Wordfence constants for advanced configuration
Wordfence has many options that can be set within the WordPress admin pages, but there are some additional options that are not often needed. These can be set in wp-config.php before the line that says /* That’s all, stop editing! Happy blogging. */, or in some cases, in the wordfence-waf.php file, where noted below.
The Wordfence scan results page shows up to 100 results by default, and loads more results when you reach the bottom of the page. You can adjust this higher or lower by using this line, and changing the number:
Wordfence can detect how your server sees visitors’ IP addresses and alert you if your site may not be set up to get the visitor IP addresses correctly. If you need to disable notices about this, you can add this to wp-config.php:
In addition to the option above, if you don’t want to disable the check, you can set a shorter timeout for the scan. This may be helpful if you have a development copy of your site that is not accessible publicly, so the scan will wait for a shorter time instead of the default of 30 seconds on that site. Many sites should work correctly with a timeout of only 10 seconds instead of 30:
If you see the message, “The current scan looks like it has failed” while a scan is still running properly, you may have a cache plugin or database server cache interfering with the scan results. By default, Wordfence checks for missing scan result messages in the last 5 minutes (300 seconds). If necessary, you can adjust this to a longer time period to prevent displaying the message. For example, this line would set the duration to 10 minutes:
Wordfence scans are split into short segments, usually running for half of PHP’s max_execution_time. Some hosts have resource limits set outside of PHP or configuration problems that cannot be detected automatically, which may end a scan while it is still running, with no error message in the site’s error logs. Normally, the option Maximum execution time for each scan stage can be set to a lower value, but currently the lowest value that would work with most hosts is 8 seconds. We recommend not changing this limit in most cases, but fast servers with extremely low resource limits may be able to run scans successfully with a lower limit. The minimum time can be set by adjusting the time with this constant, shown here with the default of 8 seconds:
Web Application Firewall (WAF)
If running Wordfence on a site where the wp-content directory is not writable, you can change the default path to a path that is writable. When the firewall is set up with “Extended Protection” (using .htaccess or .user.ini), add this line after the opening “<?php” tag in wordfence-waf.php instead of in wp-config.php, and change the path to a safe and writable location:
If you need to disable the Web Application Firewall, this line can be added to wordfence-waf.php on the line after the opening “<?php” tag if the firewall is set up with “Extended Protection”, or to wp-config.php if the firewall is using “Basic WordPress Protection”:
Due to the way PHP handles reading from php://input, some plugins could have a conflict with the firewall. There are no known conflicts at the time of this writing, but if you find a plugin that conflicts with this part of the firewall, it can be disabled. Disabling this feature will prevent some firewall rules from detecting malicious activity, so it is only recommended as a temporary solution. If necessary, this line should be added to wordfence-waf.php instead of wp-config.php if the firewall is set up with “Extended Protection”:
The firewall has a read-only mode, which should only occur when PHP is run from the command line, to prevent permissions issues from running as a user other than the normal user. This constant allows that to be overridden, so the firewall would always write to its config files, if necessary. More details about read-only mode are available in the Web Application Firewall FAQ.
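An added example (not Wordfence's own code): a small Python audit of wp-config.php text that applies the placement rules above, flagging Wordfence constants defined after the stop-editing line, firewall constants that belong in wordfence-waf.php under "Extended Protection", and firewall settings left in a protection-disabling state. The constant names in the constructed sample and the WORDFENCE_/WFWAF_ prefix match are assumptions that do not appear on this page; check them against Wordfence's current documentation.

```python
import re

# Matches define('NAME', value); for Wordfence constants. The WORDFENCE_/WFWAF_
# prefixes and the names used in SAMPLE are assumptions (not listed on this page).
DEFINE = re.compile(
    r"""^\s*define\(\s*['"]((?:WORDFENCE|WFWAF)_[A-Z0-9_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")
STOP = re.compile(r"That.s all, stop editing")  # '.' tolerates ' or ’
# Settings the page describes as turning protection off: name -> weakening value.
WEAKENING = {"WFWAF_ENABLED": "false", "WFWAF_DISABLE_RAW_BODY": "true"}


def audit_wp_config(text, extended_protection):
    """Return (line_no, constant, problem) findings, in file order."""
    findings, past_stop = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if STOP.search(line):
            past_stop = True
            continue
        m = DEFINE.match(line)  # anchored at line start, so commented-out defines are skipped
        if not m:
            continue
        name, value = m.group(1), m.group(2).lower()
        if past_stop:
            findings.append((no, name, "after stop-editing line"))
        if extended_protection and name.startswith("WFWAF_"):
            findings.append((no, name, "move to wordfence-waf.php"))
        if WEAKENING.get(name) == value:
            findings.append((no, name, "protection disabled"))
    return findings


# Constructed wp-config.php excerpt for the demo.
SAMPLE = """<?php
define('DB_NAME', 'wp');
define('WFWAF_ENABLED', false);
// define('WFWAF_DISABLE_RAW_BODY', true);
define('WORDFENCE_DISABLE_FILE_VIEWER', true);
/* That’s all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
define('WORDFENCE_DISABLE_LIVE_TRAFFIC', true);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE, extended_protection=True):
        print(finding)
```

Run it against each site's wp-config.php after troubleshooting to catch a firewall that was disabled temporarily and never re-enabled.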
WPML in certain configurations will change the internal domain that WordPress uses when generating URLs. Normally, Wordfence can detect the site’s main domain automatically in these cases, but it can’t detect if you override the site’s URL using WP_HOME and WP_SITEURL in your wp-config.php to a single domain or a dynamic value. If your site is set up with a single domain in WP_HOME and WP_SITEURL, you can set this constant in wp-config.php so Wordfence will prefer that domain:
Wordfence has a file viewer that lets you view files from the scan results page. If you have limited your admin account’s abilities and would like to disable the file viewer, you can set this constant. This also disables the side-by-side comparison for modified core/plugin/theme files, but the scans will still notify you if the files have changed:
Wordfence’s Live Traffic feature can be disabled on the Options page, but if you need to stop other admins from enabling it, you can set this constant. This can be helpful for developers who have clients using slow hosts, if the client has an admin account and might turn on Live Traffic:
The Blocked IPs page will show up to 100 blocked IPs by default. If you have a long list of blocked IPs, you can change this value to a lower amount if you prefer faster loading, or increase the amount to load more entries, which may be helpful if you use your browser’s search to find blocked IPs: