Global Options

These allow you to update your Wordfence License, set your Alert Preferences and Import/Export Wordfence settings.

Wordfence License

Each Wordfence installation has its own unique identifier, a “license key” (or API key). Free versions of Wordfence automatically have one of these. To upgrade to Wordfence premium, you purchase a premium license key and install it in place of the free key. You can read more about License Keys here.

General Wordfence Options

Update Wordfence automatically when a new version is released?

New vulnerabilities and infections appear daily. Keeping Wordfence up to date is a critical part of keeping your site secure: it ensures that you have the latest protection, detection, and removal technology that Wordfence provides, and a better chance of maintaining a secure site. As of WordPress 5.5, if you enable automatic updates for Wordfence on the “Plugins” page in WordPress, then WordPress’s built-in auto-updates will occur instead. Our update option will then have no effect, which avoids potential conflicts from updating the same plugin twice in a single cron job hit. We recommend that you choose one method or the other, and still watch for pending updates, just in case an issue on your site prevents scheduled cron jobs from running. [Read more about Auto Update]

Where to email alerts

This is the email address where Wordfence emails its security alerts. This should usually be your WordPress site administrator’s email address, but you can add multiple email addresses here and separate them using commas.

How does Wordfence get IPs

Wordfence needs to determine each visitor’s IP address to provide security functions on your website. The Wordfence default configuration works automatically for most sites, but it is important that this configuration is correct. For example, if Wordfence is not detecting IP addresses correctly, and thinks an external visitor originates from a private IP address, then it will allow that visitor to bypass all Wordfence security protocols. You can read more about which addresses Wordfence considers private here.

The Wordfence scanner has an option to “Scan for misconfigured How does Wordfence get IPs”. This scan feature can help you detect if the wrong option has been selected for “How does Wordfence get IPs.”

Another way of determining if Wordfence is getting IP addresses correctly is to check the “IP Detection” section on the Wordfence “Tools” > “Diagnostics” page.

Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.
This is the default mode of operation for Wordfence. Wordfence will try to get a valid IP address from PHP. If that does not work, it will look at data that a firewall or reverse proxy sends in case your site uses this configuration.

This option provides a good balance between security and compatibility.

Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site.
If you know that you definitely do not use a reverse proxy, cache, Cloudflare, CDN, or any other type of proxy in front of your web server that “proxies” traffic to your website, and if you are sure that your website is just a standalone PHP web server, then using this option will work and is the most secure choice for a configuration with no proxy or load balancer.

You may also want to select this option for other reasons – for example, to force Wordfence to use the $_SERVER['REMOTE_ADDR'] variable in PHP.

Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.
Only use this option if you are using Nginx, a load balancer, or CDN as a front-end proxy in front of your web server, and the front-end proxy server sends IP addresses using the X-Forwarded-For HTTP header to the web server that runs WordPress.

Be careful about enabling this option if you do not have a front-end proxy configuration because it will then allow visitors to spoof their IP address and you will also miss many hits that should have been logged.

Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result.
Only use this option if you are using Nginx, a load balancer, or CDN as a front-end proxy in front of your web server, and the front-end proxy server sends IP addresses using the X-Real-IP HTTP header to the web server that runs WordPress.

Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.
Wordfence is fully compatible with Cloudflare, and in some configurations, Cloudflare will send the real visitor IP address to your web server using the CF-Connecting-IP HTTP header. If Cloudflare support personnel have advised you that this is the case, then enable this option in Wordfence.

Note that Cloudflare has several configurations including their own web server module that takes care of detecting the visitor IP address, so be sure to work with their technical support staff and read their documentation to determine which configuration you are using.

Multiple IPs detected
If your host requires using the “X-Forwarded-For” HTTP header, there may be multiple IP addresses detected. If your own IP address does not appear where it shows “Your IP with this setting” then you may need to add trusted proxies.

If you do not know whether your host uses more than one proxy address, contact your host or the proxy service that you use. If you know there is only one proxy address, it should be the last address in the “Detected IP(s)” field.

  • Once you know which proxies to trust, click the “+ Edit trusted proxies” link below the detected IP addresses.
  • In the “Trusted Proxies” field that appears, enter the IP addresses of the proxies. You can enter a single IP like 10.0.0.15. You can also enter a “CIDR” range like 10.0.0.0/24. Note that your host’s trusted IP addresses should not be the same as the addresses in these examples.
  • Click the “Save Options” button to save the changes, and check that your IP appears correctly in the “Your IP with this setting” field.
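
The detection options and the trusted proxies list described above, as an added example (not Wordfence's own code): a simplified model that shows which address each setting would resolve for four constructed requests. The function names, the private-range list (RFC 1918 plus loopback) and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_nets(entries):
    """Accept single IPs ("10.0.0.15") and CIDR ranges ("10.0.0.0/24")."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]

def in_any(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)

# Assumption: RFC 1918 plus loopback; not necessarily the list Wordfence uses.
PRIVATE = parse_nets(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])

def resolve_visitor_ip(remote_addr, xff="", use_xff=False, trusted=()):
    """Simplified model of visitor IP detection (hypothetical, not Wordfence's code)."""
    peer = ipaddress.ip_address(remote_addr)
    if not use_xff:
        return peer                       # REMOTE_ADDR only: the TCP peer
    hops = []
    for part in xff.split(","):
        try:
            hops.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            pass                          # drop empty or malformed entries
    if not hops:
        return peer
    if not trusted:
        return hops[0]                    # header believed as sent, so client-controlled
    # Walk from the server outwards; the first hop that is not a known proxy is the visitor.
    for hop in reversed(hops + [peer]):
        if not in_any(hop, trusted):
            return hop
    return hops[0]

def looks_misdetected(ip):
    """An external visitor should never resolve to a private or loopback address."""
    return in_any(ip, PRIVATE)

# Constructed requests: documentation address ranges, plus the page's example proxy 10.0.0.15.
PROXIES = parse_nets(["10.0.0.15", "10.0.1.0/24"])
SCENARIOS = {
    "proxy in front, REMOTE_ADDR only": resolve_visitor_ip("10.0.0.15", "203.0.113.50"),
    "no proxy, XFF on, forged header": resolve_visitor_ip("198.51.100.7", "127.0.0.1", use_xff=True),
    "proxy, XFF on, trusted proxies set": resolve_visitor_ip(
        "10.0.0.15", "192.168.1.1, 203.0.113.50", use_xff=True, trusted=PROXIES),
    "direct hit, forged header, trusted set": resolve_visitor_ip(
        "198.51.100.7", "10.0.0.15", use_xff=True, trusted=PROXIES),
}
if __name__ == "__main__":
    for name, ip in SCENARIOS.items():
        print(f"{name:40} -> {ip}  misdetected={looks_misdetected(ip)}")
```

The first two scenarios resolve to a private or loopback address, which is the condition the “IP Detection” diagnostics are meant to surface; the last two resolve to the real connecting address even though the header carries a forged entry.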

If you are using the Ezoic advertising platform

If you are using the Ezoic advertising platform for your site then you will need to set and save the option “Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result”.

This is necessary for Wordfence to be able to detect each visitor’s IP address correctly instead of Wordfence seeing all visits to your site as coming from Ezoic IP addresses. Once that option has been set then you will need to add all of the IP address ranges that Ezoic uses as trusted proxies in Wordfence. Currently, Ezoic provides a list of all of the IP address ranges that they use in a text file found in the “Attachments” section at the bottom of their site page below:

https://support.ezoic.com/kb/article/how-to-fix-origin-errors

To add Ezoic’s IP address ranges as trusted proxies:

  • Download the text file.
  • Click the “+ Edit trusted proxies” link below the detected IPs in Wordfence.
  • In the “Trusted Proxies” field that appears, copy and paste the list of IP address ranges from the text file that you downloaded.
  • Click the “Save Changes” button to save the change and check that your IP appears correctly in the “Your IP with this setting” field.

If you have added Ezoic’s IP address ranges to the Wordfence option “Allowlisted IP addresses that bypass all rules” then all of Ezoic’s IP address ranges must be removed from the allowlist. If Wordfence has not been configured to detect IP addresses correctly then Wordfence will see all threat actors as having an Ezoic IP address, and they will be able to bypass all WordPress protection because all of Ezoic’s IP addresses have been added to the allowlist.

Ezoic may update their list of IP address ranges in the future so we recommend asking them about this. If that is the case then you can update the list of trusted proxies in Wordfence accordingly.

Note that if your website is hosted at SiteGround then currently it appears that SiteGround will overwrite or remove the “X-Forwarded-For” HTTP header so that Wordfence cannot detect IP addresses correctly if you use Ezoic. You may be able to use the Ezoic Integration plugin available from WordPress.org instead of making changes to the DNS records of your domain name.

Hide WordPress version

WordPress, by default, discloses what its version is. This option will hide it from outsiders. We generally recommend that you do not enable this anymore, since there are other methods of determining the WordPress version, such as fingerprinting static content like CSS and JavaScript files. This option will be disabled on new installations.

Disable Code Execution for Uploads directory

Enabling this option will place a “.htaccess” file in your “wp-content/uploads/” directory which prevents any PHP code in your uploads directory from executing. This is an added level of protection against a hacker managing to upload PHP code into your “uploads” directory. Even if they manage to do that, the code won’t execute if you have this option enabled. The contents of the .htaccess file are below:

# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection

Disable Wordfence Cookies

This option was removed as part of our adjustments for EU GDPR with Wordfence version 7.1.16. Sites that were previously enabling this option to avoid issues with cache do not need to make any changes. Wordfence has implemented other ways of distinguishing between bots/humans and regular users/admins and does not use cookies by default on the front end of sites. The only time a cookie is set on the front end is when the country blocking bypass feature is enabled. You can read more about the cookies that Wordfence sets here.

Pause live updates when window loses focus

This option displays a “Live Updates Paused” overlay on the “Scan” and “Live Traffic” pages, and the small overlay on the “Wordfence Live Activity” bar on some pages. This saves server resources by only updating the page while you are actively using it. For this reason, it is enabled by default, but you can disable it if you need your site to display updates while you are working in another window.

Disabling this option is not recommended for most shared hosting plans, as it can be the resource usage equivalent of a visitor reaching your site every two seconds. If you keep this option disabled, you may want to increase the time in the “Update interval in seconds” option, so your browser will request fewer updates from the site.

Update interval in seconds

This option specifies how often Wordfence updates the view in your admin interface. This applies specifically to real-time views like on the “Live Traffic” and the “Scan” pages. On both pages, data appears in real-time as progress is occurring.

Wordfence will cause your web browser to repeatedly send a request to check if new data is available. Those requests consume server resources, and on web hosting providers that don’t provide many resources, you may receive complaints from your host about the resources you are using when viewing the “Live Traffic” or “Scan” pages and leaving your web browser window open.

By changing this setting, which controls how often the live data is refreshed, from the default of 2 seconds to something like 10 or 15 seconds, you dramatically reduce the amount of processing power that viewing the “Live Traffic” or “Scan” page will consume.

This setting does not affect the resource usage of the scan process itself. It determines how often your web browser connects to your site to refresh the scan log where you see the scan progress. Increasing this value decreases the frequency, making your view refresh less frequently. This reduces the number of requests that are made to your site which can help on resource-limited sites.

Bypass the LiteSpeed “noabort” check

On many LiteSpeed web servers in the past, the server administrator had set the “External Application Abort” option to abort long-running processes, which can cause scans to fail and prevent Wordfence plugin automatic updates from working properly. This could usually be overridden by setting a value in your main “.htaccess” file (see Wordfence and LiteSpeed). If this is not done, we normally disable automatic updates, to prevent LiteSpeed from interrupting an update.

But on some LiteSpeed servers we’ve seen recently, the administrator has disabled these aborts for all sites, so it is not necessary to set “noabort” in your main “.htaccess” file. If you are certain that your host uses LiteSpeed and that the “External Application Abort” is set to “No Abort” then you can enable this option so that Wordfence will skip checking for “noabort” in your main “.htaccess” file.

Delete Wordfence tables and data on deactivation

By default, if you disable Wordfence, the database tables will remain in place with their data. This is to ensure that if you accidentally or temporarily deactivate Wordfence then you won’t lose your configuration or the data you have accumulated like the “Live Traffic” page data.

If you would like to remove all Wordfence data when you deactivate the plugin then check this box and save the change. When you disable the plugin then all Wordfence database tables, entries in the WordPress options database table, scheduled cron jobs, and any other stored data associated with the Wordfence plugin will be removed.

Note that this does not include “Login Security” settings and tables, which have a similar option at the bottom of the “Login Security” > “Settings” page. This allows you to leave those settings in place if you are switching to the standalone Wordfence Login Security plugin. This will be simplified in an upcoming version.

If you then reactivate Wordfence after removing all tables and data, it will appear as if it has been activated on your website for the first time.

Dashboard Notification Options

These options allow you to select which types of notifications appear on the Wordfence “Dashboard” page. Free users can choose to disable notifications for updates (plugins, themes, and WordPress core) and scan results. If you have Wordfence Premium, options for disabling other types of notifications will appear.

Email Alert Preferences

Wordfence sends email alerts on certain events if you have enabled the alerts in this section. The alerts are sent to the email address provided under the “General Wordfence Options” section in the field titled “Where to email alerts”.

Using the option “Maximum email alerts to send per hour” allows you to limit the number of email alerts received per hour to prevent being inundated with emails. You can also disable alerts if you are experiencing a brute force attack and the email alerts you are receiving are becoming overwhelming.

Activity Report

This feature lets you enable an email activity report that summarizes recent security-related events on your site. You can choose whether you want this activity report every day, every week, or every month. There is also an option to exclude certain directories from the “Recently Modified Files” section of the activity report. Two directories are added here by Wordfence itself. These directories are excluded since file modifications in these folders are normal and frequent.

  • wp-content/cache
  • wp-content/wflogs

The “Activity Report” section also lets you enable or disable the Wordfence activity report widget on the WordPress “Dashboard” page.