How to resolve issues with the Wordfence Web Application Firewall.

Problems reading Wordfence Firewall config data

The Wordfence firewall stores some of its information in the file system. The files are located in the “wp-content/wflogs” directory. If there are issues with file writing or disk space on the server, the configuration file “config.php” could become corrupt. If this happens, you will receive an administrative notice on all Wordfence pages, prompting you to rebuild the configuration file automatically. If restoration completes successfully, no further action is required on your part.

If the message still appears after reloading the page, you may need to fix file permissions on the files in the “wp-content/wflogs” directory, including the “wflogs” directory itself. Some hosting companies may need to do this for you, while most others allow you to do it yourself.

You can also try renaming the “wflogs” directory, which will reset the firewall settings. This will cause the firewall status to revert to “Learning Mode” if it was previously set to the “Enabled and Protecting” mode. It will also remove any automatic allowlist entries added to the “Allowlisted URLs”.
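
The checks described above (file permissions, disk space, and the rename that resets the firewall) can be scripted. The following is an added example, not code from Wordfence: the function names, the finding labels and the 10 MB free-space threshold are assumptions, and treating a zero-byte “config.php” as a sign of corruption is this example's own heuristic.

```sh
#!/bin/sh
# Added example, not Wordfence code. Run from the WordPress root as the
# account PHP runs under, e.g.:  sh wflogs-check.sh wp-content/wflogs

# check_wflogs DIR [MIN_FREE_KB]: print one finding per line.
# Returns 0 when no problem is found, 1 otherwise.
check_wflogs() {
    dir=$1
    min_kb=${2:-10240}          # assumed threshold (10 MB), not a Wordfence value
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING    $dir does not exist"
        return 1
    fi
    # The directory itself must be writable, or files cannot be created or replaced.
    if [ ! -w "$dir" ] || [ ! -x "$dir" ]; then
        echo "DIR_PERMS  $dir is not writable by $(id -un)"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ ! -r "$f" ] || [ ! -w "$f" ]; then
            echo "FILE_PERMS $f is not readable and writable by $(id -un)"; rc=1
        fi
    done
    # Heuristic: an interrupted write or a full disk can leave a zero-byte file.
    if [ -e "$dir/config.php" ] && [ ! -s "$dir/config.php" ]; then
        echo "EMPTY      $dir/config.php is zero bytes"; rc=1
    fi
    # Free space on the filesystem holding DIR; skipped if df gives no answer.
    free_kb=$(df -Pk "$dir" 2>/dev/null | awk 'NR==2 {print $4}')
    if [ -n "$free_kb" ] && [ "$free_kb" -lt "$min_kb" ]; then
        echo "DISK_LOW   $free_kb KB free, want at least $min_kb KB"; rc=1
    fi
    return "$rc"
}

# reset_wflogs DIR: rename instead of deleting, so the old files stay available.
# Per the page, renaming resets the firewall settings (back to Learning Mode).
reset_wflogs() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    mv -- "$1" "$backup" && echo "$backup"
}

if [ "$#" -gt 0 ]; then
    check_wflogs "$@"
fi
```

Run it as the same user PHP runs as; a check run as root reports every file as writable and hides the permission problem.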

Configuration update for sites switching from mod_php5 to mod_php7

Sites that were originally installed on a server using mod_php5 may display an admin notice like this, in preparation for upgrading to PHP 7, or to optimize the firewall again after switching to PHP 7:

The Wordfence Web Application Firewall needs a configuration update. It is not currently in extended protection mode but was configured to use an older version of PHP and may have become deactivated when PHP was updated. You may perform the configuration update automatically by clicking here or use the "Optimize the Wordfence Firewall" button on the Firewall Options page.

Hosts using mod_php are less common than those using other methods to run PHP, so if your firewall is already optimized and you do not see this admin notice, your site should be configured correctly.

PHP 8 will have a similar message, and the new module name will no longer include a PHP version number.

Generally, you should only need to click the link in the admin notice to automatically update the “.htaccess” file for the firewall. If the notice disappears, then the configuration has been modified correctly. If the notice appears again, you can use the button “Optimize the Wordfence Firewall” on the “Firewall Options” page to try updating the files in the same way that it works in a new installation. If you still have trouble resolving the issue, please contact our support team.

Firewall Optimization Troubleshooting

If you are experiencing issues during Firewall Optimization, please see our documentation on Firewall Optimization Troubleshooting.

Frequently Asked Questions

  • What does “The changes have not yet taken effect” mean?

    If you get this message after Optimizing the Firewall, first check your PHP version on the Diagnostics tab on the Tools page, on the Wordfence menu. PHP 5.2 cannot load the .user.ini required for automated setup on CGI/FastCGI configurations. Some hosts let you choose a newer PHP version in your control panel. For other hosts, you may have to submit a support request to the host.
    In most cases, this means that your host caches certain PHP settings files. If you see this message for more than 5 minutes or continue to see the setup button at the top of your admin pages more than 5 minutes after completing the setup process, see the “Optimizing the Firewall” page.

  • ‘How does Wordfence get IPs’ setting is misconfigured

    When Wordfence detects that your site is behind a “reverse proxy”, you may need to adjust the option “How does Wordfence get IPs” in the “General Wordfence Options” section on the “Dashboard” > “Global Options” page, or click the link in the admin notice that warns you about the issue. The notice includes the following message, followed by a recommendation:

    Your 'How does Wordfence get IPs' setting is misconfigured

    To resolve this you can click the link in the message to apply the recommended setting, or you can adjust the setting manually.

    Wordfence also runs this check upon the activation of the plugin, to ensure that your settings are correct.

    For advanced users, there are two constants that can be set to control this feature:



    If you have dismissed the admin notice about this option being misconfigured, it can reappear when a new version of Wordfence is installed, to be sure you are aware of the issue. If you do not want the admin notice to reappear, you can use the constant above to disable the notice permanently.

    Additional Options

    If you do not want the scan option “Scan for misconfigured How does Wordfence get IPs” to run, this can be disabled on the “Scan” > “Scan Options and Scheduling” page.

  • What is Firewall Read-Only mode?

    In rare cases, a logged-in admin may see a notice saying: “The Wordfence Web Application Firewall is in read-only mode. PHP is currently running as a command line user and to avoid file permission issues, the WAF is running in read-only mode. It will automatically resume normal operation when run normally by a web server.”

    Read-only mode means that the firewall will not write its config file or other files, mainly to avoid issues with file permissions or other issues when PHP is not being run via the web server.
    This notice should only appear when PHP is being run from the command line, and it should not appear when you are logged in as an admin on a site with a normal PHP installation. If you see this notice during normal use of your site, you can set the constant WFWAF_ALWAYS_ALLOW_FILE_WRITING in wp-config.php as a temporary fix. See Wordfence constants for advanced configuration. Please also notify us so we can determine how your server has been set up.