Information about debugging issues with your site can be found here.
Sometimes your theme or other plugins can interfere with or break WordPress functions and therefore prevent Wordfence from working. The easiest way to isolate which plugin is causing the issue is to deactivate all plugins except Wordfence and then activate them again one by one until one of them breaks Wordfence. Some examples of problems that we have seen are:
- Plugins that try to protect your “/wp-admin/” area but in doing so block access to the “admin-ajax.php” file which is located in that directory and needs to be publicly accessible.
- Plugins that put your site into maintenance mode and also disable the “admin-ajax.php” file.
- Plugins that disable jQuery in WordPress. This disables Wordfence and almost all other plugins and themes that rely on this core library.
Please note that the Wordfence team cannot provide support for other plugins. However, if you are aware of a specific incompatibility then please report it to us.
How to inspect the browser developer tools Console
Browsers on desktop computers have developer tools that show details about every page loaded in your browser. On Windows in Chrome, Edge, and Firefox, the browser developer tools can be opened by pressing F12. On Mac, you can open it by pressing Command+Option+i. The browser developer tools are also available via the respective browser’s menu.
How to take a screenshot
When collecting data for debugging purposes, it can be useful to save screenshots to communicate exactly what is going wrong. If you are in contact with Wordfence support, they may ask you to provide a screenshot to demonstrate your issue.
Most operating systems provide built-in features for taking screenshots. On Windows computers, you can use the “Snipping tool”. On Mac computers, you can press Shift-Command(⌘)-3 to save a full screenshot on your desktop. To take a partial screenshot, press Shift-Command(⌘)-4 and click-drag over the area you want to screenshot. For information on other ways to take a screenshot, you can visit https://www.take-a-screenshot.org.
Once you have the screenshot you can send it as an attachment in an email, or host it on a service online so that you can share a link to it instead. An example of such a service is https://imgur.com/. Remember to never share any sensitive details such as usernames or passwords in screenshots or text.
Admin pages with query string redirect to the home page
If you are trying to visit “Click to view your system’s configuration in a new window” on the Wordfence “Diagnostics” page and the home page of your site loads instead of the system information page, your theme may be using the “template_redirect” hook incorrectly.
WordPress has a built-in function called “template_redirect” which allows theme authors to make redirects that are informed about the specific state of WordPress during a request. For example, it can be used to make different redirects depending on whether a user is logged in or not.
On occasion, theme authors will use the “template_redirect” hook in a way that breaks all URLs that request the root of the site and have query strings, because it redirects all those requests to the site’s home page. Unfortunately, there is not a fix for this, other than to ask the theme developer to change how their code works so it doesn’t impact other URLs on your site. You can read more about the “template_redirect” hook and how to use it in the WordPress documentation. Please note that as the documentation states, loading a different template is not a good use of this action hook.
Failed Wordfence update
As of WordPress 5.5, WordPress has a feature on the Plugins page where you can choose for individual plugins to update automatically that are available from the wordpress.org plugin repository. Wordfence also has an option to allow the plugin to update automatically. In very rare cases, allowing Wordfence to update automatically can be problematic because the update may fail and you won’t know about it until you login to your site and see that Wordfence is missing from the list of plugins for example. This can also happen to other plugins that have a feature to update automatically and not just Wordfence. Often site owners will try to install Wordfence again and be presented with a common error message containing, ‘Destination folder already exists’.
A failed automatic update of Wordfence is usually related to a problem on the hosting server. The update process involves removing old files, extracting the new plugin and then copying over the new files to the plugin location. On some hosting servers that process can exceed the PHP max_execution_time or even the gateway timeout. It is usually during the last part of the transfer when the new files are copied over that issues can occur.
To resolve this you can manually delete the Wordfence plugin directory in the plugins directory below:
All of your plugin settings will remain intact as they are stored in the database.
You can then reinstall the plugin again on the WordPress Plugins page.
You can also prevent this from happening again by disabling the option to update Wordfence automatically, whether that is the WordPress “Plugins” page and/or in the “General Wordfence Options” section on the Wordfence “All Options” page. If you have the Wordfence email alert option “Alert me with scan results of this severity level or greater” set to at least “Medium” then you will receive an email alert when a new version of Wordfence is available to install.
Frequently Asked Questions
- PHP Fatal error: Allowed memory size exhausted
Occasionally, depending on your site, resources, and plugins and themes you may get a php error that says something like this:
PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes)
Fatal error: Out of memory (allocated 33292288) (tried to allocate 616 bytes) in...
This issue is not a Wordfence error but simply indicates that you need to contact your hosting provider and ask them to increase your site memory. Usually your hosting provider will edit your php.ini file to increase the memory_limit parameter, and they may also have to increase your web server memory limit along with any operating system limits they have.
Increase PHP Memory
This is an indication that your memory in php.ini is not set high enough. You can define this in your php.ini file (usually found in /etc on linux systems – check your documentation for windows servers, which are currently unsupported by Wordfence). Look through the file for a line like this:
memory_limit = 128M. Keep in mind the 128M is probably different. That’s the amount of memory that php is allowed to consume. If you have 10 plugins and combined they consume more memory than you have allocated, you’re going to have problems. You can assign more by increasing this value. (Some of our personal sites have 256M allowed, but these are pretty big sites with a substantial number of hits and plugins). Make sure and restart httpd (apache) after making changes here.
Disable plugins that affect database queries
When the scan is running Wordfence has to make a lot of database queries. If you are using plugins that affect all database queries such as Query Monitor, you may run out of PHP memory. If you have Query Monitor or any similar plugin installed, make sure it’s deactivated while Wordfence scan is running.
