Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

We are removing Falcon Cache from Wordfence. Here’s what you need to know.

This entry was posted in Wordfence on October 12, 2016 by Mark Maunder

Version 6.2.1 of Wordfence was just released and you may have noticed in the changelog that we’ve announced that we will be removing Falcon from Wordfence. I thought I’d go into some detail about why we made this decision.

When we launched Falcon, the caching feature that is part of Wordfence, it was a groundbreaking caching engine that was faster than any cache available for certain user configurations. But caching is a complex beast and we have learned a lot during the past few years. When Falcon launched, we were just a team of two people. Wordfence is now a team of 23 people and our area of specialization is high performance security. Not caching.

During the past few months we have been working with hosting providers and what we’ve learned is that, for certain hosting provider configurations, Falcon cache can actually slow things down slightly and it’s preferable for the customer to rely instead on a much faster front-end cache that the host provides. The reason is that some hosts use slow local disk for their WordPress hosting but use very fast front-end caches. In those configurations, Falcon generates unwanted disk IO trying to outperform the front-end cache, which it will never do.

Some of the hosting providers we’ve worked with have told us that they want the awesome security that Wordfence provides, but they don’t want users to slow down their customer sites by enabling Falcon. Remember, this only applies to certain hosts. But this is one of the reasons we have chosen to remove the feature.

The second, and main, reason is that Wordfence is really all about security. It’s what we know and what we’re incredibly good at. We have a sizable team now of forensic experts, analysts, senior developers, operations people and customer service experts and we’re all completely focused on securing WordPress websites. We’d like to stay 100% focused on that and not be distracted by trying to support a feature that is outside our area of focus.

And so with that in mind, we’d like to announce that Wordfence 6.2.1, released yesterday, is phasing out Falcon cache. For this release, if you’re using Falcon, you will receive a notice that you should manually disable it. If you don’t have Falcon enabled or have a newly installed Wordfence installation, you will notice that the Falcon menu has been removed for you.

Our QA team has worked through many scenarios to ensure that this transition is painless for the relatively small percentage of users using Falcon. An upcoming release will disable Falcon and remove the feature if you haven’t already manually disabled Falcon. We recommend that you remove it manually because an attended installation is always safer than having things happen automatically.

We currently have no timeline for when Falcon will be completely removed, but it will be relatively soon and we recommend you take action now. We won’t completely remove Falcon for at least another 4 weeks.

If you’re looking for a replacement WordPress caching plugin, you can find a few recommendations with benchmarks on this page. But I strongly recommend you first consult your hosting provider because what we’ve found is that in some cases, it’s better to rely on the caching that your host already provides.

Going forward, Wordfence will be 100% focused on security and in particular providing the best firewall and malware scanner available for WordPress.

Minor update: As a helpful user on reddit pointed out, it’s unclear in the post above if we’re also removing the ‘basic’ cache. Yes, we’re removing what we refer to as ‘Falcon’ cache which is the .htaccess based caching engine and we’re also removing the ‘Basic’ cache which is the PHP based caching engine. If that’s not clear or if you have any more questions, please post in the comments. Thanks. ~Mark.


47 Comments on "We are removing Falcon Cache from Wordfence. Here’s what you need to know."

Ed October 12, 2016 at 11:56 am • Reply

Makes sense and glad to see those resources re-applied to the core product.

JohnWF October 12, 2016 at 1:53 pm • Reply

Thanks for a thoughtful & insightful overview!

You guys ARE great at security!

Keep up the good work :)

Blake October 12, 2016 at 6:21 pm • Reply

This is upsetting! I really enjoyed having a security plugin AND a great caching. WordFence causes a load generally, and Falcon Engine not only reduced the heavy load, it sped my site up.

mark October 12, 2016 at 6:44 pm • Reply

Wordfence has gotten incredibly fast, so that load should not be a problem anymore. Your site should be really fast with the regular version of Wordfence. If you would like to speed up your site with caching, first talk to your hosting provider because they may have a recommendation that works well on their specific configuration. (And these vary considerably) If they don't have a preferred option, check out the link in our post to a variety of caching plugins which work quite well.

Thanks for your comment Blake - I know this is a big change, and I'm sorry we had to make this decision. We certainly didn't take it lightly and it's something we've discussed at length and we had to make this hard call. I hope you'll stick with us and I think you'll find our 100% focus on security going forward will benefit your site security.

Regards,

Mark.

JustSayNoToGoDaddy October 12, 2016 at 7:47 pm • Reply

Such a bummer! I just transitioned multiple clients away from W3TC to using WordFence and the Basic/Falcon engine.

