mark and Kerry, can you help me understand better how Falcon Engine works. If my existing caching plugin has already been configured to allow my site to handle more requests, won't I also enjoy performance benefits with Wordfence 5?

Falcon Engine sounds really cool but perhaps it should be a separate plugin? I'd like to use object caching, offloading files to CDNs, etc but enjoy the performance increase with Wordfence but right now it feels like I have to choose one for the other since Wordfence doesn't have these features now, and it doesn't seem like these features would fit into future versions of Wordfence. Thanks

mark April 7, 2014 at 12:13 am • Reply

Hi David,

You can simply disable our caching and use whatever you like. However keep in mind that there are many features in some caching plugins that provide only a small performance gain like some of the object and database caching routines. The really big gains in server performance come from storing your entire pages as cached versions on disk and then having the web server fling them as fast as possible to your users without even touching PHP.

Yes, Falcon will rapidly evolve from this point out based on your and other customer feedback, so let us know what you need and we'll add it asap!!

Lee April 6, 2014 at 10:39 pm • Reply

Nice addition. For the first few minutes I thought 'What's this Falcon Engine all about?' and searched to see whether it is a new framework similar to Phalcon but for WP. Then I realised: it is a caching option in Wordfence.

Testing Falcon in one of my more active sites where Quick Cache was in use prior to Falcon. Seems good so far. Both plugins provide comparable performace boosts in the limited (online) tests I've run.

Four questions:

1) Will minification be available at some point or can I use a minification plugin alongside Falcon?
2) Will lazy loading be available in Falcon or can I use a lazy loading plugin alongside Falcon?
3) I know we can exclude pages from being cached. Will an in-page editor option be added to make excusions easier to administor (nice overview page would be good too)?
4) Will useragent (e.g mobile, not-specified etc..) exclusion options be added as well?

Thank Mark and Wordfence team for this new feature.

mark April 7, 2014 at 12:09 am • Reply

Hi Lee.

Minification: We store a gzipped version of all cached pages on disk pre-compressed. This is what most web servers with deflate/gzip enabled serve up. Minifying your code is actually redundant if you're serving up gzipped pages because there's very little benefit. I know it sounds like a great idea and I used to do it, but there's really no point because the gzip algorithm is far more effective.

Lazy loading: We'll see what the level of demand is for this. However an external lazy loading plugin should work fine alongside Falcon.

In-page exclude option: Yes we could do this and it sounds like a really good idea. I'll give it some more thought.

Useragent exclude: Yes this is feasible too and also a really great idea. Will give this some thought too.

Lee April 7, 2014 at 12:49 am • Reply

Didn't know that about gzip and minification. Really glad to know not to worry about minification when gzip is used because minification gets complicated - so complicated I only add minification to simple sites.

Thank you, Mark.

Bob April 12, 2014 at 11:09 am • Reply

That doesn't appear to be true. Apparently, the best option is to both minify and gzip.


Mitch August 21, 2014 at 7:23 am • Reply

I actually agree with you, logically speaking minify will remove and reduce file size, then gzip does exactly that compress that already optimized file so the result should actually be smaller. Whilst it may not be a big difference in a small file if there was a very large file then i can see it making a difference...

jody April 7, 2014 at 3:50 am • Reply

Do you have support for NGINX as well ?

mark April 7, 2014 at 8:13 am • Reply

Yes, Wordfence will work out of the box if you're using nginx as a front-end proxy which is exactly what I'm doing with my personal site at markmaunder.com where I already have Falcon enabled. (Falcon is actually running on this blog as well as the main www.wordfence.com site too and has been for several days now).

However if you want to configure Nginx to serve up your cached pages directly and bypass your PHP application server or web server, we haven't put rules together to do that yet. But it is feasible and something we'll get to in the coming days.



jody April 7, 2014 at 8:40 am • Reply

could we continue this privately, want to show you something Re: GT Metrix & before/after performance difference, but guessing you'd want to see our setup at root level ...

doug m April 10, 2014 at 7:54 pm • Reply

Considering security and performance are two goals of this, and wordpress itself is run with nginx, I'd hope you get these together sooner rather than later. Apache and Wordpress is not optimal to begin with, and one of the benefits of nginx is eliminating .htaccess from the picture.

