Troubleshooting

Information about debugging issues with your site can be found here.

Sometimes your theme or other plugins can interfere with or break WordPress functions and therefore prevent Wordfence from working. The easiest way to isolate which plugin is causing the issue is to deactivate all plugins except Wordfence and then activate them again one by one until one of them breaks Wordfence. Some examples of problems that we have seen are:

  • Plugins that try to protect your “/wp-admin/” area but in doing so block access to the “admin-ajax.php” file which is located in that directory and needs to be publicly accessible.
  • Plugins that put your site into maintenance mode and also disable the “admin-ajax.php” file.
  • Plugins that generate JavaScript errors. These errors prevent any other JavaScript from executing on the same page and will thus break Wordfence JavaScript. Read more below about using the browser console.
  • Plugins that disable jQuery in WordPress. This disables Wordfence and almost all other plugins and themes that rely on this core library.

Please note that the Wordfence team cannot provide support for other plugins. However, if you are aware of a specific incompatibility then please report it to us.

How to inspect the browser developer tools Console

Chrome Browser Console

Browsers on desktop computers have developer tools that show details about every page loaded in your browser. On Windows in Chrome, Edge, and Firefox, the browser developer tools can be opened by pressing F12. On Mac, you can open it by pressing Command+Option+i. The browser developer tools are also available via the respective browser’s menu.

The developer tools have several tabs. The most important ones for debugging are the “Console” and “Network” tabs. The “Console” tab will tell you if there are any JavaScript errors happening on the page. The “Network” tab will show you if all resources on the page have loaded correctly. A resource that has loaded correctly will have a status of 200 OK or 304 Not Modified. If you see a status code of 404, it means that resource was not found. 403 means the request was blocked and 503 means the server responded to the request saying that the Service is Unavailable.

How to take a screenshot

When collecting data for debugging purposes, it can be useful to save screenshots to communicate exactly what is going wrong. If you are in contact with Wordfence support, they may ask you to provide a screenshot to demonstrate your issue.

Most operating systems provide built-in features for taking screenshots. On Windows computers, you can use the “Snipping tool”. On Mac computers, you can press Shift-Command(⌘)-3 to save a full screenshot on your desktop. To take a partial screenshot, press Shift-Command(⌘)-4 and click-drag over the area you want to screenshot. For information on other ways to take a screenshot, you can visit https://www.take-a-screenshot.org.

Once you have the screenshot you can send it as an attachment in an email, or host it on a service online so that you can share a link to it instead. An example of such a service is https://imgur.com/. Remember to never share any sensitive details such as usernames or passwords in screenshots or text.

Admin pages with query string redirect to the home page

If you are trying to visit “Click to view your system’s configuration in a new window” on the Wordfence “Diagnostics” page and the home page of your site loads instead of the system information page, your theme may be using the “template_redirect” hook incorrectly.

WordPress has a built-in function called “template_redirect” which allows theme authors to make redirects that are informed about the specific state of WordPress during a request. For example, it can be used to make different redirects depending on whether a user is logged in or not.

On occasion, theme authors will use the “template_redirect” hook in a way that breaks all URLs that request the root of the site and have query strings, because it redirects all those requests to the site’s home page. Unfortunately, there is not a fix for this, other than to ask the theme developer to change how their code works so it doesn’t impact other URLs on your site. You can read more about the “template_redirect” hook and how to use it in the WordPress documentation. Please note that as the documentation states, loading a different template is not a good use of this action hook.

Frequently Asked Questions

  • PHP Fatal error: Allowed memory size exhausted

    Occasionally, depending on your site, resources, and plugins and themes you may get a php error that says something like this:

    PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes)

    Fatal error: Out of memory (allocated 33292288) (tried to allocate 616 bytes) in...

    This issue is not a Wordfence error but simply indicates that you need to contact your hosting provider and ask them to increase your site memory. Usually your hosting provider will edit your php.ini file to increase the memory_limit parameter, and they may also have to increase your web server memory limit along with any operating system limits they have.

    Increase PHP Memory
    This is an indication that your memory in php.ini is not set high enough. You can define this in your php.ini file (usually found in /etc on linux systems – check your documentation for windows servers, which are currently unsupported by Wordfence). Look through the file for a line like this: memory_limit = 128M. Keep in mind the 128M is probably different. That’s the amount of memory that php is allowed to consume. If you have 10 plugins and combined they consume more memory than you have allocated, you’re going to have problems. You can assign more by increasing this value. (Some of our personal sites have 256M allowed, but these are pretty big sites with a substantial number of hits and plugins). Make sure and restart httpd (apache) after making changes here.

    Disable plugins that affect database queries
    When the scan is running Wordfence has to make a lot of database queries. If you are using plugins that affect all database queries such as Query Monitor, you may run out of PHP memory. If you have Query Monitor or any similar plugin installed, make sure it’s deactivated while Wordfence scan is running.

  • Warning: require_once(vendor/wordfence/wf-waf/src/init.php): failed to open stream

    Plugin updates can fail for various reasons such as running out of disk space, connection issues, or performance issues. This is not something that only affects the Wordfence plugin but happens with other plugins as well. If you see this specific error message shown below then it likely means that a Wordfence update failed. You need to access your site via FTP/SSH or your hosting control panel file manager and delete the “wordfence” directory located in “wp-content/plugins”.  Then install Wordfence from the WordPress “Plugins” page again. Your options are saved in the database so this procedure should completely restore your Wordfence installation.

    Warning: require_once(vendor/wordfence/wf-waf/src/init.php): failed to open stream

     

  • “Connection reset” error message after updating

    This may occur rarely on Windows servers, and can be solved by increasing the thread stack size by adding the following code to the “httpd.conf” configuration file:

    <IfModule mpm_winnt_module>
    ThreadStackSize 8388608
    </IfModule>

    If your site is on a Windows server and you do not have access to the “httpd.conf” configuration file, you will need to contact your hosting company for the change to be made.

