Wordfence Web Application Firewall (WAF)
The Wordfence Web Application Firewall is a PHP based, application level firewall that filters out malicious requests to your site.
What it Protects Against
The Wordfence Web Application Firewall protects against a number of common web-based attacks as well as a large amount of attacks specifically targeted at WordPress and WordPress themes and plugins. It is set up to run at the beginning of WordPress’ initialization to filter any attacks before plugins or themes can run any potentially vulnerable code. Some of the more general types of attacks we protect against are:
|SQL Injection||Unsanitized SQL code that can compromise a database system.|
|Malicious File Upload||Unsanitized files containing malicious code that can be uploaded to and executed by the web server.|
|Directory Traversal||Unsanitized path names that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.|
|Local File Inclusion||Unsanitized path/file names that can be used to execute potentially malicious code available to the web server’s file system.|
|External Entity Expansion (XXE)||A “feature” of XML that can be used to trick the web server into serving files containing credentials or other potentially sensitive information.|
The Wordfence Web Application Firewall also has a number of rules that match known attacks, i.e. attacks commonly seen and exploited in the wild. The patterns for these attacks are specific and require minimal processing in determining if the request matches. The WAF also uses a number of generic rules that use pattern matching to determine if the request looks malicious. These are designed to prevent hackers from exploiting 0-days for known types of attacks.
Wordfence will automatically update the Firewall rules from our servers in our network operations center without you having to update Wordfence. As new threats emerge, the Firewall uses rules to protect you that are updated in real time for Premium members. Premium users receive an additional layer of protection: when we add new rules, our servers will “ping” your site to prompt Wordfence to pull down the latest rules, so you are automatically protected from attackers as new threats emerge. Free users receive the community version of the rules 30 days later.
The Firewall status circles indicate to what degree you are currently protected. If the circles are gray, it means the Firewall is in Learning Mode or Disabled. To reach 100% on all Firewall status circles:
- Enable Rate Limiting and Advanced Blocking. This option is enabled by default. You can find it in the “Rate Limiting” section of the Wordfence Firewall Options.
- Enable all Firewall rules. All Firewall rules are enabled by default. If you have previously disabled some Firewall rules, visit the Firewall Options to re-enable them.
- Optimize the Wordfence Firewall. This improves security and performance of your Firewall. Learn how.
- Enable Brute Force Protection. This feature protects your WordPress admin from unauthorized login attempts. It is enabled by default.
- Enable Premium Firewall Rules. Upgrade to Premium to get instant protection against threats the moment they are discovered.
- Enable Real-Time IP Blacklist. With the Wordfence Premium Real-Time IP Blacklist, IP addresses that are currently attacking other WordPress sites will be automatically blocked from your website, too.
Free users can reach a max of 64% (as displayed on the Dashboard) and 55% (as displayed on the Firewall page).
The Firewall can be Enabled, Disabled or in Learning mode. If your status circles are grayed out, it means the Firewall is disabled or in Learning mode. Learn more.
As soon as you have installed Wordfence on your site, the Firewall is activated. At this point the Firewall lives inside of your WordPress installation and will protect you against exploits. To make the Firewall even more efficient, we encourage you to optimize the Firewall. You will get prompted to do this via the Wordfence plugin user interface. In most cases, optimizing the Firewall involves clicking through a short configuration procedure.
The protection level shows whether the default “Basic WordPress Protection” is enabled, which can protect against many attacks, or if “Extended Protection” is enabled. To enable “extended protection” you have to go through the Firewall Optimization procedure described above. Extended Protection allows the firewall to run before WordPress even starts, protecting against additional attacks. Both protection levels are available in the free and premium version. [More about Firewall Optimization]
Whitelisted URLs and False Positives
The Firewall uses pattern-matching to identify malicious requests. Sometimes, non-malicious content in the request may accidentally match one of the rules and trigger the Firewall to block the request. This is considered a false positive. Wordfence provides a way to exclude this particular URL and parameter from the Firewall rules, so they may be whitelisted. You can create whitelisted rules automatically while the firewall is in Learning Mode, manually by an admin via the Firewall options, via a button in “Live Traffic” or via the block page, if an admin got blocked.
Visits blocked by the firewall will display “403 Forbidden” and “A potentially unsafe operation has been detected in your request to this site.” If you get this message when you are logged in as an admin, you can directly choose to whitelist any action where you are blocked. If you get the message when you are not logged in you should log in to your site. You can then either
- Locate the request that was blocked in “Live Traffic” and whitelist it from there or
- Enable Learning Mode temporarily, repeat the action that was previously blocked and then re-enable the firewall.