Also, does this conflict with W3TC?

Gero April 7, 2014 at 4:00 am • Reply

I had WP Supercache installed and now disabled it and I will check what happens with the new Falcon engine.
My question: I have plugins installed, that show the most popular plugins. They worked fine with Supercache, because the cache was cleared from time to time. Will they also work with the Falcon engine?

mark April 7, 2014 at 8:15 am • Reply

How are you currently solving this issue? Are you using scheduled cache clearing?



Gero April 7, 2014 at 1:41 pm • Reply

Yes. Supercache has an option that let's your clear cached pages, older than ... or every x minutes. I set the cache to be cleared every hour, which updates the "living" parts of the site. It would be great to have inside Falcon also an option, that let's clear the cache every y minutes.

mark April 7, 2014 at 2:20 pm • Reply

Yup, this is version 1, so lots of cool stuff to be added. Thanks for the feedback.

Gero April 7, 2014 at 4:16 am • Reply

Sorry: I mean "popular posts"

Boo April 7, 2014 at 4:35 am • Reply


Sorry to be a downer, but I'm disappointed to see this update. Some of the best plugins only focus on a single function and do it well - backups, commenting, etc. Some of the worse plugins usually try and do to much and incorporate too many features.

I don't know why the Wordfence security plugin is adding in caching features. Instead of using the best in class security plugin (e.g., Wordfence) and the best in class caching plugin (e.g., W3 Total) you will have to use Wordfense with their relatively new, unproven, caching feature. Wordfence should stick to what they do best - security. Or spin off the caching into a separate, optional plugin so users have a choice.

mark April 7, 2014 at 8:17 am • Reply

Actually we see site performance as a core security function and we made this call early on before we even started work on Falcon. That's why we've integrated the two. A high performance website is one of the most effective ways to counter a denial of service attack.



nguyen April 7, 2014 at 10:29 am • Reply

Yes, I think it was right when incorporate site performance as a core security function. People don't want to worry a lot about site security and performance or the compatibility of both. But there is one thing that I'm concerned.
Does Falcon Engine do better than w3 total cache or any other cache plugin?
And that is what all people're concerned. And that is what you have to do to get people's beliefs
I still keep w3 as a main cache plugin, until I see some good reviews about Falcon Engine do better than W3.
I think that this is a risky move , but I still look forward to the success of your. If you do better, you're winner.

Robbie April 7, 2014 at 6:56 am • Reply

Will the Falcon engine work on a IIS server?

mark April 7, 2014 at 8:17 am • Reply

Unfortunately Wordfence is not officially supported on Windows servers.



gio April 7, 2014 at 8:21 am • Reply

Hi Mark,

I use wordfence on all my websites and promote it to all my friends.

I used the new falcon caching and disabled my W3totalcache plugin.

What happened is insane (in a good way :)).

My pageload went from 3,56 sec to a staggering .998 second. the performance grade from 71/100 to 100/100

I want to personally thank you so much for al the energy and time in providing and improving a free plugin

(If i can afford to go for the paid version in the future I will gladly support you)

Thanks so much

gio April 7, 2014 at 8:53 am • Reply

Hi Mark,

I was cheering too fast :)

unfortunately it was a hickup in http://tools.pingdom.com/fpt/

All my sites actually load slower than with W3total cache....

But I am sure you keep improving

Leslie April 7, 2014 at 9:04 am • Reply

Hi Mark,

I added some extra browser caching to htaccess and am getting even better speed scores:
100/100 Perf Grade
Not sure if it will help anyone or could be added to falcon but seems to work.

# Enable compression
AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript text/html text/plain text/xml image/x-icon

BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
BrowserMatch bMSI[E] !no-gzip !gzip-only-text/html

# Make sure proxies deliver correct content
Header append Vary User-Agent env=!dont-vary
# Ensure proxies deliver compressed content correctly
Header append Vary Accept-Encoding

# No ETags, No Pragma
Header unset Pragma
Header unset ETag
# Default cache time to 1 year (31536000 sec)
Header set Cache-Control "max-age=31536000, public, must-revalidate"

# No ETags
FileETag none
# CACHE SETTINGS (mod_expires)

# Turn on Expires
ExpiresActive On
# set default to "access plus 1 year"
ExpiresDefault A31536000
# html - "modification plus 1 hour"
ExpiresByType text/html M3600
# css and JavaScript - "modification plus 6 weeks"
ExpiresByType text/css M3628800
ExpiresByType text/javascript M3628800
ExpiresByType application/x-javascript M3628800

# No cache for php-files

ExpiresActive Off

Header set Cache-Control "private, no-cache, no-store, proxy-revalidate, no-transform"


Jeff George April 7, 2014 at 10:05 am • Reply

So far, I am really pleased with the new release of Wordfense 5. I deleted the other caching plugins I was using prior to enabling the Falcon Engine. I have enabled the caching feature on 7 WordPress sites so far and everything is going just fine. No issues at all. Nice job! I think that most people do not know enough about DOS attacks to understand why this feature is so great. Nice job!

John April 7, 2014 at 12:10 pm • Reply

Hi Mark & team. To me this is great news. Well done!

I'm not an expert in speeding up sites, but I understand the importance of it. I currently run WP Super Cache and also use MaxCDN. I did some tests last week and discovered that MaxCDN didn't make a massive difference in the case of my website. I'm going to switch to Falcon and re-run my tests from last week. I'm very curious to see what difference it makes.

Thanks for an excellent plugin!

John April 7, 2014 at 1:47 pm • Reply

I wonder if I'm missing something. Like gio above, my site also seems slower after disabling WPSC and enabling Falcon Engine.

I did some speed tests this past Friday to see if my CDN really made a difference that is big enough to justify the cost. So I picked 8 pages from my site and tested their loading speed with the Pingdom speed tool. A few moments ago, I repeated that test by switching to Falcon (deactivated WPSC) and speed testing the same 8 pages. Before each page's test, I loaded the page in my browser to ensure that any type of caching had been done before testing the speed. My tests showed speed drops (load time increases) varying between 35 - 90% with Falcon. Considering how others are reporting substantial speed increases, could I be doing something wrong?

mark April 7, 2014 at 2:19 pm • Reply

Remember that the first request will generate the page that is stored in the cache so that one will be slow and if your tests are serial then the whole test will slow down, compared to testing something that is already installed and has a primed cache.

Also make sure the test is scientific, meaning that you take out variables like a shared server that might be under more load during the second test, a network that a hosting provider has oversold and may be slow, pingdom itself etc. You really want to test over time if you're unable to remove the variables to get at least a more reliable general indication of performance.

John April 7, 2014 at 2:51 pm • Reply

Mark, thanks for your feedback. Yes, unfortunately there are some variables that I can't control, including those that you pointed out. I'm going to keep Falcon running and wait a few days before doing another test.

I'm really impressed with the work you guys do, and really want this to work out well.

mark April 7, 2014 at 2:53 pm • Reply

Thanks very much.

Jeremy April 7, 2014 at 8:18 pm • Reply

Hi Mark, I don't understand your reply here in regards to Pingdom. You wrote that "the first request will generate the page that is stored in the cache", but that only applies to viewing the webpage in my own browser - it has nothing to do with tests done by Pingdom - right?

Obviously when I view a webpage for the first time in my browser, it will take longer to load as it's downloading every single component to my browser's cache. But the next time I view that page, it will display faster because it's loading many of the page's components directly from my own browser cache (on my local drive) rather than re-downloading them from the internet (and that's the case whether or not I'm using Falcon, although Falcon should make this faster still I suppose).

But John's question here refers to a Pingdom test. Pingdom tests have nothing to do with what is in my own browser - the Pingdom tool downloads the tested website to its own server (ie. to Pingdom's server), testing its speed and counting the number of components while doing so. When you run a second test on the same webpage from Pingdom, Pingdom downloads the entire site again - it doesn't use any cache - that would defeat the purpose of a tool like Pingdom. AFAIK, Pingdom's purpose is to test the realtime load speed of a site *from scratch* ie. without caching.

John noticed that Pingdom shows his site loading faster with W3TC than with Falcon. The reason for this may be to do with the fact that his site uses a CDN with W3TC, which Falcon does not support.

Would you agree with everything I've written above?