Johan October 13, 2016 at 1:30 am • Reply

Oh no, this is bad news. I've tried so many caching solutions and this one is by far my favourite. I get your reasoning but hope you can consider splitting off the Falcon caching code into a separate working module, then putting it on Github or similar with an appropriate license, so the community can continue with it. That way you can go ahead and focus on security, but the great effort you put in to Falcon won't go to waste. With a slight bit of effort packaging up the code subset, you can really help those like me who want to carry on with it. Pretty please?

Fabio Fava October 13, 2016 at 2:23 am • Reply

Is sad to hear, I was having amazing results using Falcon Cache. I'll keep using WordFence since I really love it, but is actually dang to have to install another plugin just for that.

ELAN42 October 13, 2016 at 3:12 am • Reply

Very bad news.

oscar October 13, 2016 at 3:26 am • Reply

the cache was great by the way, absolutely the best there is.

Kevin Friend October 13, 2016 at 7:39 am • Reply

Are there any plans to release the Falcon code, on Github or somewhere else? Maybe someone will pick up the torch.

mark October 13, 2016 at 9:44 am • Reply

No we have no plans to do that.

cfc October 13, 2016 at 10:38 am • Reply

Kevin, like all WordPress plugins, Wordfence is open source; so you're welcome to pull out the Falcon code and create your own fork on Github if you think it's worthwhile.

That said, while I've been using Falcon on a handful of low-traffic sites and having to switch those to another solution is a minor inconvenience to me, I certainly understand this decision, and I don't really disagree with it. I used Falcon because it was a zero-config, "good enough" option for very basic sites and since I had to install Wordfence anyway, just using the included cache was super-convenient. However, it was never really a full-featured optimization solution, so for any "serious" website I've always installed W3TC or Super Cache anyway.

If you're looking for another easy "good enough" solution for basic sites, Falcon Cache was hardly the only one out there. Personally, I would recommend WP Super Cache on that front; it's widely considered one of the top two caches for WordPress, and unlike its main competitor requires very minimal configuration.

John Chandler October 13, 2016 at 12:46 pm • Reply

Falcon adds blocked IP addresses to .htaccess (e.g. one that has tried to logon too many times).

When Falcon goes away, will Wordfence still do this?

If I understand correctly, the htaccess blocking is desirable, since once blocked, subsequent attempts to access the site by that IP are blocked immediately - without invoking wordpress and firing up the whole wordpress environment.

If the htaccess blocking will not be able to occur any more, a blocked ip address would be blocked, yes... but could still bring the server to its knees by just repeatedly trying and trying. Because firing up the whole wordpress environment (even if just to say "sorry you've been blocked") can be a problem if the server is getting hammered with high traffic of this nature.

Any suggestions about this particular need, let us know. Thanks!

mark October 13, 2016 at 3:16 pm • Reply

Once Falcon is removed, blocks will be handled by the Wordfence Firewall which executes incredibly quickly. It does not load the whole PHP execution environment, doesn't load the database and doesn't load WordPress. It just loads minimalistic blocking code, makes a decision and then either blocks or allows the rest of the execution environment to load and run. So IP blocking once you move away from Falcon will happen at the Firewall level, but will still be incredibly fast.

Mark.

Joni October 19, 2016 at 11:14 am • Reply

This sounds reasonable and makes me happy. And if killing Falcon makes my web host happier, and makes you guys happy, then I'm all for that too!

Scrhllbrg October 14, 2016 at 5:35 am • Reply

A bit guttered since I thought I found an excellent shortcut through the caching jungle. Hope someone will pick up this excellent concept.

Rob October 15, 2016 at 2:41 am • Reply

I've tried a number of wordpress caching plugins and I've been surprised how much faster Falcon caching is under load for my configuration. Both W3-total-cache and WP Super Cache are pretty respectable, but when I simulate 100 simultaneous users over a minute, Falcon cache is still over 3 times faster (300ms vs over 1000ms). I've tried a lot of settings so far on the alternatives but so far no luck.

For those of us looking to match Falcon's performance for our configs, can you give a brief breakdown of the caching strategy Falcon employs? I'm hoping to find something that matches the performance without having to break down and see if I can extract Falcon from the rest of your plugin for my needs.

Ronald October 15, 2016 at 6:33 am • Reply

This is indeed very bad news. I can understand from you guys' point of view, but I have mixed feelings about this. Falcon always has been a big part of my Network and has made my WordPress Multisites super fast. Even faster than any other Caching plugin I have tried (W3TC, Super Cache, Fastest Cache, etc). And so easy to use. Too bad you guys don't consider on making it optional, so everyone wins. I hope you guys will reconsider this and make it still available for those that made a huge difference.

