Wordfence works on most WordPress websites. However, to make sure it works on your site you can check that it meets our minimum system requirements.
General System Requirements
We recommend using the most recent version of WordPress, or one major release behind. For older sites that cannot upgrade WordPress without major theme or plugin changes, Wordfence supports versions as early as WordPress 4.4, though we still recommend fixing any plugin or theme conflicts and updating to a more recent WordPress version as soon as it is practical. Currently, Wordfence will still run on WordPress 3.9, but support for versions below WordPress 4.4 will be discontinued in a future release.
If you are running an older major version or “branch” of WordPress, always be sure that your site is running the latest minor version of that branch. For example, WordPress 4.4.24 is not as safe as WordPress 4.4.25 and should be updated. See the list of WordPress versions here.
Operating system and web server software
Wordfence is tested and works on Linux or other Unix type operating systems. We do not recommend using Wordfence on Windows/IIS. Though we have reports of Wordfence working on IIS and other Windows web server platforms they are not officially supported. Please note that HHVM is not supported due to stability issues within HHVM. As of May 2017, WordPress is not tested with HHVM.
Wordfence works on PHP versions as old as 5.5, but we recommend PHP version 8.0 and above. Please note that everything prior to PHP 8.0 is currently considered old and unsupported by the developers of PHP. There are no security releases for older versions, though some hosting providers may have an old version of PHP with “backported” security fixes, to make the old version safe while making minimal changes to PHP itself. You can see a timeline of PHP version history here on php.net:
Aside from security concerns, newer versions generally have performance and stability improvements. Some hosting providers let you choose the PHP version your site uses in the site’s hosting control panel, separate from WordPress.
PHP 8.0 and greater have significant changes from previous versions, which may change the existing behavior of WordPress, plugins, and themes. Wordfence is compatible with PHP 8 and above, but other plugins and themes still may cause conflicts that do not occur on earlier PHP versions. Plugin and theme conflicts or other issues that previously caused warnings can now cause fatal errors instead. You can read more about PHP 8 on our blog post below:
In 2019, WordPress also changed its minimum version of PHP required for WordPress version 5.2 to PHP 5.6.20 and recommended using PHP 7.4 or greater: https://wordpress.org/about/requirements/
As of October 2020, WordPress core considered PHP 8.0 and 8.1 to be under “beta support”, marked with an asterisk here: https://make.wordpress.org/core/handbook/references/php-compatibility-and-wordpress-versions/
WordPress 6.2 was released on March 29, 2023 and includes some PHP 8.0 compatibility fixes. This now prevents certain warnings or notices that could occur in WordPress core while using Wordfence on PHP 8.0+, including messages from the “Requests” library.
Wordfence is tested on multiple PHP versions, including PHP 8.2. We recommend checking your other plugins and themes for compatibility with newer PHP versions, to avoid plugin conflicts caused by PHP compatibility issues.
For Wordfence to function properly, it needs to be able to connect to Wordfence cloud servers. These servers support modern SSL/TLS technology, which means TLS 1.1 or higher. For more information about this, please consult this document from the PCI Security Standards Council.
You can check if your Wordfence installation is able to connect to Wordfence servers on the Wordfence “Tools” > “Diagnostics” page in the “Connectivity” section. If there is an indication of problems connecting to Wordfence servers, scroll down on the Diagnostics page to the “Other tests” section and click “Click to view your system’s configuration in a new window”. In the new browser tab that opens, find your SSL version. You can then use either of these links to determine how old your SSL version is:
If you find that your SSL version is more than 5 years old, you should contact your hosting provider and have them upgrade it to a more recent version. The SSL version is often upgraded automatically when you upgrade cURL or PHP. If you are having problems despite using a modern SSL version please run an SSL test for detailed diagnosis. If you need help interpreting the results then contact your hosting provider or Wordfence support for assistance.
You will need to have a MySQL or MariaDB database. Wordfence will work with the MyISAM or the InnoDB storage engine set as your default storage engine. Apart from the two tables listed below, we do not specify the storage engine type when creating our database tables, and we will use the default storage engine set on your server. The two tables below will be created using the InnoDB storage engine:
If you are having issues with corrupt database tables, try reinstalling using InnoDB as the default storage engine instead of MyISAM as it tends to be a bit more stable.