In any case, I'd suggest signing up for a (free) account with Pingdom and using their ongoing page load tool (which requires adding a small bit of code to your WordPress site - not hard to do, I've done it myself) - then you can monitor the load speed of your site over several days, which will help to smooth out any "out of the ordinary" one-off load delays caused by, for example, a sudden spike in traffic from another site on the same shared host, or slow network speed, etc.

After a few days of monitoring the site while it's using W3TC, you can then switch over to Falcon (disable W3TC) and monitor it with Pingdom for a few more days, and see if there is a significant change in load time *average* (Pingdom will show you a nice graph) in comparison.

I'd suggest testing for one week each, starting on the same day of the week, to keep the two tests as similar as possible. Day of week and time of day can also be factors in a site's load time.


John April 9, 2014 at 4:53 pm • Reply

Hi Jeremy. Thanks so much for your input. :-)

It is now 2 days after switching to Falcon. It just so happens that I have a Pingdom account and installed their code on my site several months ago. Two days isn't much testing time, but it does look like my site is responding faster now with Falcon running. I will look at the response times again in a few days, and compare to an earlier period. It's looking promising though...

Jeremy April 9, 2014 at 8:25 pm • Reply

That's good to know John! I haven't used W3TC myself before, so I don't have any experience with how that compares, but I did enable Falcon on one of my sites last night, and found it to be significantly faster afterwards (also verified with Pingdom).

Steve April 7, 2014 at 1:57 pm • Reply

Any issues with with using Falcon on Multisite installs?

mark April 7, 2014 at 2:20 pm • Reply

We haven't tested this as extensively as on single site installs, so I'd recommend waiting until the next release if you're running a busy multi-site, or set it up in a test environment.

Bet May 11, 2014 at 6:22 pm • Reply

I will be watching for info on how Falcon works with multisite! If I have time, I'll try to set up a testing environment.

Max April 7, 2014 at 2:59 pm • Reply

Great, does this feature work on Zeus servers?

Saddam Hossain April 7, 2014 at 4:24 pm • Reply

Thanks Mark, for the nice upgrade. I have started using it in my site. Disabled everything else. Working fine since then. Now, need to sort out the minify.

brian kelly April 7, 2014 at 8:32 pm • Reply

Hows does this affect a plugin such as woocommerce? Should I exclude the cart and checkout pages from cache?

Jeremy April 7, 2014 at 8:50 pm • Reply

Hi Mark, I've encountered a bug with Falcon: it doesn't support WordPress subdirectory installations (ie where WordPress is installed in a subdirectory, which is a fairly standard and widely-used configuration).

In my case, I've got my WP installed at www.mysite.com/wordpress. I have WP_HOME = www.mysite.com and WP_SITEURL = www.mysite.com/wordpress (as defined in my wp-config.php).

I just upgraded to Wordfence 5.02 and tried to enable the Falcon Engine. It gave me an error, telling me that it couldn't find the .htaccess file located at www.mysite.com/wordpress.

The reason is because there isn't any .htaccess file located there in the first place. My .htaccess file is located where it should be, in the document root folder (www.mysite.com). It shouldn't be at www.mysite.com/wordpress - my rules won't work properly if it's located there.

Can you kindly update Wordfence to take into account subdirectory installations like mine, where the .htaccess file is located in the doc root folder, outside of the WordPress installation folder? (This will certainly affect many of your other users who also use a subdirectory installation).


Jose April 8, 2014 at 6:57 am • Reply

I haven't tried falcon yet, just researching, but I believe that according to the codex on installing in a sub directory install, your supposed to copy the .htaccess from the install folder to the root, not move, so if done that way, you probably wouldn't have received that error.

Jeremy April 9, 2014 at 8:20 pm • Reply

No, the .htaccess file needs to go in the doc root folder - the top-level folder. WordPress itself writes its own rules to that copy of the file (ie. the one in the doc root folder) whenever you update the permalink settings on the Settings -> Permalinks page. WordPress ignores any .htaccess file that may exist in the subdirectory, because .htaccess files should always go in the top-most directory that is relevant to the rules it contains.

Besides, it would be counter-productive to have to maintain two separate .htaccess files - one in the doc-root and the other in the subdirectory. The various other rules that can be added to a .htaccess file (eg. for 301 redirects, IP blocks, caching, gzip compression, ErrorDocument rules, and so on and so forth - they need to go in the doc root folder. So having a separate .htaccess file in the subdirectory would be a pain to maintain, aside from being totally unnecessary.)