Ronny October 15, 2016 at 9:24 pm • Reply

What about open sourcing it as a separate plugin?

mark October 18, 2016 at 10:12 pm • Reply

We have no plans to do that, but you're welcome to grab the Falcon code and play with it yourself.

Joni October 19, 2016 at 11:15 am • Reply

I hope someone does, this is excellent! {{thumbs up}}

Pramod Kumar October 16, 2016 at 9:38 pm • Reply

So sad, I'm Using Wordfence Falcon Engine, When it was launched. And it still working faster than other and doesn't increase server load. Please Don't remove this feature.

Rudolf Huber October 18, 2016 at 2:58 am • Reply

Gents, I commend you. Plenty of warning, recommendations on how to proceed, plenty of explanations. That's plenty for a free plugin. Thanks

Arnold Wender October 19, 2016 at 2:47 am • Reply

Falcon Engine was a great alternative to other caching plugins :(

Simon Hamp October 19, 2016 at 7:11 am • Reply

I have to echo most others' comments here: WordFence is superb from my point of view and has been a great benefit to all our clients' sites.

The caching aspect was a nice bonus and one that we started using and seeing some benefits from. It's a shame that it will be removed and disabled.

I've had some experience with caching and I strongly believe that the WordPress caching space is in need of a simple and free alternative. I would like to throw my hat into the ring and say that I would be happy to support the ongoing development of Falcon if it gets open-sourced.

Please consider this guys. Happy to discuss how we could make that work.

Clint October 19, 2016 at 2:54 pm • Reply

Wow, one of the reasons I picked Wordfence was the ability to combine caching and security into one package. Time to open up my research again.

Sheila Hoffman October 20, 2016 at 10:16 am • Reply

Like others I'm disappointed to lose Falcon Engine but I do understand. I have about 40 sites I'm in the middle of converting to WP-Rocket. Since I keep my htaccess and wp-config permissions set to non-writable, it's a process of manually setting them to write and then deactivating FE and installing and configuring the new cache.

My question is that sometimes my installs of Wordfence still have the Performance section there where I can deactivate it thereby removing the code. But sometimes, the same version (6.2.2) which seems odd, no longer has the Performance area and then I cannot do anything but add the new plugin.

I'm wondering why that is. A couple of times I've had issues and I'm now thinking it's related to this. I've had to remove the old htaccess file and rebuild the permalinks and then I regain my site functionality. CRAZY making! Not sure if the issue is related but it seems likely. I'd appreciate any insights.

Derek Wood October 20, 2016 at 11:14 am • Reply

Mark, Thanks for the heads up. I agree with many here that it will be a shame to see this feature removed, but it is fully understandable to focus on your strengths. Far better to be a top notch security plugin than to sacrifice security for caching functions.

In relation to grabbing the Falcon code, is that code specifically available as a separate portion of the original plugin? As you guys are the ones who integrated it separating it might help anyone willing to take on the project as they would not have to go through the process to separate it from the WordFence code. Just a thought.

Look forward to seeing future updates.

mark October 20, 2016 at 2:57 pm • Reply

Hi Derek,

Yeah actually this is a problem we discussed internally. There is some interest among a few people who want to take the falcon code and work on it as an open source project. However it's deeply integrated into Wordfence including the Wordfence IP blocking code. And separating it out - if you want to create a separate caching-only plugin - is quite a labor intensive task. We unfortunately don't have the resources internally right now to do that for someone because we're working on a major project internally, so if someone wants to run with it they're going to have to do that themselves.

I wish we did have the time to do it, but we don't.

Mark.

Chris Haas October 24, 2016 at 1:09 pm • Reply

Hi Derek,

I emailed genbiz last week but didn't hear anything back. Our company has actually undertaken and completed the task of pulling the caching engine out of Wordfence into its own dedicated plugin. I emailed your team asking what should be done in regards to branding/licensing/attribution but didn't hear anything back. Can you help me get in touch with someone? We have zero plans to profit from this and we want to make sure that we give you guys credit without making it sound like you officially support this. The plugin can be picked up here:
https://wordpress.org/plugins/vendi-cache/

Thanks,
Chris

mark October 25, 2016 at 7:19 am • Reply

Thanks Chris. We did see this. Well done! I think you should have received a reply by now. If not, we're glad you did the fork. You need to remove all Wordfence branding from the product and it looks like you've mostly done that except for a filename or two. Also pull out any copyrighted materials - I suspect you've also done that. Other than that you're free to use the code and it's awesome that users have somewhere to go to get access to it.

Congrats!!

Mark.

