General System Requirements
We recommend using the most recent version of WordPress, or one major release behind. For older sites that cannot upgrade WordPress without major theme or plugin changes, Wordfence supports versions as early as WordPress 4.4 — though we still recommend fixing any plugin/theme conflicts and updating to a more recent WordPress version as soon as it is practical. Currently, Wordfence will still run on WordPress 3.9, but support for versions below WordPress 4.4 will be discontinued in a future release.
If you are running an older major version or “branch” of WordPress, always be sure that your site is running the latest minor version of that branch. For example, WordPress 4.4.24 is not as safe as WordPress 4.4.25 and should be updated. See the list of WordPress versions here.
Wordfence is tested and works on Linux or other Unix type operating systems. We do not recommend using Wordfence on Windows/IIS. Though we have reports of Wordfence working on IIS and other Windows web server platforms they are not officially supported. Please note that HHVM is currently not supported due to stability issues within HHVM. As of 2017-05-25, WordPress is not tested with HHVM. WordPress development team recommend switching to PHP 7.
Wordfence works on PHP 5.3 but 5.4 is required for some features. We strongly recommend PHP version 7.3 or 7.4. Please note that everything prior to PHP 7.2 is currently considered old and unsupported by the developers of PHP. There are no security releases for older versions, though some hosts may have an old version of PHP with “backported” security fixes, to make the old version safe while making minimal changes to PHP itself. You can see a nice visual depiction of PHP version history here: http://php.net/supported-versions.php. Aside from security concerns, newer versions generally have performance and stability improvements. Some hosts let you choose the PHP version your site uses in the site’s control panel, separate from WordPress.
We do not yet recommend PHP 8.0, as it has significant changes which may change the existing behavior of WordPress, plugins, and themes. Wordfence can run on PHP 8.0, but other plugins and themes may cause conflicts that do not occur on earlier PHP versions. You can read more about PHP 8.0 here: PHP 8: What WordPress Users Need to Know
In 2019, WordPress also changed its minimum version of PHP required for WordPress version 5.2 to PHP 5.6.20, and currently recommends using PHP 7.4 or greater: https://wordpress.org/about/requirements/
For Wordfence to function properly, it needs to be able to connect to Wordfence cloud servers. These servers support modern SSL/TLS technology, which means TLS 1.1 or higher. For more information about this, please consult this document from the PCI Security Standards Council.
You can check if your Wordfence installation is able to connect to Wordfence servers on the Wordfence Tools > Diagnostics page in the Connectivity section. If there is an indication of problems connecting to Wordfence servers, scroll down on the Diagnostics page to the “Other tests” section and click “Click to view your system’s configuration in a new window.” In the new window that opens, find your SSL version. You can then use either of these links to determine how old your SSL version is:
If you find that your SSL version is more than 5 years old, you should contact your web host and have them upgrade it to a more recent version. The SSL version is often upgraded automatically when you upgrade cURL or PHP. If you are having problems despite using a modern SSL version please run an SSL test for detailed diagnosis. If you need help interpreting the results contact your web host or Wordfence support for assistance.
You require a MySQL or MariaDB database. Wordfence will work with MyISAM or the InnoDB storage engine set as your default engine. Apart from the two tables listed below, we don’t specify storage engine type type when creating our tables and will use your defaults. The two tables below will be created using the InnoDB storage engine:
If you are having issues with corrupt tables try reinstalling using InnoDB as the default storage engine instead of MyISAM as it tends to be a bit more stable.
We recommend a minimum of 128 megabytes of memory which needs to be available to PHP for you to run Wordfence.
You can also check your system information by clicking the link at the bottom of your Wordfence options page to view your web server and PHP environment information. On some installations there may be text titled “memory_limit” which shows your memory limit as set in your PHP.ini file. However this is not present on many modern systems and it’s also unreliable because it’s possible to limit memory at the web server level and also the operating system level. So instead, if you see an out of memory error, we suggest you contact your site admin or hosting provider and work with them to determine:
- What your memory limit is.
- If you can upgrade it.
Most hosting environments seem to work well with Wordfence and we have not had reports of a well configured Wordfence installation unable to do it’s job due to lack of CPU resources. So you should not have to upgrade or change your CPU configuration to use Wordfence.
We see two kinds of CPU issues. In both cases a hosting provider will contact a customer and tell them that something is accessing /wp-admin/admin-ajax.php with many requests and consuming too many resources. The hosting provider will tell the customer (that’s you site administrators) to slow down or face throttling. Here’s how you fix either scenario:
Scanning too frequently
If you are using the free version of Wordfence then your scans will run every 3 days and you are unable to adjust this frequency. If you need to reduce scan frequency you can upgrade to Wordfence premium and schedule Wordfence to scan once per week instead.
If you already have a premium license key, with multiple scans scheduled to be run on a daily basis, then you can schedule no more than one scan per day. You could also schedule scans to run once every few days or once a week.
You can further optimize server load with the following tips:
- Set the Standard Scan option instead of the High Sensitivity option for routine scanning.
- Enable the scan performance option Use low resource scanning (reduces server load by lengthening the scan duration).
- Set the general Wordfence option Update interval in seconds to a value of 10, or even 15.
If the automatic updating of the Live Traffic page feed is causing your hosting provider to reach out to you about server resource usage then you can reduce the update frequency of your Live Traffic page feed. The Live Traffic page feed is set to update every 2 seconds by default. Reduce this to something like 10, or even 15 seconds. This is controlled by the general Wordfence option Update interval in seconds.
Wordfence has been tested on and works with the following web servers or environments:
- Apache using mod_php
- Apache with Nginx in front as reverse proxy.
- Apache with FastCGI
- Nginx with PHP-FPM
Please note that on Nginx the Wordfence option Disable Code Execution for Uploads directory does not work since it relies on .htaccess. You also need to take special action to hide the .user.ini file on Nginx. You can find information about how to do that here.
As of Wordfence 6.0.2, released 5/20/2015, we fully support IPv6.
Feature Specific Requirements
The Wordfence Country Blocking feature requires PHP version 5.4 or greater. With lower versions of PHP Wordfence will not be able to block visits to your site based on the IPs estimated country of origin. This is a feature specific requirement. All other functions in Wordfence will continue working if you are unable to upgrade PHP though we strongly recommend upgrading to increase the performance, stability and security of your site.
On some web hosts you can change PHP version yourself via cPanel or a similar administration panel. If you are unsure of how to upgrade PHP please contact your web host for support.
Separate prompt for Two Factor Authentication
The Two Factor Authentication feature in Wordfence allows you to use a separate input field for the security code. This feature requires that the PHP setting output_buffering is enabled. You can check the settings for output_buffering via the Wordfence “Diagnostics” page by locating the section Other Tests and then “Click to view your system’s configuration in a new window”.
WordPress Multi-Site Compatibility
Wordfence is compatible with WordPress multi-site installations. Please note that Wordfence needs to be installed on your Network Admin plugin installation page and will appear as a menu option in the network admin area. Please do not attempt to install Wordfence for each site instance on a multi-site installation.
LiteSpeed Specific Configurations
Wordfence works fine with LiteSpeed. However, in some cases some configurations may need to be tweaked for Wordfence Scans and Automatic updates to work optimally. For more information, please see Wordfence and LiteSpeed.