I've read what the codex suggests, and in my opinion its instructions on that point are not correct or not ideal. It should rather advise to move the file, or at least to explain that the copy in the doc root is the one to use for everything. :)

Jeremy April 9, 2014 at 8:29 pm • Reply

...Additionally, the other plugins I've used in the past which write their own rules to the .htaccess file - eg. some of those other security plugins - also write to the .htaccess file in the root folder rather than trying to write to the subdirectory. They recognise that I have a subdir installation, and they correctly identify the location of my .htaccess file in the root folder and modify that one.

I'm sure it will be a pretty straight-forward thing to get Wordfence to do the same. :)

Scott N April 7, 2014 at 11:04 pm • Reply

I noticed that in the Chrome browser, when clicking to download a backup copy of the .htaccess file, it says "htaccess_Backup_f...com is not commonly downloaded and could be dangerous" and the only option is "Report & Discard". I wonder if there is anything you can do to make the download of the .htaccess file less malicious-looking to Chrome? Or am I the only one seeing this issue?

Scott N April 8, 2014 at 9:38 pm • Reply

I am behind a Sophos UTM9 Firewall (formerly Astaro) at one location that I am often at, and when I try to download the .htaccess file it is blocked and states "The URL you have requested matches a forbidden file extension. If you think this is wrong, please contact your administrator." and I'm not able to enable Falcon. Just another data point for you.

Nishant Ratnakar April 8, 2014 at 2:31 am • Reply

This is great news. I use Wordfence security on my wordpress site. I need a clarification though. I use Google adsense on my website to display and publish google advertisements as a way to monetize my website. Would activating Falcon Engine caching, cause any issue with usage of Google adsense? Would it violate any google policy with respect to Google adsense.

Mark April 8, 2014 at 3:47 am • Reply

Hi Mark, just wanted to say thanks for Falcon Engine. I've tested it on a few sites now, and the performance increase is very noticeable. I have replaced W3TC with Falcon Engine on some of these too :)

Keep up the awesome work - it's much appreciated.

Jose April 8, 2014 at 6:59 am • Reply

If I use BPS security plugin to code my .htaccess file, does Falcon override the coding that I have set up via the BPS plugin?

Do these two plugins get along with Falcon enabled?

Thank you. Love Wordfence. :)


TamrahJo April 8, 2014 at 11:24 pm • Reply

I've shied away from caching my small biz/rural non-profit sites, as they are all small and I don't always feel confident in setting cache plug-ins properly -
I tested all 8 of my sites (3 in development, the rest live) before and after Initializing Falcon Engine - there were a couple of ones that temporarily went higher, but in the end they all came down - I read here the benefit of testing over time, to rule out other variables, but here's the initial highlights, with all load times in seconds unless marked "ms":
1- - Before: 10.55 - After 2.17
2 - Before: 1.88 After: 1.59
3 - Before: 2.49 After: 1.23
4 - Before: 2.68 After: 1.81
5 - Before: 8.24After: 3.7
6 - Before: 3.20 After: 1.23
7 - Before: 2.52 After: 495ms
8 - Before: 2.9 After: 311 ms

@Jeremy - all my site installs are in a subdirectory with site url pointed to main domain - I didn't have any issues with install or seeing reduced times - don't know what to tell you, but it is working on my sites.

Thank you for this tool and the testing really opened my eyes to things I can change to make my sites 'cleaner/faster' - I always felt lost when looking at all the options in caching plug-ins - feel more comfortable using this and identifying ways to clean up my css files (And do better design of landing pages)

Thank you ever so much.
Tamrah Jo

Jeremy April 10, 2014 at 11:23 am • Reply

@TamrahJo, that means your site has two separate .htaccess files, in two different locations, which are both being used - which is certainly a nuisance for maintenance and ease of use. WordPress itself will be writing its own permalink rules to the .htaccess file in your root directory, as will any other plugins you use which write stuff to .htaccess, because that is the correct location for the .htaccess file to be - meanwhile Wordfence/Falcon will be writing its own rules to your other .htaccess file in the subdirectory. That's totally unnecessary and (IMO) bad practice. All these rules should go in just one .htaccess file, which should be the one in the root directory, which covers the entire site. :)

TamrahJo April 16, 2014 at 2:38 am • Reply

@Jeremy - You're right, I checked - there are two htaccess files - but the one that's left in the subdirectory doesn't show a last modfied date any later than when I changed everything RE; site url, etc - sorry for my slow response - I thought I'd get an email if anyone responded -

The two files do seem to have all the same info, so can I safely delete the one in the subdirectory OR by doing that, I'll run into the same problems you did? Thanks!
Tamrah Jo

Jay April 10, 2014 at 6:00 am • Reply

Just a quick comment for anybody that was in the situation I just had to deal with.