- Warning: require_once(vendor/wordfence/wf-waf/src/init.php): failed to open stream
Plugin updates can fail for various reasons such as running out of disk space, connection issues, or performance issues. This is not something that only affects the Wordfence plugin but happens with other plugins as well. If you see this specific error message shown below then it likely means that a Wordfence update failed. You need to access your site via FTP/SSH or your hosting control panel file manager and delete the “wordfence” directory located in “wp-content/plugins”. Then install Wordfence from the WordPress “Plugins” page again. Your options are saved in the database so this procedure should completely restore your Wordfence installation.
Warning: require_once(vendor/wordfence/wf-waf/src/init.php): failed to open stream
- “Connection reset” error message after updating
This may occur rarely on Windows servers, and can be solved by increasing the thread stack size by adding the following code to the “httpd.conf” configuration file:
If your site is on a Windows server and you do not have access to the “httpd.conf” configuration file, you will need to contact your hosting company for the change to be made.
In at least one case on a local WAMP (Windows, Apache, MySQL, PHP) installation, the “ThreadStackSize” had to be set to 16777216 (16 MB) instead. This may depend on which Windows version you are using, the active Apache modules, or other settings.
On local installations, the “httpd.conf” configuration file is typically located at a path like:
- ‘How does Wordfence get IPs’ setting is misconfigured
When Wordfence detects that your site is behind a “reverse proxy”, you may need to adjust the option “How does Wordfence get IPs” in the “General Wordfence Options” section on the “Dashboard” > “Global Options” page, or by clicking the link in the admin notice that warns you about the issue. This includes the following message, followed by a recommendation:
Your 'How does Wordfence get IPs' setting is misconfigured
To resolve this you can click the link in the message to apply the recommended setting, or you can adjust the setting manually.
Wordfence also runs this check upon the activation of the plugin, to ensure that your settings are correct.
For advanced users, there are two constants that can be set to control this feature:
If you have dismissed the admin notice about this option being misconfigured, it can reappear when a new version of Wordfence is installed, to be sure you are aware of the issue. If you do not want the admin notice to reappear, you can use the constant above to disable the notice permanently.
If you do not want the scan option “Scan for misconfigured How does Wordfence get IPs” to run, this can be disabled on the “Scan” > “Scan Options and Scheduling” page.
- ‘Forbidden’ message when trying to use a Wordfence feature
If you look at a particular scan result after you run a Wordfence scan on your site and try to view a file’s contents or see file differences using Wordfence then you may see a “Forbidden” message. This is often caused by other plugins that try to protect your site by creating complex “.htaccess” files. Often these plugins accidentally block legitimate WordPress applications or site visitors, which is why we do not like to protect sites with very complex “.htaccess” files.
If you see this message, look for a “.htaccess” file in your WordPress root directory that was created by another plugin and contains many complex rules. Either modify the plugin to prevent it from blocking legitimate WordPress applications or use a simple “.htaccess” file and use another method to protect your site.
- Fatal error: Cannot call overloaded function for non-object
If your site goes down with this error below then this is not caused by Wordfence. Instead, it is a PHP problem:
Fatal error: Cannot call overloaded function for non-object in /home/urnamehere/public_html/wp-content/plugins/wordfence/lib/wfLog.php
To fix this, you can upgrade php to version 5.5 or higher. You can also disable your APC cache which can be done by modifying your PHP initialization file. Note that we recommend backing up your PHP initialization file file before modifying it.
On a new line, type apc.enabled=0
Save your changes.
- Handling script conflicts on admin pages
Some plugins or themes may cause conflicts with scripts that can prevent some WordPress admin pages from working when both Wordfence and the other plugin (or theme) are enabled.
Plugin conflicts from WordPress combining scripts
If one of the errors comes from “load-scripts.php”, that is because WordPress combines multiple scripts into a single request so admin pages load a little more quickly, but since multiple scripts are loaded at once, an error in one script can affect the others. You can prevent this so that each script will load individually by adding this line of code to your WordPress “wp-config.php” configuration file:
Be sure to add it before the line that says:
/* That's all, stop editing! Happy blogging. */
This will either help show which script file is causing the conflict, or it may prevent the issue from happening. If you can find the cause of the conflict and fix it, you can remove this line from your WordPress “wp-config.php” configuration file.
Plugins loading scripts on all admin pages
Most plugins should not load scripts on other plugins’ pages, but some do this unintentionally, or because they have features that work throughout all WordPress admin pages.
Caching and optimization plugins
If you use a plugin that “minifies” scripts or concatenates (combines) scripts, any script that is loaded can trigger a problem with other scripts. This type of feature is usually included in a caching or optimization plugin. You can temporarily disable the caching or optimization plugin and check if the problem still occurs. If it stops occurring, there are a few ways it can be fixed:
- If your caching / optimization plugin allows you to exclude some scripts from optimization, you can add Wordfence’s scripts to that list. This is the easiest solution, but may still leave conflicts between other plugins aside from Wordfence.
- Temporarily disable other plugins, except for Wordfence and the caching / optimization plugin. Then, enable one additional plugin at a time until the problem occurs again. When you find which plugin causes the conflict, you can report the issue to the plugin author. Be sure to mention which caching / optimization plugin you are using too since that can help them see what happened.
- Temporarily switch themes and see if the problem still occurs. Some themes contain scripts and could cause the same problem.
Amazon CloudFront and other CDNs
Amazon CloudFront and some other CDN’s have an option to treat files as the same, no matter what query string is included in the URL. WordPress, Wordfence, and other plugins use the “?ver=” query string to prevent caching when a new version is released, so if you use a CDN, it should be configured to treat URLs as different files if the query string is different, and “forward query strings to the origin server” when they request files from your site. More details are available here.