Background requests sent from your browser may show a message that says “Background Request Blocked” if they are blocked by the firewall. These messages are only displayed for the site’s admin, and they can be whitelisted by clicking the Whitelist button in the message, if you know that they are safe.
Disabling the Firewall
On the Firewall page on the Wordfence menu, set the Firewall Status to “Disabled” and click the Save button.
If you are having technical problems and can’t set the Firewall Status to “Disabled,” you can instead set a constant. If you have Basic WordPress Protection enabled, you can add this code to your wp-config.php file, just below the line about “WP_DEBUG”. If you have Extended Protection enabled, the code should be added in wordfence-waf.php, before the line that begins with “if”:
Frequently Asked Questions
- I am locked out of my site
Make sure that it’s Wordfence that is locking you out of your site. If you have been locked out by Wordfence, the block page will mention “Wordfence” and state a reason for the block. If you contact Wordfence support, include that reason in your message for faster assistance.
If you have accidentally locked yourself out of your site, enter your admin email on the block page to receive an email that will allow you to unlock yourself. If that doesn’t work, please log in to your website using FTP/SSH or any file manager your web host may be providing via their administration panel and rename the wordfence plugin directory located in wp-content/plugins/. You can name it wordfence_. When the Wordfence folder has been renamed you should be able to log in. If you are still seeing a block page at this point, clear any cache you have in WordPress or on the server.
Once logged in, reactivate Wordfence by naming the wordfence_ folder back to wordfence. If you then get locked out again, it likely means your IP-address has ended up on your list of blocked IPs. Disable Wordfence again by renaming the wordfence folder. Then install the Wordfence Assistant plugin and use it to either
- Disable the Wordfence Firewall. You can now enable Wordfence and examine Wordfence blocks to determine which one locked you out.
- Clear all currently active blocks in Wordfence. This is an easier method.
If you are able to access WordPress admin but have problems using normal methods of unblocking in Wordfence or can’t find the IP address of the user you are trying to unblock you can use the Wordfence Assistant to clear all currently active blocks in Wordfence.
- PHP Fatal error: Failed opening required wordfence-waf.php
When the Wordfence Firewall is Optimized to have “Extended protection”, the Firewall loads via a file called wordfence-waf.php which is located in the root of your WordPress installation. If this file is deleted, or if the code that loads the file has an incorrect file path, a 500 Internal Server Error can be thrown. The error will typically look like the example below, though the file path “/var/www/html/” will usually be different on your site.
PHP Fatal error: Unknown: Failed opening required '/var/www/html/wordfence-waf.php' (include_path='.:/usr/share/php') in Unknown on line 0
This error can happen if
1. The wordfence-waf.php file has been deleted. This could have been done by accident, either manually or by some automated process on the server.
2. You or your web host have recently moved the site. This would have caused the file path structure on the site to change, which means that Wordfence can not find the wordfence-waf.php file.
To fix this issue, please Revert the Firewall Optimization manually.
- What is in the /wflogs/ directory?
These files in wp-content/wflogs/ contain Firewall configuration data and information on blocked attacks. The Firewall needs these files because it can run before WordPress has loaded, and the database is not available at that time. Files normally included in the wflogs directory are config.php, attack-data.php, ips.php, rules.php, wafRules.rules, and .htaccess. Newer Wordfence versions will also have config-livewaf.php, config-synced.php, config-transient.php, and GeoLite2-Country.mmdb. Some hosts may have additional temporary files in the same directory with similar names, or may also have temporary files with long names containing the letters “nfs”.
Some of these files begin with a line that says `<?php exit(‘Access denied’); __halt_compiler(); ?>`. This prevents anyone from viewing the file contents in a web browser even if the web server does not support .htaccess files, while allowing the rest of the contents to be read as data. Much of the data is encoded or in a binary format, for various reasons, including performance.
- Background Request Blocked
As the admin of the site, you can choose to whitelist these blocked requests by clicking the Whitelist button, if you were simply working on the site when they occur. The message is only shown for logged-in admins of the site, so regular visitors, subscribers, authors, editors, or other types of users on your site will not see them.
If you see this message when clicking a link that was sent to you by another person, or a link from another site that leads to your site, it may not be safe to whitelist. You can contact us about blocked requests if you are not sure whether they are dangerous or not. Be sure to include a description of what you were working on at the time.