Troubleshooting

How do I inspect the browser console or take a screenshot? Information about debugging issues with your site can be found here.

Debugging

Sometimes other plugins can interfere with or break WordPress functions and therefore prevent Wordfence from working. The easiest way to isolate which plugin is causing the issue is to disable all plugins except Wordfence and then reenable them one by one until one of them breaks Wordfence. Some examples of problems we’ve seen are:

  • Plugins that try to protect your /wp-admin/ area but in doing so block access to admin-ajax.php which lives in that directory and needs to be publicly accessible.
  • Plugins that put your site into maintenance mode and also disable admin-ajax.php.
  • Plugins that generate JavaScript errors. These errors prevent any other JavaScript from executing on the same page and will thus break Wordfence JavaScript. Read more below about using the browser console.
  • Plugins that disable jQuery in WordPress. This disables Wordfence and almost all other plugins and themes that rely on this core library.

Please note that the Wordfence team can’t provide support for other plugins; however, if you’re aware of a specific incompatibility, please report it to us.

How to inspect the browser console

Chrome Browser Console

Browsers on desktop computers have a console which shows details about every page loaded in your browser. On Windows in Chrome, Edge and Firefox, the browser console can be opened by pressing F12. On Mac, you can open it by pressing Command+Option+i. The browser console is also available from each browser’s menu.

The console has several tabs. The most important ones for debugging are the “Console” and “Network” tabs. The “Console” tab will tell you if there are any JavaScript errors happening on the page. The “Network” tab will show you if all resources on the page have loaded correctly. A resource that has loaded correctly will have a status of 200 OK or 304 Not Modified. If you see a status code of 404, it means that resource was not found. 403 means the request was blocked, and 503 means the server responded to the request saying that the service is unavailable.

How to take a screenshot

When collecting data for debugging purposes, it can be useful to save screenshots to communicate exactly what is going wrong. If you are in contact with Wordfence support, they may ask you to provide a screenshot to demonstrate your issue.

Most operating systems provide built-in features for taking screenshots. On Windows computers, you can use the “Snipping tool”. On Mac computers, you can press Shift-Command(⌘)-3 to save a full screenshot on your desktop. To take a partial screenshot, press Shift-Command(⌘)-4 and click-drag over the area you want to screenshot. For information on other ways to take a screenshot, you can visit https://www.take-a-screenshot.org.

Once you have the screenshot, you can send it as an attachment in an email, or host it on a service online so that you can share a link to it instead. An example of such a service is https://imgur.com/. Remember to never share any sensitive details such as usernames or passwords in screenshots or text.

Frequently Asked Questions

  • Warning: require_once(vendor/wordfence/wf-waf/src/init.php): failed to open stream

    Plugin updates can fail for various reasons such as running out of disk space, connection issues or performance issues. This is not something that only affects the Wordfence plugin but happens with other plugins as well. If you see this specific error message

    Warning: require_once(vendor/wordfence/wf-waf/src/init.php): failed to open stream

    it likely means a Wordfence update failed. You need to access your site via FTP/SSH or any file browser your web host may be providing and delete the “wordfence” folder located in wp-content/plugins. Then install Wordfence from the WordPress plugins page. Your options are saved in the database so this procedure should completely restore your Wordfence installation.

  • PHP Fatal error: Allowed memory size exhausted

    Occasionally, depending on your site, its resources, and its plugins and themes, you may get a PHP error that says something like this:

    PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes)

    Fatal error: Out of memory (allocated 33292288) (tried to allocate 616 bytes) in...

    This issue is not a Wordfence error but simply indicates that you need to contact your hosting provider and ask them to increase your site memory. Usually your hosting provider will edit your php.ini file to increase the memory_limit parameter, and they may also have to increase your web server memory limit along with any operating system limits they have.

    Increase PHP Memory
    This is an indication that the memory limit in php.ini is not set high enough. You can define this in your php.ini file (usually found in /etc on Linux systems; check your documentation for Windows servers, which are currently unsupported by Wordfence). Look through the file for a line like this: memory_limit = 128M. Keep in mind that your value is probably different from 128M. That’s the amount of memory that PHP is allowed to consume. If you have 10 plugins and combined they consume more memory than you have allocated, you’re going to have problems. You can assign more by increasing this value. (Some of our personal sites have 256M allowed, but these are pretty big sites with a substantial number of hits and plugins.) Be sure to restart httpd (Apache) after making changes here.

    Disable plugins that affect database queries
    When the scan is running, Wordfence has to make a lot of database queries. If you are using plugins that affect all database queries, such as Query Monitor, you may run out of PHP memory. If you have Query Monitor or any similar plugin installed, make sure it’s deactivated while the Wordfence scan is running.
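
The following is an added example, not Wordfence's own code: it triages the two memory error formats quoted above and compares the limit PHP reported with the memory_limit line in php.ini. The php.ini fragment, log lines, paths and function names are constructed for illustration.

```python
import re

# Constructed sample input (not real server output): a php.ini fragment and
# two log lines in the formats quoted above. Paths and timestamps are made up.
SAMPLE_INI = """\
; memory_limit = 32M
memory_limit = 128M
"""
SAMPLE_LOG = """\
[01-Jan-2024 10:00:00 UTC] PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes) in /var/www/example/wp-content/plugins/example/scan.php on line 10
[01-Jan-2024 10:05:00 UTC] PHP Fatal error: Out of memory (allocated 33292288) (tried to allocate 616 bytes) in /var/www/example/wp-includes/example.php on line 20
"""

UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
LIMIT_HIT = re.compile(r"Allowed memory size of (\d+) bytes exhausted")
ALLOC_FAILED = re.compile(r"Out of memory \(allocated (\d+)\)")

def ini_bytes(value):
    """Convert PHP shorthand ("128M", "1G", "65536") to bytes; -1 means no limit."""
    m = re.fullmatch(r"(-?\d+)\s*([KMG]?)", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised memory_limit value: {value!r}")
    number = int(m.group(1))
    return number if number < 0 else number * UNITS[m.group(2).upper()]

def memory_limit_from_ini(ini_text):
    """Return the last uncommented memory_limit in php.ini text, in bytes, or None."""
    found = None
    for line in ini_text.splitlines():
        m = re.match(r"\s*memory_limit\s*=\s*([^;\s]+)", line)
        if m:
            found = ini_bytes(m.group(1))
    return found

def triage(log_text, ini_text):
    """Classify each memory error and compare the limit PHP reported with php.ini."""
    configured = memory_limit_from_ini(ini_text)
    findings = []
    for line in log_text.splitlines():
        if m := LIMIT_HIT.search(line):
            hit = int(m.group(1))
            findings.append({"kind": "memory_limit reached", "mb": hit // 1024 ** 2,
                             "matches_php_ini": hit == configured})
        elif m := ALLOC_FAILED.search(line):
            # PHP could not get more memory at this usage; web server or OS limits apply.
            findings.append({"kind": "allocation failed", "mb": int(m.group(1)) // 1024 ** 2})
    return findings
```

On the sample input the first error reports a 64 MB limit although php.ini says 128M, which means a different php.ini or another setting is in effect for the web server.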

  • “Connection reset” error message after updating

    This may occur rarely on Windows servers, and can be solved by increasing the thread stack size by adding the following code to httpd.conf:


    <IfModule mpm_winnt_module>
    ThreadStackSize 8388608
    </IfModule>

    If your site is on a Windows server and you do not have access to the httpd.conf file, you will need to contact your hosting company for the change to be made.

    In at least one case on a local WAMP installation, the ThreadStackSize had to be set to 16777216 (16 MB) instead. This may depend on which Windows version you are using, the active Apache modules, or other settings.

    On local installations, the httpd.conf file is typically located at a path like: c:\wamp\bin\apache\Apache2.x.x\conf\httpd.conf

    References:
    https://bugs.php.net/bug.php?id=47689
    https://www.drupal.org/node/1597820

  • ‘How does Wordfence get IPs’ setting is misconfigured

    When Wordfence detects that your site is behind a “reverse proxy”, you may need to adjust the option How does Wordfence get IPs on the Dashboard > Global Options page in the “General Wordfence Options” section, or by clicking the link in the admin notice that warns you about the issue. This includes the following message, followed by a recommendation:

    Your 'How does Wordfence get IPs' setting is misconfigured

    Solution: You can click the link in the message to apply the recommended setting, or you can adjust the setting manually.

    Additional Options
    If you do not want this scan to run, this can be disabled on the options page at Scan for misconfigured How does Wordfence get IPs. Wordfence also runs this check upon activation, to ensure that your settings are correct.

    For advanced users, there are two constants that can be set to control this feature. (See Wordfence constants for advanced configuration: WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS and WORDFENCE_CHECKHOWGETIPS_TIMEOUT.)

    If you have dismissed the admin notice about this option being misconfigured, it can reappear when a new version of Wordfence is installed, to be sure you are aware of the issue. If you do not want the admin notice to reappear, you can use the constant above to disable the notice permanently.

  • Fatal error: Cannot call overloaded function for non-object

    If your website goes down with this error: “Fatal error: Cannot call overloaded function for non-object in /home/urnamehere/public_html/wp-content/plugins/wordfence/lib/wfLog.php”, this is not a Wordfence problem. It’s a PHP problem.

    To fix this, you can upgrade PHP to version 5.5 or higher. You can also disable your APC cache, which can be done by modifying your PHP initialization file. NOTE: We recommend backing up your PHP initialization file before modifying it.

    On a new line, type apc.enabled=0.
    Save your changes.

  • Handling script conflicts on admin pages

    Some plugins or themes may cause script conflicts that can prevent some WordPress admin pages from working when both Wordfence and the other plugin (or theme) are enabled.

    First, it is best to open the JavaScript console and check for errors. This may show which plugin has caused the conflict.

    Plugin conflicts from WordPress combining scripts

    If one of the errors comes from “load-scripts.php”, that is because WordPress combines multiple scripts into a single request so admin pages load a little more quickly, but since multiple scripts are loaded at once, an error in one script can affect the others. You can prevent this, so that each script will load individually by adding this line of code to your wp-config.php file:

    define('CONCATENATE_SCRIPTS', false);

    Be sure to add it before the line that says: /* That’s all, stop editing! Happy blogging. */

    This will either help show which script file is causing the conflict, or it may prevent the issue from happening. If you can find the cause of the conflict and fix it, you can remove this line from wp-config.php.

    Plugins loading scripts on all admin pages

    Most plugins shouldn’t load scripts on other plugins’ pages, but some do this unintentionally, or because they have features that work throughout all WordPress admin pages.

    If you find a plugin that conflicts with Wordfence’s admin pages, in most cases, the other plugin author should avoid loading their JavaScript files on pages where they are not required.

    Caching and optimization plugins
    If you use a plugin that “minifies” scripts or concatenates (combines) scripts, any script that is loaded can trigger a problem with other scripts. This type of feature is usually included in a caching or optimization plugin. You can temporarily disable the caching or optimization plugin and check if the problem still occurs. If it stops occurring, there are a few ways it can be fixed:

    • If your caching/optimization plugin allows you to exclude some scripts from optimization, you can add Wordfence’s scripts to that list. This is the easiest solution, but may still leave conflicts between other plugins aside from Wordfence.
    • Temporarily disable other plugins, except for Wordfence and the caching/optimization plugin. Then, enable one additional plugin at a time until the problem occurs again. When you find which plugin causes the conflict, you can report the issue to the plugin author. Be sure to mention which caching/optimization plugin you are using too, since that can help them see what happened.
    • Temporarily switch themes and see if the problem still occurs. Some themes contain scripts and could cause the same problem.

    Amazon CloudFront and other CDNs

    Amazon CloudFront and some other CDNs have an option to treat files as the same, no matter what query string is included in the URL. WordPress, Wordfence, and other plugins use the “?ver=” query string to prevent caching when a new version is released, so if you use a CDN, it should be configured to treat URLs as different files if the query string is different, and “forward query strings to the origin” when they request files from your site. More details are available here.

  • ‘Forbidden’ message when trying to use a Wordfence feature

    If you scan your site, get the scan results and then try to view a file’s contents or see file differences using Wordfence, you may see a “Forbidden” message. This is often caused by other plugins that try to protect your site by creating complex .htaccess files. Often these plugins accidentally block legitimate WordPress applications or site visitors, which is why we don’t like to protect sites with very complex .htaccess files.

    If you see this message, look for an .htaccess file in your WordPress root directory that was created by another plugin and contains many complex rules. Either modify the plugin to prevent it from blocking legitimate WordPress applications, or stick with a simple .htaccess file and use another method to protect your site.