    In at least one case on a local WAMP (Windows, Apache, MySQL, PHP) installation, the “ThreadStackSize” had to be set to 16777216 (16 MB) instead. This may depend on which Windows version you are using, the active Apache modules, or other settings.

    On local installations, the “httpd.conf” configuration file is typically located at a path like:

    c:\wamp\bin\apache\Apache2.x.x\conf\httpd.conf

    References:

    https://bugs.php.net/bug.php?id=47689
    https://www.drupal.org/node/1597820

  • ‘How does Wordfence get IPs’ setting is misconfigured

    When Wordfence detects that your site is behind a “reverse proxy”, you may need to adjust the option “How does Wordfence get IPs” in the “General Wordfence Options” section on the “Dashboard” > “Global Options” page, or by clicking the link in the admin notice that warns you about the issue. This includes the following message, followed by a recommendation:

    Your 'How does Wordfence get IPs' setting is misconfigured

    To resolve this you can click the link in the message to apply the recommended setting, or you can adjust the setting manually.

    Wordfence also runs this check upon the activation of the plugin, to ensure that your settings are correct.

    For advanced users, there are two constants that can be set to control this feature:

    WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS

    WORDFENCE_CHECKHOWGETIPS_TIMEOUT

    If you have dismissed the admin notice about this option being misconfigured, it can reappear when a new version of Wordfence is installed, to be sure you are aware of the issue. If you do not want the admin notice to reappear, you can use the constant above to disable the notice permanently.

    Additional Options

    If you do not want the scan option “Scan for misconfigured How does Wordfence get IPs” to run, this can be disabled on the “Scan” > “Scan Options and Scheduling” page.

  • ‘Forbidden’ message when trying to use a Wordfence feature

    If you look at a particular scan result after you run a Wordfence scan on your site and try to view a file’s contents or see file differences using Wordfence then you may see a “Forbidden” message. This is often caused by other plugins that try to protect your site by creating complex “.htaccess” files. Often these plugins accidentally block legitimate WordPress applications or site visitors, which is why we do not like to protect sites with very complex “.htaccess” files.

    If you see this message, look for a “.htaccess” file in your WordPress root directory that was created by another plugin and contains many complex rules. Either modify the plugin to prevent it from blocking legitimate WordPress applications or use a simple “.htaccess” file and use another method to protect your site.

  • Fatal error: Cannot call overloaded function for non-object

    If your site goes down with this error below then this is not caused by Wordfence. Instead, it is a PHP problem:

    Fatal error: Cannot call overloaded function for non-object in /home/urnamehere/public_html/wp-content/plugins/wordfence/lib/wfLog.php

    To fix this, you can upgrade php to version 5.5 or higher. You can also disable your APC cache which can be done by modifying your PHP initialization file. Note that we recommend backing up your PHP initialization file file before modifying it.

    On a new line, type apc.enabled=0

    Save your changes.

  • Handling script conflicts on admin pages

    Some plugins or themes may cause conflicts with scripts that can prevent some WordPress admin pages from working when both Wordfence and the other plugin (or theme) are enabled.

    First, it is best to open the JavaScript console in your browser developer tools and check for errors. This may show which plugin has caused the conflict.

    Plugin conflicts from WordPress combining scripts

    If one of the errors comes from “load-scripts.php”, that is because WordPress combines multiple scripts into a single request so admin pages load a little more quickly, but since multiple scripts are loaded at once, an error in one script can affect the others. You can prevent this so that each script will load individually by adding this line of code to your WordPress “wp-config.php” configuration file:

    define('CONCATENATE_SCRIPTS', false);

    Be sure to add it before the line that says:

    /* That's all, stop editing! Happy blogging. */

    This will either help show which script file is causing the conflict, or it may prevent the issue from happening. If you can find the cause of the conflict and fix it, you can remove this line from your WordPress “wp-config.php” configuration file.

    Plugins loading scripts on all admin pages

    Most plugins should not load scripts on other plugins’ pages, but some do this unintentionally, or because they have features that work throughout all WordPress admin pages.

    If you find a plugin that conflicts with Wordfence’s admin pages, in most cases, the other plugin author should avoid loading their JavaScript files on pages where they are not required.

    Caching and optimization plugins

    If you use a plugin that “minifies” scripts or concatenates (combines) scripts, any script that is loaded can trigger a problem with other scripts. This type of feature is usually included in a caching or optimization plugin. You can temporarily disable the caching or optimization plugin and check if the problem still occurs. If it stops occurring, there are a few ways it can be fixed:

    • If your caching / optimization plugin allows you to exclude some scripts from optimization, you can add Wordfence’s scripts to that list. This is the easiest solution, but may still leave conflicts between other plugins aside from Wordfence.
    • Temporarily disable other plugins, except for Wordfence and the caching / optimization plugin. Then, enable one additional plugin at a time until the problem occurs again. When you find which plugin causes the conflict, you can report the issue to the plugin author. Be sure to mention which caching / optimization plugin you are using too since that can help them see what happened.
    • Temporarily switch themes and see if the problem still occurs. Some themes contain scripts and could cause the same problem.

    Amazon CloudFront and other CDNs

    Amazon CloudFront and some other CDN’s have an option to treat files as the same, no matter what query string is included in the URL. WordPress, Wordfence, and other plugins use the “?ver=” query string to prevent caching when a new version is released, so if you use a CDN, it should be configured to treat URLs as different files if the query string is different, and “forward query strings to the origin server” when they request files from your site. More details are available here.