I enabled Basic Caching on a site I manage and it immediately stalled, producing 504 Gateway errors on all frontend and Admin pages.

If this happens to you, the only thing you can do is FTP into your site, backup the Wordfence plugin directory on the server, and then delete it from the server. You'll then be able to access your site, and reconfigure Wordfence.

This was probably just a one-off error, but for anybody Googling Wordfence 504 errors, hopefully this helps. I'd like to try the caching capability for real soon, but it looks like I'll be testing it out on a less-popular website of mine first to be extra cautious.

Vishwajeet Kumar April 21, 2014 at 12:07 pm • Reply

First Of All I am very thankful to wordfence team for such a great security plugin. Now come to the new feature that is falcon engine, I have had never seen this type of cache plugin which can drastically increase my blog performance, just incredible. Great job Guys.

Kahi Admin April 22, 2014 at 12:56 am • Reply

Do you have a way to use FalconEngine without WordFence security... it's a weird request I know, however your caching method interests me on it own accord for various use-case scenarios

I have not been introduced May 3, 2014 at 2:27 pm • Reply

I did not have a clue what I was doing with W3 Total Cache. I have now disabled, but not deleted it so I can use Falcon. TBH I was following instructions on another site to set up W3. I am grateful that I do not have to follow any complex instructions to use Falcon. Also it is nice to have a plugin that actually doubles up.

Don Chumsai May 15, 2014 at 12:04 am • Reply

I'm testing the Falcon cache with Nginx, and it was smart enough to know that I'm using Nginx, as it tells me to add the wordfence directives into my nginx.conf. After adding the directives, when I "Click to Enable Falcon Engine" it responds with:

Wordfence could not edit .htaccess
Wordfence could not edit your .htaccess code. The error was: Wordfence could not find your .htaccess file.

If WordFence already knows that I am using Nginx, why does it report an error in regards to .htaccess files when Nginx doesn't use them?

TeeDev May 19, 2014 at 11:31 pm • Reply

Activating Falcon Cache WITH W3TC

Is there anyway I can override the check for W3TC and enable Falcon Cache?

One of the BIGGEST failings of MaxCDN is that they have not developed their own WordPress plugin and so, practically the only way to use it to its full potential is to install and activate W3TC.

I have been using Falcon on several sites for almost a month now and I'm very happy with its caching but on some of my sites which have more global reach (in terms of audience distribution) I need to use MaxCDN. While Falcon's cache engine is very fast it doesn't compensate for the latency issue of distant server resources and so I prefer to continue to use W3TC to enable MaxCDN. The mathematics is:


Is it possible to enable some sort of advanced usage for those who are happy to make a few more settings changes so that we can use W3TC with only the CDN module enabled alongside Falcone engine?

RichH May 21, 2014 at 9:11 pm • Reply

I run a membership site and have several concerns with Falcon...

1) Are pages cached for logged-in users? Our membership software customizes pages for each user so it would make sense to (a) not cache if logged in and, maybe, (b) to optionally establish separate cache for each user.

2) Does Falcon honor the setting define('DONOTCACHEPAGE', TRUE) and not cache pages where this has been set. This would allow us to safely handle certain pages where the data is generated on a timely basis without having to enumerate them. We have many of these pages and other caching software spots this and handles it appropriately.

3) Can we set a cache time limit? Some websites I work with can operate on a long time cache, but others should be timed out after 3 - 60 minutes (depending on the site), so that automated updates can take place.

RichH May 22, 2014 at 5:17 pm • Reply

Okay, after some testing I've determined that:

1) Falcon DOES NOT cache pages for logged-in users, at least admin level users.

