Each Wordfence installation has its own unique identifier – a “License key” (or API key). Free versions of Wordfence automatically have one of these. To upgrade to Wordfence premium, you purchase a premium License key and install it in place of the free key. You can read more about License Keys here.
General Wordfence Options
Update Wordfence automatically when a new version is released?
New vulnerabilities and infections appear daily. Keeping Wordfence up to date is a critical part of keeping your website secure. This ensures that you have the latest protection, detection and removal technology that Wordfence provides, and that you have a better chance of maintaining a secure website. As of WordPress 5.5, if you enable automatic updates for Wordfence on the Plugins page in wp-admin, WordPress’s built-in auto-updates will occur instead, and this option will have no effect, in order to avoid potential conflicts in updating the same plugin twice in a single cron hit. We recommend that you choose one method or the other, and still watch for pending updates, just in case an issue on your site prevents scheduled jobs from running. [Read more about Auto Update]
Where to email alerts
This is the email address where Wordfence emails its security alerts. This should usually be your WordPress site administrator’s email address, but you can add multiple email addresses here and separate them using commas.
How does Wordfence get IPs
Wordfence needs to determine each visitor’s IP address to provide security functions on your website: blocking, rate limiting, login lockouts and allowlisting are all keyed on that address. The Wordfence default configuration works just fine for most websites, but it is important that this configuration is correct. For example, if Wordfence is not receiving IP addresses correctly and thinks an external visitor originates from a private address, it will treat that visitor as trusted and will not apply its blocking rules; and if every visitor appears to come from the same proxy address, a single attacker can get that address blocked or rate-limited for all of your legitimate visitors. You can read more about which addresses Wordfence considers private here.
The Wordfence scanner has an option to “Scan for misconfigured How does Wordfence get IPs”. This scan feature can help you detect if the wrong option has been selected for “How does Wordfence get IPs.”
Another way of determining if Wordfence is getting IPs correctly is to check the “IPs” section in the Wordfence Tools > Diagnostics.
Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.
This is the default mode of operation for Wordfence. Wordfence first takes the address that PHP reports in REMOTE_ADDR and, if that is not a usable public address (for example because a firewall or reverse proxy sits in front of the web server, so REMOTE_ADDR holds the proxy’s private address), it falls back to the headers that such a proxy adds to each request.
This option provides a good balance between security and compatibility.
Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site.
If you know that you definitely don’t use a reverse proxy, cache, Cloudflare, CDN or anything else in front of your web server that “proxies” traffic to your website, and if you are sure that your website is just a standalone PHP web server, then using this option will work and is the most secure in a non-proxy or load balancer configuration.
You may also want to select this option for other reasons – for example to force Wordfence to use the $_SERVER['REMOTE_ADDR'] variable in PHP.
Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.
If you are using Nginx or another front-end proxy or load balancer in front of the web server that runs WordPress, and that front-end server passes the visitor’s address to the back end in the HTTP X-Forwarded-For header, then you should enable this option and list the front-end server’s addresses as trusted proxies (see “Multiple IPs detected” below).
Be careful about enabling this option if you do not have a front-end proxy, load balancer, or CDN configuration: the header is written by whoever sends the request, so without a proxy in front any visitor can spoof their IP address (for example to dodge a block or to claim an allowlisted address), and you will also miss many hits that should have been logged.
Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result.
As with the X-Forwarded-For option above, only use this option if you are sure that you want Wordfence to read the visitor IP address from the X-Real-IP HTTP header. Do not enable it if you do not have a front-end proxy or load balancer that forwards visits to your real web server and adds the X-Real-IP header, because without such a proxy any visitor can set that header themselves.
Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.
Wordfence is fully compatible with Cloudflare, and in some configurations Cloudflare will send the real visitor IP address to your web server using the CF-Connecting-IP HTTP header. If Cloudflare support personnel have advised you that this is the case, then enable this option in Wordfence to ensure that Wordfence is able to get your visitor IP address.
Note that Cloudflare has several configurations including their own web server module that takes care of detecting the visitor IP address, so be sure to work with their technical support staff and read their documentation to determine which configuration you’re using.
Multiple IPs detected
If your host requires using the X-Forwarded-For header, there may be multiple IP addresses detected. If your own IP address does not appear where it shows “Your IP with this setting,” you may need to add trusted proxies.
If you do not know whether your host uses more than one proxy address, contact your host or the reverse-proxy service that you use. If you know there is only one proxy address, it should be the last address in the “Detected IPs” field.
- Once you know which proxies to trust, click the + Edit trusted proxies link below the detected IPs.
- In the Trusted proxies field that appears, enter the IP addresses of the proxies. You can enter a single IP like 10.0.0.15. You can also enter a “CIDR” range like 10.0.0.0/24. Note that these are only examples; use the addresses your host or proxy service actually gives you.
- Click Save Options to save the changes, and check that your IP appears correctly in the “Your IP with this setting” field.
If you are using the Ezoic advertising platform
If you are using the Ezoic advertising platform for your website then you will need to set and save the option “Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result”.
This is necessary for Wordfence to be able to detect each visitor’s IP address correctly instead of Wordfence seeing all visits to your website as coming from Ezoic IP addresses. Once that option has been set, you will need to add all of the IP address ranges that Ezoic uses as trusted proxies in Wordfence. Currently Ezoic provides a list of all of the IP address ranges that they use in a text file found in the “Attachments” section at the bottom of the relevant page on their website.
To add Ezoic’s IP address ranges as trusted proxies:
- Download the text file.
- Click the “+ Edit trusted proxies” link below the detected IPs in Wordfence.
- In the “Trusted Proxies” field that appears, copy and paste the list of IP address ranges from the text file that you downloaded.
- Click the “Save Changes” button to save the change and check that your IP appears correctly on the line “Your IP with this setting”.
If you have added Ezoic’s IP address ranges to the Wordfence option “Allowlisted IP addresses that bypass all rules”, then all of Ezoic’s IP address ranges must be removed from the allowlist. If Wordfence has not been configured to detect IP addresses correctly, it will see every visitor, threat actors included, as having an Ezoic IP address, and because those addresses are allowlisted, every attacker will bypass all of the protection Wordfence provides. Proxy ranges belong in “Trusted proxies”, never in the allowlist.
Ezoic may update their list of IP address ranges in the future so we recommend asking them about this. If that is the case then you can update the list of trusted proxies in Wordfence accordingly.
Note that if your website is hosted at SiteGround then currently it appears that SiteGround will overwrite or remove the X-Forwarded-For HTTP header so that Wordfence can’t detect IP addresses correctly if you use Ezoic. You may be able to use the Ezoic Integration plugin available from wordpress.org instead of making changes to the DNS records of your domain name.
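To make the spoofing problem and the trusted-proxy walk concrete, here is a small Python illustration added for this page. It is not Wordfence’s own code, and Wordfence’s internal logic may differ in its details. It contrasts the unsafe reading (take the leftmost X-Forwarded-For value, which is what you get by selecting the X-Forwarded-For option with no proxy in front) with a proxy-aware reading that only consults the header when the TCP peer is one of the configured trusted proxies, and it shows why Ezoic-style proxy ranges belong in “Trusted proxies” and not in the bypass allowlist. All addresses and ranges (10.0.0.0/24, 203.0.113.7 and so on) are constructed for the example.

```python
import ipaddress

# Constructed for this example: the ranges a host or CDN told us it proxies
# from, as typed into the "Trusted proxies" field (single IPs or CIDR ranges).
TRUSTED_PROXIES = ["10.0.0.0/24", "2001:db8:ffff::/48"]


def parse_networks(entries):
    """Parse a list of IPs / CIDR ranges into ip_network objects.
    A bare address such as "10.0.0.15" becomes a /32 (or /128) network."""
    nets = []
    for entry in entries:
        entry = entry.strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_any(addr, nets):
    """True if addr is a syntactically valid IP that lies inside one of nets."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in nets)


def split_hops(xff_header):
    """X-Forwarded-For is a comma-separated chain; each proxy appends the
    address it received the request from to the right-hand end."""
    return [h.strip() for h in (xff_header or "").split(",") if h.strip()]


def naive_xff_ip(remote_addr, xff_header):
    """Unsafe reading: trust the leftmost X-Forwarded-For entry unconditionally.
    On a server with no proxy in front, the client wrote that value itself."""
    hops = split_hops(xff_header)
    return hops[0] if hops else remote_addr


def visitor_ip(remote_addr, xff_header, trusted_proxies):
    """Proxy-aware reading. Consult X-Forwarded-For only when the TCP peer
    (REMOTE_ADDR) is a trusted proxy, then walk the chain from the right and
    return the first hop that is not itself a trusted proxy. Everything to
    the left of that hop was supplied by the client and is ignored."""
    nets = parse_networks(trusted_proxies)
    if not in_any(remote_addr, nets):
        return remote_addr      # peer is not our proxy: the header is untrusted
    for hop in reversed(split_hops(xff_header)):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break               # junk such as "unknown": stop, do not trust it
        if in_any(hop, nets):
            continue            # appended by one of our own proxies, keep walking
        return hop
    return remote_addr          # empty, all-trusted or malformed chain


def firewall_bypassed(remote_addr, xff_header, trusted_proxies, allowlist,
                      proxy_aware):
    """Would the resolved visitor address fall into the 'bypass all rules'
    allowlist? proxy_aware=False models the REMOTE_ADDR-only setting."""
    if proxy_aware:
        ip = visitor_ip(remote_addr, xff_header, trusted_proxies)
    else:
        ip = remote_addr
    return in_any(ip, parse_networks(allowlist))


if __name__ == "__main__":
    # No proxy in front: a client forges the header to look like a private address.
    print(naive_xff_ip("203.0.113.7", "10.0.0.15"))                 # 10.0.0.15 (spoofed)
    print(visitor_ip("203.0.113.7", "10.0.0.15", TRUSTED_PROXIES))   # 203.0.113.7
    # Behind two of our proxies; the client also forged a leading entry.
    print(visitor_ip("10.0.0.15", "198.51.100.1, 203.0.113.7, 10.0.0.20",
                     TRUSTED_PROXIES))                                # 203.0.113.7
    # Proxy ranges in the allowlist plus REMOTE_ADDR-only detection: open door.
    print(firewall_bypassed("10.0.0.15", "203.0.113.7", TRUSTED_PROXIES,
                            ["10.0.0.0/24"], proxy_aware=False))      # True
```

The right-to-left walk is what makes the trusted-proxies field meaningful: a client can prepend any number of fake entries, but it cannot control what your own proxies append after them, so the first untrusted hop from the right is the only address worth acting on. If the peer itself is not a trusted proxy, the header is ignored entirely, which is the behaviour you want on a standalone server.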
Hide WordPress version
Disable Code Execution for Uploads directory
Enabling this option places a .htaccess file in your wp-content/uploads/ directory that prevents any PHP code in the uploads directory from executing. This is an added layer of protection in case an attacker manages to upload PHP code into your uploads directory: even if they do, the code will not run while this option is enabled. Note that only web servers that honor .htaccess files (Apache and LiteSpeed) will apply it; Nginx ignores .htaccess entirely, so on Nginx an equivalent rule that refuses to pass files under uploads to PHP must be added to the server configuration. The php_flag lines switch the PHP engine off for the directory when PHP runs as an Apache module, and are wrapped in IfModule blocks so that they do not cause a server error where that module is not loaded (for example with PHP-FPM). The AddHandler line covers those other setups by mapping script extensions to Apache’s CGI handler instead of the PHP interpreter, so with ExecCGI off for the directory (the default) Apache answers such requests with a 403. A quick check after enabling the option is to place a harmless test .php file in the uploads directory and request it in a browser; you should see an error rather than the script’s output. The contents of the .htaccess file are:
# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
# END Wordfence code execution protection
Disable Wordfence Cookies
Pause live updates when window loses focus
This option displays a “Live Updates Paused” overlay on the Scan and Live Traffic pages, and the small overlay on the “Wordfence Live Activity” bar on some pages. This saves server resources by only updating the page while you are actively using it. For this reason, it is enabled by default, but you can disable it if you need your site to display updates while you are working in another window.
Disabling this option is not recommended for most shared hosting plans, as it can be the resource usage equivalent of a visitor reaching your site every couple of seconds. If you keep this option disabled, you may want to increase the “Update interval in seconds” option, so your browser will request fewer updates from the site.
Update interval in seconds
This option specifies how often Wordfence updates the view in your admin interface. This applies specifically to real-time views like Live Traffic and the Scan page. On both pages, data appears in real time as progress is occurring.
Wordfence will cause your web browser to repeatedly send a request to check if new data is available. Those requests consume CPU, and on web hosting providers that don’t provide many resources you may receive complaints from your host about the resources you are using when viewing Live Traffic and leaving your web browser window open.
By changing this setting, which controls how often the live data is refreshed, from the default of 2 seconds to something like 10 or 15 seconds, you dramatically reduce the amount of processing power that viewing Live Traffic or the Scan page will consume.
This setting does not affect the resource usage of the scan process itself. It determines how often your web browser connects to your site to refresh the scan log where you see the scan progress. Increasing this value decreases the frequency, making your view refresh less frequently. This reduces the amount of requests that are made to your site which can help on resource-limited sites.
Bypass the LiteSpeed “noabort” check
On many LiteSpeed web servers in the past, the server administrator had set the “External Application Abort” option to abort long-running processes, which can stop scans and automatic updates from working properly. This could usually be overridden by setting a value in .htaccess (see Wordfence and LiteSpeed). If this is not done, we normally disable automatic updates, to prevent LiteSpeed from interrupting an update.
But on some LiteSpeed servers we’ve seen recently, the administrator has disabled these aborts for all sites, so it is not necessary to set “noabort” in .htaccess. If you are certain that your host uses LiteSpeed and that “External Application Abort” is set to “No Abort,” you can enable this option so that Wordfence will skip checking for “noabort” in .htaccess.
Delete Wordfence tables and data on deactivation
By default, if you disable Wordfence, the database tables will remain in place with their data. This is to ensure that if you accidentally or temporarily disable Wordfence, you won’t lose your configuration or the data you have accumulated like the live traffic data.
If you would like to remove all Wordfence data when you deactivate the plugin, check this box and when you disable the plugin all tables, entries in the WordPress options table, scheduled jobs and any other stored data associated with Wordfence will be removed.
Note that this does not include Login Security settings and tables, which have a similar option at the bottom of the Login Security settings page. This allows you to leave those settings in place if you are switching to the standalone Wordfence Login Security plugin. This will be simplified in an upcoming version.
If you then reactivate Wordfence after removing all tables and data, it will appear as if it has been activated on your website for the first time.
Dashboard Notification Options
These options allow you to select which types of notifications appear on the Wordfence Dashboard. Free users can choose to disable notifications for updates (plugins, themes, and WordPress core) and scan results. If you have Wordfence Premium, options for disabling other types of notifications will appear.
Wordfence sends email alerts on certain events if you have enabled the alerts in this section. The alerts are sent to the email address provided under “General Wordfence Options” in the field titled “Where to email alerts”.
Using the option “Maximum email alerts to send per hour” you can limit the number of email alerts received per hour to prevent being flooded with emails. You can also disable alerts if you are experiencing a brute force attack and the email alerts you are receiving are becoming overwhelming.
If you want alerts on all issues detected in Wordfence scan, enable both “Alert on critical problems” and “Alert on warnings”. Theme and plugin updates are “warning” alerts.
This feature lets you enable an email activity report that summarizes recent security-related events on your site. You can choose whether you want this activity report every day, every week or every month. There is also an option to exclude certain directories from the “recently modified files” section of the activity report. Two folders are added here by Wordfence itself; they are excluded because file modifications in these folders are normal and very frequent.
The “Activity Report” section also lets you enable or disable the Wordfence activity report widget on the WordPress dashboard.