We recommend a minimum of 128 megabytes of memory which needs to be available to PHP for you to run Wordfence.
You can also check your system information by clicking the link “Click to view your system’s configuration in a new window”. This is found in the “Other Tests” section on the “Tools” > “Diagnostics” page. A new browser tab will open to show your web server and PHP environment information. If the page is blank then this means that your hosting provider has likely disabled the “phpinfo” function. Look for the line “memory_limit” in the “Core” section which shows your memory limit as set in the master “php.ini” file on your server. However, this might not be present on some systems and it is also unreliable because it is possible to limit memory at the web server level and also the operating system level. So instead, if you see a memory error, we suggest you contact your site administrator or your hosting provider and work with them to determine:
- What your memory limit is.
- If you can upgrade it.
Most hosting environments work well with Wordfence and we have not had reports of a well-configured Wordfence installation unable to function fully due to lack of CPU resources. So you should not have to upgrade or change your CPU configuration to use Wordfence.
We see two kinds of CPU issues. In both cases, the hosting provider will contact their customer and tell them that something is accessing “/wp-admin/admin-ajax.php” with many requests and consuming too many resources. The hosting provider will ask their customer to reduce the number of requests or face throttling. Here is how you can fix either scenario:
Scanning too frequently
If you are using the free version of Wordfence then the scanner will run every 3 days and you are unable to adjust this frequency. If you need to reduce scan frequency you can upgrade to Wordfence Premium and schedule the Wordfence scanner to run once per week instead.
If you already have a Premium license key, with multiple scans scheduled to be run on a daily basis, then you can schedule no more than one scan per day. You could also schedule scans to run once every few days or once a week.
You can further optimize server load with the following tips:
- Set the “Standard Scan” mode instead of the “High Sensitivity” mode for routine scanning.
- Enable the scan performance option “Use low resource scanning (reduces server load by lengthening the scan duration)”.
- Set the general Wordfence option “Update interval in seconds” to a value of 10, or even 15. See here for more information about this option.
If the automatic updating of the “Tools” > “Live Traffic” page feed is causing your hosting provider to reach out to you about server resource usage then you can reduce the update frequency of your Live Traffic page feed. The Live Traffic page feed is set to update every 2 seconds by default. Reduce this to a value of 10, or even 15. This is controlled by the general Wordfence option “Update interval in seconds”. See here for more information about this option.
Wordfence has been tested on and works with the following web servers or environments:
- Apache using mod_php
- Apache with Nginx set up as a reverse proxy.
- Apache with FastCGI
- Nginx with PHP-FPM
Please note that on Nginx the Wordfence option “Disable Code Execution for Uploads directory” does not work since it relies on the use of a “.htaccess” file. You also need to take special action to hide the “.user.ini” file on Nginx. You can find information about how to do that here.
As of Wordfence 6.0.2, released on the 20th of May 2015, we fully support IPv6.
Feature Specific Requirements
Separate prompt for Two-Factor Authentication
The Legacy Two-Factor Authentication feature in Wordfence allows you to use a separate input field for the two-factor authentication code. This feature requires enabling the PHP function “output_buffering”. You can check the settings for “output_buffering” via the Wordfence “Tools” > “Diagnostics” page. Expand the “Other Tests” and then on “Click to view your system’s configuration in a new window”.
WordPress Multisite Compatibility
Wordfence is compatible with WordPress Multisite installations. Please note that Wordfence needs to be installed on your “Network Admin” > “Plugins” page. Please do not attempt to install Wordfence for each site instance on a Multisite installation.
We have seen several multisites with performance issues due to an outdated “object-cache.php” file. If you have performance problems on a multisite with Wordfence and are using an object cache, note that drop-in plugins do not show updates when WordPress checks for plugin updates, so you may need to check manually that it is up to date.
LiteSpeed Specific Configurations
Wordfence works on a LiteSpeed web server. However, in some cases, some configurations may need to be tweaked for Wordfence scans and the automatic update feature to work optimally. For more information, please see Wordfence and LiteSpeed.