2) Falcon DOES honor the setting define('DONOTCACHEPAGE', TRUE).

3) Can we set a cache time limit? Not yet, but it would be useful.

RichH May 24, 2014 at 1:11 am • Reply

It appears that the cache does not clear for days, which is okay for some pages/posts but not for others on some websites.

For example, several of our member sites have a shortcode on the home page that posts updated information daily.

I've found that I can embed define('DONOTCACHEPAGE', TRUE) in the php on that page and the page will not be cached, but in the event of a DDOS attack that page would probably get hit hard, and that's exactly what we are trying to avoid with Falcon.

If we could set at time period, in other words, a maximum number of seconds or minutes for the cache file to live, it would be ideal. Some of these sites would be fine with a 10 or 15 minute cache life for these particular pages, others might be better at one minute. This would have a significant benefit in a DDOS attack.

If we could just set a define... but set it to a number of minutes... it would solve the issue. The page would still get updated automatically in a reasonably timely fashion, yet when getting hit hard most of the page serves would be from cache.

Loggy May 27, 2014 at 9:55 am • Reply

I added WordFence to a site that runs on a shared hosting system that kept throttling (ie blocking) access and it made a lot of difference. I removed W3TC that was only configured for browser caching anyway and like the elegance of Falcon.

I am moving the site to my own server which runs nginx with apache in a reverse proxy configuration. nginx itself can of course cache although it is generally a bad idea to run two caching approaches.


1) Since nginx passes *.php calls to apache running mod_php (ie apache ie effectively a wrapper for php), will this cause problems with Falcon? eg Falcon will prepare a page from php while normally nginx will serve css, js, jpg etc separately. Is there any point in this as the cached version will not be a full page?

I've tried it on one site and it appears to work but that is just a raw WP installation really. I don't want to let it loose on bigger sites and find it causes problems.

2) One of my sites has a large Simple:Press forum (that I intend migrating to bbPress shortly). This of course means that users are actually logged in. Would Falcon work or help at all with this?

3) A few of the sites on my server use php-fastcgi instead of apache so .htaccess is not appropriate there. Presumably the nginx configuration would be needed or would it be better to use nginx fastcgi caching?

4) Have you tested it with mod_PageSpeed or ngx_pagespeed at all?

Thanks for all your efforts - site speed is an essential part of security I do agree.

Loggy May 28, 2014 at 9:28 am • Reply

Just another question about clearing.

At the moment the cache is completely cleared on: "Publishing a post, creating a new page, updating general settings, creating a new category, updating menus, updating widgets and installing a new plugin."

This seems rather extreme as for example publishing a post may alter the front page (or blog page) plus generate its own single post but won't affect other 'pages' or genuine pages.

As a result a site may well slow down enormously when new post is published, which is exactly when you expect most traffic.

I understand about plugins (although not all plugins affect pages) and menus but is there not a better way to check whether a page or page of posts needs regenerating? Most other caching systems I believe monitor it in a different way so that pages are only regenerated when needed.

You may additionally think about expiring old cached pages either after a certain time (the individual page is older than so many minutes) or when the wfcache directory gets to a certain size.

Just some thoughts - I now have Falcon working well on a few sites but one of them did slow down a lot when a new post was published!

Cedric May 29, 2014 at 4:10 am • Reply

Hi there,

I am now trying Wordfence Falcon Engine.
What would be nice is an option for the cache to build itself automatically (perhaps every x hour/minute or each time a post is published or updated).

Regarding performance, I unfortunately had to disable Live Traffic as it was too slow.

Mike June 1, 2014 at 7:51 pm • Reply

Just purchased this and set the falcon engine for cache and removed my previous cache plugin. I am having issues with my shopping cart. If i add items to my cart then delete them or add my its not clearing the cache and keeps showing incorrect items.
Is there a way i can maually remove cart from cache with this ?

david June 19, 2014 at 11:15 am • Reply

The probelm with this caching methodology is that it DOES NOT WORK WELL on NFS backed web clusters, i.e. BIGGER sites... File IO is EXPENSIVE on NFS, so plugins that don't use the filesystem at all (W3 total cache+memcache) tend to perform as well or better without the IO overhead/conflicts that can happen when two webnodes try to create the same cache-file in the shared NFS webroot. Also NFS slows down the more files there are in a directory which is why initially the performance may be good/ok, but over time it drops off (seen sympton with Supercache and W3 total cache using file based caching on NFS), whereas with a memcache based caching plugin (I use W3 Totalcache with page and database calls cached in memcache) it's performance is consistent over time assuming you cache is appropriately sized for the workload (not expunging stuff too soon due to lack of ram/space in the cache) For web clusters this works well as you can distribute your cache among the nodes, so if nodes die the whole cache isn't lost...