Scott N October 24, 2016 at 1:09 pm • Reply

Vendi has forked the WordFence Cache into a separate plugin and it works great (just like it did when it was part of WordFence). Check it out at:

https://wordpress.org/plugins/vendi-cache/

Goshen November 13, 2016 at 6:51 am • Reply

Scott - Thanks for forking out vendi out of word fence. There is a slight bug in Vendi. When other caching plugins are installed on a site, and you attempt to enable vendi after downloading the required htaccess file, vendi shows a popup (just like word fence used to) but rather than specify what 3rd party caching plugin it wants you to disable, it just writes out the plugin variable name as "$1s" as against word fence, which correctly recognizes the name of the conflicting plugin.

Nick Sutcliffe November 28, 2016 at 4:09 pm • Reply

I'm getting ready to activate Vendi Cache. Does anyone know if this bug has been fixed in the latest version? Thanks so much for doing this, Chris!

Charles Ridderstap October 26, 2016 at 2:57 pm • Reply

Hi, is there a specific procedure to do this? or just tick the "Disable all performance enhancements" option in the performance setup tab.

Tom Harrison October 28, 2016 at 5:51 am • Reply

Took your advice, removed Falcon, and then installed another cache program. Completely trashed my site. Honestly, I can't say whether it was the removal or the install of the new cache program. Please give us time to find an alternative solution.

S Stewart October 28, 2016 at 4:15 pm • Reply

Try Vendi Cache then, it should work fine.

Laura November 1, 2016 at 12:39 pm • Reply

While I understand why the caching is being pulled - it's a shame for those of us who understand caching enough to know when to enable it (or leave it disabled) on different hosting environments. Just because some users don't understand how to use the tool; doesn't mean the rest of us should get punished for it, and I feel it's a bad logical argument to make.

I think better reasoning for disabling the support for that part of the plugin is that your team wants to focus on security only - that reasoning sits better with me. In either case, I will continue to use and adore Wordfence, even if the userbase is being labeled too dumb to use the caching settings.

Also, there's a typo in this article in paragraph 4, "Some of the hosting providers we’ve worked with have told us that they want the awesome security that Wordfence providers, " ... should be provides.

mark November 1, 2016 at 1:28 pm • Reply

Thanks Laura, fixed the typo.

Fatima November 6, 2016 at 8:30 pm • Reply

This is disappointing. Falcon was by far my favorite caching solution, and it always did come with a warning to adapt it to your hosting environment. Not everyone has managed WP hosting at places like WP Engine. Most of my clients are small businesses squeezing eCommerce and company sites into budget hosting plans. They could have really used a high performance caching option.

ScottN November 17, 2016 at 1:24 pm • Reply

Fatima, not sure if you know about this, but someone has forked the WordFence cache into a separate plugin. It works exactly like the WordFence one did, so if you liked it, you will like this one the same: https://wordpress.org/plugins/vendi-cache/

Simon November 14, 2016 at 3:56 am • Reply

So disappointed! Could you please leave at least the basic caching untouched? I use Wordfence fragment caching (donotcache) which other plugins do not support. This helps much.

ScottN November 17, 2016 at 1:26 pm • Reply

Simon, the old Wordfence cache has been forked into a separate plugin, so you can still use it. See https://wordpress.org/plugins/vendi-cache/

jtwillia2 November 25, 2016 at 8:46 pm • Reply

This is sad news.

Hypothetically, couldn't one simply copy (from their htaccess file via FTP) the htaccess tweaks that Falcon Engine injects and then paste those manually into the htaccess file for any site you'd want to use that sort of caching for?

Brocknoviatch December 6, 2016 at 10:49 pm • Reply

I absolutely love the basic cache, I run all of my client websites with it. Never had much luck with falcon cache though.
When I tested caching plugins, basic cache was the fastest on my server and I didn't spend hours/days configuring & testing it *cough* W3TC
What I liked most about basic cache was that it was integrated with Wordfence and I didn't have to worry about it conflicting with the security plugin!
Thank you for releasing basic cache as the vendi-cache plugin, I will certainly be using it.

seoallin December 7, 2016 at 5:34 am • Reply

I understand Wordfence wants to focus on security only. There are many cache plugins out there you can choose from. Was the Falcon better than WP Fastest Cache and other stuff out there?

Alex December 25, 2016 at 10:44 pm • Reply

Hi,

I see the performance tab was removed and the Falcon is being deprecated, but I still see the caching code on my htaccess file and there is a line that says:
#WFCACHECODE - Do not remove this line. Disable Web Caching in Wordfence to remove this data.

is it safe to remove this code manually, now that the performance tab is gone and that option is no longer available?

What other steps do I need to take to remove the WordFence Falcon cache?
