Wordfence Now Works on WP Engine and with Load Balancers
Today we are launching a version of Wordfence containing a new feature for sites on hosting providers with read-only file systems such as WP Engine or for environments where multiple web servers are behind a load balancer. This new feature uses a MySQL storage engine for firewall attack data to protect WordPress sites in complex hosting environments.
For most sites, Wordfence uses the file system to store data about attacks. Writing attack data to the file system is the most efficient method of doing so, and if a site allows for file access, your Wordfence plugin will continue to use this method.
WP Engine’s File System Locking
One of WP Engine’s security features only allows write access to the filesystem when a WordPress administrator is logged in. When there is no active administration session, the file system is read-only. This is a great security feature to limit file changes when no authenticated user is working on the site. However it limits the ability for certain plugins to work optimally, such as Wordfence.
In cases like this where file system access is not allowed, the new Wordfence MySQL storage engine allows WP Engine users to leverage Wordfence’s unparalleled protection for WordPress.
Load Balancers are now supported
In load balanced environments, state is not maintained on individual WordPress servers. This prevents Wordfence from using a file-based storage scheme for the firewall. The new Wordfence MySQL storage engine solves this by allowing a load balanced site to maintain state across multiple web servers, using MySQL as a central storage system.
Wordfence customers can now deploy Wordfence in their load balanced environments and scale their web server cluster horizontally while benefiting from Wordfence protection for the entire installation. We have many larger customers who are very excited about this new feature.
Wordfence MySQL Storage Engine FAQ
As we are sure you have questions, we wanted to provide some answers to determine what this means for your sites.
Q: I’m not using WP Engine. What changes do I have to make?
Nothing will change, and you won’t have to change anything. Wordfence will continue to work exactly as it always has on your site. In fact, we recommend you don’t change anything. This new feature is an accommodation for complex environments only. There are no new settings that you need to adjust.
Q: I’m installing Wordfence on a site at WP Engine. What do I have to do?
Site owners do not have to change anything. Wordfence will detect your WP Engine installation and make the required configuration change to activate the MySQL storage engine for the firewall
Q: I have a site hosted behind a load balancer. What do I need to do?
In order to have the MySQL storage engine enabled in load balanced environments, a constant will need to be changed in the Wordfence environment.
To configure the WAF to use the MySQL storage engine, you would need to add define(‘WFWAF_STORAGE_ENGINE’, ‘mysqli’); to the top of your site’s wordfence-waf.php in Extended Protection mode. Our documentation details how to do this.
Q: How will this change performance of Wordfence?
There are no changes in performance for either the Wordfence firewall or scan engine. This new feature only changes how the recording of attacks are stored for sites on WP Engine or load balanced servers. Performance will not be affected.
Q: Do I have to use Wordfence Premium to use the MySQL storage engine?
The MySQL storage engine is completely free. It is available for users running Wordfence Premium and our free community customers. That means that both the free and Premium versions of Wordfence will now be supported on WP Engine.
Q: Anything else we should know?
WP Engine needs to make a change on their end once we release this version of the plugin to ensure that Wordfence is fully supported. There may be a brief delay while they make this change, so please be patient. If you are trying to enable Wordfence on WP Engine and are having trouble, please contact their support team. We are working directly with WP Engine and they are able to reach out to us in case we need to provide assistance.
If you are using a load balanced environment and need help enabling this new feature, please don’t hesitate to reach out to our support team either via our ticketing system for Premium customers, or via our public forums if you are a free customer.
We welcome your feedback about Wordfence’s MySQL storage engine and how Wordfence supports your security on WP Engine and load balanced WordPress environments.
All product names, trademarks and registered trademarks are property of their respective owners. All company, product and service names used in this post are for identification purposes only. Use of these names,trademarks and brands does not imply endorsement.
Comments
10:21 am
Thank you for sharing, Matt. This is exciting news! I just have a quick question purely out of curiosity. You mention that writing attack data to the file system is the most efficient method of doing so, but you also mention that using the new MySQL engine won't have any impact on performance. I'm just curious as to the reasoning behind the file system being preferable. Is it just to avoid consuming unnecessary DB connections, or are there other reasons you opt to use the file system whenever possible? Keep up the great work!
11:36 am
Initiating a database connection is part of the reason why using the filesystem is faster. One other reason is how the WAF rules are stored within Wordfence. Using the file based storage engine, they are compiled into pure PHP which can take advantage of opcode caching and results in fast execution. Using MySQL, we need to pull the rules down from the database and translate them into a format which the WAF can run. It adds some latency, but is still quite fast.
11:51 am
Thanks for the explanation!
10:46 am
Hi Matt, many thanks your article! I have been using wordfence for couple of years and there is just one word I can use to describe your service. It's simply AWESOME! It makes me sleeping well all times. Thank you guys!
12:33 pm
Will this also by chance help solve the issue whereas some hosts do not allow the setting the auto_prepend_file and thus allowing the firewall to run in Extended Protection mode?
Thank you for such an awesome product!
1:55 pm
No, unfortunately, that's an issue that is unrelated to this new feature.
3:08 pm
Hi
nice feature... to improve performance, systems with memcached or something can cache the result of the queries, right?
or this kind of cache isn't ok to this kind of feature?
6:41 am
We haven't implemented a caching layer around this storage engine yet (although MySQL does provide its own caching). It's possible we will in the future though.
7:01 am
Your timing is great. We have a new client with five WordPress sites on WP-Engine who wants to subscribe to our Maintenance and Monitoring service (that includes WordFence). Since we were aware of the WP-Engine issues, we were concerned about securing their sites. Thank you!
8:04 am
I just contacted WP Engine customer support. They are still saying that Wordfence is still a disallowed plugin in their environment. Maybe some communication work needs to occur to get the news about this new functionality down to the WP Engine support ranks. I'd like to try this out on some of my sites, but until support works this into their disallowed plugins scanner, they are going to shut me down.
Thanks,
Cynthia
8:50 am
Hi Cynthia! Thank you for letting us know. We've reached out to our contacts at WP Engine. Thanks for your patience as this change is communicated throughout their organization. Once you get it up and working, please do let us know how things work out.
8:58 am
Thanks for your reply, Kathy. They just contacted me again a few minutes ago to let me know that Wordfence has been removed from the disallowed list today. The information is filtering into the Support organization it appears.
9:04 am
Awesome! Thanks for letting us know.
10:53 am
If a website has been using the file based storage method, and then changes to the database storage. Will it take current data from files and move it into the database, or just start fresh?
11:24 am
Hi Dale! When switching storage methods, the dataset will start fresh.