Ian June 24, 2014 at 6:17 pm • Reply

Greetings Guys

The latest update to wordfence fails saying it cannot uninstall previous version of plug-in

Many thanks

mark June 24, 2014 at 6:24 pm • Reply

Hi Ian,

You've likely got a permissions issue that will prevent you upgrading.



jeff@weblance.com July 21, 2014 at 8:26 pm • Reply

Obsessed with building the ultimate Wordpress dream machine. Do you have specific experience with the following technologies and falcon engine? If so, what did you find. I will setting this up very soon and will post some results here. So how did I settle on these technologies. Well I am no expert and have humble skills. This is just what I came up with by googling and reading allot. I included every technology that sounded favorable. But does the recipe make for a good set up?

Ubuntu need be 14.04+
Nginx Optimized
Php5-FPM + ZendOpcache

Matt August 7, 2014 at 6:56 am • Reply

I'm running the Wordfence Falcon engine on my multisite install but when I run a Google PageSpeed insights, it tells me that I should be leveraging browser caching to speed up my site. I though that's what this aspect of the Wordfence plugin would do. Is there a reason that it wouldn't show up as actually caching?

Mitch August 21, 2014 at 8:19 am • Reply

Hi Guys,

I decided to give this a go. I did a before after comparison and also a comparison with w3tc.

Here is my results.

No Caching - First view: 5.8sec http://www.webpagetest.org/result/140821_9Q_FG2/
w3tc Caching - First view: 3.4sec http://www.webpagetest.org/result/140821_QE_GHP/
Falcon aggressive cache - First view: 4.5sec http://www.webpagetest.org/result/140821_FT_GRA/

Falcon also failed to give me a Grade A in First Byte time... where w3tc could give me an A, this probably contributes to the better speed.

Im sorry to say but it did not perform for me as expected.

I was hoping to remove w3tc and only have this one plugin but it looks like i have to go back to it :|

alvar September 15, 2014 at 12:33 pm • Reply

Is this caching different than browser caching?
Ie. is it worthwhile to do browser caching separately?

Mac September 18, 2014 at 1:32 pm • Reply

I would love to see support for maxcdn in the future. Right now, I'm forced to use WP Super Cache.

MattyB November 1, 2014 at 6:16 am • Reply

I'm running an amazon EC2 install of Nginx Stack powered by Bitnami (HVM) and I have wordpress successfully installed and running great. First thing I wanted to add was WordFence and Falcon to see if the claim of Falcon running on Nginx is as good as it gets. I cannot get Nginx to start after applying the Falcon rules provided by the link you give before enabling Falcon on Nginx because it doesn't allow location directives. I also noticed that my nginx.conf file is quite different than the example file you provide in the link, though the top 3 or so lines are the same - but namely "listen", server_name" and "index" among others are not handled in mine.
Can you tell me if I'm missing something here or is there a different rule set for these specialized Bitnami stacks that we should use?


Lu June 17, 2015 at 1:58 pm • Reply

I've been testing this out with Apache Benchmark and a live site that gets a good amount of traffic, and i've been really surprised by the gains.

We were caching using Total cache DB and objects with Memcache, with a 90%+ hit rate and still the site would die when there was tons of traffic, even while running a reverse-proxy (Varnish).

After switching to Falcon, seen a drop in cpu and mysql threads by roughly 50% - which makes sense to pre-empt where WP is slowest, instead of adding caching layers on top. Awesome!

JP August 4, 2015 at 6:08 am • Reply

I am wondering why does Falcon creates the cache file inside the folder? The Wordpress is installed inside a subfolder.

For the pages with many slashes (eg. Posts, Grand Child posts), the cache file is being created inside the subfolder, and inside it are the files _wfcache.html and _wfcache.html_gz.

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.