The Wordfence Firewall can be either “Enabled and protecting”, in “Learning mode” or “Disabled”. When you first install Wordfence, the Firewall will be in “Learning mode” for one week. During this time you will not have full protection from the Firewall. The Firewall will instead during this time be learning how your system works in order to minimize “false positives”. A false positive is when something gets blocked that you did not want to block. If you have recently cleaned your site from a hack, or if you are under attack, you can choose to set the Firewall to “Enabled and protecting” instantly after installing Wordfence. The modes of the Firewall are:
|Enabled and Protecting
||In this mode, the Wordfence Web Application Firewall is actively blocking requests matching known attack patterns, and is actively protecting your site from attackers.
||In this mode, any requests that would normally be blocked by the firewall will be added to the Wordfence Web Application Firewall allowlist. Some requests contain data that may match patterns the firewall uses to detect attacks (such as an article about SQL injection that contains SQL code). While in Learning Mode, these requests will be added to the Wordfence Web Application Firewall allowlist, excluding them from tripping the same rules once the firewall is enabled. Use this mode to prevent false positives on your site. [More about Learning Mode]
||In this mode, the Wordfence Web Application Firewall is functionally turned off and does not run any of its rules or analyze the request in any way.
The Firewall can have Basic or Extended protection. If the Firewall has been Optimized, it will provide an extra layer of security and also improve Firewall performance. Learn how to optimize the Firewall.
Real-Time IP Blocklist
Wordfence monitors millions of attacks on WordPress sites every hour. This data is used to automatically generate a list of IP-addresses that are currently involved in bad behavior. The premium only IP Blocklist prevents known attackers from accessing your site. All this happens automatically, without you having to take any action. The IPs are blocked by the Web Application Firewall, so if your site has been set up with the firewall’s “Extended Protection,” this traffic is blocked before WordPress begins loading. The IP Blocklist is a premium feature and has no effect when using the free version of Wordfence. Learn more about the IP Blocklist.
Delay IP and Country blocking until after WordPress and plugins have loaded
When the Wordfence Firewall is optimized, the Firewall loads before the WordPress environment loads. This is desired behavior, as it increases security and gives the Firewall a performance boost. But if your server has a conflict with blocking by IP, country, or other advanced blocking settings before WordPress has loaded, you can turn on this option to allow WordPress to load first. We do not recommend enabling this option except for testing purposes.
Allowlisted IP addresses that bypass all rules
If you have a static IP address in an office or on a permanent Internet connection and you want to configure Wordfence to always allow that IP address to bypass any rules, then you can enable this option.
Please note that this feature is often misunderstood, and we have site admins who try to add their home IP address on a broadband connection to the IP allowlist. Your broadband IP address is not a permanent IP address because it is dynamically assigned and will change after several weeks or months – or sometimes over a shorter period. So we don’t recommend you add your home Internet connection’s IP address if you’re using ADSL or cable modem to the IP allowlist because your IP will inevitably change after a time, making this addition ineffective and potentially causing whoever is assigned the IP address after you lose it to have unlimited access to your website. Only use this feature if you are sure you have a permanent IP address. Most people don’t.
You can allowlist whole networks if needed (Bing, for example). To enter these, you need to input them in the xxx.xxx.xxx.[x-x] format. This page can help you translate CIDR formats to ranges – http://www.ipaddressguide.com/cidr. Examples:
22.214.171.124/24 would be entered as
- The IPv6 range
2a03:2880:f001::/48 would be entered as
To avoid unintentional blocking of some external services such as Facebook, Wordfence allows these services. For example, if you have strict rate limiting rules, Facebook’s crawler might get blocked or throttled if it requests pages too quickly. This could happen when someone shares links to several pages on your site at once.
The services are allowlisted by default. You can disable allowing of any specific service by disabling its corresponding checkbox in the option “Allowlisted Services”. When a service’s checkbox is disabled, it will be treated the same way as any other visitor.
If you try to manually block an IP that belongs to an allowlisted service, you will see a message saying “This IP address is in a range of addresses that Wordfence does not block. The IP range may be internal or belong to a service that is always allowed. Allowlisting of external services can be disabled.” If you are certain that you want to block an IP belonging to an allowlisted service, you must first disable the allowed service as described above.
This allows you to set a trap for bad guys. You can enter a URL that does not exist, for example: /vulnerabilityLivesHere
If anyone tries to access that URL, they are instantly blocked. You have to specify a relative URL. In other words, it must start with a forward slash. Wildcards (*) can be used, if there are visits to multiple bad URLs. For example, if there are visits to /badpage-one/ and /badpage-two/, then entering /badpage-*/ will block both.
If you are using WordPress Multisite * can be used before a URL to match requests on all mapped domains in the Multisite. For example */spammy-page-to-block/ will match domain182738.com/spammy-page-to-block/ and domain12313.com/spammy-page-to-block/ if those are both sites in the same Multisite where Wordfence is installed.
We only recommend this feature if you are trying to catch a specific hacker to block them, or if you are trying to catch hackers that are trying to exploit a known vulnerability or page on your site. Be careful not to visit the banned URL yourself by accident, as you will be blocked instantly.
When blocked via this option, an IP will be blocked for the duration you have specified under “Rate Limiting Rules.”
Ignored IP addresses for Wordfence Web Application Firewall alerting
If you are regularly running a scanning, uptime, or other bot-like service against your site and you do not want to be alerted about an increased attack rate, you can enter the IP of that service here. Make sure that you trust the service, since you will not receive any alerts if the IP attacks you.
The Wordfence Web Application Firewall has a number of rules that match known attacks, i.e. attacks commonly seen and exploited in the wild. The patterns for these attacks are specific and require minimal processing in determining if the request matches. The WAF also uses a number of generic rules that use pattern matching to determine if the request looks malicious. These are designed to prevent 0-days for known types of attacks from being exploited.
If you are having problems with false positive blocks (legitimate visitors are blocked from performing a specific action), individual Firewall Rules can be disabled for testing purposes. You can use Wordfence Live Traffic to figure out which Firewall rule that caused a specific block.
At the bottom of this section there is a button that allows you to manually refresh Firewall rules. Firewall rules are automatically updated on your site but you may on occasion be prompted by Wordfence support to manually refresh them.
Brute Force Protection
Brute Force Protection prevents attempts to guess username and password aimed at gaining access to your WordPress admin. Wordfence provides an option to limit login attempts and several other features that secure your login. Brute force protection is enabled by default, but you can optimize the individual options. See the full list of Brute Force Options.
Rate Limiting makes it more difficult for attackers to perform unauthorized scanning and scraping of your site. Rate Limiting options come with a default set of values that you can customize. See the full list of Rate Limiting Options.
The Firewall Allowlist is part of the Learning Mode feature of Wordfence, which lets the Firewall learn to not block safe requests even if the Firewall considers them to appear suspicious. You can read more about the allowlist and Learning Mode here.
Monitor Background Requests for False Positives
If you see this message when clicking a link that was sent to you by another person, or a link from another site that leads to your site, it may not be safe to add it to the allowlist. You can contact us about blocked requests if you are not sure whether they are dangerous. Be sure to include a description of what you were working on at the time.
Wordfence loads a script for logged-in admins that watches for background requests that get blocked by the firewall, to alert you if something was blocked that might not need to be blocked. The option “Monitor Background Requests for False Positives” allows you to disable this script if you like, by unchecking either or both boxes, for the front end of the site or for the wp-admin section of the site. Disabling the monitoring script does not affect the firewall’s protection, but may make it harder to notice false positives (blocking actions that are not actually malicious).